@rudderjs/auth 5.0.1 → 5.1.0

package/README.md

@@ -15,31 +15,13 @@ pnpm add @rudderjs/auth @rudderjs/hash @rudderjs/session
 import { User } from '../app/Models/User.js'
 
 export default {
-  defaults: {
-    guard: 'web',
-  },
-  guards: {
-    web: { driver: 'session', provider: 'users' },
-  },
-  providers: {
-    users: { driver: 'eloquent', model: User },
-  },
+  defaults: { guard: 'web' },
+  guards:   { web: { driver: 'session', provider: 'users' } },
+  providers:{ users: { driver: 'eloquent', model: User } },
 }
-
-// bootstrap/providers.ts
-import { SessionProvider } from '@rudderjs/session'
-import { HashProvider } from '@rudderjs/hash'
-import { AuthProvider } from '@rudderjs/auth'
-
-export default [
-  SessionProvider,
-  HashProvider,
-  AuthProvider,
-]
 ```
 
-> `AuthProvider` is the service-provider class — list it directly in the providers array.
-> `auth()` (lowercase) is the per-request helper — see below.
+`AuthProvider`, `SessionProvider`, and `HashProvider` are picked up by [auto-discovery](https://github.com/rudderjs/rudder/blob/main/docs/guide/service-providers.md#auto-discovery) — `pnpm rudder providers:discover` (or `--install` during scaffold) is all that's needed.
 
 ## Usage
 
@@ -70,6 +52,27 @@ Route.get('/profile', async (req) => {
 matched by `withRouting({ web })` has the auth context populated before your
 handler runs.
 
+### Reading the user from a view
+
+When `@rudderjs/vite` is installed, `AuthProvider.boot()` also registers a
+page-context enhancer that exposes the current user on `pageContext.user` —
+controller views (and any Vike page) can read it directly without a
+`+data.ts` or controller plumbing:
+
+```tsx
+// app/Views/Dashboard.tsx
+import { usePageContext } from 'vike-react/usePageContext'
+
+export default function Dashboard() {
+  const { user } = usePageContext()  // typed via Vike.PageContext augmentation
+  return <h1>Hello {user?.name ?? 'guest'}</h1>
+}
+```
+
+`pageContext.user` is `null` for guests. The registration is lazy and silently
+no-ops when `@rudderjs/vite` isn't installed, so the package stays usable
+standalone.
+
 **API routes stay stateless.** `AuthMiddleware` does not run on the `api` group
 by default — `req.user` will be `undefined`, and `Auth.user()` returns `null`.
 For token-based API auth, reach for [`@rudderjs/passport`](../passport):

package/boost/skills/auth-setup/SKILL.md

@@ -1,273 +1,40 @@
 ---
 name: auth-setup
 description: Setting up authentication with guards, sessions, registration, password reset, gates/policies, and vendor views in RudderJS
+license: MIT
+appliesTo:
+  - '@rudderjs/auth'
+trigger: configuring guards/providers in `config/auth.ts`, vendoring auth views, wiring `Gate`/`Policy`, or working with password reset / email verification
+skip: a route handler that just reads `Auth.user()` — no setup needed
+metadata:
+  author: rudderjs
 ---
 
 # Auth Setup
 
 ## When to use this skill
 
-Load this skill when you need to set up authentication, configure guards, add login/register views, implement authorization gates/policies, or work with password reset and email verification.
+Load when you're configuring guards/providers, vendoring auth views, wiring `Gate`/`Policy` authorization, or working with password reset / email verification. For depth, open the rule file matching your task.
 
-## Key concepts
+## Quick Reference
 
-- **AuthManager**: Process-wide DI singleton that creates fresh `SessionGuard` instances per call (never cached -- prevents ghost user leaks across requests).
-- **Guard contract**: `user()`, `check()`, `guest()`, `attempt()`, `login()`, `logout()` -- all async.
-- **`auth()` helper**: Returns the current request's `AuthManager` via AsyncLocalStorage. Mirrors Laravel's `auth()->user()`.
-- **Auth facade**: `Auth.user()`, `Auth.check()` etc. -- static class that proxies to `currentAuth()`.
-- **AuthMiddleware**: Sets up the auth ALS context and populates `req.user` for every request.
-- **RequireAuth**: Returns 401 if not authenticated.
-- **RequireGuest**: Redirects authenticated users away from guest-only pages (login, register).
-- **Gate/Policy**: Authorization system for checking abilities and model-level policies.
+| Task | Open |
+|---|---|
+| Provider setup — install deps, `config/auth.ts`, register provider, make User authenticatable | `rules/provider-setup.md` |
+| Reading the current user — `auth()`, `Auth` facade, `RequireAuth` / `RequireGuest` middleware, login/logout endpoints | `rules/guards-and-handlers.md` |
+| Login / register UI — `vendor:publish` auth views, `registerAuthRoutes`, custom paths and view ids | `rules/auth-views.md` |
+| Authorization — `Gate.define`, model `Policy` classes, `before` callbacks | `rules/gates-and-policies.md` |
+| Email verification + password reset — `MustVerifyEmail`, `verificationUrl`, `PasswordBroker` | `rules/email-and-password-reset.md` |
 
-## Step-by-step
+## Key concepts (load once)
 
-### 1. Install dependencies
-
-Auth requires `@rudderjs/session` and `@rudderjs/hash` as peer dependencies:
-
-```bash
-pnpm add @rudderjs/auth @rudderjs/session @rudderjs/hash
-```
-
-### 2. Configure auth (config/auth.ts)
-
-```ts
-import { User } from '../app/Models/User.js'
-import type { AuthConfig } from '@rudderjs/auth'
-
-export default {
-  defaults: {
-    guard: 'web',
-  },
-  guards: {
-    web: {
-      driver: 'session',
-      provider: 'users',
-    },
-  },
-  providers: {
-    users: {
-      driver: 'eloquent',
-      model: User,
-    },
-  },
-} satisfies AuthConfig
-```
-
-### 3. Register the provider (bootstrap/providers.ts)
-
-```ts
-import { defaultProviders } from '@rudderjs/core'
-// AuthProvider is auto-discovered via defaultProviders() if @rudderjs/auth is installed.
-// It requires HashProvider and SessionProvider to boot before it.
