@productcraft/auth-passport 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +44 -0
- package/dist/index.cjs +66 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.cts +125 -0
- package/dist/index.d.ts +125 -0
- package/dist/index.js +63 -0
- package/dist/index.js.map +1 -0
- package/package.json +54 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 ProductCraft
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# @productcraft/auth-passport
|
|
2
|
+
|
|
3
|
+
Passport-JWT adapter for [`@productcraft/auth`](../auth). Plug an Auth `ConsumerScope` into a `passport-jwt` Strategy so existing Passport setups can authenticate Auth-issued tokens.
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
npm install @productcraft/auth @productcraft/auth-passport passport-jwt
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
## Usage
|
|
10
|
+
|
|
11
|
+
```ts
|
|
12
|
+
import passportJwt from "passport-jwt";
|
|
13
|
+
import { Auth } from "@productcraft/auth";
|
|
14
|
+
import { createPassportSecretOrKeyProvider } from "@productcraft/auth-passport";
|
|
15
|
+
|
|
16
|
+
const auth = new Auth({
|
|
17
|
+
auth: { type: "apiKey", key: process.env.PCFT_KEY! },
|
|
18
|
+
});
|
|
19
|
+
const scope = auth.consumer("my-app-slug");
|
|
20
|
+
|
|
21
|
+
new passportJwt.Strategy(
|
|
22
|
+
{
|
|
23
|
+
jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
24
|
+
secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
|
|
25
|
+
issuer: scope.expectedIssuer,
|
|
26
|
+
audience: "my-app", // optional
|
|
27
|
+
algorithms: ["ES256"],
|
|
28
|
+
},
|
|
29
|
+
(payload, done) => {
|
|
30
|
+
// payload is the verified Auth claims object (sub, role, permissions, ...)
|
|
31
|
+
return done(null, payload);
|
|
32
|
+
},
|
|
33
|
+
);
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
The helper decodes the JWT header, asks the Auth `ConsumerScope` for the matching signing key via its cached JWKS, converts the resulting `CryptoKey` into a Node `KeyObject`, and hands it to passport-jwt.
|
|
37
|
+
|
|
38
|
+
## How it relates to the main package
|
|
39
|
+
|
|
40
|
+
`@productcraft/auth` already ships a `scope.verifyToken(token)` one-liner. Use **this** package only when you have an existing Passport setup you'd rather keep. For Express middleware without Passport, the direct verify is simpler.
|
|
41
|
+
|
|
42
|
+
## License
|
|
43
|
+
|
|
44
|
+
[MIT](../../LICENSE).
|
package/dist/index.cjs
ADDED
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var crypto = require('crypto');
|
|
4
|
+
var jose = require('jose');
|
|
5
|
+
|
|
6
|
+
var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
|
|
7
|
+
get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
|
|
8
|
+
}) : x)(function(x) {
|
|
9
|
+
if (typeof require !== "undefined") return require.apply(this, arguments);
|
|
10
|
+
throw Error('Dynamic require of "' + x + '" is not supported');
|
|
11
|
+
});
|
|
12
|
+
function createPassportSecretOrKeyProvider(scope) {
|
|
13
|
+
return (_request, rawJwt, done) => {
|
|
14
|
+
let header;
|
|
15
|
+
try {
|
|
16
|
+
header = jose.decodeProtectedHeader(rawJwt);
|
|
17
|
+
} catch (err) {
|
|
18
|
+
done(err);
|
|
19
|
+
return;
|
|
20
|
+
}
|
|
21
|
+
scope.jwks.getKey(header).then(
|
|
22
|
+
(cryptoKey) => {
|
|
23
|
+
try {
|
|
24
|
+
const keyObject = crypto.KeyObject.from(cryptoKey);
|
|
25
|
+
done(null, keyObject);
|
|
26
|
+
} catch (err) {
|
|
27
|
+
done(err);
|
|
28
|
+
}
|
|
29
|
+
},
|
|
30
|
+
(err) => done(err)
|
|
31
|
+
);
|
|
32
|
+
};
|
|
33
|
+
}
|
|
34
|
+
function loadPassportJwt() {
|
|
35
|
+
try {
|
|
36
|
+
const mod = __require("passport-jwt");
|
|
37
|
+
return {
|
|
38
|
+
Strategy: mod.Strategy ?? mod.default?.Strategy,
|
|
39
|
+
ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt
|
|
40
|
+
};
|
|
41
|
+
} catch {
|
|
42
|
+
throw new Error(
|
|
43
|
+
"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`."
