@oas-tools/oas-telemetry 0.7.0-alpha.4 → 0.7.0-alpha.5

package/.env.example

@@ -24,12 +24,14 @@ OASTLM_CONFIG_GENERAL_SPEC_FILE_NAME=
 
 # Enable authentication | Possible values: "true", "false" | Default: "false"
 OASTLM_CONFIG_AUTH_ENABLED=
-# Maximum age for API keys (ms) | Default: 3600000 (1 hour)
-OASTLM_CONFIG_AUTH_API_KEY_MAX_AGE=
 # Password for authentication | Default: "oas-telemetry-password"
 OASTLM_CONFIG_AUTH_PASSWORD=
 # JWT secret for authentication | Default: "oas-telemetry-secret"
 OASTLM_CONFIG_AUTH_JWT_SECRET=
+# Access token max age (ms) | Default: 300000 (5 minutes)
+OASTLM_CONFIG_AUTH_ACCESS_TOKEN_MAX_AGE=
+# Refresh token max age (ms) | Default: 604800000 (7 days)
+OASTLM_CONFIG_AUTH_REFRESH_TOKEN_MAX_AGE=
 
 
 # Enable memory exporter for traces | Possible values: "true", "false" | Default: "true"

package/dist/cjs/config/config.cjs

@@ -18,9 +18,10 @@ const loadEnv = () => {
     },
     auth: {
       enabled: getParsedEnvVar("OASTLM_CONFIG_AUTH_ENABLED", v => v === "true"),
-      apiKeyMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_API_KEY_MAX_AGE", v => parseInt(v, 10)),
       password: getParsedEnvVar("OASTLM_CONFIG_AUTH_PASSWORD"),
-      jwtSecret: getParsedEnvVar("OASTLM_CONFIG_AUTH_JWT_SECRET")
+      jwtSecret: getParsedEnvVar("OASTLM_CONFIG_AUTH_JWT_SECRET"),
+      accessTokenMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_ACCESS_TOKEN_MAX_AGE", v => parseInt(v, 10)),
+      refreshTokenMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_REFRESH_TOKEN_MAX_AGE", v => parseInt(v, 10))
     },
     traces: {
       memoryExporter: {
@@ -70,10 +71,11 @@ const defaultConfig = exports.defaultConfig = {
   },
   auth: {
     enabled: false,
-    apiKeyMaxAge: 1000 * 60 * 60,
-    // 1 hour
     password: "oas-telemetry-password",
-    jwtSecret: "oas-telemetry-secret"
+    jwtSecret: "oas-telemetry-secret",
+    accessTokenMaxAge: 1000 * 60 * 5,
+    // 5 minutes
+    refreshTokenMaxAge: 1000 * 60 * 60 * 24 * 7 // 7 days
   },
   ai: {
     openAIKey: null,

