@redmix/auth-dbauth-middleware 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,88 @@
+# DbAuth Middleware
+
+### Example instantiation
+
+```tsx filename='entry.server.tsx'
+import type { TagDescriptor } from '@redmix/web'
+
+import App from './App'
+import initDbAuthMiddleware from '@redmix/auth-dbauth-middleware'
+import { Document } from './Document'
+
+import { handler as dbAuthHandler } from '$api/src/functions/auth'
+import { cookieName } from '$api/src/lib/auth'
+import { getCurrentUser } from '$api/src/lib/auth'
+interface Props {
+  css: string[]
+  meta?: TagDescriptor[]
+}
+
+export const registerMiddleware = () => {
+  // This actually returns [dbAuthMiddleware, '*']
+  const authMw = initDbAuthMiddleware({
+    dbAuthHandler,
+    getCurrentUser,
+    // cookieName optional
+    // getRoles optional
+    // dbAuthUrl? optional
+  })
+
+  return [authMw]
+}
+
+export const ServerEntry: React.FC<Props> = ({ css, meta }) => {
+  return (
+    <Document css={css} meta={meta}>
+      <App />
+    </Document>
+  )
+}
+```
+
+### Roles handling
+
+By default the middleware assumes your roles will be in `currentUser.roles` - either as a string or an array of strings.
+
+For example
+
+```js
+
+// If this is your current user:
+{
+  email: 'user-1@example.com',
+  id: 'mocked-current-user-1',
+  roles: 'admin'
+}
+
+// In the ServerAuthState
+{
+  cookieHeader: 'session=session_cookie',
+  currentUser: {
+    email: 'user-1@example.com',
+    id: 'mocked-current-user-1',
+    roles: 'admin' // <-- you sent back 'admin' as string
+  },
+  hasError: false,
+  isAuthenticated: true,
+  loading: false,
+  userMetadata: /*..*/
+  roles: ['admin'] // <-- converted to array
+}
+```
+
+You can customise this by passing a custom `getRoles` function into `initDbAuthMiddleware`. For example:
+
+```ts
+const authMw = initDbAuthMiddleware({
+  dbAuthHandler,
+  getCurrentUser,
+  getRoles: (decoded) => {
+    // Assuming you want to get roles from a property called org
+    if (decoded.currentUser.org) {
+      return [decoded.currentUser.org]
+    } else {
+      return []
+    }
+  },
+})
+```

package/dist/cjs/defaultGetRoles.d.ts

@@ -0,0 +1,2 @@
+export declare const defaultGetRoles: (decoded: Record<string, any> | undefined | null) => string[];
+//# sourceMappingURL=defaultGetRoles.d.ts.map

package/dist/cjs/defaultGetRoles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaultGetRoles.d.ts","sourceRoot":"","sources":["../../src/defaultGetRoles.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,YACjB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,IAAI,KAC9C,MAAM,EAYR,CAAA"}

package/dist/cjs/defaultGetRoles.js

@@ -0,0 +1,39 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var defaultGetRoles_exports = {};
+__export(defaultGetRoles_exports, {
+  defaultGetRoles: () => defaultGetRoles
+});
+module.exports = __toCommonJS(defaultGetRoles_exports);
+const defaultGetRoles = (decoded) => {
+  try {
+    const roles = decoded?.currentUser?.roles;
+    if (Array.isArray(roles)) {
+      return roles;
+    } else {
+      return roles ? [roles] : [];
+    }
+  } catch {
+    return [];
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  defaultGetRoles
+});