-export default [
-  ...(await defaultProviders()),
-  // ... your app providers
-]
-```
-
-### 4. Make the User model authenticatable
-
-```ts
-import { Model, Hidden } from '@rudderjs/orm'
-import type { Authenticatable } from '@rudderjs/auth'
-
-export class User extends Model implements Authenticatable {
-  static fillable = ['name', 'email', 'password']
-
-  @Hidden password = ''
-
-  getAuthIdentifier(): string { return String(this.id) }
-  getAuthPassword(): string { return this.password }
-  getRememberToken(): string | null { return null }
-  setRememberToken(_token: string): void {}
-}
-```
-
-### 5. Use auth in route handlers
-
-```ts
-import { auth, Auth, RequireAuth } from '@rudderjs/auth'
-
-// Using the auth() helper (Laravel-style)
-router.get('/api/me', async (req, res) => {
-  const user = await auth().user()
-  if (!user) return res.status(401).json({ message: 'Unauthorized' })
-  res.json({ user })
-})
-
-// Using the Auth facade
-router.get('/api/profile', async (req, res) => {
-  if (await Auth.guest()) return res.status(401).json({ message: 'Unauthorized' })
-  const user = await Auth.user()
-  res.json({ user })
-})
-
-// Using RequireAuth middleware
-router.get('/api/dashboard', RequireAuth(), async (req, res) => {
-  // req.user is guaranteed to exist here
-  res.json({ user: req.user })
-})
-```
-
-### 6. Login / logout endpoints
-
-```ts
-router.post('/auth/login', async (req, res) => {
-  const { email, password } = req.body
-  const success = await auth().attempt({ email, password })
-  if (!success) {
-    return res.status(422).json({ message: 'Invalid credentials.' })
-  }
-  const user = await auth().user()
-  res.json({ user })
-})
-
-router.post('/auth/register', async (req, res) => {
-  const user = await User.create({
-    name: req.body.name,
-    email: req.body.email,
-    password: req.body.password,  // hashed by Attribute mutator
-  })
-  await auth().login(user)
-  res.json({ user })
-})
-
-router.post('/auth/logout', RequireAuth(), async (req, res) => {
-  await auth().logout()
-  res.json({ message: 'Logged out.' })
-})
-```
-
-### 7. Set up auth views (login/register pages)
-
-Vendor the view files into your app:
-
-```bash
-pnpm rudder vendor:publish --tag=auth-views
-```
-
-This copies `@rudderjs/auth/views/react/` into `app/Views/Auth/`. Then register routes:
-
-```ts
-// routes/web.ts
-import { Route } from '@rudderjs/router'
-import { registerAuthRoutes } from '@rudderjs/auth/routes'
-
-registerAuthRoutes(Route)
-// Registers: GET /login, GET /register, GET /forgot-password, GET /reset-password
-```
-
-Customize paths and view ids:
-
-```ts
-registerAuthRoutes(Route, {
-  paths: {
-    login: '/sign-in',
-    register: '/sign-up',
-  },
-  views: {
-    login: 'auth.sign-in',       // maps to app/Views/Auth/SignIn.tsx
-    register: 'auth.sign-up',
-  },
-  homeUrl: '/dashboard',          // redirect destination for authenticated users
-})
-```
-
-### 8. Authorization with Gates
-
-```ts
-import { Gate, Policy, AuthorizationError } from '@rudderjs/auth'
-
-// Define abilities
-Gate.define('manage-settings', (user) => user.role === 'admin')
-Gate.define('edit-post', (user, post) => post.authorId === user.getAuthIdentifier())
-
-// Check in handlers
-if (await Gate.allows('manage-settings')) { /* ... */ }
-if (await Gate.denies('edit-post', post)) { /* ... */ }
-
-// Throw 403 if denied
-await Gate.authorize('edit-post', post)
-
-// Before callback -- runs before all checks
-Gate.before((user, ability) => {
-  if (user.role === 'super-admin') return true  // allow everything
-  return null  // fall through to normal checks
-})
-```
-
-### 9. Model policies
-
-```ts
-import { Policy } from '@rudderjs/auth'
-import type { Authenticatable } from '@rudderjs/auth'
-
-class PostPolicy extends Policy {
-  before(user: Authenticatable) {
-    if ((user as any).role === 'admin') return true
-    return null  // fall through
-  }
-
-  view(user: Authenticatable, post: Post) {
-    return post.isPublished || post.authorId === user.getAuthIdentifier()
-  }
-
-  update(user: Authenticatable, post: Post) {
-    return post.authorId === user.getAuthIdentifier()
-  }
-
-  delete(user: Authenticatable, post: Post) {
-    return post.authorId === user.getAuthIdentifier()
-  }
-}
-
-// Register the policy
-Gate.policy(Post, PostPolicy)
-
-// Use it
-await Gate.authorize('update', post)  // auto-finds PostPolicy.update()
-```
-
-### 10. Email verification
-
-```ts
-import { EnsureEmailIsVerified, verificationUrl, handleEmailVerification } from '@rudderjs/auth'
-import type { MustVerifyEmail } from '@rudderjs/auth'
-
-// Make user implement MustVerifyEmail
-class User extends Model implements Authenticatable, MustVerifyEmail {
-  hasVerifiedEmail() { return this.emailVerifiedAt !== null }
-  async markEmailAsVerified() { await User.update(this.id, { emailVerifiedAt: new Date() }) }
-  getEmailForVerification() { return this.email }
-}
-
-// Protect routes
-router.get('/dashboard', RequireAuth(), EnsureEmailIsVerified(), handler)
-
-// Generate verification URL (for sending in emails)
-const url = verificationUrl(user)
-```
-
-### 11. Password reset
-
-```ts
-import { PasswordBroker, MemoryTokenRepository } from '@rudderjs/auth'
-
-const broker = new PasswordBroker(new MemoryTokenRepository())
-// In production, implement TokenRepository backed by your database
-```
+- **AuthManager** — process-wide DI singleton that creates fresh `SessionGuard` instances per call. **Never cached** — cached guards leak `_user` across requests.
+- **`auth()` helper** — Laravel-style accessor returning the request-scoped `AuthManager` via AsyncLocalStorage.
