@productcraft/auth-passport 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 ProductCraft
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,44 @@
1
+ # @productcraft/auth-passport
2
+
3
+ Passport-JWT adapter for [`@productcraft/auth`](../auth). Plug an Auth `ConsumerScope` into a `passport-jwt` Strategy so existing Passport setups can authenticate Auth-issued tokens.
4
+
5
+ ```bash
6
+ npm install @productcraft/auth @productcraft/auth-passport passport-jwt
7
+ ```
8
+
9
+ ## Usage
10
+
11
+ ```ts
12
+ import passportJwt from "passport-jwt";
13
+ import { Auth } from "@productcraft/auth";
14
+ import { createPassportSecretOrKeyProvider } from "@productcraft/auth-passport";
15
+
16
+ const auth = new Auth({
17
+ auth: { type: "apiKey", key: process.env.PCFT_KEY! },
18
+ });
19
+ const scope = auth.consumer("my-app-slug");
20
+
21
+ new passportJwt.Strategy(
22
+ {
23
+ jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
24
+ secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
25
+ issuer: scope.expectedIssuer,
26
+ audience: "my-app", // optional
27
+ algorithms: ["ES256"],
28
+ },
29
+ (payload, done) => {
30
+ // payload is the verified Auth claims object (sub, role, permissions, ...)
31
+ return done(null, payload);
32
+ },
33
+ );
34
+ ```
35
+
36
+ The helper decodes the JWT header, asks the Auth `ConsumerScope` for the matching signing key via its cached JWKS, converts the resulting `CryptoKey` into a Node `KeyObject`, and hands it to passport-jwt.
37
+
38
+ ## How it relates to the main package
39
+
40
+ `@productcraft/auth` already ships a `scope.verifyToken(token)` one-liner. Use **this** package only when you have an existing Passport setup you'd rather keep. For Express middleware without Passport, the direct verify is simpler.
41
+
42
+ ## License
43
+
44
+ [MIT](../../LICENSE).
package/dist/index.cjs ADDED
@@ -0,0 +1,66 @@
1
+ 'use strict';
2
+
3
+ var crypto = require('crypto');
4
+ var jose = require('jose');
5
+
6
+ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
7
+ get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
8
+ }) : x)(function(x) {
9
+ if (typeof require !== "undefined") return require.apply(this, arguments);
10
+ throw Error('Dynamic require of "' + x + '" is not supported');
11
+ });
12
+ function createPassportSecretOrKeyProvider(scope) {
13
+ return (_request, rawJwt, done) => {
14
+ let header;
15
+ try {
16
+ header = jose.decodeProtectedHeader(rawJwt);
17
+ } catch (err) {
18
+ done(err);
19
+ return;
20
+ }
21
+ scope.jwks.getKey(header).then(
22
+ (cryptoKey) => {
23
+ try {
24
+ const keyObject = crypto.KeyObject.from(cryptoKey);
25
+ done(null, keyObject);
26
+ } catch (err) {
27
+ done(err);
28
+ }
29
+ },
30
+ (err) => done(err)
31
+ );
32
+ };
33
+ }
34
+ function loadPassportJwt() {
35
+ try {
36
+ const mod = __require("passport-jwt");
37
+ return {
38
+ Strategy: mod.Strategy ?? mod.default?.Strategy,
39
+ ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt
40
+ };
41
+ } catch {
42
+ throw new Error(
43
+ "@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`."
44
+ );
45
+ }
46
+ }
47
+ function createAuthJwtStrategy(scope, verify, options = {}) {
48
+ const passportJwt = loadPassportJwt();
49
+ const issuer = options.strictIssuer ? scope.expectedIssuer : scope.acceptedIssuers;
50
+ return new passportJwt.Strategy(
51
+ {
52
+ jwtFromRequest: options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
53
+ secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
54
+ issuer,
55
+ audience: scope.expectedAudience,
56
+ algorithms: options.algorithms ?? ["RS256"],
57
+ passReqToCallback: options.passReqToCallback ?? false
58
+ },
59
+ verify
60
+ );
61
+ }
62
+
63
+ exports.createAuthJwtStrategy = createAuthJwtStrategy;
64
+ exports.createPassportSecretOrKeyProvider = createPassportSecretOrKeyProvider;
65
+ //# sourceMappingURL=index.cjs.map
66
