@parsrun/auth 0.1.0

package/README.md

@@ -0,0 +1,133 @@
+# @parsrun/auth
+
+Passwordless-first, multi-runtime authentication for Pars framework.
+
+## Features
+
+- **Passwordless-First**: OTP (Email/SMS), Magic Links, WebAuthn/Passkeys
+- **OAuth Providers**: Google, Microsoft, GitHub, Apple with PKCE support
+- **Multi-Runtime**: Node.js, Deno, Cloudflare Workers, Bun
+- **Multi-Tenant**: Built-in tenant management and resolution
+- **Security**: Rate limiting, account lockout, CSRF protection
+- **Session Management**: JWT with key rotation, token blocklist
+
+## Installation
+
+```bash
+pnpm add @parsrun/auth
+```
+
+## Quick Start
+
+```typescript
+import { createAuth } from '@parsrun/auth';
+
+const auth = createAuth({
+  secret: process.env.AUTH_SECRET,
+  adapter: myDatabaseAdapter,
+  providers: {
+    otp: {
+      email: {
+        send: async (to, code) => {
+          await sendEmail(to, `Your code is: ${code}`);
+        },
+      },
+    },
+  },
+});
+
+await auth.initialize();
+
+// Request OTP
+await auth.requestOTP({ identifier: 'user@example.com', type: 'email' });
+
+// Sign in
+const result = await auth.signIn({
+  provider: 'otp',
+  identifier: 'user@example.com',
+  credential: '123456',
+  data: { type: 'email' },
+});
+```
+
+## API Overview
+
+### Core
+
+| Export | Description |
+|--------|-------------|
+| `createAuth(config)` | Create auth instance |
+| `ParsAuthEngine` | Main auth engine class |
+
+### Providers
+
+| Export | Description |
+|--------|-------------|
+| `OTPProvider` | Email/SMS OTP authentication |
+| `MagicLinkProvider` | Magic link authentication |
+| `GoogleProvider` | Google OAuth |
+| `MicrosoftProvider` | Microsoft OAuth |
+| `GitHubProvider` | GitHub OAuth |
+| `AppleProvider` | Apple Sign In |
+| `TOTPProvider` | 2FA with authenticator apps |
+| `WebAuthnProvider` | Passkeys/WebAuthn |
+
+### Middleware (Hono)
+
+```typescript
+import {
+  createAuthMiddleware,
+  requireRole,
+  requirePermission,
+  requireTenant,
+  requireAdmin,
+} from '@parsrun/auth';
+
+const authMiddleware = createAuthMiddleware({ auth });
+
+app.get('/admin', authMiddleware, requireAdmin(), handler);
+app.get('/users', authMiddleware, requireRole('admin', 'manager'), handler);
+app.get('/data', authMiddleware, requirePermission('data:read'), handler);
+```
+
+### Session Management
+
+| Export | Description |
+|--------|-------------|
+| `JwtManager` | JWT token management with rotation |
+| `SessionBlocklist` | Token revocation |
+| `extractBearerToken()` | Extract token from header |
+
+### Storage Adapters
+
+| Export | Description |
+|--------|-------------|
+| `createStorage()` | Auto-detect runtime storage |
+| `MemoryStorage` | In-memory (development) |
+| `RedisStorage` | Redis/Upstash |
+| `CloudflareKVStorage` | Cloudflare KV |
+| `DenoKVStorage` | Deno KV |
+
+### Security
+
+| Export | Description |
+|--------|-------------|
+| `RateLimiter` | Request rate limiting |
+| `LockoutManager` | Account lockout |
+| `CsrfManager` | CSRF protection |
+| `AuthorizationGuard` | Role/permission checks |
+
+## Exports
+
+```typescript
+import { ... } from '@parsrun/auth';           // Main exports
+import { ... } from '@parsrun/auth/storage';   // Storage adapters
+import { ... } from '@parsrun/auth/session';   // Session management
+import { ... } from '@parsrun/auth/security';  // Security utilities
+import { ... } from '@parsrun/auth/providers'; // Auth providers
+import { ... } from '@parsrun/auth/adapters';  // Framework adapters
+```
+
+## License
+
+MIT

package/dist/adapters/hono.d.ts

@@ -0,0 +1,9 @@
+import 'hono/types';
+import 'hono';
+export { Q as AuthVariables, W as HonoAdapterConfig, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-DOGcetyD.js';
+import '../authorization-By1Xp8Za.js';
+import '../jwt-manager-CH8H0kmm.js';
+import 'jose';
+import '../types-DSjafxJ4.js';
+import '../base-BKyR8rcE.js';
+import '../index-C3kz9XqE.js';