|
|
44
|
+
);
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
function createAuthJwtStrategy(scope, verify, options = {}) {
|
|
48
|
+
const passportJwt = loadPassportJwt();
|
|
49
|
+
const issuer = options.strictIssuer ? scope.expectedIssuer : scope.acceptedIssuers;
|
|
50
|
+
return new passportJwt.Strategy(
|
|
51
|
+
{
|
|
52
|
+
jwtFromRequest: options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
53
|
+
secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
|
|
54
|
+
issuer,
|
|
55
|
+
audience: scope.expectedAudience,
|
|
56
|
+
algorithms: options.algorithms ?? ["RS256"],
|
|
57
|
+
passReqToCallback: options.passReqToCallback ?? false
|
|
58
|
+
},
|
|
59
|
+
verify
|
|
60
|
+
);
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
exports.createAuthJwtStrategy = createAuthJwtStrategy;
|
|
64
|
+
exports.createPassportSecretOrKeyProvider = createPassportSecretOrKeyProvider;
|
|
65
|
+
//# sourceMappingURL=index.cjs.map
|
|
66
|
+
//# sourceMappingURL=index.cjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/index.ts"],"names":["decodeProtectedHeader","KeyObject"],"mappings":";;;;;;;;;;;AAsEO,SAAS,kCACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,CAAC,QAAA,EAAU,MAAA,EAAQ,IAAA,KAAS;AACjC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAA,GAASA,2BAAsB,MAAM,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AACR,MAAA;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAA6B,CAAA,CAAE,IAAA;AAAA,MAC/C,CAAC,SAAA,KAAc;AACb,QAAA,IAAI;AAKF,UAAA,MAAM,SAAA,GAAYC,gBAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAC1C,UAAA,IAAA,CAAK,MAAM,SAAS,CAAA;AAAA,QACtB,SAAS,GAAA,EAAK;AACZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,MACA,CAAC,GAAA,KAAQ,IAAA,CAAK,GAAG;AAAA,KACnB;AAAA,EACF,CAAA;AACF;AA+DA,SAAS,eAAA,GAGP;AACA,EAAA,IAAI;AAEF,IAAA,MAAM,GAAA,GAAM,UAAQ,cAAc,CAAA;AAClC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,OAAA,EAAS,QAAA;AAAA,MACvC,UAAA,EAAY,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,OAAA,EAAS;AAAA,KAC7C;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;AAeO,SAAS,qBAAA,CACd,KAAA,EACA,MAAA,EACA,OAAA,GAAwC,EAAC,EACzC;AACA,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,YAAA,GACnB,KAAA,CAAM,iBACL,KAAA,CAAM,eAAA;AAEX,EAAA,OAAO,IAAI,WAAA,CAAY,QAAA;AAAA,IACrB;AAAA,MACE,cAAA,EACE,OAAA,CAAQ,cAAA,IAAkB,WAAA,CAAY,WAAW,2BAAA,EAA4B;AAAA,MAC/E,mBAAA,EAAqB,kCAAkC,KAAK,CAAA;AAAA,MAC5D,MAAA;AAAA,MACA,UAAU,KAAA,CAAM,gBAAA;AAAA,MAChB,UAAA,EAAY,OAAA,CAAQ,UAAA,IAAc,CAAC,OAAO,CAAA;AAAA,MAC1C,iBAAA,EAAmB,QAAQ,iBAAA,IAAqB;AAAA,KAClD;AAAA,IACA;AAAA,GACF;AACF","file":"index.cjs","sourcesContent":["/**\n * `@productcraft/auth-passport` — passport-jwt adapter for Auth.\n *\n * Install alongside `@productcraft/auth` + `passport-jwt`:\n *\n * ```bash\n * npm install @productcraft/auth @productcraft/auth-passport passport-jwt\n * ```\n *\n * Recommended one-call form:\n *\n * ```ts\n * import passportJwt from \"passport-jwt\";\n * import passport from \"passport\";\n * import { Auth } from \"@productcraft/auth\";\n * import { createAuthJwtStrategy } from \"@productcraft/auth-passport\";\n *\n * const auth = new Auth({ auth: { type: \"apiKey\", key: process.env.PCFT_KEY! } });\n * const scope = auth.consumer(\"my-app-slug\");\n *\n * passport.use(createAuthJwtStrategy(scope, (claims, done) => {\n * // claims is the verified Auth claims object (sub, role, permissions, ...)\n * return done(null, claims);\n * }));\n * ```\n *\n * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +\n * `audience` (app slug) + algorithms automatically from the scope.\n *\n * If you need the underlying primitives — to compose with your own\n * options or pass a custom `jwtFromRequest` — use the lower-level\n * `createPassportSecretOrKeyProvider` directly:\n *\n * ```ts\n * new passportJwt.Strategy(\n * {\n * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n * issuer: scope.acceptedIssuers as string[],\n * audience: scope.expectedAudience,\n * algorithms: [\"RS256\", \"ES256\"],\n * },\n * (payload, done) => done(null, payload),\n * );\n * ```\n */\n\nimport { KeyObject } from \"node:crypto\";\nimport { decodeProtectedHeader, type JWTHeaderParameters } from \"jose\";\n\nimport type { ConsumerScope } from \"@productcraft/auth\";\n\n/**\n * passport-jwt's `secretOrKeyProvider` callback signature. We don't\n * depend on passport-jwt's types directly (to keep it a soft dep),\n * so this is the same shape as `SecretOrKeyProvider` in their typings.\n */\ntype PassportSecretOrKeyProvider = (\n request: unknown,\n rawJwtToken: string,\n done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void,\n) => void;\n\n/**\n * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth\n * `ConsumerScope`. Decodes the protected header, looks up the matching\n * key via the scope's JWKS cache, and converts the resulting jose\n * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library\n * passport-jwt delegates to) accepts.\n */\nexport function createPassportSecretOrKeyProvider(\n scope: ConsumerScope,\n): PassportSecretOrKeyProvider {\n return (_request, rawJwt, done) => {\n let header;\n try {\n header = decodeProtectedHeader(rawJwt);\n } catch (err) {\n done(err);\n return;\n }\n\n scope.jwks.getKey(header as JWTHeaderParameters).then(\n (cryptoKey) => {\n try {\n // `jsonwebtoken` (passport-jwt's verifier) doesn't accept\n // Web Crypto `CryptoKey`, but it does accept Node's\n // `KeyObject`. `KeyObject.from(cryptoKey)` was added in\n // Node 16.6 and is the right adapter.