+ //# sourceMappingURL=index.cjs.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/index.ts"],"names":["decodeProtectedHeader","KeyObject"],"mappings":";;;;;;;;;;;AAsEO,SAAS,kCACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,CAAC,QAAA,EAAU,MAAA,EAAQ,IAAA,KAAS;AACjC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAA,GAASA,2BAAsB,MAAM,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AACR,MAAA;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAA6B,CAAA,CAAE,IAAA;AAAA,MAC/C,CAAC,SAAA,KAAc;AACb,QAAA,IAAI;AAKF,UAAA,MAAM,SAAA,GAAYC,gBAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAC1C,UAAA,IAAA,CAAK,MAAM,SAAS,CAAA;AAAA,QACtB,SAAS,GAAA,EAAK;AACZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,MACA,CAAC,GAAA,KAAQ,IAAA,CAAK,GAAG;AAAA,KACnB;AAAA,EACF,CAAA;AACF;AA+DA,SAAS,eAAA,GAGP;AACA,EAAA,IAAI;AAEF,IAAA,MAAM,GAAA,GAAM,UAAQ,cAAc,CAAA;AAClC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,OAAA,EAAS,QAAA;AAAA,MACvC,UAAA,EAAY,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,OAAA,EAAS;AAAA,KAC7C;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;AAeO,SAAS,qBAAA,CACd,KAAA,EACA,MAAA,EACA,OAAA,GAAwC,EAAC,EACzC;AACA,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,YAAA,GACnB,KAAA,CAAM,iBACL,KAAA,CAAM,eAAA;AAEX,EAAA,OAAO,IAAI,WAAA,CAAY,QAAA;AAAA,IACrB;AAAA,MACE,cAAA,EACE,OAAA,CAAQ,cAAA,IAAkB,WAAA,CAAY,WAAW,2BAAA,EAA4B;AAAA,MAC/E,mBAAA,EAAqB,kCAAkC,KAAK,CAAA;AAAA,MAC5D,MAAA;AAAA,MACA,UAAU,KAAA,CAAM,gBAAA;AAAA,MAChB,UAAA,EAAY,OAAA,CAAQ,UAAA,IAAc,CAAC,OAAO,CAAA;AAAA,MAC1C,iBAAA,EAAmB,QAAQ,iBAAA,IAAqB;AAAA,KAClD;AAAA,IACA;AAAA,GACF;AACF","file":"index.cjs","sourcesContent":["/**\n * `@productcraft/auth-passport` — passport-jwt adapter for Auth.\n *\n * Install alongside `@productcraft/auth` + `passport-jwt`:\n *\n * ```bash\n * npm install @productcraft/auth @productcraft/auth-passport passport-jwt\n * ```\n *\n * Recommended one-call form:\n *\n * ```ts\n * import passportJwt from \"passport-jwt\";\n * import passport from \"passport\";\n * import { Auth } from \"@productcraft/auth\";\n * import { createAuthJwtStrategy } from \"@productcraft/auth-passport\";\n *\n * const auth = new Auth({ auth: { type: \"apiKey\", key: process.env.PCFT_KEY! } });\n * const scope = auth.consumer(\"my-app-slug\");\n *\n * passport.use(createAuthJwtStrategy(scope, (claims, done) => {\n * // claims is the verified Auth claims object (sub, role, permissions, ...)\n * return done(null, claims);\n * }));\n * ```\n *\n * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +\n * `audience` (app slug) + algorithms automatically from the scope.\n *\n * If you need the underlying primitives — to compose with your own\n * options or pass a custom `jwtFromRequest` — use the lower-level\n * `createPassportSecretOrKeyProvider` directly:\n *\n * ```ts\n * new passportJwt.Strategy(\n * {\n * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n * issuer: scope.acceptedIssuers as string[],\n * audience: scope.expectedAudience,\n * algorithms: [\"RS256\", \"ES256\"],\n * },\n * (payload, done) => done(null, payload),\n * );\n * ```\n */\n\nimport { KeyObject } from \"node:crypto\";\nimport { decodeProtectedHeader, type JWTHeaderParameters } from \"jose\";\n\nimport type { ConsumerScope } from \"@productcraft/auth\";\n\n/**\n * passport-jwt's `secretOrKeyProvider` callback signature. We don't\n * depend on passport-jwt's types directly (to keep it a soft dep),\n * so this is the same shape as `SecretOrKeyProvider` in their typings.\n */\ntype PassportSecretOrKeyProvider = (\n request: unknown,\n rawJwtToken: string,\n done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void,\n) => void;\n\n/**\n * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth\n * `ConsumerScope`. Decodes the protected header, looks up the matching\n * key via the scope's JWKS cache, and converts the resulting jose\n * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library\n * passport-jwt delegates to) accepts.\n */\nexport function createPassportSecretOrKeyProvider(\n scope: ConsumerScope,\n): PassportSecretOrKeyProvider {\n return (_request, rawJwt, done) => {\n let header;\n try {\n header = decodeProtectedHeader(rawJwt);\n } catch (err) {\n done(err);\n return;\n }\n\n scope.jwks.getKey(header as JWTHeaderParameters).then(\n (cryptoKey) => {\n try {\n // `jsonwebtoken` (passport-jwt's verifier) doesn't accept\n // Web Crypto `CryptoKey`, but it does accept Node's\n // `KeyObject`. `KeyObject.from(cryptoKey)` was added in\n // Node 16.6 and is the right adapter.\n const keyObject = KeyObject.from(cryptoKey);\n done(null, keyObject);\n } catch (err) {\n done(err);\n }\n },\n (err) => done(err),\n );\n };\n}\n\n/**\n * Shape of the verified-claims callback passport delegates to once a\n * token passes signature + issuer + audience + expiry checks. Mirrors\n * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.\n */\nexport type AuthVerifyCallback = (\n payload: Record<string, unknown>,\n done: (err: unknown, user?: unknown, info?: unknown) => void,\n) => void;\n\n/**\n * Extra options for `createAuthJwtStrategy`. Defaults are the\n * Auth-recommended values; override here if you need a different\n * token source (cookie, custom header, ...), a stricter algorithm\n * allow-list, or want to skip the legacy-issuer acceptance window.