@ministerjs/auth 2.0.2 → 3.0.1

package/dist/nestjs.mjs

@@ -13,6 +13,165 @@ var __decorateParam = (index, decorator) => (target, key) => decorator(target, k
 // src/nestjs/token.ts
 var AUTH_DRIVER = Symbol("AUTH_DRIVER");
 
+// src/nestjs/stores.ts
+var InMemoryLockoutStore = class {
+  constructor(windowMs) {
+    this.windowMs = windowMs;
+  }
+  entries = /* @__PURE__ */ new Map();
+  async recordFailure(key) {
+    const now = Date.now();
+    const entry = this.entries.get(key);
+    if (!entry || now - entry.firstFailure > this.windowMs) {
+      this.entries.set(key, { count: 1, firstFailure: now });
+    } else {
+      entry.count++;
+    }
+  }
+  async getFailures(key) {
+    const entry = this.entries.get(key);
+    if (!entry) return 0;
+    if (Date.now() - entry.firstFailure > this.windowMs) {
+      this.entries.delete(key);
+      return 0;
+    }
+    return entry.count;
+  }
+  async reset(key) {
+    this.entries.delete(key);
+  }
+};
+var InMemoryRefreshTokenStore = class {
+  tokens = /* @__PURE__ */ new Map();
+  userJtis = /* @__PURE__ */ new Map();
+  async save(jti, userId, expiresAt) {
+    this.tokens.set(jti, { userId, expiresAt });
+    let jtis = this.userJtis.get(userId);
+    if (!jtis) {
+      jtis = /* @__PURE__ */ new Set();
+      this.userJtis.set(userId, jtis);
+    }
+    jtis.add(jti);
+  }
+  async find(jti) {
+    const entry = this.tokens.get(jti);
+    if (!entry) return null;
+    if (entry.expiresAt.getTime() < Date.now()) {
+      this.tokens.delete(jti);
+      return null;
+    }
+    return entry;
+  }
+  async revoke(jti) {
+    const entry = this.tokens.get(jti);
+    if (entry) {
+      this.userJtis.get(entry.userId)?.delete(jti);
+    }
+    this.tokens.delete(jti);
+  }
+  async revokeAll(userId) {
+    const jtis = this.userJtis.get(userId);
+    if (jtis) {
+      for (const jti of jtis) {
+        this.tokens.delete(jti);
+      }
+      this.userJtis.delete(userId);
+    }
+  }
+};
+
+// src/nestjs/rbac.ts
+import { SetMetadata } from "@nestjs/common";
+var ROLES_KEY = "ministerjs:roles";
+var Roles = (...roles) => SetMetadata(ROLES_KEY, roles);
+
+// src/nestjs/guards/JwtAuthGuard.ts
+import {
+  Injectable,
+  UnauthorizedException
+} from "@nestjs/common";
+import { verify } from "jsonwebtoken";
+var JwtAuthGuard = class {
+  jwtSecret;
+  cookieName;
+  csrfEnabled;
+  constructor(options) {
+    this.jwtSecret = options.jwtSecret;
+    this.cookieName = options.cookieName ?? "auth_token";
+    this.csrfEnabled = options.csrfEnabled ?? false;
+  }
+  canActivate(context) {
+    const request = context.switchToHttp().getRequest();
+    const token = this.extractToken(request);
+    if (!token) {
+      throw new UnauthorizedException("No token provided");
+    }
+    let payload;
+    try {
+      payload = verify(token, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
+    } catch {
+      throw new UnauthorizedException("Invalid token");
+    }
+    if (this.csrfEnabled) {
+      this.validateCsrf(request);
+    }
+    request.user = {
+      id: payload.sub,
+      roles: payload.roles ?? []
+    };
+    return true;
+  }
