npm - @seamless-auth/express - Versions diffs - 0.0.2-beta.1 → 0.0.2-beta.10 - Mend

@seamless-auth/express 0.0.2-beta.1 → 0.0.2-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/LICENSE +79 -0
package/LICENSE.md +26 -0
package/README.md +99 -123
package/dist/index.d.ts +190 -7
package/dist/index.js +501 -5
package/package.json +31 -14
package/dist/createServer.d.ts +0 -48
package/dist/createServer.d.ts.map +0 -1
package/dist/createServer.js +0 -164
package/dist/index.d.ts.map +0 -1
package/dist/internal/authFetch.d.ts +0 -9
package/dist/internal/authFetch.d.ts.map +0 -1
package/dist/internal/authFetch.js +0 -37
package/dist/internal/cookie.d.ts +0 -11
package/dist/internal/cookie.d.ts.map +0 -1
package/dist/internal/cookie.js +0 -28
package/dist/internal/getSeamlessUser.d.ts +0 -51
package/dist/internal/getSeamlessUser.d.ts.map +0 -1
package/dist/internal/getSeamlessUser.js +0 -72
package/dist/internal/refreshAccessToken.d.ts +0 -10
package/dist/internal/refreshAccessToken.d.ts.map +0 -1
package/dist/internal/refreshAccessToken.js +0 -44
package/dist/internal/verifyCookieJwt.d.ts +0 -2
package/dist/internal/verifyCookieJwt.d.ts.map +0 -1
package/dist/internal/verifyCookieJwt.js +0 -13
package/dist/internal/verifySignedAuthResponse.d.ts +0 -6
package/dist/internal/verifySignedAuthResponse.d.ts.map +0 -1
package/dist/internal/verifySignedAuthResponse.js +0 -23
package/dist/middleware/ensureCookies.d.ts +0 -8
package/dist/middleware/ensureCookies.d.ts.map +0 -1
package/dist/middleware/ensureCookies.js +0 -78
package/dist/middleware/requireAuth.d.ts +0 -53
package/dist/middleware/requireAuth.d.ts.map +0 -1
package/dist/middleware/requireAuth.js +0 -118
package/dist/middleware/requireRole.d.ts +0 -49
package/dist/middleware/requireRole.d.ts.map +0 -1
package/dist/middleware/requireRole.js +0 -77
package/dist/types.d.ts +0 -9
package/dist/types.d.ts.map +0 -1
package/dist/types.js +0 -1

package/dist/middleware/requireAuth.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"requireAuth.d.ts","sourceRoot":"","sources":["../../src/middleware/requireAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM1D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AACH,wBAAgB,WAAW,CACzB,UAAU,SAAoB,EAC9B,iBAAiB,SAAqB,EACtC,YAAY,SAAM,IAahB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAAC,CA+EjB"}