\n */\nexport interface CreateAuthJwtStrategyOptions {\n /**\n * Where to read the bearer from. Defaults to\n * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any\n * passport-jwt extractor when you need a different source.\n */\n jwtFromRequest?: (req: unknown) => string | null;\n\n /**\n * JWS algorithms accepted by the underlying verifier. Defaults to\n * the algorithms Auth mints today (`['RS256']`); set explicitly\n * if your app is on a different signing alg or you also accept\n * customer-minted tokens with a different alg.\n */\n algorithms?: string[];\n\n /**\n * Pin only the per-app issuer URL (skip the legacy `'heimdall'`\n * literal). Defaults to `false` — verifying both keeps in-flight\n * tokens minted before the per-app-issuer migration valid. Set to\n * `true` once you're confident all old tokens have expired.\n */\n strictIssuer?: boolean;\n\n /** Whether the request object should be passed to the verify callback. Defaults to `false`. */\n passReqToCallback?: boolean;\n}\n\n/**\n * Constructor signature for `passport-jwt`'s `Strategy`. We don't take\n * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime\n * the caller imports passportJwt and the helper does\n * `new passportJwt.Strategy(...)` via the constructor reference.\n */\nexport interface PassportJwtStrategyCtor {\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;\n}\n\n/**\n * Lazy passport-jwt loader. We try to `require('passport-jwt')` from\n * the caller's dep graph at first use. Throws a clear error if it's\n * missing so the user doesn't see a cryptic `Cannot find module`\n * deep in the strategy constructor.\n */\nfunction loadPassportJwt(): {\n Strategy: PassportJwtStrategyCtor;\n ExtractJwt: { fromAuthHeaderAsBearerToken: () => (req: unknown) => string | null };\n} {\n try {\n // dynamic require so passport-jwt stays a peer dep\n const mod = require(\"passport-jwt\");\n return {\n Strategy: mod.Strategy ?? mod.default?.Strategy,\n ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt,\n };\n } catch {\n throw new Error(\n \"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`.\",\n );\n }\n}\n\n/**\n * Build a fully-configured `passport-jwt` strategy from an Auth\n * `ConsumerScope`. Wires:\n *\n * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)\n * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`\n * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)\n * - `audience` → `scope.expectedAudience` (the app slug)\n * - `algorithms` → `['RS256']` (override via opts)\n *\n * The verify callback you pass receives the parsed claims after\n * passport-jwt has finished its checks.\n */\nexport function createAuthJwtStrategy(\n scope: ConsumerScope,\n verify: AuthVerifyCallback,\n options: CreateAuthJwtStrategyOptions = {},\n) {\n const passportJwt = loadPassportJwt();\n const issuer = options.strictIssuer\n ? scope.expectedIssuer\n : (scope.acceptedIssuers as string[]);\n\n return new passportJwt.Strategy(\n {\n jwtFromRequest:\n options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n issuer,\n audience: scope.expectedAudience,\n algorithms: options.algorithms ?? [\"RS256\"],\n passReqToCallback: options.passReqToCallback ?? false,\n },\n verify,\n );\n}\n"]}
@@ -0,0 +1,125 @@
1
+ import { KeyObject } from 'node:crypto';
2
+ import { ConsumerScope } from '@productcraft/auth';
3
+
4
+ /**
5
+ * `@productcraft/auth-passport` — passport-jwt adapter for Auth.
6
+ *
7
+ * Install alongside `@productcraft/auth` + `passport-jwt`:
8
+ *
9
+ * ```bash
10
+ * npm install @productcraft/auth @productcraft/auth-passport passport-jwt
11
+ * ```
12
+ *
13
+ * Recommended one-call form:
14
+ *
15
+ * ```ts
16
+ * import passportJwt from "passport-jwt";
17
+ * import passport from "passport";
18
+ * import { Auth } from "@productcraft/auth";
19
+ * import { createAuthJwtStrategy } from "@productcraft/auth-passport";
20
+ *
21
+ * const auth = new Auth({ auth: { type: "apiKey", key: process.env.PCFT_KEY! } });
22
+ * const scope = auth.consumer("my-app-slug");
23
+ *
24
+ * passport.use(createAuthJwtStrategy(scope, (claims, done) => {
25
+ * // claims is the verified Auth claims object (sub, role, permissions, ...)
26
+ * return done(null, claims);
27
+ * }));
28
+ * ```
29
+ *
30
+ * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +
31
+ * `audience` (app slug) + algorithms automatically from the scope.
