@seamless-auth/express 0.0.1 → 0.0.2-beta.2

package/dist/createServer.js

@@ -1,120 +0,0 @@
-import express from "express";
-import cookieParser from "cookie-parser";
-import { setSessionCookie, clearAllCookies, clearSessionCookie, } from "./internal/cookie";
-import { authFetch } from "./internal/authFetch";
-import { createEnsureCookiesMiddleware } from "./middleware/ensureCookies";
-import { verifySignedAuthResponse } from "./internal/verifySignedAuthResponse";
-export function createSeamlessAuthServer(opts) {
-    const r = express.Router();
-    r.use(express.json());
-    r.use(cookieParser());
-    const { authServerUrl, cookieDomain = "", accesscookieName = "seamless-access", registrationCookieName = "seamless-ephemeral", refreshCookieName = "seamless-refresh", preAuthCookieName = "seamless-ephemeral", } = opts;
-    const proxy = (path, method = "POST") => async (req, res) => {
-        try {
-            const response = await authFetch(req, `${authServerUrl}/${path}`, {
-                method,
-                body: req.body,
-            });
-            res.status(response.status).json(await response.json());
-        }
-        catch (error) {
-            console.error(`Failed to proxy to route. Error: ${error}`);
-        }
-    };
-    r.use(createEnsureCookiesMiddleware({
-        authServerUrl,
-        cookieDomain,
-        accesscookieName,
-        registrationCookieName,
-        refreshCookieName,
-        preAuthCookieName,
-    }));
-    r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
-    r.post("/webAuthn/login/finish", finishLogin);
-    r.get("/webAuthn/register/start", proxy("webAuthn/register/start", "GET"));
-    r.post("/webAuthn/register/finish", finishRegister);
-    r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
-    r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
-    r.post("/login", login);
-    r.post("/users/update", proxy("users/update"));
-    r.post("/registration/register", register);
-    r.get("/users/me", me);
-    r.get("/logout", logout);
-    return r;
-    async function login(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/login`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        const verified = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verified) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verified.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
-        setSessionCookie(res, { sub: data.sub }, cookieDomain, data.ttl, preAuthCookieName);
-        res.status(204).end();
-    }
-    async function register(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/registration/register`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        setSessionCookie(res, { sub: data.sub }, cookieDomain, data.ttl, registrationCookieName);
-        res.status(200).json(data).end();
-    }
-    async function finishLogin(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/webAuthn/login/finish`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        const verifiedAccessToken = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verifiedAccessToken) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verifiedAccessToken.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
-        setSessionCookie(res, { sub: data.sub, roles: data.roles }, cookieDomain, data.ttl, accesscookieName);
-        setSessionCookie(res, { sub: data.sub, refreshToken: data.refreshToken }, req.hostname, data.refreshTtl, refreshCookieName);
-        res.status(200).json(data).end();
-    }
-    async function finishRegister(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/webAuthn/register/finish`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        setSessionCookie(res, { sub: data.sub, roles: data.roles }, cookieDomain, data.ttl, accesscookieName);
-        res.status(204).end();
-    }
-    async function logout(req, res) {
-        await authFetch(req, `${authServerUrl}/logout`, {
-            method: "GET",
-        });
-        clearAllCookies(res, cookieDomain, accesscookieName, registrationCookieName, refreshCookieName);
-        res.status(204).end();
-    }
-    async function me(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/users/me`, {
-            method: "GET",
-        });
-        const data = (await up.json());
-        clearSessionCookie(res, cookieDomain, preAuthCookieName);
-        if (!data.user)
-            return res.status(401).json({ error: "unauthenticated" });
-        res.json({ user: data.user });
-    }
-}

package/dist/index.d.ts

@@ -1,7 +0,0 @@
-import { createSeamlessAuthServer } from "./createServer";
-export { requireAuth } from "./middleware/requireAuth";
-export { requireRole } from "./middleware/requireRole";
-export { getSeamlessUser } from "./internal/getSeamlessUser";
-export type { SeamlessAuthServerOptions } from "./types";
-export default createSeamlessAuthServer;
-//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC5D,YAAY,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAEzD,eAAe,wBAAwB,CAAC"}