+- **`Auth` facade** — `Auth.user()`, `Auth.check()`, etc. — static class that proxies to `currentAuth()`.
+- **Middleware groups** — `AuthMiddleware` auto-installs on the `web` group only. API routes are stateless by default; use `RequireBearer()` + `scope(...)` (passport) for token auth per-route.
+- **`SessionGuard.user()` soft-fails** — returns `null` (not throw) when there's no ALS context, matching Laravel's `Auth::user()` semantics.
+- **Peer deps**: `@rudderjs/session` and `@rudderjs/hash` are **required peers**. `HashProvider` must boot before `AuthProvider` (`defaultProviders()` orders this automatically).
 
 ## Examples
 
-See `playground/config/auth.ts` for configuration, `playground/app/Models/User.ts` for the model, `playground/routes/web.ts` for route registration, and `playground/app/Views/Auth/` for vendored view files.
-
-## Common pitfalls
-
-- **Ghost signed-in user**: `AuthManager` must NOT cache `SessionGuard` instances. The manager is a DI singleton; cached guards leak `_user` across requests.
-- **Provider boot order**: `HashProvider` and `SessionProvider` must boot before `AuthProvider`. With `defaultProviders()`, this is handled automatically.
-- **Session middleware required**: Auth views require session middleware. Ensure `@rudderjs/session` is installed and its provider is registered.
-- **View route override**: Auth view files need `export const route = '/login'` etc. so SPA navigation works correctly (URL must match Vike's route table).
-- **POST handlers not included**: `registerAuthRoutes()` only registers GET routes for the UI pages. POST endpoints for login/register/logout are your responsibility in `routes/api.ts`.
-- **Guard driver**: Currently only `'session'` is supported as a guard driver. API token guards are planned.
+See `playground/config/auth.ts`, `playground/app/Models/User.ts`, `playground/routes/web.ts`, and `playground/app/Views/Auth/`.

package/boost/skills/auth-setup/rules/auth-views.md

@@ -0,0 +1,90 @@
+# Auth Views (Login / Register UI)
+
+## Vendor the view files
+
+`@rudderjs/auth` ships React and Vue auth views. Vendor them into your app:
+
+```bash
+pnpm rudder vendor:publish --tag=auth-views
+```
+
+This copies `@rudderjs/auth/views/react/` (or `/vue/`) into `app/Views/Auth/`. After vendoring, the files belong to your app — edit them freely.
+
+## Register the controller routes
+
+```ts
+// routes/web.ts
+import { Route } from '@rudderjs/router'
+import { registerAuthRoutes } from '@rudderjs/auth/routes'
+
+registerAuthRoutes(Route)
+```
+
+`registerAuthRoutes(Route)` registers:
+
+| URL | View id |
+|---|---|
+| `GET /login`           | `auth.login` |
+| `GET /register`        | `auth.register` |
+| `GET /forgot-password` | `auth.forgot-password` |
+| `GET /reset-password`  | `auth.reset-password` |
+
+The view-id mapping uses `view('id', props)` and lands in `app/Views/Auth/<File>.tsx`.
+
+## Customize paths and view ids
+
+```ts
+registerAuthRoutes(Route, {
+  paths: {
+    login:    '/sign-in',
+    register: '/sign-up',
+  },
+  views: {
+    login:    'auth.sign-in',     // maps to app/Views/Auth/SignIn.tsx
+    register: 'auth.sign-up',
+  },
+  homeUrl: '/dashboard',          // redirect destination for authenticated users
+})
+```
+
+## Add the `route` export to vendored views
+
+Vendored auth views need an explicit URL because the id-derived default (`/auth/login`) doesn't match the controller route (`/login`).
+
+```tsx
+// app/Views/Auth/Login.tsx
+export const route = '/login'
+
+export default function Login(props: { /* ... */ }) { /* ... */ }
+```
+
+Without this, **SPA navigation falls back to full page reloads** because Vike's client route table doesn't match the browser URL.
+
+## Pitfalls
+
+❌ **Don't** assume POST handlers come from `registerAuthRoutes`:
+
+```ts
+registerAuthRoutes(Route)
+// ❌ POST /login / POST /register / POST /logout — those are YOUR job
+```
+
+✅ **Do** add them in `routes/api.ts` or `routes/web.ts` using `auth().attempt()` / `auth().login()` / `auth().logout()`.
+
+❌ **Don't** skip the `route` export when customizing URLs:
+
+```tsx
+// app/Views/Auth/Login.tsx — no route export
+export default function Login() { /* ... */ }
+```
+
+✅ **Do** add it so SPA nav works:
+
+```tsx
+export const route = '/sign-in'
+export default function Login() { /* ... */ }
+```
+
+❌ **Don't** mix `vike-react` and `vike-vue` — the scanner errors at boot.
+
+✅ **Do** pick one renderer per project; vendor the matching auth views (`--tag=auth-views` auto-detects).

package/boost/skills/auth-setup/rules/email-and-password-reset.md

@@ -0,0 +1,91 @@
+# Email Verification + Password Reset
+
+## Email verification
+
+Implement `MustVerifyEmail` on your User model:
+
+```ts
+import type { Authenticatable, MustVerifyEmail } from '@rudderjs/auth'
+
+class User extends Model implements Authenticatable, MustVerifyEmail {
+  hasVerifiedEmail()         { return this.emailVerifiedAt !== null }
+  getEmailForVerification()  { return this.email }
+  async markEmailAsVerified() {
+    await User.update(this.id, { emailVerifiedAt: new Date() })
+  }
+}
+```
+
+Protect routes that require a verified email:
+
+```ts
+import { RequireAuth, EnsureEmailIsVerified } from '@rudderjs/auth'
+
+router.get('/dashboard', RequireAuth(), EnsureEmailIsVerified(), handler)
+```
+
+Generate a signed URL to send in an email:
+
+```ts
+import { verificationUrl } from '@rudderjs/auth'
+
+const url = verificationUrl(user)
+// Sign-protected — calling it with a tampered signature returns 403
+```
+
+Handle the click:
+
+```ts
+import { handleEmailVerification } from '@rudderjs/auth'
+
+router.get('/verify-email/:id/:hash', async (req, res) => {
+  await handleEmailVerification(req.params.id, req.params.hash, (id) => User.find(id))
+  res.redirect('/dashboard')
+})
+```
+
+## Password reset
+
+The `PasswordBroker` orchestrates token generation, email dispatch, and verification. A token repository persists the tokens.