32
+ *
33
+ * If you need the underlying primitives — to compose with your own
34
+ * options or pass a custom `jwtFromRequest` — use the lower-level
35
+ * `createPassportSecretOrKeyProvider` directly:
36
+ *
37
+ * ```ts
38
+ * new passportJwt.Strategy(
39
+ * {
40
+ * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
41
+ * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
42
+ * issuer: scope.acceptedIssuers as string[],
43
+ * audience: scope.expectedAudience,
44
+ * algorithms: ["RS256", "ES256"],
45
+ * },
46
+ * (payload, done) => done(null, payload),
47
+ * );
48
+ * ```
49
+ */
50
+
51
+ /**
52
+ * passport-jwt's `secretOrKeyProvider` callback signature. We don't
53
+ * depend on passport-jwt's types directly (to keep it a soft dep),
54
+ * so this is the same shape as `SecretOrKeyProvider` in their typings.
55
+ */
56
+ type PassportSecretOrKeyProvider = (request: unknown, rawJwtToken: string, done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void) => void;
57
+ /**
58
+ * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth
59
+ * `ConsumerScope`. Decodes the protected header, looks up the matching
60
+ * key via the scope's JWKS cache, and converts the resulting jose
61
+ * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library
62
+ * passport-jwt delegates to) accepts.
63
+ */
64
+ declare function createPassportSecretOrKeyProvider(scope: ConsumerScope): PassportSecretOrKeyProvider;
65
+ /**
66
+ * Shape of the verified-claims callback passport delegates to once a
67
+ * token passes signature + issuer + audience + expiry checks. Mirrors
68
+ * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.
69
+ */
70
+ type AuthVerifyCallback = (payload: Record<string, unknown>, done: (err: unknown, user?: unknown, info?: unknown) => void) => void;
71
+ /**
72
+ * Extra options for `createAuthJwtStrategy`. Defaults are the
73
+ * Auth-recommended values; override here if you need a different
74
+ * token source (cookie, custom header, ...), a stricter algorithm
75
+ * allow-list, or want to skip the legacy-issuer acceptance window.
76
+ */
77
+ interface CreateAuthJwtStrategyOptions {
78
+ /**
79
+ * Where to read the bearer from. Defaults to
80
+ * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any
81
+ * passport-jwt extractor when you need a different source.
82
+ */
83
+ jwtFromRequest?: (req: unknown) => string | null;
84
+ /**
85
+ * JWS algorithms accepted by the underlying verifier. Defaults to
86
+ * the algorithms Auth mints today (`['RS256']`); set explicitly
87
+ * if your app is on a different signing alg or you also accept
88
+ * customer-minted tokens with a different alg.
89
+ */
90
+ algorithms?: string[];
91
+ /**
92
+ * Pin only the per-app issuer URL (skip the legacy `'heimdall'`
93
+ * literal). Defaults to `false` — verifying both keeps in-flight
94
+ * tokens minted before the per-app-issuer migration valid. Set to
95
+ * `true` once you're confident all old tokens have expired.
96
+ */
97
+ strictIssuer?: boolean;
98
+ /** Whether the request object should be passed to the verify callback. Defaults to `false`. */
99
+ passReqToCallback?: boolean;
100
+ }
101
+ /**
102
+ * Constructor signature for `passport-jwt`'s `Strategy`. We don't take
103
+ * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime
104
+ * the caller imports passportJwt and the helper does
105
+ * `new passportJwt.Strategy(...)` via the constructor reference.
106
+ */
107
+ interface PassportJwtStrategyCtor {
108
+ new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;
109
+ }
110
+ /**
111
+ * Build a fully-configured `passport-jwt` strategy from an Auth
112
+ * `ConsumerScope`. Wires:
113
+ *
114
+ * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)
115
+ * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`
116
+ * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)
117
+ * - `audience` → `scope.expectedAudience` (the app slug)
118
+ * - `algorithms` → `['RS256']` (override via opts)
119
+ *
120
+ * The verify callback you pass receives the parsed claims after
121
+ * passport-jwt has finished its checks.
122
+ */
123
+ declare function createAuthJwtStrategy(scope: ConsumerScope, verify: AuthVerifyCallback, options?: CreateAuthJwtStrategyOptions): any;
124
+
125
+ export { type AuthVerifyCallback, type CreateAuthJwtStrategyOptions, type PassportJwtStrategyCtor, createAuthJwtStrategy, createPassportSecretOrKeyProvider };
@@ -0,0 +1,125 @@
1
+ import { KeyObject } from 'node:crypto';
2
+ import { ConsumerScope } from '@productcraft/auth';
3
+
4
+ /**
5
+ * `@productcraft/auth-passport` — passport-jwt adapter for Auth.