package/dist/cjs/index.d.ts

@@ -0,0 +1,14 @@
+import type { APIGatewayProxyEvent, Context } from 'aws-lambda';
+import type { DbAuthResponse } from '@redmix/auth-dbauth-api';
+import type { GetCurrentUser } from '@redmix/graphql-server';
+import type { Middleware } from '@redmix/web/middleware';
+export interface DbAuthMiddlewareOptions {
+    cookieName?: string;
+    dbAuthUrl?: string;
+    dbAuthHandler: (req: Request | APIGatewayProxyEvent, context?: Context) => DbAuthResponse;
+    getRoles?: (decoded: any) => string[];
+    getCurrentUser: GetCurrentUser;
+}
+export declare const initDbAuthMiddleware: ({ dbAuthHandler, getCurrentUser, getRoles, cookieName, dbAuthUrl, }: DbAuthMiddlewareOptions) => [Middleware, "*"];
+export default initDbAuthMiddleware;
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAE/D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AAI7D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA;AAE5D,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,wBAAwB,CAAA;AAI3E,MAAM,WAAW,uBAAuB;IACtC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,SAAS,CAAC,EAAE,MAAM,CAAA;IAGlB,aAAa,EAAE,CACb,GAAG,EAAE,OAAO,GAAG,oBAAoB,EACnC,OAAO,CAAC,EAAE,OAAO,KACd,cAAc,CAAA;IACnB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,MAAM,EAAE,CAAA;IACrC,cAAc,EAAE,cAAc,CAAA;CAC/B;AAED,eAAO,MAAM,oBAAoB,wEAM9B,uBAAuB,KAAG,CAAC,UAAU,EAAE,GAAG,CAkG5C,CAAA;AA8DD,eAAe,oBAAoB,CAAA"}

package/dist/cjs/index.js

@@ -0,0 +1,158 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+__export(index_exports, {
+  default: () => index_default,
+  initDbAuthMiddleware: () => initDbAuthMiddleware
+});
+module.exports = __toCommonJS(index_exports);
+var import_auth_dbauth_api = __toESM(require("@redmix/auth-dbauth-api"), 1);
+var import_middleware = require("@redmix/web/middleware");
+var import_defaultGetRoles = require("./defaultGetRoles.js");
+const { dbAuthSession, cookieName: cookieNameCreator } = import_auth_dbauth_api.default;
+const initDbAuthMiddleware = ({
+  dbAuthHandler,
+  getCurrentUser,
+  getRoles = import_defaultGetRoles.defaultGetRoles,
+  cookieName,
+  dbAuthUrl = "/middleware/dbauth"
+}) => {
+  const mw = async (req, res = import_middleware.MiddlewareResponse.next()) => {
+    console.log("dbAuthUrl", dbAuthUrl);
+    console.log("req.url", req.url);
+    if (req.url.includes(dbAuthUrl)) {
+      if (req.url.includes(`${dbAuthUrl}/currentUser`)) {
+        const validatedSession2 = await validateSession({
+          req,
+          cookieName,
+          getCurrentUser
+        });
+        if (validatedSession2) {
+          return new import_middleware.MiddlewareResponse(
+            JSON.stringify({ currentUser: validatedSession2.currentUser })
+          );
+        } else {
+          return new import_middleware.MiddlewareResponse(JSON.stringify({ currentUser: null }));
+        }
+      } else {
+        const output = await dbAuthHandler(req);
+        console.log("output", output);
+        const finalHeaders = new Headers();
+        Object.entries(output.headers).forEach(([key, value]) => {
+          if (Array.isArray(value)) {
+            value.forEach((mvhHeader) => finalHeaders.append(key, mvhHeader));
+          } else {
+            finalHeaders.append(key, value);
+          }
+        });
+        return new import_middleware.MiddlewareResponse(output.body, {
+          headers: finalHeaders,
+          status: output.statusCode
+        });
+      }
+    }
+    const cookieHeader = req.headers.get("Cookie");
+    if (!cookieHeader?.includes("auth-provider")) {
+      return res;
+    }
+    const validatedSession = await validateSession({
+      req,
+      cookieName,
+      getCurrentUser
+    });
+    if (validatedSession) {
+      const { currentUser, decryptedSession } = validatedSession;
+      req.serverAuthState.set({
+        currentUser,
+        loading: false,
+        isAuthenticated: !!currentUser,
+        hasError: false,
+        userMetadata: currentUser,
+        // dbAuth doesn't have userMetadata
+        cookieHeader,
+        roles: getRoles(decryptedSession)
+      });
+    } else {
+      req.serverAuthState.clear();
+      res.cookies.unset(cookieNameCreator(cookieName));
+      res.cookies.unset("auth-provider");
+    }
+    return res;
+  };
+  return [mw, "*"];
+};
+async function validateSession({
+  req,
+  cookieName,
+  getCurrentUser
+}) {
+  let decryptedSession;
+  try {
+    decryptedSession = dbAuthSession(
+      req,
+      cookieNameCreator(cookieName)
+    );
+  } catch (e) {
+    if (process.env.NODE_ENV === "development") {
+      console.debug("Could not decrypt dbAuth session", e);
+    }
+    return void 0;
+  }
+  if (!decryptedSession) {
+    if (process.env.NODE_ENV === "development") {
+      console.debug(
+        "No dbAuth session cookie found. Looking for a cookie named:",
+        cookieName
+      );
+    }
+    return void 0;
+  }
+  const currentUser = await getCurrentUser(
+    decryptedSession,
+    {
+      type: "dbAuth",
+      schema: "cookie",
+      // @MARK: We pass the entire cookie header as a token. This isn't
+      // actually the token!
+      // At this point the Cookie header is guaranteed, because otherwise a
+      // decryptionError would have been thrown
+      token: req.headers.get("Cookie")
+    },
+    {
+      // MWRequest is a superset of Request
+      event: req
+    }
+  );
+  return { currentUser, decryptedSession };
+}
+var index_default = initDbAuthMiddleware;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  initDbAuthMiddleware
+});

