@plyaz/auth 1.0.0

package/src/adapters/next-auth/authOptions.ts

@@ -0,0 +1,81 @@
+import type { NextAuthOptions } from 'next-auth';
+import CredentialsProvider from 'next-auth/providers/credentials';
+
+import { compare } from 'bcryptjs'; 
+import { supabase } from '@/libs/supabaseClient';
+import { NUMERIX } from '@plyaz/config';
+
+const seven  = 7;
+export const authOptions: NextAuthOptions = {
+  providers: [
+    // Example: Email + password login (custom)
+    CredentialsProvider({
+      name: 'Credentials',
+      credentials: {
+        email: { label: 'Email', type: 'text', placeholder: 'email@example.com' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials.password) return null;
+
+        // Fetch user from Supabase
+        const { data: user, error } = await supabase
+          .from('users')
+          .select('*')
+          .eq('email', credentials.email)
+          .single();
+
+        if (error || !user) return null;
+
+        // Compare password
+        const isValid = await compare(credentials.password, user.password_hash);
+        if (!isValid) return null;
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          role: user.role ?? 'user',
+          isVerified: user.is_verified,
+          isActive: user.is_active,
+        };
+      },
+    }),
+  ],
+
+  // Session strategy: JWT (stateless)
+  session: {
+    strategy: 'jwt',
+    maxAge: seven * NUMERIX.TWENTY_FOUR * NUMERIX.SIXTY * NUMERIX.SIXTY, // 7 days
+  },
+
+  // JWT settings
+  jwt: {
+    secret: globalThis.process.env.NEXTAUTH_SECRET,
+  },
+
+  // callbacks: {
+  //   async jwt({ token, user }) {
+  //     if (user) {
+  //       token.id = user.id;
+  //       token.roles = user.roles;
+  //       token.isVerified = user.is_verified;
+  //     }
+  //     return token;
+  //   },
+  //   async session({ session, token }) {
+  //     if (token) {
+  //       session.user.id = token.id as string;
+  //       session.user.role = token.role as string;
+  //       session.user.isVerified = token.isVerified as boolean;
+  //     }
+  //     return session;
+  //   },
+  // },
+
+  pages: {
+    signIn: '/auth/signin', // custom signin page
+  },
+
+  debug: globalThis.process.env.NODE_ENV === 'development',
+};

