@seamless-auth/express 0.0.1-beta.1 → 0.0.1

package/README.md

@@ -10,7 +10,6 @@ It proxies all authentication flows, manages signed cookies, and gives you out-o
 > **Docs:** https://docs.seamlessauth.com  
 > **Repo:** https://github.com/fells-code/seamless-auth-server
 
-
 > Couple with https://github.com/fells-code/seamless-auth/react for an end to end seamless experience
 
 > Or get a full starter application with https://github.com/fells-code/create-seamless
@@ -27,25 +26,32 @@ npm install @seamless-auth/server-express
 yarn add @seamless-auth/server-express
 ```
 
-
 ## Quick Example
 
 ```ts
 import express from "express";
 import cookieParser from "cookie-parser";
-import createSeamlessAuthServer, { requireAuth, requireRole } from "@seamless-auth/server-express";
+import createSeamlessAuthServer, {
+  requireAuth,
+  requireRole,
+} from "@seamless-auth/server-express";
 
 const app = express();
 app.use(cookieParser());
 
 // Public Seamless Auth endpoints
-app.use("/auth", createSeamlessAuthServer({ authServerUrl: process.env.AUTH_SERVER_URL! }));
+app.use(
+  "/auth",
+  createSeamlessAuthServer({ authServerUrl: process.env.AUTH_SERVER_URL! })
+);
 
 // Everything after this line requires authentication
 app.use(requireAuth());
 
 app.get("/api/me", (req, res) => res.json({ user: (req as any).user }));
-app.get("/admin", requireRole("admin"), (req, res) => res.json({ message: "Welcome admin!" }));
+app.get("/admin", requireRole("admin"), (req, res) =>
+  res.json({ message: "Welcome admin!" })
+);
 
 app.listen(5000, () => console.log("Portal API running on :5000"));
 ```
@@ -60,16 +66,14 @@ app.listen(5000, () => console.log("Portal API running on :5000"));
 
 It transparently proxies and validates authentication flows so your frontend can use a single API endpoint for:
 
-- Login / Registration / Logout  
-- User introspection (`/auth/me`)  
-- Session cookies (signed JWTs)  
-- Role & permission guards  
+- Login / Registration / Logout
+- User introspection (`/auth/me`)
+- Session cookies (signed JWTs)
+- Role & permission guards
 - Internal Auth Server communication (JWKS + service tokens)
 
 Everything happens securely between your API and a private Seamless Auth Server.
 
-
-
 ---
 
 ## Architecture
@@ -92,13 +96,13 @@ Everything happens securely between your API and a private Seamless Auth Server.
 
 ## Environment Variables
 
-| Variable | Description | Example |
-|-----------|--------------|----------|
-| `AUTH_SERVER_URL` | Base URL of your Seamless Auth Server | `https://auth.client.com` |
-| `SEAMLESS_COOKIE_SIGNING_KEY` | Secret key for signing JWT cookies | `base64:...` |
-| `SERVICE_JWT_PRIVATE_KEY` | Private key for API → Auth Server JWTs | RSA PEM |
-| `SERVICE_JWT_KEYID` | Key ID for JWKS | `service-main` |
-| `COOKIE_DOMAIN` | Domain for cookies | `.client.com` |
+| Variable                      | Description                            | Example                   |
+| ----------------------------- | -------------------------------------- | ------------------------- |
+| `AUTH_SERVER_URL`             | Base URL of your Seamless Auth Server  | `https://auth.client.com` |
+| `SEAMLESS_COOKIE_SIGNING_KEY` | Secret key for signing JWT cookies     | `base64:...`              |
+| `SEAMLESS_SERVICE_TOKEN`      | Private key for API → Auth Server JWTs | RSA PEM                   |
+| `SERVICE_JWT_KEYID`           | Key ID for JWKS                        | `service-main`            |
+| `COOKIE_DOMAIN`               | Domain for cookies                     | `.client.com`             |
 
 ---
 
@@ -108,11 +112,11 @@ Everything happens securely between your API and a private Seamless Auth Server.
 
 Mounts an Express router exposing the full Seamless Auth flow:
 
-- `/auth/login/start`  
-- `/auth/login/finish`  
-- `/auth/webauthn/...`  
-- `/auth/registration/...`  
-- `/auth/me`  
+- `/auth/login/start`
+- `/auth/login/finish`
+- `/auth/webauthn/...`
+- `/auth/registration/...`
+- `/auth/me`
 - `/auth/logout`
 
 **Options**
@@ -167,6 +171,7 @@ const user = await getSeamlessUser(req, process.env.AUTH_SERVER_URL!);
 ```
 
