@seamless-auth/express 0.0.2-beta.1 → 0.0.2-beta.10

package/dist/createServer.js

@@ -1,164 +0,0 @@
-import express from "express";
-import cookieParser from "cookie-parser";
-import { setSessionCookie, clearAllCookies, clearSessionCookie, } from './internal/cookie.js';
-import { authFetch } from './internal/authFetch.js';
-import { createEnsureCookiesMiddleware } from './middleware/ensureCookies.js';
-import { verifySignedAuthResponse } from './internal/verifySignedAuthResponse.js';
-/**
- * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
- *
- * This helper wires your API backend to a Seamless Auth instance running in
- * "server mode." It automatically forwards login, registration, WebAuthn,
- * logout, token refresh, and session validation routes to the auth server
- * and handles all cookie management required for a seamless login flow.
- *
- * ### Responsibilities
- * - Proxies all `/auth/*` routes to the upstream Seamless Auth server
- * - Manages `access`, `registration`, `pre-auth`, and `refresh` cookies
- * - Normalizes cookie settings for cross-domain or same-domain deployments
- * - Ensures authentication routes behave consistently across environments
- * - Provides shared middleware for auth flows
- *
- * ### Cookie Types
- * - **accessCookie** – long-lived session cookie for authenticated API requests
- * - **registrationCookie** – ephemeral cookie used during registration and OTP/WebAuthn flows
- * - **preAuthCookie** – short-lived cookie used during login initiation
- * - **refreshCookie** – opaque refresh token cookie used to rotate session tokens
- *
- * All cookie names and their domains may be customized via the `opts` parameter.
- *
- * ### Example
- * ```ts
- * app.use("/auth", createSeamlessAuthServer({
- *   authServerUrl: "https://identifier.seamlessauth.com",
- *   cookieDomain: "mycompany.com",
- *   accesscookieName: "sa_access",
- *   registrationCookieName: "sa_registration",
- *   refreshCookieName: "sa_refresh",
- * }));
- * ```
- *
- * @param opts - Configuration options for the Seamless Auth proxy:
- *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
- *   - `cookieDomain` — Domain attribute applied to all auth cookies
- *   - `accesscookieName` — Name of the session access cookie
- *   - `registrationCookieName` — Name of the ephemeral registration cookie
- *   - `refreshCookieName` — Name of the refresh token cookie
- *   - `preAuthCookieName` — Name of the cookie used during login initiation
- *
- * @returns An Express `Router` preconfigured with all Seamless Auth routes.
- */
-export function createSeamlessAuthServer(opts) {
-    const r = express.Router();
-    r.use(express.json());
-    r.use(cookieParser());
-    const { authServerUrl, cookieDomain = "", accesscookieName = "seamless-access", registrationCookieName = "seamless-ephemeral", refreshCookieName = "seamless-refresh", preAuthCookieName = "seamless-ephemeral", } = opts;
-    const proxy = (path, method = "POST") => async (req, res) => {
-        try {
-            const response = await authFetch(req, `${authServerUrl}/${path}`, {
-                method,
-                body: req.body,
-            });
-            res.status(response.status).json(await response.json());
-        }
-        catch (error) {
-            console.error(`Failed to proxy to route. Error: ${error}`);
-        }
-    };
-    r.use(createEnsureCookiesMiddleware({
-        authServerUrl,
-        cookieDomain,
-        accesscookieName,
-        registrationCookieName,
-        refreshCookieName,
-        preAuthCookieName,
-    }));
-    r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
-    r.post("/webAuthn/login/finish", finishLogin);
-    r.get("/webAuthn/register/start", proxy("webAuthn/register/start", "GET"));
-    r.post("/webAuthn/register/finish", finishRegister);
-    r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
-    r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
-    r.post("/login", login);
-    r.post("/users/update", proxy("users/update"));
-    r.post("/registration/register", register);
-    r.get("/users/me", me);
-    r.get("/logout", logout);
-    return r;
-    async function login(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/login`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        const verified = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verified) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verified.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
-        setSessionCookie(res, { sub: data.sub }, cookieDomain, data.ttl, preAuthCookieName);
-        res.status(204).end();
-    }
-    async function register(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/registration/register`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        setSessionCookie(res, { sub: data.sub }, cookieDomain, data.ttl, registrationCookieName);
-        res.status(200).json(data).end();
-    }
-    async function finishLogin(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/webAuthn/login/finish`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        const verifiedAccessToken = await verifySignedAuthResponse(data.token, authServerUrl);
-        if (!verifiedAccessToken) {
-            throw new Error("Invalid signed response from Auth Server");
-        }
-        if (verifiedAccessToken.sub !== data.sub) {
-            throw new Error("Signature mismatch with data payload");
-        }
-        setSessionCookie(res, { sub: data.sub, roles: data.roles }, cookieDomain, data.ttl, accesscookieName);
-        setSessionCookie(res, { sub: data.sub, refreshToken: data.refreshToken }, req.hostname, data.refreshTtl, refreshCookieName);
-        res.status(200).json(data).end();
-    }
-    async function finishRegister(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/webAuthn/register/finish`, {
-            method: "POST",
-            body: req.body,
-        });
-        const data = (await up.json());
-        if (!up.ok)
-            return res.status(up.status).json(data);
-        setSessionCookie(res, { sub: data.sub, roles: data.roles }, cookieDomain, data.ttl, accesscookieName);
-        res.status(204).end();
-    }
-    async function logout(req, res) {
-        await authFetch(req, `${authServerUrl}/logout`, {
-            method: "GET",
-        });
-        clearAllCookies(res, cookieDomain, accesscookieName, registrationCookieName, refreshCookieName);
-        res.status(204).end();
-    }
-    async function me(req, res) {
-        const up = await authFetch(req, `${authServerUrl}/users/me`, {
-            method: "GET",
-        });
-        const data = (await up.json());
-        clearSessionCookie(res, cookieDomain, preAuthCookieName);
-        if (!data.user)
-            return res.status(401).json({ error: "unauthenticated" });
-        res.json({ user: data.user });
-    }
-}

