@meridianjs/auth 0.1.4 → 0.1.7

package/dist/index.d.mts

@@ -32,6 +32,20 @@ interface JwtPayload {
     iat?: number;
     exp?: number;
 }
+interface GoogleAuthInput {
+    googleId: string;
+    email: string;
+    firstName: string | null;
+    lastName: string | null;
+    picture: string | null;
+    inviteRecord?: {
+        id: string;
+        email: string | null;
+        role: string;
+        workspace_id: string;
+        app_role_id: string | null;
+    } | null;
+}
 declare const AuthModuleService_base: new (container: MeridianContainer) => _meridianjs_types.IModuleService;
 declare class AuthModuleService extends AuthModuleService_base {
     private readonly container;
@@ -40,6 +54,13 @@ declare class AuthModuleService extends AuthModuleService_base {
     register(input: RegisterInput): Promise<AuthResult>;
     /** Authenticate with email + password and return a signed JWT. */
     login(input: LoginInput): Promise<AuthResult>;
+    /**
+     * Sign in or register a user via Google OAuth.
+     * 1. Look up by google_id — existing SSO user
+     * 2. Look up by email — link google_id to existing account
+     * 3. Create new user
+     */
+    loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
@@ -93,4 +114,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
 
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type GoogleAuthInput, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.d.ts

@@ -32,6 +32,20 @@ interface JwtPayload {
     iat?: number;
     exp?: number;
 }
+interface GoogleAuthInput {
+    googleId: string;
+    email: string;
+    firstName: string | null;
+    lastName: string | null;
+    picture: string | null;
+    inviteRecord?: {
+        id: string;
+        email: string | null;
+        role: string;
+        workspace_id: string;
+        app_role_id: string | null;
+    } | null;
+}
 declare const AuthModuleService_base: new (container: MeridianContainer) => _meridianjs_types.IModuleService;
 declare class AuthModuleService extends AuthModuleService_base {
     private readonly container;
@@ -40,6 +54,13 @@ declare class AuthModuleService extends AuthModuleService_base {
     register(input: RegisterInput): Promise<AuthResult>;
     /** Authenticate with email + password and return a signed JWT. */
     login(input: LoginInput): Promise<AuthResult>;
+    /**
+     * Sign in or register a user via Google OAuth.
+     * 1. Look up by google_id — existing SSO user
+     * 2. Look up by email — link google_id to existing account
+     * 3. Create new user
+     */
+    loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
@@ -93,4 +114,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
 
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type GoogleAuthInput, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.js

@@ -66,7 +66,7 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     const password_hash = await import_bcrypt.default.hash(input.password, BCRYPT_ROUNDS);
     let role = input.role ?? "member";
     if (!input.role) {
-      const userCount = await userService.countUsers();
+      const [, userCount] = await userService.listAndCountUsers({}, { limit: 1 });
       if (userCount === 0) role = "super-admin";
     }
     const user = await userService.createUser({
@@ -122,9 +122,88 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       token
     };
   }
+  /**
+   * Sign in or register a user via Google OAuth.
+   * 1. Look up by google_id — existing SSO user
+   * 2. Look up by email — link google_id to existing account
+   * 3. Create new user
+   */
+  async loginOrRegisterWithGoogle(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    let user = await userService.retrieveUserByGoogleId(input.googleId);
+    if (!user) {
+      const existingByEmail = await userService.retrieveUserByEmail(input.email.toLowerCase().trim());
+      if (existingByEmail) {
+        throw Object.assign(
+          new Error(
+            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+          ),
+          { status: 409 }
+        );
+      }
+    }
+    if (user) {
+      if (!user.is_active) {
+        throw Object.assign(new Error("Account deactivated"), { status: 403 });
+      }
+      await userService.recordLogin(user.id).catch(() => {
+      });
+      const permissions2 = await this.resolvePermissions(user.app_role_id);
+      const { token: token2, jti: jti2, expiresAt: expiresAt2 } = this.signToken(user.id, null, [user.role ?? "member"], permissions2, config.projectConfig.jwtSecret);
+      await userService.createSession(jti2, user.id, expiresAt2).catch(() => {
+      });
+      return {
+        user: { id: user.id, email: user.email, first_name: user.first_name ?? null, last_name: user.last_name ?? null },
+        token: token2
+      };
+    }
+    const invite = input.inviteRecord;
+    let role = "member";
+    if (invite) {
+      role = invite.role ?? "member";
+    } else {
+      const [, userCount] = await userService.listAndCountUsers({}, { limit: 1 });
+      if (userCount === 0) {
+        role = "super-admin";
+      } else {
+        throw Object.assign(
+          new Error("You are not authorized to access this application. Contact an admin for an invitation."),
+          { status: 403 }
+        );
+      }
+    }
+    const password_hash = await import_bcrypt.default.hash((0, import_crypto.randomUUID)(), 1);
+    const newUser = await userService.createUser({
+      email: input.email.toLowerCase().trim(),
+      password_hash,
+      first_name: input.firstName ?? null,
+      last_name: input.lastName ?? null,
+      role,
+      is_active: true,
+      google_id: input.googleId,
+      ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
+    });
+    if (invite) {
+      try {
+        const workspaceMemberService = this.container.resolve("workspaceMemberModuleService");
+        const wsRole = invite.role === "member" ? "member" : "admin";
+        await workspaceMemberService.ensureMember(invite.workspace_id, newUser.id, wsRole);
+      } catch {
+      }
+    }
+    const permissions = await this.resolvePermissions(newUser.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(newUser.id, null, [newUser.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, newUser.id, expiresAt).catch(() => {
+    });
+    return {
+      user: { id: newUser.id, email: newUser.email, first_name: newUser.first_name ?? null, last_name: newUser.last_name ?? null },
+      token
+    };
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
-    return import_jsonwebtoken.default.verify(token, secret);
+    return import_jsonwebtoken.default.verify(token, secret, { algorithms: ["HS256"] });
   }
   /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
   async resolvePermissions(appRoleId) {
@@ -166,7 +245,7 @@ function authenticateJWT(req, res, next) {
       return;
     }
     try {
-      const payload = import_jsonwebtoken2.default.verify(token, config.projectConfig.jwtSecret);
+      const payload = import_jsonwebtoken2.default.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
       if (payload.jti) {
         try {
           const scope = req.scope;

