npm - @plyaz/auth - Versions diffs - 1.0.0 - Mend

@plyaz/auth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/.github/pull_request_template.md +71 -0
package/.github/workflows/deploy.yml +9 -0
package/.github/workflows/publish.yml +14 -0
package/.github/workflows/security.yml +20 -0
package/README.md +89 -0
package/commits.txt +5 -0
package/dist/common/index.cjs +48 -0
package/dist/common/index.cjs.map +1 -0
package/dist/common/index.mjs +43 -0
package/dist/common/index.mjs.map +1 -0
package/dist/index.cjs +20411 -0
package/dist/index.cjs.map +1 -0
package/dist/index.mjs +5139 -0
package/dist/index.mjs.map +1 -0
package/eslint.config.mjs +13 -0
package/index.html +13 -0
package/package.json +141 -0
package/src/adapters/auth-adapter-factory.ts +26 -0
package/src/adapters/auth-adapter.mapper.ts +53 -0
package/src/adapters/base-auth.adapter.ts +119 -0
package/src/adapters/clerk/clerk.adapter.ts +204 -0
package/src/adapters/custom/custom.adapter.ts +119 -0
package/src/adapters/index.ts +4 -0
package/src/adapters/next-auth/authOptions.ts +81 -0
package/src/adapters/next-auth/next-auth.adapter.ts +211 -0
package/src/api/client.ts +37 -0
package/src/audit/audit.logger.ts +52 -0
package/src/client/components/ProtectedRoute.tsx +37 -0
package/src/client/hooks/useAuth.ts +128 -0
package/src/client/hooks/useConnectedAccounts.ts +108 -0
package/src/client/hooks/usePermissions.ts +36 -0
package/src/client/hooks/useRBAC.ts +36 -0
package/src/client/hooks/useSession.ts +18 -0
package/src/client/providers/AuthProvider.tsx +104 -0
package/src/client/store/auth.store.ts +306 -0
package/src/client/utils/storage.ts +70 -0
package/src/common/constants/oauth-providers.ts +49 -0
package/src/common/errors/auth.errors.ts +64 -0
package/src/common/errors/specific-auth-errors.ts +201 -0
package/src/common/index.ts +19 -0
package/src/common/regex/index.ts +27 -0
package/src/common/types/auth.types.ts +641 -0
package/src/common/types/index.ts +297 -0
package/src/common/utils/index.ts +84 -0
package/src/core/blacklist/token.blacklist.ts +60 -0
package/src/core/index.ts +2 -0
package/src/core/jwt/jwt.manager.ts +131 -0
package/src/core/session/session.manager.ts +56 -0
package/src/db/repositories/connected-account.repository.ts +415 -0
package/src/db/repositories/role.repository.ts +519 -0
package/src/db/repositories/session.repository.ts +308 -0
package/src/db/repositories/user.repository.ts +320 -0
package/src/flows/index.ts +2 -0
package/src/flows/sign-in.flow.ts +106 -0
package/src/flows/sign-up.flow.ts +121 -0
package/src/index.ts +54 -0
package/src/libs/clerk.helper.ts +36 -0
package/src/libs/supabase.helper.ts +255 -0
package/src/libs/supabaseClient.ts +6 -0
package/src/providers/base/auth-provider.interface.ts +42 -0
package/src/providers/base/index.ts +1 -0
package/src/providers/index.ts +2 -0
package/src/providers/oauth/facebook.provider.ts +97 -0
package/src/providers/oauth/github.provider.ts +148 -0
package/src/providers/oauth/google.provider.ts +126 -0
package/src/providers/oauth/index.ts +3 -0
package/src/rbac/dynamic-roles.ts +552 -0
package/src/rbac/index.ts +4 -0
package/src/rbac/permission-checker.ts +464 -0
package/src/rbac/role-hierarchy.ts +545 -0
package/src/rbac/role.manager.ts +75 -0
package/src/security/csrf/csrf.protection.ts +37 -0
package/src/security/index.ts +3 -0
package/src/security/rate-limiting/auth/auth.controller.ts +12 -0
package/src/security/rate-limiting/auth/rate-limiting.interface.ts +67 -0
package/src/security/rate-limiting/auth.module.ts +32 -0
package/src/server/auth.module.ts +158 -0
package/src/server/decorators/auth.decorator.ts +43 -0