+  extractToken(request) {
+    const fromCookie = request.cookies?.[this.cookieName];
+    if (fromCookie) return fromCookie;
+    const authHeader = request.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) return authHeader.slice(7);
+    return void 0;
+  }
+  validateCsrf(request) {
+    const headerToken = request.headers["x-csrf-token"];
+    const cookieToken = request.cookies?.["csrf_token"];
+    if (!headerToken || headerToken !== cookieToken) {
+      throw new UnauthorizedException("CSRF token mismatch");
+    }
+  }
+};
+JwtAuthGuard = __decorateClass([
+  Injectable()
+], JwtAuthGuard);
+
+// src/nestjs/guards/RolesGuard.ts
+import {
+  ForbiddenException,
+  Injectable as Injectable2
+} from "@nestjs/common";
+var RolesGuard = class {
+  constructor(reflector) {
+    this.reflector = reflector;
+  }
+  canActivate(context) {
+    const required = this.reflector.getAllAndOverride(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (!required?.length) return true;
+    const request = context.switchToHttp().getRequest();
+    if (!request.user) {
+      throw new ForbiddenException("Not authenticated");
+    }
+    const hasRole = required.some((r) => request.user.roles.includes(r));
+    if (!hasRole) {
+      throw new ForbiddenException("Insufficient permissions");
+    }
+    return true;
+  }
+};
+RolesGuard = __decorateClass([
+  Injectable2()
+], RolesGuard);
+
 // src/nestjs/AuthController.ts
 import {
   Body,
@@ -22,7 +181,7 @@ import {
   Post,
   Req,
   Res,
-  UnauthorizedException
+  UnauthorizedException as UnauthorizedException2
 } from "@nestjs/common";
 var AuthController = class {
   constructor(driver) {
@@ -35,7 +194,17 @@ var AuthController = class {
   async checkIn(request, response) {
     const user = await this.driver.checkIn(request, response);
     if (!user) {
-      throw new UnauthorizedException("Not authenticated");
+      throw new UnauthorizedException2("Not authenticated");
+    }
+    return { message: "ok", data: user };
+  }
+  async refresh(request, response) {
+    if (!this.driver.refresh) {
+      throw new UnauthorizedException2("Refresh not supported");
+    }
+    const user = await this.driver.refresh(request, response);
+    if (!user) {
+      throw new UnauthorizedException2("Invalid refresh token");
     }
     return { message: "ok", data: user };
   }
@@ -57,6 +226,12 @@ __decorateClass([
   __decorateParam(0, Req()),
   __decorateParam(1, Res({ passthrough: true }))
 ], AuthController.prototype, "checkIn", 1);
+__decorateClass([
+  Post("/refresh"),
+  HttpCode(200),
+  __decorateParam(0, Req()),
+  __decorateParam(1, Res({ passthrough: true }))
+], AuthController.prototype, "refresh", 1);
 __decorateClass([
   Post("/logout"),
   HttpCode(200),
@@ -94,6 +269,9 @@ var AuthModule = class {
       exports: [driverProvider]
     };
   }
+  static createGuard(options) {
+    return new JwtAuthGuard(options);
+  }
   static normalizeDriverProvider(driver) {
     if (typeof driver === "function") {
       return { provide: AUTH_DRIVER, useClass: driver };
@@ -119,12 +297,26 @@ AuthModule = __decorateClass([
 ], AuthModule);
 