package/dist/cjs/package.json

@@ -0,0 +1 @@
+{"type":"commonjs"}

package/dist/defaultGetRoles.d.ts

@@ -0,0 +1,2 @@
+export declare const defaultGetRoles: (decoded: Record<string, any> | undefined | null) => string[];
+//# sourceMappingURL=defaultGetRoles.d.ts.map

package/dist/defaultGetRoles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaultGetRoles.d.ts","sourceRoot":"","sources":["../src/defaultGetRoles.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,YACjB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,IAAI,KAC9C,MAAM,EAYR,CAAA"}

package/dist/defaultGetRoles.js

@@ -0,0 +1,15 @@
+const defaultGetRoles = (decoded) => {
+  try {
+    const roles = decoded?.currentUser?.roles;
+    if (Array.isArray(roles)) {
+      return roles;
+    } else {
+      return roles ? [roles] : [];
+    }
+  } catch {
+    return [];
+  }
+};
+export {
+  defaultGetRoles
+};

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+import type { APIGatewayProxyEvent, Context } from 'aws-lambda';
+import type { DbAuthResponse } from '@redmix/auth-dbauth-api';
+import type { GetCurrentUser } from '@redmix/graphql-server';
+import type { Middleware } from '@redmix/web/middleware';
+export interface DbAuthMiddlewareOptions {
+    cookieName?: string;
+    dbAuthUrl?: string;
+    dbAuthHandler: (req: Request | APIGatewayProxyEvent, context?: Context) => DbAuthResponse;
+    getRoles?: (decoded: any) => string[];
+    getCurrentUser: GetCurrentUser;
+}
+export declare const initDbAuthMiddleware: ({ dbAuthHandler, getCurrentUser, getRoles, cookieName, dbAuthUrl, }: DbAuthMiddlewareOptions) => [Middleware, "*"];
+export default initDbAuthMiddleware;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAE/D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AAI7D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA;AAE5D,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,wBAAwB,CAAA;AAI3E,MAAM,WAAW,uBAAuB;IACtC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,SAAS,CAAC,EAAE,MAAM,CAAA;IAGlB,aAAa,EAAE,CACb,GAAG,EAAE,OAAO,GAAG,oBAAoB,EACnC,OAAO,CAAC,EAAE,OAAO,KACd,cAAc,CAAA;IACnB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,MAAM,EAAE,CAAA;IACrC,cAAc,EAAE,cAAc,CAAA;CAC/B;AAED,eAAO,MAAM,oBAAoB,wEAM9B,uBAAuB,KAAG,CAAC,UAAU,EAAE,GAAG,CAkG5C,CAAA;AA8DD,eAAe,oBAAoB,CAAA"}

