@qwickapps/server 1.5.2 → 1.6.0

package/dist/plugins/api-keys/middleware/bearer-token-auth.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Middleware for authenticating API requests using Bearer tokens (API keys).
+ * Verifies the token, checks expiration and active status, and attaches
+ * the authenticated key info to the request.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import type { Request, Response, NextFunction } from 'express';
+import type { ApiKeyScope } from '../types.js';
+/**
+ * Extended Express Request with API key authentication info
+ */
+export interface ApiKeyAuthenticatedRequest extends Request {
+    apiKey?: {
+        id: string;
+        user_id: string;
+        scopes: ApiKeyScope[];
+        key_type: 'm2m' | 'pat';
+    };
+}
+/**
+ * Options for bearer token authentication middleware
+ */
+export interface BearerTokenAuthOptions {
+    /** Required scopes (all must be present) */
+    requiredScopes?: ApiKeyScope[];
+    /** Allow only specific key types */
+    allowedKeyTypes?: ('m2m' | 'pat')[];
+    /** Custom error handler */
+    onUnauthorized?: (req: Request, res: Response, reason: string) => void;
+}
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Validates API keys sent as Bearer tokens in the Authorization header.
+ * Attaches authenticated key info to the request for downstream handlers.
+ *
+ * @param options Configuration options
+ * @returns Express middleware function
+ *
+ * @example
+ * ```ts
+ * import { bearerTokenAuth } from '@qwickapps/server';
+ *
+ * // Require authentication
+ * app.get('/api/data', bearerTokenAuth(), (req, res) => {
+ *   const { apiKey } = req as ApiKeyAuthenticatedRequest;
+ *   res.json({ user_id: apiKey?.user_id });
+ * });
+ *
+ * // Require specific scopes
+ * app.post('/api/data', bearerTokenAuth({
+ *   requiredScopes: ['write'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ *
+ * // Allow only M2M keys
+ * app.post('/api/admin', bearerTokenAuth({
+ *   allowedKeyTypes: ['m2m'],
+ *   requiredScopes: ['admin'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ * ```
+ */
+export declare function bearerTokenAuth(options?: BearerTokenAuthOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+/**
+ * Helper type guard for API key authenticated requests
+ */
+export declare function isApiKeyAuthenticated(req: Request): req is ApiKeyAuthenticatedRequest;
+//# sourceMappingURL=bearer-token-auth.d.ts.map

package/dist/plugins/api-keys/middleware/bearer-token-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer-token-auth.d.ts","sourceRoot":"","sources":["../../../../src/plugins/api-keys/middleware/bearer-token-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAIvD;;GAEG;AACH,MAAM,WAAW,0BAA2B,SAAQ,OAAO;IACzD,MAAM,CAAC,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,WAAW,EAAE,CAAC;QACtB,QAAQ,EAAE,KAAK,GAAG,KAAK,CAAC;KACzB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,4CAA4C;IAC5C,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC;IAC/B,oCAAoC;IACpC,eAAe,CAAC,EAAE,CAAC,KAAK,GAAG,KAAK,CAAC,EAAE,CAAC;IACpC,2BAA2B;IAC3B,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACxE;AA8FD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,eAAe,CAAC,OAAO,GAAE,sBAA2B,IAOpD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CAqE9E;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,0BAA0B,CAErF"}