 User shape
+
 ```ts
 {
   id: string;
@@ -212,7 +217,7 @@ SEAMLESS_COOKIE_SIGNING_KEY=local-secret-key # Found in the portal
 
 ```ts
 const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL!;
-app.use(cors({ origin: "https://localhost:5001", credentials: true }));
+app.use(cors({ origin: "http://localhost:5001", credentials: true }));
 app.use(express.json());
 app.use(cookieParser());
 app.use("/auth", createSeamlessAuthServer({ authServerUrl: AUTH_SERVER_URL }));
@@ -223,17 +228,17 @@ app.use(requireAuth());
 
 ## Security Model
 
-| Layer | Auth Mechanism | Signed By |
-|--------|----------------|------------|
-| **Frontend ↔ API** | Signed JWT in HttpOnly cookie (HS256) | Client API |
-| **API ↔ Auth Server** | Bearer Service JWT (RS256) | API’s private key |
-| **Auth Server** | Validates service tokens via JWKS | Seamless Auth JWKS |
+| Layer                 | Auth Mechanism                        | Signed By          |
+| --------------------- | ------------------------------------- | ------------------ |
+| **Frontend ↔ API**    | Signed JWT in HttpOnly cookie (HS256) | Client API         |
+| **API ↔ Auth Server** | Bearer Service JWT (RS256)            | API’s private key  |
+| **Auth Server**       | Validates service tokens via JWKS     | Seamless Auth JWKS |
 
 All tokens and cookies are stateless and cryptographically verifiable.
 
 ---
 
-##  Testing
+## Testing
 
 You can mock `requireAuth` and test Express routes via `supertest`.
 
@@ -248,11 +253,11 @@ app.get("/api/test", requireAuth(), (req, res) => res.json({ ok: true }));
 
 ## Roadmap
 
-| Feature | Status |
-|----------|---------|
-| JWKS-verified response signing | ✅ |
-| OIDC discovery & SSO readiness |  planned |
-| Federation (Google / Okta) | future |
+| Feature                                      | Status      |
+| -------------------------------------------- | ----------- |
+| JWKS-verified response signing               | ✅          |
+| OIDC discovery & SSO readiness               | planned     |
+| Federation (Google / Okta)                   | future      |
 | Multi-framework adapters (Next.js / Fastify) | coming soon |
 
 ---
@@ -261,4 +266,3 @@ app.get("/api/test", requireAuth(), (req, res) => res.json({ ok: true }));
 
 MIT © 2025 Fells Code LLC  
 Part of the **Seamless Auth** ecosystem.
-

package/dist/createServer.d.ts

@@ -1,3 +1,4 @@
 import { Router } from "express";
 import type { SeamlessAuthServerOptions } from "./types";
 export declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
+//# sourceMappingURL=createServer.d.ts.map

package/dist/createServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createServer.d.ts","sourceRoot":"","sources":["../src/createServer.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AAQ7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAIzD,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,yBAAyB,GAC9B,MAAM,CA6LR"}