package/dist/cjs/routesManager.cjs

@@ -23,13 +23,21 @@ const configureRoutes = (router, oasTlmConfig) => {
   if (_bootConfig.bootEnvVariables.OASTLM_BOOT_ENV === 'development') {
     _logger.default.info("Running in development mode, enabling CORS for all origins");
     router.use((0, _cors.default)({
-      origin: '*',
-      // Permitir todas las solicitudes en desarrollo
-      methods: ['GET', 'POST', 'PUT', 'DELETE'],
-      allowedHeaders: ['Content-Type', 'Authorization']
+      origin: (origin, callback) => {
+        if (!origin || /^http:\/\/localhost:\d+$/.test(origin)) {
+          callback(null, true);
+        } else {
+          callback(new Error('Not allowed by CORS'));
+        }
+      },
+      credentials: true
     }));
   }
-  router.use((req, res, next) => {
+  const telemetryBaseUrl = oasTlmConfig.general.baseUrl;
+  // Sub-router for all telemetry endpoints
+  const telemetryRouter = (0, _express.Router)();
+  // Body parser for JSON requests
+  telemetryRouter.use((req, res, next) => {
     if (req.body !== undefined) {
       return next(); // Already parsed, no need to parse again.
     }
@@ -37,52 +45,32 @@ const configureRoutes = (router, oasTlmConfig) => {
       limit: '10mb'
     })(req, res, next);
   });
-  const allAuthMiddlewares = getWrappedMiddlewares(() => oasTlmConfig.auth.enabled, [(0, _cookieParser.default)(), (0, _authRoutes.getAuthRoutes)(oasTlmConfig), (0, _authMiddleware.getAuthMiddleware)(oasTlmConfig)]);
-  const baseUrl = oasTlmConfig.general.baseUrl;
-  router.use(baseUrl, allAuthMiddlewares);
-  router.use(baseUrl + "/traces", (0, _traceRoutes.getTraceRoutes)());
-  router.use(baseUrl + "/metrics", (0, _metricsRoutes.getMetricsRoutes)());
-  router.use(baseUrl + "/logs", (0, _logRoutes.getLogRoutes)());
-  router.use(baseUrl + "/ai", getWrappedMiddlewares(() => oasTlmConfig.ai.openAIKey !== null, [(0, _aiRoutes.getAIRoutes)(oasTlmConfig)]));
-  // WARNING: This path must be the same as the one used in the UI package App.tsx "oas-telemetry-ui"
-  router.use(baseUrl + "/oas-telemetry-ui", (0, _uiRoutes.getUIRoutes)());
-  router.use(baseUrl + "/utils", (0, _utilRoutes.getUtilsRoutes)(oasTlmConfig));
-  router.use(baseUrl + "/plugins", (0, _pluginRoutes.getPluginRoutes)());
-  router.get(baseUrl + '/health', (_req, res) => {
+  telemetryRouter.get('/health', (_req, res) => {
     res.status(200).send({
       status: 'OK'
     });
   });
-  //redirect to the UI when accessing the base URL
-  router.get(baseUrl, (req, res) => {
-    res.redirect(baseUrl + "/oas-telemetry-ui");
+  // Redirect to the UI when accessing the base URL
+  telemetryRouter.get('/', (req, res) => {
+    res.redirect(`${telemetryBaseUrl}/oas-telemetry-ui/`);
   });
+  // WARNING: This path must be the same as the one used in the UI package App.tsx "oas-telemetry-ui"
+  telemetryRouter.use("/oas-telemetry-ui", (0, _uiRoutes.getUIRoutes)());
+  // Auth routes must be registered. If authentication is not enabled, all requests will be allowed.
+  // Frontend will use these endpoints;
+  telemetryRouter.use((0, _cookieParser.default)());
+  // Refresh token uses /auth/refresh path, careful if you change it
+  telemetryRouter.use('/auth', (0, _authRoutes.getAuthRoutes)(oasTlmConfig));
+  telemetryRouter.use((0, _authMiddleware.getAuthMiddleware)(oasTlmConfig));
+  telemetryRouter.use("/traces", (0, _traceRoutes.getTraceRoutes)());
+  telemetryRouter.use("/metrics", (0, _metricsRoutes.getMetricsRoutes)());
+  telemetryRouter.use("/logs", (0, _logRoutes.getLogRoutes)());
+  if (oasTlmConfig.ai.openAIKey) {
+    telemetryRouter.use("/ai", (0, _aiRoutes.getAIRoutes)(oasTlmConfig));
+  }
+  telemetryRouter.use("/utils", (0, _utilRoutes.getUtilsRoutes)(oasTlmConfig));
+  telemetryRouter.use("/plugins", (0, _pluginRoutes.getPluginRoutes)());
+  // Mount the telemetryRouter under telemetryBaseUrl
+  router.use(telemetryBaseUrl, telemetryRouter);
 };
-/**
- * This function wraps the provided middleware functions with a condition callback.
- * If the condition callback returns true, the middleware/router will be executed.
- * If the condition callback returns false, the middleware/router will be skipped.
- *
- * @callback {function} conditionCallback A callback function that returns a boolean to determine if the middleware should be used.
- * @param {Array} middlewares An array of middleware or routers to be wrapped.
- * @returns {Array} An array of wrapped middleware functions.
- */
-exports.configureRoutes = configureRoutes;
-function getWrappedMiddlewares(conditionCallback, middlewares) {
-  return middlewares.map(middleware => {
-    return function (req, res, next) {
-      if (conditionCallback()) {
-        if (typeof middleware === 'function') {
-          // look for handle property, if it exists, it's a router. If not call middleware
-          if (middleware.handle) {
-            middleware.handle(req, res, next);
-          } else {
-            middleware(req, res, next);
-          }
-        }
-      } else {
-        next();
-      }
-    };
-  });
-}
+exports.configureRoutes = configureRoutes;

