npm - @plyaz/auth - Versions diffs - 1.0.0 - Mend

@plyaz/auth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/.github/pull_request_template.md +71 -0
package/.github/workflows/deploy.yml +9 -0
package/.github/workflows/publish.yml +14 -0
package/.github/workflows/security.yml +20 -0
package/README.md +89 -0
package/commits.txt +5 -0
package/dist/common/index.cjs +48 -0
package/dist/common/index.cjs.map +1 -0
package/dist/common/index.mjs +43 -0
package/dist/common/index.mjs.map +1 -0
package/dist/index.cjs +20411 -0
package/dist/index.cjs.map +1 -0
package/dist/index.mjs +5139 -0
package/dist/index.mjs.map +1 -0
package/eslint.config.mjs +13 -0
package/index.html +13 -0
package/package.json +141 -0
package/src/adapters/auth-adapter-factory.ts +26 -0
package/src/adapters/auth-adapter.mapper.ts +53 -0
package/src/adapters/base-auth.adapter.ts +119 -0
package/src/adapters/clerk/clerk.adapter.ts +204 -0
package/src/adapters/custom/custom.adapter.ts +119 -0
package/src/adapters/index.ts +4 -0
package/src/adapters/next-auth/authOptions.ts +81 -0
package/src/adapters/next-auth/next-auth.adapter.ts +211 -0
package/src/api/client.ts +37 -0
package/src/audit/audit.logger.ts +52 -0
package/src/client/components/ProtectedRoute.tsx +37 -0
package/src/client/hooks/useAuth.ts +128 -0
package/src/client/hooks/useConnectedAccounts.ts +108 -0
package/src/client/hooks/usePermissions.ts +36 -0
package/src/client/hooks/useRBAC.ts +36 -0
package/src/client/hooks/useSession.ts +18 -0
package/src/client/providers/AuthProvider.tsx +104 -0
package/src/client/store/auth.store.ts +306 -0
package/src/client/utils/storage.ts +70 -0
package/src/common/constants/oauth-providers.ts +49 -0
package/src/common/errors/auth.errors.ts +64 -0
package/src/common/errors/specific-auth-errors.ts +201 -0
package/src/common/index.ts +19 -0
package/src/common/regex/index.ts +27 -0
package/src/common/types/auth.types.ts +641 -0
package/src/common/types/index.ts +297 -0
package/src/common/utils/index.ts +84 -0
package/src/core/blacklist/token.blacklist.ts +60 -0
package/src/core/index.ts +2 -0
package/src/core/jwt/jwt.manager.ts +131 -0
package/src/core/session/session.manager.ts +56 -0
package/src/db/repositories/connected-account.repository.ts +415 -0
package/src/db/repositories/role.repository.ts +519 -0
package/src/db/repositories/session.repository.ts +308 -0
package/src/db/repositories/user.repository.ts +320 -0
package/src/flows/index.ts +2 -0
package/src/flows/sign-in.flow.ts +106 -0
package/src/flows/sign-up.flow.ts +121 -0
package/src/index.ts +54 -0
package/src/libs/clerk.helper.ts +36 -0
package/src/libs/supabase.helper.ts +255 -0
package/src/libs/supabaseClient.ts +6 -0
package/src/providers/base/auth-provider.interface.ts +42 -0
package/src/providers/base/index.ts +1 -0
package/src/providers/index.ts +2 -0
package/src/providers/oauth/facebook.provider.ts +97 -0
package/src/providers/oauth/github.provider.ts +148 -0
package/src/providers/oauth/google.provider.ts +126 -0
package/src/providers/oauth/index.ts +3 -0
package/src/rbac/dynamic-roles.ts +552 -0
package/src/rbac/index.ts +4 -0
package/src/rbac/permission-checker.ts +464 -0
package/src/rbac/role-hierarchy.ts +545 -0
package/src/rbac/role.manager.ts +75 -0
package/src/security/csrf/csrf.protection.ts +37 -0
package/src/security/index.ts +3 -0
package/src/security/rate-limiting/auth/auth.controller.ts +12 -0
package/src/security/rate-limiting/auth/rate-limiting.interface.ts +67 -0
package/src/security/rate-limiting/auth.module.ts +32 -0
package/src/server/auth.module.ts +158 -0
package/src/server/decorators/auth.decorator.ts +43 -0
package/src/server/decorators/auth.decorators.ts +31 -0
package/src/server/decorators/current-user.decorator.ts +49 -0
package/src/server/decorators/permission.decorator.ts +49 -0
package/src/server/guards/auth.guard.ts +56 -0
