@redmix/auth-auth0-api 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# Authentication
+
+## Contributing
+
+If you want to contribute a new auth provider integration we recommend you
+start by implementing it as a custom auth provider in a Redwood App first. When
+that works you can package it up as an npm package and publish it on your own.
+You can then create a PR on this repo with support for your new auth provider
+in our `yarn rw setup auth` cli command. The easiest option is probably to just
+look at one of the existing auth providers in
+`packages/cli/src/commands/setup/auth/providers` and the corresponding
+templates in `../templates`.
+
+If you need help setting up a custom auth provider there's more info in the
+[auth docs](https://redwoodjs.com/docs/authentication).
+
+### Contributing to the base auth implementation
+
+If you want to contribute to our auth implementation, the interface towards
+both auth service providers and RW apps we recommend you start looking in
+`authFactory.ts` and then continue to `AuthProvider.tsx`. `AuthProvider.tsx`
+has most of our implementation together with all the custom hooks it uses.
+Another file to be accustomed with is `AuthContext.ts`. The interface in there
+has pretty good code comments, and is what will be exposed to RW apps.
+
+## getCurrentUser
+
+`getCurrentUser` returns the user information together with
+an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
+
+Use in conjunction with `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param decoded - The decoded access token containing user info and JWT claims like `sub`
+@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+such as headers and cookies, and the context information about the invocation such as IP Address
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+This example is the standard use of `getCurrentUser`.
+
+```js
+export const getCurrentUser = async (
+  decoded,
+  { _token, _type },
+  { _event, _context },
+) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User details fetched via database query
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return await db.user.findUnique({ where: { decoded.email } })
+}
+```
+
+#### User info is decoded from the access token
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded }
+}
+```
+
+#### User info is contained in the decoded token and roles extracted
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
+
+```js
+export const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { email: decoded.email },
+  })
+
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
+  }
+}
+```
+
+#### User record query by an identity with app_metadata roles
+
+```js
+const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { userIdentity: decoded.sub },
+  })
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded }).roles,
+  }
+}
+```
+
+#### Cookies and other request information are available in the req parameter, just in case
+
+```js
+const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
+  const cookies = cookie(event.headers.cookies)
+  const session = cookies['my.cookie.name']
+  const currentUser = await db.sessions.findUnique({ where: { id: session } })
+  return currentUser
+}
+```
+
+## requireAuth
+
+Use `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param {string=} roles - An optional role or list of roles
+@param {string[]=} roles - An optional list of roles
+
+@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+
+@throws {AuthenticationError} - If the currentUser is not authenticated
+@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+```js
+requireAuth()
+```
+
+#### Checks if currentUser is authenticated and assigned one of the given roles
+
+```js
+requireAuth({ role: 'admin' })
+requireAuth({ role: ['editor', 'author'] })
+requireAuth({ role: ['publisher'] })
+```

package/dist/decoder.d.ts

@@ -0,0 +1,25 @@
+import type { Decoder } from '@redmix/api';
+/**
+ * This takes an auth0 jwt and verifies it. It returns something like this:
+ * ```js
+ * {
+ *   iss: 'https://<AUTH0_DOMAIN>/',
+ *   sub: 'auth0|xxx',
+ *   aud: [ 'api.billable', 'https://<AUTH0_DOMAIN>/userinfo' ],
+ *   iat: 1588800141,
+ *   exp: 1588886541,
+ *   azp: 'QOsYIlHvCLqLzmfDU0Z3upFdu1znlkqK',
+ *   scope: 'openid profile email'
+ * }
+ * ```
+ *
+ * You can use `sub` as a stable reference to your user, but if you want the email
+ * address you can set a context object[^0] in rules[^1]:
+ *
+ * ^0: https://auth0.com/docs/rules/references/context-object
+ * ^1: https://manage.auth0.com/#/rules/new
+ *
+ */
+export declare const verifyAuth0Token: (bearerToken: string) => Promise<null | Record<string, unknown>>;
+export declare const authDecoder: Decoder;
+//# sourceMappingURL=decoder.d.ts.map