package/dist/cjs/tlm-auth/authController.cjs

@@ -3,69 +3,134 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.getLogout = exports.getLogin = exports.getCheck = void 0;
+exports.getRefresh = exports.getLogout = exports.getLogin = exports.getAuthEnabled = void 0;
 var _jsonwebtoken = _interopRequireDefault(require("jsonwebtoken"));
 var _logger = _interopRequireDefault(require("../utils/logger.cjs"));
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+function generateAccessToken(secret, expiresIn) {
+  return _jsonwebtoken.default.sign({
+    type: "access"
+  }, secret, {
+    expiresIn: Math.floor(expiresIn / 1000)
+  });
+}
+function generateRefreshToken(secret, expiresIn) {
+  return _jsonwebtoken.default.sign({
+    type: "refresh"
+  }, secret, {
+    expiresIn: Math.floor(expiresIn / 1000)
+  });
+}
 const getLogin = oasTlmConfig => (req, res) => {
+  if (!oasTlmConfig.auth.enabled) {
+    res.status(200).json({
+      valid: true,
+      message: "Auth disabled"
+    });
+    return;
+  }
   try {
     const {
       password
     } = req.body;
     if (password === oasTlmConfig.auth.password) {
-      const options = {
-        maxAge: oasTlmConfig.auth.apiKeyMaxAge,
+      const accessToken = generateAccessToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.accessTokenMaxAge);
+      const refreshToken = generateRefreshToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.refreshTokenMaxAge);
+      res.cookie("accessToken", accessToken, {
+        maxAge: oasTlmConfig.auth.accessTokenMaxAge,
         httpOnly: true,
-        secure: true,
-        signed: false
-      };
-      const apiKey = _jsonwebtoken.default.sign({
-        password: oasTlmConfig.auth.password
-      }, oasTlmConfig.auth.jwtSecret);
-      res.cookie('apiKey', apiKey, options);
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/"
+      });
+      res.cookie("refreshToken", refreshToken, {
+        maxAge: oasTlmConfig.auth.refreshTokenMaxAge,
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: oasTlmConfig.general.baseUrl + "/auth/refresh" // <-- cambiado de "/auth/refresh" a oasTlmConfig.general.baseUrl + "/auth/refresh"
+      });
       res.status(200).json({
         valid: true,
-        message: 'API Key is valid'
+        message: "Login successful"
       });
       return;
     }
     res.status(400).json({
       valid: false,
-      message: 'Invalid API Key'
+      message: "Invalid password"
     });
   } catch (error) {
-    _logger.default.log("Error: ", error);
+    _logger.default.error("Login error: ", error);
     res.status(500).json({
       valid: false,
-      message: 'Internal server error'
+      message: "Internal server error"
     });
   }
 };
 exports.getLogin = getLogin;
 const getLogout = oasTlmConfig => (req, res) => {
-  res.clearCookie('apiKey');
-  res.redirect(oasTlmConfig.general.baseUrl + oasTlmConfig.general.uiPath + '/login');
+  if (!oasTlmConfig.auth.enabled) {
+    res.status(200).json({
+      valid: true,
+      message: "Auth disabled"
+    });
+    return;
+  }
+  res.clearCookie('accessToken', {
+    path: '/'
+  });
+  res.clearCookie('refreshToken', {
+    path: oasTlmConfig.general.baseUrl + '/auth/refresh'
+  }); // <-- cambiado de "/auth/refresh" a oasTlmConfig.general.baseUrl + "/auth/refresh"
+  res.status(200).json({
+    valid: true,
+    message: "Logged out"
+  });
 };
 exports.getLogout = getLogout;
-const getCheck = oasTlmConfig => (req, res) => {
-  if (!req.cookies.apiKey) {
+const getRefresh = oasTlmConfig => (req, res) => {
+  if (!oasTlmConfig.auth.enabled) {
     res.status(200).json({
+      valid: true,
+      message: "Auth disabled"
+    });
+    return;
+  }
+  const refreshToken = req.cookies.refreshToken;
+  if (!refreshToken) {
+    res.status(401).json({
       valid: false,
-      message: 'API Key is invalid'
+      message: "No refresh token"
     });
     return;
   }
-  const decoded = _jsonwebtoken.default.verify(req.cookies.apiKey, oasTlmConfig.auth.jwtSecret);
-  if (decoded.password === oasTlmConfig.auth.password) {
+  try {
+    const payload = _jsonwebtoken.default.verify(refreshToken, oasTlmConfig.auth.jwtSecret);
+    if (payload.type !== "refresh") throw new Error("Invalid token type");
+    const accessToken = generateAccessToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.accessTokenMaxAge);
+    res.cookie("accessToken", accessToken, {
+      maxAge: oasTlmConfig.auth.accessTokenMaxAge,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      path: "/"
+    });
     res.status(200).json({
       valid: true,
-      message: 'API Key is valid'
+      message: "Refreshed"
+    });
+  } catch (err) {
+    res.status(401).json({
+      valid: false,
+      message: "Invalid refresh token"
     });
-    return;
   }
+};
+exports.getRefresh = getRefresh;
+const getAuthEnabled = oasTlmConfig => (req, res) => {
   res.status(200).json({
-    valid: false,
-    message: 'Invalid API Key'
+    enabled: !!oasTlmConfig.auth.enabled
   });
 };
-exports.getCheck = getCheck;
+exports.getAuthEnabled = getAuthEnabled;