+
+```ts
+import { PasswordBroker, MemoryTokenRepository } from '@rudderjs/auth'
+
+const broker = new PasswordBroker(new MemoryTokenRepository())
+```
+
+In production, implement `TokenRepository` backed by your database:
+
+```ts
+import type { TokenRepository } from '@rudderjs/auth'
+
+class PrismaTokenRepository implements TokenRepository {
+  async create(email: string, token: string) { /* INSERT */ }
+  async findByEmailAndToken(email: string, token: string) { /* SELECT */ }
+  async delete(email: string) { /* DELETE */ }
+  async deleteExpired(thresholdMs: number) { /* DELETE WHERE created_at < ... */ }
+}
+```
+
+## Pitfalls
+
+❌ **Don't** ship `MemoryTokenRepository` to production — tokens evaporate on restart, and multi-process / multi-worker setups never share state.
+
+✅ **Do** persist tokens via your ORM (Prisma/Drizzle) and run a scheduled cleanup of expired rows.
+
+❌ **Don't** assume `verificationUrl(user)` works without `APP_KEY`:
+
+```ts
+// Throws if APP_KEY isn't set
+const url = verificationUrl(user)
+```
+
+✅ **Do** set `APP_KEY` in `.env` (or call `Url.setKey('test-key')` in tests).
+
+❌ **Don't** roll a hand-crafted signature on the verification URL:
+
+```ts
+const url = `/verify-email/${user.id}/${crypto.createHash(...)}`
+```
+
+✅ **Do** use `verificationUrl(user)` — it uses HMAC-SHA256 with timing-safe comparison via `@rudderjs/router`'s `Url`.

package/boost/skills/auth-setup/rules/gates-and-policies.md

@@ -0,0 +1,110 @@
+# Gates and Policies
+
+`Gate` is the imperative authorization API; `Policy` classes group abilities per model.
+
+## Define abilities
+
+```ts
+import { Gate } from '@rudderjs/auth'
+
+Gate.define('manage-settings', (user) => user.role === 'admin')
+Gate.define('edit-post',       (user, post) => post.authorId === user.getAuthIdentifier())
+```
+
+## Check in route handlers
+
+```ts
+// Returns boolean
+if (await Gate.allows('manage-settings')) { /* ... */ }
+if (await Gate.denies('edit-post', post)) { /* ... */ }
+
+// Throws 403 on denial
+await Gate.authorize('edit-post', post)
+```
+
+`authorize` throws `AuthorizationError` which the framework maps to a `403` response.
+
+## Before callback
+
+Runs before every gate check — useful for super-admins:
+
+```ts
+Gate.before((user, ability) => {
+  if (user.role === 'super-admin') return true   // allow everything
+  return null                                     // fall through to normal checks
+})
+```
+
+Return `true` to allow, `false` to deny, `null` to fall through.
+
+## Model policies
+
+```ts
+import { Policy } from '@rudderjs/auth'
+import type { Authenticatable } from '@rudderjs/auth'
+
+class PostPolicy extends Policy {
+  before(user: Authenticatable) {
+    if ((user as { role?: string }).role === 'admin') return true
+    return null
+  }
+
+  view(user: Authenticatable, post: Post) {
+    return post.isPublished || post.authorId === user.getAuthIdentifier()
+  }
+
+  update(user: Authenticatable, post: Post) {
+    return post.authorId === user.getAuthIdentifier()
+  }
+
+  delete(user: Authenticatable, post: Post) {
+    return post.authorId === user.getAuthIdentifier()
+  }
+}
+
+Gate.policy(Post, PostPolicy)
+```
+
+Method names on the policy class match ability names. `Gate.authorize('update', post)` looks up `PostPolicy.update(user, post)`.
+
+## Pitfalls
+
+❌ **Don't** call `Gate.authorize` outside an auth context expecting it to throw 401:
+
+```ts
+// In a job — no auth context, user is null, gate throws AuthorizationError as 403
+await Gate.authorize('edit-post', post)
+```
+
+✅ **Do** check authentication first or scope the gate explicitly:
+
+```ts
+await Gate.forUser(user).authorize('edit-post', post)
+```
+
+❌ **Don't** rely on policy autoloading from disk:
+
+```ts
+// Putting app/Policies/PostPolicy.ts on disk does NOT auto-register it
+```
+
+✅ **Do** register policies in a service provider's `boot()`:
+
+```ts
+// app/Providers/AppServiceProvider.ts
+boot() {
+  Gate.policy(Post, PostPolicy)
+}
+```
+
+❌ **Don't** return non-boolean from a `define` callback expecting it to count:
+
+```ts
+Gate.define('edit-post', (user, post) => post.authorId)   // truthy number, but not boolean
+```
+
+✅ **Do** return a boolean explicitly:
+
+```ts
+Gate.define('edit-post', (user, post) => post.authorId === user.getAuthIdentifier())
+```

package/boost/skills/auth-setup/rules/guards-and-handlers.md

@@ -0,0 +1,121 @@
+# Guards and Route Handlers
+
+## Reading the current user
+
+Three equivalent ways:
+
+```ts
+import { auth, Auth, RequireAuth } from '@rudderjs/auth'
+
+// auth() helper — Laravel-style
+router.get('/api/me', async (req, res) => {
+  const user = await auth().user()
+  if (!user) return res.status(401).json({ message: 'Unauthorized' })
+  res.json({ user })
+})
+
+// Auth facade
+router.get('/api/profile', async (req, res) => {
+  if (await Auth.guest()) return res.status(401).json({ message: 'Unauthorized' })
+  res.json({ user: await Auth.user() })
+})
+
+// RequireAuth middleware — guarantees req.user
+router.get('/api/dashboard', RequireAuth(), async (req, res) => {
+  res.json({ user: req.user })
+})
+```
+
+`Auth.user()` and `auth().user()` **soft-fail** outside the `AuthMiddleware` ALS context — they return `null`, never throw. This matches Laravel's `Auth::user()` semantics.