package/src/adapters/next-auth/next-auth.adapter.ts

@@ -0,0 +1,211 @@
+/* eslint-disable no-unused-vars */
+
+import { DatabasePackageError } from "@plyaz/errors";
+import type {
+  AuthAdapterUser,
+  AuthDeviceInfo,
+  AUTHPROVIDER,
+  AuthProviderAdapter as BaseAuthProvider,
+  AuthSession,
+  AuthUser,
+  ConnectedAccount,
+  Credentials,
+  Tokens,
+} from "@plyaz/types";
+
+import type { DeviceInfo } from "../../libs/supabase.helper";
+
+import {
+  createUser,
+  createUserSession,
+  findUserByEmailProvider,
+  getLinkedAccounts,
+  linkConnectedAccount,
+  unlinkConnectedAccount,
+} from "../../libs/supabase.helper";
+
+/**
+ * Extends base provider WITHOUT changing behavior
+ */
+export interface AuthProviderAdapter extends BaseAuthProvider {
+  signIn(
+    credentials: unknown
+  ): Promise<{
+    user: AuthAdapterUser;
+    session: AuthSession;
+    tokens: Tokens;
+  }>;
+}
+
+export class NextAuthAdapter implements AuthProviderAdapter {
+  // -------------------
+  // Identity
+  // -------------------
+  async signIn(
+    provider: AUTHPROVIDER,
+    credentials?: Credentials,
+    deviceInfo?: AuthDeviceInfo
+  ): Promise<{
+    user: AuthAdapterUser;
+    session: AuthSession;
+    tokens: Tokens;
+  }> {
+    const userFindByEmail = await findUserByEmailProvider(
+      credentials?.email ?? "",
+      provider
+    );
+
+    if (!userFindByEmail) {
+      return {
+        user: { id: "", email: "" },
+        session: { id: "", userId: "", expiresAt: new Date() },
+        tokens: { accessToken: "" },
+      };
+    }
+
+    const accounts = await getLinkedAccounts(userFindByEmail.id);
+
+    if (accounts.length === 0) {
+      return {
+        user: { id: userFindByEmail.id, email: userFindByEmail.email },
+        session: { id: "", userId: "", expiresAt: new Date() },
+        tokens: { accessToken: "" },
+      };
+    }
+
+    const rawSession = await createUserSession(
+      accounts[0].id,
+      deviceInfo ?? {
+        ip: "",
+        browser: "",
+        os: "",
+        userAgent: "",
+      }
+    );
+
+    const session: AuthSession = {
+      id: rawSession.id,
+      userId: rawSession.userId,
+      expiresAt: rawSession.expiresAt,
+    };
+
+    return {
+      user: {
+        id: accounts[0].id,
+        email: accounts[0].providerEmail ?? '',
+      },
+      session,
+      tokens: { accessToken: "jwt-token" },
+    };
+  }
+
+  async signUp(
+    provider: AUTHPROVIDER,
+    credentials: Credentials,
+    data?: AuthUser,
+    deviceInfo?: DeviceInfo
+  ): Promise<{
+    user: AuthUser;
+    session: AuthSession;
+    tokens: Tokens;
+  }> {
+    const userFindByEmail = await findUserByEmailProvider(
+      data?.email ?? "",
+      provider
+    );
+
+    if (userFindByEmail) {
+      throw new Error("User already registered");
+    }
+
+    const user = await createUser(
+      credentials.email,
+      provider,
+      data,
+      credentials.password
+    );
+
+    if (!user) {
+      throw new DatabasePackageError("Something went wrong");
+    }
+
+    const rawSession = await createUserSession(
+      user.id,
+      deviceInfo ?? {
+        ip: "",
+        browser: "",
+        os: "",
+        userAgent: "",
+      }
+    );
+
+    const session: AuthSession = {
+      id: rawSession.id,
+      userId: rawSession.userId,
+      expiresAt: rawSession.expiresAt,
+    };
+
+    return {
+      user,
+      session,
+      tokens: { accessToken: "jwt-token" },
+    };
+  }
+
+  async signOut(_sessionId: string): Promise<void> {
+    throw new DatabasePackageError("signOut handled by NextAuth");
+  }
+
+  // -------------------
+  // Session
+  // -------------------
+  async getSession(_sessionId: string): Promise<AuthSession | null> {
+    return null;
+  }
+
+  async validateSession(_sessionId: string): Promise<boolean> {
+    return true;
+  }
+
+  async refreshSession(
+    _refreshToken: string
+  ): Promise<{ session: AuthSession; tokens: Tokens }> {
+    throw new DatabasePackageError("RefreshSession handled by NextAuth");
+  }
+
+  // -------------------
+  // Providers
+  // -------------------
+  async getOAuthUrl(
+    _provider: AUTHPROVIDER,
+    _redirectUri: string
+  ): Promise<string> {
+    throw new DatabasePackageError("OAuth handled by NextAuth");
+  }
+
+  async handleOAuthCallback(
+    _provider: AUTHPROVIDER,
+    _code: string
+  ): Promise<{ providerAccountId: string; profile: unknown }> {
+    throw new DatabasePackageError("OAuth callback handled by NextAuth");
+  }
+
+  // -------------------
+  // Connected Accounts
+  // -------------------
+  async linkAccount(
+    userId: string,
+    provider: AUTHPROVIDER,
+    data: ConnectedAccount
+  ): Promise<ConnectedAccount> {
+    return linkConnectedAccount(userId, provider, data);
+  }
+
+  async unlinkAccount(userId: string, accountId: string): Promise<void> {
+    await unlinkConnectedAccount(userId, accountId);
+  }
+
+  async getLinkedAccounts(userId: string): Promise<ConnectedAccount[]> {
+    return getLinkedAccounts(userId);
+  }
+}