package/dist/createServer.js

@@ -1,17 +1,20 @@
 import express from "express";
 import cookieParser from "cookie-parser";
-import { setSessionCookie, clearAllCookies, clearSessionCookie, } from './internal/cookie.js';
-import { authFetch } from './internal/authFetch.js';
-import { createEnsureCookiesMiddleware } from './middleware/ensureCookies.js';
-import { verifySignedAuthResponse } from './internal/verifySignedAuthResponse.js';
+import { setSessionCookie, clearAllCookies, clearSessionCookie, } from "./internal/cookie";
+import { authFetch } from "./internal/authFetch";
+import { createEnsureCookiesMiddleware } from "./middleware/ensureCookies";
+import { verifySignedAuthResponse } from "./internal/verifySignedAuthResponse";
 export function createSeamlessAuthServer(opts) {
     const r = express.Router();
     r.use(express.json());
     r.use(cookieParser());
-    const { authServerUrl, cookieDomain = "", accesscookieName = "seamless-auth-access", registrationCookieName = "seamless-auth-registration", refreshCookieName = "seamless-auth-refresh", preAuthCookieName = "seamless-auth-pre-auth" } = opts;
+    const { authServerUrl, cookieDomain = "", accesscookieName = "seamless-access", registrationCookieName = "seamless-ephemeral", refreshCookieName = "seamless-refresh", preAuthCookieName = "seamless-ephemeral", } = opts;
     const proxy = (path, method = "POST") => async (req, res) => {
         try {
-            const response = await authFetch(req, `${authServerUrl}/${path}`, { method, body: req.body });
+            const response = await authFetch(req, `${authServerUrl}/${path}`, {
+                method,
+                body: req.body,
+            });
             res.status(response.status).json(await response.json());
         }
         catch (error) {
@@ -24,7 +27,7 @@ export function createSeamlessAuthServer(opts) {
         accesscookieName,
         registrationCookieName,
         refreshCookieName,
-        preAuthCookieName
+        preAuthCookieName,
     }));
     r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
     r.post("/webAuthn/login/finish", finishLogin);
@@ -33,9 +36,10 @@ export function createSeamlessAuthServer(opts) {
     r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
     r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
     r.post("/login", login);
+    r.post("/users/update", proxy("users/update"));
     r.post("/registration/register", register);
-    r.post("/logout", logout);
     r.get("/users/me", me);
+    r.get("/logout", logout);
     return r;
     async function login(req, res) {
         const up = await authFetch(req, `${authServerUrl}/login`, {
@@ -75,15 +79,14 @@ export function createSeamlessAuthServer(opts) {
         if (!up.ok)
             return res.status(up.status).json(data);
         const verifiedAccessToken = await verifySignedAuthResponse(data.token, authServerUrl);
-        const verifiedRefreshToken = await verifySignedAuthResponse(data.refreshToken, authServerUrl);
-        if (!verifiedAccessToken || !verifiedRefreshToken) {
+        if (!verifiedAccessToken) {
             throw new Error("Invalid signed response from Auth Server");
         }
-        if (verifiedAccessToken.sub !== data.sub || verifiedRefreshToken.sub !== data.sub) {
+        if (verifiedAccessToken.sub !== data.sub) {
             throw new Error("Signature mismatch with data payload");
         }
         setSessionCookie(res, { sub: data.sub, roles: data.roles }, cookieDomain, data.ttl, accesscookieName);
-        setSessionCookie(res, { sub: data.sub, refreshToken: data.refreshToken }, cookieDomain, data.ttl, refreshCookieName);
+        setSessionCookie(res, { sub: data.sub, refreshToken: data.refreshToken }, req.hostname, data.refreshTtl, refreshCookieName);
         res.status(200).json(data).end();
     }
     async function finishRegister(req, res) {
@@ -98,12 +101,9 @@ export function createSeamlessAuthServer(opts) {
         res.status(204).end();
     }
     async function logout(req, res) {
-        const sid = req.cookies[accesscookieName];
-        if (sid)
-            await authFetch(req, `${authServerUrl}/logout`, {
-                method: "POST",
-                body: { sid },
-            });
+        await authFetch(req, `${authServerUrl}/logout`, {
+            method: "GET",
+        });
         clearAllCookies(res, cookieDomain, accesscookieName, registrationCookieName, refreshCookieName);
         res.status(204).end();
     }
@@ -112,14 +112,6 @@ export function createSeamlessAuthServer(opts) {
             method: "GET",
         });
         const data = (await up.json());
-        console.log(data.token);
-        const verified = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verified) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verified.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
         clearSessionCookie(res, cookieDomain, preAuthCookieName);
         if (!data.user)
             return res.status(401).json({ error: "unauthenticated" });

package/dist/index.d.ts

@@ -4,3 +4,4 @@ export { requireRole } from "./middleware/requireRole";
 export { getSeamlessUser } from "./internal/getSeamlessUser";
 export type { SeamlessAuthServerOptions } from "./types";
 export default createSeamlessAuthServer;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC5D,YAAY,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAEzD,eAAe,wBAAwB,CAAC"}

package/dist/index.js

@@ -1,5 +1,5 @@
-import { createSeamlessAuthServer } from './createServer.js';
-export { requireAuth } from './middleware/requireAuth.js';
-export { requireRole } from './middleware/requireRole.js';
-export { getSeamlessUser } from './internal/getSeamlessUser.js';
+import { createSeamlessAuthServer } from "./createServer";
+export { requireAuth } from "./middleware/requireAuth";
+export { requireRole } from "./middleware/requireRole";
+export { getSeamlessUser } from "./internal/getSeamlessUser";
 export default createSeamlessAuthServer;