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC5D,YAAY,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAEzD,eAAe,wBAAwB,CAAC"}

package/dist/internal/authFetch.d.ts

@@ -1,9 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies";
-export interface AuthFetchOptions {
-    method?: "GET" | "POST" | "PUT" | "DELETE";
-    body?: any;
-    cookies?: string[];
-    headers?: Record<string, string>;
-}
-export declare function authFetch(req: CookieRequest, url: string, { method, body, cookies, headers }?: AuthFetchOptions): Promise<Response>;
-//# sourceMappingURL=authFetch.d.ts.map

package/dist/internal/authFetch.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authFetch.d.ts","sourceRoot":"","sources":["../../src/internal/authFetch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IAC3C,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED,wBAAsB,SAAS,CAC7B,GAAG,EAAE,aAAa,EAClB,GAAG,EAAE,MAAM,EACX,EAAE,MAAe,EAAE,IAAI,EAAE,OAAO,EAAE,OAAY,EAAE,GAAE,gBAAqB,qBAiDxE"}

package/dist/internal/authFetch.js

@@ -1,37 +0,0 @@
-import jwt from "jsonwebtoken";
-export async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
-    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-    if (!serviceKey) {
-        throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
-    }
-    // -------------------------------
-    // Issue short-lived machine token
-    // -------------------------------
-    const token = jwt.sign({
-        iss: process.env.FRONTEND_URL,
-        aud: process.env.AUTH_SERVER_URL,
-        sub: req.cookiePayload?.sub,
-        roles: req.cookiePayload?.roles ?? [],
-        iat: Math.floor(Date.now() / 1000),
-    }, serviceKey, {
-        expiresIn: "60s", // Short-lived
-        algorithm: "HS256", // HMAC-based
-    });
-    const finalHeaders = {
-        ...(method !== "GET" && { "Content-Type": "application/json" }),
-        ...(cookies ? { Cookie: cookies.join("; ") } : {}),
-        Authorization: `Bearer ${token}`,
-        ...headers,
-    };
-    let finalUrl = url;
-    if (method === "GET" && body && typeof body === "object") {
-        const qs = new URLSearchParams(body).toString();
-        finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;
-    }
-    const res = await fetch(finalUrl, {
-        method,
-        headers: finalHeaders,
-        ...(method !== "GET" && body ? { body: JSON.stringify(body) } : {}),
-    });
-    return res;
-}