package/src/api/client.ts

@@ -0,0 +1,37 @@
+import { AuthenticationError,  } from "@plyaz/errors";
+import { HTTP_STATUS } from "@plyaz/types";
+export const API_BASE_URL =
+ globalThis.process.env.VITE_API_BASE_URL ?? "http://localhost:3000";
+
+export async function apiFetch<T>(
+  path: string,
+  options: RequestInit = {}
+): Promise<T> {
+  const res = await globalThis.fetch(`${API_BASE_URL}${path}`, {
+    credentials: "include", // IMPORTANT for session auth
+    headers: {
+      "Content-Type": "application/json",
+      ...options.headers,
+    },
+    ...options,
+  });
+
+  if (!res.ok) {
+    let data = null;
+
+    try {
+      data = await res.json();
+    } catch {
+          throw new AuthenticationError("AUTH_INVALID_CREDENTIALS", data?.message);
+    }
+
+
+  }
+
+  // Handle empty responses (204 No Content)
+  if (res.status === HTTP_STATUS.NO_CONTENT) {
+    return null as T;
+  }
+
+  return res.json();
+}

package/src/audit/audit.logger.ts

@@ -0,0 +1,52 @@
+export interface AuditEvent {
+  userId?: string;
+  action: string;
+  resource: string;
+  resourceId?: string;
+  ipAddress?: string;
+  userAgent?: string;
+  metadata?: Record<string, string>;
+  timestamp: Date;
+}
+
+export class AuditLogger {
+  private events: AuditEvent[] = [];
+
+  async log(event: Omit<AuditEvent, 'timestamp'>): Promise<void> {
+    const auditEvent: AuditEvent = {
+      ...event,
+      timestamp: new Date()
+    };
+
+    this.events.push(auditEvent);
+    
+    // This would write to audit.audit_logs table
+   globalThis.console.log('AUDIT:', JSON.stringify(auditEvent));
+  }
+
+  async logAuthEvent(action: string, userId?: string, metadata?: Record<string, string>): Promise<void> {
+    await this.log({
+      userId,
+      action,
+      resource: 'authentication',
+      metadata
+    });
+  }
+
+  async logPermissionEvent(action: string, userId: string, resource: string, resourceId?: string): Promise<void> {
+    await this.log({
+      userId,
+      action,
+      resource,
+      resourceId
+    });
+  }
+
+  getEvents(): AuditEvent[] {
+    return [...this.events];
+  }
+
+  clearEvents(): void {
+    this.events = [];
+  }
+}

package/src/client/components/ProtectedRoute.tsx

@@ -0,0 +1,37 @@
+import type { ReactNode } from 'react';
+import React from 'react';
+import { useAuth } from '../hooks/useAuth';
+
+interface ProtectedRouteProps {
+  children: ReactNode;
+  fallback?: ReactNode;
+  requiredRoles?: string[];
+}
+
+export const ProtectedRoute: React.FC<ProtectedRouteProps> = ({ 
+  children, 
+  fallback = <div>Please sign in to access this page</div>,
+  requiredRoles = []
+// eslint-disable-next-line complexity
+}) => {
+  const { isAuthenticated, user, isLoading } = useAuth();
+
+  if (isLoading) {
+    return <div>Loading...</div>;
+  }
+
+  if (!isAuthenticated) {
+    return <>{fallback}</>;
+  }
+
+  if (requiredRoles.length > 0 && user) {
+    const userRoles = user.roles ?? [];
+    const hasRequiredRole = requiredRoles.some(role => userRoles.includes(role));
+    
+    if (!hasRequiredRole) {
+      return <div>Access denied. Required roles: {requiredRoles.join(', ')}</div>;
+    }
+  }
+
+  return <>{children}</>;
+};