\n const keyObject = KeyObject.from(cryptoKey);\n done(null, keyObject);\n } catch (err) {\n done(err);\n }\n },\n (err) => done(err),\n );\n };\n}\n\n/**\n * Shape of the verified-claims callback passport delegates to once a\n * token passes signature + issuer + audience + expiry checks. Mirrors\n * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.\n */\nexport type AuthVerifyCallback = (\n payload: Record<string, unknown>,\n done: (err: unknown, user?: unknown, info?: unknown) => void,\n) => void;\n\n/**\n * Extra options for `createAuthJwtStrategy`. Defaults are the\n * Auth-recommended values; override here if you need a different\n * token source (cookie, custom header, ...), a stricter algorithm\n * allow-list, or want to skip the legacy-issuer acceptance window.\n */\nexport interface CreateAuthJwtStrategyOptions {\n /**\n * Where to read the bearer from. Defaults to\n * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any\n * passport-jwt extractor when you need a different source.\n */\n jwtFromRequest?: (req: unknown) => string | null;\n\n /**\n * JWS algorithms accepted by the underlying verifier. Defaults to\n * the algorithms Auth mints today (`['RS256']`); set explicitly\n * if your app is on a different signing alg or you also accept\n * customer-minted tokens with a different alg.\n */\n algorithms?: string[];\n\n /**\n * Pin only the per-app issuer URL (skip the legacy `'heimdall'`\n * literal). Defaults to `false` — verifying both keeps in-flight\n * tokens minted before the per-app-issuer migration valid. Set to\n * `true` once you're confident all old tokens have expired.\n */\n strictIssuer?: boolean;\n\n /** Whether the request object should be passed to the verify callback. Defaults to `false`. */\n passReqToCallback?: boolean;\n}\n\n/**\n * Constructor signature for `passport-jwt`'s `Strategy`. We don't take\n * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime\n * the caller imports passportJwt and the helper does\n * `new passportJwt.Strategy(...)` via the constructor reference.\n */\nexport interface PassportJwtStrategyCtor {\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;\n}\n\n/**\n * Lazy passport-jwt loader. We try to `require('passport-jwt')` from\n * the caller's dep graph at first use. Throws a clear error if it's\n * missing so the user doesn't see a cryptic `Cannot find module`\n * deep in the strategy constructor.\n */\nfunction loadPassportJwt(): {\n Strategy: PassportJwtStrategyCtor;\n ExtractJwt: { fromAuthHeaderAsBearerToken: () => (req: unknown) => string | null };\n} {\n try {\n // dynamic require so passport-jwt stays a peer dep\n const mod = require(\"passport-jwt\");\n return {\n Strategy: mod.Strategy ?? mod.default?.Strategy,\n ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt,\n };\n } catch {\n throw new Error(\n \"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`.\",\n );\n }\n}\n\n/**\n * Build a fully-configured `passport-jwt` strategy from an Auth\n * `ConsumerScope`. Wires:\n *\n * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)\n * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`\n * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)\n * - `audience` → `scope.expectedAudience` (the app slug)\n * - `algorithms` → `['RS256']` (override via opts)\n *\n * The verify callback you pass receives the parsed claims after\n * passport-jwt has finished its checks.\n */\nexport function createAuthJwtStrategy(\n scope: ConsumerScope,\n verify: AuthVerifyCallback,\n options: CreateAuthJwtStrategyOptions = {},\n) {\n const passportJwt = loadPassportJwt();\n const issuer = options.strictIssuer\n ? scope.expectedIssuer\n : (scope.acceptedIssuers as string[]);\n\n return new passportJwt.Strategy(\n {\n jwtFromRequest:\n options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n issuer,\n audience: scope.expectedAudience,\n algorithms: options.algorithms ?? [\"RS256\"],\n passReqToCallback: options.passReqToCallback ?? false,\n },\n verify,\n );\n}\n"]}
|
package/dist/index.d.cts
ADDED
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
import { KeyObject } from 'node:crypto';
|
|
2
|
+
import { ConsumerScope } from '@productcraft/auth';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* `@productcraft/auth-passport` — passport-jwt adapter for Auth.
|
|
6
|
+
*
|
|
7
|
+
* Install alongside `@productcraft/auth` + `passport-jwt`:
|
|
8
|
+
*
|
|
9
|
+
* ```bash
|
|
10
|
+
* npm install @productcraft/auth @productcraft/auth-passport passport-jwt
|
|
11
|
+
* ```
|
|
12
|
+
*
|
|
13
|
+
* Recommended one-call form:
|
|
14
|
+
*
|
|
15
|
+
* ```ts
|
|
16
|
+
* import passportJwt from "passport-jwt";
|
|
17
|
+
* import passport from "passport";
|
|
18
|
+
* import { Auth } from "@productcraft/auth";
|
|
19
|
+
* import { createAuthJwtStrategy } from "@productcraft/auth-passport";
|
|
20
|
+
*
|
|
21
|
+
* const auth = new Auth({ auth: { type: "apiKey", key: process.env.PCFT_KEY! } });
|
|
22
|
+
* const scope = auth.consumer("my-app-slug");
|
|
23
|
+
*
|
|
24
|
+
* passport.use(createAuthJwtStrategy(scope, (claims, done) => {
|
|
25
|
+
* // claims is the verified Auth claims object (sub, role, permissions, ...)
|
|
26
|
+
* return done(null, claims);
|
|
27
|
+
* }));
|
|
28
|
+
* ```
|
|
29
|
+
*
|
|
30
|
+
* The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +
|
|
31
|
+
* `audience` (app slug) + algorithms automatically from the scope.