package/dist/index.js

@@ -0,0 +1,124 @@
+import dbAuthApi from "@redmix/auth-dbauth-api";
+const { dbAuthSession, cookieName: cookieNameCreator } = dbAuthApi;
+import { MiddlewareResponse } from "@redmix/web/middleware";
+import { defaultGetRoles } from "./defaultGetRoles.js";
+const initDbAuthMiddleware = ({
+  dbAuthHandler,
+  getCurrentUser,
+  getRoles = defaultGetRoles,
+  cookieName,
+  dbAuthUrl = "/middleware/dbauth"
+}) => {
+  const mw = async (req, res = MiddlewareResponse.next()) => {
+    console.log("dbAuthUrl", dbAuthUrl);
+    console.log("req.url", req.url);
+    if (req.url.includes(dbAuthUrl)) {
+      if (req.url.includes(`${dbAuthUrl}/currentUser`)) {
+        const validatedSession2 = await validateSession({
+          req,
+          cookieName,
+          getCurrentUser
+        });
+        if (validatedSession2) {
+          return new MiddlewareResponse(
+            JSON.stringify({ currentUser: validatedSession2.currentUser })
+          );
+        } else {
+          return new MiddlewareResponse(JSON.stringify({ currentUser: null }));
+        }
+      } else {
+        const output = await dbAuthHandler(req);
+        console.log("output", output);
+        const finalHeaders = new Headers();
+        Object.entries(output.headers).forEach(([key, value]) => {
+          if (Array.isArray(value)) {
+            value.forEach((mvhHeader) => finalHeaders.append(key, mvhHeader));
+          } else {
+            finalHeaders.append(key, value);
+          }
+        });
+        return new MiddlewareResponse(output.body, {
+          headers: finalHeaders,
+          status: output.statusCode
+        });
+      }
+    }
+    const cookieHeader = req.headers.get("Cookie");
+    if (!cookieHeader?.includes("auth-provider")) {
+      return res;
+    }
+    const validatedSession = await validateSession({
+      req,
+      cookieName,
+      getCurrentUser
+    });
+    if (validatedSession) {
+      const { currentUser, decryptedSession } = validatedSession;
+      req.serverAuthState.set({
+        currentUser,
+        loading: false,
+        isAuthenticated: !!currentUser,
+        hasError: false,
+        userMetadata: currentUser,
+        // dbAuth doesn't have userMetadata
+        cookieHeader,
+        roles: getRoles(decryptedSession)
+      });
+    } else {
+      req.serverAuthState.clear();
+      res.cookies.unset(cookieNameCreator(cookieName));
+      res.cookies.unset("auth-provider");
+    }
+    return res;
+  };
+  return [mw, "*"];
+};
+async function validateSession({
+  req,
+  cookieName,
+  getCurrentUser
+}) {
+  let decryptedSession;
+  try {
+    decryptedSession = dbAuthSession(
+      req,
+      cookieNameCreator(cookieName)
+    );
+  } catch (e) {
+    if (process.env.NODE_ENV === "development") {
+      console.debug("Could not decrypt dbAuth session", e);
+    }
+    return void 0;
+  }
+  if (!decryptedSession) {
+    if (process.env.NODE_ENV === "development") {
+      console.debug(
+        "No dbAuth session cookie found. Looking for a cookie named:",
+        cookieName
+      );
+    }
+    return void 0;
+  }
+  const currentUser = await getCurrentUser(
+    decryptedSession,
+    {
+      type: "dbAuth",
+      schema: "cookie",
+      // @MARK: We pass the entire cookie header as a token. This isn't
+      // actually the token!
+      // At this point the Cookie header is guaranteed, because otherwise a
+      // decryptionError would have been thrown
+      token: req.headers.get("Cookie")
+    },
+    {
+      // MWRequest is a superset of Request
+      event: req
+    }
+  );
+  return { currentUser, decryptedSession };
+}
+var index_default = initDbAuthMiddleware;
+export {
+  index_default as default,
+  initDbAuthMiddleware
+};

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@redmix/auth-dbauth-middleware",
+  "version": "0.0.1",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/redmix-run/redmix.git",
+    "directory": "packages/auth-providers/dbAuth/middleware"
+  },
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/cjs/index.d.ts",
+        "default": "./dist/cjs/index.js"
+      }
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsx ./build.mts",
+    "build:pack": "yarn pack -o redmix-auth-dbauth-middleware.tgz",
+    "build:types": "tsc --build --verbose ./tsconfig.build.json",
+    "build:types-cjs": "tsc --build --verbose tsconfig.cjs.json",
+    "check:attw": "yarn attw -P",
+    "check:package": "concurrently npm:check:attw yarn:publint",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "vitest run",
+    "test:watch": "vitest watch"
+  },
+  "dependencies": {
+    "@redmix/auth-dbauth-api": "0.0.1",
+    "@redmix/web": "0.0.1"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "0.16.4",
+    "@redmix/api": "0.0.1",
+    "@redmix/framework-tools": "0.0.1",
+    "@redmix/graphql-server": "0.0.1",
+    "@types/aws-lambda": "8.10.145",
+    "concurrently": "8.2.2",
+    "publint": "0.3.11",
+    "ts-toolbelt": "9.6.0",
+    "tsx": "4.19.3",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "25a2481ac394049b7c864eda26381814a0124a79"
+}