@seamless-auth/express 0.0.1 → 0.0.2-beta.2

package/README.md

@@ -96,13 +96,12 @@ Everything happens securely between your API and a private Seamless Auth Server.
 
 ## Environment Variables
 
-| Variable                      | Description                            | Example                   |
-| ----------------------------- | -------------------------------------- | ------------------------- |
-| `AUTH_SERVER_URL`             | Base URL of your Seamless Auth Server  | `https://auth.client.com` |
-| `SEAMLESS_COOKIE_SIGNING_KEY` | Secret key for signing JWT cookies     | `base64:...`              |
-| `SEAMLESS_SERVICE_TOKEN`      | Private key for API → Auth Server JWTs | RSA PEM                   |
-| `SERVICE_JWT_KEYID`           | Key ID for JWKS                        | `service-main`            |
-| `COOKIE_DOMAIN`               | Domain for cookies                     | `.client.com`             |
+| Variable                      | Description                                   | Example                        |
+| ----------------------------- | --------------------------------------------- | ------------------------------ |
+| `AUTH_SERVER_URL`             | Base URL of your Seamless Auth Server         | `https://auth.client.com`      |
+| `SEAMLESS_COOKIE_SIGNING_KEY` | Secret key for signing JWT cookies            | `base64:...`                   |
+| `SEAMLESS_SERVICE_TOKEN`      | Private key for API → Auth Server JWTs        | `Obtained via the auth portal` |
+| `FRONTEND_URL`                | URL of your website or https://localhost:5001 | `https://mySite.com`           |
 
 ---
 
@@ -188,7 +187,7 @@ User shape
    → sets short-lived pre-auth cookie.
 
 2. **Frontend** → `/auth/webauthn/finish`  
-   → API proxies, validates, sets access cookie (`seamless_auth_access`).
+   → API proxies, validates, sets access cookie (`seamless-access`).
 
 3. **Subsequent API calls** → `/api/...`  
    → `requireAuth()` verifies cookie and attaches user.  
@@ -206,9 +205,10 @@ In order to develop with your Seamless Auth server instance, you will need to ha
 Example env:
 
 ```bash
-AUTH_SERVER_URL=http://https://<identifier>.seamlessauth.com # Found in the portal
-COOKIE_DOMAIN=localhost # Or frontend domain in prod
-SEAMLESS_COOKIE_SIGNING_KEY=local-secret-key # Found in the portal
+AUTH_SERVER_URL=https://<identifier>.seamlessauth.com # Found in the portal
+SEAMLESS_SERVICE_TOKEN=32byte-secret # Created and rotated in the portal
+FRONTEND_URL=https://yourSite.com # Must match the value you have for Frontend Domain in the portal (Can be localhost:5001 when application is in demo mode)
+SEAMLESS_COOKIE_SIGNING_KEY=local-secret-key # A key you make for signing your API's distributed cookies
 ```
 