package/dist/internal/authFetch.d.ts

@@ -1,9 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies";
-export interface AuthFetchOptions {
-    method?: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
-    body?: any;
-    cookies?: string[];
-    headers?: Record<string, string>;
-}
-export declare function authFetch(req: CookieRequest, url: string, { method, body, cookies, headers }?: AuthFetchOptions): Promise<Response>;
-//# sourceMappingURL=authFetch.d.ts.map

package/dist/internal/authFetch.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authFetch.d.ts","sourceRoot":"","sources":["../../src/internal/authFetch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACrD,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED,wBAAsB,SAAS,CAC7B,GAAG,EAAE,aAAa,EAClB,GAAG,EAAE,MAAM,EACX,EAAE,MAAe,EAAE,IAAI,EAAE,OAAO,EAAE,OAAY,EAAE,GAAE,gBAAqB,qBAuDxE"}

package/dist/internal/authFetch.js

@@ -1,41 +0,0 @@
-import jwt from "jsonwebtoken";
-export async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
-    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-    if (!serviceKey) {
-        throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
-    }
-    console.debug("[SeamlessAuth] Performing authentication fetch to Auth server");
-    // -------------------------------
-    // Issue short-lived machine token
-    // -------------------------------
-    const token = jwt.sign({
-        // Minimal, safe fields
-        iss: process.env.FRONTEND_URL,
-        aud: process.env.AUTH_SERVER_URL,
-        sub: req.cookiePayload?.sub,
-        roles: req.cookiePayload?.roles ?? [],
-        iat: Math.floor(Date.now() / 1000),
-    }, serviceKey, {
-        expiresIn: "60s", // Short-lived = safer
-        algorithm: "HS256", // HMAC-based
-        keyid: "dev-main", // For future rotation
-    });
-    const finalHeaders = {
-        ...(method !== "GET" && { "Content-Type": "application/json" }),
-        ...(cookies ? { Cookie: cookies.join("; ") } : {}),
-        Authorization: `Bearer ${serviceKey}`,
-        ...headers,
-    };
-    let finalUrl = url;
-    console.debug("[SeamlessAuth] URL ...", finalUrl);
-    if (method === "GET" && body && typeof body === "object") {
-        const qs = new URLSearchParams(body).toString();
-        finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;
-    }
-    const res = await fetch(finalUrl, {
-        method,
-        headers: finalHeaders,
-        ...(method !== "GET" && body ? { body: JSON.stringify(body) } : {}),
-    });
-    return res;
-}

package/dist/internal/cookie.d.ts

@@ -1,11 +0,0 @@
-import { Response } from "express";
-export interface CookiePayload {
-    sub: string;
-    token?: string;
-    refreshToken?: string;
-    roles?: string[];
-}
-export declare function setSessionCookie(res: Response, payload: CookiePayload, domain?: string, ttlSeconds?: number, name?: string): void;
-export declare function clearSessionCookie(res: Response, domain: string, name?: string): void;
-export declare function clearAllCookies(res: Response, domain: string, accesscookieName: string, registrationCookieName: string, refreshCookieName: string): void;
-//# sourceMappingURL=cookie.d.ts.map

package/dist/internal/cookie.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/internal/cookie.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,QAAQ,EACb,OAAO,EAAE,aAAa,EACtB,MAAM,CAAC,EAAE,MAAM,EACf,UAAU,SAAM,EAChB,IAAI,SAAe,QAqBpB;AAED,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,IAAI,SAAe,QAGpB;AAED,wBAAgB,eAAe,CAC7B,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,EACxB,sBAAsB,EAAE,MAAM,EAC9B,iBAAiB,EAAE,MAAM,QAK1B"}