package/src/server/decorators/auth.decorators.ts +31 -0
package/src/server/decorators/current-user.decorator.ts +49 -0
package/src/server/decorators/permission.decorator.ts +49 -0
package/src/server/guards/auth.guard.ts +56 -0
package/src/server/guards/custom-throttler.guard.ts +46 -0
package/src/server/guards/permissions.guard.ts +115 -0
package/src/server/guards/roles.guard.ts +31 -0
package/src/server/middleware/auth.middleware.ts +46 -0
package/src/server/middleware/index.ts +2 -0
package/src/server/middleware/middleware.ts +11 -0
package/src/server/middleware/session.middleware.ts +255 -0
package/src/server/services/account.service.ts +269 -0
package/src/server/services/auth.service.ts +79 -0
package/src/server/services/brute-force.service.ts +98 -0
package/src/server/services/index.ts +15 -0
package/src/server/services/rate-limiter.service.ts +60 -0
package/src/server/services/session.service.ts +287 -0
package/src/server/services/token.service.ts +262 -0
package/src/session/cookie-store.ts +255 -0
package/src/session/enhanced-session-manager.ts +406 -0
package/src/session/index.ts +14 -0
package/src/session/memory-store.ts +320 -0
package/src/session/redis-store.ts +443 -0
package/src/strategies/oauth.strategy.ts +128 -0
package/src/strategies/traditional-auth.strategy.ts +116 -0
package/src/tokens/index.ts +4 -0
package/src/tokens/refresh-token-manager.ts +448 -0
package/src/tokens/token-validator.ts +311 -0
package/tsconfig.build.json +28 -0
package/tsconfig.json +38 -0
package/tsup.config.mjs +28 -0
package/vitest.config.mjs +16 -0
package/vitest.setup.d.ts +2 -0
package/vitest.setup.d.ts.map +1 -0
package/vitest.setup.ts +1 -0

package/src/common/types/auth.types.ts ADDED Viewed

@@ -0,0 +1,641 @@
+/**
+ * @fileoverview Core authentication types and interfaces for @plyaz/auth
+ * @module @plyaz/auth/types
+ *
+ * @description
+ * Defines all TypeScript interfaces, enums, and types for the authentication system.
+ * Includes B2C (public) and B2B (backoffice) user types, sessions, RBAC, and provider adapters.
+ * All types match database schema exactly (snake_case in DB, camelCase in TS).
+ */
+// ============================================
+// ENUMS
+// ============================================
+/**
+ * User role assignment status
+ * @enum {string}
+ */
+export enum USER_ROLE_STATUS {
+  /** Role is active and grants permissions */
+  ACTIVE = 'ACTIVE',
+  /** Role is inactive (temporarily disabled) */
+  INACTIVE = 'INACTIVE',
+  /** Role is suspended (user violation) */
+  SUSPENDED = 'SUSPENDED'
+}
+/**
+ * Authentication provider types
+ * @enum {string}
+ */
+export enum AUTHPROVIDER {
+  /** Email/password authentication */
+  EMAIL = 'EMAIL',
+  /** Clerk authentication */
+  CLERK = 'CLERK',
+  /** Google OAuth */
+  GOOGLE = 'GOOGLE',
+  /** Facebook OAuth */
+  FACEBOOK = 'FACEBOOK',
+  /** Apple Sign In */
+  APPLE = 'APPLE',
+  /** Web3 wallet authentication */
+  WEB3 = 'WEB3'
+}
+/**
+ * Token type for authentication
+ * @enum {string}
+ */
+export enum TOKENTYPE {
+  /** Bearer token */
+  BEARER = 'Bearer',
+  /** JSON Web Token */
+  JWT = 'JWT'
+}
+// ============================================
+// CORE USER TYPES
+// ============================================
+/**
+ * B2C User (public schema)
+ * Represents platform users: fans, athletes, clubs, scouts, agents
+ *
+ * @interface User
+ * @property {string} id - Unique user identifier (UUID)
+ * @property {string} email - User email address (unique)
+ * @property {string} [clerkUserId] - Clerk provider user ID
+ * @property {string} authProvider - Authentication provider used
+ * @property {string} [firstName] - User first name