 ---
@@ -217,7 +217,7 @@ SEAMLESS_COOKIE_SIGNING_KEY=local-secret-key # Found in the portal
 
 ```ts
 const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL!;
-app.use(cors({ origin: "http://localhost:5001", credentials: true }));
+app.use(cors({ origin: "https://localhost:5001", credentials: true }));
 app.use(express.json());
 app.use(cookieParser());
 app.use("/auth", createSeamlessAuthServer({ authServerUrl: AUTH_SERVER_URL }));
@@ -266,3 +266,4 @@ app.get("/api/test", requireAuth(), (req, res) => res.json({ ok: true }));
 
 MIT © 2025 Fells Code LLC  
 Part of the **Seamless Auth** ecosystem.
+https://seamlessauth.com

package/dist/index.js

@@ -1,5 +1,564 @@
-import { createSeamlessAuthServer } from "./createServer";
-export { requireAuth } from "./middleware/requireAuth";
-export { requireRole } from "./middleware/requireRole";
-export { getSeamlessUser } from "./internal/getSeamlessUser";
-export default createSeamlessAuthServer;
+// src/createServer.ts
+import express from "express";
+import cookieParser from "cookie-parser";
+
+// src/internal/cookie.ts
+import jwt from "jsonwebtoken";
+function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
+  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+  if (!COOKIE_SECRET2) {
+    console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
+    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+  }
+  const token = jwt.sign(payload, COOKIE_SECRET2, {
+    algorithm: "HS256",
+    expiresIn: `${ttlSeconds}s`
+  });
+  res.cookie(name, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
+    path: "/",
+    domain,
+    maxAge: ttlSeconds * 1e3
+  });
+}
+function clearSessionCookie(res, domain, name = "sa_session") {
+  res.clearCookie(name, { domain, path: "/" });
+}
+function clearAllCookies(res, domain, accesscookieName, registrationCookieName, refreshCookieName) {
+  res.clearCookie(accesscookieName, { domain, path: "/" });
+  res.clearCookie(registrationCookieName, { domain, path: "/" });
+  res.clearCookie(refreshCookieName, { domain, path: "/" });
+}
+
+// src/internal/authFetch.ts
+import jwt2 from "jsonwebtoken";
+async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
+  const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+  if (!serviceKey) {
+    throw new Error(
+      "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+    );
+  }
+  const token = jwt2.sign(
+    {
+      iss: process.env.FRONTEND_URL,
+      aud: process.env.AUTH_SERVER_URL,
+      sub: req.cookiePayload?.sub,
+      roles: req.cookiePayload?.roles ?? [],
+      iat: Math.floor(Date.now() / 1e3)
+    },
+    serviceKey,
+    {
+      expiresIn: "60s",
+      // Short-lived
+      algorithm: "HS256"
+      // HMAC-based
+    }
+  );
+  const finalHeaders = {
+    ...method !== "GET" && { "Content-Type": "application/json" },
+    ...cookies ? { Cookie: cookies.join("; ") } : {},
+    Authorization: `Bearer ${token}`,
+    ...headers
+  };
+  let finalUrl = url;
+  if (method === "GET" && body && typeof body === "object") {
+    const qs = new URLSearchParams(body).toString();
+    finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;
+  }
+  const res = await fetch(finalUrl, {
+    method,
+    headers: finalHeaders,
+    ...method !== "GET" && body ? { body: JSON.stringify(body) } : {}
+  });
+  return res;
+}
+
+// src/internal/verifyCookieJwt.ts
+import jwt3 from "jsonwebtoken";
+var COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+function verifyCookieJwt(token) {
+  try {
+    return jwt3.verify(token, COOKIE_SECRET, {
+      algorithms: ["HS256"]
+    });
+  } catch (err) {
+    console.error("[SeamlessAuth] Cookie JWT verification failed:", err);
+    return null;
+  }
+}
+
+// src/internal/refreshAccessToken.ts
+import jwt4 from "jsonwebtoken";
+async function refreshAccessToken(req, authServerUrl, refreshToken) {
+  try {
+    const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+    if (!COOKIE_SECRET2) {
+      console.warn(
+        "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
+      );
+      throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+    }
+    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+    if (!serviceKey) {
+      throw new Error(
+        "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+      );
+    }
+    const payload = jwt4.verify(refreshToken, COOKIE_SECRET2, {
+      algorithms: ["HS256"]
+    });
+    const token = jwt4.sign(
+      {
+        // Minimal, safe fields
+        iss: process.env.FRONTEND_URL,
+        aud: process.env.AUTH_SERVER_URL,
+        sub: payload.sub,
+        refreshToken: payload.refreshToken,
+        iat: Math.floor(Date.now() / 1e3)
