@ministerjs/auth 2.0.2 → 3.0.1

package/types/nestjs/AuthController.d.ts

@@ -5,6 +5,7 @@ declare class AuthController<User extends Record<string, any> = Record<string, a
     constructor(driver: AuthDriver<User>);
     login(body: AuthPayload, request: Request, response: Response): Promise<AuthResponse<User>>;
     checkIn(request: Request, response: Response): Promise<AuthResponse<User>>;
+    refresh(request: Request, response: Response): Promise<AuthResponse<User>>;
     logout(request: Request, response: Response): Promise<LogoutResponse>;
 }
 export { AuthController };

package/types/nestjs/AuthModule.d.ts

@@ -1,5 +1,6 @@
 import { DynamicModule, Type } from "@nestjs/common";
 import type { AuthDriver } from "./types";
+import { JwtAuthGuard, type JwtAuthGuardOptions } from "./guards/JwtAuthGuard";
 type DriverProvider<User> = AuthDriver<User> | {
     useValue: AuthDriver<User>;
 } | {
@@ -26,6 +27,7 @@ interface AuthModuleAsyncOptions<User = any> {
 declare class AuthModule {
     static register<User = any>(options: AuthModuleOptions<User>): DynamicModule;
     static registerAsync<User = any>(options: AuthModuleAsyncOptions<User>): DynamicModule;
+    static createGuard(options: JwtAuthGuardOptions): JwtAuthGuard;
     private static normalizeDriverProvider;
 }
 export type { AuthModuleOptions, AuthModuleAsyncOptions, DriverProvider };

package/types/nestjs/JwtPrismaCookieAuthDriver.d.ts

@@ -1,7 +1,13 @@
 import type { CookieOptions, Request, Response } from "express";
 import { type SignOptions } from "jsonwebtoken";
-import type { AuthDriver, AuthPayload } from "./types";
-type PrismaClientLike = Record<string, any>;
+import type { AuthDriver, LoginPayload, AuditEvent } from "./types";
+import type { LockoutStore, RefreshTokenStore } from "./stores";
+interface PrismaModelDelegate {
+    findUnique(args: {
+        where: Record<string, unknown>;
+    }): Promise<any>;
+}
+type PrismaClientLike = Record<string, PrismaModelDelegate | undefined>;
 interface JwtPrismaDriverOptions {
     prisma: PrismaClientLike;
     /**
@@ -38,12 +44,52 @@ interface JwtPrismaDriverOptions {
     cookieOptions?: Partial<CookieOptions>;
     /**
      * Função de comparação de senha (p.ex. bcrypt.compare).
+     * Obrigatório — não há fallback para comparação em plain-text.
      */
-    comparePassword?: (provided: string, stored: unknown) => Promise<boolean> | boolean;
+    comparePassword: (provided: string, stored: unknown) => Promise<boolean> | boolean;
     /**
      * Permite alterar a shape do usuário retornado.
      */
     transformUser?: <T extends Record<string, any>>(user: T) => any;
+    /**
+     * Habilita proteção CSRF via double-submit cookie.
+     * No login, emite um cookie `csrf_token` (não-httpOnly) que o cliente
+     * deve enviar no header `x-csrf-token` em requisições autenticadas.
+     */
+    csrf?: boolean;
+    /**
+     * Callback de auditoria chamado em cada evento de autenticação.
+     */
+    onAudit?: (event: AuditEvent) => void | Promise<void>;
+    /**
+     * Callback de rate limiting chamado antes de cada tentativa de login.
+     * Retorne `false` para bloquear a tentativa.
+     */
+    onRateLimitCheck?: (ip: string, identifier: string) => Promise<boolean> | boolean;
+    /**
+     * Configuração de account lockout.
+     */
+    lockout?: {
+        /** Número máximo de tentativas antes de bloquear (default: 5). */
+        maxAttempts?: number;
+        /** Janela de tempo em ms para contar falhas (default: 15 min). */
+        windowMs?: number;
+        /** Store customizado para persistir falhas (default: InMemoryLockoutStore). */
+        store?: LockoutStore;
+    };
+    /**
+     * Configuração de refresh token rotation.
+     * Quando habilitado, login emite um par access + refresh token.
+     */
+    refreshToken?: {
+        enabled: boolean;
+        /** Nome do cookie do refresh token (default: "refresh_token"). */
+        cookieName?: string;
+        /** Tempo de expiração do refresh token (default: "30d"). */
+        expiresIn?: SignOptions["expiresIn"];
+        /** Store para persistir refresh tokens (default: InMemoryRefreshTokenStore). */
+        store?: RefreshTokenStore;
+    };
 }
 declare class JwtPrismaCookieAuthDriver<User extends Record<string, any>> implements AuthDriver<User> {
     private readonly prismaModel;
@@ -56,10 +102,22 @@ declare class JwtPrismaCookieAuthDriver<User extends Record<string, any>> implem
     private readonly cookieOptions;
     private readonly comparePassword;
     private readonly transformUser;
+    private readonly csrf;
+    private readonly onAudit?;
+    private readonly onRateLimitCheck?;
+    private readonly lockoutStore?;
+    private readonly lockoutMaxAttempts;
+    private readonly refreshTokenEnabled;
+    private readonly refreshTokenCookieName;
+    private readonly refreshTokenExpiresIn;
+    private readonly refreshTokenStore?;
     constructor(options: JwtPrismaDriverOptions);
-    login(payload: AuthPayload, _req: Request, res: Response): Promise<User>;
+    login(payload: LoginPayload, req: Request, res: Response): Promise<User>;
     checkIn(req: Request, res: Response): Promise<User | null>;
-    logout(_req: Request, res: Response): Promise<void>;
+    logout(req: Request, res: Response): Promise<void>;
+    refresh(req: Request, res: Response): Promise<User | null>;
+    private issueRefreshToken;
+    private emitAudit;
 }
-export type { JwtPrismaDriverOptions };
+export type { PrismaModelDelegate, PrismaClientLike, JwtPrismaDriverOptions };
 export { JwtPrismaCookieAuthDriver };

