@notoofly/auth-server 1.0.0

package/dist/adapters/express/index.d.ts

@@ -0,0 +1,3 @@
+export type { AuthenticatedRequest, ExpressAuthOptions } from "./middleware.js";
+export { createAuthMiddleware, createGuard, createPermissionGuard, createRoleGuard, } from "./middleware.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/express/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/adapters/express/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EACN,oBAAoB,EACpB,WAAW,EACX,qBAAqB,EACrB,eAAe,GACf,MAAM,iBAAiB,CAAC"}

package/dist/adapters/express/index.js

@@ -0,0 +1,2 @@
+export { createAuthMiddleware, createGuard, createPermissionGuard, createRoleGuard, } from "./middleware.js";
+//# sourceMappingURL=index.js.map

package/dist/adapters/express/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/adapters/express/index.ts"],"names":[],"mappings":"AACA,OAAO,EACN,oBAAoB,EACpB,WAAW,EACX,qBAAqB,EACrB,eAAe,GACf,MAAM,iBAAiB,CAAC"}

package/dist/adapters/express/middleware.d.ts

@@ -0,0 +1,14 @@
+import type { NextFunction, Request, Response } from "express";
+import type { AuthContext, GuardOptions, JwtVerificationConfig } from "../../types/index.js";
+export interface ExpressAuthOptions extends JwtVerificationConfig {
+    readonly extractFrom?: "header" | "cookie" | "both";
+    readonly cookieName?: string;
+}
+export interface AuthenticatedRequest extends Request {
+    auth?: AuthContext;
+}
+export declare function createAuthMiddleware(options: ExpressAuthOptions): (req: AuthenticatedRequest, res: Response, next: NextFunction) => Promise<void>;
+export declare function createRoleGuard(role: string): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+export declare function createPermissionGuard(permission: string): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+export declare function createGuard(options: GuardOptions): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/adapters/express/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/adapters/express/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EACX,WAAW,EACX,YAAY,EACZ,qBAAqB,EACrB,MAAM,sBAAsB,CAAC;AAO9B,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAChE,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpD,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACpD,IAAI,CAAC,EAAE,WAAW,CAAC;CACnB;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,kBAAkB,IAM9D,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,KAChB,OAAO,CAAC,IAAI,CAAC,CAmDhB;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,IAE1C,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,KAChB,IAAI,CAiCP;AAED,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,IAEtD,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,KAChB,IAAI,CAiCP;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,YAAY,IAE/C,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,KAChB,IAAI,CAiCP"}