+ * @property {string} [lastName] - User last name
+ * @property {string} displayName - Display name (required)
+ * @property {string} [avatarUrl] - Avatar image URL
+ * @property {string} [phoneNumber] - Phone number
+ * @property {boolean} isActive - Account active status
+ * @property {boolean} isVerified - Email verification status
+ * @property {Date} createdAt - Account creation timestamp
+ * @property {Date} updatedAt - Last update timestamp
+ * @property {Date} [lastLoginAt] - Last login timestamp
+ */
+export interface User {
+  id: string;
+  email: string;
+  clerkUserId?: string;
+  authProvider: string;
+  firstName?: string;
+  lastName?: string;
+  displayName: string;
+  avatarUrl?: string;
+  phoneNumber?: string;
+  isActive: boolean;
+  isVerified: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt?: Date;
+  roles?: string[];
+  passwordHash?: string;
+  isSuspended?: boolean;
+}
+/**
+ * B2B User (backoffice schema)
+ * Represents internal staff: admins, moderators, support, finance, compliance
+ *
+ * @interface BackofficeUser
+ * @property {string} id - Unique user identifier (UUID)
+ * @property {string} email - User email address (unique)
+ * @property {string} passwordHash - Hashed password
+ * @property {string} [clerkUserId] - Clerk provider user ID
+ * @property {string} authProvider - Authentication provider used
+ * @property {string} [firstName] - User first name
+ * @property {string} [lastName] - User last name
+ * @property {string} displayName - Display name (required)
+ * @property {string} [avatarMediaId] - Avatar media UUID reference
+ * @property {string} [phoneNumber] - Phone number
+ * @property {boolean} isActive - Account active status
+ * @property {boolean} isVerified - Email verification status
+ * @property {boolean} isSuspended - Account suspension status
+ * @property {string} [suspensionReason] - Reason for suspension
+ * @property {Date} [suspendedAt] - Suspension timestamp
+ * @property {Date} createdAt - Account creation timestamp
+ * @property {Date} updatedAt - Last update timestamp
+ * @property {Date} [lastLoginAt] - Last login timestamp
+ */
+export interface BackofficeUser {
+  id: string;
+  email: string;
+  passwordHash: string;
+  clerkUserId?: string;
+  authProvider: string;
+  firstName?: string;
+  lastName?: string;
+  displayName: string;
+  avatarMediaId?: string;
+  phoneNumber?: string;
+  isActive: boolean;
+  isVerified: boolean;
+  isSuspended: boolean;
+  suspensionReason?: string;
+  suspendedAt?: Date;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt?: Date;
+}
+// ============================================
+// SESSION TYPES
+// ============================================
+/**
+ * B2C Session (public schema)
+ * Tracks authenticated user sessions with device and activity info
+ *
+ * @interface Session
+ */
+export interface Session {
+  id: string;
+  userId: string;
+  provider: string;
+  providerSessionId?: string;
+  expiresAt: Date;
+  createdAt: Date;
+  lastActivityAt: Date;
+  ipAddress?: string;
+  userAgent?: string;
+  metadata?: Record<string, string>;
+}
+/**
+ * B2B Session (backoffice schema)
+ * Tracks authenticated backoffice user sessions
+ *
+ * @interface BackofficeSession
+ */
+export interface BackofficeSession {
+  id: string;
+  backofficeUserId: string;
+  provider: string;
+  providerSessionId?: string;
+  expiresAt: Date;
+  createdAt: Date;
+  lastActivityAt: Date;
+  ipAddress?: string;
+  userAgent?: string;
+  metadata?: Record<string, string>;
+}
+// ============================================
+// CONNECTED ACCOUNT TYPES
+// ============================================