|
|
32
|
+
*
|
|
33
|
+
* If you need the underlying primitives — to compose with your own
|
|
34
|
+
* options or pass a custom `jwtFromRequest` — use the lower-level
|
|
35
|
+
* `createPassportSecretOrKeyProvider` directly:
|
|
36
|
+
*
|
|
37
|
+
* ```ts
|
|
38
|
+
* new passportJwt.Strategy(
|
|
39
|
+
* {
|
|
40
|
+
* jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
41
|
+
* secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
|
|
42
|
+
* issuer: scope.acceptedIssuers as string[],
|
|
43
|
+
* audience: scope.expectedAudience,
|
|
44
|
+
* algorithms: ["RS256", "ES256"],
|
|
45
|
+
* },
|
|
46
|
+
* (payload, done) => done(null, payload),
|
|
47
|
+
* );
|
|
48
|
+
* ```
|
|
49
|
+
*/
|
|
50
|
+
|
|
51
|
+
/**
|
|
52
|
+
* passport-jwt's `secretOrKeyProvider` callback signature. We don't
|
|
53
|
+
* depend on passport-jwt's types directly (to keep it a soft dep),
|
|
54
|
+
* so this is the same shape as `SecretOrKeyProvider` in their typings.
|
|
55
|
+
*/
|
|
56
|
+
type PassportSecretOrKeyProvider = (request: unknown, rawJwtToken: string, done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void) => void;
|
|
57
|
+
/**
|
|
58
|
+
* Returns a passport-jwt `secretOrKeyProvider` bound to an Auth
|
|
59
|
+
* `ConsumerScope`. Decodes the protected header, looks up the matching
|
|
60
|
+
* key via the scope's JWKS cache, and converts the resulting jose
|
|
61
|
+
* `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library
|
|
62
|
+
* passport-jwt delegates to) accepts.
|
|
63
|
+
*/
|
|
64
|
+
declare function createPassportSecretOrKeyProvider(scope: ConsumerScope): PassportSecretOrKeyProvider;
|
|
65
|
+
/**
|
|
66
|
+
* Shape of the verified-claims callback passport delegates to once a
|
|
67
|
+
* token passes signature + issuer + audience + expiry checks. Mirrors
|
|
68
|
+
* `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.
|
|
69
|
+
*/
|
|
70
|
+
type AuthVerifyCallback = (payload: Record<string, unknown>, done: (err: unknown, user?: unknown, info?: unknown) => void) => void;
|
|
71
|
+
/**
|
|
72
|
+
* Extra options for `createAuthJwtStrategy`. Defaults are the
|
|
73
|
+
* Auth-recommended values; override here if you need a different
|
|
74
|
+
* token source (cookie, custom header, ...), a stricter algorithm
|
|
75
|
+
* allow-list, or want to skip the legacy-issuer acceptance window.
|
|
76
|
+
*/
|
|
77
|
+
interface CreateAuthJwtStrategyOptions {
|
|
78
|
+
/**
|
|
79
|
+
* Where to read the bearer from. Defaults to
|
|
80
|
+
* `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any
|
|
81
|
+
* passport-jwt extractor when you need a different source.
|
|
82
|
+
*/
|
|
83
|
+
jwtFromRequest?: (req: unknown) => string | null;
|
|
84
|
+
/**
|
|
85
|
+
* JWS algorithms accepted by the underlying verifier. Defaults to
|
|
86
|
+
* the algorithms Auth mints today (`['RS256']`); set explicitly
|
|
87
|
+
* if your app is on a different signing alg or you also accept
|
|
88
|
+
* customer-minted tokens with a different alg.
|
|
89
|
+
*/
|
|
90
|
+
algorithms?: string[];
|
|
91
|
+
/**
|
|
92
|
+
* Pin only the per-app issuer URL (skip the legacy `'heimdall'`
|
|
93
|
+
* literal). Defaults to `false` — verifying both keeps in-flight
|
|
94
|
+
* tokens minted before the per-app-issuer migration valid. Set to
|
|
95
|
+
* `true` once you're confident all old tokens have expired.
|
|
96
|
+
*/
|
|
97
|
+
strictIssuer?: boolean;
|
|
98
|
+
/** Whether the request object should be passed to the verify callback. Defaults to `false`. */
|
|
99
|
+
passReqToCallback?: boolean;
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* Constructor signature for `passport-jwt`'s `Strategy`. We don't take
|
|
103
|
+
* a direct dep on passport-jwt to keep it a peer/soft dep — at runtime
|
|
104
|
+
* the caller imports passportJwt and the helper does
|
|
105
|
+
* `new passportJwt.Strategy(...)` via the constructor reference.
|
|
106
|
+
*/
|
|
107
|
+
interface PassportJwtStrategyCtor {
|
|
108
|
+
new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Build a fully-configured `passport-jwt` strategy from an Auth
|
|
112
|
+
* `ConsumerScope`. Wires:
|
|
113
|
+
*
|
|
114
|
+
* - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)
|
|
115
|
+
* - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`
|
|
116
|
+
* - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)
|
|
117
|
+
* - `audience` → `scope.expectedAudience` (the app slug)
|
|
118
|
+
* - `algorithms` → `['RS256']` (override via opts)
|
|
119
|
+
*
|
|
120
|
+
* The verify callback you pass receives the parsed claims after
|
|
121
|
+
* passport-jwt has finished its checks.
|
|
122
|
+
*/
|
|
123
|
+
declare function createAuthJwtStrategy(scope: ConsumerScope, verify: AuthVerifyCallback, options?: CreateAuthJwtStrategyOptions): any;
|
|
124
|
+
|
|
125
|
+
export { type AuthVerifyCallback, type CreateAuthJwtStrategyOptions, type PassportJwtStrategyCtor, createAuthJwtStrategy, createPassportSecretOrKeyProvider };
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
import { KeyObject } from 'node:crypto';
|
|
2
|
+
import { ConsumerScope } from '@productcraft/auth';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* `@productcraft/auth-passport` — passport-jwt adapter for Auth.