package/types/nestjs/guards/JwtAuthGuard.d.ts

@@ -0,0 +1,17 @@
+import { CanActivate, ExecutionContext } from "@nestjs/common";
+interface JwtAuthGuardOptions {
+    jwtSecret: string;
+    cookieName?: string;
+    csrfEnabled?: boolean;
+}
+declare class JwtAuthGuard implements CanActivate {
+    private readonly jwtSecret;
+    private readonly cookieName;
+    private readonly csrfEnabled;
+    constructor(options: JwtAuthGuardOptions);
+    canActivate(context: ExecutionContext): boolean;
+    private extractToken;
+    private validateCsrf;
+}
+export type { JwtAuthGuardOptions };
+export { JwtAuthGuard };

package/types/nestjs/guards/RolesGuard.d.ts

@@ -0,0 +1,8 @@
+import { CanActivate, ExecutionContext } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+declare class RolesGuard implements CanActivate {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+export { RolesGuard };

package/types/nestjs/guards/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./JwtAuthGuard";
+export * from "./RolesGuard";

package/types/nestjs/index.d.ts

@@ -1,5 +1,8 @@
 export * from "./types";
 export * from "./token";
+export * from "./stores";
+export * from "./rbac";
+export * from "./guards";
 export * from "./AuthController";
 export * from "./AuthModule";
 export * from "./JwtPrismaCookieAuthDriver";

package/types/nestjs/rbac.d.ts

@@ -0,0 +1,3 @@
+declare const ROLES_KEY = "ministerjs:roles";
+declare const Roles: (...roles: string[]) => import("@nestjs/common").CustomDecorator<string>;
+export { ROLES_KEY, Roles };