package/dist/adapters/express/middleware.js

@@ -0,0 +1,156 @@
+import { JwtVerifier } from "../../core/jwt-verifier.js";
+import { checkGuard } from "../../utils/authorization.js";
+import { extractTokenFromCookie, extractTokenFromHeader, } from "../../utils/token-extraction.js";
+export function createAuthMiddleware(options) {
+    const verifier = new JwtVerifier(options);
+    const extractFrom = options.extractFrom ?? "header";
+    const cookieName = options.cookieName ?? "access_token";
+    return async (req, res, next) => {
+        try {
+            let token = null;
+            switch (extractFrom) {
+                case "header":
+                    token = extractTokenFromHeader(req.headers.authorization);
+                    break;
+                case "cookie":
+                    token = extractTokenFromCookie(req.headers.cookie, cookieName);
+                    break;
+                case "both":
+                    token =
+                        extractTokenFromHeader(req.headers.authorization) ??
+                            extractTokenFromCookie(req.headers.cookie, cookieName);
+                    break;
+            }
+            if (!token) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        code: "AUTH.TOKEN.MISSING",
+                        message: "Authentication token is required",
+                    },
+                    meta: {
+                        requestId: res.locals.requestId ?? "unknown",
+                        timestamp: new Date().toISOString(),
+                    },
+                });
+                return;
+            }
+            const user = await verifier.verifyAccessToken(token);
+            req.auth = { user, token };
+            next();
+        }
+        catch (error) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    code: "AUTH.TOKEN.INVALID",
+                    message: error instanceof Error ? error.message : "Invalid token",
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+        }
+    };
+}
+export function createRoleGuard(role) {
+    return (req, res, next) => {
+        if (!req.auth?.user) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    code: "AUTH.REQUIRED",
+                    message: "Authentication required",
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        if (!req.auth.user.roles.includes(role)) {
+            res.status(403).json({
+                success: false,
+                error: {
+                    code: "AUTH.ROLE.REQUIRED",
+                    message: `Role '${role}' is required`,
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        next();
+    };
+}
+export function createPermissionGuard(permission) {
+    return (req, res, next) => {
+        if (!req.auth?.user) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    code: "AUTH.REQUIRED",
+                    message: "Authentication required",
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        if (!req.auth.user.permissions.includes(permission)) {
+            res.status(403).json({
+                success: false,
+                error: {
+                    code: "AUTH.PERMISSION.REQUIRED",
+                    message: `Permission '${permission}' is required`,
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        next();
+    };
+}
+export function createGuard(options) {
+    return (req, res, next) => {
+        if (!req.auth?.user) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    code: "AUTH.REQUIRED",
+                    message: "Authentication required",
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        if (!checkGuard(req.auth.user, options)) {
+            res.status(403).json({
+                success: false,
+                error: {
+                    code: "AUTH.GUARD.FAILED",
+                    message: "Access denied by authorization guard",
+                },
+                meta: {
+                    requestId: res.locals.requestId ?? "unknown",
+                    timestamp: new Date().toISOString(),
+                },
+            });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/adapters/express/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/adapters/express/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAMzD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EACN,sBAAsB,EACtB,sBAAsB,GACtB,MAAM,iCAAiC,CAAC;AAWzC,MAAM,UAAU,oBAAoB,CAAC,OAA2B;IAC/D,MAAM,QAAQ,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,QAAQ,CAAC;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC;IAExD,OAAO,KAAK,EACX,GAAyB,EACzB,GAAa,EACb,IAAkB,EACF,EAAE;QAClB,IAAI,CAAC;YACJ,IAAI,KAAK,GAAkB,IAAI,CAAC;YAEhC,QAAQ,WAAW,EAAE,CAAC;gBACrB,KAAK,QAAQ;oBACZ,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;oBAC1D,MAAM;gBACP,KAAK,QAAQ;oBACZ,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;oBAC/D,MAAM;gBACP,KAAK,MAAM;oBACV,KAAK;wBACJ,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;4BACjD,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;oBACxD,MAAM;YACR,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACpB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACN,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,kCAAkC;qBAC3C;oBACD,IAAI,EAAE;wBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;wBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACnC;iBACD,CAAC,CAAC;gBACH,OAAO;YACR,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YACrD,GAAG,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;YAE3B,IAAI,EAAE,CAAC;QACR,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;iBACjE;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;QACJ,CAAC;IACF,CAAC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAY;IAC3C,OAAO,CACN,GAAyB,EACzB,GAAa,EACb,IAAkB,EACX,EAAE;QACT,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,yBAAyB;iBAClC;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,SAAS,IAAI,eAAe;iBACrC;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,EAAE,CAAC;IACR,CAAC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,UAAkB;IACvD,OAAO,CACN,GAAyB,EACzB,GAAa,EACb,IAAkB,EACX,EAAE;QACT,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,yBAAyB;iBAClC;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,0BAA0B;oBAChC,OAAO,EAAE,eAAe,UAAU,eAAe;iBACjD;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,EAAE,CAAC;IACR,CAAC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAqB;IAChD,OAAO,CACN,GAAyB,EACzB,GAAa,EACb,IAAkB,EACX,EAAE;QACT,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,yBAAyB;iBAClC;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACN,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,sCAAsC;iBAC/C;gBACD,IAAI,EAAE;oBACL,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS;oBAC5C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACnC;aACD,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,IAAI,EAAE,CAAC;IACR,CAAC,CAAC;AACH,CAAC"}

package/dist/core/index.d.ts

@@ -0,0 +1,3 @@
+export type { JwtVerificationConfig } from "../types/index.js";
+export { JwtVerifier } from "./jwt-verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/core/index.js