package/src/client/hooks/useAuth.ts

@@ -0,0 +1,128 @@
+import { useAuthStore } from "../store/auth.store";
+import type {
+  AuthAdapterUser,
+  AuthCredentials,
+  AUTHPROVIDER,
+  AuthSession,
+  AuthUser,
+  Tokens,
+
+  ConnectedAccount,
+} from "@plyaz/types";
+
+export interface Permission {
+  resource: string;
+  action: string;
+  conditions: Record<string, string>;
+}
+
+export interface AuthPermissions extends AuthUser {
+  permissions?: Permission[];
+  isActive: boolean;
+  isVerified: boolean;
+}
+
+export interface UseAuthReturn {
+  user: AuthPermissions | null;
+  isAuthenticated: boolean;
+  isLoading: boolean;
+  error: string | null;
+  signIn: (provider?: AUTHPROVIDER, credentials?: AuthCredentials) => Promise<{
+    user: AuthAdapterUser;
+    session: AuthSession;
+    tokens: Tokens;
+  }>;
+  signUp: (provider: AUTHPROVIDER, data?: unknown) => Promise<void>;
+  signOut: () => Promise<void>;
+  linkAccount: (
+   userId:string,provider:AUTHPROVIDER,data:ConnectedAccount
+  ) => Promise<void | ConnectedAccount>;
+  unlinkAccount: (accountId: string) => Promise<void>;
+}
+
+export function useAuth(): UseAuthReturn {
+  const store = useAuthStore();
+
+  /**
+   * Handles authentication actions with consistent loading and error states
+   *
+   * @param {Function} action - Async function to execute
+   * @returns {Promise<void>}
+   * @private
+   */
+
+  const handleAuthAction = async <T,>(
+    action: () => Promise<T>
+  ): Promise<T> => {
+    store.setLoading(true);
+    store.setError(null);
+
+    try {
+      const result = await action();
+      return result;
+    } 
+   catch (err: unknown) {
+  const errorMessage =
+    err instanceof Error ? err.message : "Authentication failed";
+
+  store.setError(errorMessage);
+  throw err;
+}
+
+    finally {
+      store.setLoading(false);
+    }
+  };
+
+  return {
+    user: store.user,
+    isAuthenticated: store.isAuthenticated,
+    isLoading: store.isLoading,
+    error: store.error,
+    signIn: async (
+      provider?: AUTHPROVIDER,
+      credentials?: AuthCredentials
+    ): Promise<{
+      user: AuthAdapterUser;
+      session: AuthSession;
+      tokens: Tokens;
+    }> => {
+      return handleAuthAction(() => store.signIn(provider, credentials));
+    },
+
+    signUp: async (provider: AUTHPROVIDER, data?: unknown): Promise<void> => {
+      return handleAuthAction(() => store.signUp(provider, data));
+    },
+
+    signOut: async (): Promise<void> => {
+      return handleAuthAction(() => store.signOut());
+    },
+
+    linkAccount: async (
+    userId:string,provider:AUTHPROVIDER,data:ConnectedAccount
+    ): Promise<void> => {
+      return handleAuthAction(async () => {
+        // Construct a ConnectedAccount object; adjust fields as needed
+        const connectedAccount: ConnectedAccount = {
+         
+          ...data,
+          userId,
+          provider,
+          providerType: "",
+          providerAccountId: "",
+          isPrimary: false,
+          isVerified: false,
+          isActive: false,
+          linkedAt: new Date(),
+          createdAt: new Date(),
+          updatedAt: new Date()
+        };
+        store.addConnectedAccount(connectedAccount);
+      });
+    },
+
+    unlinkAccount: async (accountId: string): Promise<void> => {
+      return handleAuthAction(async () => store.removeConnectedAccount(accountId));
+    },
+  };
+}