package/dist/adapters/hono.js

@@ -0,0 +1,6 @@
+export { createAuthMiddleware, createAuthRoutes, createHonoAuth, createOptionalAuthMiddleware, requireAdmin, requireAll, requireAny, requireAnyPermission, requireOwnerOrPermission, requirePermission, requireRole, requireTenant, requireTenantAccess } from '../chunk-RHNVRCF3.js';
+import '../chunk-NK4TJV2W.js';
+import '../chunk-MOG4Y6I7.js';
+import '../chunk-42MGHABB.js';
+//# sourceMappingURL=hono.js.map
+//# sourceMappingURL=hono.js.map

package/dist/adapters/hono.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"hono.js"}

package/dist/adapters/index.d.ts

@@ -0,0 +1,9 @@
+export { X as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, W as HonoAdapterConfig, a1 as RefreshBody, _ as RequestOtpBody, a0 as SignInBody, $ as VerifyOtpBody, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, D as createLogoutCookies, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-DOGcetyD.js';
+import '../jwt-manager-CH8H0kmm.js';
+import 'jose';
+import 'hono/types';
+import 'hono';
+import '../types-DSjafxJ4.js';
+import '../base-BKyR8rcE.js';
+import '../index-C3kz9XqE.js';
+import '../authorization-By1Xp8Za.js';

package/dist/adapters/index.js

@@ -0,0 +1,7 @@
+import '../chunk-7GOBAL4G.js';
+export { createAuthCookies, createAuthMiddleware, createAuthRoutes, createHonoAuth, createLogoutCookies, createOptionalAuthMiddleware, requireAdmin, requireAll, requireAny, requireAnyPermission, requireOwnerOrPermission, requirePermission, requireRole, requireTenant, requireTenantAccess } from '../chunk-RHNVRCF3.js';
+import '../chunk-NK4TJV2W.js';
+import '../chunk-MOG4Y6I7.js';
+import '../chunk-42MGHABB.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/authorization-By1Xp8Za.d.ts