package/dist/internal/authFetch.d.ts

@@ -5,4 +5,5 @@ export interface AuthFetchOptions {
     cookies?: string[];
     headers?: Record<string, string>;
 }
-export declare function authFetch(req: CookieRequest, url: string, { method, body, cookies, headers }?: AuthFetchOptions): Promise<import("node-fetch").Response>;
+export declare function authFetch(req: CookieRequest, url: string, { method, body, cookies, headers }?: AuthFetchOptions): Promise<Response>;
+//# sourceMappingURL=authFetch.d.ts.map

package/dist/internal/authFetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authFetch.d.ts","sourceRoot":"","sources":["../../src/internal/authFetch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACrD,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED,wBAAsB,SAAS,CAC7B,GAAG,EAAE,aAAa,EAClB,GAAG,EAAE,MAAM,EACX,EAAE,MAAe,EAAE,IAAI,EAAE,OAAO,EAAE,OAAY,EAAE,GAAE,gBAAqB,qBAuDxE"}

package/dist/internal/authFetch.js

@@ -1,23 +1,33 @@
-import fetch from "node-fetch";
 import jwt from "jsonwebtoken";
-const privateKey = process.env.SERVICE_JWT_KEY;
 export async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
-    const token = privateKey
-        ? jwt.sign({ aud: "auth-internal", iss: "portal-api", sub: req.cookiePayload?.sub, role: req.cookiePayload?.roles }, privateKey, {
-            expiresIn: "60s",
-            keyid: "service-main",
-        })
-        : undefined;
-    if (!token) {
-        throw new Error("Cannot sign JWT for communications with Seamless Auth Server. Did you set your SERVICE_JWT_KEY?");
+    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+    if (!serviceKey) {
+        throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
     }
+    console.debug("[SeamlessAuth] Performing authentication fetch to Auth server");
+    // -------------------------------
+    // Issue short-lived machine token
+    // -------------------------------
+    const token = jwt.sign({
+        // Minimal, safe fields
+        iss: process.env.FRONTEND_URL,
+        aud: process.env.AUTH_SERVER_URL,
+        sub: req.cookiePayload?.sub,
+        roles: req.cookiePayload?.roles ?? [],
+        iat: Math.floor(Date.now() / 1000),
+    }, serviceKey, {
+        expiresIn: "60s", // Short-lived = safer
+        algorithm: "HS256", // HMAC-based
+        keyid: "dev-main", // For future rotation
+    });
     const finalHeaders = {
         ...(method !== "GET" && { "Content-Type": "application/json" }),
         ...(cookies ? { Cookie: cookies.join("; ") } : {}),
-        ...(token ? { Authorization: `Bearer ${token}` } : {}),
+        Authorization: `Bearer ${serviceKey}`,
         ...headers,
     };
     let finalUrl = url;
+    console.debug("[SeamlessAuth] URL ...", finalUrl);
     if (method === "GET" && body && typeof body === "object") {
         const qs = new URLSearchParams(body).toString();
         finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;

package/dist/internal/cookie.d.ts

@@ -1,9 +1,11 @@
 import { Response } from "express";
 export interface CookiePayload {
     sub: string;
+    token?: string;
     refreshToken?: string;
     roles?: string[];
 }
 export declare function setSessionCookie(res: Response, payload: CookiePayload, domain?: string, ttlSeconds?: number, name?: string): void;
 export declare function clearSessionCookie(res: Response, domain: string, name?: string): void;
 export declare function clearAllCookies(res: Response, domain: string, accesscookieName: string, registrationCookieName: string, refreshCookieName: string): void;
+//# sourceMappingURL=cookie.d.ts.map

package/dist/internal/cookie.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/internal/cookie.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,QAAQ,EACb,OAAO,EAAE,aAAa,EACtB,MAAM,CAAC,EAAE,MAAM,EACf,UAAU,SAAM,EAChB,IAAI,SAAe,QAqBpB;AAED,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,IAAI,SAAe,QAGpB;AAED,wBAAgB,eAAe,CAC7B,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,EACxB,sBAAsB,EAAE,MAAM,EAC9B,iBAAiB,EAAE,MAAM,QAK1B"}