package/dist/internal/cookie.js

@@ -1,28 +0,0 @@
-import jwt from "jsonwebtoken";
-export function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
-    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-    if (!COOKIE_SECRET) {
-        console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
-        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-    }
-    const token = jwt.sign(payload, COOKIE_SECRET, {
-        algorithm: "HS256",
-        expiresIn: `${ttlSeconds}s`,
-    });
-    res.cookie(name, token, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
-        path: "/",
-        domain,
-        maxAge: ttlSeconds * 1000,
-    });
-}
-export function clearSessionCookie(res, domain, name = "sa_session") {
-    res.clearCookie(name, { domain, path: "/" });
-}
-export function clearAllCookies(res, domain, accesscookieName, registrationCookieName, refreshCookieName) {
-    res.clearCookie(accesscookieName, { domain, path: "/" });
-    res.clearCookie(registrationCookieName, { domain, path: "/" });
-    res.clearCookie(refreshCookieName, { domain, path: "/" });
-}

package/dist/internal/getSeamlessUser.d.ts

@@ -1,11 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies.js";
-/**
- * Retrieves the Seamless Auth user information by calling the auth server's introspection endpoint.
- * Requires the sa_session (or custom) cookie to be present on the request.
- *
- * @param req Express request object
- * @param authServerUrl Base URL of the client's auth server
- * @returns The user data object if valid, or null if invalid/unauthenticated
- */
-export declare function getSeamlessUser<T = any>(req: CookieRequest, authServerUrl: string, cookieName?: string): Promise<T | null>;
-//# sourceMappingURL=getSeamlessUser.d.ts.map

package/dist/internal/getSeamlessUser.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"getSeamlessUser.d.ts","sourceRoot":"","sources":["../../src/internal/getSeamlessUser.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,GAAG,GAAG,EAC3C,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,UAAU,GAAE,MAA+B,GAC1C,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAwBnB"}

package/dist/internal/getSeamlessUser.js

@@ -1,32 +0,0 @@
-import { authFetch } from "./authFetch.js";
-import { verifyCookieJwt } from "./verifyCookieJwt.js";
-/**
- * Retrieves the Seamless Auth user information by calling the auth server's introspection endpoint.
- * Requires the sa_session (or custom) cookie to be present on the request.
- *
- * @param req Express request object
- * @param authServerUrl Base URL of the client's auth server
- * @returns The user data object if valid, or null if invalid/unauthenticated
- */
-export async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-auth-access") {
-    try {
-        const payload = verifyCookieJwt(req.cookies[cookieName]);
-        if (!payload) {
-            throw new Error("Missing cookie");
-        }
-        req.cookiePayload = payload;
-        const response = await authFetch(req, `${authServerUrl}/users/me`, {
-            method: "GET",
-        });
-        if (!response.ok) {
-            console.warn(`[SeamlessAuth] Auth server responded ${response.status}`);
-            return null;
-        }
-        const data = (await response.json());
-        return data.user;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] getSeamlessUser failed:", err);
-        return null;
-    }
-}

package/dist/internal/refreshAccessToken.d.ts

@@ -1,10 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies.js";
-export declare function refreshAccessToken(req: CookieRequest, authServerUrl: string, refreshToken: string): Promise<{
-    sub: string;
-    token: string;
-    refreshToken: string;
-    roles: string[];
-    ttl: number;
-    refreshTtl: number;
-} | null>;
-//# sourceMappingURL=refreshAccessToken.d.ts.map

package/dist/internal/refreshAccessToken.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"refreshAccessToken.d.ts","sourceRoot":"","sources":["../../src/internal/refreshAccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,IAAI,CAAC,CAwDR"}

package/dist/internal/refreshAccessToken.js

@@ -1,44 +0,0 @@
-import jwt from "jsonwebtoken";
-export async function refreshAccessToken(req, authServerUrl, refreshToken) {
-    try {
-        const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-        if (!COOKIE_SECRET) {
-            console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
-            throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-        }
-        const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-        if (!serviceKey) {
-            throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
-        }
-        // unwrap token with local key and rewrap with service key
-        const payload = jwt.verify(refreshToken, COOKIE_SECRET, {
-            algorithms: ["HS256"],
-        });
-        const token = jwt.sign({
-            // Minimal, safe fields
-            iss: process.env.FRONTEND_URL,
-            aud: process.env.AUTH_SERVER,
-            sub: payload.sub,
-            refreshToken: payload.refreshToken,
-            iat: Math.floor(Date.now() / 1000),
-        }, serviceKey, {
-            expiresIn: "60s", // Short-lived = safer
-            algorithm: "HS256", // HMAC-based
-            keyid: "dev-main", // For future rotation
-        });
-        const response = await fetch(`${authServerUrl}/refresh`, {
-            method: "GET",
-            headers: { Authorization: `Bearer ${token}` },
-        });
-        if (!response.ok) {
-            console.error("[SeamlessAuth] Refresh token request failed:", response.status);
-            return null;
-        }
-        const data = await response.json();
-        return data;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] refreshAccessToken error:", err);
-        return null;
-    }
-}

