@meridianjs/auth 0.1.7 → 0.1.9

package/README.md

@@ -0,0 +1,131 @@
+# @meridianjs/auth
+
+Authentication module for MeridianJS. Provides JWT-based register/login flows, Google OAuth support, Express middleware for token verification, and RBAC guards.
+
+Auto-loaded by `@meridianjs/meridian` — you do not need to add this to `modules[]` yourself.
+
+## Service: `authModuleService`
+
+```typescript
+const svc = req.scope.resolve("authModuleService") as any
+```
+
+### Methods
+
+```typescript
+// Register a new user — returns { user, token }
+const { user, token } = await svc.register({
+  email: "alice@example.com",
+  password: "password123",
+  first_name: "Alice",
+  last_name: "Smith",
+  role: "member",       // optional: "super-admin" | "admin" | "moderator" | "member"
+})
+
+// Login — returns { user, token }
+const { user, token } = await svc.login({
+  email: "alice@example.com",
+  password: "password123",
+})
+
+// Verify and decode a JWT
+const payload = await svc.verifyToken(token)
+// payload: { sub, workspaceId, roles, permissions, jti }
+```
+
+## Middleware
+
+### `authenticateJWT`
+
+Verifies the `Authorization: Bearer <token>` header and attaches `req.user`. Returns `401` if the token is missing or invalid.
+
+```typescript
+import { authenticateJWT } from "@meridianjs/auth"
+
+// Applied globally in middlewares.ts:
+export default {
+  routes: [
+    { matcher: "/admin", middlewares: [authenticateJWT] },
+  ],
+}
+
+// Or inline in a route:
+export const GET = [authenticateJWT, async (req: any, res: Response) => {
+  res.json({ userId: req.user.id })
+}]
+```
+
+### `requireRoles`
+
+Guard a route or handler to specific roles. Returns `403` if the user's roles don't match.
+
+```typescript
+import { requireRoles } from "@meridianjs/auth"
+
+export const DELETE = [
+  authenticateJWT,
+  requireRoles("admin", "super-admin"),
+  async (req: any, res: Response) => {
+    // Only admins reach here
+  },
+]
+```
+
+### `requirePermission`
+
+Guard based on a specific permission string from a custom AppRole:
+
+```typescript
+import { requirePermission } from "@meridianjs/auth"
+
+export const POST = [
+  authenticateJWT,
+  requirePermission("issues:create"),
+  async (req: any, res: Response) => { /* ... */ },
+]
+```
+
+## JWT Payload
+
+```typescript
+interface JwtPayload {
+  sub: string           // User ID
+  workspaceId: string   // Active workspace ID (null until workspace selected)
+  roles: string[]       // e.g. ["admin"] or ["member"]
+  permissions: string[] // Custom AppRole permissions (e.g. ["issues:create", "issues:delete"])
+  jti: string           // Unique token ID (for revocation)
+  iat: number
+  exp: number
+}
+```
+
+Tokens expire after **7 days** by default. Configure in `projectConfig`:
+
+```typescript
+projectConfig: {
+  jwtSecret: process.env.JWT_SECRET!,
+  jwtExpiresIn: "30d",  // optional
+}
+```
+
+## Google OAuth
+
+When `@meridianjs/google-oauth` is configured, the auth module exposes:
+
+```
+GET /auth/google           → Redirects to Google consent screen
+GET /auth/google/callback  → Handles OAuth code, returns JWT
+```
+
+## API Routes
+
+| Method | Path | Description |
+|---|---|---|
+| `POST` | `/auth/register` | Register, return `{ user, token }` |
+| `POST` | `/auth/login` | Login, return `{ user, token }` |
+| `GET` | `/auth/invite/:token` | Validate an invitation token |
+| `POST` | `/auth/invite/:token` | Accept invitation (register or login) |
+
+## License
+
+MIT

package/dist/index.d.mts

@@ -61,6 +61,17 @@ declare class AuthModuleService extends AuthModuleService_base {
      * 3. Create new user
      */
     loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
+    /**
+     * Restore a soft-deleted user via an invite link.
+     * Updates their name, password, and role, then issues a fresh session token.
+     * The user's ID — and all history tied to it — is preserved.
+     */
+    restoreFromInvite(userId: string, input: {
+        password: string;
+        first_name?: string;
+        last_name?: string;
+        role?: UserRole;
+    }): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.d.ts

@@ -61,6 +61,17 @@ declare class AuthModuleService extends AuthModuleService_base {
      * 3. Create new user
      */
     loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
+    /**
+     * Restore a soft-deleted user via an invite link.
+     * Updates their name, password, and role, then issues a fresh session token.
+     * The user's ID — and all history tied to it — is preserved.
+     */
+    restoreFromInvite(userId: string, input: {
+        password: string;
+        first_name?: string;
+        last_name?: string;
+        role?: UserRole;
+    }): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.js

@@ -99,6 +99,9 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     if (!user) {
       throw Object.assign(new Error("Invalid credentials"), { status: 401 });
     }
+    if (user.deleted_at) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
     if (!user.is_active) {
       throw Object.assign(new Error("Account deactivated"), { status: 403 });
     }
@@ -144,6 +147,9 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       }
     }
     if (user) {
+      if (user.deleted_at) {
+        throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+      }
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
@@ -201,6 +207,35 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       token
     };
   }
+  /**
+   * Restore a soft-deleted user via an invite link.
+   * Updates their name, password, and role, then issues a fresh session token.
+   * The user's ID — and all history tied to it — is preserved.
+   */
+  async restoreFromInvite(userId, input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const password_hash = await import_bcrypt.default.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.restoreUser(userId, {
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      role: input.role ?? "member"
+    });
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return import_jsonwebtoken.default.verify(token, secret, { algorithms: ["HS256"] });

package/dist/index.mjs

@@ -59,6 +59,9 @@ var AuthModuleService = class extends MeridianService({}) {
     if (!user) {
       throw Object.assign(new Error("Invalid credentials"), { status: 401 });
     }
+    if (user.deleted_at) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
     if (!user.is_active) {
       throw Object.assign(new Error("Account deactivated"), { status: 403 });
     }
@@ -104,6 +107,9 @@ var AuthModuleService = class extends MeridianService({}) {
       }
     }
     if (user) {
+      if (user.deleted_at) {
+        throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+      }
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
@@ -161,6 +167,35 @@ var AuthModuleService = class extends MeridianService({}) {
       token
     };
   }
+  /**
+   * Restore a soft-deleted user via an invite link.
+   * Updates their name, password, and role, then issues a fresh session token.
+   * The user's ID — and all history tied to it — is preserved.
+   */
+  async restoreFromInvite(userId, input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const password_hash = await bcrypt.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.restoreUser(userId, {
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      role: input.role ?? "member"
+    });
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return jwt.verify(token, secret, { algorithms: ["HS256"] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",