package/dist/decoder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decoder.d.ts","sourceRoot":"","sources":["../src/decoder.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAE1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gBAAgB,gBACd,MAAM,KAClB,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAqCxC,CAAA;AAED,eAAO,MAAM,WAAW,EAAE,OAMzB,CAAA"}

package/dist/decoder.js

@@ -0,0 +1,81 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var decoder_exports = {};
+__export(decoder_exports, {
+  authDecoder: () => authDecoder,
+  verifyAuth0Token: () => verifyAuth0Token
+});
+module.exports = __toCommonJS(decoder_exports);
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jwks_rsa = __toESM(require("jwks-rsa"));
+const verifyAuth0Token = (bearerToken) => {
+  return new Promise((resolve, reject) => {
+    const { AUTH0_DOMAIN, AUTH0_AUDIENCE } = process.env;
+    if (!AUTH0_DOMAIN || !AUTH0_AUDIENCE) {
+      throw new Error(
+        "`AUTH0_DOMAIN` or `AUTH0_AUDIENCE` env vars are not set."
+      );
+    }
+    const client = (0, import_jwks_rsa.default)({
+      jwksUri: `https://${AUTH0_DOMAIN}/.well-known/jwks.json`
+    });
+    import_jsonwebtoken.default.verify(
+      bearerToken,
+      (header, callback) => {
+        client.getSigningKey(header.kid, (error, key) => {
+          callback(error, key?.getPublicKey());
+        });
+      },
+      {
+        audience: AUTH0_AUDIENCE,
+        issuer: `https://${AUTH0_DOMAIN}/`,
+        algorithms: ["RS256"]
+      },
+      (verifyError, decoded) => {
+        if (verifyError) {
+          return reject(verifyError);
+        }
+        resolve(
+          typeof decoded === "undefined" ? null : decoded
+        );
+      }
+    );
+  });
+};
+const authDecoder = async (token, type) => {
+  if (type !== "auth0") {
+    return null;
+  }
+  return verifyAuth0Token(token);
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  authDecoder,
+  verifyAuth0Token
+});

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { authDecoder } from './decoder';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA"}

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+__export(index_exports, {
+  authDecoder: () => import_decoder.authDecoder
+});
+module.exports = __toCommonJS(index_exports);
+var import_decoder = require("./decoder");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  authDecoder
+});

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@redmix/auth-auth0-api",
+  "version": "0.0.1",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/redmix-run/redmix.git",
+    "directory": "packages/auth-providers/auth0/api"
+  },
+  "license": "MIT",
+  "type": "commonjs",
+  "exports": {
+    ".": {
+      "default": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    },
+    "./dist/decoder": {
+      "default": {
+        "types": "./dist/decoder.d.ts",
+        "default": "./dist/decoder.js"
+      }
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsx ./build.mts && yarn build:types",
+    "build:pack": "yarn pack -o redmix-auth-auth0-api.tgz",
+    "build:types": "tsc --build --verbose ./tsconfig.json",
+    "build:watch": "nodemon --watch src --ext \"js,jsx,ts,tsx,template\" --ignore dist --exec \"yarn build\"",
+    "check:attw": "yarn attw -P",
+    "check:package": "concurrently npm:check:attw yarn:publint",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "vitest run",
+    "test:watch": "vitest watch"
+  },
+  "dependencies": {
+    "jsonwebtoken": "9.0.2",
+    "jwks-rsa": "3.1.0"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "0.16.4",
+    "@redmix/api": "0.0.1",
+    "@redmix/framework-tools": "0.0.1",
+    "@types/jsonwebtoken": "9.0.8",
+    "concurrently": "8.2.2",
+    "publint": "0.3.11",
+    "tsx": "4.19.3",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "688027c97502c500ebbede9cdc7cc51545a8dcf3"
+}