@nwire/auth 0.7.0

package/dist/routes.js

@@ -0,0 +1,252 @@
+/**
+ * Auth routes — `{name}Route` + `{name}Handler` pairs for every canonical
+ * identity operation. Mount them on any `httpInterface` directly or via
+ * the `mountAuth(api)` helper:
+ *
+ *   import { httpInterface } from "@nwire/http";
+ *   import { mountAuth, identityPlugin } from "@nwire/auth";
+ *
+ *   const api = mountAuth(httpInterface({ prefix: "/api/v1" }));
+ *   // mounts: POST /auth/sign-in, /sign-out, /refresh, /register,
+ *   //         /request-password-reset, /reset-password, /verify-email,
+ *   //         GET  /auth/me
+ *
+ *   const app = createApp({
+ *     plugins: [identityPlugin({ adapter })],
+ *     ...
+ *   });
+ *
+ *   // app.runtime registers "idp" on the container; handlers resolve it
+ *   await endpoint("api").serve(app).serve(api).run();
+ *
+ * Each handler reads `idp` from the container (registered by
+ * `identityPlugin`) and delegates the business logic to the adapter.
+ * Apps that want only a subset of operations import individual
+ * `{Route, Handler}` pairs and wire them by hand instead of using
+ * `mountAuth`.
+ */
+import { z } from "zod";
+import { defineResource, NotFound } from "@nwire/forge";
+import { post, get } from "@nwire/http";
+import { response } from "@nwire/handler";
+// ─── Resources (response shapes) ───────────────────────────────────
+const UserResource = defineResource("User", {
+    schema: z.object({
+        id: z.string(),
+        email: z.string().optional(),
+        name: z.string().optional(),
+        roles: z.array(z.string()).readonly().optional(),
+        tenant: z.string().optional(),
+    }),
+});
+const TokensResource = defineResource("AuthTokens", {
+    schema: z.object({
+        accessToken: z.string(),
+        refreshToken: z.string().optional(),
+        idToken: z.string().optional(),
+        expiresAt: z.number().optional(),
+        tokenType: z.enum(["Bearer", "Cookie"]).optional(),
+    }),
+});
+const SignInResource = defineResource("SignInResult", {
+    schema: z.object({
+        user: UserResource.schema,
+        tokens: TokensResource.schema,
+    }),
+});
+const ok202 = response(202);
+const ok200User = response(200, UserResource);
+const ok200SignIn = response(200, SignInResource);
+const ok200Tokens = response(200, TokensResource);
+// ─── Schemas ───────────────────────────────────────────────────────
+const SignInBody = z.object({ email: z.email(), password: z.string().min(1) });
+const SignOutBody = z.object({ token: z.string() });
+const RefreshBody = z.object({ refreshToken: z.string() });
+const RegisterBody = z.object({
+    email: z.email(),
+    password: z.string().min(8),
+    name: z.string().optional(),
+});
+const RequestPwResetBody = z.object({ email: z.email() });
+const ResetPasswordBody = z.object({ resetToken: z.string(), newPassword: z.string().min(8) });
+const VerifyEmailBody = z.object({ verificationToken: z.string() });
+const MeBody = z.object({ token: z.string() });
+// ─── Routes + Handlers ─────────────────────────────────────────────
+export const signInRoute = post("/auth/sign-in", {
+    body: SignInBody,
+    openapi: {
+        operation: "auth.SignIn",
+        version: 1,
+        status: "active",
+        summary: "Authenticate with email + password",
+        tags: ["Auth"],
+        returns: [ok200SignIn],
+    },
+});
+export const signInHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    const result = await idp.signIn({ email: input.email, password: input.password });
+    return ok200SignIn(result);
+};
+export const signOutRoute = post("/auth/sign-out", {
+    body: SignOutBody,
+    openapi: {
+        operation: "auth.SignOut",
+        version: 1,
+        status: "active",
+        summary: "Invalidate the current session/token",
+        tags: ["Auth"],
+        returns: [ok202],
+    },
+});
+export const signOutHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    await idp.signOut(input.token);
+    return ok202();
+};
+export const refreshRoute = post("/auth/refresh", {
+    body: RefreshBody,
+    openapi: {
+        operation: "auth.Refresh",
+        version: 1,
+        status: "active",
+        summary: "Exchange a refresh token for a new access token",
+        tags: ["Auth"],
+        returns: [ok200Tokens],
+    },
+});
+export const refreshHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.refresh)
+        throw NotFound.with({ operation: "auth.Refresh", reason: "not supported by adapter" });