 // src/nestjs/JwtPrismaCookieAuthDriver.ts
-import { UnauthorizedException as UnauthorizedException2 } from "@nestjs/common";
-import { sign, verify } from "jsonwebtoken";
+import { randomBytes, randomUUID } from "crypto";
+import { UnauthorizedException as UnauthorizedException3 } from "@nestjs/common";
+import { sign, verify as verify2 } from "jsonwebtoken";
+var DURATION_UNITS = {
+  s: 1e3,
+  m: 6e4,
+  h: 36e5,
+  d: 864e5
+};
+function parseDuration(value) {
+  const match = value.match(/^(\d+)\s*([smhd])$/);
+  if (!match) return 7 * 864e5;
+  return parseInt(match[1], 10) * DURATION_UNITS[match[2]];
+}
+var isProduction = process.env.NODE_ENV === "production";
 var defaultCookieOptions = {
   httpOnly: true,
   sameSite: "lax",
-  path: "/"
+  path: "/",
+  secure: isProduction
 };
 var JwtPrismaCookieAuthDriver = class {
   prismaModel;
@@ -137,13 +329,23 @@ var JwtPrismaCookieAuthDriver = class {
   cookieOptions;
   comparePassword;
   transformUser;
+  csrf;
+  onAudit;
+  onRateLimitCheck;
+  lockoutStore;
+  lockoutMaxAttempts;
+  refreshTokenEnabled;
+  refreshTokenCookieName;
+  refreshTokenExpiresIn;
+  refreshTokenStore;
   constructor(options) {
-    this.prismaModel = options.prisma[options.modelName];
-    if (!this.prismaModel) {
+    const model = options.prisma[options.modelName];
+    if (!model) {
       throw new Error(
         `Model "${options.modelName}" n\xE3o encontrado no PrismaClient.`
       );
     }
+    this.prismaModel = model;
     this.identifierField = options.identifierField ?? "email";
     this.passwordField = options.passwordField ?? "password";
     this.idField = options.idField ?? "id";
@@ -154,34 +356,107 @@ var JwtPrismaCookieAuthDriver = class {
       ...defaultCookieOptions,
       ...options.cookieOptions ?? {}
     };
-    this.comparePassword = options.comparePassword ?? ((provided, stored) => String(stored) === provided);
+    this.comparePassword = options.comparePassword;
     this.transformUser = options.transformUser ?? ((user) => {
       const clone = { ...user };
       delete clone[this.passwordField];
       return clone;
     });
+    this.csrf = options.csrf ?? false;
+    this.onAudit = options.onAudit;
+    this.onRateLimitCheck = options.onRateLimitCheck;
+    if (options.lockout) {
+      const windowMs = options.lockout.windowMs ?? 15 * 60 * 1e3;
+      this.lockoutMaxAttempts = options.lockout.maxAttempts ?? 5;
+      this.lockoutStore = options.lockout.store ?? new InMemoryLockoutStore(windowMs);
+    } else {
+      this.lockoutMaxAttempts = 0;
+    }
+    if (options.refreshToken?.enabled) {
+      this.refreshTokenEnabled = true;
+      this.refreshTokenCookieName = options.refreshToken.cookieName ?? "refresh_token";
+      this.refreshTokenExpiresIn = options.refreshToken.expiresIn ?? "30d";
+      this.refreshTokenStore = options.refreshToken.store ?? new InMemoryRefreshTokenStore();
+    } else {
+      this.refreshTokenEnabled = false;
+      this.refreshTokenCookieName = "refresh_token";
+      this.refreshTokenExpiresIn = "30d";
+    }
   }
-  async login(payload, _req, res) {
+  async login(payload, req, res) {
     const identifier = payload[this.identifierField];
+    const ip = req.ip ?? req.socket?.remoteAddress ?? "unknown";
+    if (this.onRateLimitCheck) {
+      const allowed = await this.onRateLimitCheck(ip, identifier);
+      if (!allowed) {
+        await this.emitAudit({
+          action: "login",
+          ip,
+          success: false,
+          metadata: { reason: "rate_limited" }
+        });
+        throw new UnauthorizedException3("Too many requests");
+      }
+    }
+    if (this.lockoutStore) {
+      const failures = await this.lockoutStore.getFailures(identifier);
+      if (failures >= this.lockoutMaxAttempts) {
+        await this.emitAudit({
+          action: "lockout",
+          ip,
+          success: false,
+          metadata: { identifier }
+        });
+        throw new UnauthorizedException3("Invalid credentials");
+      }
+    }
     const user = await this.prismaModel.findUnique({
       where: { [this.identifierField]: identifier }
     });
     if (!user) {
-      throw new UnauthorizedException2("Invalid credentials");
+      await this.lockoutStore?.recordFailure(identifier);
+      await this.emitAudit({ action: "login", ip, success: false });
+      throw new UnauthorizedException3("Invalid credentials");
     }
     const ok = await this.comparePassword(
       payload[this.passwordField],
       user[this.passwordField]
     );
     if (!ok) {
-      throw new UnauthorizedException2("Invalid credentials");
+      await this.lockoutStore?.recordFailure(identifier);
+      await this.emitAudit({
+        action: "login",
+        userId: String(user[this.idField]),
+        ip,
+        success: false
+      });
+      throw new UnauthorizedException3("Invalid credentials");
     }
+    await this.lockoutStore?.reset(identifier);
     const token = sign(
       { sub: user[this.idField] },
       this.jwtSecret,
-      { expiresIn: this.jwtExpiresIn }