package/dist/internal/verifyCookieJwt.d.ts

@@ -1,2 +0,0 @@
-export declare function verifyCookieJwt<T = any>(token: string): T | null;
-//# sourceMappingURL=verifyCookieJwt.d.ts.map

package/dist/internal/verifyCookieJwt.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifyCookieJwt.d.ts","sourceRoot":"","sources":["../../src/internal/verifyCookieJwt.ts"],"names":[],"mappings":"AAIA,wBAAgB,eAAe,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAShE"}

package/dist/internal/verifyCookieJwt.js

@@ -1,13 +0,0 @@
-import jwt from "jsonwebtoken";
-const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-export function verifyCookieJwt(token) {
-    try {
-        return jwt.verify(token, COOKIE_SECRET, {
-            algorithms: ["HS256"],
-        });
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] Cookie JWT verification failed:", err);
-        return null;
-    }
-}

package/dist/internal/verifySignedAuthResponse.d.ts

@@ -1,6 +0,0 @@
-/**
- * Verifies a signed response JWT from a Seamless Auth server.
- * Uses the Auth Server's JWKS endpoint to dynamically fetch public keys.
- */
-export declare function verifySignedAuthResponse<T = any>(token: string, authServerUrl: string): Promise<T | null>;
-//# sourceMappingURL=verifySignedAuthResponse.d.ts.map

package/dist/internal/verifySignedAuthResponse.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifySignedAuthResponse.d.ts","sourceRoot":"","sources":["../../src/internal/verifySignedAuthResponse.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,CAAC,GAAG,GAAG,EACpD,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAmBnB"}

package/dist/internal/verifySignedAuthResponse.js

@@ -1,23 +0,0 @@
-import { createRemoteJWKSet, jwtVerify } from "jose";
-/**
- * Verifies a signed response JWT from a Seamless Auth server.
- * Uses the Auth Server's JWKS endpoint to dynamically fetch public keys.
- */
-export async function verifySignedAuthResponse(token, authServerUrl) {
-    try {
-        // Construct JWKS URL from auth server
-        const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
-        // Create a remote JWKS verifier (auto-caches)
-        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-        // Verify signature and algorithm
-        const { payload } = await jwtVerify(token, JWKS, {
-            algorithms: ["RS256"],
-            issuer: authServerUrl,
-        });
-        return payload;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
-        return null;
-    }
-}

package/dist/middleware/ensureCookies.d.ts

@@ -1,8 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-import { SeamlessAuthServerOptions } from "../types";
-import { JwtPayload } from "jsonwebtoken";
-export interface CookieRequest extends Request {
-    cookiePayload?: JwtPayload;
-}
-export declare function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions): (req: CookieRequest, res: Response, next: NextFunction, cookieDomain?: string) => Promise<void | Response<any, Record<string, any>>>;
-//# sourceMappingURL=ensureCookies.d.ts.map

package/dist/middleware/ensureCookies.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ensureCookies.d.ts","sourceRoot":"","sources":["../../src/middleware/ensureCookies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,MAAM,UAAU,CAAC;AAGrD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI1C,MAAM,WAAW,aAAc,SAAQ,OAAO;IAC5C,aAAa,CAAC,EAAE,UAAU,CAAC;CAC5B;AAED,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,yBAAyB,IA4BzE,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,MAAM,YAAY,EAClB,qBAAiB,wDA2FpB"}