package/dist/internal/cookie.d.ts

@@ -1,11 +0,0 @@
-import { Response } from "express";
-export interface CookiePayload {
-    sub: string;
-    token?: string;
-    refreshToken?: string;
-    roles?: string[];
-}
-export declare function setSessionCookie(res: Response, payload: CookiePayload, domain?: string, ttlSeconds?: number, name?: string): void;
-export declare function clearSessionCookie(res: Response, domain: string, name?: string): void;
-export declare function clearAllCookies(res: Response, domain: string, accesscookieName: string, registrationCookieName: string, refreshCookieName: string): void;
-//# sourceMappingURL=cookie.d.ts.map

package/dist/internal/cookie.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/internal/cookie.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,QAAQ,EACb,OAAO,EAAE,aAAa,EACtB,MAAM,CAAC,EAAE,MAAM,EACf,UAAU,SAAM,EAChB,IAAI,SAAe,QAqBpB;AAED,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,IAAI,SAAe,QAGpB;AAED,wBAAgB,eAAe,CAC7B,GAAG,EAAE,QAAQ,EACb,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,EACxB,sBAAsB,EAAE,MAAM,EAC9B,iBAAiB,EAAE,MAAM,QAK1B"}

package/dist/internal/cookie.js

@@ -1,28 +0,0 @@
-import jwt from "jsonwebtoken";
-export function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
-    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-    if (!COOKIE_SECRET) {
-        console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
-        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-    }
-    const token = jwt.sign(payload, COOKIE_SECRET, {
-        algorithm: "HS256",
-        expiresIn: `${ttlSeconds}s`,
-    });
-    res.cookie(name, token, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
-        path: "/",
-        domain,
-        maxAge: ttlSeconds * 1000,
-    });
-}
-export function clearSessionCookie(res, domain, name = "sa_session") {
-    res.clearCookie(name, { domain, path: "/" });
-}
-export function clearAllCookies(res, domain, accesscookieName, registrationCookieName, refreshCookieName) {
-    res.clearCookie(accesscookieName, { domain, path: "/" });
-    res.clearCookie(registrationCookieName, { domain, path: "/" });
-    res.clearCookie(refreshCookieName, { domain, path: "/" });
-}

package/dist/internal/getSeamlessUser.d.ts

@@ -1,51 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies.js";
-/**
- * Retrieves the authenticated Seamless Auth user for a request by calling
- * the upstream Seamless Auth Server’s introspection endpoint.
- *
- * This helper is used when server-side code needs the fully hydrated
- * Seamless Auth user object (including roles, metadata, and profile fields),
- * not just the JWT payload extracted from cookies.
- *
- * Unlike `requireAuth`, this helper does **not** enforce authentication.
- * It simply returns:
- * - The resolved user object (if the session is valid)
- * - `null` if the session is invalid, expired, or missing
- *
- * ### Responsibilities
- * - Extracts the access cookie (or refresh cookie when needed)
- * - Calls the Seamless Auth Server’s `/internal/session/introspect` endpoint
- * - Validates whether the session is active
- * - Returns the user object or `null` without throwing
- *
- * ### Use Cases
- * - Fetching the current user in internal APIs
- * - Enriching backend requests with server-authoritative user information
- * - Logging, analytics, auditing
- * - Optional-auth routes that behave differently for signed-in users
- *
- * ### Example
- * ```ts
- * app.get("/portal/me", async (req, res) => {
- *   const user = await getSeamlessUser(req, process.env.SA_AUTH_SERVER_URL);
- *
- *   if (!user) {
- *     return res.json({ user: null });
- *   }
- *
- *   return res.json({ user });
- * });
- * ```
- *
- * ### Returns
- * - A full Seamless Auth user object (if active)
- * - `null` if not authenticated or session expired
- *
- * @param req - The Express request object containing auth cookies.
- * @param authServerUrl - Base URL of the Seamless Auth instance to introspect against.
- * @param cookieName - Name of the access cookie storing the session JWT (`"seamless-access"` by default).
- *
- * @returns The authenticated user object, or `null` if the session is inactive.
- */
-export declare function getSeamlessUser<T = any>(req: CookieRequest, authServerUrl: string, cookieName?: string): Promise<T | null>;
-//# sourceMappingURL=getSeamlessUser.d.ts.map

package/dist/internal/getSeamlessUser.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"getSeamlessUser.d.ts","sourceRoot":"","sources":["../../src/internal/getSeamlessUser.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,wBAAsB,eAAe,CAAC,CAAC,GAAG,GAAG,EAC3C,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,UAAU,GAAE,MAA0B,GACrC,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAwBnB"}