|
|
6
|
+
*
|
|
7
|
+
* Install alongside `@productcraft/auth` + `passport-jwt`:
|
|
8
|
+
*
|
|
9
|
+
* ```bash
|
|
10
|
+
* npm install @productcraft/auth @productcraft/auth-passport passport-jwt
|
|
11
|
+
* ```
|
|
12
|
+
*
|
|
13
|
+
* Recommended one-call form:
|
|
14
|
+
*
|
|
15
|
+
* ```ts
|
|
16
|
+
* import passportJwt from "passport-jwt";
|
|
17
|
+
* import passport from "passport";
|
|
18
|
+
* import { Auth } from "@productcraft/auth";
|
|
19
|
+
* import { createAuthJwtStrategy } from "@productcraft/auth-passport";
|
|
20
|
+
*
|
|
21
|
+
* const auth = new Auth({ auth: { type: "apiKey", key: process.env.PCFT_KEY! } });
|
|
22
|
+
* const scope = auth.consumer("my-app-slug");
|
|
23
|
+
*
|
|
24
|
+
* passport.use(createAuthJwtStrategy(scope, (claims, done) => {
|
|
25
|
+
* // claims is the verified Auth claims object (sub, role, permissions, ...)
|
|
26
|
+
* return done(null, claims);
|
|
27
|
+
* }));
|
|
28
|
+
* ```
|
|
29
|
+
*
|
|
30
|
+
* The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +
|
|
31
|
+
* `audience` (app slug) + algorithms automatically from the scope.
|
|
32
|
+
*
|
|
33
|
+
* If you need the underlying primitives — to compose with your own
|
|
34
|
+
* options or pass a custom `jwtFromRequest` — use the lower-level
|
|
35
|
+
* `createPassportSecretOrKeyProvider` directly:
|
|
36
|
+
*
|
|
37
|
+
* ```ts
|
|
38
|
+
* new passportJwt.Strategy(
|
|
39
|
+
* {
|
|
40
|
+
* jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
41
|
+
* secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
|
|
42
|
+
* issuer: scope.acceptedIssuers as string[],
|
|
43
|
+
* audience: scope.expectedAudience,
|
|
44
|
+
* algorithms: ["RS256", "ES256"],
|
|
45
|
+
* },
|
|
46
|
+
* (payload, done) => done(null, payload),
|
|
47
|
+
* );
|
|
48
|
+
* ```
|
|
49
|
+
*/
|
|
50
|
+
|
|
51
|
+
/**
|
|
52
|
+
* passport-jwt's `secretOrKeyProvider` callback signature. We don't
|
|
53
|
+
* depend on passport-jwt's types directly (to keep it a soft dep),
|
|
54
|
+
* so this is the same shape as `SecretOrKeyProvider` in their typings.
|
|
55
|
+
*/
|
|
56
|
+
type PassportSecretOrKeyProvider = (request: unknown, rawJwtToken: string, done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void) => void;
|
|
57
|
+
/**
|
|
58
|
+
* Returns a passport-jwt `secretOrKeyProvider` bound to an Auth
|
|
59
|
+
* `ConsumerScope`. Decodes the protected header, looks up the matching
|
|
60
|
+
* key via the scope's JWKS cache, and converts the resulting jose
|
|
61
|
+
* `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library
|
|
62
|
+
* passport-jwt delegates to) accepts.
|
|
63
|
+
*/
|
|
64
|
+
declare function createPassportSecretOrKeyProvider(scope: ConsumerScope): PassportSecretOrKeyProvider;
|
|
65
|
+
/**
|
|
66
|
+
* Shape of the verified-claims callback passport delegates to once a
|
|
67
|
+
* token passes signature + issuer + audience + expiry checks. Mirrors
|
|
68
|
+
* `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.
|
|
69
|
+
*/
|
|
70
|
+
type AuthVerifyCallback = (payload: Record<string, unknown>, done: (err: unknown, user?: unknown, info?: unknown) => void) => void;
|
|
71
|
+
/**
|
|
72
|
+
* Extra options for `createAuthJwtStrategy`. Defaults are the
|
|
73
|
+
* Auth-recommended values; override here if you need a different
|
|
74
|
+
* token source (cookie, custom header, ...), a stricter algorithm
|
|
75
|
+
* allow-list, or want to skip the legacy-issuer acceptance window.
|
|
76
|
+
*/
|
|
77
|
+
interface CreateAuthJwtStrategyOptions {
|
|
78
|
+
/**
|
|
79
|
+
* Where to read the bearer from. Defaults to
|
|
80
|
+
* `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any
|
|
81
|
+
* passport-jwt extractor when you need a different source.
|
|
82
|
+
*/
|
|
83
|
+
jwtFromRequest?: (req: unknown) => string | null;
|
|
84
|
+
/**
|
|
85
|
+
* JWS algorithms accepted by the underlying verifier. Defaults to
|
|
86
|
+
* the algorithms Auth mints today (`['RS256']`); set explicitly
|
|
87
|
+
* if your app is on a different signing alg or you also accept
|
|
88
|
+
* customer-minted tokens with a different alg.