@@ -0,0 +1,2 @@
+export { JwtVerifier } from "./jwt-verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/core/jwt-verifier.d.ts

@@ -0,0 +1,16 @@
+import type { AuthUser, JwtVerificationConfig } from "../types/index.js";
+export declare class JwtVerifier {
+    private readonly config;
+    private cache;
+    private fetchPromise;
+    constructor(config: JwtVerificationConfig);
+    verifyAccessToken(token: string): Promise<AuthUser>;
+    getUserFromToken(token: string): Promise<AuthUser>;
+    private getPublicKey;
+    private getJwks;
+    private fetchJwks;
+    private isCacheExpired;
+    private decodeTokenHeader;
+    private mapPayloadToAuthUser;
+}
+//# sourceMappingURL=jwt-verifier.d.ts.map

package/dist/core/jwt-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-verifier.d.ts","sourceRoot":"","sources":["../../src/core/jwt-verifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACX,QAAQ,EAER,qBAAqB,EACrB,MAAM,mBAAmB,CAAC;AAgB3B,qBAAa,WAAW;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,KAAK,CAA0B;IACvC,OAAO,CAAC,YAAY,CAAmC;gBAE3C,MAAM,EAAE,qBAAqB;IAOnC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IA6BnD,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;YAI1C,YAAY;YAWZ,OAAO;YAgBP,SAAS;IAyBvB,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,iBAAiB;IAczB,OAAO,CAAC,oBAAoB;CAiB5B"}

package/dist/core/jwt-verifier.js

@@ -0,0 +1,117 @@
+import { importJWK, jwtVerify } from "jose";
+export class JwtVerifier {
+    config;
+    cache = null;
+    fetchPromise = null;
+    constructor(config) {
+        this.config = {
+            cacheTtl: 300000, // 5 minutes default
+            ...config,
+        };
+    }
+    async verifyAccessToken(token) {
+        try {
+            // Decode token to get key ID
+            const header = this.decodeTokenHeader(token);
+            const keyId = header.kid;
+            if (!keyId) {
+                throw new Error("Token missing key ID (kid)");
+            }
+            // Get public key
+            const publicKey = await this.getPublicKey(keyId);
+            // Verify token
+            const { payload } = await jwtVerify(token, publicKey, {
+                issuer: this.config.issuer,
+                audience: this.config.audience,
+                algorithms: ["RS256", "ES256"],
+            });
+            return this.mapPayloadToAuthUser(payload);
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw new Error(`JWT verification failed: ${error.message}`);
+            }
+            throw new Error("JWT verification failed: Unknown error");
+        }
+    }
+    async getUserFromToken(token) {
+        return this.verifyAccessToken(token);
+    }
+    async getPublicKey(keyId) {
+        const jwks = await this.getJwks();
+        const key = jwks.keys.find((k) => k.kid === keyId);
+        if (!key) {
+            throw new Error(`Key with ID ${keyId} not found in JWKS`);
+        }
+        return importJWK(key);
+    }
+    async getJwks() {
+        // Check cache first
+        if (this.cache && !this.isCacheExpired(this.cache)) {
+            return this.cache;
+        }
+        // If fetch is in progress, wait for it
+        if (this.fetchPromise) {
+            return this.fetchPromise;
+        }
+        // Start new fetch
+        this.fetchPromise = this.fetchJwks();
+        return this.fetchPromise;
+    }
+    async fetchJwks() {
+        try {
+            const response = await fetch(this.config.jwksUri);
+            if (!response.ok) {
+                throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+            }
+            const jwks = (await response.json());
+            const now = Date.now();
+            this.cache = {
+                keys: jwks.keys,
+                fetchedAt: now,
+                expiresAt: now + (this.config.cacheTtl ?? 300000),
+            };
+            return this.cache;
+        }
+        catch (error) {
+            this.fetchPromise = null;
+            throw error;
+        }
+        finally {
+            this.fetchPromise = null;
+        }
+    }
+    isCacheExpired(cache) {
+        return Date.now() >= cache.expiresAt;
+    }
+    decodeTokenHeader(token) {
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new Error("Invalid token format");
+        }
+        try {
+            const header = JSON.parse(atob(parts[0] ?? "{}"));
+            return header;
+        }
+        catch {
+            throw new Error("Failed to decode token header");
+        }
+    }
+    mapPayloadToAuthUser(payload) {
+        return {
+            sub: payload.sub,
+            email: typeof payload.email === "string" ? payload.email : "",
+            roles: payload.roles ?? [],
+            permissions: payload.permissions ?? [],
+            iat: payload.iat,
+            exp: payload.exp,
+            iss: payload.iss,
+            aud: typeof payload.aud === "string"
+                ? payload.aud
+                : Array.isArray(payload.aud)
+                    ? (payload.aud[0] ?? "")
+                    : "",
+        };
+    }
+}
+//# sourceMappingURL=jwt-verifier.js.map