6
+ *
7
+ * Install alongside `@productcraft/auth` + `passport-jwt`:
8
+ *
9
+ * ```bash
10
+ * npm install @productcraft/auth @productcraft/auth-passport passport-jwt
11
+ * ```
12
+ *
13
+ * Recommended one-call form:
14
+ *
15
+ * ```ts
16
+ * import passportJwt from "passport-jwt";
17
+ * import passport from "passport";
18
+ * import { Auth } from "@productcraft/auth";
19
+ * import { createAuthJwtStrategy } from "@productcraft/auth-passport";
20
+ *
21
+ * const auth = new Auth({ auth: { type: "apiKey", key: process.env.PCFT_KEY! } });
22
+ * const scope = auth.consumer("my-app-slug");
23
+ *
24
+ * passport.use(createAuthJwtStrategy(scope, (claims, done) => {
25
+ * // claims is the verified Auth claims object (sub, role, permissions, ...)
26
+ * return done(null, claims);
27
+ * }));
28
+ * ```
29
+ *
30
+ * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +
31
+ * `audience` (app slug) + algorithms automatically from the scope.
32
+ *
33
+ * If you need the underlying primitives — to compose with your own
34
+ * options or pass a custom `jwtFromRequest` — use the lower-level
35
+ * `createPassportSecretOrKeyProvider` directly:
36
+ *
37
+ * ```ts
38
+ * new passportJwt.Strategy(
39
+ * {
40
+ * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
41
+ * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
42
+ * issuer: scope.acceptedIssuers as string[],
43
+ * audience: scope.expectedAudience,
44
+ * algorithms: ["RS256", "ES256"],
45
+ * },
46
+ * (payload, done) => done(null, payload),
47
+ * );
48
+ * ```
49
+ */
50
+
51
+ /**
52
+ * passport-jwt's `secretOrKeyProvider` callback signature. We don't
53
+ * depend on passport-jwt's types directly (to keep it a soft dep),
54
+ * so this is the same shape as `SecretOrKeyProvider` in their typings.
55
+ */
56
+ type PassportSecretOrKeyProvider = (request: unknown, rawJwtToken: string, done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void) => void;
57
+ /**
58
+ * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth
59
+ * `ConsumerScope`. Decodes the protected header, looks up the matching
60
+ * key via the scope's JWKS cache, and converts the resulting jose
61
+ * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library
62
+ * passport-jwt delegates to) accepts.
63
+ */
64
+ declare function createPassportSecretOrKeyProvider(scope: ConsumerScope): PassportSecretOrKeyProvider;
65
+ /**
66
+ * Shape of the verified-claims callback passport delegates to once a
67
+ * token passes signature + issuer + audience + expiry checks. Mirrors
68
+ * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.
69
+ */
70
+ type AuthVerifyCallback = (payload: Record<string, unknown>, done: (err: unknown, user?: unknown, info?: unknown) => void) => void;
71
+ /**
72
+ * Extra options for `createAuthJwtStrategy`. Defaults are the
73
+ * Auth-recommended values; override here if you need a different
74
+ * token source (cookie, custom header, ...), a stricter algorithm
75
+ * allow-list, or want to skip the legacy-issuer acceptance window.
76
+ */
77
+ interface CreateAuthJwtStrategyOptions {
78
+ /**
79
+ * Where to read the bearer from. Defaults to
80
+ * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any
81
+ * passport-jwt extractor when you need a different source.
82
+ */
83
+ jwtFromRequest?: (req: unknown) => string | null;
84
+ /**
85
+ * JWS algorithms accepted by the underlying verifier. Defaults to
86
+ * the algorithms Auth mints today (`['RS256']`); set explicitly
87
+ * if your app is on a different signing alg or you also accept
88
+ * customer-minted tokens with a different alg.
89
+ */
90
+ algorithms?: string[];
91
+ /**
92
+ * Pin only the per-app issuer URL (skip the legacy `'heimdall'`
93
+ * literal). Defaults to `false` — verifying both keeps in-flight
94
+ * tokens minted before the per-app-issuer migration valid. Set to
95
+ * `true` once you're confident all old tokens have expired.
96
+ */
97
+ strictIssuer?: boolean;
98
+ /** Whether the request object should be passed to the verify callback. Defaults to `false`. */
99
+ passReqToCallback?: boolean;
100
+ }
101
+ /**
102
+ * Constructor signature for `passport-jwt`'s `Strategy`. We don't take
103
+ * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime
104
+ * the caller imports passportJwt and the helper does
105
+ * `new passportJwt.Strategy(...)` via the constructor reference.
106
+ */
107
+ interface PassportJwtStrategyCtor {
108
+ new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;
109
+ }
110
+ /**
111
+ * Build a fully-configured `passport-jwt` strategy from an Auth
112
+ * `ConsumerScope`. Wires:
113
+ *
114
+ * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)
115
+ * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`
116
+ * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)
117
+ * - `audience` → `scope.expectedAudience` (the app slug)
118
+ * - `algorithms` → `['RS256']` (override via opts)
119
+ *
120
+ * The verify callback you pass receives the parsed claims after
121
+ * passport-jwt has finished its checks.