package/dist/middleware/ensureCookies.js

@@ -1,84 +0,0 @@
-import { verifyCookieJwt } from "../internal/verifyCookieJwt.js";
-import { refreshAccessToken } from "../internal/refreshAccessToken";
-import { clearAllCookies, setSessionCookie } from "../internal/cookie";
-export function createEnsureCookiesMiddleware(opts) {
-    const COOKIE_REQUIREMENTS = {
-        "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
-        "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
-        "/webAuthn/register/start": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/webAuthn/register/finish": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/otp/verify-email-otp": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/otp/verify-phone-otp": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/logout": { name: opts.accesscookieName, required: true },
-        "/users/me": { name: opts.accesscookieName, required: true },
-    };
-    return async function ensureCookies(req, res, next, cookieDomain = "") {
-        const match = Object.entries(COOKIE_REQUIREMENTS).find(([path]) => req.path.startsWith(path));
-        if (!match)
-            return next();
-        const [, { name, required }] = match;
-        const AUTH_SERVER_URL = process.env.AUTH_SERVER;
-        const cookieValue = req.cookies?.[name];
-        const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
-        //
-        // --- NEW REFRESH-AWARE LOGIC ---
-        //
-        // If required cookie is missing BUT refresh cookie exists,
-        // allow request to proceed. requireAuth() will perform refresh.
-        //
-        if (required && !cookieValue) {
-            if (refreshCookieValue) {
-                console.log("[SeamlessAuth] Access token expired — attempting refresh");
-                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshCookieValue);
-                if (!refreshed?.token) {
-                    clearAllCookies(res, cookieDomain, name, opts.registrationCookieName, opts.refreshCookieName);
-                    res.status(401).json({ error: "Refresh failed" });
-                    return;
-                }
-                // Update cookie with new access token
-                setSessionCookie(res, {
-                    sub: refreshed.sub,
-                    token: refreshed.token,
-                    roles: refreshed.roles,
-                }, cookieDomain, refreshed.ttl, name);
-                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, cookieDomain, refreshed.refreshTtl, opts.refreshCookieName);
-                // Let requireAuth() attempt refresh
-                req.cookiePayload = {
-                    sub: refreshed.sub,
-                    roles: refreshed.roles,
-                };
-                return next();
-            }
-            // No required cookie AND no refresh cookie → hard fail
-            return res.status(400).json({
-                error: `Missing required cookie "${name}" for route ${req.path}`,
-                hint: "Did you forget to call /auth/login/start first?",
-            });
-        }
-        //
-        // If cookie exists, verify it normally
-        //
-        if (cookieValue) {
-            const payload = verifyCookieJwt(cookieValue);
-            if (!payload) {
-                return res
-                    .status(401)
-                    .json({ error: `Invalid or expired ${name} cookie` });
-            }
-            req.cookiePayload = payload;
-        }
-        next();
-    };
-}

package/dist/middleware/requireAuth.d.ts

@@ -1,9 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-/**
- * Express middleware that verifies a Seamless Auth access cookie.
- * - Reads and verifies signed cookie JWT
- * - Attaches decoded payload to req.user
- * - Returns 401 if missing/invalid/expired
- */
-export declare function requireAuth(cookieName?: string, refreshCookieName?: string, cookieDomain?: string): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-//# sourceMappingURL=requireAuth.d.ts.map

package/dist/middleware/requireAuth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"requireAuth.d.ts","sourceRoot":"","sources":["../../src/middleware/requireAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM1D;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,UAAU,SAAyB,EACnC,iBAAiB,SAA0B,EAC3C,YAAY,SAAM,IAahB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAAC,CA+EjB"}