package/src/server/guards/custom-throttler.guard.ts +46 -0
package/src/server/guards/permissions.guard.ts +115 -0
package/src/server/guards/roles.guard.ts +31 -0
package/src/server/middleware/auth.middleware.ts +46 -0
package/src/server/middleware/index.ts +2 -0
package/src/server/middleware/middleware.ts +11 -0
package/src/server/middleware/session.middleware.ts +255 -0
package/src/server/services/account.service.ts +269 -0
package/src/server/services/auth.service.ts +79 -0
package/src/server/services/brute-force.service.ts +98 -0
package/src/server/services/index.ts +15 -0
package/src/server/services/rate-limiter.service.ts +60 -0
package/src/server/services/session.service.ts +287 -0
package/src/server/services/token.service.ts +262 -0
package/src/session/cookie-store.ts +255 -0
package/src/session/enhanced-session-manager.ts +406 -0
package/src/session/index.ts +14 -0
package/src/session/memory-store.ts +320 -0
package/src/session/redis-store.ts +443 -0
package/src/strategies/oauth.strategy.ts +128 -0
package/src/strategies/traditional-auth.strategy.ts +116 -0
package/src/tokens/index.ts +4 -0
package/src/tokens/refresh-token-manager.ts +448 -0
package/src/tokens/token-validator.ts +311 -0
package/tsconfig.build.json +28 -0
package/tsconfig.json +38 -0
package/tsup.config.mjs +28 -0
package/vitest.config.mjs +16 -0
package/vitest.setup.d.ts +2 -0
package/vitest.setup.d.ts.map +1 -0
package/vitest.setup.ts +1 -0

package/src/db/repositories/connected-account.repository.ts ADDED Viewed

@@ -0,0 +1,415 @@
+import { createClient } from '@supabase/supabase-js';
+import type { ConnectedAccount, ConnectedAccountRepository as IConnectedAccountRepository, CreateConnectedAccountData, UpdateConnectedAccountData } from '@/common/types/auth.types';
+/**
+ * Repository for managing connected accounts (provider account linking)
+ *
+ * @description
+ * Handles CRUD operations for external provider accounts linked to users.
+ * Supports OAuth providers (Clerk, Google, Facebook, etc.) and stores tokens.
+ *
+ * @example
+ * ```typescript
+ * const repo = new ConnectedAccountRepository(supabaseUrl, supabaseKey);
+ * const account = await repo.findByProvider('clerk', 'user_123');
+ * ```
+ */
+export class ConnectedAccountRepository implements IConnectedAccountRepository {
+  private supabase;
+  /**
+   * STEP 1: Initialize repository with Supabase client
+   * @param supabaseUrl - Supabase project URL
+   * @param supabaseKey - Supabase service role key
+   */
+  constructor(supabaseUrl: string, supabaseKey: string) {
+    this.supabase = createClient(supabaseUrl, supabaseKey);
+  }
+  /**
+   * STEP 2: Create a new connected account
+   * Links an external provider account to a user
+   *
+   * @param data - Connected account creation data
+   * @returns Promise resolving to created ConnectedAccount
+   * @throws Error if creation fails
+   */
+  async create(data: CreateConnectedAccountData): Promise<ConnectedAccount> {
+    const insertData = this.transformToDbFormat(data);
+    const { data: accountData, error } = await this.supabase
+      .from('connected_accounts')
+      .insert(insertData)
+      .select()
+      .single();
+    if (error || !accountData) throw new Error(`Failed to create connected account: ${error?.message}`);
+    return this.mapToConnectedAccount(accountData);
+  }
+  /**
+   * STEP 3: Find connected account by ID
+   *
+   * @param id - Connected account UUID
+   * @returns Promise resolving to ConnectedAccount or null if not found
+   */
+  async findById(id: string): Promise<ConnectedAccount | null> {
+    const { data, error } = await this.supabase
+      .from('connected_accounts')
+      .select('*')
+      .eq('id', id)
+      .single();
+    if (error || !data) return null;
+    return this.mapToConnectedAccount(data);
+  }
+  /**
+   * STEP 4: Find all connected accounts for a user