+      },
+      serviceKey,
+      {
+        expiresIn: "60s",
+        // Short-lived = safer
+        algorithm: "HS256",
+        // HMAC-based
+        keyid: "dev-main"
+        // For future rotation
+      }
+    );
+    const response = await fetch(`${authServerUrl}/refresh`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      console.error(
+        "[SeamlessAuth] Refresh token request failed:",
+        response.status
+      );
+      return null;
+    }
+    const data = await response.json();
+    return data;
+  } catch (err) {
+    console.error("[SeamlessAuth] refreshAccessToken error:", err);
+    return null;
+  }
+}
+
+// src/middleware/ensureCookies.ts
+function createEnsureCookiesMiddleware(opts) {
+  const COOKIE_REQUIREMENTS = {
+    "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
+    "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
+    "/webAuthn/register/start": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/webAuthn/register/finish": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/otp/verify-email-otp": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/otp/verify-phone-otp": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/logout": { name: opts.accesscookieName, required: true },
+    "/users/me": { name: opts.accesscookieName, required: true }
+  };
+  return async function ensureCookies(req, res, next, cookieDomain = "") {
+    const match = Object.entries(COOKIE_REQUIREMENTS).find(
+      ([path]) => req.path.startsWith(path)
+    );
+    if (!match) return next();
+    const [, { name, required }] = match;
+    const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
+    const cookieValue = req.cookies?.[name];
+    const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
+    if (required && !cookieValue) {
+      if (refreshCookieValue) {
+        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
+        const refreshed = await refreshAccessToken(
+          req,
+          AUTH_SERVER_URL,
+          refreshCookieValue
+        );
+        if (!refreshed?.token) {
+          clearAllCookies(
+            res,
+            cookieDomain,
+            name,
+            opts.registrationCookieName,
+            opts.refreshCookieName
+          );
+          res.status(401).json({ error: "Refresh failed" });
+          return;
+        }
+        setSessionCookie(
+          res,
+          {
+            sub: refreshed.sub,
+            token: refreshed.token,
+            roles: refreshed.roles
+          },
+          cookieDomain,
+          refreshed.ttl,
+          name
+        );
+        setSessionCookie(
+          res,
+          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          cookieDomain,
+          refreshed.refreshTtl,
+          opts.refreshCookieName
+        );
+        req.cookiePayload = {
+          sub: refreshed.sub,
+          roles: refreshed.roles
+        };
+        return next();
+      }
+      return res.status(400).json({
+        error: `Missing required cookie "${name}" for route ${req.path}`,
+        hint: "Did you forget to call /auth/login/start first?"
+      });
+    }
+    if (cookieValue) {
+      const payload = verifyCookieJwt(cookieValue);
+      if (!payload) {
+        return res.status(401).json({ error: `Invalid or expired ${name} cookie` });
+      }
+      req.cookiePayload = payload;
+    }
+    next();
+  };
+}
+
+// src/internal/verifySignedAuthResponse.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+async function verifySignedAuthResponse(token, authServerUrl) {
+  try {
+    const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
+    const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+    const { payload } = await jwtVerify(token, JWKS, {
+      algorithms: ["RS256"],
+      issuer: authServerUrl
+    });
+    return payload;
+  } catch (err) {
+    console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
+    return null;
+  }
+}
+
+// src/createServer.ts
+function createSeamlessAuthServer(opts) {
+  const r = express.Router();
+  r.use(express.json());
+  r.use(cookieParser());
+  const {
+    authServerUrl,
+    cookieDomain = "",
+    accesscookieName = "seamless-access",
+    registrationCookieName = "seamless-ephemeral",
+    refreshCookieName = "seamless-refresh",
+    preAuthCookieName = "seamless-ephemeral"
+  } = opts;
+  const proxy = (path, method = "POST") => async (req, res) => {
+    try {
+      const response = await authFetch(req, `${authServerUrl}/${path}`, {
+        method,
+        body: req.body
+      });
+      res.status(response.status).json(await response.json());
