@nocobase/auth 1.6.0-beta.3 → 1.6.0-beta.5

package/lib/auth-manager.d.ts

@@ -11,6 +11,7 @@ import { Registry } from '@nocobase/utils';
 import { Auth, AuthExtend } from './auth';
 import { JwtOptions, JwtService } from './base/jwt-service';
 import { ITokenBlacklistService } from './base/token-blacklist-service';
+import { ITokenControlService } from './base/token-control-service';
 export interface Authenticator {
     authType: string;
     options: Record<string, any>;
@@ -34,12 +35,14 @@ export declare class AuthManager {
      * @internal
      */
     jwt: JwtService;
+    tokenController: ITokenControlService;
     protected options: AuthManagerOptions;
     protected authTypes: Registry<AuthConfig>;
     protected storer: Storer;
     constructor(options: AuthManagerOptions);
     setStorer(storer: Storer): void;
     setTokenBlacklistService(service: ITokenBlacklistService): void;
+    setTokenControlService(service: ITokenControlService): void;
     /**
      * registerTypes
      * @description Add a new authenticate type and the corresponding authenticator.
@@ -63,7 +66,7 @@ export declare class AuthManager {
     get(name: string, ctx: Context): Promise<Auth>;
     /**
      * middleware
-     * @description Auth middleware, used to check the authentication status.
+     * @description Auth middleware, used to check the user status.
      */
     middleware(): (ctx: Context & {
         auth: Auth;

package/lib/auth-manager.js

@@ -37,6 +37,7 @@ const _AuthManager = class _AuthManager {
    * @internal
    */
   jwt;
+  tokenController;
   options;
   authTypes = new import_utils.Registry();
   // authenticators collection manager.
@@ -51,6 +52,9 @@ const _AuthManager = class _AuthManager {
   setTokenBlacklistService(service) {
     this.jwt.blacklist = service;
   }
+  setTokenControlService(service) {
+    this.tokenController = service;
+  }
   /**
    * registerTypes
    * @description Add a new authenticate type and the corresponding authenticator.
@@ -93,19 +97,11 @@ const _AuthManager = class _AuthManager {
   }
   /**
    * middleware
-   * @description Auth middleware, used to check the authentication status.
+   * @description Auth middleware, used to check the user status.
    */
   middleware() {
     const self = this;
     return /* @__PURE__ */ __name(async function AuthManagerMiddleware(ctx, next) {
-      var _a;
-      const token = ctx.getBearerToken();
-      if (token && await ((_a = ctx.app.authManager.jwt.blacklist) == null ? void 0 : _a.has(token))) {
-        return ctx.throw(401, {
-          code: "TOKEN_INVALID",
-          message: ctx.t("Token is invalid")
-        });
-      }
       const name = ctx.get(self.options.authKey) || self.options.default;
       let authenticator;
       try {
@@ -116,11 +112,15 @@ const _AuthManager = class _AuthManager {
         ctx.logger.warn(err.message, { method: "check", authenticator: name });
         return next();
       }
-      if (authenticator) {
-        const user = await ctx.auth.check();
-        if (user) {
-          ctx.auth.user = user;
-        }
+      if (!authenticator) {
+        return next();
+      }
+      if (await ctx.auth.skipCheck()) {
+        return next();
+      }
+      const user = await ctx.auth.check();
+      if (user) {
+        ctx.auth.user = user;
       }
       await next();
     }, "AuthManagerMiddleware");

