npm - @mostajs/auth-lite - Versions diffs - 0.1.1 → 0.3.0 - Mend

@mostajs/auth-lite 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,18 +1,3 @@
-/**
- * @mostajs/auth-lite — minimal, dependency-free email/password + session auth
- * for Next.js (App Router) on top of @mostajs/orm.
- *
- * Why "lite": it boots in WebContainers (Bolt.new / StackBlitz) and the edge —
- * no native addon (no bcrypt/argon2), and it sets the session cookie on the
- * NextResponse object inside Route Handlers, which sidesteps the AsyncLocalStorage
- * pitfalls of `cookies()` after a DB call in constrained runtimes.
- *
- * Password hashing is salted, iterated SHA-256 (works everywhere). For a
- * production server you can swap in argon2/scrypt — the API is unchanged.
- *
- * @author Dr Hamid MADANI <drmdh@msn.com>
- */
-import type { NextRequest } from 'next/server';
 import type { EntitySchema } from '@mostajs/orm';
 export declare function hashPassword(password: string): string;
 export declare function verifyPassword(password: string, stored: string): boolean;
@@ -42,10 +27,13 @@ export interface AuthLiteConfig {
     loginErrorPath?: string;
     /** Redirect on signup error (default "/signup?error=<kind>"). */
     signupErrorPath?: (kind: 'invalid' | 'exists') => string;
+    /**
+     * Embedding in a **cross-site iframe** (ex. CodeSandbox preview `*.csb.app`) :
+     * un cookie `sameSite:'lax'` n'est PAS renvoyé → session perdue. Mettre `true`
+     * pour utiliser `sameSite:'none'; secure:true` **quand la requête est en
+     * https** (détecté via `x-forwarded-proto`), et retomber sur `lax` en http
+     * (localhost dev). Défaut `false` (lax). ⚠️ `none` réduit la protection CSRF —
+     * à n'activer que pour des previews embarquées, pas pour une vraie prod hors-iframe.
+     */
+    crossSiteCookie?: boolean;
 }
-export declare function createAuthHandlers(config: AuthLiteConfig): {
-    login: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
-    signup: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
-    logout: (req: NextRequest) => Promise<import("next/server").NextResponse<unknown>>;
-};
-export declare function createGetCurrentUser<TUser = unknown>(config: AuthLiteConfig): () => Promise<TUser | null>;

package/dist/index.js CHANGED Viewed

@@ -1,15 +1,22 @@
-import { createHash, randomBytes, timingSafeEqual } from 'crypto';
 /**
- * Réponse 303 avec un `Location` **relatif** (ex. `/dashboard`). Le navigateur
- * le résout contre l'URL PUBLIQUE de la requête courante → fonctionne en
- * WebContainer (StackBlitz/Bolt — qui ne transmettent pas l'hôte public au
- * serveur), derrière un reverse proxy, et en localhost, **sans que le serveur
- * ait besoin de connaître son hôte**. Plus robuste qu'une URL absolue.
+ * @mostajs/auth-lite — minimal email/password + session auth on @mostajs/orm.
+ *
+ * This entry (`@mostajs/auth-lite`) is the **framework-agnostic core** :
+ * password hashing + the `Session` schema + the shared types. It imports
+ * **no `next`**, so it loads in Node / edge / WebContainer and is unit-testable.
+ *
+ * The **Next.js adapter** (Route Handlers + `getCurrentUser`) lives in the
+ * `@mostajs/auth-lite/next` subpath — it statically imports `next/server` and
+ * `next/headers` so that `cookies()` is the first `await` (request scope intact
+ * in WebContainers).
+ *
+ * Password hashing is salted, iterated SHA-256 (no native addon — boots
+ * everywhere). For a production server you can swap in argon2/scrypt; the API
+ * is unchanged.