+/**
+ * Connected Account (provider linking)
+ * Links external OAuth/Web3 provider accounts to users
+ * Supports OAuth providers (Clerk, Google, etc.) and Web3 wallets
+ *
+ * @interface ConnectedAccount
+ */
+export interface ConnectedAccount {
+  id: string;
+  userId: string;
+  providerType: string;
+  provider: string;
+  providerAccountId: string;
+  providerEmail?: string;
+  providerUsername?: string;
+  providerDisplayName?: string;
+  providerAvatarUrl?: string;
+  providerProfileUrl?: string;
+  providerMetadata?: Record<string, unknown>;
+  walletAddress?: string;
+  chainId?: string;
+  accessTokenEncrypted?: string;
+  refreshTokenEncrypted?: string;
+  tokenExpiresAt?: Date;
+  tokenScope?: string;
+  isPrimary: boolean;
+  isVerified: boolean;
+  isActive: boolean;
+  linkedAt: Date;
+  linkedIpAddress?: string;
+  linkedUserAgent?: string;
+  lastUsedAt?: Date;
+  lastUsedIpAddress?: string;
+  createdAt: Date;
+  updatedAt: Date;
+}
+// ============================================
+// AUTH TOKENS
+// ============================================
+/**
+ * Authentication tokens returned after successful login
+ *
+ * @interface AuthTokens
+ */
+export interface AuthTokens {
+  accessToken: string;
+  refreshToken: string;
+}
+// ============================================
+// RBAC TYPES
+// ============================================
+/**
+ * B2C Role (public schema)
+ * Defines user roles: FAN, ATHLETE, SCOUT, AGENT, CLUB, DEVELOPER, ADMIN
+ *
+ * @interface Role
+ */
+export interface Role {
+  id: string;
+  code: string;
+  name: string;
+  description?: string;
+  hierarchy: number;
+  canCreateCampaigns?: boolean;
+  canContribute?: boolean;
+  requiresKyc?: boolean;
+  isActive: boolean;
+  isSystem: boolean;
+  metadata?: Record<string, string>;
+  createdAt: Date;
+  updatedAt: Date;
+}
+/**
+ * B2B Role (backoffice schema)
+ * Defines staff roles: SUPER_ADMIN, ADMIN, MODERATOR, FINANCE, COMPLIANCE, SUPPORT
+ *
+ * @interface BackofficeRole
+ */
+export interface BackofficeRole {
+  id: string;
+  code: string;
+  name: string;
+  description?: string;
+  hierarchy: number;
+  canApproveCampaigns: boolean;
+  canApproveKyc: boolean;
+  canApprovePayouts: boolean;
+  canManageUsers: boolean;
+  canManageRoles: boolean;
+  canViewAllData: boolean;
+  isActive: boolean;
+  isSystem: boolean;
+  metadata?: Record<string, string>;
+  createdAt: Date;
+  updatedAt: Date;
+}
+/**
+ * Permission (backoffice only)
+ * Fine-grained permissions for backoffice users
+ *
+ * @interface Permission
+ */
+export interface Permission {
+  id: string;
+  code: string;
+  name: string;
+  description?: string;
+  resource: string;
+  action: string;
+  isActive: boolean;
+  isSystem: boolean;
+  metadata?: Record<string, string>;
+  createdAt: Date;
+  updatedAt: Date;
+}
+/**
+ * Role-Permission mapping (backoffice only)
+ * Links permissions to roles
+ *
+ * @interface RolePermission
+ */
+export interface RolePermission {
+  id: string;
+  roleId: string;
+  role: string;
+  permissionId: string;
+  grantedAt: Date;
+  grantedBy?: string;
+}
+/**
+ * User-Permission mapping (backoffice only)
+ * Grants/revokes specific permissions to users
+ *
+ * @interface UserPermission
+ */
+export interface UserPermission {
+  id: string;
+  backofficeUserId: string;
+  permissionId: string;
+  isGranted: boolean;
+  expiresAt?: Date;
+  grantedAt: Date;
+  grantedBy?: string;
+  reason?: string;
+}
+/**
+ * B2C User-Role assignment
+ * Links users to roles with status tracking
+ *
+ * @interface UserRole
+ */
+export interface UserRole {
+  id: string;