+    const tokens = await idp.refresh(input.refreshToken);
+    return ok200Tokens(tokens);
+};
+export const registerRoute = post("/auth/register", {
+    body: RegisterBody,
+    openapi: {
+        operation: "auth.Register",
+        version: 1,
+        status: "active",
+        summary: "Create a new account",
+        tags: ["Auth"],
+        returns: [ok200SignIn],
+    },
+});
+export const registerHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.register)
+        throw NotFound.with({ operation: "auth.Register", reason: "not supported by adapter" });
+    const result = await idp.register({
+        email: input.email,
+        password: input.password,
+        name: input.name,
+    });
+    return ok200SignIn({
+        user: result.user,
+        tokens: result.tokens ?? { accessToken: "" },
+    });
+};
+export const requestPasswordResetRoute = post("/auth/request-password-reset", {
+    body: RequestPwResetBody,
+    openapi: {
+        operation: "auth.RequestPasswordReset",
+        version: 1,
+        status: "active",
+        summary: "Send a password-reset email",
+        tags: ["Auth"],
+        returns: [ok202],
+    },
+});
+export const requestPasswordResetHandler = async ({ input, resolve, }) => {
+    const idp = resolve("idp");
+    if (!idp.requestPasswordReset)
+        throw NotFound.with({ operation: "auth.RequestPasswordReset" });
+    await idp.requestPasswordReset(input.email);
+    return ok202();
+};
+export const resetPasswordRoute = post("/auth/reset-password", {
+    body: ResetPasswordBody,
+    openapi: {
+        operation: "auth.ResetPassword",
+        version: 1,
+        status: "active",
+        summary: "Consume a reset token + set a new password",
+        tags: ["Auth"],
+        returns: [ok202],
+    },
+});
+export const resetPasswordHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.resetPassword)
+        throw NotFound.with({ operation: "auth.ResetPassword" });
+    await idp.resetPassword(input.resetToken, input.newPassword);
+    return ok202();
+};
+export const verifyEmailRoute = post("/auth/verify-email", {
+    body: VerifyEmailBody,
+    openapi: {
+        operation: "auth.VerifyEmail",
+        version: 1,
+        status: "active",
+        summary: "Confirm an email-verification token",
+        tags: ["Auth"],
+        returns: [ok202],
+    },
+});
+export const verifyEmailHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.verifyEmail)
+        throw NotFound.with({ operation: "auth.VerifyEmail" });
+    await idp.verifyEmail(input.verificationToken);
+    return ok202();
+};
+export const meRoute = get("/auth/me", {
+    body: MeBody,
+    openapi: {
+        operation: "auth.Me",
+        version: 1,
+        status: "active",
+        summary: "Return the User identified by the current Authorization token",
+        tags: ["Auth"],
+        returns: [ok200User],
+    },
+});
+export const meHandler = async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    const user = await idp.verifyToken(input.token);
+    if (!user)
+        throw NotFound.with({ operation: "auth.Me", reason: "token does not resolve to a user" });
+    return ok200User(user);
+};
+/**
+ * Wire every canonical auth route onto the given httpInterface in one
+ * call. Returns the same interface for chaining. Pass `options.include`
+ * to mount only a subset (e.g. an app that doesn't expose registration).
+ *
+ *   const api = mountAuth(httpInterface({ prefix: "/api/v1" }));
+ *   // → 8 routes mounted: /auth/sign-in, /sign-out, /refresh, /register, ...
+ *
+ *   // Subset:
+ *   mountAuth(api, { include: ["signIn", "signOut", "me"] });
+ */
+export function mountAuth(api, options) {
+    const all = {
+        signIn: [signInRoute, signInHandler],
+        signOut: [signOutRoute, signOutHandler],
+        refresh: [refreshRoute, refreshHandler],
+        register: [registerRoute, registerHandler],
+        requestPasswordReset: [requestPasswordResetRoute, requestPasswordResetHandler],
+        resetPassword: [resetPasswordRoute, resetPasswordHandler],
+        verifyEmail: [verifyEmailRoute, verifyEmailHandler],
+        me: [meRoute, meHandler],
+    };
+    const keys = options?.include ?? Object.keys(all);
+    for (const k of keys) {
+        const [route, handler] = all[k];
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        api.wire(route, handler);
+    }
+    return api;
+}
+//# sourceMappingURL=routes.js.map