+ *
+ * @author Dr Hamid MADANI <drmdh@msn.com>
  */
-async function see(location) {
-    const { NextResponse } = await import('next/server');
-    return new NextResponse(null, { status: 303, headers: { Location: location } });
-}
+import { createHash, randomBytes, timingSafeEqual } from 'crypto';
 // ---------------------------------------------------------------------------
 // Password hashing — salted, iterated SHA-256 (no native addon, boots anywhere)
 // ---------------------------------------------------------------------------
@@ -49,84 +56,3 @@ export const SessionSchema = {
     indexes: [{ fields: ['token'], unique: true }],
     timestamps: true,
 };
-// ---------------------------------------------------------------------------
-// Route Handlers — login / signup / logout (set the cookie on the response)
-// ---------------------------------------------------------------------------
-export function createAuthHandlers(config) {
-    const cookie = config.cookieName ?? 'session';
-    const ttlMs = (config.ttlDays ?? 7) * 86400000;
-    const afterAuth = config.afterAuth ?? '/dashboard';
-    const afterLogout = config.afterLogout ?? '/';
-    const loginError = config.loginErrorPath ?? '/login?error=invalid';
-    const signupError = config.signupErrorPath ?? ((k) => `/signup?error=${k}`);
-    async function startSession(sessions, userId) {
-        const token = randomBytes(32).toString('hex');
-        const expiresAt = new Date(Date.now() + ttlMs);
-        await sessions.create({ token, user: userId, expiresAt });
-        const res = await see(afterAuth);
-        res.cookies.set(cookie, token, { httpOnly: true, sameSite: 'lax', path: '/', expires: expiresAt });
-        return res;
-    }
-    /** POST handler — verify credentials, start a session. */
-    async function login(req) {
-        const form = await req.formData();
-        const email = String(form.get('email') ?? '').toLowerCase().trim();
-        const password = String(form.get('password') ?? '');
-        const { users, sessions } = await config.getRepos();
-        const user = await users.findOne({ email });
-        if (!user || !verifyPassword(password, user.passwordHash)) {
-            return see(loginError);
-        }
-        return startSession(sessions, user.id);
-    }
-    /** POST handler — create the account, start a session. */
-    async function signup(req) {
-        const form = await req.formData();
-        const email = String(form.get('email') ?? '').toLowerCase().trim();
-        const name = String(form.get('name') ?? '').trim();
-        const password = String(form.get('password') ?? '');
-        if (!email || !name || password.length < 6) {
-            return see(signupError('invalid'));
-        }
-        const { users, sessions } = await config.getRepos();
-        if (await users.findOne({ email })) {
-            return see(signupError('exists'));
-        }
-        const user = await users.create({ email, name, passwordHash: hashPassword(password) });
-        return startSession(sessions, user.id);
-    }
-    /** POST handler — destroy the session (DB + cookie). */
-    async function logout(req) {
-        const token = req.cookies.get(cookie)?.value;
-        if (token) {
-            const { sessions } = await config.getRepos();
-            const session = await sessions.findOne({ token });
-            if (session)
-                await sessions.delete(session.id);
-        }
-        const res = await see(afterLogout);
-        res.cookies.delete(cookie);
-        return res;
-    }
-    return { login, signup, logout };
-}
-// ---------------------------------------------------------------------------
-// getCurrentUser — read the session in Server Components (cookie read before DB)
-// ---------------------------------------------------------------------------
-export function createGetCurrentUser(config) {
-    const cookie = config.cookieName ?? 'session';
-    return async function getCurrentUser() {
-        const { cookies } = await import('next/headers');
-        const token = (await cookies()).get(cookie)?.value;
-        if (!token)
-            return null;
-        const { sessions } = await config.getRepos();
-        const session = await sessions.findOne({ token });
-        if (!session)
-            return null;
-        if (new Date(session.expiresAt) < new Date())
-            return null;
-        const populated = (await sessions.findByIdWithRelations(session.id, ['user']));
-        return populated?.user ?? null;
-    };
-}

package/dist/next.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * @mostajs/auth-lite/next — Next.js (App Router) adapter.
