@rabstack/rab-api 1.12.0 → 1.13.0

package/index.cjs.js

@@ -688,22 +688,28 @@ const controllerHandler = (controller, config)=>{
 };
 
 const authHandler = (isProtected, config)=>(req, res, next)=>{
-        console.log('authHandler:', req.path, ':isProtected:', isProtected);
+        var _config_debug;
+        const debug = (_config_debug = config.debug) != null ? _config_debug : false;
+        if (debug) console.log('authHandler:', req.path, ':isProtected:', isProtected);
         const token = extractTokenFromHeader(req);
         // If not protected and no token, just continue
         if (!isProtected && !token) return next();
         // If no token but route is protected, throw error
         if (!token) {
-            console.log('authHandler:UnauthorizedException:Token Not Found');
+            if (debug) console.log('authHandler:UnauthorizedException:Token Not Found');
             throw new UnauthorizedException('Unauthorized', config.errorCode);
         }
-        // Token exists - verify it (must be valid regardless of protection)
+        // Token exists - verify it
         try {
-            const payload = jwt.verify(token, config.jwt.secret_key);
+            const payload = jwt.verify(token, config.jwt.secret_key, {
+                algorithms: config.jwt.algorithms
+            });
             req['auth'] = payload;
             return next();
         } catch (err) {
-            console.error('authHandler:JWT Error:', err.message);
+            // If route is not protected, silently continue without auth
+            if (!isProtected) return next();
+            if (debug) console.error('authHandler:JWT Error:', err.message);
             throw new UnauthorizedException('Unauthorized', config.errorCode);
         }
     };
@@ -1131,7 +1137,9 @@ class AtomExpressApp {
             //auth middleware
             if (this.options.auth) {
                 var _config_isProtected;
-                allPipes.unshift(authHandler((_config_isProtected = config.isProtected) != null ? _config_isProtected : this.options.enforceRouteProtection, this.options.auth));
+                allPipes.unshift(authHandler((_config_isProtected = config.isProtected) != null ? _config_isProtected : this.options.enforceRouteProtection, _extends({}, this.options.auth, {
+                    debug: this.options.debug
+                })));
             }
             //add body validation to validate the schema and inject request context
             if (config.bodySchema && !config.disableBodyValidation) {

package/index.esm.d.ts

@@ -78,6 +78,7 @@ export declare type AtomExpressOptions = {
     errorHandler?: (err: any, req: Request_2, res: Response_2, next: NextFunction) => any;
     enforceBodyValidation?: boolean;
     enforceRouteProtection?: boolean;
+    debug?: boolean;
     auth?: AuthHandlerOptions;
     openapi?: {
         enabled?: boolean;
@@ -124,6 +125,7 @@ export declare const authHandler: (isProtected: boolean, config: AuthHandlerOpti
 
 export declare type AuthHandlerOptions = {
     errorCode?: string;
+    debug?: boolean;
     jwt: {
         secret_key: string;
         algorithms: any;

package/index.esm.js

@@ -686,22 +686,28 @@ const controllerHandler = (controller, config)=>{
 };
 
 const authHandler = (isProtected, config)=>(req, res, next)=>{
-        console.log('authHandler:', req.path, ':isProtected:', isProtected);
+        var _config_debug;
+        const debug = (_config_debug = config.debug) != null ? _config_debug : false;
+        if (debug) console.log('authHandler:', req.path, ':isProtected:', isProtected);
         const token = extractTokenFromHeader(req);
         // If not protected and no token, just continue
         if (!isProtected && !token) return next();
         // If no token but route is protected, throw error
         if (!token) {
-            console.log('authHandler:UnauthorizedException:Token Not Found');
+            if (debug) console.log('authHandler:UnauthorizedException:Token Not Found');
             throw new UnauthorizedException('Unauthorized', config.errorCode);
         }
-        // Token exists - verify it (must be valid regardless of protection)
+        // Token exists - verify it
         try {
-            const payload = jwt.verify(token, config.jwt.secret_key);
+            const payload = jwt.verify(token, config.jwt.secret_key, {
+                algorithms: config.jwt.algorithms
+            });
             req['auth'] = payload;
             return next();
         } catch (err) {
-            console.error('authHandler:JWT Error:', err.message);
+            // If route is not protected, silently continue without auth
+            if (!isProtected) return next();
+            if (debug) console.error('authHandler:JWT Error:', err.message);
             throw new UnauthorizedException('Unauthorized', config.errorCode);
         }
     };
@@ -1129,7 +1135,9 @@ class AtomExpressApp {
             //auth middleware
             if (this.options.auth) {
                 var _config_isProtected;
-                allPipes.unshift(authHandler((_config_isProtected = config.isProtected) != null ? _config_isProtected : this.options.enforceRouteProtection, this.options.auth));
+                allPipes.unshift(authHandler((_config_isProtected = config.isProtected) != null ? _config_isProtected : this.options.enforceRouteProtection, _extends({}, this.options.auth, {
+                    debug: this.options.debug
+                })));
             }
             //add body validation to validate the schema and inject request context
             if (config.bodySchema && !config.disableBodyValidation) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rabstack/rab-api",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "A TypeScript REST API framework built on Express.js with decorator-based routing, dependency injection, and built-in validation",
   "author": "Softin",
   "license": "MIT",