|
|
89
|
+
*/
|
|
90
|
+
algorithms?: string[];
|
|
91
|
+
/**
|
|
92
|
+
* Pin only the per-app issuer URL (skip the legacy `'heimdall'`
|
|
93
|
+
* literal). Defaults to `false` — verifying both keeps in-flight
|
|
94
|
+
* tokens minted before the per-app-issuer migration valid. Set to
|
|
95
|
+
* `true` once you're confident all old tokens have expired.
|
|
96
|
+
*/
|
|
97
|
+
strictIssuer?: boolean;
|
|
98
|
+
/** Whether the request object should be passed to the verify callback. Defaults to `false`. */
|
|
99
|
+
passReqToCallback?: boolean;
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* Constructor signature for `passport-jwt`'s `Strategy`. We don't take
|
|
103
|
+
* a direct dep on passport-jwt to keep it a peer/soft dep — at runtime
|
|
104
|
+
* the caller imports passportJwt and the helper does
|
|
105
|
+
* `new passportJwt.Strategy(...)` via the constructor reference.
|
|
106
|
+
*/
|
|
107
|
+
interface PassportJwtStrategyCtor {
|
|
108
|
+
new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Build a fully-configured `passport-jwt` strategy from an Auth
|
|
112
|
+
* `ConsumerScope`. Wires:
|
|
113
|
+
*
|
|
114
|
+
* - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)
|
|
115
|
+
* - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`
|
|
116
|
+
* - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)
|
|
117
|
+
* - `audience` → `scope.expectedAudience` (the app slug)
|
|
118
|
+
* - `algorithms` → `['RS256']` (override via opts)
|
|
119
|
+
*
|
|
120
|
+
* The verify callback you pass receives the parsed claims after
|
|
121
|
+
* passport-jwt has finished its checks.
|
|
122
|
+
*/
|
|
123
|
+
declare function createAuthJwtStrategy(scope: ConsumerScope, verify: AuthVerifyCallback, options?: CreateAuthJwtStrategyOptions): any;
|
|
124
|
+
|
|
125
|
+
export { type AuthVerifyCallback, type CreateAuthJwtStrategyOptions, type PassportJwtStrategyCtor, createAuthJwtStrategy, createPassportSecretOrKeyProvider };
|
package/dist/index.js
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
import { KeyObject } from 'crypto';
|
|
2
|
+
import { decodeProtectedHeader } from 'jose';
|
|
3
|
+
|
|
4
|
+
var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
|
|
5
|
+
get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
|
|
6
|
+
}) : x)(function(x) {
|
|
7
|
+
if (typeof require !== "undefined") return require.apply(this, arguments);
|
|
8
|
+
throw Error('Dynamic require of "' + x + '" is not supported');
|
|
9
|
+
});
|
|
10
|
+
function createPassportSecretOrKeyProvider(scope) {
|
|
11
|
+
return (_request, rawJwt, done) => {
|
|
12
|
+
let header;
|
|
13
|
+
try {
|
|
14
|
+
header = decodeProtectedHeader(rawJwt);
|
|
15
|
+
} catch (err) {
|
|
16
|
+
done(err);
|
|
17
|
+
return;
|
|
18
|
+
}
|
|
19
|
+
scope.jwks.getKey(header).then(
|
|
20
|
+
(cryptoKey) => {
|
|
21
|
+
try {
|
|
22
|
+
const keyObject = KeyObject.from(cryptoKey);
|
|
23
|
+
done(null, keyObject);
|
|
24
|
+
} catch (err) {
|
|
25
|
+
done(err);
|
|
26
|
+
}
|
|
27
|
+
},
|
|
28
|
+
(err) => done(err)
|
|
29
|
+
);
|
|
30
|
+
};
|
|
31
|
+
}
|
|
32
|
+
function loadPassportJwt() {
|
|
33
|
+
try {
|
|
34
|
+
const mod = __require("passport-jwt");
|
|
35
|
+
return {
|
|
36
|
+
Strategy: mod.Strategy ?? mod.default?.Strategy,
|
|
37
|
+
ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt
|
|
38
|
+
};
|
|
39
|
+
} catch {
|
|
40
|
+
throw new Error(
|
|
41
|
+
"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`."