package/lib/auth.d.ts

@@ -16,6 +16,24 @@ export type AuthConfig = {
     };
     ctx: Context;
 };
+export declare const AuthErrorCode: {
+    EMPTY_TOKEN: "EMPTY_TOKEN";
+    EXPIRED_TOKEN: "EXPIRED_TOKEN";
+    INVALID_TOKEN: "INVALID_TOKEN";
+    TOKEN_RENEW_FAILED: "TOKEN_RENEW_FAILED";
+    BLOCKED_TOKEN: "BLOCKED_TOKEN";
+    EXPIRED_SESSION: "EXPIRED_SESSION";
+    NOT_EXIST_USER: "NOT_EXIST_USER";
+    SKIP_TOKEN_RENEW: "SKIP_TOKEN_RENEW";
+};
+export type AuthErrorType = keyof typeof AuthErrorCode;
+export declare class AuthError extends Error {
+    code: AuthErrorType;
+    constructor(options: {
+        code: AuthErrorType;
+        message: string;
+    });
+}
 export type AuthExtend<T extends Auth> = new (config: AuthConfig) => T;
 interface IAuth {
     user: Model;
@@ -25,6 +43,10 @@ interface IAuth {
     signOut(): Promise<any>;
 }
 export declare abstract class Auth implements IAuth {
+    /**
+     * options keys that are not allowed to use environment variables
+     */
+    static optionsKeysNotAllowedInEnv: string[];
     abstract user: Model;
     protected authenticator: Authenticator;
     protected options: {
@@ -32,6 +54,7 @@ export declare abstract class Auth implements IAuth {
     };
     protected ctx: Context;
     constructor(config: AuthConfig);
+    skipCheck(): Promise<any>;
     abstract check(): Promise<Model>;
     signIn(): Promise<any>;
     signUp(): Promise<any>;

package/lib/auth.js

@@ -11,6 +11,7 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
   for (var name in all)
@@ -25,11 +26,33 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
 var auth_exports = {};
 __export(auth_exports, {
-  Auth: () => Auth
+  Auth: () => Auth,
+  AuthError: () => AuthError,
+  AuthErrorCode: () => AuthErrorCode
 });
 module.exports = __toCommonJS(auth_exports);
+const AuthErrorCode = {
+  EMPTY_TOKEN: "EMPTY_TOKEN",
+  EXPIRED_TOKEN: "EXPIRED_TOKEN",
+  INVALID_TOKEN: "INVALID_TOKEN",
+  TOKEN_RENEW_FAILED: "TOKEN_RENEW_FAILED",
+  BLOCKED_TOKEN: "BLOCKED_TOKEN",
+  EXPIRED_SESSION: "EXPIRED_SESSION",
+  NOT_EXIST_USER: "NOT_EXIST_USER",
+  SKIP_TOKEN_RENEW: "SKIP_TOKEN_RENEW"
+};
+const _AuthError = class _AuthError extends Error {
+  code;
+  constructor(options) {
+    super(options.message);
+    this.code = options.code;
+  }
+};
+__name(_AuthError, "AuthError");
+let AuthError = _AuthError;
 const _Auth = class _Auth {
   authenticator;
   options;
@@ -40,6 +63,16 @@ const _Auth = class _Auth {
     this.options = options;
     this.ctx = ctx;
   }
+  async skipCheck() {
+    const token = this.ctx.getBearerToken();
+    if (!token && this.ctx.app.options.acl === false) {
+      return true;
+    }
+    const { resourceName, actionName } = this.ctx.action;
+    const acl = this.ctx.dataSource.acl;
+    const isPublic = await acl.allowManager.isAllowed(resourceName, actionName, this.ctx);
+    return isPublic;
+  }
   // The following methods are mainly designed for user authentications.
   async signIn() {
   }
@@ -49,8 +82,14 @@ const _Auth = class _Auth {
   }
 };
 __name(_Auth, "Auth");
+/**
+ * options keys that are not allowed to use environment variables
+ */
+__publicField(_Auth, "optionsKeysNotAllowedInEnv");
 let Auth = _Auth;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  Auth
+  Auth,
+  AuthError,
+  AuthErrorCode
 });

package/lib/base/auth.d.ts

@@ -9,6 +9,7 @@
 import { Collection, Model } from '@nocobase/database';
 import { Auth, AuthConfig } from '../auth';
 import { JwtService } from './jwt-service';
+import { ITokenControlService } from './token-control-service';
 /**
  * BaseAuth
  * @description A base class with jwt provide some common methods.
@@ -23,6 +24,7 @@ export declare class BaseAuth extends Auth {
      * @internal
      */
     get jwt(): JwtService;
+    get tokenController(): ITokenControlService;
     set user(user: Model);
     get user(): Model;
     /**
@@ -33,7 +35,7 @@ export declare class BaseAuth extends Auth {
      * @internal
      */
     validateUsername(username: string): boolean;
-    check(): Promise<any>;
+    check(): ReturnType<Auth['check']>;
     validate(): Promise<Model>;
     signIn(): Promise<{
         user: Model<any, any>;