package/dist/cjs/tlm-auth/authMiddleware.cjs

@@ -8,13 +8,26 @@ var _jsonwebtoken = _interopRequireDefault(require("jsonwebtoken"));
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function getAuthMiddleware(oasTlmConfig) {
   return function authMiddleware(req, res, next) {
-    const apiKey = req.cookies.apiKey;
-    if (apiKey) {
-      const decoded = _jsonwebtoken.default.verify(apiKey, oasTlmConfig.auth.jwtSecret);
-      if (decoded.password === oasTlmConfig.auth.password) {
-        return next();
-      }
+    if (!oasTlmConfig.auth.enabled) {
+      return next();
+    }
+    const token = req.cookies.accessToken;
+    if (!token) {
+      res.status(401).json({
+        valid: false,
+        message: "No access token"
+      });
+      return;
+    }
+    try {
+      const payload = _jsonwebtoken.default.verify(token, oasTlmConfig.auth.jwtSecret);
+      if (payload.type !== "access") throw new Error("Invalid token type");
+      return next();
+    } catch {
+      res.status(401).json({
+        valid: false,
+        message: "Invalid access token"
+      });
     }
-    res.status(401).redirect(oasTlmConfig.general.baseUrl + oasTlmConfig.general.uiPath + '/login');
   };
 }

package/dist/cjs/tlm-auth/authRoutes.cjs

@@ -9,8 +9,9 @@ var _authController = require("./authController.cjs");
 const getAuthRoutes = oasTlmConfig => {
   const router = (0, _express.Router)();
   router.post('/login', (0, _authController.getLogin)(oasTlmConfig));
-  router.get('/logout', (0, _authController.getLogout)(oasTlmConfig));
-  router.get('/check', (0, _authController.getCheck)(oasTlmConfig));
+  router.post('/refresh', (0, _authController.getRefresh)(oasTlmConfig));
+  router.post('/logout', (0, _authController.getLogout)(oasTlmConfig));
+  router.get('/enabled', (0, _authController.getAuthEnabled)(oasTlmConfig));
   return router;
 };
 exports.getAuthRoutes = getAuthRoutes;

package/dist/esm/config/config.js

@@ -11,9 +11,10 @@ const loadEnv = () => {
         },
         auth: {
             enabled: getParsedEnvVar("OASTLM_CONFIG_AUTH_ENABLED", (v) => v === "true"),
-            apiKeyMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_API_KEY_MAX_AGE", (v) => parseInt(v, 10)),
             password: getParsedEnvVar("OASTLM_CONFIG_AUTH_PASSWORD"),
             jwtSecret: getParsedEnvVar("OASTLM_CONFIG_AUTH_JWT_SECRET"),
+            accessTokenMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_ACCESS_TOKEN_MAX_AGE", (v) => parseInt(v, 10)),
+            refreshTokenMaxAge: getParsedEnvVar("OASTLM_CONFIG_AUTH_REFRESH_TOKEN_MAX_AGE", (v) => parseInt(v, 10)),
         },
         traces: {
             memoryExporter: {
@@ -61,9 +62,10 @@ export const defaultConfig = {
     },
     auth: {
         enabled: false,
-        apiKeyMaxAge: 1000 * 60 * 60, // 1 hour
         password: "oas-telemetry-password",
         jwtSecret: "oas-telemetry-secret",
+        accessTokenMaxAge: 1000 * 60 * 5, // 5 minutes
+        refreshTokenMaxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
     },
     ai: {
         openAIKey: null,