package/dist/middleware/requireAuth.js DELETED Viewed

@@ -1,118 +0,0 @@
-import jwt from "jsonwebtoken";
-import { refreshAccessToken } from "../internal/refreshAccessToken.js";
-import { setSessionCookie } from "../internal/cookie.js";
-/**
- * Express middleware that enforces authentication using Seamless Auth cookies.
- *
- * This guard verifies the signed access cookie generated by the Seamless Auth
- * server. If the access cookie is valid and unexpired, the decoded session
- * payload is attached to `req.user` and the request proceeds.
- *
- * If the access cookie is expired or missing *but* a valid refresh cookie is
- * present, the middleware automatically attempts a silent token refresh using
- * the Seamless Auth server. When successful, new session cookies are issued and
- * the request continues with an updated `req.user`.
- *
- * If neither the access token nor refresh token can validate the session,
- * the middleware returns a 401 Unauthorized error and prevents further
- * route execution.
- *
- * ### Responsibilities
- * - Validates the Seamless Auth session access cookie
- * - Attempts refresh-token–based session renewal when necessary
- * - Populates `req.user` with the verified session payload
- * - Handles all cookie rewriting during refresh flows
- * - Acts as a request-level authentication guard for API routes
- *
- * ### Cookie Parameters
- * - **cookieName** — Name of the access cookie that holds the signed session JWT
- * - **refreshCookieName** — Name of the refresh cookie used for silent token refresh
- * - **cookieDomain** — Domain or path value applied to issued cookies
- *
- * ### Example
- * ```ts
- * // Protect a route
- * app.get("/api/me", requireAuth(), (req, res) => {
- *   res.json({ user: req.user });
- * });
- *
- * // Custom cookie names (if your Seamless Auth server uses overrides)
- * app.use(
- *   "/internal",
- *   requireAuth("sa_access", "sa_refresh", "mycompany.com"),
- *   internalRouter
- * );
- * ```
- *
- * @param cookieName - The access cookie name. Defaults to `"seamless-access"`.
- * @param refreshCookieName - The refresh cookie name used for session rotation. Defaults to `"seamless-refresh"`.
- * @param cookieDomain - Domain or path used when rewriting cookies. Defaults to `"/"`.
- *
- * @returns An Express middleware function that enforces Seamless Auth
- *          authentication on incoming requests.
- */
-export function requireAuth(cookieName = "seamless-access", refreshCookieName = "seamless-refresh", cookieDomain = "/") {
-    const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-    if (!COOKIE_SECRET) {
-        console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireAuth will always fail.");
-        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-    }
-    const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
-    return async (req, res, next) => {
-        try {
-            if (!COOKIE_SECRET) {
-                throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
-            }
-            const token = req.cookies?.[cookieName];
-            if (!token) {
-                res.status(401).json({ error: "Missing access cookie" });
-                return;
-            }
-            try {
-                const payload = jwt.verify(token, COOKIE_SECRET, {
-                    algorithms: ["HS256"],
-                });
-                req.user = payload;
-                return next();
-            }
-            catch (err) {
-                // expired or invalid token
-                if (err.name !== "TokenExpiredError") {
-                    console.warn("[SeamlessAuth] Invalid token:", err.message);
-                    res.status(401).json({ error: "Invalid token" });
-                    return;
-                }
-                // Try refresh
-                const refreshToken = req.cookies?.[refreshCookieName];
-                if (!refreshToken) {
-                    res.status(401).json({ error: "Session expired; re-login required" });
-                    return;
-                }
-                console.log("[SeamlessAuth] Access token expired — attempting refresh");
-                const refreshed = await refreshAccessToken(req, AUTH_SERVER_URL, refreshToken);
-                if (!refreshed?.token) {
-                    res.status(401).json({ error: "Refresh failed" });
-                    return;
-                }
-                // Update cookie with new access token
-                setSessionCookie(res, {
-                    sub: refreshed.sub,
-                    token: refreshed.token,
-                    roles: refreshed.roles,
-                }, cookieDomain, refreshed.ttl, cookieName);
-                setSessionCookie(res, { sub: refreshed.sub, refreshToken: refreshed.refreshToken }, req.hostname, refreshed.refreshTtl, refreshCookieName);
-                // Decode new token so downstream has user
-                const payload = jwt.verify(refreshed.token, COOKIE_SECRET, {
-                    algorithms: ["HS256"],
-                });
-                req.user = payload;
-                next();
-            }
-        }
-        catch (err) {
-            console.error("[SeamlessAuth] requireAuth error:", err.message);
-            res.status(401).json({ error: "Invalid or expired access cookie" });
-            return;
-        }
-    };
-}

package/dist/middleware/requireRole.d.ts DELETED Viewed

@@ -1,49 +0,0 @@
-import { RequestHandler } from "express";
-/**
- * Express middleware that enforces role-based authorization for Seamless Auth sessions.
- *
- * This guard assumes that `requireAuth()` has already validated the request
- * and populated `req.user` with the decoded Seamless Auth session payload.
- * It then checks whether the user’s roles include the required role (or any
- * of several, when an array is provided).
- *
- * If the user possesses the required authorization, the request proceeds.
- * Otherwise, the middleware responds with a 403 Forbidden error.
- *
- * ### Responsibilities
- * - Validates that `req.user` is present (enforced upstream by `requireAuth`)
- * - Ensures the authenticated user includes the specified role(s)
- * - Blocks unauthorized access with a standardized JSON 403 response
- *
- * ### Parameters
- * - **requiredRole** — A role (string) or list of roles the user must have.
- *   If an array is provided, *any* matching role grants access.
- * - **cookieName** — Optional name of the access cookie to inspect.
- *   Defaults to `"seamless-access"`, but typically not needed because
- *   `requireAuth` is expected to run first.
- *
- * ### Example
- * ```ts
- * // Require a single role
- * app.get("/admin/users",
- *   requireAuth(),
- *   requireRole("admin"),
- *   (req, res) => {
- *     res.send("Welcome admin!");
- *   }
- * );
- *
- * // Allow any of multiple roles
- * app.post("/settings",
- *   requireAuth(),
- *   requireRole(["admin", "supervisor"]),
- *   updateSettingsHandler
- * );
- * ```
- *
- * @param requiredRole - A role or list of roles required to access the route.
- * @param cookieName - Optional access cookie name (defaults to `seamless-access`).
- * @returns An Express middleware function enforcing role-based access control.
- */
-export declare function requireRole(role: string, cookieName?: string): RequestHandler;
-//# sourceMappingURL=requireRole.d.ts.map