package/lib/base/auth.js

@@ -7,9 +7,11 @@
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
 
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
@@ -24,13 +26,23 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var auth_exports = {};
 __export(auth_exports, {
   BaseAuth: () => BaseAuth
 });
 module.exports = __toCommonJS(auth_exports);
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var import_auth = require("../auth");
+const localeNamespace = "auth";
 const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   userCollection;
   constructor(config) {
@@ -47,6 +59,9 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   get jwt() {
     return this.ctx.app.authManager.jwt;
   }
+  get tokenController() {
+    return this.ctx.app.authManager.tokenController;
+  }
   set user(user) {
     this.ctx.state.currentUser = user;
   }
@@ -66,33 +81,119 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
     return /^[^@.<>"'/]{1,50}$/.test(username);
   }
   async check() {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _i;
     const token = this.ctx.getBearerToken();
     if (!token) {
-      return null;
+      this.ctx.throw(401, {
+        message: this.ctx.t("Unauthenticated. Please sign in to continue.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.EMPTY_TOKEN
+      });
     }
+    let tokenStatus;
+    let payload;
     try {
-      const { userId, roleName, iat, temp } = await this.jwt.decode(token);
-      if (roleName) {
-        this.ctx.headers["x-role"] = roleName;
+      payload = await this.jwt.decode(token);
+      tokenStatus = "valid";
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        tokenStatus = "expired";
+        payload = import_jsonwebtoken.default.decode(token);
+      } else {
+        this.ctx.logger.error(err, { method: "jwt.decode" });
+        this.ctx.throw(401, {
+          message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+          code: import_auth.AuthErrorCode.INVALID_TOKEN
+        });
+      }
+    }
+    const { userId, roleName, iat, temp, jti, exp, signInTime } = payload ?? {};
+    const tokenPolicy = await this.tokenController.getConfig();
+    if (signInTime && Date.now() - signInTime > tokenPolicy.sessionExpirationTime) {
+      this.ctx.throw(401, {
+        message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.EXPIRED_SESSION
+      });
+    }
+    if (tokenStatus === "valid" && Date.now() - iat * 1e3 > tokenPolicy.tokenExpirationTime) {
+      tokenStatus = "expired";
+    }
+    const blocked = await this.jwt.blacklist.has(jti ?? token);
+    if (blocked) {
+      this.ctx.throw(401, {
+        message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.BLOCKED_TOKEN
+      });
+    }
+    if (roleName) {
+      this.ctx.headers["x-role"] = roleName;
+    }
+    const cache = this.ctx.cache;
+    const user = await cache.wrap(
+      this.getCacheKey(userId),
+      () => this.userRepository.findOne({
+        filter: {
+          id: userId
+        },
+        raw: true
+      })
+    );
+    if (!temp && tokenStatus !== "valid") {
+      this.ctx.throw(401, {
+        message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.INVALID_TOKEN
+      });
+    }
+    if (tokenStatus === "valid" && user.passwordChangeTz && iat * 1e3 < user.passwordChangeTz) {
+      this.ctx.throw(401, {
+        message: this.ctx.t("User password changed, please signin again.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.INVALID_TOKEN
+      });
+    }
+    if (tokenStatus === "expired") {
+      if (tokenPolicy.expiredTokenRenewLimit > 0 && Date.now() - exp * 1e3 > tokenPolicy.expiredTokenRenewLimit) {
+        this.ctx.throw(401, {