+   * Returns accounts ordered by creation date (newest first)
+   *
+   * @param userId - User UUID
+   * @returns Promise resolving to array of ConnectedAccount
+   */
+  async findByUserId(userId: string): Promise<ConnectedAccount[]> {
+    const { data, error } = await this.supabase
+      .from('connected_accounts')
+      .select('*')
+      .eq('user_id', userId)
+      .order('created_at', { ascending: false });
+    if (error || !data) return [];
+    return data.map(this.mapToConnectedAccount);
+  }
+  /**
+   * STEP 5: Find connected account by provider credentials
+   * Used for authentication - matches (provider, provider_account_id)
+   *
+   * @param provider - Provider name (e.g., 'clerk', 'google')
+   * @param providerAccountId - Provider's user ID
+   * @returns Promise resolving to ConnectedAccount or null if not found
+   */
+  async findByProvider(provider: string, providerAccountId: string): Promise<ConnectedAccount | null> {
+    const { data, error } = await this.supabase
+      .from('connected_accounts')
+      .select('*')
+      .eq('provider', provider)
+      .eq('provider_account_id', providerAccountId)
+      .single();
+    if (error || !data) return null;
+    return this.mapToConnectedAccount(data);
+  }
+  /**
+   * Find connected account by provider and ID (alias for compatibility)
+   */
+  async findByProviderAndId(provider: string, providerAccountId: string): Promise<ConnectedAccount | null> {
+    return this.findByProvider(provider, providerAccountId);
+  }
+  /**
+   * Update tokens for connected account
+   */
+  async updateTokens(accountId: string, accessToken: string, refreshToken?: string): Promise<void> {
+    const updateData = {
+      access_token_encrypted: accessToken,
+      updated_at: new Date(),
+      refresh_token_encrypted:refreshToken
+    };
+    if (refreshToken) {
+      updateData.refresh_token_encrypted = refreshToken;
+    }
+    const { error } = await this.supabase
+      .from('connected_accounts')
+      .update(updateData)
+      .eq('id', accountId);
+    if (error) throw new Error(`Failed to update tokens: ${error.message}`);
+  }
+  /**
+   * STEP 6: Update connected account
+   * Updates tokens, profile info, or metadata
+   *
+   * @param id - Connected account UUID
+   * @param data - Partial update data
+   * @returns Promise resolving to updated ConnectedAccount
+   * @throws Error if update fails
+   */
+  async update(id: string, data: UpdateConnectedAccountData): Promise<ConnectedAccount> {
+    const updateData = this.buildUpdateData(data);
+    const { data: accountData, error } = await this.supabase
+      .from('connected_accounts')
+      .update(updateData)
+      .eq('id', id)
+      .select()
+      .single();
+    if (error || !accountData) throw new Error(`Failed to update connected account: ${error?.message}`);
+    return this.mapToConnectedAccount(accountData);
+  }
+  /**
+   * STEP 7: Delete connected account (unlink provider)
+   *
+   * @param id - Connected account UUID
+   * @throws Error if deletion fails
+   */
+  async delete(id: string): Promise<void> {
+    const { error } = await this.supabase
+      .from('connected_accounts')
+      .delete()
+      .eq('id', id);
+    if (error) throw new Error(`Failed to delete connected account: ${error.message}`);
+  }
+  /**
+   * Find primary connected account for user
+   * Query WHERE user_id AND is_primary = true
+   * @param userId - User identifier
+   * @returns Primary connected account or null
+   */
+  async findPrimary(userId: string): Promise<ConnectedAccount | null> {
+    const { data, error } = await this.supabase
+      .from('connected_accounts')
+      .select('*')
+      .eq('user_id', userId)
+      .eq('is_primary', true)
+      .eq('is_active', true)
+      .single();
+    if (error || !data) return null;