package/dist/internal/cookie.js

@@ -1,17 +1,18 @@
 import jwt from "jsonwebtoken";
-const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-if (!COOKIE_SECRET) {
-    console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
-}
 export function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
+    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+    if (!COOKIE_SECRET) {
+        console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
+        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+    }
     const token = jwt.sign(payload, COOKIE_SECRET, {
         algorithm: "HS256",
-        expiresIn: ttlSeconds,
+        expiresIn: `${ttlSeconds}s`,
     });
     res.cookie(name, token, {
         httpOnly: true,
-        secure: true,
-        sameSite: "lax",
+        secure: process.env.NODE_ENV === "production",
+        sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
         path: "/",
         domain,
         maxAge: ttlSeconds * 1000,

package/dist/internal/getSeamlessUser.d.ts

@@ -1,4 +1,4 @@
-import type { Request } from "express";
+import { CookieRequest } from "../middleware/ensureCookies.js";
 /**
  * Retrieves the Seamless Auth user information by calling the auth server's introspection endpoint.
  * Requires the sa_session (or custom) cookie to be present on the request.
@@ -7,4 +7,5 @@ import type { Request } from "express";
  * @param authServerUrl Base URL of the client's auth server
  * @returns The user data object if valid, or null if invalid/unauthenticated
  */
-export declare function getSeamlessUser<T = any>(req: Request, authServerUrl: string): Promise<T | null>;
+export declare function getSeamlessUser<T = any>(req: CookieRequest, authServerUrl: string, cookieName?: string): Promise<T | null>;
+//# sourceMappingURL=getSeamlessUser.d.ts.map

package/dist/internal/getSeamlessUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSeamlessUser.d.ts","sourceRoot":"","sources":["../../src/internal/getSeamlessUser.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,GAAG,GAAG,EAC3C,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,UAAU,GAAE,MAA+B,GAC1C,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAwBnB"}

package/dist/internal/getSeamlessUser.js

@@ -1,5 +1,5 @@
 import { authFetch } from "./authFetch.js";
-import { verifySignedAuthResponse } from "./verifySignedAuthResponse.js";
+import { verifyCookieJwt } from "./verifyCookieJwt.js";
 /**
  * Retrieves the Seamless Auth user information by calling the auth server's introspection endpoint.
  * Requires the sa_session (or custom) cookie to be present on the request.
@@ -8,8 +8,13 @@ import { verifySignedAuthResponse } from "./verifySignedAuthResponse.js";
  * @param authServerUrl Base URL of the client's auth server
  * @returns The user data object if valid, or null if invalid/unauthenticated
  */
-export async function getSeamlessUser(req, authServerUrl) {
+export async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-auth-access") {
     try {
+        const payload = verifyCookieJwt(req.cookies[cookieName]);
+        if (!payload) {
+            throw new Error("Missing cookie");
+        }
+        req.cookiePayload = payload;
         const response = await authFetch(req, `${authServerUrl}/users/me`, {
             method: "GET",
         });
@@ -18,13 +23,6 @@ export async function getSeamlessUser(req, authServerUrl) {
             return null;
         }
         const data = (await response.json());
-        const verified = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verified) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verified.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
         return data.user;
     }
     catch (err) {

package/dist/internal/refreshAccessToken.d.ts

@@ -0,0 +1,10 @@
+import { CookieRequest } from "../middleware/ensureCookies.js";
+export declare function refreshAccessToken(req: CookieRequest, authServerUrl: string, refreshToken: string): Promise<{
+    sub: string;
+    token: string;
+    refreshToken: string;
+    roles: string[];
+    ttl: number;
+    refreshTtl: number;
+} | null>;
+//# sourceMappingURL=refreshAccessToken.d.ts.map

package/dist/internal/refreshAccessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshAccessToken.d.ts","sourceRoot":"","sources":["../../src/internal/refreshAccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,IAAI,CAAC,CAwDR"}

package/dist/internal/refreshAccessToken.js

@@ -0,0 +1,44 @@
+import jwt from "jsonwebtoken";
+export async function refreshAccessToken(req, authServerUrl, refreshToken) {
+    try {
+        const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+        if (!COOKIE_SECRET) {
+            console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
+            throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+        }
+        const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+        if (!serviceKey) {
+            throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
+        }
+        // unwrap token with local key and rewrap with service key
+        const payload = jwt.verify(refreshToken, COOKIE_SECRET, {
+            algorithms: ["HS256"],
+        });
+        const token = jwt.sign({
+            // Minimal, safe fields
+            iss: process.env.FRONTEND_URL,
+            aud: process.env.AUTH_SERVER,
+            sub: payload.sub,
+            refreshToken: payload.refreshToken,
+            iat: Math.floor(Date.now() / 1000),
+        }, serviceKey, {
+            expiresIn: "60s", // Short-lived = safer
+            algorithm: "HS256", // HMAC-based
+            keyid: "dev-main", // For future rotation
+        });
+        const response = await fetch(`${authServerUrl}/refresh`, {
+            method: "GET",
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        if (!response.ok) {
+            console.error("[SeamlessAuth] Refresh token request failed:", response.status);
+            return null;
+        }
+        const data = await response.json();
+        return data;
+    }
+    catch (err) {
+        console.error("[SeamlessAuth] refreshAccessToken error:", err);
+        return null;
+    }
+}