+
+## Login / register / logout
+
+```ts
+router.post('/auth/login', async (req, res) => {
+  const { email, password } = req.body
+  const success = await auth().attempt({ email, password })
+  if (!success) return res.status(422).json({ message: 'Invalid credentials.' })
+  res.json({ user: await auth().user() })
+})
+
+router.post('/auth/register', async (req, res) => {
+  const user = await User.create({
+    name:     req.body.name,
+    email:    req.body.email,
+    password: req.body.password,   // hashed automatically via Attribute mutator
+  })
+  await auth().login(user)
+  res.json({ user })
+})
+
+router.post('/auth/logout', RequireAuth(), async (req, res) => {
+  await auth().logout()
+  res.json({ message: 'Logged out.' })
+})
+```
+
+`attempt({ email, password })` runs `hashCheck(plain, hashed)` internally via the `EloquentUserProvider`.
+
+## RequireAuth vs RequireGuest
+
+```ts
+router.get('/dashboard', RequireAuth(),  handler)   // 401 if not authenticated
+router.get('/login',     RequireGuest(), handler)   // redirects authenticated users away
+```
+
+## Web vs API auth
+
+| | Web | API |
+|---|---|---|
+| `req.user` | ✓ — populated by `AuthMiddleware` (auto-installed on `web` group) | ✗ — stateless by default |
+| Session | ✓ — `sessionMiddleware` auto-installed on `web` | ✗ — don't add it globally |
+| Per-route auth | Just use `RequireAuth()` | `RequireBearer()` + `scope(...)` from `@rudderjs/passport` |
+
+## Pitfalls
+
+❌ **Don't** add `sessionMiddleware` to `m.use(...)` (global):
+
+```ts
+.withMiddleware((m) => {
+  m.use(sessionMiddleware)   // breaks the "API is stateless" contract
+})
+```
+
+✅ **Do** let `SessionProvider.boot()` install it on the `web` group only.
+
+❌ **Don't** expect `req.user` on api routes:
+
+```ts
+router.get('/api/data', async (req, res) => {
+  console.log(req.user)   // always undefined — AuthMiddleware doesn't run on api group
+})
+```
+
+✅ **Do** use bearer auth per-route on api:
+
+```ts
+import { RequireBearer, scope } from '@rudderjs/passport'
+
+router.get('/api/data', RequireBearer(), scope('read'), async (req, res) => {
+  res.json({ user: req.user })
+})
+```
+
+❌ **Don't** rely on `Auth.user()` outside `AuthMiddleware`:
+
+```ts
+// In a queue job — no ALS context
+const user = await Auth.user()   // always null
+```
+
+✅ **Do** pass `userId` into the job and re-fetch:
+
+```ts
+class SendWelcomeEmail extends Job {
+  constructor(private userId: number) { super() }
+  async handle() {
+    const user = await User.find(this.userId)
+    // …
+  }
+}
+```

package/boost/skills/auth-setup/rules/provider-setup.md

@@ -0,0 +1,104 @@
+# Provider Setup
+
+## Install dependencies
+
+```bash
+pnpm add @rudderjs/auth @rudderjs/session @rudderjs/hash
+```
+
+Both `@rudderjs/session` and `@rudderjs/hash` are **required peer dependencies**.
+
+## Configure (`config/auth.ts`)
+
+```ts
+import { User } from '../app/Models/User.js'
+import type { AuthConfig } from '@rudderjs/auth'
+
+export default {
+  defaults: {
+    guard: 'web',
+  },
+  guards: {
+    web: {
+      driver:   'session',
+      provider: 'users',
+    },
+  },
+  providers: {
+    users: {
+      driver: 'eloquent',
+      model:  User,
+    },
+  },
+} satisfies AuthConfig
+```
+
+## Register the provider (`bootstrap/providers.ts`)
+
+`AuthProvider` is auto-discovered via `defaultProviders()` — nothing manual to add:
+
+```ts
+import { defaultProviders } from '@rudderjs/core'
+
+export default [
+  ...(await defaultProviders()),
+  // … your app providers
+]
+```
+
+## Make the User model authenticatable
+
+```ts
+import { Model, Hidden } from '@rudderjs/orm'
+import type { Authenticatable } from '@rudderjs/auth'
+
+export class User extends Model implements Authenticatable {
+  static fillable = ['name', 'email', 'password']
+
+  @Hidden password = ''
+
+  getAuthIdentifier(): string  { return String(this.id) }
+  getAuthPassword():   string  { return this.password }
+  getRememberToken(): string | null { return null }
+  setRememberToken(_t: string): void {}
+}
+```
+
+The `@Hidden` decorator keeps `password` out of `toJSON()` output. The `EloquentUserProvider` calls `hashCheck()` (from `@rudderjs/hash`) on `getAuthPassword()`.
+
+## Pitfalls
+
+❌ **Don't** register `AuthProvider` before `HashProvider` / `SessionProvider`:
+
+```ts
+export default [
+  AuthProvider,       // boots before HashProvider — throws on first hash check
+  HashProvider,
+  SessionProvider,
+]
+```
+
+✅ **Do** use `defaultProviders()` — it orders the foundation/infrastructure stages correctly:
+
+```ts
+export default [...(await defaultProviders())]
+```
+
+❌ **Don't** add `AuthMiddleware` globally via `m.use()`:
+
+```ts
+.withMiddleware((m) => {
+  m.use(AuthMiddleware())   // crashes api routes — no session context
+})
+```
+
+✅ **Do** let `AuthProvider.boot()` auto-install it on the `web` group only:
+
+```ts
+// Nothing to do — AuthProvider handles it. For api auth, use RequireBearer()
+// + scope(...) from @rudderjs/passport per-route.
+```
+
+❌ **Don't** cache `SessionGuard` instances inside `AuthManager` (legacy `_guards` Map):
+
+The manager is a DI singleton; cached guards leak `_user` across requests. The fix is already in place — don't reintroduce.