package/dist/index.mjs

@@ -26,7 +26,7 @@ var AuthModuleService = class extends MeridianService({}) {
     const password_hash = await bcrypt.hash(input.password, BCRYPT_ROUNDS);
     let role = input.role ?? "member";
     if (!input.role) {
-      const userCount = await userService.countUsers();
+      const [, userCount] = await userService.listAndCountUsers({}, { limit: 1 });
       if (userCount === 0) role = "super-admin";
     }
     const user = await userService.createUser({
@@ -82,9 +82,88 @@ var AuthModuleService = class extends MeridianService({}) {
       token
     };
   }
+  /**
+   * Sign in or register a user via Google OAuth.
+   * 1. Look up by google_id — existing SSO user
+   * 2. Look up by email — link google_id to existing account
+   * 3. Create new user
+   */
+  async loginOrRegisterWithGoogle(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    let user = await userService.retrieveUserByGoogleId(input.googleId);
+    if (!user) {
+      const existingByEmail = await userService.retrieveUserByEmail(input.email.toLowerCase().trim());
+      if (existingByEmail) {
+        throw Object.assign(
+          new Error(
+            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+          ),
+          { status: 409 }
+        );
+      }
+    }
+    if (user) {
+      if (!user.is_active) {
+        throw Object.assign(new Error("Account deactivated"), { status: 403 });
+      }
+      await userService.recordLogin(user.id).catch(() => {
+      });
+      const permissions2 = await this.resolvePermissions(user.app_role_id);
+      const { token: token2, jti: jti2, expiresAt: expiresAt2 } = this.signToken(user.id, null, [user.role ?? "member"], permissions2, config.projectConfig.jwtSecret);
+      await userService.createSession(jti2, user.id, expiresAt2).catch(() => {
+      });
+      return {
+        user: { id: user.id, email: user.email, first_name: user.first_name ?? null, last_name: user.last_name ?? null },
+        token: token2
+      };
+    }
+    const invite = input.inviteRecord;
+    let role = "member";
+    if (invite) {
+      role = invite.role ?? "member";
+    } else {
+      const [, userCount] = await userService.listAndCountUsers({}, { limit: 1 });
+      if (userCount === 0) {
+        role = "super-admin";
+      } else {
+        throw Object.assign(
+          new Error("You are not authorized to access this application. Contact an admin for an invitation."),
+          { status: 403 }
+        );
+      }
+    }
+    const password_hash = await bcrypt.hash(randomUUID(), 1);
+    const newUser = await userService.createUser({
+      email: input.email.toLowerCase().trim(),
+      password_hash,
+      first_name: input.firstName ?? null,
+      last_name: input.lastName ?? null,
+      role,
+      is_active: true,
+      google_id: input.googleId,
+      ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
+    });
+    if (invite) {
+      try {
+        const workspaceMemberService = this.container.resolve("workspaceMemberModuleService");
+        const wsRole = invite.role === "member" ? "member" : "admin";
+        await workspaceMemberService.ensureMember(invite.workspace_id, newUser.id, wsRole);
+      } catch {
+      }
+    }
+    const permissions = await this.resolvePermissions(newUser.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(newUser.id, null, [newUser.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, newUser.id, expiresAt).catch(() => {
+    });
+    return {
+      user: { id: newUser.id, email: newUser.email, first_name: newUser.first_name ?? null, last_name: newUser.last_name ?? null },
+      token
+    };
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
-    return jwt.verify(token, secret);
+    return jwt.verify(token, secret, { algorithms: ["HS256"] });
   }
   /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
   async resolvePermissions(appRoleId) {
@@ -126,7 +205,7 @@ function authenticateJWT(req, res, next) {
       return;
     }
     try {
-      const payload = jwt2.verify(token, config.projectConfig.jwtSecret);
+      const payload = jwt2.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
       if (payload.jti) {
         try {
           const scope = req.scope;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.4",
+  "version": "0.1.7",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",