package/src/client/hooks/useConnectedAccounts.ts

@@ -0,0 +1,108 @@
+/**
+ * @fileoverview Connected accounts management hook
+ * @module @plyaz/auth/client/hooks/useConnectedAccounts
+ */
+
+import { useState, useEffect } from 'react';
+import { useAuth } from './useAuth';
+import type { AuthCredentials, ConnectedAccount } from '@plyaz/types';
+
+export interface UseConnectedAccountsReturn {
+  accounts: ConnectedAccount[];
+  isLoading: boolean;
+  linkAccount: (provider: string, credentials: AuthCredentials) => Promise<void>;
+  unlinkAccount: (accountId: string) => Promise<void>;
+  setPrimaryAccount: (accountId: string) => Promise<void>;
+  refreshAccounts: () => Promise<void>;
+}
+
+export const useConnectedAccounts = (): UseConnectedAccountsReturn => {
+  const [accounts, setAccounts] = useState<ConnectedAccount[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const { user } = useAuth();
+
+  const linkAccount = async (provider: string, credentials:AuthCredentials):Promise<void> => {
+    if (!user) throw new Error('User not authenticated');
+    
+    setIsLoading(true);
+    try {
+      const response = await globalThis.fetch('/api/auth/accounts/link', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ provider, credentials })
+      });
+      
+      if (!response.ok) throw new Error('Failed to link account');
+      
+      const newAccount = await response.json() as ConnectedAccount;
+      setAccounts(prev => [...prev, newAccount]);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  const unlinkAccount = async (accountId: string):Promise<void> => {
+    setIsLoading(true);
+    try {
+      const response = await globalThis.fetch(`/api/auth/accounts/${accountId}/unlink`, {
+        method: 'DELETE'
+      });
+      
+      if (!response.ok) throw new Error('Failed to unlink account');
+      
+      setAccounts(prev => prev.filter(acc => acc.id !== accountId));
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  const setPrimaryAccount = async (accountId: string):Promise<void> => {
+    setIsLoading(true);
+    try {
+      const response = await globalThis.fetch(`/api/auth/accounts/${accountId}/primary`, {
+        method: 'PUT'
+      });
+      
+      if (!response.ok) throw new Error('Failed to set primary account');
+      
+      setAccounts(prev => prev.map(acc => ({
+        ...acc,
+        isPrimary: acc.id === accountId
+      })));
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  const refreshAccounts = async ():Promise<void>=> {
+    if (!user) return;
+    
+    setIsLoading(true);
+    try {
+      const response = await globalThis.fetch('/api/auth/accounts');
+      if (response.ok) {
+        const data = await response.json() as ConnectedAccount[];
+        setAccounts(data);
+      }
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    void (async():Promise<void> => {
+ await refreshAccounts();
+})();
+
+   
+  }, [user]);
+
+  return {
+    accounts,
+    isLoading,
+    linkAccount,
+    unlinkAccount,
+    setPrimaryAccount,
+    refreshAccounts,
+  };
+};

package/src/client/hooks/usePermissions.ts

@@ -0,0 +1,36 @@
+/**
+ * @fileoverview Permissions management hook
+ * @module @plyaz/auth/client/hooks/usePermissions
+ */
+
+import type { Permission} from "./useAuth";
+import { useAuth } from "./useAuth";
+
+export interface UsePermissionsReturn {
+  permissions: Permission[];
+  hasPermission: (permission: Permission) => boolean;
+  hasAnyPermission: (permissions: Permission[]) => boolean;
+  hasAllPermissions: (permissions: Permission[]) => boolean;
+}
+
+export const usePermissions = (): UsePermissionsReturn => {
+  const { user } = useAuth();
+
+  const permissions = user?.permissions ?? [];
+
+  const hasPermission = (permission: Permission): boolean =>
+    permissions.includes(permission);
+
+  const hasAnyPermission = (perms: Permission[]): boolean =>
+    perms.some((perm) => permissions.includes(perm));
+
+  const hasAllPermissions = (perms: Permission[]): boolean =>
+    perms.every((perm) => permissions.includes(perm));
+
+  return {
+    permissions,
+    hasPermission,
+    hasAnyPermission,
+    hasAllPermissions,
+  };
+};