122
+ */
123
+ declare function createAuthJwtStrategy(scope: ConsumerScope, verify: AuthVerifyCallback, options?: CreateAuthJwtStrategyOptions): any;
124
+
125
+ export { type AuthVerifyCallback, type CreateAuthJwtStrategyOptions, type PassportJwtStrategyCtor, createAuthJwtStrategy, createPassportSecretOrKeyProvider };
package/dist/index.js ADDED
@@ -0,0 +1,63 @@
1
+ import { KeyObject } from 'crypto';
2
+ import { decodeProtectedHeader } from 'jose';
3
+
4
+ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
5
+ get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
6
+ }) : x)(function(x) {
7
+ if (typeof require !== "undefined") return require.apply(this, arguments);
8
+ throw Error('Dynamic require of "' + x + '" is not supported');
9
+ });
10
+ function createPassportSecretOrKeyProvider(scope) {
11
+ return (_request, rawJwt, done) => {
12
+ let header;
13
+ try {
14
+ header = decodeProtectedHeader(rawJwt);
15
+ } catch (err) {
16
+ done(err);
17
+ return;
18
+ }
19
+ scope.jwks.getKey(header).then(
20
+ (cryptoKey) => {
21
+ try {
22
+ const keyObject = KeyObject.from(cryptoKey);
23
+ done(null, keyObject);
24
+ } catch (err) {
25
+ done(err);
26
+ }
27
+ },
28
+ (err) => done(err)
29
+ );
30
+ };
31
+ }
32
+ function loadPassportJwt() {
33
+ try {
34
+ const mod = __require("passport-jwt");
35
+ return {
36
+ Strategy: mod.Strategy ?? mod.default?.Strategy,
37
+ ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt
38
+ };
39
+ } catch {
40
+ throw new Error(
41
+ "@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`."
42
+ );
43
+ }
44
+ }
45
+ function createAuthJwtStrategy(scope, verify, options = {}) {
46
+ const passportJwt = loadPassportJwt();
47
+ const issuer = options.strictIssuer ? scope.expectedIssuer : scope.acceptedIssuers;
48
+ return new passportJwt.Strategy(
49
+ {
50
+ jwtFromRequest: options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
51
+ secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),
52
+ issuer,
53
+ audience: scope.expectedAudience,
54
+ algorithms: options.algorithms ?? ["RS256"],
55
+ passReqToCallback: options.passReqToCallback ?? false
56
+ },
57
+ verify
58
+ );
59
+ }
60
+
61
+ export { createAuthJwtStrategy, createPassportSecretOrKeyProvider };
62
+ //# sourceMappingURL=index.js.map
63
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;AAsEO,SAAS,kCACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,CAAC,QAAA,EAAU,MAAA,EAAQ,IAAA,KAAS;AACjC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAA,GAAS,sBAAsB,MAAM,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AACR,MAAA;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAA6B,CAAA,CAAE,IAAA;AAAA,MAC/C,CAAC,SAAA,KAAc;AACb,QAAA,IAAI;AAKF,UAAA,MAAM,SAAA,GAAY,SAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAC1C,UAAA,IAAA,CAAK,MAAM,SAAS,CAAA;AAAA,QACtB,SAAS,GAAA,EAAK;AACZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,MACA,CAAC,GAAA,KAAQ,IAAA,CAAK,GAAG;AAAA,KACnB;AAAA,EACF,CAAA;AACF;AA+DA,SAAS,eAAA,GAGP;AACA,EAAA,IAAI;AAEF,IAAA,MAAM,GAAA,GAAM,UAAQ,cAAc,CAAA;AAClC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,OAAA,EAAS,QAAA;AAAA,MACvC,UAAA,EAAY,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,OAAA,EAAS;AAAA,KAC7C;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;AAeO,SAAS,qBAAA,CACd,KAAA,EACA,MAAA,EACA,OAAA,GAAwC,EAAC,EACzC;AACA,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,YAAA,GACnB,KAAA,CAAM,iBACL,KAAA,CAAM,eAAA;AAEX,EAAA,OAAO,IAAI,WAAA,CAAY,QAAA;AAAA,IACrB;AAAA,MACE,cAAA,EACE,OAAA,CAAQ,cAAA,IAAkB,WAAA,CAAY,WAAW,2BAAA,EAA4B;AAAA,MAC/E,mBAAA,EAAqB,kCAAkC,KAAK,CAAA;AAAA,MAC5D,MAAA;AAAA,MACA,UAAU,KAAA,CAAM,gBAAA;AAAA,MAChB,UAAA,EAAY,OAAA,CAAQ,UAAA,IAAc,CAAC,OAAO,CAAA;AAAA,MAC1C,iBAAA,EAAmB,QAAQ,iBAAA,IAAqB;AAAA,KAClD;AAAA,IACA;AAAA,GACF;AACF","file":"index.js","sourcesContent":["/**\n * `@productcraft/auth-passport` — passport-jwt adapter for Auth.