package/dist/internal/verifyCookieJwt.d.ts

@@ -1 +1,2 @@
 export declare function verifyCookieJwt<T = any>(token: string): T | null;
+//# sourceMappingURL=verifyCookieJwt.d.ts.map

package/dist/internal/verifyCookieJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyCookieJwt.d.ts","sourceRoot":"","sources":["../../src/internal/verifyCookieJwt.ts"],"names":[],"mappings":"AAIA,wBAAgB,eAAe,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAShE"}

package/dist/internal/verifySignedAuthResponse.d.ts

@@ -3,3 +3,4 @@
  * Uses the Auth Server's JWKS endpoint to dynamically fetch public keys.
  */
 export declare function verifySignedAuthResponse<T = any>(token: string, authServerUrl: string): Promise<T | null>;
+//# sourceMappingURL=verifySignedAuthResponse.d.ts.map

package/dist/internal/verifySignedAuthResponse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifySignedAuthResponse.d.ts","sourceRoot":"","sources":["../../src/internal/verifySignedAuthResponse.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,CAAC,GAAG,GAAG,EACpD,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAmBnB"}

package/dist/internal/verifySignedAuthResponse.js

@@ -12,6 +12,7 @@ export async function verifySignedAuthResponse(token, authServerUrl) {
         // Verify signature and algorithm
         const { payload } = await jwtVerify(token, JWKS, {
             algorithms: ["RS256"],
+            issuer: authServerUrl,
         });
         return payload;
     }

package/dist/middleware/ensureCookies.d.ts

@@ -4,4 +4,5 @@ import { JwtPayload } from "jsonwebtoken";
 export interface CookieRequest extends Request {
     cookiePayload?: JwtPayload;
 }
-export declare function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions): (req: CookieRequest, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+export declare function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions): (req: CookieRequest, res: Response, next: NextFunction, cookieDomain?: string) => Promise<void | Response<any, Record<string, any>>>;
+//# sourceMappingURL=ensureCookies.d.ts.map

package/dist/middleware/ensureCookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ensureCookies.d.ts","sourceRoot":"","sources":["../../src/middleware/ensureCookies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,MAAM,UAAU,CAAC;AAGrD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI1C,MAAM,WAAW,aAAc,SAAQ,OAAO;IAC5C,aAAa,CAAC,EAAE,UAAU,CAAC;CAC5B;AAED,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,yBAAyB,IA4BzE,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,MAAM,YAAY,EAClB,qBAAiB,wDA2FpB"}