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
     );
     res.cookie(this.cookieName, token, this.cookieOptions);
+    if (this.refreshTokenEnabled && this.refreshTokenStore) {
+      await this.issueRefreshToken(String(user[this.idField]), res);
+    }
+    if (this.csrf) {
+      const csrfToken = randomBytes(32).toString("hex");
+      res.cookie("csrf_token", csrfToken, {
+        httpOnly: false,
+        sameSite: this.cookieOptions.sameSite,
+        path: "/",
+        secure: this.cookieOptions.secure
+      });
+    }
+    await this.emitAudit({
+      action: "login",
+      userId: String(user[this.idField]),
+      ip,
+      success: true
+    });
     return this.transformUser(user);
   }
   async checkIn(req, res) {
@@ -191,7 +466,9 @@ var JwtPrismaCookieAuthDriver = class {
     }
     let payload;
     try {
-      payload = verify(token, this.jwtSecret);
+      payload = verify2(token, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
     } catch {
       return null;
     }
@@ -201,19 +478,136 @@ var JwtPrismaCookieAuthDriver = class {
     if (!user) {
       return null;
     }
-    res.cookie(this.cookieName, token, this.cookieOptions);
+    const newToken = sign(
+      { sub: payload.sub },
+      this.jwtSecret,
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
+    );
+    res.cookie(this.cookieName, newToken, this.cookieOptions);
+    await this.emitAudit({
+      action: "checkin",
+      userId: String(payload.sub),
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
     return this.transformUser(user);
   }
-  async logout(_req, res) {
+  async logout(req, res) {
     res.clearCookie(this.cookieName, {
       ...this.cookieOptions,
       maxAge: 0
     });
+    if (this.refreshTokenEnabled) {
+      const refreshCookie = req.cookies?.[this.refreshTokenCookieName];
+      if (refreshCookie && this.refreshTokenStore) {
+        try {
+          const payload = verify2(refreshCookie, this.jwtSecret, {
+            algorithms: ["HS256"]
+          });
+          if (payload.jti) {
+            await this.refreshTokenStore.revokeAll(String(payload.sub));
+          }
+        } catch {
+        }
+      }
+      res.clearCookie(this.refreshTokenCookieName, {
+        ...this.cookieOptions,
+        maxAge: 0
+      });
+    }
+    if (this.csrf) {
+      res.clearCookie("csrf_token", { path: "/", maxAge: 0 });
+    }
+    await this.emitAudit({
+      action: "logout",
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
+  }
+  async refresh(req, res) {
+    if (!this.refreshTokenEnabled || !this.refreshTokenStore) {
+      return null;
+    }
+    const refreshCookie = req.cookies?.[this.refreshTokenCookieName];
+    if (!refreshCookie) {
+      return null;
+    }
+    let payload;
+    try {
+      payload = verify2(refreshCookie, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
+    } catch {
+      return null;
+    }
+    if (!payload.jti) {
+      return null;
+    }
+    const stored = await this.refreshTokenStore.find(payload.jti);
+    if (!stored) {
+      return null;
+    }
+    await this.refreshTokenStore.revoke(payload.jti);
+    const userId = String(payload.sub);
+    const user = await this.prismaModel.findUnique({
+      where: { [this.idField]: userId }
+    });
+    if (!user) {
+      return null;
+    }
+    const accessToken = sign(
+      { sub: userId },
+      this.jwtSecret,
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
+    );
+    res.cookie(this.cookieName, accessToken, this.cookieOptions);
+    await this.issueRefreshToken(userId, res);
+    if (this.csrf) {
+      const csrfToken = randomBytes(32).toString("hex");
+      res.cookie("csrf_token", csrfToken, {
+        httpOnly: false,
+        sameSite: this.cookieOptions.sameSite,
+        path: "/",
+        secure: this.cookieOptions.secure
+      });
+    }
+    await this.emitAudit({
+      action: "refresh",
+      userId,
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
+    return this.transformUser(user);
+  }
+  async issueRefreshToken(userId, res) {
+    const jti = randomUUID();
+    const expiresInMs = typeof this.refreshTokenExpiresIn === "number" ? this.refreshTokenExpiresIn * 1e3 : parseDuration(this.refreshTokenExpiresIn);
+    const expiresAt = new Date(Date.now() + expiresInMs);
+    const refreshToken = sign(
+      { sub: userId, jti },
+      this.jwtSecret,
+      { expiresIn: this.refreshTokenExpiresIn, algorithm: "HS256" }
+    );
+    await this.refreshTokenStore.save(jti, userId, expiresAt);
+    res.cookie(this.refreshTokenCookieName, refreshToken, {
+      ...this.cookieOptions,
+      path: "/"
+    });
+  }
+  async emitAudit(partial) {
+    if (!this.onAudit) return;
+    await this.onAudit({ ...partial, timestamp: /* @__PURE__ */ new Date() });
   }
 };
 export {
   AUTH_DRIVER,
   AuthController,
   AuthModule,
-  JwtPrismaCookieAuthDriver
+  InMemoryLockoutStore,
+  InMemoryRefreshTokenStore,
+  JwtAuthGuard,
+  JwtPrismaCookieAuthDriver,
+  ROLES_KEY,
+  Roles,
+  RolesGuard
 };

