@mountsqli/auth 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +117 -0
- package/package.json +18 -6
package/README.md
ADDED
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
# @mountsqli/auth
|
|
2
|
+
|
|
3
|
+
Complete, production-ready authentication system for MountSQLi applications.
|
|
4
|
+
|
|
5
|
+
## Features
|
|
6
|
+
|
|
7
|
+
- **Email/password** — Secure registration and login with scrypt hashing
|
|
8
|
+
- **JWT sessions** — Configurable expiration, revocable via database sessions
|
|
9
|
+
- **OAuth** — Google, GitHub with CSRF protection and email verification
|
|
10
|
+
- **2FA** — TOTP-based with QR code generation
|
|
11
|
+
- **RBAC** — Role-based access control with permission checking
|
|
12
|
+
- **Email verification** — Send verification emails on registration
|
|
13
|
+
- **Password reset** — Secure token-based password reset flow
|
|
14
|
+
- **Rate limiting** — Built-in protection against brute force attacks
|
|
15
|
+
- **CSRF protection** — For cookie-based authentication
|
|
16
|
+
- **Token encryption** — OAuth tokens encrypted at rest with AES-256-GCM
|
|
17
|
+
- **Framework middleware** — Express, Next.js, Hono, Fastify
|
|
18
|
+
|
|
19
|
+
## Installation
|
|
20
|
+
|
|
21
|
+
```bash
|
|
22
|
+
npm install @mountsqli/auth
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
## Quick Start
|
|
26
|
+
|
|
27
|
+
```typescript
|
|
28
|
+
import { createAuth, credentials, google, github } from '@mountsqli/auth';
|
|
29
|
+
import { mountsqli } from '@mountsqli/pg/node-postgres';
|
|
30
|
+
|
|
31
|
+
const db = mountsqli(process.env.DATABASE_URL!);
|
|
32
|
+
|
|
33
|
+
export const auth = createAuth({
|
|
34
|
+
db,
|
|
35
|
+
secret: process.env.AUTH_SECRET!,
|
|
36
|
+
providers: [
|
|
37
|
+
credentials(),
|
|
38
|
+
google({ clientId: process.env.GOOGLE_ID!, clientSecret: process.env.GOOGLE_SECRET! }),
|
|
39
|
+
github({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
|
|
40
|
+
],
|
|
41
|
+
session: { strategy: 'jwt', maxAge: 30 * 24 * 60 * 60 },
|
|
42
|
+
});
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Usage
|
|
46
|
+
|
|
47
|
+
### Register & Login
|
|
48
|
+
|
|
49
|
+
```typescript
|
|
50
|
+
// Register
|
|
51
|
+
const { user, token } = await auth.register({ email, password, name });
|
|
52
|
+
|
|
53
|
+
// Login
|
|
54
|
+
const result = await auth.login('credentials', { email, password });
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
### OAuth
|
|
58
|
+
|
|
59
|
+
```typescript
|
|
60
|
+
// Get redirect URL
|
|
61
|
+
const url = await auth.signIn('google');
|
|
62
|
+
|
|
63
|
+
// Handle callback
|
|
64
|
+
const result = await auth.handleCallback('google', { code, state });
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### Middleware (Express)
|
|
68
|
+
|
|
69
|
+
```typescript
|
|
70
|
+
import { expressMiddleware, requireAuth } from '@mountsqli/auth';
|
|
71
|
+
|
|
72
|
+
app.use(expressMiddleware(auth));
|
|
73
|
+
app.get('/api/me', requireAuth(auth), (req, res) => {
|
|
74
|
+
res.json(req.auth.user);
|
|
75
|
+
});
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
### RBAC
|
|
79
|
+
|
|
80
|
+
```typescript
|
|
81
|
+
await auth.rbac.createRole({ name: 'admin', permissions: ['*'] });
|
|
82
|
+
await auth.rbac.assignRole(userId, 'admin');
|
|
83
|
+
const allowed = await auth.rbac.authorize(userId, 'posts:write');
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### 2FA
|
|
87
|
+
|
|
88
|
+
```typescript
|
|
89
|
+
const { secret, otpauthUrl } = await auth.twoFactor.generate(userId);
|
|
90
|
+
await auth.twoFactor.enable(userId, code);
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
### Password Reset
|
|
94
|
+
|
|
95
|
+
```typescript
|
|
96
|
+
await auth.passwordReset.create(email);
|
|
97
|
+
await auth.passwordReset.verify(token, newPassword);
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
## Security
|
|
101
|
+
|
|
102
|
+
- scrypt password hashing with timing-safe comparison
|
|
103
|
+
- JWT with HS256 algorithm (prevents algorithm confusion)
|
|
104
|
+
- OAuth state validation (CSRF protection)
|
|
105
|
+
- AES-256-GCM token encryption at rest
|
|
106
|
+
- Rate limiting on all auth endpoints
|
|
107
|
+
- Input validation (email format, password strength)
|
|
108
|
+
- Generic error messages (prevents user enumeration)
|
|
109
|
+
- Timing-safe TOTP comparison
|
|
110
|
+
|
|
111
|
+
## Documentation
|
|
112
|
+
|
|
113
|
+
📖 [Documentation](https://mountsqli.vercel.app/docs/auth/overview)
|
|
114
|
+
|
|
115
|
+
## License
|
|
116
|
+
|
|
117
|
+
MIT
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mountsqli/auth",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"exports": {
|
|
6
6
|
".": {
|
|
@@ -10,7 +10,11 @@
|
|
|
10
10
|
},
|
|
11
11
|
"main": "./dist/index.js",
|
|
12
12
|
"types": "./dist/index.d.ts",
|
|
13
|
-
"files": [
|
|
13
|
+
"files": [
|
|
14
|
+
"dist",
|
|
15
|
+
"LICENSE",
|
|
16
|
+
"README.md"
|
|
17
|
+
],
|
|
14
18
|
"scripts": {
|
|
15
19
|
"build": "tsup",
|
|
16
20
|
"dev": "tsup --watch",
|
|
@@ -27,10 +31,18 @@
|
|
|
27
31
|
"hono": "^4.0.0"
|
|
28
32
|
},
|
|
29
33
|
"peerDependenciesMeta": {
|
|
30
|
-
"pg": {
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
"
|
|
34
|
+
"pg": {
|
|
35
|
+
"optional": true
|
|
36
|
+
},
|
|
37
|
+
"express": {
|
|
38
|
+
"optional": true
|
|
39
|
+
},
|
|
40
|
+
"fastify": {
|
|
41
|
+
"optional": true
|
|
42
|
+
},
|
|
43
|
+
"hono": {
|
|
44
|
+
"optional": true
|
|
45
|
+
}
|
|
34
46
|
},
|
|
35
47
|
"devDependencies": {
|
|
36
48
|
"@mountsqli/pg": "workspace:*",
|