+    } catch (error) {
+      console.error(`Failed to proxy to route. Error: ${error}`);
+    }
+  };
+  r.use(
+    createEnsureCookiesMiddleware({
+      authServerUrl,
+      cookieDomain,
+      accesscookieName,
+      registrationCookieName,
+      refreshCookieName,
+      preAuthCookieName
+    })
+  );
+  r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
+  r.post("/webAuthn/login/finish", finishLogin);
+  r.get("/webAuthn/register/start", proxy("webAuthn/register/start", "GET"));
+  r.post("/webAuthn/register/finish", finishRegister);
+  r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
+  r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
+  r.post("/login", login);
+  r.post("/users/update", proxy("users/update"));
+  r.post("/registration/register", register);
+  r.get("/users/me", me);
+  r.get("/logout", logout);
+  return r;
+  async function login(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/login`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    const verified = await verifySignedAuthResponse(data.token, authServerUrl);
+    if (!verified) {
+      throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verified.sub !== data.sub) {
+      throw new Error("Signature mismatch with data payload");
+    }
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      preAuthCookieName
+    );
+    res.status(204).end();
+  }
+  async function register(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/registration/register`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      registrationCookieName
+    );
+    res.status(200).json(data).end();
+  }
+  async function finishLogin(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/webAuthn/login/finish`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    const verifiedAccessToken = await verifySignedAuthResponse(
+      data.token,
+      authServerUrl
+    );
+    if (!verifiedAccessToken) {
+      throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verifiedAccessToken.sub !== data.sub) {
+      throw new Error("Signature mismatch with data payload");
+    }
+    setSessionCookie(
+      res,
+      { sub: data.sub, roles: data.roles },
+      cookieDomain,
+      data.ttl,
+      accesscookieName
+    );
+    setSessionCookie(
+      res,
+      { sub: data.sub, refreshToken: data.refreshToken },
+      req.hostname,
+      data.refreshTtl,
+      refreshCookieName
+    );
+    res.status(200).json(data).end();
+  }
+  async function finishRegister(req, res) {
+    const up = await authFetch(
+      req,
+      `${authServerUrl}/webAuthn/register/finish`,
+      {
+        method: "POST",
+        body: req.body
+      }
+    );
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    setSessionCookie(
+      res,
+      { sub: data.sub, roles: data.roles },
+      cookieDomain,
+      data.ttl,
+      accesscookieName
+    );
+    res.status(204).end();
+  }
+  async function logout(req, res) {
+    await authFetch(req, `${authServerUrl}/logout`, {
+      method: "GET"
+    });
+    clearAllCookies(
+      res,
+      cookieDomain,
+      accesscookieName,
+      registrationCookieName,
+      refreshCookieName
+    );
+    res.status(204).end();
+  }
+  async function me(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/users/me`, {
+      method: "GET"
+    });
+    const data = await up.json();
+    clearSessionCookie(res, cookieDomain, preAuthCookieName);
+    if (!data.user) return res.status(401).json({ error: "unauthenticated" });
+    res.json({ user: data.user });
+  }
+}
+
+// src/middleware/requireAuth.ts
+import jwt5 from "jsonwebtoken";
+function requireAuth(cookieName = "seamless-access", refreshCookieName = "seamless-refresh", cookieDomain = "/") {
+  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+  if (!COOKIE_SECRET2) {
+    console.warn(
+      "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
+    );
+    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+  }
+  const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
+  return async (req, res, next) => {
+    try {
+      if (!COOKIE_SECRET2) {
+        throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
+      }
+      const token = req.cookies?.[cookieName];
+      if (!token) {
+        res.status(401).json({ error: "Missing access cookie" });
+        return;
+      }
+      try {
+        const payload = jwt5.verify(token, COOKIE_SECRET2, {
+          algorithms: ["HS256"]
+        });
+        req.user = payload;
+        return next();
+      } catch (err) {
+        if (err.name !== "TokenExpiredError") {
+          console.warn("[SeamlessAuth] Invalid token:", err.message);