package/dist/vue.d.mts

@@ -19,12 +19,14 @@ declare class Auth<User extends Record<string, any>> {
     on: Ref<boolean, boolean>;
     loading: Ref<boolean, boolean>;
     checkedIn: Ref<boolean, boolean>;
+    roles: Ref<string[]>;
     private fetch;
     private mapUser;
     private afterLogout;
     private afterCheckIn;
     private routes;
     constructor({ fetch, mapUser, routes, afterLogout, afterCheckIn, }: Options<User>);
+    signUp(payload: Record<string, any>): Promise<void>;
     login(payload: Record<string, any>): Promise<void>;
     checkIn(): Promise<void>;
     logout(): Promise<void>;

package/dist/vue.d.ts

@@ -19,12 +19,14 @@ declare class Auth<User extends Record<string, any>> {
     on: Ref<boolean, boolean>;
     loading: Ref<boolean, boolean>;
     checkedIn: Ref<boolean, boolean>;
+    roles: Ref<string[]>;
     private fetch;
     private mapUser;
     private afterLogout;
     private afterCheckIn;
     private routes;
     constructor({ fetch, mapUser, routes, afterLogout, afterCheckIn, }: Options<User>);
+    signUp(payload: Record<string, any>): Promise<void>;
     login(payload: Record<string, any>): Promise<void>;
     checkIn(): Promise<void>;
     logout(): Promise<void>;