package/dist/index.d.ts

@@ -6,6 +6,7 @@ declare module '@rudderjs/contracts' {
         user?: AuthUser;
     }
 }
+import './types/vike.js';
 export { Auth, auth } from './auth-manager.js';
 export { AuthManager, runWithAuth, currentAuth } from './auth-manager.js';
 export { SessionGuard } from './session-guard.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAA8B,MAAM,gBAAgB,CAAA;AAC5E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAK9C,OAAO,QAAQ,qBAAqB,CAAC;IACnC,UAAU,UAAU;QAClB,IAAI,CAAC,EAAE,QAAQ,CAAA;KAChB;CACF;AAID,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAC3E,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACpH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AAEhF,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AACpF,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AACpG,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAA;AACxF,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAetD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAsBnD;AAID;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAuCpE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAoBjE;AAID;;;;;;;;;;;GAWG;AACH,qBAAa,YAAa,SAAQ,eAAe;IAC/C,QAAQ,IAAI,IAAI;IAgBV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CA6B5B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAA8B,MAAM,gBAAgB,CAAA;AAC5E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAK9C,OAAO,QAAQ,qBAAqB,CAAC;IACnC,UAAU,UAAU;QAClB,IAAI,CAAC,EAAE,QAAQ,CAAA;KAChB;CACF;AAID,OAAO,iBAAiB,CAAA;AAIxB,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAC3E,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACpH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AAEhF,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AACpF,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AACpG,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAA;AACxF,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAetD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAsBnD;AAID;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAuCpE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAoBjE;AAID;;;;;;;;;;;GAWG;AACH,qBAAa,YAAa,SAAQ,eAAe;IAC/C,QAAQ,IAAI,IAAI;IAgBV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAkC5B"}

package/dist/index.js

@@ -1,5 +1,8 @@
 import { ServiceProvider, app, config, appendToGroup } from '@rudderjs/core';
 import { AuthManager, Auth, runWithAuth } from './auth-manager.js';
+// Pulls in the Vike.PageContext.user augmentation so app code can read
+// `pageContext.user` with full typing when this package is installed.
+import './types/vike.js';
 // ─── Re-exports ───────────────────────────────────────────
 export { Auth, auth } from './auth-manager.js';
 export { AuthManager, runWithAuth, currentAuth } from './auth-manager.js';
@@ -179,6 +182,29 @@ export class AuthProvider extends ServiceProvider {
         // API routes opt into bearer auth with `RequireBearer()` from @rudderjs/passport
         // or `RequireAuth('api')` with a token-based guard.
         appendToGroup('web', AuthMiddleware());
+        // Register a Vike page-context enhancer that exposes the current user
+        // on `pageContext.user`. `@rudderjs/vite` is an optional peer — apps
+        // without it (e.g. API-only services) silently skip this registration.
+        await registerVikeUserEnhancer();
+    }
+}
+async function registerVikeUserEnhancer() {
+    try {
+        const mod = await import('@rudderjs/vite/page-context-enhancers').catch(() => null);
+        if (!mod?.registerPageContextEnhancer)
+            return;
+        mod.registerPageContextEnhancer(async (pageContext) => {
+            try {
+                const u = await Auth.user();
+                pageContext.user = u ? userToPlain(u) : null;
+            }
+            catch {
+                pageContext.user = null;
+            }
+        });
+    }
+    catch {
+        // Optional peer not installed — quietly skip.
     }
 }
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAE5E,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAA;AAYnF,6DAA6D;AAE7D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAC3E,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACpH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAS9D,6DAA6D;AAE7D;;;;;;;;GAQG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAA;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,IAAa;IACvC,MAAM,CAAC,GAAG,IAA+B,CAAA;IACzC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAA;IACrC,MAAM,SAAS,GAAI,CAAC,CAAC,WAAW,CAAkC,CAAA;IAClE,IAAI,OAAO,SAAS,KAAK,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IAClD,CAAC;IACD,MAAM,KAAK,GAA4B,EAAE,CAAA;IACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,OAAO,CAAC,KAAK,UAAU;YAAE,SAAQ;QACrC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAQ;QAC3B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IACD,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,OAAO;QACL,GAAG,KAAK;QACR,EAAE,EAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,EAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAClC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;KACpC,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,SAAkB;IAC/C,OAAO,KAAK,UAAU,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QACjD,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAAc,cAAc,CAAC,CAAA;QACvD,MAAM,aAAa,GAAG,SAAS,IAAK,OAA6C,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAA;QAEvG,MAAM,MAAM,GAAG,GAAG,CAAC,GAA8B,CAAA;QACjD,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAA4C,CAAA;QAElF,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,IAAI,EAAE,CAAA;YACnD,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAA;gBAC/B,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;gBAC5B,IAAI,CAAC;oBAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAC/F,CAAC;iBAAM,CAAC;gBACN,OAAO,MAAM,CAAC,YAAY,CAAC,CAAA;gBAC3B,IAAI,CAAC;oBAAC,OAAQ,GAA0C,CAAC,MAAM,CAAC,CAAA;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC,CAAA;QAED,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YACpC,wFAAwF;YACxF,MAAM,UAAU,GAAG,OAAO,EAAE,GAAG,CAAC,cAAc,CAAuB,CAAA;YACrE,IAAI,UAAU;gBAAE,MAAM,QAAQ,EAAE,CAAA;YAEhC,MAAM,IAAI,EAAE,CAAA;YAEZ,gFAAgF;YAChF,mEAAmE;YACnE,MAAM,QAAQ,GAAG,OAAO,EAAE,GAAG,CAAC,cAAc,CAAuB,CAAA;YACnE,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;gBAC5B,IAAI,QAAQ;oBAAE,MAAM,QAAQ,EAAE,CAAA;qBACzB,CAAC;oBACJ,OAAO,MAAM,CAAC,YAAY,CAAC,CAAA;oBAC3B,IAAI,CAAC;wBAAC,OAAQ,GAA0C,CAAC,MAAM,CAAC,CAAA;oBAAC,CAAC;oBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;gBAC9F,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,SAAkB;IAC5C,OAAO,KAAK,UAAU,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAAc,cAAc,CAAC,CAAA;QAEvD,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,IAAK,OAA6C,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YAC3G,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAA;YAE/B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAA;gBAClD,OAAM;YACR,CAAC;YAED,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAC9B;YAAC,GAAG,CAAC,GAA+B,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;YAC3D,IAAI,CAAC;gBAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAE7F,MAAM,IAAI,EAAE,CAAA;QACd,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,YAAa,SAAQ,eAAe;IAC/C,QAAQ;QACN,yEAAyE;QACzE,2FAA2F;QAC3F,