@@ -0,0 +1,213 @@
+/**
+ * Authorization & Access Control
+ * Guards for tenant, role, and permission-based access control
+ */
+/**
+ * Authorization context - usually extracted from JWT
+ */
+interface AuthorizationContext {
+    userId: string;
+    tenantId?: string | null;
+    roles?: string[];
+    permissions?: string[];
+    memberships?: TenantMembershipInfo[];
+}
+/**
+ * Tenant membership information
+ */
+interface TenantMembershipInfo {
+    tenantId: string;
+    role: string;
+    permissions: string[];
+    status: 'active' | 'inactive' | 'pending';
+}
+/**
+ * Authorization check result
+ */
+interface AuthorizationResult {
+    allowed: boolean;
+    reason?: string;
+    missingPermissions?: string[];
+    missingRoles?: string[];
+}
+/**
+ * Permission pattern for matching
+ * Supports wildcards: 'users:*', '*:read', '*'
+ */
+type PermissionPattern = string;
+/**
+ * Authorization Guard
+ * Checks if a user has required permissions/roles for an action
+ */
+declare class AuthorizationGuard {
+    private context;
+    constructor(context: AuthorizationContext);
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Check if user has a tenant context
+     */
+    hasTenant(): boolean;
+    /**
+     * Check if user is member of a specific tenant
+     */
+    isMemberOf(tenantId: string): boolean;
+    /**
+     * Check if user has a specific role
+     */
+    hasRole(role: string): boolean;
+    /**
+     * Check if user has any of the specified roles
+     */
+    hasAnyRole(roles: string[]): boolean;
+    /**
+     * Check if user has all of the specified roles
+     */
+    hasAllRoles(roles: string[]): boolean;
+    /**
+     * Check if user has a specific permission
+     * Supports wildcards: 'users:*', '*:read', '*'
+     */
+    hasPermission(permission: PermissionPattern): boolean;
+    /**
+     * Check if user has any of the specified permissions
+     */
+    hasAnyPermission(permissions: PermissionPattern[]): boolean;
+    /**
+     * Check if user has all of the specified permissions
+     */
+    hasAllPermissions(permissions: PermissionPattern[]): boolean;
+    /**
+     * Check if user has role in specific tenant
+     */
+    hasRoleInTenant(tenantId: string, role: string): boolean;
+    /**
+     * Check if user has permission in specific tenant
+     */
+    hasPermissionInTenant(tenantId: string, permission: PermissionPattern): boolean;
+    /**
+     * Comprehensive authorization check
+     */
+    authorize(requirements: AuthorizationRequirements): AuthorizationResult;
+    /**
+     * Get current tenant ID
+     */
+    getTenantId(): string | null;
+    /**
+     * Get current user ID
+     */
+    getUserId(): string;
+    /**
+     * Get all user roles
+     */
+    getRoles(): string[];
+    /**
+     * Get all user permissions
+     */
+    getPermissions(): string[];
+    /**
+     * Get all tenant memberships
+     */
+    getMemberships(): TenantMembershipInfo[];
+}
+/**
+ * Authorization requirements
+ */
+interface AuthorizationRequirements {
+    /** User must be authenticated */
+    authenticated?: boolean;
+    /** User must have tenant context */
+    tenant?: boolean;
+    /** User must be member of specific tenant */
+    memberOf?: string;
+    /** Required roles */
+    roles?: string[];
+    /** Role check mode: 'any' (at least one) or 'all' */
+    rolesMode?: 'any' | 'all';
+    /** Required permissions */
+    permissions?: PermissionPattern[];
+    /** Permission check mode: 'any' (at least one) or 'all' */
+    permissionsMode?: 'any' | 'all';
+    /** Custom authorization function */
+    custom?: (context: AuthorizationContext) => boolean;
+    /** Custom failure reason */
+    customReason?: string;
+}
+/**
+ * Create an authorization guard
+ */
+declare function createAuthorizationGuard(context: AuthorizationContext): AuthorizationGuard;
+/**
+ * Quick authorization checks
+ */
+declare const authorize: {
+    /**
+     * Check if authenticated
+     */
+    isAuthenticated(context: AuthorizationContext): AuthorizationResult;
+    /**
+     * Check if has tenant
+     */
+    hasTenant(context: AuthorizationContext): AuthorizationResult;
+    /**
+     * Check if has specific role
+     */
+    hasRole(context: AuthorizationContext, role: string): AuthorizationResult;
+    /**
+     * Check if has specific permission
+     */
+    hasPermission(context: AuthorizationContext, permission: string): AuthorizationResult;
+    /**
+     * Check if is member of tenant
+     */
+    isMemberOf(context: AuthorizationContext, tenantId: string): AuthorizationResult;
+    /**
+     * Check if is admin (has 'admin' role or '*' permission)
+     */
+    isAdmin(context: AuthorizationContext): AuthorizationResult;
+    /**
+     * Check if is owner of resource
+     */
+    isOwner(context: AuthorizationContext, ownerId: string): AuthorizationResult;
+    /**
+     * Check if is owner or has permission
+     */
+    isOwnerOrHasPermission(context: AuthorizationContext, ownerId: string, permission: string): AuthorizationResult;
+};
+/**
+ * Common permission patterns
+ */
+declare const Permissions: {
+    readonly USERS_READ: "users:read";
+    readonly USERS_WRITE: "users:write";
+    readonly USERS_DELETE: "users:delete";
+    readonly USERS_ADMIN: "users:*";
+    readonly TENANTS_READ: "tenants:read";
+    readonly TENANTS_WRITE: "tenants:write";
+    readonly TENANTS_DELETE: "tenants:delete";
+    readonly TENANTS_ADMIN: "tenants:*";
+    readonly MEMBERS_READ: "members:read";
+    readonly MEMBERS_INVITE: "members:invite";
+    readonly MEMBERS_REMOVE: "members:remove";
+    readonly MEMBERS_ADMIN: "members:*";
+    readonly ROLES_READ: "roles:read";
+    readonly ROLES_WRITE: "roles:write";
+    readonly ROLES_DELETE: "roles:delete";
+    readonly ROLES_ADMIN: "roles:*";
+    readonly SUPER_ADMIN: "*";
+};
+/**
+ * Common roles
+ */
+declare const Roles: {
+    readonly OWNER: "owner";
+    readonly ADMIN: "admin";
+    readonly MANAGER: "manager";
+    readonly MEMBER: "member";
+    readonly VIEWER: "viewer";
+    readonly GUEST: "guest";
+};
+
+export { AuthorizationGuard as A, Permissions as P, Roles as R, type TenantMembershipInfo as T, authorize as a, type AuthorizationContext as b, createAuthorizationGuard as c, type AuthorizationResult as d, type AuthorizationRequirements as e, type PermissionPattern as f };