package/dist/internal/getSeamlessUser.js

@@ -1,72 +0,0 @@
-import { authFetch } from "./authFetch.js";
-import { verifyCookieJwt } from "./verifyCookieJwt.js";
-/**
- * Retrieves the authenticated Seamless Auth user for a request by calling
- * the upstream Seamless Auth Server’s introspection endpoint.
- *
- * This helper is used when server-side code needs the fully hydrated
- * Seamless Auth user object (including roles, metadata, and profile fields),
- * not just the JWT payload extracted from cookies.
- *
- * Unlike `requireAuth`, this helper does **not** enforce authentication.
- * It simply returns:
- * - The resolved user object (if the session is valid)
- * - `null` if the session is invalid, expired, or missing
- *
- * ### Responsibilities
- * - Extracts the access cookie (or refresh cookie when needed)
- * - Calls the Seamless Auth Server’s `/internal/session/introspect` endpoint
- * - Validates whether the session is active
- * - Returns the user object or `null` without throwing
- *
- * ### Use Cases
- * - Fetching the current user in internal APIs
- * - Enriching backend requests with server-authoritative user information
- * - Logging, analytics, auditing
- * - Optional-auth routes that behave differently for signed-in users
- *
- * ### Example
- * ```ts
- * app.get("/portal/me", async (req, res) => {
- *   const user = await getSeamlessUser(req, process.env.SA_AUTH_SERVER_URL);
- *
- *   if (!user) {
- *     return res.json({ user: null });
- *   }
- *
- *   return res.json({ user });
- * });
- * ```
- *
- * ### Returns
- * - A full Seamless Auth user object (if active)
- * - `null` if not authenticated or session expired
- *
- * @param req - The Express request object containing auth cookies.
- * @param authServerUrl - Base URL of the Seamless Auth instance to introspect against.
- * @param cookieName - Name of the access cookie storing the session JWT (`"seamless-access"` by default).
- *
- * @returns The authenticated user object, or `null` if the session is inactive.
- */
-export async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-access") {
-    try {
-        const payload = verifyCookieJwt(req.cookies[cookieName]);
-        if (!payload) {
-            throw new Error("Missing cookie");
-        }
-        req.cookiePayload = payload;
-        const response = await authFetch(req, `${authServerUrl}/users/me`, {
-            method: "GET",
-        });
-        if (!response.ok) {
-            console.warn(`[SeamlessAuth] Auth server responded ${response.status}`);
-            return null;
-        }
-        const data = (await response.json());
-        return data.user;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] getSeamlessUser failed:", err);
-        return null;
-    }
-}

package/dist/internal/refreshAccessToken.d.ts

@@ -1,10 +0,0 @@
-import { CookieRequest } from "../middleware/ensureCookies.js";
-export declare function refreshAccessToken(req: CookieRequest, authServerUrl: string, refreshToken: string): Promise<{
-    sub: string;
-    token: string;
-    refreshToken: string;
-    roles: string[];
-    ttl: number;
-    refreshTtl: number;
-} | null>;
-//# sourceMappingURL=refreshAccessToken.d.ts.map

package/dist/internal/refreshAccessToken.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"refreshAccessToken.d.ts","sourceRoot":"","sources":["../../src/internal/refreshAccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAG/D,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,aAAa,EAClB,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,IAAI,CAAC,CAwDR"}

package/dist/internal/refreshAccessToken.js

@@ -1,44 +0,0 @@
-import jwt from "jsonwebtoken";
-export async function refreshAccessToken(req, authServerUrl, refreshToken) {
-    try {
-        const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-        if (!COOKIE_SECRET) {
-            console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
-            throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-        }
-        const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-        if (!serviceKey) {
-            throw new Error("Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN");
-        }
-        // unwrap token with local key and rewrap with service key
-        const payload = jwt.verify(refreshToken, COOKIE_SECRET, {
-            algorithms: ["HS256"],
-        });
-        const token = jwt.sign({
-            // Minimal, safe fields
-            iss: process.env.FRONTEND_URL,
-            aud: process.env.AUTH_SERVER,
-            sub: payload.sub,
-            refreshToken: payload.refreshToken,
-            iat: Math.floor(Date.now() / 1000),
-        }, serviceKey, {
-            expiresIn: "60s", // Short-lived = safer
-            algorithm: "HS256", // HMAC-based
-            keyid: "dev-main", // For future rotation
-        });
-        const response = await fetch(`${authServerUrl}/refresh`, {
-            method: "GET",
-            headers: { Authorization: `Bearer ${token}` },
-        });
-        if (!response.ok) {
-            console.error("[SeamlessAuth] Refresh token request failed:", response.status);
-            return null;
-        }
-        const data = await response.json();
-        return data;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] refreshAccessToken error:", err);
-        return null;
-    }
-}