package/dist/esm/routesManager.js

@@ -1,4 +1,4 @@
-import { json } from "express";
+import { Router, json } from "express";
 import logger from "./utils/logger.js";
 import cors from 'cors';
 import { getTraceRoutes } from "./tlm-trace/traceRoutes.js";
@@ -16,62 +16,50 @@ export const configureRoutes = (router, oasTlmConfig) => {
     if (bootEnvVariables.OASTLM_BOOT_ENV === 'development') {
         logger.info("Running in development mode, enabling CORS for all origins");
         router.use(cors({
-            origin: '*', // Permitir todas las solicitudes en desarrollo
-            methods: ['GET', 'POST', 'PUT', 'DELETE'],
-            allowedHeaders: ['Content-Type', 'Authorization'],
+            origin: (origin, callback) => {
+                if (!origin || /^http:\/\/localhost:\d+$/.test(origin)) {
+                    callback(null, true);
+                }
+                else {
+                    callback(new Error('Not allowed by CORS'));
+                }
+            },
+            credentials: true
         }));
     }
-    router.use((req, res, next) => {
+    const telemetryBaseUrl = oasTlmConfig.general.baseUrl;
+    // Sub-router for all telemetry endpoints
+    const telemetryRouter = Router();
+    // Body parser for JSON requests
+    telemetryRouter.use((req, res, next) => {
         if (req.body !== undefined) {
             return next(); // Already parsed, no need to parse again.
         }
         return json({ limit: '10mb' })(req, res, next);
     });
-    const allAuthMiddlewares = getWrappedMiddlewares(() => oasTlmConfig.auth.enabled, [cookieParser(), getAuthRoutes(oasTlmConfig), getAuthMiddleware(oasTlmConfig)]);
-    const baseUrl = oasTlmConfig.general.baseUrl;
-    router.use(baseUrl, allAuthMiddlewares);
-    router.use(baseUrl + "/traces", getTraceRoutes());
-    router.use(baseUrl + "/metrics", getMetricsRoutes());
-    router.use(baseUrl + "/logs", getLogRoutes());
-    router.use(baseUrl + "/ai", getWrappedMiddlewares(() => oasTlmConfig.ai.openAIKey !== null, [getAIRoutes(oasTlmConfig)]));
-    // WARNING: This path must be the same as the one used in the UI package App.tsx "oas-telemetry-ui"
-    router.use(baseUrl + "/oas-telemetry-ui", getUIRoutes());
-    router.use(baseUrl + "/utils", getUtilsRoutes(oasTlmConfig));
-    router.use(baseUrl + "/plugins", getPluginRoutes());
-    router.get(baseUrl + '/health', (_req, res) => {
+    telemetryRouter.get('/health', (_req, res) => {
         res.status(200).send({ status: 'OK' });
     });
-    //redirect to the UI when accessing the base URL
-    router.get(baseUrl, (req, res) => {
-        res.redirect(baseUrl + "/oas-telemetry-ui");
+    // Redirect to the UI when accessing the base URL
+    telemetryRouter.get('/', (req, res) => {
+        res.redirect(`${telemetryBaseUrl}/oas-telemetry-ui/`);
     });
+    // WARNING: This path must be the same as the one used in the UI package App.tsx "oas-telemetry-ui"
+    telemetryRouter.use("/oas-telemetry-ui", getUIRoutes());
+    // Auth routes must be registered. If authentication is not enabled, all requests will be allowed.
+    // Frontend will use these endpoints;
+    telemetryRouter.use(cookieParser());
+    // Refresh token uses /auth/refresh path, careful if you change it
+    telemetryRouter.use('/auth', getAuthRoutes(oasTlmConfig));
+    telemetryRouter.use(getAuthMiddleware(oasTlmConfig));
+    telemetryRouter.use("/traces", getTraceRoutes());
+    telemetryRouter.use("/metrics", getMetricsRoutes());
+    telemetryRouter.use("/logs", getLogRoutes());
+    if (oasTlmConfig.ai.openAIKey) {
+        telemetryRouter.use("/ai", getAIRoutes(oasTlmConfig));
+    }
+    telemetryRouter.use("/utils", getUtilsRoutes(oasTlmConfig));
+    telemetryRouter.use("/plugins", getPluginRoutes());
+    // Mount the telemetryRouter under telemetryBaseUrl
+    router.use(telemetryBaseUrl, telemetryRouter);
 };
-/**
- * This function wraps the provided middleware functions with a condition callback.
- * If the condition callback returns true, the middleware/router will be executed.
- * If the condition callback returns false, the middleware/router will be skipped.
- *
- * @callback {function} conditionCallback A callback function that returns a boolean to determine if the middleware should be used.
- * @param {Array} middlewares An array of middleware or routers to be wrapped.
- * @returns {Array} An array of wrapped middleware functions.
- */
-function getWrappedMiddlewares(conditionCallback, middlewares) {
-    return middlewares.map(middleware => {
-        return function (req, res, next) {
-            if (conditionCallback()) {
-                if (typeof middleware === 'function') {
-                    // look for handle property, if it exists, it's a router. If not call middleware
-                    if (middleware.handle) {
-                        middleware.handle(req, res, next);
-                    }
-                    else {
-                        middleware(req, res, next);
-                    }
-                }
-            }
-            else {
-                next();
-            }
-        };
-    });
-}