+    return this.mapToConnectedAccount(data);
+  }
+  /**
+   * Set primary connected account
+   * UPDATE all user accounts is_primary = false, then UPDATE specific account is_primary = true
+   * @param userId - User identifier
+   * @param accountId - Account identifier to set as primary
+   */
+  async setPrimary(userId: string, accountId: string): Promise<void> {
+    // First, unset all primary accounts for user
+    await this.supabase
+      .from('connected_accounts')
+      .update({ is_primary: false, updated_at: new Date() })
+      .eq('user_id', userId);
+    // Then set the specified account as primary
+    const { error } = await this.supabase
+      .from('connected_accounts')
+      .update({ is_primary: true, updated_at: new Date() })
+      .eq('id', accountId)
+      .eq('user_id', userId);
+    if (error) throw new Error(`Failed to set primary account: ${error.message}`);
+  }
+  /**
+   * Link account to user
+   * INSERT new connected account and emit account.linked event
+   * @param userId - User identifier
+   * @param provider - Provider name
+   * @param providerData - Provider account data
+   * @returns Created connected account
+   */
+  async linkAccount(userId: string, provider: string, providerData: ConnectedAccount): Promise<ConnectedAccount> {
+    const accountData = {
+      user_id: userId,
+      provider_type: providerData.providerType ?? 'OAUTH',
+      provider,
+      provider_account_id: providerData.providerAccountId,
+      provider_email: providerData.providerEmail,
+      provider_username: providerData.providerUsername,
+      provider_display_name: providerData.providerDisplayName,
+      provider_avatar_url: providerData.providerAvatarUrl,
+      provider_metadata: providerData.providerMetadata ?? {},
+      is_primary: false,
+      is_verified: true,
+      is_active: true,
+      linked_at: new Date(),
+      created_at: new Date(),
+      updated_at: new Date()
+    };
+    const { data, error } = await this.supabase
+      .from('connected_accounts')
+      .insert(accountData)
+      .select()
+      .single();
+    if (error || !data) throw new Error(`Failed to link account: ${error?.message}`);
+    const connectedAccount = this.mapToConnectedAccount(data);
+    // Emit account linked event
+    this.emitAccountLinkedEvent(userId, provider, connectedAccount.id);
+    return connectedAccount;
+  }
+  /**
+   * Unlink account from user
+   * DELETE connected account with validation (not last auth method) and emit account.unlinked event
+   * @param accountId - Account identifier
+   */
+  async unlinkAccount(accountId: string): Promise<void> {
+    // Get account details
+    const account = await this.findById(accountId);
+    if (!account) {
+      throw new Error('Connected account not found');
+    }
+    // Check if this is the last authentication method
+    const userAccounts = await this.findByUserId(account.userId);
+    if (userAccounts.length <= 1) {
+      throw new Error('Cannot unlink the last authentication method');
+    }
+    // Delete the account
+    await this.delete(accountId);
+    // Emit account unlinked event
+    this.emitAccountUnlinkedEvent(account.userId, account.provider, accountId);
+  }
+  /**
+   * Emit account linked event
+   * @param userId - User identifier
+   * @param provider - Provider name
+   * @param accountId - Account identifier
+   * @private
+   */
+  private emitAccountLinkedEvent(userId: string, provider: string, accountId: string): void {
+    // Mock event emission - in real implementation would use event system
+    globalThis.console.log('Event: auth.account.linked', {
+      userId,
+      provider,
+      accountId,
+      timestamp: new Date()
+    });
+  }
+  /**
+   * Emit account unlinked event
+   * @param userId - User identifier
+   * @param provider - Provider name