|
|
42
|
+
);
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
function createAuthJwtStrategy(scope, verify, options = {}) {
|
|
46
|
+
const passportJwt = loadPassportJwt();
|
|
47
|
+
const issuer = options.strictIssuer ? scope.expectedIssuer : scope.acceptedIssuers;
|
|
48
|
+
return new passportJwt.Strategy(
|
|
49
|
+
{
|
|
50
|
+
jwtFromRequest: options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
51
|
+
secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
|
|
52
|
+
issuer,
|
|
53
|
+
audience: scope.expectedAudience,
|
|
54
|
+
algorithms: options.algorithms ?? ["RS256"],
|
|
55
|
+
passReqToCallback: options.passReqToCallback ?? false
|
|
56
|
+
},
|
|
57
|
+
verify
|
|
58
|
+
);
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
export { createAuthJwtStrategy, createPassportSecretOrKeyProvider };
|
|
62
|
+
//# sourceMappingURL=index.js.map
|
|
63
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;AAsEO,SAAS,kCACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,CAAC,QAAA,EAAU,MAAA,EAAQ,IAAA,KAAS;AACjC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAA,GAAS,sBAAsB,MAAM,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AACR,MAAA;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAA6B,CAAA,CAAE,IAAA;AAAA,MAC/C,CAAC,SAAA,KAAc;AACb,QAAA,IAAI;AAKF,UAAA,MAAM,SAAA,GAAY,SAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAC1C,UAAA,IAAA,CAAK,MAAM,SAAS,CAAA;AAAA,QACtB,SAAS,GAAA,EAAK;AACZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,MACA,CAAC,GAAA,KAAQ,IAAA,CAAK,GAAG;AAAA,KACnB;AAAA,EACF,CAAA;AACF;AA+DA,SAAS,eAAA,GAGP;AACA,EAAA,IAAI;AAEF,IAAA,MAAM,GAAA,GAAM,UAAQ,cAAc,CAAA;AAClC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,OAAA,EAAS,QAAA;AAAA,MACvC,UAAA,EAAY,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,OAAA,EAAS;AAAA,KAC7C;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;AAeO,SAAS,qBAAA,CACd,KAAA,EACA,MAAA,EACA,OAAA,GAAwC,EAAC,EACzC;AACA,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,YAAA,GACnB,KAAA,CAAM,iBACL,KAAA,CAAM,eAAA;AAEX,EAAA,OAAO,IAAI,WAAA,CAAY,QAAA;AAAA,IACrB;AAAA,MACE,cAAA,EACE,OAAA,CAAQ,cAAA,IAAkB,WAAA,CAAY,WAAW,2BAAA,EAA4B;AAAA,MAC/E,mBAAA,EAAqB,kCAAkC,KAAK,CAAA;AAAA,MAC5D,MAAA;AAAA,MACA,UAAU,KAAA,CAAM,gBAAA;AAAA,MAChB,UAAA,EAAY,OAAA,CAAQ,UAAA,IAAc,CAAC,OAAO,CAAA;AAAA,MAC1C,iBAAA,EAAmB,QAAQ,iBAAA,IAAqB;AAAA,KAClD;AAAA,IACA;AAAA,GACF;AACF","file":"index.js","sourcesContent":["/**\n * `@productcraft/auth-passport` — passport-jwt adapter for Auth.\n *\n * Install alongside `@productcraft/auth` + `passport-jwt`:\n *\n * ```bash\n * npm install @productcraft/auth @productcraft/auth-passport passport-jwt\n * ```\n *\n * Recommended one-call form:\n *\n * ```ts\n * import passportJwt from \"passport-jwt\";\n * import passport from \"passport\";\n * import { Auth } from \"@productcraft/auth\";\n * import { createAuthJwtStrategy } from \"@productcraft/auth-passport\";\n *\n * const auth = new Auth({ auth: { type: \"apiKey\", key: process.env.PCFT_KEY! } });\n * const scope = auth.consumer(\"my-app-slug\");\n *\n * passport.use(createAuthJwtStrategy(scope, (claims, done) => {\n * // claims is the verified Auth claims object (sub, role, permissions, ...)\n * return done(null, claims);\n * }));\n * ```\n *\n * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +\n * `audience` (app slug) + algorithms automatically from the scope.\n *\n * If you need the underlying primitives — to compose with your own\n * options or pass a custom `jwtFromRequest` — use the lower-level\n * `createPassportSecretOrKeyProvider` directly:\n *\n * ```ts\n * new passportJwt.Strategy(\n * {\n * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n * issuer: scope.acceptedIssuers as string[],\n * audience: scope.expectedAudience,\n * algorithms: [\"RS256\", \"ES256\"],\n * },\n * (payload, done) => done(null, payload),\n * );\n * ```\n */\n\nimport { KeyObject } from \"node:crypto\";\nimport { decodeProtectedHeader, type JWTHeaderParameters } from \"jose\";\n\nimport type { ConsumerScope } from \"@productcraft/auth\";\n\n/**\n * passport-jwt's `secretOrKeyProvider` callback signature. We don't\n * depend on passport-jwt's types directly (to keep it a soft dep),\n * so this is the same shape as `SecretOrKeyProvider` in their typings.\n */\ntype PassportSecretOrKeyProvider = (\n request: unknown,\n rawJwtToken: string,\n done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void,\n) => void;\n\n/**\n * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth\n * `ConsumerScope`. Decodes the protected header, looks up the matching\n * key via the scope's JWKS cache, and converts the resulting jose\n * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library\n * passport-jwt delegates to) accepts.\n */\nexport function createPassportSecretOrKeyProvider(\n scope: ConsumerScope,\n): PassportSecretOrKeyProvider {\n return (_request, rawJwt, done) => {\n let header;\n try {\n header = decodeProtectedHeader(rawJwt);\n } catch (err) {\n done(err);\n return;\n }\n\n scope.jwks.getKey(header as JWTHeaderParameters).then(\n (cryptoKey) => {\n try {\n // `jsonwebtoken` (passport-jwt's verifier) doesn't accept\n // Web Crypto `CryptoKey`, but it does accept Node's\n // `KeyObject`. `KeyObject.from(cryptoKey)` was added in\n // Node 16.6 and is the right adapter.\n const keyObject = KeyObject.from(cryptoKey);\n done(null, keyObject);\n } catch (err) {\n done(err);\n }\n },\n (err) => done(err),\n );\n };\n}\n\n/**\n * Shape of the verified-claims callback passport delegates to once a\n * token passes signature + issuer + audience + expiry checks. Mirrors\n * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.