package/dist/routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.js","sourceRoot":"","sources":["../src/routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,GAAG,EAA2D,MAAM,aAAa,CAAC;AACjG,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAG1C,sEAAsE;AAEtE,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,EAAE;IAC1C,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;QACd,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC5B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;QAChD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC9B,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,cAAc,CAAC,YAAY,EAAE;IAClD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACnC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;KACnD,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,cAAc,CAAC,cAAc,EAAE;IACpD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,IAAI,EAAE,YAAY,CAAC,MAAM;QACzB,MAAM,EAAE,cAAc,CAAC,MAAM;KAC9B,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,KAAK,GAAG,QAAQ,CAAY,GAAG,CAAC,CAAC;AACvC,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;AAC9C,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;AAClD,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;AAElD,sEAAsE;AAEtE,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AAC/E,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpD,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC3D,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE;IAChB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC5B,CAAC,CAAC;AACH,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC1D,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AAC/F,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpE,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAW/C,sEAAsE;AAEtE,MAAM,CAAC,MAAM,WAAW,GAA8B,IAAI,CAAC,eAAe,EAAE;IAC1E,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE;QACP,SAAS,EAAE,aAAa;QACxB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,oCAAoC;QAC7C,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,aAAa,GAA6B,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClF,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClF,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAA+B,IAAI,CAAC,gBAAgB,EAAE;IAC7E,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE;QACP,SAAS,EAAE,cAAc;QACzB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,KAAK,CAAC;KACjB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,cAAc,GAA8B,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IACpF,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAA+B,IAAI,CAAC,eAAe,EAAE;IAC5E,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE;QACP,SAAS,EAAE,cAAc;QACzB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,iDAAiD;QAC1D,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,cAAc,GAA8B,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IACpF,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,OAAO;QACd,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACzF,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACrD,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAAgC,IAAI,CAAC,gBAAgB,EAAE;IAC/E,IAAI,EAAE,YAAY;IAClB,OAAO,EAAE;QACP,SAAS,EAAE,eAAe;QAC1B,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,sBAAsB;QAC/B,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,eAAe,GAA+B,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IACtF,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,QAAQ;QACf,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC1F,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC;QAChC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC,CAAC;IACH,OAAO,WAAW,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE;KAC7C,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,yBAAyB,GAAsC,IAAI,CAC9E,8BAA8B,EAC9B;IACE,IAAI,EAAE,kBAAkB;IACxB,OAAO,EAAE;QACP,SAAS,EAAE,2BAA2B;QACtC,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,6BAA6B;QACtC,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,KAAK,CAAC;KACjB;CACF,CACF,CAAC;AACF,MAAM,CAAC,MAAM,2BAA2B,GAAqC,KAAK,EAAE,EAClF,KAAK,EACL,OAAO,GACR,EAAE,EAAE;IACH,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,oBAAoB;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,2BAA2B,EAAE,CAAC,CAAC;IAC/F,MAAM,GAAG,CAAC,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC5C,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAqC,IAAI,CAAC,sBAAsB,EAAE;IAC/F,IAAI,EAAE,iBAAiB;IACvB,OAAO,EAAE;QACP,SAAS,EAAE,oBAAoB;QAC/B,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,4CAA4C;QACrD,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,KAAK,CAAC;KACjB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAoC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAChG,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,aAAa;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACjF,MAAM,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IAC7D,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAmC,IAAI,CAAC,oBAAoB,EAAE;IACzF,IAAI,EAAE,eAAe;IACrB,OAAO,EAAE;QACP,SAAS,EAAE,kBAAkB;QAC7B,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,KAAK,CAAC;KACjB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAC5F,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,WAAW;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC7E,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC/C,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAA0B,GAAG,CAAC,UAAU,EAAE;IAC5D,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE;QACP,SAAS,EAAE,SAAS;QACpB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,+DAA+D;QACxE,IAAI,EAAE,CAAC,MAAM,CAAC;QACd,OAAO,EAAE,CAAC,SAAS,CAAC;KACrB;CACF,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,SAAS,GAAyB,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAC1E,MAAM,GAAG,GAAG,OAAO,CAAa,KAAK,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,CAAC,IAAI;QACP,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC,CAAC;IAC5F,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC,CAAC;AAkBF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,SAAS,CAAC,GAAkB,EAAE,OAA0B;IACtE,MAAM,GAAG,GAAG;QACV,MAAM,EAAE,CAAC,WAAW,EAAE,aAAa,CAAU;QAC7C,OAAO,EAAE,CAAC,YAAY,EAAE,cAAc,CAAU;QAChD,OAAO,EAAE,CAAC,YAAY,EAAE,cAAc,CAAU;QAChD,QAAQ,EAAE,CAAC,aAAa,EAAE,eAAe,CAAU;QACnD,oBAAoB,EAAE,CAAC,yBAAyB,EAAE,2BAA2B,CAAU;QACvF,aAAa,EAAE,CAAC,kBAAkB,EAAE,oBAAoB,CAAU;QAClE,WAAW,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,CAAU;QAC5D,EAAE,EAAE,CAAC,OAAO,EAAE,SAAS,CAAU;KAClC,CAAC;IACF,MAAM,IAAI,GAAG,OAAO,EAAE,OAAO,IAAK,MAAM,CAAC,IAAI,CAAC,GAAG,CAA6B,CAAC;IAC/E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QAChC,8DAA8D;QAC9D,GAAG,CAAC,IAAI,CAAC,KAAY,EAAE,OAAc,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/user.d.ts