package/dist/plugins/api-keys/middleware/bearer-token-auth.js

@@ -0,0 +1,201 @@
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Middleware for authenticating API requests using Bearer tokens (API keys).
+ * Verifies the token, checks expiration and active status, and attaches
+ * the authenticated key info to the request.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import { getApiKeysStore } from '../api-keys-plugin.js';
+import { incrementLimit, isLimited } from '../../rate-limit/rate-limit-service.js';
+/**
+ * Extract Bearer token from Authorization header
+ *
+ * @param req Express request
+ * @returns Bearer token or null if not found
+ */
+function extractBearerToken(req) {
+    const authHeader = req.headers.authorization;
+    if (!authHeader) {
+        return null;
+    }
+    // Check for "Bearer <token>" format
+    const parts = authHeader.split(' ');
+    if (parts.length !== 2 || parts[0] !== 'Bearer') {
+        return null;
+    }
+    return parts[1];
+}
+/**
+ * Check if API key has all required scopes
+ *
+ * @param keyScopes Scopes granted to the API key
+ * @param requiredScopes Scopes required for the endpoint
+ * @returns True if key has all required scopes
+ */
+function hasRequiredScopes(keyScopes, requiredScopes) {
+    return requiredScopes.every(required => keyScopes.includes(required));
+}
+/**
+ * Default unauthorized handler
+ */
+function defaultUnauthorizedHandler(req, res, reason) {
+    res.status(401).json({
+        error: 'Unauthorized',
+        message: reason,
+    });
+}
+/**
+ * Get rate limit identifier for API key authentication
+ * Uses IP address as the identifier
+ */
+function getRateLimitIdentifier(req) {
+    const ip = req.ip ||
+        req.headers['x-forwarded-for']?.toString().split(',')[0].trim() ||
+        req.socket?.remoteAddress ||
+        'unknown';
+    return `api-key-auth:${ip}`;
+}
+/**
+ * Check if rate limit has been exceeded
+ * Uses the existing rate-limit plugin with specific limits for API key auth
+ */
+async function checkRateLimit(identifier) {
+    try {
+        // Check rate limit: 100 requests per 15 minutes
+        return await isLimited(identifier, {
+            maxRequests: 100,
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            strategy: 'sliding-window',
+        });
+    }
+    catch (error) {
+        // If rate limit service not available, allow the request
+        // (fail open - let other security measures handle it)
+        console.warn('[bearerTokenAuth] Rate limit service unavailable:', error);
+        return false;
+    }
+}
+/**
+ * Record a failed authentication attempt
+ * Increments the rate limit counter
+ */
+async function recordFailedAttempt(identifier) {
+    try {
+        await incrementLimit(identifier, {
+            maxRequests: 100,
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            strategy: 'sliding-window',
+        });
+    }
+    catch (error) {
+        // Non-critical - log and continue
+        console.warn('[bearerTokenAuth] Failed to record attempt:', error);
+    }
+}
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Validates API keys sent as Bearer tokens in the Authorization header.
+ * Attaches authenticated key info to the request for downstream handlers.
+ *
+ * @param options Configuration options
+ * @returns Express middleware function
+ *
+ * @example
+ * ```ts
+ * import { bearerTokenAuth } from '@qwickapps/server';
+ *
+ * // Require authentication
+ * app.get('/api/data', bearerTokenAuth(), (req, res) => {
+ *   const { apiKey } = req as ApiKeyAuthenticatedRequest;
+ *   res.json({ user_id: apiKey?.user_id });
+ * });
+ *
+ * // Require specific scopes
+ * app.post('/api/data', bearerTokenAuth({
+ *   requiredScopes: ['write'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ *
+ * // Allow only M2M keys
+ * app.post('/api/admin', bearerTokenAuth({
+ *   allowedKeyTypes: ['m2m'],
+ *   requiredScopes: ['admin'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ * ```
+ */
+export function bearerTokenAuth(options = {}) {
+    const { requiredScopes = [], allowedKeyTypes, onUnauthorized = defaultUnauthorizedHandler, } = options;
+    return async (req, res, next) => {
+        try {
+            // Check rate limit first
+            const rateLimitId = getRateLimitIdentifier(req);
+            if (await checkRateLimit(rateLimitId)) {
+                res.status(429).json({
+                    error: 'Too Many Requests',
+                    message: 'Too many authentication attempts. Please try again later.',
+                });
+                return;
+            }
+            // Extract token from Authorization header
+            const token = extractBearerToken(req);
+            if (!token) {
+                recordFailedAttempt(rateLimitId);
+                onUnauthorized(req, res, 'Missing or invalid Authorization header');
+                return;
+            }
+            // Get store instance
+            const store = getApiKeysStore();
+            if (!store) {
+                console.error('[bearerTokenAuth] API Keys plugin not initialized');
+                res.status(500).json({ error: 'Authentication service unavailable' });
+                return;
+            }
+            // Verify the token
+            const apiKey = await store.verify(token);
+            if (!apiKey) {
+                recordFailedAttempt(rateLimitId);
+                onUnauthorized(req, res, 'Invalid, expired, or inactive API key');
+                return;
+            }
+            // Check key type if restrictions apply
+            if (allowedKeyTypes && !allowedKeyTypes.includes(apiKey.key_type)) {
+                onUnauthorized(req, res, `This endpoint requires ${allowedKeyTypes.join(' or ')} keys`);
+                return;
+            }
+            // Check scopes if required
+            if (requiredScopes.length > 0 && !hasRequiredScopes(apiKey.scopes, requiredScopes)) {
+                onUnauthorized(req, res, `Insufficient scopes. Required: ${requiredScopes.join(', ')}`);
+                return;
+            }
+            // Record usage (non-blocking)
+            store.recordUsage(apiKey.id).catch(err => {
+                console.error('[bearerTokenAuth] Failed to record key usage:', err);
+            });
+            // Attach authenticated key info to request
+            req.apiKey = {
+                id: apiKey.id,
+                user_id: apiKey.user_id,
+                scopes: apiKey.scopes,
+                key_type: apiKey.key_type,
+            };
+            next();
+        }
+        catch (error) {
+            console.error('[bearerTokenAuth] Authentication error:', error);
+            res.status(500).json({ error: 'Authentication failed' });
+        }
+    };
+}
+/**
+ * Helper type guard for API key authenticated requests
+ */
+export function isApiKeyAuthenticated(req) {
+    return 'apiKey' in req && req.apiKey !== undefined;
+}
+//# sourceMappingURL=bearer-token-auth.js.map