package/dist/middleware/ensureCookies.js

@@ -1,32 +1,84 @@
 import { verifyCookieJwt } from "../internal/verifyCookieJwt.js";
+import { refreshAccessToken } from "../internal/refreshAccessToken";
+import { clearAllCookies, setSessionCookie } from "../internal/cookie";
 export function createEnsureCookiesMiddleware(opts) {
     const COOKIE_REQUIREMENTS = {
         "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
         "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
-        "/webAuthn/register/start": { name: opts.registrationCookieName, required: true },
-        "/webAuthn/register/finish": { name: opts.registrationCookieName, required: true },
-        "/otp/verify-email-otp": { name: opts.registrationCookieName, required: true },
-        "/otp/verify-phone-otp": { name: opts.registrationCookieName, required: true },
+        "/webAuthn/register/start": {
+            name: opts.registrationCookieName,
+            required: true,
+        },
+        "/webAuthn/register/finish": {
+            name: opts.registrationCookieName,
+            required: true,
+        },
+        "/otp/verify-email-otp": {
+            name: opts.registrationCookieName,
+            required: true,
+        },
+        "/otp/verify-phone-otp": {
+            name: opts.registrationCookieName,
+            required: true,
+        },
         "/logout": { name: opts.accesscookieName, required: true },
         "/users/me": { name: opts.accesscookieName, required: true },
     };
-    return function ensureCookies(req, res, next) {
+    return async function ensureCookies(req, res, next, cookieDomain = "") {
         const match = Object.entries(COOKIE_REQUIREMENTS).find(([path]) => req.path.startsWith(path));
         if (!match)
             return next();
         const [, { name, required }] = match;
+        const AUTH_SERVER_URL = process.env.AUTH_SERVER;
         const cookieValue = req.cookies?.[name];
+        const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
+        //
+        // --- NEW REFRESH-AWARE LOGIC ---
+        //
+        // If required cookie is missing BUT refresh cookie exists,
+        // allow request to proceed. requireAuth() will perform refresh.
+        //
         if (required && !cookieValue) {
+            if (refreshCookieValue) {
+                console.log("[SeamlessAuth] Access token expired — attempting refresh");
+                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshCookieValue);
+                if (!refreshed?.token) {
+                    clearAllCookies(res, cookieDomain, name, opts.registrationCookieName, opts.refreshCookieName);
+                    res.status(401).json({ error: "Refresh failed" });
+                    return;
+                }
+                // Update cookie with new access token
+                setSessionCookie(res, {
+                    sub: refreshed.sub,
+                    token: refreshed.token,
+                    roles: refreshed.roles,
+                }, cookieDomain, refreshed.ttl, name);
+                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, cookieDomain, refreshed.refreshTtl, opts.refreshCookieName);
+                // Let requireAuth() attempt refresh
+                req.cookiePayload = {
+                    sub: refreshed.sub,
+                    roles: refreshed.roles,
+                };
+                return next();
+            }
+            // No required cookie AND no refresh cookie → hard fail
             return res.status(400).json({
                 error: `Missing required cookie "${name}" for route ${req.path}`,
                 hint: "Did you forget to call /auth/login/start first?",
             });
         }
-        const payload = verifyCookieJwt(cookieValue);
-        if (!payload) {
-            return res.status(401).json({ error: `Invalid or expired ${name} cookie` });
+        //
+        // If cookie exists, verify it normally
+        //
+        if (cookieValue) {
+            const payload = verifyCookieJwt(cookieValue);
+            if (!payload) {
+                return res
+                    .status(401)
+                    .json({ error: `Invalid or expired ${name} cookie` });
+            }
+            req.cookiePayload = payload;
         }
-        req.cookiePayload = payload;
         next();
     };
 }

package/dist/middleware/requireAuth.d.ts

@@ -5,4 +5,5 @@ import { Request, Response, NextFunction } from "express";
  * - Attaches decoded payload to req.user
  * - Returns 401 if missing/invalid/expired
  */
-export declare function requireAuth(cookieName?: string): (req: Request, res: Response, next: NextFunction) => void;
+export declare function requireAuth(cookieName?: string, refreshCookieName?: string, cookieDomain?: string): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=requireAuth.d.ts.map

package/dist/middleware/requireAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requireAuth.d.ts","sourceRoot":"","sources":["../../src/middleware/requireAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM1D;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,UAAU,SAAyB,EACnC,iBAAiB,SAA0B,EAC3C,YAAY,SAAM,IAahB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAAC,CA+EjB"}