package/dist/internal/verifyCookieJwt.d.ts

@@ -1,2 +0,0 @@
-export declare function verifyCookieJwt<T = any>(token: string): T | null;
-//# sourceMappingURL=verifyCookieJwt.d.ts.map

package/dist/internal/verifyCookieJwt.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifyCookieJwt.d.ts","sourceRoot":"","sources":["../../src/internal/verifyCookieJwt.ts"],"names":[],"mappings":"AAIA,wBAAgB,eAAe,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAShE"}

package/dist/internal/verifyCookieJwt.js

@@ -1,13 +0,0 @@
-import jwt from "jsonwebtoken";
-const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-export function verifyCookieJwt(token) {
-    try {
-        return jwt.verify(token, COOKIE_SECRET, {
-            algorithms: ["HS256"],
-        });
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] Cookie JWT verification failed:", err);
-        return null;
-    }
-}

package/dist/internal/verifySignedAuthResponse.d.ts

@@ -1,6 +0,0 @@
-/**
- * Verifies a signed response JWT from a Seamless Auth server.
- * Uses the Auth Server's JWKS endpoint to dynamically fetch public keys.
- */
-export declare function verifySignedAuthResponse<T = any>(token: string, authServerUrl: string): Promise<T | null>;
-//# sourceMappingURL=verifySignedAuthResponse.d.ts.map

package/dist/internal/verifySignedAuthResponse.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifySignedAuthResponse.d.ts","sourceRoot":"","sources":["../../src/internal/verifySignedAuthResponse.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,CAAC,GAAG,GAAG,EACpD,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAmBnB"}

package/dist/internal/verifySignedAuthResponse.js

@@ -1,23 +0,0 @@
-import { createRemoteJWKSet, jwtVerify } from "jose";
-/**
- * Verifies a signed response JWT from a Seamless Auth server.
- * Uses the Auth Server's JWKS endpoint to dynamically fetch public keys.
- */
-export async function verifySignedAuthResponse(token, authServerUrl) {
-    try {
-        // Construct JWKS URL from auth server
-        const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
-        // Create a remote JWKS verifier (auto-caches)
-        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-        // Verify signature and algorithm
-        const { payload } = await jwtVerify(token, JWKS, {
-            algorithms: ["RS256"],
-            issuer: authServerUrl,
-        });
-        return payload;
-    }
-    catch (err) {
-        console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
-        return null;
-    }
-}

package/dist/middleware/ensureCookies.d.ts

@@ -1,8 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-import { SeamlessAuthServerOptions } from "../types";
-import { JwtPayload } from "jsonwebtoken";
-export interface CookieRequest extends Request {
-    cookiePayload?: JwtPayload;
-}
-export declare function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions): (req: CookieRequest, res: Response, next: NextFunction, cookieDomain?: string) => Promise<void | Response<any, Record<string, any>>>;
-//# sourceMappingURL=ensureCookies.d.ts.map

package/dist/middleware/ensureCookies.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ensureCookies.d.ts","sourceRoot":"","sources":["../../src/middleware/ensureCookies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,MAAM,UAAU,CAAC;AAGrD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI1C,MAAM,WAAW,aAAc,SAAQ,OAAO;IAC5C,aAAa,CAAC,EAAE,UAAU,CAAC;CAC5B;AAED,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,yBAAyB,IA4BzE,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,MAAM,YAAY,EAClB,qBAAiB,wDAqFpB"}

