@mostajs/auth 2.1.2 → 2.2.0

package/README.md

@@ -62,3 +62,66 @@ await createAdmin({ email: 'admin@test.com', password: 'Admin123!', firstName: '
 import { usePermissions } from '@mostajs/auth'
 import { PermissionGuard, SessionProvider } from '@mostajs/auth'
 ```
+
+## Environment
+
+```bash
+AUTH_SECRET=your-32-bytes-secret           # required — openssl rand -hex 32
+# or alias for NextAuth compat:
+NEXTAUTH_SECRET=your-32-bytes-secret
+```
+
+### Profile cascade with `MOSTA_ENV` (v2.2+)
+
+Powered by [`@mostajs/config`](https://www.npmjs.com/package/@mostajs/config).
+Keep one `.env` with profile-prefixed overrides à la
+[Spring Boot profiles](https://docs.spring.io/spring-boot/reference/features/profiles.html)
+(`spring.profiles.active=test`) :
+
+```bash
+MOSTA_ENV=TEST
+AUTH_SECRET=dev-secret-fallback
+TEST_AUTH_SECRET=test-specific-secret
+PROD_AUTH_SECRET=${VAULT_AUTH_SECRET}      # injected by orchestrator
+```
+
+**Resolution cascade** (first non-empty value wins) :
+
+1. `${MOSTA_ENV}_AUTH_SECRET` — profile-prefixed override
+2. `AUTH_SECRET` — plain default
+3. `NEXTAUTH_SECRET` — NextAuth-compat alias
+4. `undefined` — NextAuth raises its own configuration error
+
+Missing profile overrides silently fall back to the plain variable — no
+crash if the profiled key is absent. Empty strings (`TEST_AUTH_SECRET=`)
+are treated as "not set" so they don't silently leak a blank value to
+the signer.
+
+### Why this matters for auth
+
+Routing secret resolution through `@mostajs/config` lets you keep **one**
+`.env` file in your repo with non-secret profile defaults (dev/test keys)
+and have the orchestrator (Vault, Scaleway Secrets, Kubernetes Secrets,
+Docker env) inject the real `PROD_AUTH_SECRET` at runtime. No more
+juggling `.env.test` / `.env.development` / `.env.production` and
+forgetting to sync them. Users who already defined `AUTH_SECRET` or
+`NEXTAUTH_SECRET` keep working unchanged — the cascade is fully
+backward-compatible.
+
+## Changelog
+
+### v2.2.0 — 2026-04-21
+
+**Added** : `AUTH_SECRET` / `NEXTAUTH_SECRET` resolution routed through
+[`@mostajs/config`](https://www.npmjs.com/package/@mostajs/config). Users
+who set `MOSTA_ENV=TEST` now get `TEST_AUTH_SECRET` preferred over plain
+`AUTH_SECRET`, with silent fallback to the plain variable when the
+profiled override is absent. Matches Spring Boot profile semantics
+(`spring.profiles.active=test`).
+
+- `lib/auth.ts` : secret resolution via `getEnv()` instead of
+  `process.env.X`
+- `package.json` : add `@mostajs/config ^1.0.0` dependency, bump to
+  `2.2.0`
+- `README` : document the Environment section + profile cascade +
+  changelog

package/dist/lib/auth.js

@@ -3,6 +3,7 @@
 // Phase 3: schemas/repos imported from @mostajs/rbac
 import NextAuth from 'next-auth';
 import CredentialsProvider from 'next-auth/providers/credentials';
+import { getEnv } from '@mostajs/config';
 import { getRbacRepos } from '@mostajs/rbac/lib/repos-factory';
 import { comparePassword } from './password';
 /**
@@ -13,7 +14,7 @@ import { comparePassword } from './password';
  */
 export function createAuthHandlers(rolePermissions, config) {
     const { handlers, auth, signIn, signOut } = NextAuth({
-        secret: process.env.AUTH_SECRET || process.env.NEXTAUTH_SECRET,
+        secret: getEnv('AUTH_SECRET') || getEnv('NEXTAUTH_SECRET'),
         trustHost: true,
         debug: false,
         useSecureCookies: false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mostajs/auth",
-  "version": "2.1.2",
+  "version": "2.2.0",
   "description": "Authentication — NextAuth, password hashing, session management",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",
   "license": "AGPL-3.0-or-later",
@@ -118,6 +118,7 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
+    "@mostajs/config": "^1.0.0",
     "@mostajs/net": "^2.0.0",
     "@mostajs/orm": "^1.7.0",
     "bcryptjs": "^2.4.3"