package/dist/middleware/requireAuth.js

@@ -1,28 +1,69 @@
 import jwt from "jsonwebtoken";
-const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-if (!COOKIE_SECRET) {
-    console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
-}
+import { refreshAccessToken } from "../internal/refreshAccessToken.js";
+import { setSessionCookie } from "../internal/cookie.js";
 /**
  * Express middleware that verifies a Seamless Auth access cookie.
  * - Reads and verifies signed cookie JWT
  * - Attaches decoded payload to req.user
  * - Returns 401 if missing/invalid/expired
  */
-export function requireAuth(cookieName = "seamless-auth-access") {
-    return (req, res, next) => {
+export function requireAuth(cookieName = "seamless-auth-access", refreshCookieName = "seamless-auth-refresh", cookieDomain = "/") {
+    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+    if (!COOKIE_SECRET) {
+        console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
+        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+    }
+    const AUTH_SERVER_URL = process.env.AUTH_SERVER;
+    return async (req, res, next) => {
         try {
+            if (!COOKIE_SECRET) {
+                throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
+            }
             const token = req.cookies?.[cookieName];
             if (!token) {
                 res.status(401).json({ error: "Missing access cookie" });
                 return;
             }
-            const payload = jwt.verify(token, COOKIE_SECRET, {
-                algorithms: ["HS256"],
-            });
-            // Attach decoded JWT claims to request for downstream handlers
-            req.user = payload;
-            next();
+            try {
+                const payload = jwt.verify(token, COOKIE_SECRET, {
+                    algorithms: ["HS256"],
+                });
+                req.user = payload;
+                return next();
+            }
+            catch (err) {
+                // expired or invalid token
+                if (err.name !== "TokenExpiredError") {
+                    console.warn("[SeamlessAuth] Invalid token:", err.message);
+                    res.status(401).json({ error: "Invalid token" });
+                    return;
+                }
+                // Try refresh
+                const refreshToken = req.cookies?.[refreshCookieName];
+                if (!refreshToken) {
+                    res.status(401).json({ error: "Session expired; re-login required" });
+                    return;
+                }
+                console.log("[SeamlessAuth] Access token expired — attempting refresh");
+                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshToken);
+                if (!refreshed?.token) {
+                    res.status(401).json({ error: "Refresh failed" });
+                    return;
+                }
+                // Update cookie with new access token
+                setSessionCookie(res, {
+                    sub: refreshed.sub,
+                    token: refreshed.token,
+                    roles: refreshed.roles,
+                }, cookieDomain, refreshed.ttl, cookieName);
+                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, req.hostname, refreshed.refreshTtl, refreshCookieName);
+                // Decode new token so downstream has user
+                const payload = jwt.verify(refreshed.token, COOKIE_SECRET, {
+                    algorithms: ["HS256"],
+                });
+                req.user = payload;
+                next();
+            }
         }
         catch (err) {
             console.error("[SeamlessAuth] requireAuth error:", err.message);

package/dist/middleware/requireRole.d.ts

@@ -6,3 +6,4 @@ import { RequestHandler } from "express";
  * @param cookieName  Cookie name containing JWT (default: 'sa_session')
  */
 export declare function requireRole(role: string, cookieName?: string): RequestHandler;
+//# sourceMappingURL=requireRole.d.ts.map

package/dist/middleware/requireRole.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requireRole.d.ts","sourceRoot":"","sources":["../../src/middleware/requireRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAG1E;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,UAAU,SAAoB,GAC7B,cAAc,CAiChB"}

package/dist/middleware/requireRole.js

@@ -1,17 +1,18 @@
 import jwt from "jsonwebtoken";
-const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-if (!COOKIE_SECRET) {
-    console.warn("[PortalAPI] Missing SEAMLESS_COOKIE_SIGNING_KEY — role checks will fail.");
-}
 /**
  * Express middleware to enforce a required role from Seamless Auth cookie JWT.
  *
  * @param role        Role name to require (e.g. 'admin')
  * @param cookieName  Cookie name containing JWT (default: 'sa_session')
  */
-export function requireRole(role, cookieName = "seamless-auth-access") {
+export function requireRole(role, cookieName = "seamless-access") {
     return (req, res, next) => {
         try {
+            const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+            if (!COOKIE_SECRET) {
+                console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireRole will always fail.");
+                throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+            }
             const token = req.cookies?.[cookieName];
             if (!token) {
                 res.status(401).json({ error: "Missing access cookie" });
@@ -29,7 +30,7 @@ export function requireRole(role, cookieName = "seamless-auth-access") {
             next();
         }
         catch (err) {
-            console.error(`[PortalAPI] requireRole(${role}) failed:`, err.message);
+            console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
             res.status(401).json({ error: "Invalid or expired access cookie" });
         }
     };

package/dist/types.d.ts

@@ -6,3 +6,4 @@ export interface SeamlessAuthServerOptions {
     refreshCookieName?: string;
     preAuthCookieName?: string;
 }
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.1-beta.1",
+  "version": "0.0.1",
   "description": "Express adapter for Seamless Auth passwordless authentication",
   "license": "MIT",
   "type": "module",
@@ -13,7 +13,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/fells-code/seamless-auth-server"
+    "url": "git+https://github.com/fells-code/seamless-auth-server.git"
   },
   "files": [
     "dist"
@@ -24,6 +24,7 @@
   },
   "dependencies": {
     "cookie-parser": "^1.4.6",
+    "dotenv": "^17.2.3",
     "jose": "^6.1.1",
     "jsonwebtoken": "^9.0.2",
     "node-fetch": "^3.3.2"