+ *
+ * Route Handlers (login/signup/logout) + `getCurrentUser`. Imports `next/server`
+ * and `next/headers` **statically** on purpose:
+ *   - the cookie is set on the `NextResponse` object (no `cookies()` write),
+ *   - redirects use a **relative** `Location` → resolved by the browser against
+ *     the public request URL, so it works in WebContainers (StackBlitz/Bolt,
+ *     which don't forward the public host) and behind a reverse proxy,
+ *   - `getCurrentUser` calls `cookies()` as the **first `await`** (no dynamic
+ *     `import` before it) → the request AsyncLocalStorage scope stays intact in
+ *     constrained runtimes (a preceding `await import(...)` loses it).
+ *
+ * The framework-agnostic core (hashing, `SessionSchema`, types) is in the root
+ * entry `@mostajs/auth-lite`.
+ *
+ * @author Dr Hamid MADANI <drmdh@msn.com>
+ */
+import { type NextRequest, NextResponse } from 'next/server';
+import { type AuthRepo, type AuthLiteConfig } from './index.js';
+export type { AuthRepo, AuthLiteConfig };
+export declare function createAuthHandlers(config: AuthLiteConfig): {
+    login: (req: NextRequest) => Promise<NextResponse<unknown>>;
+    signup: (req: NextRequest) => Promise<NextResponse<unknown>>;
+    logout: (req: NextRequest) => Promise<NextResponse<unknown>>;
+};
+export declare function createGetCurrentUser<TUser = unknown>(config: AuthLiteConfig): () => Promise<TUser | null>;

package/dist/next.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * @mostajs/auth-lite/next — Next.js (App Router) adapter.
+ *
+ * Route Handlers (login/signup/logout) + `getCurrentUser`. Imports `next/server`
+ * and `next/headers` **statically** on purpose:
+ *   - the cookie is set on the `NextResponse` object (no `cookies()` write),
+ *   - redirects use a **relative** `Location` → resolved by the browser against
+ *     the public request URL, so it works in WebContainers (StackBlitz/Bolt,
+ *     which don't forward the public host) and behind a reverse proxy,
+ *   - `getCurrentUser` calls `cookies()` as the **first `await`** (no dynamic
+ *     `import` before it) → the request AsyncLocalStorage scope stays intact in
+ *     constrained runtimes (a preceding `await import(...)` loses it).
+ *
+ * The framework-agnostic core (hashing, `SessionSchema`, types) is in the root
+ * entry `@mostajs/auth-lite`.
+ *
+ * @author Dr Hamid MADANI <drmdh@msn.com>
+ */
+import { NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { randomBytes } from 'crypto';
+import { hashPassword, verifyPassword } from './index.js';
+/**
+ * 303 response with a **relative** `Location` (e.g. `/dashboard`). The browser
+ * resolves it against the current request's public URL → works in WebContainer
+ * / reverse-proxy / localhost without the server knowing its own host.
+ */
+function see(location) {
+    return new NextResponse(null, { status: 303, headers: { Location: location } });
+}
+// ---------------------------------------------------------------------------
+// Route Handlers — login / signup / logout (cookie set on the response)
+// ---------------------------------------------------------------------------
+export function createAuthHandlers(config) {
+    const cookie = config.cookieName ?? 'session';
+    const ttlMs = (config.ttlDays ?? 7) * 86400000;
+    const afterAuth = config.afterAuth ?? '/dashboard';
+    const afterLogout = config.afterLogout ?? '/';
+    const loginError = config.loginErrorPath ?? '/login?error=invalid';
+    const signupError = config.signupErrorPath ?? ((k) => `/signup?error=${k}`);
+    const crossSite = config.crossSiteCookie ?? false;
+    /** La requête arrive-t-elle en https (proxy forwarde `x-forwarded-proto`, ou URL https) ? */
+    function isHttps(req) {
+        if (req.headers.get('x-forwarded-proto') === 'https')
+            return true;
+        try {
+            return new URL(req.url).protocol === 'https:';
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Attributs du cookie de session. `crossSiteCookie` + https → `sameSite:'none'`
+     * + `secure` (cookie renvoyé en iframe cross-site, ex. CodeSandbox). Sinon
+     * `sameSite:'lax'` (et pas de `secure`, pour que localhost http garde la session).