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,kBAAkB,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAA;QACzI,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,kBAAkB,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAE/I,sCAAsC;QACtC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAA;QACnF,IAAI,CAAC,SAAS,CAAC;YACb,EAAE,IAAI,EAAE,GAAG,SAAS,cAAc,EAAa,EAAE,EAAE,eAAe,EAAI,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,QAAiB,EAAE;YAClH,EAAE,IAAI,EAAE,GAAG,SAAS,yBAAyB,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,QAAiB,EAAE;YAC9I,EAAE,IAAI,EAAE,GAAG,SAAS,qBAAqB,EAAM,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,YAAqB,EAAE;YAClJ,EAAE,IAAI,EAAE,GAAG,SAAS,wBAAwB,EAAG,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,OAAgB,EAAE;SAC9I,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,GAAG,GAAG,MAAM,CAAa,MAAM,CAAC,CAAA;QAEtC,6BAA6B;QAC7B,IAAI,SAA8D,CAAA;QAClE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAoD,MAAM,CAAC,CAAA;YAC3F,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAA;QACH,CAAC;QAED,0EAA0E;QAC1E,MAAM,UAAU,GAAG,GAAiB,EAAE;YACpC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAe,gBAAgB,CAAC,CAAA;QACtD,CAAC,CAAA;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,GAAG,EAAE,SAAS,EAAE,UAAU,CAAC,CAAA;QAC3D,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;QAC1C,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;QAE/B,oEAAoE;QACpE,oEAAoE;QACpE,iFAAiF;QACjF,oDAAoD;QACpD,aAAa,CAAC,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;IACxC,CAAC;CACF"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAE5E,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAA;AAYnF,uEAAuE;AACvE,sEAAsE;AACtE,OAAO,iBAAiB,CAAA;AAExB,6DAA6D;AAE7D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAC3E,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACpH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAS9D,6DAA6D;AAE7D;;;;;;;;GAQG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAA;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,IAAa;IACvC,MAAM,CAAC,GAAG,IAA+B,CAAA;IACzC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAA;IACrC,MAAM,SAAS,GAAI,CAAC,CAAC,WAAW,CAAkC,CAAA;IAClE,IAAI,OAAO,SAAS,KAAK,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IAClD,CAAC;IACD,MAAM,KAAK,GAA4B,EAAE,CAAA;IACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,OAAO,CAAC,KAAK,UAAU;YAAE,SAAQ;QACrC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAQ;QAC3B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IACD,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,OAAO;QACL,GAAG,KAAK;QACR,EAAE,EAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,EAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAClC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;KACpC,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,SAAkB;IAC/C,OAAO,KAAK,UAAU,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QACjD,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAAc,cAAc,CAAC,CAAA;QACvD,MAAM,aAAa,GAAG,SAAS,IAAK,OAA6C,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAA;QAEvG,MAAM,MAAM,GAAG,GAAG,CAAC,GAA8B,CAAA;QACjD,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAA4C,CAAA;QAElF,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,IAAI,EAAE,CAAA;YACnD,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAA;gBAC/B,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;gBAC5B,IAAI,CAAC;oBAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAC/F,CAAC;iBAAM,CAAC;gBACN,OAAO,MAAM,CAAC,YAAY,CAAC,CAAA;gBAC3B,IAAI,CAAC;oBAAC,OAAQ,GAA0C,CAAC,MAAM,CAAC,CAAA;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC,CAAA;QAED,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YACpC,wFAAwF;YACxF,MAAM,UAAU,GAAG,OAAO,EAAE,GAAG,CAAC,cAAc,CAAuB,CAAA;YACrE,IAAI,UAAU;gBAAE,MAAM,QAAQ,EAAE,CAAA;YAEhC,MAAM,IAAI,EAAE,CAAA;YAEZ,gFAAgF;YAChF,mEAAmE;YACnE,MAAM,QAAQ,GAAG,OAAO,EAAE,GAAG,CAAC,cAAc,CAAuB,CAAA;YACnE,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;gBAC5B,IAAI,QAAQ;oBAAE,MAAM,QAAQ,EAAE,CAAA;qBACzB,CAAC;oBACJ,OAAO,MAAM,CAAC,YAAY,CAAC,CAAA;oBAC3B,IAAI,CAAC;wBAAC,OAAQ,GAA0C,CAAC,MAAM,CAAC,CAAA;oBAAC,CAAC;oBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;gBAC9F,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,SAAkB;IAC5C,OAAO,KAAK,UAAU,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAAc,cAAc,CAAC,CAAA;QAEvD,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,IAAK,OAA6C,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YAC3G,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAA;YAE/B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAA;gBAClD,OAAM;YACR,CAAC;YAED,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAC9B;YAAC,GAAG,CAAC,GAA+B,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;YAC3D,IAAI,CAAC;gBAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAE7F,MAAM,IAAI,EAAE,CAAA;QACd,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,YAAa,SAAQ,eAAe;IAC/C,QAAQ;QACN,yEAAyE;QACzE,2FAA2F;QAC3F,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,kBAAkB,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAA;QACzI,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,kBAAkB,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAE/I,sCAAsC;QACtC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAA;QACnF,IAAI,CAAC,SAAS,CAAC;YACb,EAAE,IAAI,EAAE,GAAG,SAAS,cAAc,EAAa,EAAE,EAAE,eAAe,EAAI,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,QAAiB,EAAE;YAClH,EAAE,IAAI,EAAE,GAAG,SAAS,yBAAyB,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,QAAiB,EAAE;YAC9I,EAAE,IAAI,EAAE,GAAG,SAAS,qBAAqB,EAAM,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,YAAqB,EAAE;YAClJ,EAAE,IAAI,EAAE,GAAG,SAAS,wBAAwB,EAAG,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,SAAkB,EAAE,MAAM,EAAE,OAAgB,EAAE;SAC9I,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,GAAG,GAAG,MAAM,CAAa,MAAM,CAAC,CAAA;QAEtC,6BAA6B;QAC7B,IAAI,SAA8D,CAAA;QAClE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAoD,MAAM,CAAC,CAAA;YAC3F,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAA;QACH,CAAC;QAED,0EAA0E;QAC1E,MAAM,UAAU,GAAG,GAAiB,EAAE;YACpC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAe,gBAAgB,CAAC,CAAA;QACtD,CAAC,CAAA;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,GAAG,EAAE,SAAS,EAAE,UAAU,CAAC,CAAA;QAC3D,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;QAC1C,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;QAE/B,oEAAoE;QACpE,oEAAoE;QACpE,iFAAiF;QACjF,oDAAoD;QACpD,aAAa,CAAC,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;QAEtC,sEAAsE;QACtE,qEAAqE;QACrE,uEAAuE;QACvE,MAAM,wBAAwB,EAAE,CAAA;IAClC,CAAC;CACF;AAED,KAAK,UAAU,wBAAwB;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,uCAAuC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAE1E,CAAA;QACR,IAAI,CAAC,GAAG,EAAE,2BAA2B;YAAE,OAAM;QAE7C,GAAG,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE;YACpD,IAAI,CAAC;gBACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;gBAC3B,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,WAAW,CAAC,IAAI,GAAG,IAAI,CAAA;YACzB,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;AACH,CAAC"}

package/dist/types/vike.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Vike module augmentation — declares `pageContext.user` for apps using
+ * `@rudderjs/auth`. The runtime value is populated by the page-context
+ * enhancer registered in `AuthProvider.boot()`.