package/dist/middleware/requireAuth.js

@@ -1,74 +0,0 @@
-import jwt from "jsonwebtoken";
-import { refreshAccessToken } from "../internal/refreshAccessToken.js";
-import { setSessionCookie } from "../internal/cookie.js";
-/**
- * Express middleware that verifies a Seamless Auth access cookie.
- * - Reads and verifies signed cookie JWT
- * - Attaches decoded payload to req.user
- * - Returns 401 if missing/invalid/expired
- */
-export function requireAuth(cookieName = "seamless-auth-access", refreshCookieName = "seamless-auth-refresh", cookieDomain = "/") {
-    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-    if (!COOKIE_SECRET) {
-        console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
-        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-    }
-    const AUTH_SERVER_URL = process.env.AUTH_SERVER;
-    return async (req, res, next) => {
-        try {
-            if (!COOKIE_SECRET) {
-                throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
-            }
-            const token = req.cookies?.[cookieName];
-            if (!token) {
-                res.status(401).json({ error: "Missing access cookie" });
-                return;
-            }
-            try {
-                const payload = jwt.verify(token, COOKIE_SECRET, {
-                    algorithms: ["HS256"],
-                });
-                req.user = payload;
-                return next();
-            }
-            catch (err) {
-                // expired or invalid token
-                if (err.name !== "TokenExpiredError") {
-                    console.warn("[SeamlessAuth] Invalid token:", err.message);
-                    res.status(401).json({ error: "Invalid token" });
-                    return;
-                }
-                // Try refresh
-                const refreshToken = req.cookies?.[refreshCookieName];
-                if (!refreshToken) {
-                    res.status(401).json({ error: "Session expired; re-login required" });
-                    return;
-                }
-                console.log("[SeamlessAuth] Access token expired — attempting refresh");
-                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshToken);
-                if (!refreshed?.token) {
-                    res.status(401).json({ error: "Refresh failed" });
-                    return;
-                }
-                // Update cookie with new access token
-                setSessionCookie(res, {
-                    sub: refreshed.sub,
-                    token: refreshed.token,
-                    roles: refreshed.roles,
-                }, cookieDomain, refreshed.ttl, cookieName);
-                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, req.hostname, refreshed.refreshTtl, refreshCookieName);
-                // Decode new token so downstream has user
-                const payload = jwt.verify(refreshed.token, COOKIE_SECRET, {
-                    algorithms: ["HS256"],
-                });
-                req.user = payload;
-                next();
-            }
-        }
-        catch (err) {
-            console.error("[SeamlessAuth] requireAuth error:", err.message);
-            res.status(401).json({ error: "Invalid or expired access cookie" });
-            return;
-        }
-    };
-}

package/dist/middleware/requireRole.d.ts

@@ -1,9 +0,0 @@
-import { RequestHandler } from "express";
-/**
- * Express middleware to enforce a required role from Seamless Auth cookie JWT.
- *
- * @param role        Role name to require (e.g. 'admin')
- * @param cookieName  Cookie name containing JWT (default: 'sa_session')
- */
-export declare function requireRole(role: string, cookieName?: string): RequestHandler;
-//# sourceMappingURL=requireRole.d.ts.map

package/dist/middleware/requireRole.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"requireRole.d.ts","sourceRoot":"","sources":["../../src/middleware/requireRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAG1E;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,UAAU,SAAoB,GAC7B,cAAc,CAiChB"}

package/dist/middleware/requireRole.js

@@ -1,37 +0,0 @@
-import jwt from "jsonwebtoken";
-/**
- * Express middleware to enforce a required role from Seamless Auth cookie JWT.
- *
- * @param role        Role name to require (e.g. 'admin')
- * @param cookieName  Cookie name containing JWT (default: 'sa_session')
- */
-export function requireRole(role, cookieName = "seamless-access") {
-    return (req, res, next) => {
-        try {
-            const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-            if (!COOKIE_SECRET) {
-                console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireRole will always fail.");
-                throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-            }
-            const token = req.cookies?.[cookieName];
-            if (!token) {
-                res.status(401).json({ error: "Missing access cookie" });
-                return;
-            }
-            // Verify JWT signature
-            const payload = jwt.verify(token, COOKIE_SECRET, {
-                algorithms: ["HS256"],
-            });
-            // Check role membership
-            if (!payload.roles?.includes(role)) {
-                res.status(403).json({ error: `Forbidden: ${role} role required` });
-                return;
-            }
-            next();
-        }
-        catch (err) {
-            console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
-            res.status(401).json({ error: "Invalid or expired access cookie" });
-        }
-    };
-}