+   * @param accountId - Account identifier
+   * @private
+   */
+  private emitAccountUnlinkedEvent(userId: string, provider: string, accountId: string): void {
+    // Mock event emission - in real implementation would use event system
+    globalThis.console.log('Event: auth.account.unlinked', {
+      userId,
+      provider,
+      accountId,
+      timestamp: new Date()
+    });
+  }
+  /**
+   * Transform camelCase DTO to snake_case database format
+   * @private
+   */
+  private transformToDbFormat(data: CreateConnectedAccountData): Record<string, string| undefined | Record<string, unknown> |Date | boolean > {
+    return {
+      user_id: data.userId,
+      provider_type: data.providerType,
+      provider: data.provider,
+      provider_account_id: data.providerAccountId,
+      provider_email: data.providerEmail,
+      provider_username: data.providerUsername,
+      provider_display_name: data.providerDisplayName,
+      provider_avatar_url: data.providerAvatarUrl,
+      provider_profile_url: data.providerProfileUrl,
+      provider_metadata: data.providerMetadata,
+      wallet_address: data.walletAddress,
+      chain_id: data.chainId,
+      access_token_encrypted: data.accessTokenEncrypted,
+      refresh_token_encrypted: data.refreshTokenEncrypted,
+      token_expires_at: data.tokenExpiresAt,
+      token_scope: data.tokenScope,
+      is_primary: data.isPrimary ?? false,
+      is_verified: data.isVerified ?? true,
+      is_active: data.isActive ?? true,
+      linked_ip_address: data.linkedIpAddress,
+      linked_user_agent: data.linkedUserAgent,
+    };
+  }
+  /**
+   * Build update data with only defined fields
+   * @private
+   */
+  private buildUpdateData(data: UpdateConnectedAccountData): Record<string, string> {
+    const result: Record<string, string> = { updated_at: new Date().toString() };
+    // Only include defined fields
+    Object.entries(data).forEach(([key, value]) => {
+      if (value !== undefined) {
+        const dbKey = this.camelToSnake(key);
+        result[dbKey] = value;
+      }
+    });
+    return result;
+  }
+  /**
+   * Convert camelCase to snake_case
+   * @private
+   */
+  private camelToSnake(str: string): string {
+    return str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
+  }
+  /**
+   * STEP 8: Map database row to ConnectedAccount interface
+   * Converts snake_case to camelCase
+   *
+   * @param data - Raw database row
+   * @returns Mapped ConnectedAccount object
+   * @private
+   */
+  private mapToConnectedAccount(data: ConnectedAccount): ConnectedAccount {
+    return {
+      id: data.id,
+      userId: data.userId,
+      providerType: data.providerType,
+      provider: data.provider,
+      providerAccountId: data.providerAccountId,
+      providerEmail: data.providerEmail,
+      providerUsername: data.providerUsername,
+      providerDisplayName: data.providerDisplayName,
+      providerAvatarUrl: data.providerAvatarUrl,
+      providerProfileUrl: data.providerProfileUrl,
+      providerMetadata: data.providerMetadata,
+      walletAddress: data.walletAddress,
+      chainId: data.chainId,
+      accessTokenEncrypted: data.accessTokenEncrypted,
+      refreshTokenEncrypted: data.refreshTokenEncrypted,
+      tokenExpiresAt: data.tokenExpiresAt ? new Date(data.tokenExpiresAt) : undefined,
+      tokenScope: data.tokenScope,
+      isPrimary: data.isPrimary,
+      isVerified: data.isVerified,
+      isActive: data.isActive,
+      linkedAt: new Date(data.linkedAt),
+      linkedIpAddress: data.lastUsedIpAddress,
+      linkedUserAgent: data.linkedUserAgent,
+      lastUsedAt: data.lastUsedAt ? new Date(data.lastUsedAt) : undefined,
+      lastUsedIpAddress: data.lastUsedIpAddress,
+      createdAt: new Date(data.createdAt),
+      updatedAt: new Date(data.updatedAt),
+    };
+  }
+}