+  userId: string;
+  roleId: string;
+  role: string;
+  isPrimary: boolean;
+  status: USER_ROLE_STATUS;
+  assignedBy?: string;
+  assignedReason?: string;
+  expiresAt?: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+/**
+ * B2B User-Role assignment
+ * Links backoffice users to roles
+ *
+ * @interface BackofficeUserRole
+ */
+export interface BackofficeUserRole {
+  id: string;
+  backofficeUserId: string;
+  roleId: string;
+  role: string;
+  isPrimary: boolean;
+  status: USER_ROLE_STATUS;
+  assignedBy?: string;
+  assignedReason?: string;
+  expiresAt?: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+// ============================================
+// AUTH PROVIDER ADAPTER INTERFACE
+// ============================================
+/**
+ * Authentication provider adapter interface
+ * Defines contract for provider-agnostic authentication
+ *
+ * @interface AuthProviderAdapter
+ * @example
+ * ```typescript
+ * class ClerkAdapter implements AuthProviderAdapter {
+ *   name = 'clerk';
+ *   async verifyToken(token: string) { ... }
+ *   async getUserInfo(token: string) { ... }
+ * }
+ * ```
+ */
+export interface AuthProviderAdapter {
+  name: string;
+  verifyToken(token: string): Promise<VerifiedToken>;
+  getUserInfo(token: string): Promise<ProviderUserInfo>;
+  refreshToken?(refreshToken: string): Promise<AuthTokens>;
+  revokeToken?(token: string): Promise<void>;
+}
+/**
+ * Verified token result
+ * Returned after successful token verification
+ *
+ * @interface VerifiedToken
+ */
+export interface VerifiedToken {
+  userId: string;
+  provider: string;
+  providerAccountId: string;
+  email?: string;
+  expiresAt?: Date;
+  metadata?: Record<string, string>;
+}
+/**
+ * Provider user information
+ * User profile data from external provider
+ *
+ * @interface ProviderUserInfo
+ */
+export interface ProviderUserInfo {
+  providerAccountId: string;
+  email?: string;
+  displayName?: string;
+  firstName?: string;
+  lastName?: string;
+  avatarUrl?: string;
+  phoneNumber?: string;
+  metadata?: Record<string, string>;
+}
+// ============================================
+// REPOSITORY INTERFACES
+// ============================================
+/**
+ * User repository interface
+ * Defines data access methods for user management
+ *
+ * @interface UserRepository
+ */
+export interface UserRepository {
+  findById(id: string): Promise<User | null>;
+  findByEmail(email: string): Promise<User | null>;
+  findByProviderAccount(provider: string, providerAccountId: string): Promise<User | null>;
+  findByCredentials(email: string, passwordHash: string): Promise<User | null>;
+  create(data: CreateUserData): Promise<User>;
+  update(id: string, data: UpdateUserData): Promise<User>;
+  delete(id: string): Promise<void>;
+}
+/**
+ * Session repository interface
+ * Defines data access methods for session management
+ *
+ * @interface SessionRepository
+ */
+export interface SessionRepository {
+  create(data: CreateSessionData): Promise<Session>;
+  findById(id: string): Promise<Session | null>;
+  findByUserId(userId: string): Promise<Session[]>;
+  validate(sessionId: string): Promise<Session | null>;
+  invalidate(sessionId: string): Promise<void>;
+  invalidateAllForUser(userId: string): Promise<void>;
+  updateActivity(sessionId: string): Promise<void>;
+}
+/**
+ * Connected account repository interface
+ * Defines data access methods for provider account linking
+ *
+ * @interface ConnectedAccountRepository
+ */
+export interface ConnectedAccountRepository {
+  create(data: CreateConnectedAccountData): Promise<ConnectedAccount>;
+  findById(id: string): Promise<ConnectedAccount | null>;