package/dist/core/jwt-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-verifier.js","sourceRoot":"","sources":["../../src/core/jwt-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkB,SAAS,EAAmB,SAAS,EAAE,MAAM,MAAM,CAAC;AAqB7E,MAAM,OAAO,WAAW;IACN,MAAM,CAAwB;IACvC,KAAK,GAAqB,IAAI,CAAC;IAC/B,YAAY,GAA8B,IAAI,CAAC;IAEvD,YAAY,MAA6B;QACxC,IAAI,CAAC,MAAM,GAAG;YACb,QAAQ,EAAE,MAAM,EAAE,oBAAoB;YACtC,GAAG,MAAM;SACT,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACpC,IAAI,CAAC;YACJ,6BAA6B;YAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC;YAEzB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAC/C,CAAC;YAED,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAM,CAAC,CAAC;YAElD,eAAe;YACf,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE;gBACrD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC9B,UAAU,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC;aAC9B,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC3D,CAAC;IACF,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,KAAa;QACnC,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,KAAa;QACvC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC;QAEnD,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,eAAe,KAAK,oBAAoB,CAAC,CAAC;QAC3D,CAAC;QAED,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,OAAO;QACpB,oBAAoB;QACpB,IAAI,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC,KAAK,CAAC;QACnB,CAAC;QAED,uCAAuC;QACvC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,YAAY,CAAC;QAC1B,CAAC;QAED,kBAAkB;QAClB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC,YAAY,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,SAAS;QACtB,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACpE,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiB,CAAC;YACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAEvB,IAAI,CAAC,KAAK,GAAG;gBACZ,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC;aACjD,CAAC;YAEF,OAAO,IAAI,CAAC,KAAK,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YACzB,MAAM,KAAK,CAAC;QACb,CAAC;gBAAS,CAAC;YACV,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC1B,CAAC;IACF,CAAC;IAEO,cAAc,CAAC,KAAgB;QACtC,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,CAAC;IACtC,CAAC;IAEO,iBAAiB,CAAC,KAAa;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;YAClD,OAAO,MAAM,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACR,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;IACF,CAAC;IAEO,oBAAoB,CAAC,OAAmB;QAC/C,OAAO;YACN,GAAG,EAAE,OAAO,CAAC,GAAI;YACjB,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;YAC7D,KAAK,EAAG,OAAO,CAAC,KAAkB,IAAI,EAAE;YACxC,WAAW,EAAG,OAAO,CAAC,WAAwB,IAAI,EAAE;YACpD,GAAG,EAAE,OAAO,CAAC,GAAI;YACjB,GAAG,EAAE,OAAO,CAAC,GAAI;YACjB,GAAG,EAAE,OAAO,CAAC,GAAI;YACjB,GAAG,EACF,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC9B,CAAC,CAAC,OAAO,CAAC,GAAG;gBACb,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;oBAC3B,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBACxB,CAAC,CAAC,EAAE;SACP,CAAC;IACH,CAAC;CACD"}