package/dist/plugins/api-keys/middleware/bearer-token-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer-token-auth.js","sourceRoot":"","sources":["../../../../src/plugins/api-keys/middleware/bearer-token-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,wCAAwC,CAAC;AA0BnF;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAY;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAE7C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oCAAoC;IACpC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,SAAwB,EAAE,cAA6B;IAChF,OAAO,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,GAAY,EAAE,GAAa,EAAE,MAAc;IAC7E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,GAAY;IAC1C,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE;QACf,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,QAAQ,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;QAC/D,GAAG,CAAC,MAAM,EAAE,aAAa;QACzB,SAAS,CAAC;IACZ,OAAO,gBAAgB,EAAE,EAAE,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAAC,UAAkB;IAC9C,IAAI,CAAC;QACH,gDAAgD;QAChD,OAAO,MAAM,SAAS,CAAC,UAAU,EAAE;YACjC,WAAW,EAAE,GAAG;YAChB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,QAAQ,EAAE,gBAAgB;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,yDAAyD;QACzD,sDAAsD;QACtD,OAAO,CAAC,IAAI,CAAC,mDAAmD,EAAE,KAAK,CAAC,CAAC;QACzE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB,CAAC,UAAkB;IACnD,IAAI,CAAC;QACH,MAAM,cAAc,CAAC,UAAU,EAAE;YAC/B,WAAW,EAAE,GAAG;YAChB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,QAAQ,EAAE,gBAAgB;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,kCAAkC;QAClC,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkC,EAAE;IAClE,MAAM,EACJ,cAAc,GAAG,EAAE,EACnB,eAAe,EACf,cAAc,GAAG,0BAA0B,GAC5C,GAAG,OAAO,CAAC;IAEZ,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC;YACH,yBAAyB;YACzB,MAAM,WAAW,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,MAAM,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;gBACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,mBAAmB;oBAC1B,OAAO,EAAE,2DAA2D;iBACrE,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,0CAA0C;YAC1C,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAEtC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,mBAAmB,CAAC,WAAW,CAAC,CAAC;gBACjC,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,yCAAyC,CAAC,CAAC;gBACpE,OAAO;YACT,CAAC;YAED,qBAAqB;YACrB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACnE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;YAED,mBAAmB;YACnB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAEzC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,mBAAmB,CAAC,WAAW,CAAC,CAAC;gBACjC,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,uCAAuC,CAAC,CAAC;gBAClE,OAAO;YACT,CAAC;YAED,uCAAuC;YACvC,IAAI,eAAe,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClE,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,0BAA0B,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBACxF,OAAO;YACT,CAAC;YAED,2BAA2B;YAC3B,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;gBACnF,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,kCAAkC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACxF,OAAO;YACT,CAAC;YAED,8BAA8B;YAC9B,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACvC,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,GAAG,CAAC,CAAC;YACtE,CAAC,CAAC,CAAC;YAEH,2CAA2C;YAC1C,GAAkC,CAAC,MAAM,GAAG;gBAC3C,EAAE,EAAE,MAAM,CAAC,EAAE;gBACb,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;YAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAY;IAChD,OAAO,QAAQ,IAAI,GAAG,IAAK,GAAkC,CAAC,MAAM,KAAK,SAAS,CAAC;AACrF,CAAC"}