package/dist/esm/tlm-auth/authController.js

@@ -1,40 +1,82 @@
 import jwt from 'jsonwebtoken';
 import logger from '../utils/logger.js';
+function generateAccessToken(secret, expiresIn) {
+    return jwt.sign({ type: "access" }, secret, { expiresIn: Math.floor(expiresIn / 1000) });
+}
+function generateRefreshToken(secret, expiresIn) {
+    return jwt.sign({ type: "refresh" }, secret, { expiresIn: Math.floor(expiresIn / 1000) });
+}
 export const getLogin = (oasTlmConfig) => (req, res) => {
+    if (!oasTlmConfig.auth.enabled) {
+        res.status(200).json({ valid: true, message: "Auth disabled" });
+        return;
+    }
     try {
         const { password } = req.body;
         if (password === oasTlmConfig.auth.password) {
-            const options = {
-                maxAge: oasTlmConfig.auth.apiKeyMaxAge,
+            const accessToken = generateAccessToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.accessTokenMaxAge);
+            const refreshToken = generateRefreshToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.refreshTokenMaxAge);
+            res.cookie("accessToken", accessToken, {
+                maxAge: oasTlmConfig.auth.accessTokenMaxAge,
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+                sameSite: "lax",
+                path: "/"
+            });
+            res.cookie("refreshToken", refreshToken, {
+                maxAge: oasTlmConfig.auth.refreshTokenMaxAge,
                 httpOnly: true,
-                secure: true,
-                signed: false
-            };
-            const apiKey = jwt.sign({ password: oasTlmConfig.auth.password }, oasTlmConfig.auth.jwtSecret);
-            res.cookie('apiKey', apiKey, options);
-            res.status(200).json({ valid: true, message: 'API Key is valid' });
+                secure: process.env.NODE_ENV === "production",
+                sameSite: "lax",
+                path: oasTlmConfig.general.baseUrl + "/auth/refresh" // <-- cambiado de "/auth/refresh" a oasTlmConfig.general.baseUrl + "/auth/refresh"
+            });
+            res.status(200).json({ valid: true, message: "Login successful" });
             return;
         }
-        res.status(400).json({ valid: false, message: 'Invalid API Key' });
+        res.status(400).json({ valid: false, message: "Invalid password" });
     }
     catch (error) {
-        logger.log("Error: ", error);
-        res.status(500).json({ valid: false, message: 'Internal server error' });
+        logger.error("Login error: ", error);
+        res.status(500).json({ valid: false, message: "Internal server error" });
     }
 };
 export const getLogout = (oasTlmConfig) => (req, res) => {
-    res.clearCookie('apiKey');
-    res.redirect(oasTlmConfig.general.baseUrl + oasTlmConfig.general.uiPath + '/login');
+    if (!oasTlmConfig.auth.enabled) {
+        res.status(200).json({ valid: true, message: "Auth disabled" });
+        return;
+    }
+    res.clearCookie('accessToken', { path: '/' });
+    res.clearCookie('refreshToken', { path: oasTlmConfig.general.baseUrl + '/auth/refresh' }); // <-- cambiado de "/auth/refresh" a oasTlmConfig.general.baseUrl + "/auth/refresh"
+    res.status(200).json({ valid: true, message: "Logged out" });
 };
-export const getCheck = (oasTlmConfig) => (req, res) => {
-    if (!req.cookies.apiKey) {
-        res.status(200).json({ valid: false, message: 'API Key is invalid' });
+export const getRefresh = (oasTlmConfig) => (req, res) => {
+    if (!oasTlmConfig.auth.enabled) {
+        res.status(200).json({ valid: true, message: "Auth disabled" });
         return;
     }
-    const decoded = jwt.verify(req.cookies.apiKey, oasTlmConfig.auth.jwtSecret);
-    if (decoded.password === oasTlmConfig.auth.password) {
-        res.status(200).json({ valid: true, message: 'API Key is valid' });
+    const refreshToken = req.cookies.refreshToken;
+    if (!refreshToken) {
+        res.status(401).json({ valid: false, message: "No refresh token" });
         return;
     }
-    res.status(200).json({ valid: false, message: 'Invalid API Key' });
+    try {
+        const payload = jwt.verify(refreshToken, oasTlmConfig.auth.jwtSecret);
+        if (payload.type !== "refresh")
+            throw new Error("Invalid token type");
+        const accessToken = generateAccessToken(oasTlmConfig.auth.jwtSecret, oasTlmConfig.auth.accessTokenMaxAge);
+        res.cookie("accessToken", accessToken, {
+            maxAge: oasTlmConfig.auth.accessTokenMaxAge,
+            httpOnly: true,
+            secure: process.env.NODE_ENV === "production",
+            sameSite: "lax",
+            path: "/"
+        });
+        res.status(200).json({ valid: true, message: "Refreshed" });
+    }
+    catch (err) {
+        res.status(401).json({ valid: false, message: "Invalid refresh token" });
+    }
+};
+export const getAuthEnabled = (oasTlmConfig) => (req, res) => {
+    res.status(200).json({ enabled: !!oasTlmConfig.auth.enabled });
 };