+ *
+ * Apps that don't install `@rudderjs/vite`'s `+onCreatePageContext` hook
+ * (i.e. don't extend `@rudderjs/vite/config` from their `pages/+config.ts`)
+ * will see `undefined` at runtime — the type is intentionally optional.
+ */
+import type { AuthUser } from '../contracts.js';
+declare global {
+    namespace Vike {
+        interface PageContext {
+            /**
+             * The currently authenticated user, populated by `@rudderjs/auth`'s
+             * page-context enhancer. `null` when no session is active or the
+             * request is outside the `AuthMiddleware` async-local context.
+             */
+            user?: AuthUser | null;
+        }
+    }
+}
+export {};
+//# sourceMappingURL=vike.d.ts.map

package/dist/types/vike.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vike.d.ts","sourceRoot":"","sources":["../../src/types/vike.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAE/C,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,IAAI,CAAC;QACb,UAAU,WAAW;YACnB;;;;eAIG;YACH,IAAI,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAA;SACvB;KACF;CACF;AAED,OAAO,EAAE,CAAA"}

package/dist/types/vike.js

@@ -0,0 +1,11 @@
+/**
+ * Vike module augmentation — declares `pageContext.user` for apps using
+ * `@rudderjs/auth`. The runtime value is populated by the page-context
+ * enhancer registered in `AuthProvider.boot()`.
+ *
+ * Apps that don't install `@rudderjs/vite`'s `+onCreatePageContext` hook
+ * (i.e. don't extend `@rudderjs/vite/config` from their `pages/+config.ts`)
+ * will see `undefined` at runtime — the type is intentionally optional.
+ */
+export {};
+//# sourceMappingURL=vike.js.map

package/dist/types/vike.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vike.js","sourceRoot":"","sources":["../../src/types/vike.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rudderjs/auth",
-  "version": "5.0.1",
+  "version": "5.1.0",
   "rudderjs": {
     "provider": "AuthProvider",
     "stage": "infrastructure",
@@ -44,14 +44,15 @@
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@rudderjs/contracts": "^1.4.0",
+    "@rudderjs/contracts": "^1.6.0",
     "@rudderjs/core": "^1.1.3"
   },
   "peerDependencies": {
     "@rudderjs/hash": "^1.0.1",
     "@rudderjs/router": "^1.2.0",
-    "@rudderjs/session": "^1.0.5",
-    "@rudderjs/view": "^1.0.1"
+    "@rudderjs/session": "^1.1.0",
+    "@rudderjs/view": "^1.1.0",
+    "@rudderjs/vite": "^1.1.0"
   },
   "peerDependenciesMeta": {
     "@rudderjs/hash": {
@@ -65,6 +66,9 @@
     },
     "@rudderjs/view": {
       "optional": false
+    },
+    "@rudderjs/vite": {
+      "optional": true
     }
   },
   "devDependencies": {
@@ -73,8 +77,9 @@
     "typescript": "^5.4.0",
     "@rudderjs/hash": "^1.0.1",
     "@rudderjs/router": "^1.2.0",
-    "@rudderjs/session": "^1.0.5",
-    "@rudderjs/view": "^1.0.1"
+    "@rudderjs/session": "^1.1.0",
+    "@rudderjs/view": "^1.1.0",
+    "@rudderjs/vite": "^1.1.0"
   },
   "author": "Suleiman Shahbari",
   "scripts": {

package/views/react/ForgotPassword.tsx

@@ -1,6 +1,6 @@
 import '@/index.css'
 import { useState } from 'react'
-import { getCsrfToken } from '@rudderjs/middleware'
+import { getCsrfToken } from '@rudderjs/middleware/client'
 
 // URL this view is served at — see Login.tsx for rationale.
 export const route = '/forgot-password'

package/views/react/Login.tsx

@@ -1,7 +1,7 @@
 import '@/index.css'
 import { useState } from 'react'
 import { navigate } from 'vike/client/router'
-import { getCsrfToken } from '@rudderjs/middleware'
+import { getCsrfToken } from '@rudderjs/middleware/client'
 
 // URL this view is served at — MUST match the controller route registered
 // by registerAuthRoutes() in the consumer project. If you override

package/views/react/Register.tsx

@@ -1,7 +1,7 @@
 import '@/index.css'
 import { useState } from 'react'
 import { navigate } from 'vike/client/router'
-import { getCsrfToken } from '@rudderjs/middleware'
+import { getCsrfToken } from '@rudderjs/middleware/client'
 
 // URL this view is served at — see Login.tsx for rationale.
 export const route = '/register'

package/views/react/ResetPassword.tsx

@@ -1,6 +1,6 @@
 import '@/index.css'
 import { useState, useEffect } from 'react'
-import { getCsrfToken } from '@rudderjs/middleware'
+import { getCsrfToken } from '@rudderjs/middleware/client'
 
 // URL this view is served at — see Login.tsx for rationale.
 export const route = '/reset-password'