\n *\n * Install alongside `@productcraft/auth` + `passport-jwt`:\n *\n * ```bash\n * npm install @productcraft/auth @productcraft/auth-passport passport-jwt\n * ```\n *\n * Recommended one-call form:\n *\n * ```ts\n * import passportJwt from \"passport-jwt\";\n * import passport from \"passport\";\n * import { Auth } from \"@productcraft/auth\";\n * import { createAuthJwtStrategy } from \"@productcraft/auth-passport\";\n *\n * const auth = new Auth({ auth: { type: \"apiKey\", key: process.env.PCFT_KEY! } });\n * const scope = auth.consumer(\"my-app-slug\");\n *\n * passport.use(createAuthJwtStrategy(scope, (claims, done) => {\n * // claims is the verified Auth claims object (sub, role, permissions, ...)\n * return done(null, claims);\n * }));\n * ```\n *\n * The helper wires `secretOrKeyProvider` + `issuer` (per-app URL) +\n * `audience` (app slug) + algorithms automatically from the scope.\n *\n * If you need the underlying primitives — to compose with your own\n * options or pass a custom `jwtFromRequest` — use the lower-level\n * `createPassportSecretOrKeyProvider` directly:\n *\n * ```ts\n * new passportJwt.Strategy(\n * {\n * jwtFromRequest: passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n * secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n * issuer: scope.acceptedIssuers as string[],\n * audience: scope.expectedAudience,\n * algorithms: [\"RS256\", \"ES256\"],\n * },\n * (payload, done) => done(null, payload),\n * );\n * ```\n */\n\nimport { KeyObject } from \"node:crypto\";\nimport { decodeProtectedHeader, type JWTHeaderParameters } from \"jose\";\n\nimport type { ConsumerScope } from \"@productcraft/auth\";\n\n/**\n * passport-jwt's `secretOrKeyProvider` callback signature. We don't\n * depend on passport-jwt's types directly (to keep it a soft dep),\n * so this is the same shape as `SecretOrKeyProvider` in their typings.\n */\ntype PassportSecretOrKeyProvider = (\n request: unknown,\n rawJwtToken: string,\n done: (err: unknown, secretOrKey?: string | Buffer | KeyObject) => void,\n) => void;\n\n/**\n * Returns a passport-jwt `secretOrKeyProvider` bound to an Auth\n * `ConsumerScope`. Decodes the protected header, looks up the matching\n * key via the scope's JWKS cache, and converts the resulting jose\n * `CryptoKey` into a Node `KeyObject` that `jsonwebtoken` (the library\n * passport-jwt delegates to) accepts.\n */\nexport function createPassportSecretOrKeyProvider(\n scope: ConsumerScope,\n): PassportSecretOrKeyProvider {\n return (_request, rawJwt, done) => {\n let header;\n try {\n header = decodeProtectedHeader(rawJwt);\n } catch (err) {\n done(err);\n return;\n }\n\n scope.jwks.getKey(header as JWTHeaderParameters).then(\n (cryptoKey) => {\n try {\n // `jsonwebtoken` (passport-jwt's verifier) doesn't accept\n // Web Crypto `CryptoKey`, but it does accept Node's\n // `KeyObject`. `KeyObject.from(cryptoKey)` was added in\n // Node 16.6 and is the right adapter.\n const keyObject = KeyObject.from(cryptoKey);\n done(null, keyObject);\n } catch (err) {\n done(err);\n }\n },\n (err) => done(err),\n );\n };\n}\n\n/**\n * Shape of the verified-claims callback passport delegates to once a\n * token passes signature + issuer + audience + expiry checks. Mirrors\n * `passport-jwt`'s own `VerifyCallback` / `VerifyCallbackWithRequest`.\n */\nexport type AuthVerifyCallback = (\n payload: Record<string, unknown>,\n done: (err: unknown, user?: unknown, info?: unknown) => void,\n) => void;\n\n/**\n * Extra options for `createAuthJwtStrategy`. Defaults are the\n * Auth-recommended values; override here if you need a different\n * token source (cookie, custom header, ...), a stricter algorithm\n * allow-list, or want to skip the legacy-issuer acceptance window.\n */\nexport interface CreateAuthJwtStrategyOptions {\n /**\n * Where to read the bearer from. Defaults to\n * `ExtractJwt.fromAuthHeaderAsBearerToken()`. Pass any\n * passport-jwt extractor when you need a different source.\n */\n jwtFromRequest?: (req: unknown) => string | null;\n\n /**\n * JWS algorithms accepted by the underlying verifier. Defaults to\n * the algorithms Auth mints today (`['RS256']`); set explicitly\n * if your app is on a different signing alg or you also accept\n * customer-minted tokens with a different alg.\n */\n algorithms?: string[];\n\n /**\n * Pin only the per-app issuer URL (skip the legacy `'heimdall'`\n * literal). Defaults to `false` — verifying both keeps in-flight\n * tokens minted before the per-app-issuer migration valid. Set to\n * `true` once you're confident all old tokens have expired.