package/dist/plugins/api-keys/middleware/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * API Keys Middleware Index
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { bearerTokenAuth, isApiKeyAuthenticated, type ApiKeyAuthenticatedRequest, type BearerTokenAuthOptions, } from './bearer-token-auth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/plugins/api-keys/middleware/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/plugins/api-keys/middleware/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC"}

package/dist/plugins/api-keys/middleware/index.js

@@ -0,0 +1,7 @@
+/**
+ * API Keys Middleware Index
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { bearerTokenAuth, isApiKeyAuthenticated, } from './bearer-token-auth.js';
+//# sourceMappingURL=index.js.map

package/dist/plugins/api-keys/middleware/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/api-keys/middleware/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,eAAe,EACf,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC"}

package/dist/plugins/api-keys/stores/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * API Keys Stores Index
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { postgresApiKeyStore } from './postgres-store.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/plugins/api-keys/stores/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/plugins/api-keys/stores/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/plugins/api-keys/stores/index.js

@@ -0,0 +1,7 @@
+/**
+ * API Keys Stores Index
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { postgresApiKeyStore } from './postgres-store.js';
+//# sourceMappingURL=index.js.map

package/dist/plugins/api-keys/stores/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/api-keys/stores/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/plugins/api-keys/stores/postgres-store.d.ts

@@ -0,0 +1,34 @@
+/**
+ * PostgreSQL API Keys Store
+ *
+ * API key storage implementation using PostgreSQL with Row-Level Security (RLS).
+ * Uses SHA-256 for token hashing (high-entropy keys don't need bcrypt's slowness).
+ *
+ * RLS Context Pattern:
+ * Each operation uses an explicit transaction and sets `app.current_user_id`
+ * as a transaction-local configuration variable. The RLS policy checks this
+ * variable to enforce that users can only access their own API keys.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import type { ApiKeyStore, PostgresApiKeyStoreConfig } from '../types.js';
+/**
+ * Create a PostgreSQL API keys store with RLS
+ *
+ * @param config Configuration including a pg Pool instance
+ * @returns ApiKeyStore implementation
+ *
+ * @example
+ * ```ts
+ * import { Pool } from 'pg';
+ * import { postgresApiKeyStore } from '@qwickapps/server';
+ *
+ * const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ * const store = postgresApiKeyStore({ pool });
+ *
+ * // Or with lazy initialization:
+ * const store = postgresApiKeyStore({ pool: () => getPostgres().getPool() });
+ * ```
+ */
+export declare function postgresApiKeyStore(config: PostgresApiKeyStoreConfig): ApiKeyStore;
+//# sourceMappingURL=postgres-store.d.ts.map

package/dist/plugins/api-keys/stores/postgres-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres-store.d.ts","sourceRoot":"","sources":["../../../../src/plugins/api-keys/stores/postgres-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EACV,WAAW,EACX,yBAAyB,EAK1B,MAAM,aAAa,CAAC;AAuKrB;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,yBAAyB,GAAG,WAAW,CAsRlF"}