+          message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+          code: import_auth.AuthErrorCode.EXPIRED_SESSION
+        });
       }
-      const cache = this.ctx.cache;
-      const user = await cache.wrap(
-        this.getCacheKey(userId),
-        () => this.userRepository.findOne({
-          filter: {
-            id: userId
-          },
-          raw: true
-        })
-      );
-      if (temp && user.passwordChangeTz && iat * 1e3 < user.passwordChangeTz) {
-        throw new Error("Token is invalid");
+      try {
+        this.ctx.logger.info("token renewing", {
+          method: "auth.check",
+          url: this.ctx.originalUrl,
+          headers: JSON.stringify((_b = (_a = this.ctx) == null ? void 0 : _a.req) == null ? void 0 : _b.headers)
+        });
+        const isStreamRequest = ((_e = (_d = (_c = this.ctx) == null ? void 0 : _c.req) == null ? void 0 : _d.headers) == null ? void 0 : _e.accept) === "text/event-stream";
+        if (isStreamRequest) {
+          this.ctx.throw(401, {
+            message: "Stream api not allow renew token.",
+            code: import_auth.AuthErrorCode.SKIP_TOKEN_RENEW
+          });
+        }
+        const renewedResult = await this.tokenController.renew(jti);
+        this.ctx.logger.info("token renewed", {
+          method: "auth.check",
+          url: this.ctx.originalUrl,
+          headers: JSON.stringify((_g = (_f = this.ctx) == null ? void 0 : _f.req) == null ? void 0 : _g.headers)
+        });
+        const expiresIn = Math.floor(tokenPolicy.tokenExpirationTime / 1e3);
+        const newToken = this.jwt.sign({ userId, roleName, temp, signInTime }, { jwtid: renewedResult.jti, expiresIn });
+        this.ctx.res.setHeader("x-new-token", newToken);
+        return user;
+      } catch (err) {
+        this.ctx.logger.info("token renew failed", {
+          method: "auth.check",
+          url: this.ctx.originalUrl,
+          err,
+          headers: JSON.stringify((_i = (_h = this.ctx) == null ? void 0 : _h.req) == null ? void 0 : _i.headers)
+        });
+        const options = err instanceof import_auth.AuthError ? { code: err.code, message: err.message } : { message: err.message, code: err.code ?? import_auth.AuthErrorCode.INVALID_TOKEN };
+        this.ctx.throw(401, {
+          message: this.ctx.t(options.message, { ns: localeNamespace }),
+          code: options.code
+        });
       }
-      return user;
-    } catch (err) {
-      this.ctx.logger.error(err, { method: "check" });
-      return null;
     }
+    return user;
   }
   async validate() {
     return null;
@@ -102,15 +203,30 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
     try {
       user = await this.validate();
     } catch (err) {
-      this.ctx.throw(err.status || 401, err.message);
+      this.ctx.throw(err.status || 401, err.message, {
+        ...err
+      });
     }
     if (!user) {
-      this.ctx.throw(401, "Unauthorized");
+      this.ctx.throw(401, {
+        message: this.ctx.t("User not found. Please sign in again to continue.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.NOT_EXIST_USER
+      });
     }
-    const token = this.jwt.sign({
-      userId: user.id,
-      temp: true
-    });
+    const tokenInfo = await this.tokenController.add({ userId: user.id });
+    const expiresIn = Math.floor((await this.tokenController.getConfig()).tokenExpirationTime / 1e3);
+    const token = this.jwt.sign(
+      {
+        userId: user.id,
+        temp: true,
+        iat: Math.floor(tokenInfo.issuedTime / 1e3),
+        signInTime: tokenInfo.signInTime
+      },
+      {
+        jwtid: tokenInfo.jti,
+        expiresIn
+      }
+    );
     return {
       user,
       token

