@mostajs/auth 2.1.1 → 2.2.0

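--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,21 +1,29 @@
-MIT License
-
-Copyright (c) 2024 Dr Hamid MADANI <drmdh@msn.com>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+GNU AFFERO GENERAL PUBLIC LICENSE
+Version 3, 19 November 2007
+
+Copyright (c) 2026 Dr Hamid MADANI <drmdh@msn.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+COMMERCIAL LICENSE
+
+For organizations that cannot comply with the AGPL open-source requirements,
+a commercial license is available. Contact: drmdh@msn.com
+
+The commercial license allows you to:
+- Use the software in proprietary/closed-source projects
+- Modify without publishing your source code
+- Get priority support and SLA
+
+Contact: Dr Hamid MADANI <drmdh@msn.com>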
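--- a/package/README.md
+++ b/package/README.md
@@ -62,3 +62,66 @@ await createAdmin({ email: 'admin@test.com', password: 'Admin123!', firstName: '
 import { usePermissions } from '@mostajs/auth'
 import { PermissionGuard, SessionProvider } from '@mostajs/auth'
 ```
+
+## Environment
+
+```bash
+AUTH_SECRET=your-32-bytes-secret # required — openssl rand -hex 32
+# or alias for NextAuth compat:
+NEXTAUTH_SECRET=your-32-bytes-secret
+```
+
+### Profile cascade with `MOSTA_ENV` (v2.2+)
+
+Powered by [`@mostajs/config`](https://www.npmjs.com/package/@mostajs/config).
+Keep one `.env` with profile-prefixed overrides à la
+[Spring Boot profiles](https://docs.spring.io/spring-boot/reference/features/profiles.html)
+(`spring.profiles.active=test`) :
+
+```bash
+MOSTA_ENV=TEST
+AUTH_SECRET=dev-secret-fallback
+TEST_AUTH_SECRET=test-specific-secret
+PROD_AUTH_SECRET=${VAULT_AUTH_SECRET} # injected by orchestrator
+```
+
+**Resolution cascade** (first non-empty value wins) :
+
+1. `${MOSTA_ENV}_AUTH_SECRET` — profile-prefixed override
+2. `AUTH_SECRET` — plain default
+3. `NEXTAUTH_SECRET` — NextAuth-compat alias
+4. `undefined` — NextAuth raises its own configuration error
+
+Missing profile overrides silently fall back to the plain variable — no
+crash if the profiled key is absent. Empty strings (`TEST_AUTH_SECRET=`)
+are treated as "not set" so they don't silently leak a blank value to
+the signer.
+
+### Why this matters for auth
+
+Routing secret resolution through `@mostajs/config` lets you keep **one**
+`.env` file in your repo with non-secret profile defaults (dev/test keys)
+and have the orchestrator (Vault, Scaleway Secrets, Kubernetes Secrets,
+Docker env) inject the real `PROD_AUTH_SECRET` at runtime. No more
+juggling `.env.test` / `.env.development` / `.env.production` and
+forgetting to sync them. Users who already defined `AUTH_SECRET` or
+`NEXTAUTH_SECRET` keep working unchanged — the cascade is fully
+backward-compatible.
+
+## Changelog
+
+### v2.2.0 — 2026-04-21
+
+**Added** : `AUTH_SECRET` / `NEXTAUTH_SECRET` resolution routed through
+[`@mostajs/config`](https://www.npmjs.com/package/@mostajs/config). Users
+who set `MOSTA_ENV=TEST` now get `TEST_AUTH_SECRET` preferred over plain
+`AUTH_SECRET`, with silent fallback to the plain variable when the
+profiled override is absent. Matches Spring Boot profile semantics
+(`spring.profiles.active=test`).
+
+- `lib/auth.ts` : secret resolution via `getEnv()` instead of
+`process.env.X`
+- `package.json` : add `@mostajs/config ^1.0.0` dependency, bump to
+`2.2.0`
+- `README` : document the Environment section + profile cascade +
+changelog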
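--- a/package/dist/lib/auth.js
+++ b/package/dist/lib/auth.js
@@ -3,6 +3,7 @@
 // Phase 3: schemas/repos imported from @mostajs/rbac
 import NextAuth from 'next-auth';
 import CredentialsProvider from 'next-auth/providers/credentials';
+import { getEnv } from '@mostajs/config';
 import { getRbacRepos } from '@mostajs/rbac/lib/repos-factory';
 import { comparePassword } from './password';
 /**
@@ -13,7 +14,7 @@ import { comparePassword } from './password';
 */
 export function createAuthHandlers(rolePermissions, config) {
 const { handlers, auth, signIn, signOut } = NextAuth({
-secret: process.env.AUTH_SECRET || process.env.NEXTAUTH_SECRET,
+secret: getEnv('AUTH_SECRET') || getEnv('NEXTAUTH_SECRET'),
 trustHost: true,
 debug: false,
 useSecureCookies: false,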
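Review bot: The new `secret:` line passes whatever `getEnv('AUTH_SECRET') || getEnv('NEXTAUTH_SECRET')` yields straight into NextAuth, so when neither the profiled key nor either plain variable is set the failure surfaces only as the generic NextAuth configuration error the README's cascade step 4 refers to, which cannot name the `${MOSTA_ENV}_AUTH_SECRET` key this release introduces. Resolving into a named constant with a fail-fast check keeps the diagnosis local: `const secret = getEnv('AUTH_SECRET') || getEnv('NEXTAUTH_SECRET');` then `if (!secret) throw new Error('AUTH_SECRET is not set (checked <MOSTA_ENV>_AUTH_SECRET, AUTH_SECRET, NEXTAUTH_SECRET)');` and `secret,` in the options object. The `||` is the right operator here only because the README states that `getEnv` treats empty strings as unset; that behaviour lives in `@mostajs/config` and is not visible in this diff, so a why-comment above the call would help the next reader, e.g. `// getEnv() applies the MOSTA_ENV profile cascade and treats '' as unset (see @mostajs/config)`. This section is compiled `dist` output — the `lib/auth.ts` source the changelog cites is not part of the diff — and `createAuthHandlers` continues past the end of the hunk.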
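--- a/package/package.json
+++ b/package/package.json
@@ -1,9 +1,9 @@
 {
 "name": "@mostajs/auth",
-"version": "2.1.1",
+"version": "2.2.0",
 "description": "Authentication — NextAuth, password hashing, session management",
 "author": "Dr Hamid MADANI <drmdh@msn.com>",
-"license": "MIT",
+"license": "AGPL-3.0-or-later",
 "type": "module",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -118,6 +118,7 @@
 "prepublishOnly": "npm run build"
 },
 "dependencies": {
+"@mostajs/config": "^1.0.0",
 "@mostajs/net": "^2.0.0",
 "@mostajs/orm": "^1.7.0",
 "bcryptjs": "^2.4.3"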
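Review bot: `@mostajs/config` is added at `^1.0.0` while it now sits between the process environment and NextAuth's signing secret, so the guarantees the README attaches to this release (profile-prefixed override, empty string treated as unset) are really properties of whichever 1.x a consumer's install resolves. If those `getEnv` semantics post-date 1.0.0 the floor should be raised to the first version that has them, and either way this dependency deserves the same supply-chain scrutiny as the auth code itself, since a consumer's lockfile is the only thing pinning it. The `license` field also flips from `MIT` to `AGPL-3.0-or-later` in the first hunk, yet the v2.2.0 changelog added to the README lists only the config dependency, the version bump and the docs. A relicensing in a minor release is something downstream compliance tooling will flag, so it should get its own changelog bullet stating that the package moved from MIT to AGPL-3.0-or-later with a commercial option.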