package/dist/types/auth-user.d.ts

@@ -0,0 +1,12 @@
+import type { JWTPayload } from "jose";
+export interface AuthUser extends JWTPayload {
+    readonly sub: string;
+    readonly email?: string;
+    readonly roles: readonly string[];
+    readonly permissions: readonly string[];
+    readonly iat: number;
+    readonly exp: number;
+    readonly iss: string;
+    readonly aud: string;
+}
+//# sourceMappingURL=auth-user.d.ts.map

package/dist/types/auth-user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-user.d.ts","sourceRoot":"","sources":["../../src/types/auth-user.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,MAAM,WAAW,QAAS,SAAQ,UAAU;IAC3C,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACrB"}

package/dist/types/auth-user.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth-user.js.map

package/dist/types/auth-user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-user.js","sourceRoot":"","sources":["../../src/types/auth-user.ts"],"names":[],"mappings":""}

package/dist/types/index.d.ts

@@ -0,0 +1,40 @@
+export interface AuthUser {
+    readonly sub: string;
+    readonly email?: string;
+    readonly roles: readonly string[];
+    readonly permissions: readonly string[];
+    readonly iat: number;
+    readonly exp: number;
+    readonly iss: string;
+    readonly aud: string;
+}
+export interface JwtVerificationConfig {
+    readonly jwksUri: string;
+    readonly issuer: string;
+    readonly audience: string;
+    readonly cacheTtl?: number;
+}
+export interface JwksCache {
+    readonly keys: readonly any[];
+    readonly fetchedAt: number;
+    readonly expiresAt: number;
+}
+export type Algorithm = "RS256" | "ES256";
+export interface GuardOptions {
+    readonly roles?: readonly string[];
+    readonly permissions?: readonly string[];
+}
+export interface AuthContext {
+    readonly user: AuthUser;
+    readonly token: string;
+}
+export declare class JwtVerificationError extends Error {
+    readonly code: string;
+    readonly token?: string | undefined;
+    constructor(message: string, code: string, token?: string | undefined);
+}
+export declare class JwksFetchError extends Error {
+    readonly cause?: Error | undefined;
+    constructor(message: string, cause?: Error | undefined);
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,SAAS;IACzB,QAAQ,CAAC,IAAI,EAAE,SAAS,GAAG,EAAE,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;AAE1C,MAAM,WAAW,YAAY;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,oBAAqB,SAAQ,KAAK;aAG7B,IAAI,EAAE,MAAM;aACZ,KAAK,CAAC,EAAE,MAAM;gBAF9B,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,KAAK,CAAC,EAAE,MAAM,YAAA;CAK/B;AAED,qBAAa,cAAe,SAAQ,KAAK;aAGvB,KAAK,CAAC,EAAE,KAAK;gBAD7B,OAAO,EAAE,MAAM,EACC,KAAK,CAAC,EAAE,KAAK,YAAA;CAK9B"}

package/dist/types/index.js

@@ -0,0 +1,19 @@
+export class JwtVerificationError extends Error {
+    code;
+    token;
+    constructor(message, code, token) {
+        super(message);
+        this.code = code;
+        this.token = token;
+        this.name = "JwtVerificationError";
+    }
+}
+export class JwksFetchError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "JwksFetchError";
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAoCA,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAG7B;IACA;IAHjB,YACC,OAAe,EACC,IAAY,EACZ,KAAc;QAE9B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QACZ,UAAK,GAAL,KAAK,CAAS;QAG9B,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACpC,CAAC;CACD;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IAGvB;IAFjB,YACC,OAAe,EACC,KAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC9B,CAAC;CACD"}