+          res.status(401).json({ error: "Invalid token" });
+          return;
+        }
+        const refreshToken = req.cookies?.[refreshCookieName];
+        if (!refreshToken) {
+          res.status(401).json({ error: "Session expired; re-login required" });
+          return;
+        }
+        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
+        const refreshed = await refreshAccessToken(
+          req,
+          AUTH_SERVER_URL,
+          refreshToken
+        );
+        if (!refreshed?.token) {
+          res.status(401).json({ error: "Refresh failed" });
+          return;
+        }
+        setSessionCookie(
+          res,
+          {
+            sub: refreshed.sub,
+            token: refreshed.token,
+            roles: refreshed.roles
+          },
+          cookieDomain,
+          refreshed.ttl,
+          cookieName
+        );
+        setSessionCookie(
+          res,
+          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          req.hostname,
+          refreshed.refreshTtl,
+          refreshCookieName
+        );
+        const payload = jwt5.verify(refreshed.token, COOKIE_SECRET2, {
+          algorithms: ["HS256"]
+        });
+        req.user = payload;
+        next();
+      }
+    } catch (err) {
+      console.error("[SeamlessAuth] requireAuth error:", err.message);
+      res.status(401).json({ error: "Invalid or expired access cookie" });
+      return;
+    }
+  };
+}
+
+// src/middleware/requireRole.ts
+import jwt6 from "jsonwebtoken";
+function requireRole(role, cookieName = "seamless-access") {
+  return (req, res, next) => {
+    try {
+      const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+      if (!COOKIE_SECRET2) {
+        console.warn(
+          "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireRole will always fail."
+        );
+        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+      }
+      const token = req.cookies?.[cookieName];
+      if (!token) {
+        res.status(401).json({ error: "Missing access cookie" });
+        return;
+      }
+      const payload = jwt6.verify(token, COOKIE_SECRET2, {
+        algorithms: ["HS256"]
+      });
+      if (!payload.roles?.includes(role)) {
+        res.status(403).json({ error: `Forbidden: ${role} role required` });
+        return;
+      }
+      next();
+    } catch (err) {
+      console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
+      res.status(401).json({ error: "Invalid or expired access cookie" });
+    }
+  };
+}
+
+// src/internal/getSeamlessUser.ts
+async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-access") {
+  try {
+    const payload = verifyCookieJwt(req.cookies[cookieName]);
+    if (!payload) {
+      throw new Error("Missing cookie");
+    }
+    req.cookiePayload = payload;
+    const response = await authFetch(req, `${authServerUrl}/users/me`, {
+      method: "GET"
+    });
+    if (!response.ok) {
+      console.warn(`[SeamlessAuth] Auth server responded ${response.status}`);
+      return null;
+    }
+    const data = await response.json();
+    return data.user;
+  } catch (err) {
+    console.error("[SeamlessAuth] getSeamlessUser failed:", err);
+    return null;
+  }
+}
+
+// src/index.ts
+var index_default = createSeamlessAuthServer;
+export {
+  index_default as default,
+  getSeamlessUser,
+  requireAuth,
+  requireRole
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.1",
+  "version": "0.0.2-beta.2",
   "description": "Express adapter for Seamless Auth passwordless authentication",
   "license": "MIT",
   "type": "module",
@@ -8,7 +8,7 @@
   "types": "./dist/index.d.ts",
   "author": "Fells Code LLC",
   "scripts": {
-    "build": "tsc -p tsconfig.json && node build.mjs",
+    "build": "tsup src/index.ts --format esm --out-dir dist --splitting",
     "dev": "tsc --watch"
   },
   "repository": {
@@ -32,6 +32,7 @@
   "devDependencies": {
     "@types/cookie-parser": "^1.4.10",
     "@types/jsonwebtoken": "^9.0.10",
+    "tsup": "^8.5.1",
     "typescript": "^5.5.0"
   },
   "publishConfig": {

package/dist/createServer.d.ts

@@ -1,4 +0,0 @@
-import { Router } from "express";
-import type { SeamlessAuthServerOptions } from "./types";
-export declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
-//# sourceMappingURL=createServer.d.ts.map

package/dist/createServer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"createServer.d.ts","sourceRoot":"","sources":["../src/createServer.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AAQ7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAIzD,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,yBAAyB,GAC9B,MAAM,CA6LR"}