\n */\nexport type AuthVerifyCallback = (\n payload: Record<string, unknown>,\n done: (err: unknown, user?: unknown, info?: unknown) => void,\n) => void;\n\n/**\n * Extra options for `createAuthJwtStrategy`. Defaults are the\n * Auth-recommended values; override here if you need a different\n * token source (cookie, custom header, ...), a stricter algorithm\n * allow-list, or want to skip the legacy-issuer acceptance window.\n */\nexport interface CreateAuthJwtStrategyOptions {\n /**\n * Where to read the bearer from. Defaults to\n * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any\n * passport-jwt extractor when you need a different source.\n */\n jwtFromRequest?: (req: unknown) => string | null;\n\n /**\n * JWS algorithms accepted by the underlying verifier. Defaults to\n * the algorithms Auth mints today (`['RS256']`); set explicitly\n * if your app is on a different signing alg or you also accept\n * customer-minted tokens with a different alg.\n */\n algorithms?: string[];\n\n /**\n * Pin only the per-app issuer URL (skip the legacy `'heimdall'`\n * literal). Defaults to `false` — verifying both keeps in-flight\n * tokens minted before the per-app-issuer migration valid. Set to\n * `true` once you're confident all old tokens have expired.\n */\n strictIssuer?: boolean;\n\n /** Whether the request object should be passed to the verify callback. Defaults to `false`. */\n passReqToCallback?: boolean;\n}\n\n/**\n * Constructor signature for `passport-jwt`'s `Strategy`. We don't take\n * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime\n * the caller imports passportJwt and the helper does\n * `new passportJwt.Strategy(...)` via the constructor reference.\n */\nexport interface PassportJwtStrategyCtor {\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;\n}\n\n/**\n * Lazy passport-jwt loader. We try to `require('passport-jwt')` from\n * the caller's dep graph at first use. Throws a clear error if it's\n * missing so the user doesn't see a cryptic `Cannot find module`\n * deep in the strategy constructor.\n */\nfunction loadPassportJwt(): {\n Strategy: PassportJwtStrategyCtor;\n ExtractJwt: { fromAuthHeaderAsBearerToken: () => (req: unknown) => string | null };\n} {\n try {\n // dynamic require so passport-jwt stays a peer dep\n const mod = require(\"passport-jwt\");\n return {\n Strategy: mod.Strategy ?? mod.default?.Strategy,\n ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt,\n };\n } catch {\n throw new Error(\n \"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`.\",\n );\n }\n}\n\n/**\n * Build a fully-configured `passport-jwt` strategy from an Auth\n * `ConsumerScope`. Wires:\n *\n * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)\n * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`\n * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)\n * - `audience` → `scope.expectedAudience` (the app slug)\n * - `algorithms` → `['RS256']` (override via opts)\n *\n * The verify callback you pass receives the parsed claims after\n * passport-jwt has finished its checks.\n */\nexport function createAuthJwtStrategy(\n scope: ConsumerScope,\n verify: AuthVerifyCallback,\n options: CreateAuthJwtStrategyOptions = {},\n) {\n const passportJwt = loadPassportJwt();\n const issuer = options.strictIssuer\n ? scope.expectedIssuer\n : (scope.acceptedIssuers as string[]);\n\n return new passportJwt.Strategy(\n {\n jwtFromRequest:\n options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n issuer,\n audience: scope.expectedAudience,\n algorithms: options.algorithms ?? [\"RS256\"],\n passReqToCallback: options.passReqToCallback ?? false,\n },\n verify,\n );\n}\n"]}
|
package/package.json
ADDED
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@productcraft/auth-passport",
|
|
3
|
+
"version": "0.2.0",
|
|
4
|
+
"description": "Passport-JWT adapter for ProductCraft Auth. Plug an Auth ConsumerScope into a `passport-jwt` Strategy so existing Passport setups can authenticate Auth-issued tokens.",
|
|
5
|
+
"type": "module",
|
|
6
|
+
"main": "./dist/index.cjs",
|
|
7
|
+
"module": "./dist/index.js",
|
|
8
|
+
"types": "./dist/index.d.ts",
|
|
9
|
+
"exports": {
|
|
10
|
+
".": {
|
|
11
|
+
"types": "./dist/index.d.ts",
|
|
12
|
+
"import": "./dist/index.js",
|
|
13
|
+
"require": "./dist/index.cjs"
|
|
14
|
+
}
|
|
15
|
+
},
|
|
16
|
+
"files": [
|
|
17
|
+
"dist/**",
|
|
18
|
+
"README.md",
|
|
19
|
+
"LICENSE"
|
|
20
|
+
],
|
|
21
|
+
"engines": {
|
|
22
|
+
"node": ">=18"
|
|
23
|
+
},
|
|
24
|
+
"keywords": [
|
|
25
|
+
"productcraft",
|
|
26
|
+
"sdk",
|
|
27
|
+
"auth",
|
|
28
|
+
"passport",
|
|
29
|
+
"passport-jwt",
|
|
30
|
+
"jwt"
|
|
31
|
+
],
|
|
32
|
+
"author": "ProductCraft",
|
|
33
|
+
"license": "MIT",
|
|
34
|
+
"repository": {
|
|
35
|
+
"type": "git",
|
|
36
|
+
"url": "git+https://github.com/clauderanelagh/productcraft-node.git",
|
|
37
|
+
"directory": "packages/auth-passport"
|
|
38
|
+
},
|
|
39
|
+
"homepage": "https://github.com/clauderanelagh/productcraft-node/tree/main/packages/auth-passport",
|
|
40
|
+
"publishConfig": {
|
|
41
|
+
"access": "public"
|
|
42
|
+
},
|
|
43
|
+
"dependencies": {
|
|
44
|
+
"jose": "^6.2.3",
|
|
45
|
+
"@productcraft/auth": "^0.5.0"
|
|
46
|
+
},
|
|
47
|
+
"peerDependencies": {
|
|
48
|
+
"passport-jwt": "^4.0.0"
|
|
49
|
+
},
|
|
50
|
+
"scripts": {
|
|
51
|
+
"build": "tsup",
|
|
52
|
+
"test": "vitest run"
|
|
53
|
+
}
|
|
54
|
+
}
|