@moss-dev/moss-auth-guard 1.0.0

package/dist/auth.guard.d.ts

@@ -0,0 +1,9 @@
+import { CanActivate, ExecutionContext } from "@nestjs/common";
+import { JwtService } from "@nestjs/jwt";
+import { Reflector } from "@nestjs/core";
+export declare class MossAuthGuard implements CanActivate {
+    private readonly jwtService;
+    private readonly reflector;
+    constructor(jwtService: JwtService, reflector: Reflector);
+    canActivate(ctx: ExecutionContext): boolean;
+}

package/dist/auth.guard.js

@@ -0,0 +1,69 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MossAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const core_1 = require("@nestjs/core");
+const require_auth_decorator_js_1 = require("./require-auth.decorator.js");
+const SCOPE_RANK = {
+    read: 1,
+    write: 2,
+    admin: 3,
+};
+let MossAuthGuard = class MossAuthGuard {
+    jwtService;
+    reflector;
+    constructor(jwtService, reflector) {
+        this.jwtService = jwtService;
+        this.reflector = reflector;
+    }
+    canActivate(ctx) {
+        const req = ctx.switchToHttp().getRequest();
+        const authHeader = req.headers["authorization"];
+        if (!authHeader?.startsWith("Bearer ")) {
+            throw new common_1.UnauthorizedException("Authorization header with Bearer token is required");
+        }
+        const token = authHeader.slice(7);
+        let payload;
+        try {
+            payload = this.jwtService.verify(token, {
+                algorithms: ["HS256"],
+            });
+        }
+        catch {
+            throw new common_1.UnauthorizedException("Invalid or expired token");
+        }
+        if (typeof payload.sub !== "string" || !payload.sub) {
+            throw new common_1.UnauthorizedException("Invalid token payload");
+        }
+        req.projectId = payload.sub;
+        req.orgId = payload.org ?? "";
+        req.scope = payload.scope ?? "";
+        // Scope enforcement
+        const requiredScope = this.reflector.getAllAndOverride(require_auth_decorator_js_1.REQUIRE_AUTH_SCOPE, [ctx.getHandler(), ctx.getClass()]);
+        if (requiredScope && requiredScope !== true) {
+            const tokenScopeRank = SCOPE_RANK[payload.scope] ?? 0;
+            const requiredScopeRank = SCOPE_RANK[requiredScope] ?? 0;
+            if (tokenScopeRank < requiredScopeRank) {
+                throw new common_1.UnauthorizedException("Insufficient scope");
+            }
+        }
+        return true;
+    }
+};
+exports.MossAuthGuard = MossAuthGuard;
+exports.MossAuthGuard = MossAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [jwt_1.JwtService,
+        core_1.Reflector])
+], MossAuthGuard);
+//# sourceMappingURL=auth.guard.js.map

package/dist/auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.guard.js","sourceRoot":"","sources":["../src/auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAKwB;AACxB,qCAAyC;AACzC,uCAAyC;AACzC,2EAGqC;AAQrC,MAAM,UAAU,GAA8B;IAC5C,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;CACT,CAAC;AAGK,IAAM,aAAa,GAAnB,MAAM,aAAa;IAEL;IACA;IAFnB,YACmB,UAAsB,EACtB,SAAoB;QADpB,eAAU,GAAV,UAAU,CAAY;QACtB,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ,WAAW,CAAC,GAAqB;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAKrC,CAAC;QAEL,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,8BAAqB,CAC7B,oDAAoD,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAa,KAAK,EAAE;gBAClD,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,8BAAqB,CAAC,0BAA0B,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACpD,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC3D,CAAC;QAED,GAAG,CAAC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC;QAC5B,GAAG,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAC9B,GAAG,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QAEhC,oBAAoB;QACpB,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAEpD,8CAAkB,EAAE,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAE1D,IAAI,aAAa,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC5C,MAAM,cAAc,GAAG,UAAU,CAAC,OAAO,CAAC,KAAkB,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,iBAAiB,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YACzD,IAAI,cAAc,GAAG,iBAAiB,EAAE,CAAC;gBACvC,MAAM,IAAI,8BAAqB,CAAC,oBAAoB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AAtDY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAU,GAAE;qCAGoB,gBAAU;QACX,gBAAS;GAH5B,aAAa,CAsDzB"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { MossAuthGuard } from "./auth.guard.js";
+export { RequireAuth, REQUIRE_AUTH_SCOPE, type AuthScope, } from "./require-auth.decorator.js";
+export { ProjectId } from "./project-id.decorator.js";
+export { OrgId } from "./org-id.decorator.js";

package/dist/index.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrgId = exports.ProjectId = exports.REQUIRE_AUTH_SCOPE = exports.RequireAuth = exports.MossAuthGuard = void 0;
+var auth_guard_js_1 = require("./auth.guard.js");
+Object.defineProperty(exports, "MossAuthGuard", { enumerable: true, get: function () { return auth_guard_js_1.MossAuthGuard; } });
+var require_auth_decorator_js_1 = require("./require-auth.decorator.js");
+Object.defineProperty(exports, "RequireAuth", { enumerable: true, get: function () { return require_auth_decorator_js_1.RequireAuth; } });
+Object.defineProperty(exports, "REQUIRE_AUTH_SCOPE", { enumerable: true, get: function () { return require_auth_decorator_js_1.REQUIRE_AUTH_SCOPE; } });
+var project_id_decorator_js_1 = require("./project-id.decorator.js");
+Object.defineProperty(exports, "ProjectId", { enumerable: true, get: function () { return project_id_decorator_js_1.ProjectId; } });
+var org_id_decorator_js_1 = require("./org-id.decorator.js");
+Object.defineProperty(exports, "OrgId", { enumerable: true, get: function () { return org_id_decorator_js_1.OrgId; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,iDAAgD;AAAvC,8GAAA,aAAa,OAAA;AACtB,yEAIqC;AAHnC,wHAAA,WAAW,OAAA;AACX,+HAAA,kBAAkB,OAAA;AAGpB,qEAAsD;AAA7C,oHAAA,SAAS,OAAA;AAClB,6DAA8C;AAArC,4GAAA,KAAK,OAAA"}