package/dist/utils/authorization.d.ts

@@ -0,0 +1,9 @@
+import type { AuthUser, GuardOptions } from "../types/index.js";
+export declare function hasRole(user: AuthUser, role: string): boolean;
+export declare function hasPermission(user: AuthUser, permission: string): boolean;
+export declare function hasAnyRole(user: AuthUser, roles: readonly string[]): boolean;
+export declare function hasAllRoles(user: AuthUser, roles: readonly string[]): boolean;
+export declare function hasAnyPermission(user: AuthUser, permissions: readonly string[]): boolean;
+export declare function hasAllPermissions(user: AuthUser, permissions: readonly string[]): boolean;
+export declare function checkGuard(user: AuthUser, options: GuardOptions): boolean;
+//# sourceMappingURL=authorization.d.ts.map

package/dist/utils/authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["../../src/utils/authorization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEhE,wBAAgB,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED,wBAAgB,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAEzE;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAE5E;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAE7E;AAED,wBAAgB,gBAAgB,CAC/B,IAAI,EAAE,QAAQ,EACd,WAAW,EAAE,SAAS,MAAM,EAAE,GAC5B,OAAO,CAET;AAED,wBAAgB,iBAAiB,CAChC,IAAI,EAAE,QAAQ,EACd,WAAW,EAAE,SAAS,MAAM,EAAE,GAC5B,OAAO,CAET;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAgBzE"}

package/dist/utils/authorization.js

@@ -0,0 +1,33 @@
+export function hasRole(user, role) {
+    return user.roles.includes(role);
+}
+export function hasPermission(user, permission) {
+    return user.permissions.includes(permission);
+}
+export function hasAnyRole(user, roles) {
+    return roles.some((role) => hasRole(user, role));
+}
+export function hasAllRoles(user, roles) {
+    return roles.every((role) => hasRole(user, role));
+}
+export function hasAnyPermission(user, permissions) {
+    return permissions.some((permission) => hasPermission(user, permission));
+}
+export function hasAllPermissions(user, permissions) {
+    return permissions.every((permission) => hasPermission(user, permission));
+}
+export function checkGuard(user, options) {
+    const { roles, permissions } = options;
+    if (roles && roles.length > 0) {
+        if (!hasAnyRole(user, roles)) {
+            return false;
+        }
+    }
+    if (permissions && permissions.length > 0) {
+        if (!hasAnyPermission(user, permissions)) {
+            return false;
+        }
+    }
+    return true;
+}
+//# sourceMappingURL=authorization.js.map

package/dist/utils/authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.js","sourceRoot":"","sources":["../../src/utils/authorization.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,OAAO,CAAC,IAAc,EAAE,IAAY;IACnD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAc,EAAE,UAAkB;IAC/D,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAc,EAAE,KAAwB;IAClE,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAc,EAAE,KAAwB;IACnE,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC/B,IAAc,EACd,WAA8B;IAE9B,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAChC,IAAc,EACd,WAA8B;IAE9B,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAc,EAAE,OAAqB;IAC/D,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAEvC,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACd,CAAC;IACF,CAAC;IAED,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACd,CAAC;IACF,CAAC;IAED,OAAO,IAAI,CAAC;AACb,CAAC"}

package/dist/utils/security.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Security utilities for production environment
+ */
+export interface SecurityConfig {
+    allowedOrigins: string[];
+    maxRequestSize: number;
+    rateLimiting: {
+        enabled: boolean;
+        windowMs: number;
+        maxRequests: number;
+    };
+    cookies: {
+        secure: boolean;
+        httpOnly: boolean;
+        sameSite: "strict" | "lax" | "none";
+    };
+}
+export declare const defaultSecurityConfig: SecurityConfig;
+/**
+ * Validate origin against allowed origins
+ */
+export declare function validateOrigin(origin: string | undefined): boolean;
+/**
+ * Sanitize error messages for production
+ */
+export declare function sanitizeError(error: Error | string): string;
+/**
+ * Generate secure random token
+ */
+export declare function generateSecureToken(length?: number): string;
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,cAAc;IAC9B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE;QACb,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,OAAO,EAAE;QACR,MAAM,EAAE,OAAO,CAAC;QAChB,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;KACpC,CAAC;CACF;AAED,eAAO,MAAM,qBAAqB,EAAE,cAenC,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAQlE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,CAS3D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,SAAK,GAAG,MAAM,CAUvD"}