package/types/nestjs/stores.d.ts

@@ -0,0 +1,36 @@
+interface LockoutStore {
+    recordFailure(key: string): Promise<void>;
+    getFailures(key: string): Promise<number>;
+    reset(key: string): Promise<void>;
+}
+declare class InMemoryLockoutStore implements LockoutStore {
+    private readonly windowMs;
+    private entries;
+    constructor(windowMs: number);
+    recordFailure(key: string): Promise<void>;
+    getFailures(key: string): Promise<number>;
+    reset(key: string): Promise<void>;
+}
+interface RefreshTokenStore {
+    save(jti: string, userId: string, expiresAt: Date): Promise<void>;
+    find(jti: string): Promise<{
+        userId: string;
+        expiresAt: Date;
+    } | null>;
+    revoke(jti: string): Promise<void>;
+    revokeAll(userId: string): Promise<void>;
+}
+interface RefreshTokenEntry {
+    userId: string;
+    expiresAt: Date;
+}
+declare class InMemoryRefreshTokenStore implements RefreshTokenStore {
+    private tokens;
+    private userJtis;
+    save(jti: string, userId: string, expiresAt: Date): Promise<void>;
+    find(jti: string): Promise<RefreshTokenEntry | null>;
+    revoke(jti: string): Promise<void>;
+    revokeAll(userId: string): Promise<void>;
+}
+export type { LockoutStore, RefreshTokenStore };
+export { InMemoryLockoutStore, InMemoryRefreshTokenStore };

package/types/nestjs/types.d.ts

@@ -1,5 +1,9 @@
 import type { Request, Response } from "express";
-export type AuthPayload = Record<string, any>;
+export interface LoginPayload {
+    [key: string]: string;
+}
+/** @deprecated Use LoginPayload */
+export type AuthPayload = LoginPayload;
 export interface AuthResponse<User> {
     message: string;
     data: User;
@@ -7,11 +11,37 @@ export interface AuthResponse<User> {
 export interface LogoutResponse {
     message: string;
 }
+export interface JwtAccessPayload {
+    sub: string;
+    roles?: string[];
+    iat?: number;
+    exp?: number;
+}
+export interface JwtRefreshPayload {
+    sub: string;
+    jti: string;
+    iat?: number;
+    exp?: number;
+}
+export interface AuthenticatedUser {
+    id: string;
+    roles: string[];
+    [key: string]: unknown;
+}
+export interface AuditEvent {
+    action: "login" | "logout" | "checkin" | "refresh" | "lockout";
+    userId?: string;
+    ip?: string;
+    userAgent?: string;
+    timestamp: Date;
+    success: boolean;
+    metadata?: Record<string, unknown>;
+}
 export interface AuthDriver<User = any> {
     /**
      * Deve validar o payload recebido e retornar o usuário autenticado.
      */
-    login(payload: AuthPayload, request: Request, response: Response): Promise<User> | User;
+    login(payload: LoginPayload, request: Request, response: Response): Promise<User> | User;
     /**
      * Deve recuperar o usuário a partir do contexto (cookies, headers, sessão, etc.).
      * Retorne `null` ou `undefined` quando não houver sessão ativa.
@@ -21,4 +51,9 @@ export interface AuthDriver<User = any> {
      * Deve encerrar a sessão/tokens do usuário.
      */
     logout(request: Request, response: Response): Promise<void> | void;
+    /**
+     * Renova os tokens usando um refresh token.
+     * Opcional — drivers que não implementam retornam undefined.
+     */
+    refresh?(request: Request, response: Response): Promise<User | null | undefined> | User | null | undefined;
 }

package/types/vue/VueAuth.d.ts

@@ -17,12 +17,14 @@ declare class Auth<User extends Record<string, any>> {
     on: Ref<boolean, boolean>;
     loading: Ref<boolean, boolean>;
     checkedIn: Ref<boolean, boolean>;
+    roles: Ref<string[]>;
     private fetch;
     private mapUser;
     private afterLogout;
     private afterCheckIn;
     private routes;
     constructor({ fetch, mapUser, routes, afterLogout, afterCheckIn, }: Options<User>);
+    signUp(payload: Record<string, any>): Promise<void>;
     login(payload: Record<string, any>): Promise<void>;
     checkIn(): Promise<void>;
     logout(): Promise<void>;