+     */
+    function cookieOpts(req, expires) {
+        if (crossSite && isHttps(req)) {
+            return { httpOnly: true, sameSite: 'none', secure: true, path: '/', expires };
+        }
+        return { httpOnly: true, sameSite: 'lax', path: '/', expires };
+    }
+    async function openSession(req, sessions, userId) {
+        const token = randomBytes(32).toString('hex');
+        const expiresAt = new Date(Date.now() + ttlMs);
+        await sessions.create({ token, user: userId, expiresAt });
+        const res = see(afterAuth);
+        res.cookies.set(cookie, token, cookieOpts(req, expiresAt));
+        return res;
+    }
+    /** POST handler — verify credentials, start a session. */
+    async function login(req) {
+        const form = await req.formData();
+        const email = String(form.get('email') ?? '').toLowerCase().trim();
+        const password = String(form.get('password') ?? '');
+        const { users, sessions } = await config.getRepos();
+        const user = await users.findOne({ email });
+        if (!user || !verifyPassword(password, user.passwordHash)) {
+            return see(loginError);
+        }
+        return openSession(req, sessions, user.id);
+    }
+    /** POST handler — create the account, start a session. */
+    async function signup(req) {
+        const form = await req.formData();
+        const email = String(form.get('email') ?? '').toLowerCase().trim();
+        const name = String(form.get('name') ?? '').trim();
+        const password = String(form.get('password') ?? '');
+        if (!email || !name || password.length < 6) {
+            return see(signupError('invalid'));
+        }
+        const { users, sessions } = await config.getRepos();
+        if (await users.findOne({ email })) {
+            return see(signupError('exists'));
+        }
+        const user = await users.create({ email, name, passwordHash: hashPassword(password) });
+        return openSession(req, sessions, user.id);
+    }
+    /** POST handler — destroy the session (DB + cookie). */
+    async function logout(req) {
+        const token = req.cookies.get(cookie)?.value;
+        if (token) {
+            const { sessions } = await config.getRepos();
+            const session = await sessions.findOne({ token });
+            if (session)
+                await sessions.delete(session.id);
+        }
+        const res = see(afterLogout);
+        res.cookies.delete(cookie);
+        return res;
+    }
+    return { login, signup, logout };
+}
+// ---------------------------------------------------------------------------
+// getCurrentUser — read the session in Server Components.
+// `cookies()` MUST be the first `await` (no preceding await/import) so the
+// request scope survives in WebContainers.
+// ---------------------------------------------------------------------------
+export function createGetCurrentUser(config) {
+    const cookie = config.cookieName ?? 'session';
+    return async function getCurrentUser() {
+        const token = (await cookies()).get(cookie)?.value;
+        if (!token)
+            return null;
+        const { sessions } = await config.getRepos();
+        const session = await sessions.findOne({ token });
+        if (!session)
+            return null;
+        if (new Date(session.expiresAt) < new Date())
+            return null;
+        const populated = (await sessions.findByIdWithRelations(session.id, ['user']));
+        return populated?.user ?? null;
+    };
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mostajs/auth-lite",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "description": "Minimal email/password + session auth for Next.js on @mostajs/orm. No native addon — boots in Bolt.new / StackBlitz / edge.",
   "license": "AGPL-3.0-or-later",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",
@@ -10,6 +10,11 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
       "default": "./dist/index.js"
+    },
+    "./next": {
+      "types": "./dist/next.d.ts",
+      "import": "./dist/next.js",
+      "default": "./dist/next.js"
     }
   },
   "files": [