+  findByUserId(userId: string): Promise<ConnectedAccount[]>;
+  findByProvider(provider: string, providerAccountId: string): Promise<ConnectedAccount | null>;
+  update(id: string, data: UpdateConnectedAccountData): Promise<ConnectedAccount>;
+  delete(id: string): Promise<void>;
+}
+// ============================================
+// DATA TRANSFER OBJECTS
+// ============================================
+/**
+ * DTO for creating B2C users
+ * @interface CreateUserData
+ */
+export interface CreateUserData {
+  email: string;
+  clerkUserId?: string;
+  authProvider?: string;
+  firstName?: string;
+  lastName?: string;
+  displayName: string;
+  avatarUrl?: string;
+  phoneNumber?: string;
+  isVerified?: boolean;
+  passwordHash?: string;
+  isActive?: boolean;
+}
+/**
+ * DTO for creating B2B users
+ * @interface CreateBackofficeUserData
+ */
+export interface CreateBackofficeUserData {
+  email: string;
+  passwordHash: string;
+  clerkUserId?: string;
+  authProvider?: string;
+  firstName?: string;
+  lastName?: string;
+  displayName: string;
+  avatarMediaId?: string;
+  phoneNumber?: string;
+  isVerified?: boolean;
+}
+/**
+ * DTO for updating B2C users
+ * @interface UpdateUserData
+ */
+export interface UpdateUserData {
+  email?: string;
+  clerkUserId?: string;
+  authProvider?: string;
+  firstName?: string;
+  lastName?: string;
+  displayName?: string;
+  avatarUrl?: string;
+  phoneNumber?: string;
+  isActive?: boolean;
+  isVerified?: boolean;
+  lastLoginAt?: Date;
+}
+/**
+ * DTO for updating B2B users
+ * @interface UpdateBackofficeUserData
+ */
+export interface UpdateBackofficeUserData {
+  email?: string;
+  passwordHash?: string;
+  clerkUserId?: string;
+  authProvider?: string;
+  firstName?: string;
+  lastName?: string;
+  displayName?: string;
+  avatarMediaId?: string;
+  phoneNumber?: string;
+  isActive?: boolean;
+  isVerified?: boolean;
+  isSuspended?: boolean;
+  suspensionReason?: string;
+  suspendedAt?: Date;
+  lastLoginAt?: Date;
+}
+/**
+ * DTO for creating sessions
+ * @interface CreateSessionData
+ */
+export interface CreateSessionData {
+  userId: string;
+  provider: string;
+  providerSessionId?: string;
+  expiresAt: Date;
+  ipAddress?: string;
+  userAgent?: string;
+  metadata?: Record<string, string>;
+}
+/**
+ * DTO for creating connected accounts
+ * @interface CreateConnectedAccountData
+ */
+export interface CreateConnectedAccountData {
+  userId: string;
+  providerType: string;
+  provider: string;
+  providerAccountId: string;
+  providerEmail?: string;
+  providerUsername?: string;
+  providerDisplayName?: string;
+  providerAvatarUrl?: string;
+  providerProfileUrl?: string;
+  providerMetadata?: Record<string, unknown>;
+  walletAddress?: string;
+  chainId?: string;
+  accessTokenEncrypted?: string;
+  refreshTokenEncrypted?: string;
+  tokenExpiresAt?: Date;
+  tokenScope?: string;
+  isPrimary?: boolean;
+  isVerified?: boolean;
+  isActive?: boolean;
+  linkedIpAddress?: string;
+  linkedUserAgent?: string;
+}
+/**
+ * DTO for updating connected accounts
+ * @interface UpdateConnectedAccountData
+ */
+export interface UpdateConnectedAccountData {
+  providerEmail?: string;
+  providerUsername?: string;
+  providerDisplayName?: string;
+  providerAvatarUrl?: string;
+  providerProfileUrl?: string;
+  providerMetadata?: Record<string, string>;
+  accessTokenEncrypted?: string;
+  refreshTokenEncrypted?: string;
+  tokenExpiresAt?: Date;
+  tokenScope?: string;
+  isPrimary?: boolean;
+  isVerified?: boolean;
+  isActive?: boolean;
+  lastUsedAt?: Date;
+  lastUsedIpAddress?: string;
+}