package/dist/utils/security.js

@@ -0,0 +1,55 @@
+/**
+ * Security utilities for production environment
+ */
+export const defaultSecurityConfig = {
+    allowedOrigins: process.env.ALLOWED_ORIGINS?.split(",") || [
+        "https://yourdomain.com",
+    ],
+    maxRequestSize: 10 * 1024 * 1024, // 10MB
+    rateLimiting: {
+        enabled: process.env.NODE_ENV === "production",
+        windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10),
+        maxRequests: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || "100", 10),
+    },
+    cookies: {
+        secure: process.env.NODE_ENV === "production",
+        httpOnly: true,
+        sameSite: "strict",
+    },
+};
+/**
+ * Validate origin against allowed origins
+ */
+export function validateOrigin(origin) {
+    if (!origin)
+        return false;
+    const allowedOrigins = defaultSecurityConfig.allowedOrigins;
+    return allowedOrigins.some((allowed) => {
+        if (allowed === "*")
+            return true;
+        return origin === allowed || origin.startsWith(allowed.replace("*", ""));
+    });
+}
+/**
+ * Sanitize error messages for production
+ */
+export function sanitizeError(error) {
+    const message = typeof error === "string" ? error : error.message;
+    if (process.env.NODE_ENV === "production") {
+        // Remove sensitive information from error messages
+        return message.replace(/password|token|secret|key/gi, "[REDACTED]");
+    }
+    return message;
+}
+/**
+ * Generate secure random token
+ */
+export function generateSecureToken(length = 32) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+    let result = "";
+    for (let i = 0; i < length; i++) {
+        result += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    return result;
+}
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAiBH,MAAM,CAAC,MAAM,qBAAqB,GAAmB;IACpD,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI;QAC1D,wBAAwB;KACxB;IACD,cAAc,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;IACzC,YAAY,EAAE;QACb,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC9C,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,OAAO,EAAE,EAAE,CAAC;QACnE,WAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,KAAK,EAAE,EAAE,CAAC;KACvE;IACD,OAAO,EAAE;QACR,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC7C,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,QAAQ;KAClB;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAA0B;IACxD,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,MAAM,cAAc,GAAG,qBAAqB,CAAC,cAAc,CAAC;IAC5D,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QACtC,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACjC,OAAO,MAAM,KAAK,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAqB;IAClD,MAAM,OAAO,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC;IAElE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3C,mDAAmD;QACnD,OAAO,OAAO,CAAC,OAAO,CAAC,6BAA6B,EAAE,YAAY,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAM,GAAG,EAAE;IAC9C,MAAM,KAAK,GACV,gEAAgE,CAAC;IAClE,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC"}

package/dist/utils/token-extraction.d.ts

@@ -0,0 +1,3 @@
+export declare function extractTokenFromHeader(authHeader: string | undefined | null): string | null;
+export declare function extractTokenFromCookie(cookieHeader: string | undefined | null, cookieName?: string): string | null;
+//# sourceMappingURL=token-extraction.d.ts.map

package/dist/utils/token-extraction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-extraction.d.ts","sourceRoot":"","sources":["../../src/utils/token-extraction.ts"],"names":[],"mappings":"AAAA,wBAAgB,sBAAsB,CACrC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACnC,MAAM,GAAG,IAAI,CAWf;AAED,wBAAgB,sBAAsB,CACrC,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACvC,UAAU,SAAiB,GACzB,MAAM,GAAG,IAAI,CAcf"}