package/dist/vue.js

@@ -31,11 +31,13 @@ var Auth = class {
   on = (0, import_vue.ref)(false);
   loading = (0, import_vue.ref)(false);
   checkedIn = (0, import_vue.ref)(false);
+  roles = (0, import_vue.ref)([]);
   fetch;
   mapUser;
   afterLogout;
   afterCheckIn;
   routes = {
+    signUp: "/api/signup",
     login: "/api/login",
     checkIn: "/api/checkin",
     logout: "/api/logout"
@@ -57,6 +59,20 @@ var Auth = class {
       Object.assign(this.routes, routes);
     }
   }
+  async signUp(payload) {
+    this.loading.value = true;
+    try {
+      const response = await this.fetch(this.routes.signUp, {
+        method: "POST",
+        body: JSON.stringify(payload)
+      });
+      this.on.value = true;
+      const { data } = await response.json();
+      this.setUser(data);
+    } finally {
+      this.loading.value = false;
+    }
+  }
   async login(payload) {
     this.loading.value = true;
     try {
@@ -104,6 +120,7 @@ var Auth = class {
   setUser = (data) => {
     if (data === null || data === void 0) {
       this.user.value = null;
+      this.roles.value = [];
       return;
     }
     const parsedData = this.mapUser(data);
@@ -113,6 +130,9 @@ var Auth = class {
     for (const key in parsedData) {
       this.user.value[key] = parsedData[key];
     }
+    if (Array.isArray(parsedData.roles)) {
+      this.roles.value = parsedData.roles;
+    }
   };
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/vue.mjs

@@ -5,11 +5,13 @@ var Auth = class {
   on = ref(false);
   loading = ref(false);
   checkedIn = ref(false);
+  roles = ref([]);
   fetch;
   mapUser;
   afterLogout;
   afterCheckIn;
   routes = {
+    signUp: "/api/signup",
     login: "/api/login",
     checkIn: "/api/checkin",
     logout: "/api/logout"
@@ -31,6 +33,20 @@ var Auth = class {
       Object.assign(this.routes, routes);
     }
   }
+  async signUp(payload) {
+    this.loading.value = true;
+    try {
+      const response = await this.fetch(this.routes.signUp, {
+        method: "POST",
+        body: JSON.stringify(payload)
+      });
+      this.on.value = true;
+      const { data } = await response.json();
+      this.setUser(data);
+    } finally {
+      this.loading.value = false;
+    }
+  }
   async login(payload) {
     this.loading.value = true;
     try {
@@ -78,6 +94,7 @@ var Auth = class {
   setUser = (data) => {
     if (data === null || data === void 0) {
       this.user.value = null;
+      this.roles.value = [];
       return;
     }
     const parsedData = this.mapUser(data);
@@ -87,6 +104,9 @@ var Auth = class {
     for (const key in parsedData) {
       this.user.value[key] = parsedData[key];
     }
+    if (Array.isArray(parsedData.roles)) {
+      this.roles.value = parsedData.roles;
+    }
   };
 };
 export {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ministerjs/auth",
-  "version": "2.0.2",
+  "version": "3.0.1",
   "license": "UNLICENSED",
   "private": false,
   "publishConfig": {
@@ -29,6 +29,7 @@
   "peerDependencies": {
     "vue": "^3.5.12",
     "@nestjs/common": "^11.0.11",
+    "@nestjs/core": "^11.0.11",
     "@prisma/client": "^6.5.0",
     "jsonwebtoken": "^9.0.2"
   },
@@ -36,6 +37,9 @@
     "@nestjs/common": {
       "optional": true
     },
+    "@nestjs/core": {
+      "optional": true
+    },
     "@prisma/client": {
       "optional": true
     },
@@ -58,6 +62,7 @@
     "vitest": "^3.0.9",
     "vue": "^3.5.13",
     "@nestjs/common": "^11.0.11",
+    "@nestjs/core": "^11.0.11",
     "@types/jsonwebtoken": "^9.0.6",
     "jsonwebtoken": "^9.0.2"
   },