package/dist/middleware/requireRole.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"requireRole.d.ts","sourceRoot":"","sources":["../../src/middleware/requireRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAG1E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,UAAU,SAAoB,GAC7B,cAAc,CAiChB"}

package/dist/middleware/requireRole.js DELETED Viewed

@@ -1,77 +0,0 @@
-import jwt from "jsonwebtoken";
-/**
- * Express middleware that enforces role-based authorization for Seamless Auth sessions.
- *
- * This guard assumes that `requireAuth()` has already validated the request
- * and populated `req.user` with the decoded Seamless Auth session payload.
- * It then checks whether the user’s roles include the required role (or any
- * of several, when an array is provided).
- *
- * If the user possesses the required authorization, the request proceeds.
- * Otherwise, the middleware responds with a 403 Forbidden error.
- *
- * ### Responsibilities
- * - Validates that `req.user` is present (enforced upstream by `requireAuth`)
- * - Ensures the authenticated user includes the specified role(s)
- * - Blocks unauthorized access with a standardized JSON 403 response
- *
- * ### Parameters
- * - **requiredRole** — A role (string) or list of roles the user must have.
- *   If an array is provided, *any* matching role grants access.
- * - **cookieName** — Optional name of the access cookie to inspect.
- *   Defaults to `"seamless-access"`, but typically not needed because
- *   `requireAuth` is expected to run first.
- *
- * ### Example
- * ```ts
- * // Require a single role
- * app.get("/admin/users",
- *   requireAuth(),
- *   requireRole("admin"),
- *   (req, res) => {
- *     res.send("Welcome admin!");
- *   }
- * );
- *
- * // Allow any of multiple roles
- * app.post("/settings",
- *   requireAuth(),
- *   requireRole(["admin", "supervisor"]),
- *   updateSettingsHandler
- * );
- * ```
- *
- * @param requiredRole - A role or list of roles required to access the route.
- * @param cookieName - Optional access cookie name (defaults to `seamless-access`).
- * @returns An Express middleware function enforcing role-based access control.
- */
-export function requireRole(role, cookieName = "seamless-access") {
-    return (req, res, next) => {
-        try {
-            const COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-            if (!COOKIE_SECRET) {
-                console.warn("[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing — requireRole will always fail.");
-                throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-            }
-            const token = req.cookies?.[cookieName];
-            if (!token) {
-                res.status(401).json({ error: "Missing access cookie" });
-                return;
-            }
-            // Verify JWT signature
-            const payload = jwt.verify(token, COOKIE_SECRET, {
-                algorithms: ["HS256"],
-            });
-            // Check role membership
-            if (!payload.roles?.includes(role)) {
-                res.status(403).json({ error: `Forbidden: ${role} role required` });
-                return;
-            }
-            next();
-        }
-        catch (err) {
-            console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
-            res.status(401).json({ error: "Invalid or expired access cookie" });
-        }
-    };
-}

package/dist/types.d.ts DELETED Viewed

@@ -1,9 +0,0 @@
-export interface SeamlessAuthServerOptions {
-    authServerUrl: string;
-    cookieDomain?: string;
-    accesscookieName?: string;
-    registrationCookieName?: string;
-    refreshCookieName?: string;
-    preAuthCookieName?: string;
-}
-//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B"}

package/dist/types.js DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};