package/dist/org-id.decorator.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Extracts req.orgId — set by MossAuthGuard after successful JWT verification.
+ */
+export declare const OrgId: (...dataOrPipes: unknown[]) => ParameterDecorator;

package/dist/org-id.decorator.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrgId = void 0;
+const common_1 = require("@nestjs/common");
+/**
+ * Extracts req.orgId — set by MossAuthGuard after successful JWT verification.
+ */
+exports.OrgId = (0, common_1.createParamDecorator)((_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return req.orgId;
+});
+//# sourceMappingURL=org-id.decorator.js.map

package/dist/org-id.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"org-id.decorator.js","sourceRoot":"","sources":["../src/org-id.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAAwE;AAExE;;GAEG;AACU,QAAA,KAAK,GAAG,IAAA,6BAAoB,EACvC,CAAC,KAAc,EAAE,GAAqB,EAAU,EAAE;IAChD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAqB,CAAC;IAC/D,OAAO,GAAG,CAAC,KAAK,CAAC;AACnB,CAAC,CACF,CAAC"}

package/dist/project-id.decorator.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Extracts req.projectId — set by MossAuthGuard after successful JWT verification.
+ */
+export declare const ProjectId: (...dataOrPipes: unknown[]) => ParameterDecorator;

package/dist/project-id.decorator.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectId = void 0;
+const common_1 = require("@nestjs/common");
+/**
+ * Extracts req.projectId — set by MossAuthGuard after successful JWT verification.
+ */
+exports.ProjectId = (0, common_1.createParamDecorator)((_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return req.projectId;
+});
+//# sourceMappingURL=project-id.decorator.js.map

package/dist/project-id.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-id.decorator.js","sourceRoot":"","sources":["../src/project-id.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAAwE;AAExE;;GAEG;AACU,QAAA,SAAS,GAAG,IAAA,6BAAoB,EAC3C,CAAC,KAAc,EAAE,GAAqB,EAAU,EAAE;IAChD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAyB,CAAC;IACnE,OAAO,GAAG,CAAC,SAAS,CAAC;AACvB,CAAC,CACF,CAAC"}

package/dist/require-auth.decorator.d.ts

@@ -0,0 +1,8 @@
+export type AuthScope = "read" | "write" | "admin";
+export declare const REQUIRE_AUTH_SCOPE = "REQUIRE_AUTH_SCOPE";
+/**
+ * Marks a route as requiring authentication.
+ * @param scope Optional minimum scope required. Defaults to any valid token.
+ *              Hierarchy: admin ⊃ write ⊃ read
+ */
+export declare const RequireAuth: (scope?: AuthScope) => import("@nestjs/common").CustomDecorator<string>;

package/dist/require-auth.decorator.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequireAuth = exports.REQUIRE_AUTH_SCOPE = void 0;
+const common_1 = require("@nestjs/common");
+exports.REQUIRE_AUTH_SCOPE = "REQUIRE_AUTH_SCOPE";
+/**
+ * Marks a route as requiring authentication.
+ * @param scope Optional minimum scope required. Defaults to any valid token.
+ *              Hierarchy: admin ⊃ write ⊃ read
+ */
+const RequireAuth = (scope) => (0, common_1.SetMetadata)(exports.REQUIRE_AUTH_SCOPE, scope ?? true);
+exports.RequireAuth = RequireAuth;
+//# sourceMappingURL=require-auth.decorator.js.map

package/dist/require-auth.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-auth.decorator.js","sourceRoot":"","sources":["../src/require-auth.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA6C;AAGhC,QAAA,kBAAkB,GAAG,oBAAoB,CAAC;AAEvD;;;;GAIG;AACI,MAAM,WAAW,GAAG,CAAC,KAAiB,EAAE,EAAE,CAC/C,IAAA,oBAAW,EAAC,0BAAkB,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC;AADpC,QAAA,WAAW,eACyB"}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@moss-dev/moss-auth-guard",
+  "version": "1.0.0",
+  "description": "Shared NestJS auth guard and decorators for Moss microservices",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "jest"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/jwt": "^11.0.0",
+    "reflect-metadata": "^0.2.0"
+  },
+  "devDependencies": {
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/jwt": "^11.0.0",
+    "@nestjs/testing": "^11.0.0",
+    "@types/jest": "^29.0.0",
+    "jest": "^29.0.0",
+    "reflect-metadata": "^0.2.0",
+    "rxjs": "^7.8.0",
+    "ts-jest": "^29.0.0",
+    "typescript": "^5.0.0"
+  },
+  "jest": {
+    "moduleFileExtensions": [
+      "js",
+      "json",
+      "ts"
+    ],
+    "rootDir": "src",
+    "testRegex": ".*\\.spec\\.ts$",
+    "transform": {
+      "^.+\\.(t|j)s$": "ts-jest"
+    },
+    "moduleNameMapper": {
+      "^(\\.{1,2}/.*)\\.js$": "$1"
+    },
+    "testEnvironment": "node"
+  }
+}