package/dist/middleware/ensureCookies.js

@@ -1,78 +0,0 @@
-import { verifyCookieJwt } from "../internal/verifyCookieJwt.js";
-import { refreshAccessToken } from "../internal/refreshAccessToken";
-import { clearAllCookies, setSessionCookie } from "../internal/cookie";
-export function createEnsureCookiesMiddleware(opts) {
-    const COOKIE_REQUIREMENTS = {
-        "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
-        "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
-        "/webAuthn/register/start": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/webAuthn/register/finish": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/otp/verify-email-otp": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/otp/verify-phone-otp": {
-            name: opts.registrationCookieName,
-            required: true,
-        },
-        "/logout": { name: opts.accesscookieName, required: true },
-        "/users/me": { name: opts.accesscookieName, required: true },
-    };
-    return async function ensureCookies(req, res, next, cookieDomain = "") {
-        const match = Object.entries(COOKIE_REQUIREMENTS).find(([path]) => req.path.startsWith(path));
-        if (!match)
-            return next();
-        const [, { name, required }] = match;
-        const AUTH_SERVER_URL = process.env.AUTH_SERVER;
-        const cookieValue = req.cookies?.[name];
-        const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
-        if (required && !cookieValue) {
-            if (refreshCookieValue) {
-                console.log("[SeamlessAuth] Access token expired — attempting refresh");
-                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshCookieValue);
-                if (!refreshed?.token) {
-                    clearAllCookies(res, cookieDomain, name, opts.registrationCookieName, opts.refreshCookieName);
-                    res.status(401).json({ error: "Refresh failed" });
-                    return;
-                }
-                // Update cookie with new access token
-                setSessionCookie(res, {
-                    sub: refreshed.sub,
-                    token: refreshed.token,
-                    roles: refreshed.roles,
-                }, cookieDomain, refreshed.ttl, name);
-                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, cookieDomain, refreshed.refreshTtl, opts.refreshCookieName);
-                // Let requireAuth() attempt refresh
-                req.cookiePayload = {
-                    sub: refreshed.sub,
-                    roles: refreshed.roles,
-                };
-                return next();
-            }
-            // No required cookie AND no refresh cookie
-            return res.status(400).json({
-                error: `Missing required cookie "${name}" for route ${req.path}`,
-                hint: "Did you forget to call /auth/login/start first?",
-            });
-        }
-        //
-        // If cookie exists, verify it normally
-        //
-        if (cookieValue) {
-            const payload = verifyCookieJwt(cookieValue);
-            if (!payload) {
-                return res
-                    .status(401)
-                    .json({ error: `Invalid or expired ${name} cookie` });
-            }
-            req.cookiePayload = payload;
-        }
-        next();
-    };
-}

package/dist/middleware/requireAuth.d.ts

@@ -1,53 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-/**
- * Express middleware that enforces authentication using Seamless Auth cookies.
- *
- * This guard verifies the signed access cookie generated by the Seamless Auth
- * server. If the access cookie is valid and unexpired, the decoded session
- * payload is attached to `req.user` and the request proceeds.
- *
- * If the access cookie is expired or missing *but* a valid refresh cookie is
- * present, the middleware automatically attempts a silent token refresh using
- * the Seamless Auth server. When successful, new session cookies are issued and
- * the request continues with an updated `req.user`.
- *
- * If neither the access token nor refresh token can validate the session,
- * the middleware returns a 401 Unauthorized error and prevents further
- * route execution.
- *
- * ### Responsibilities
- * - Validates the Seamless Auth session access cookie
- * - Attempts refresh-token–based session renewal when necessary
- * - Populates `req.user` with the verified session payload
- * - Handles all cookie rewriting during refresh flows
- * - Acts as a request-level authentication guard for API routes
- *
- * ### Cookie Parameters
- * - **cookieName** — Name of the access cookie that holds the signed session JWT
- * - **refreshCookieName** — Name of the refresh cookie used for silent token refresh
- * - **cookieDomain** — Domain or path value applied to issued cookies
- *
- * ### Example
- * ```ts
- * // Protect a route
- * app.get("/api/me", requireAuth(), (req, res) => {
- *   res.json({ user: req.user });
- * });
- *
- * // Custom cookie names (if your Seamless Auth server uses overrides)
- * app.use(
- *   "/internal",
- *   requireAuth("sa_access", "sa_refresh", "mycompany.com"),
- *   internalRouter
- * );
- * ```
- *
- * @param cookieName - The access cookie name. Defaults to `"seamless-access"`.
- * @param refreshCookieName - The refresh cookie name used for session rotation. Defaults to `"seamless-refresh"`.
- * @param cookieDomain - Domain or path used when rewriting cookies. Defaults to `"/"`.
- *
- * @returns An Express middleware function that enforces Seamless Auth
- *          authentication on incoming requests.
- */
-export declare function requireAuth(cookieName?: string, refreshCookieName?: string, cookieDomain?: string): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-//# sourceMappingURL=requireAuth.d.ts.map