package/lib/base/jwt-service.d.ts

@@ -6,7 +6,7 @@
  * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
-import jwt, { SignOptions } from 'jsonwebtoken';
+import jwt, { JwtPayload, SignOptions } from 'jsonwebtoken';
 import { ITokenBlacklistService } from './token-blacklist-service';
 export interface JwtOptions {
     secret: string;
@@ -20,7 +20,7 @@ export declare class JwtService {
     private expiresIn;
     private secret;
     sign(payload: SignPayload, options?: SignOptions): string;
-    decode(token: string): Promise<any>;
+    decode(token: string): Promise<JwtPayload>;
     /**
      * @description Block a token so that this token can no longer be used
      */

package/lib/base/jwt-service.js

@@ -86,9 +86,9 @@ const _JwtService = class _JwtService {
       return null;
     }
     try {
-      const { exp } = await this.decode(token);
+      const { exp, jti } = await this.decode(token);
       return this.blacklist.add({
-        token,
+        token: jti ?? token,
         expiration: new Date(exp * 1e3).toString()
       });
     } catch {

package/lib/base/token-control-service.d.ts

@@ -0,0 +1,38 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export interface TokenPolicyConfig {
+    tokenExpirationTime: string;
+    sessionExpirationTime: string;
+    expiredTokenRenewLimit: string;
+}
+type millisecond = number;
+export type NumericTokenPolicyConfig = {
+    [K in keyof TokenPolicyConfig]: millisecond;
+};
+export type TokenInfo = {
+    jti: string;
+    userId: number;
+    issuedTime: EpochTimeStamp;
+    signInTime: EpochTimeStamp;
+    renewed: boolean;
+};
+export type JTIStatus = 'valid' | 'inactive' | 'blocked' | 'missing' | 'renewed' | 'expired';
+export interface ITokenControlService {
+    getConfig(): Promise<NumericTokenPolicyConfig>;
+    setConfig(config: TokenPolicyConfig): Promise<any>;
+    renew(jti: string): Promise<{
+        jti: string;
+        issuedTime: EpochTimeStamp;
+    }>;
+    add({ userId }: {
+        userId: number;
+    }): Promise<TokenInfo>;
+    removeSessionExpiredTokens(userId: number): Promise<void>;
+}
+export {};

package/lib/base/token-control-service.js

@@ -0,0 +1,24 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var token_control_service_exports = {};
+module.exports = __toCommonJS(token_control_service_exports);

package/lib/client.d.ts

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export { AuthErrorCode } from './auth';

package/lib/client.js

@@ -0,0 +1,36 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var client_exports = {};
+__export(client_exports, {
+  AuthErrorCode: () => import_auth.AuthErrorCode
+});
+module.exports = __toCommonJS(client_exports);
+var import_auth = require("./auth");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthErrorCode
+});

package/lib/index.d.ts

@@ -11,3 +11,4 @@ export * from './auth';
 export * from './auth-manager';
 export * from './base/auth';
 export * from './base/token-blacklist-service';
+export * from './base/token-control-service';

package/lib/index.js

@@ -28,11 +28,13 @@ __reExport(src_exports, require("./auth"), module.exports);
 __reExport(src_exports, require("./auth-manager"), module.exports);
 __reExport(src_exports, require("./base/auth"), module.exports);
 __reExport(src_exports, require("./base/token-blacklist-service"), module.exports);
+__reExport(src_exports, require("./base/token-control-service"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ...require("./actions"),
   ...require("./auth"),
   ...require("./auth-manager"),
   ...require("./base/auth"),
-  ...require("./base/token-blacklist-service")
+  ...require("./base/token-blacklist-service"),
+  ...require("./base/token-control-service")
 });

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@nocobase/auth",
-  "version": "1.6.0-beta.3",
+  "version": "1.6.0-beta.5",
   "description": "",
   "license": "AGPL-3.0",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
-    "@nocobase/actions": "1.6.0-beta.3",
-    "@nocobase/cache": "1.6.0-beta.3",
-    "@nocobase/database": "1.6.0-beta.3",
-    "@nocobase/resourcer": "1.6.0-beta.3",
-    "@nocobase/utils": "1.6.0-beta.3",
+    "@nocobase/actions": "1.6.0-beta.5",
+    "@nocobase/cache": "1.6.0-beta.5",
+    "@nocobase/database": "1.6.0-beta.5",
+    "@nocobase/resourcer": "1.6.0-beta.5",
+    "@nocobase/utils": "1.6.0-beta.5",
     "@types/jsonwebtoken": "^8.5.8",
     "jsonwebtoken": "^8.5.1"
   },
@@ -19,5 +19,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/auth"
   },
-  "gitHead": "19a659c49d7eedd3d57e46f9df2e8540f55c99b7"
+  "gitHead": "66e7c7239b29361bc60543886d107ba0e00085d9"
 }