package/dist/esm/tlm-auth/authMiddleware.js

@@ -1,13 +1,22 @@
-import jwt from 'jsonwebtoken';
+import jwt from "jsonwebtoken";
 export function getAuthMiddleware(oasTlmConfig) {
     return function authMiddleware(req, res, next) {
-        const apiKey = req.cookies.apiKey;
-        if (apiKey) {
-            const decoded = jwt.verify(apiKey, oasTlmConfig.auth.jwtSecret);
-            if (decoded.password === oasTlmConfig.auth.password) {
-                return next();
-            }
-        }
-        res.status(401).redirect(oasTlmConfig.general.baseUrl + oasTlmConfig.general.uiPath + '/login');
+        if (!oasTlmConfig.auth.enabled) {
+            return next();
+        }
+        const token = req.cookies.accessToken;
+        if (!token) {
+            res.status(401).json({ valid: false, message: "No access token" });
+            return;
+        }
+        try {
+            const payload = jwt.verify(token, oasTlmConfig.auth.jwtSecret);
+            if (payload.type !== "access")
+                throw new Error("Invalid token type");
+            return next();
+        }
+        catch {
+            res.status(401).json({ valid: false, message: "Invalid access token" });
+        }
     };
 }

package/dist/esm/tlm-auth/authRoutes.js

@@ -1,9 +1,10 @@
 import { Router } from 'express';
-import { getLogin, getLogout, getCheck } from './authController.js';
+import { getLogin, getLogout, getRefresh, getAuthEnabled } from './authController.js';
 export const getAuthRoutes = (oasTlmConfig) => {
     const router = Router();
     router.post('/login', getLogin(oasTlmConfig));
-    router.get('/logout', getLogout(oasTlmConfig));
-    router.get('/check', getCheck(oasTlmConfig));
+    router.post('/refresh', getRefresh(oasTlmConfig));
+    router.post('/logout', getLogout(oasTlmConfig));
+    router.get('/enabled', getAuthEnabled(oasTlmConfig));
     return router;
 };