@@ -0,0 +1,44 @@
+/**
+ * `User` — the canonical identity shape every adapter produces and every
+ * handler sees on `ctx.user`. Adapters (Logto, better-auth, Passport, …)
+ * translate their provider-specific user shapes into this interface.
+ *
+ * Extensibility via declaration merging — the same trick Express / Hono /
+ * Fastify use. Apps add their fields once, globally, and every
+ * `ctx.user.fieldName` access is typed.
+ *
+ *   // somewhere in your app, once:
+ *   declare module "@nwire/auth" {
+ *     interface User {
+ *       readonly accountId: string;
+ *       readonly plan: "free" | "pro" | "enterprise";
+ *     }
+ *   }
+ *
+ * Adapter authors: provide the base fields; let users add domain-specific
+ * fields through merging.
+ */
+export interface User {
+    /** Stable identifier — what envelope.userId carries. */
+    readonly id: string;
+    /** Display email if the IdP knows it. */
+    readonly email?: string;
+    /** Human-readable name. */
+    readonly name?: string;
+    /**
+     * Authorization roles — coarse-grained groupings ("admin", "editor").
+     * Adapters fill this in from their native role mechanism. Feeds RBAC.
+     */
+    readonly roles?: readonly string[];
+    /**
+     * OAuth/OIDC scopes — fine-grained capabilities ("read:posts",
+     * "write:billing", "manage:users"). Logto-style IdPs expose these as
+     * the standard `scope` claim; adapters split it into an array. Use
+     * scopes when a permission is verb-on-resource specific; roles for
+     * org-level groupings.
+     */
+    readonly scopes?: readonly string[];
+    /** Tenant the user belongs to — propagates to envelope.tenant. */
+    readonly tenant?: string;
+}
+//# sourceMappingURL=user.d.ts.map

package/dist/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../src/user.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,IAAI;IACnB,wDAAwD;IACxD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC;;;;;;OAMG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,kEAAkE;IAClE,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B"}

package/dist/user.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=user.js.map

package/dist/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../src/user.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@nwire/auth",
+  "version": "0.7.0",
+  "description": "Nwire — authorization contract + middleware. Authorizer interface (throw-on-deny) + authzMiddleware. Per-action `policy` tag is opaque to the framework; the authorizer decides what each tag means.",
+  "keywords": [
+    "auth",
+    "authz",
+    "middleware",
+    "nwire",
+    "policy"
+  ],
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "type": "module",
+  "main": "./dist/auth.js",
+  "types": "./dist/auth.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/auth.js",
+      "types": "./dist/auth.d.ts"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "zod": "^4.0.0",
+    "@nwire/forge": "0.7.0",
+    "@nwire/http": "0.7.0",
+    "@nwire/handler": "0.7.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.19.9",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18",
+    "@nwire/envelope": "0.7.0"
+  },
+  "scripts": {
+    "build": "tsc && node ../../scripts/fix-dist-extensions.mjs dist",
+    "dev": "tsc --watch",
+    "typecheck": "tsc --noEmit"
+  }
+}