\n */\n strictIssuer?: boolean;\n\n /** Whether the request object should be passed to the verify callback. Defaults to `false`. */\n passReqToCallback?: boolean;\n}\n\n/**\n * Constructor signature for `passport-jwt`'s `Strategy`. We don't take\n * a direct dep on passport-jwt to keep it a peer/soft dep — at runtime\n * the caller imports passportJwt and the helper does\n * `new passportJwt.Strategy(...)` via the constructor reference.\n */\nexport interface PassportJwtStrategyCtor {\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n new (options: Record<string, unknown>, verify: AuthVerifyCallback): any;\n}\n\n/**\n * Lazy passport-jwt loader. We try to `require('passport-jwt')` from\n * the caller's dep graph at first use. Throws a clear error if it's\n * missing so the user doesn't see a cryptic `Cannot find module`\n * deep in the strategy constructor.\n */\nfunction loadPassportJwt(): {\n Strategy: PassportJwtStrategyCtor;\n ExtractJwt: { fromAuthHeaderAsBearerToken: () => (req: unknown) => string | null };\n} {\n try {\n // dynamic require so passport-jwt stays a peer dep\n const mod = require(\"passport-jwt\");\n return {\n Strategy: mod.Strategy ?? mod.default?.Strategy,\n ExtractJwt: mod.ExtractJwt ?? mod.default?.ExtractJwt,\n };\n } catch {\n throw new Error(\n \"@productcraft/auth-passport: `passport-jwt` is not installed. Run `npm install passport-jwt @types/passport-jwt`.\",\n );\n }\n}\n\n/**\n * Build a fully-configured `passport-jwt` strategy from an Auth\n * `ConsumerScope`. Wires:\n *\n * - `jwtFromRequest` → `ExtractJwt.fromAuthHeaderAsBearerToken()` (override via opts)\n * - `secretOrKeyProvider` → JWKS-backed key resolution via `scope.jwks`\n * - `issuer` → both `scope.expectedIssuer` AND the legacy `'heimdall'` literal (or only the per-app URL if `strictIssuer: true`)\n * - `audience` → `scope.expectedAudience` (the app slug)\n * - `algorithms` → `['RS256']` (override via opts)\n *\n * The verify callback you pass receives the parsed claims after\n * passport-jwt has finished its checks.\n */\nexport function createAuthJwtStrategy(\n scope: ConsumerScope,\n verify: AuthVerifyCallback,\n options: CreateAuthJwtStrategyOptions = {},\n) {\n const passportJwt = loadPassportJwt();\n const issuer = options.strictIssuer\n ? scope.expectedIssuer\n : (scope.acceptedIssuers as string[]);\n\n return new passportJwt.Strategy(\n {\n jwtFromRequest:\n options.jwtFromRequest ?? passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: createPassportSecretOrKeyProvider(scope),\n issuer,\n audience: scope.expectedAudience,\n algorithms: options.algorithms ?? [\"RS256\"],\n passReqToCallback: options.passReqToCallback ?? false,\n },\n verify,\n );\n}\n"]}
package/package.json ADDED
@@ -0,0 +1,54 @@
1
+ {
2
+ "name": "@productcraft/auth-passport",
3
+ "version": "0.2.0",
4
+ "description": "Passport-JWT adapter for ProductCraft Auth. Plug an Auth ConsumerScope into a `passport-jwt` Strategy so existing Passport setups can authenticate Auth-issued tokens.",
5
+ "type": "module",
6
+ "main": "./dist/index.cjs",
7
+ "module": "./dist/index.js",
8
+ "types": "./dist/index.d.ts",
9
+ "exports": {
10
+ ".": {
11
+ "types": "./dist/index.d.ts",
12
+ "import": "./dist/index.js",
13
+ "require": "./dist/index.cjs"
14
+ }
15
+ },
16
+ "files": [
17
+ "dist/**",
18
+ "README.md",
19
+ "LICENSE"
20
+ ],
21
+ "engines": {
22
+ "node": ">=18"
23
+ },
24
+ "keywords": [
25
+ "productcraft",
26
+ "sdk",
27
+ "auth",
28
+ "passport",
29
+ "passport-jwt",
30
+ "jwt"
31
+ ],
32
+ "author": "ProductCraft",
33
+ "license": "MIT",
34
+ "repository": {
35
+ "type": "git",
36
+ "url": "git+https://github.com/clauderanelagh/productcraft-node.git",
37
+ "directory": "packages/auth-passport"
38
+ },
39
+ "homepage": "https://github.com/clauderanelagh/productcraft-node/tree/main/packages/auth-passport",
40
+ "publishConfig": {
41
+ "access": "public"
42
+ },
43
+ "dependencies": {
44
+ "jose": "^6.2.3",
45
+ "@productcraft/auth": "^0.5.0"
46
+ },
47
+ "peerDependencies": {
48
+ "passport-jwt": "^4.0.0"
49
+ },
50
+ "scripts": {
51
+ "build": "tsup",
52
+ "test": "vitest run"
53
+ }
54
+ }