@seamless-auth/express 0.0.2-beta.1 → 0.0.2-beta.11

package/dist/index.js

@@ -1,5 +1,501 @@
-import { createSeamlessAuthServer } from './createServer.js';
-export { requireAuth } from './middleware/requireAuth.js';
-export { requireRole } from './middleware/requireRole.js';
-export { getSeamlessUser } from './internal/getSeamlessUser.js';
-export default createSeamlessAuthServer;
+// src/createServer.ts
+import express from "express";
+import cookieParser from "cookie-parser";
+
+// src/middleware/ensureCookies.ts
+import { ensureCookies } from "@seamless-auth/core";
+
+// src/internal/cookie.ts
+import jwt from "jsonwebtoken";
+function setSessionCookie(res, opts, signer) {
+  const token = jwt.sign(opts.payload, signer.secret, {
+    algorithm: "HS256",
+    expiresIn: `${opts.ttlSeconds}s`
+  });
+  res.cookie(opts.name, token, {
+    httpOnly: true,
+    secure: signer.secure,
+    sameSite: signer.sameSite,
+    path: "/",
+    domain: opts.domain,
+    maxAge: Number(opts.ttlSeconds) * 1e3
+  });
+}
+function clearSessionCookie(res, domain, name) {
+  res.clearCookie(name, { domain, path: "/" });
+}
+function clearAllCookies(res, domain, ...cookieNames) {
+  for (const name of cookieNames) {
+    res.clearCookie(name, { domain, path: "/" });
+  }
+}
+
+// src/middleware/ensureCookies.ts
+function createEnsureCookiesMiddleware(opts) {
+  if (!opts.cookieSecret) {
+    throw new Error("Missing cookieSecret");
+  }
+  if (!opts.serviceSecret) {
+    throw new Error("Missing serviceSecret");
+  }
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  return async function ensureCookiesMiddleware(req, res, next) {
+    const result = await ensureCookies(
+      {
+        path: req.path,
+        cookies: req.cookies ?? {}
+      },
+      {
+        authServerUrl: opts.authServerUrl,
+        cookieDomain: opts.cookieDomain,
+        accessCookieName: opts.accessCookieName,
+        registrationCookieName: opts.registrationCookieName,
+        refreshCookieName: opts.refreshCookieName,
+        preAuthCookieName: opts.preAuthCookieName,
+        cookieSecret: opts.cookieSecret,
+        serviceSecret: opts.serviceSecret,
+        issuer: opts.issuer,
+        audience: opts.audience,
+        keyId: opts.keyId
+      }
+    );
+    applyResult(res, req, result, opts, cookieSigner);
+    if (result.type === "error") return;
+    next();
+  };
+}
+function applyResult(res, req, result, opts, cookieSigner) {
+  if (result.clearCookies?.length) {
+    clearAllCookies(res, opts.cookieDomain, ...result.clearCookies);
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.user) {
+    req.cookiePayload = result.user;
+  }
+  if (result.type === "error") {
+    res.status(result.status ?? 401).json({ error: result.error });
+  }
+}
+
+// src/handlers/login.ts
+import { loginHandler } from "@seamless-auth/core/handlers/login";
+async function login(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const result = await loginHandler(
+    { body: req.body },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      preAuthCookieName: opts.preAuthCookieName
+    }
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).end();
+}
+
+// src/handlers/finishLogin.ts
+import { finishLoginHandler } from "@seamless-auth/core/handlers/finishLogin";
+
+// src/internal/buildAuthorization.ts
+import { createServiceToken } from "@seamless-auth/core";
+function buildServiceAuthorization(req) {
+  if (!req.cookiePayload?.sub && !req.user.sub) {
+    return void 0;
+  }
+  const token = createServiceToken({
+    subject: req.cookiePayload?.sub || req.user.sub,
+    issuer: process.env.APP_ORIGIN,
+    audience: process.env.AUTH_SERVER_URL,
+    serviceSecret: process.env.API_SERVICE_TOKEN,
+    keyId: "dev-main"
+  });
+  return `Bearer ${token}`;
+}
+
+// src/handlers/finishLogin.ts
+async function finishLogin(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const authorization = buildServiceAuthorization(req);
+  const result = await finishLoginHandler(
+    { body: req.body, authorization },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      accessCookieName: opts.accessCookieName,
+      refreshCookieName: opts.refreshCookieName
+    }
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).json(result.body).end();
+}
+
+// src/handlers/register.ts
+import { registerHandler } from "@seamless-auth/core/handlers/register";
+async function register(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const result = await registerHandler(
+    { body: req.body },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      registrationCookieName: opts.registrationCookieName
+    }
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: opts.registrationCookieName || "seamless-auth-registraion",
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).json(result.body).end();
+}
+
+// src/handlers/finishRegister.ts
+import { finishRegisterHandler } from "@seamless-auth/core/handlers/finishRegister";
+async function finishRegister(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const authorization = buildServiceAuthorization(req);
+  const result = await finishRegisterHandler(
+    { body: req.body, authorization },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      accessCookieName: opts.accessCookieName,
+      refreshCookieName: opts.refreshCookieName
+    }
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).end();
+}
+
+// src/handlers/me.ts
+import { meHandler } from "@seamless-auth/core/handlers/me";
+async function me(req, res, opts) {
+  const authorization = buildServiceAuthorization(req);
+  const result = await meHandler({
+    authServerUrl: opts.authServerUrl,
+    preAuthCookieName: opts.preAuthCookieName,
+    authorization
+  });
+  if (result.clearCookies) {
+    for (const name of result.clearCookies) {
+      clearSessionCookie(res, opts.cookieDomain || "", name);
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json({ error: result.error });
+  }
+  res.status(result.status).json(result.body);
+}
+
+// src/handlers/logout.ts
+import { logoutHandler } from "@seamless-auth/core/handlers/logout";
+async function logout(req, res, opts) {
+  const result = await logoutHandler({
+    authServerUrl: opts.authServerUrl,
+    accessCookieName: opts.accessCookieName,
+    registrationCookieName: opts.registrationCookieName,
+    refreshCookieName: opts.refreshCookieName
+  });
+  clearAllCookies(res, opts.cookieDomain || "", ...result.clearCookies);
+  res.status(result.status).end();
+}
+
+// src/createServer.ts
+import {
+  authFetch
+} from "@seamless-auth/core";
+function createSeamlessAuthServer(opts) {
+  const r = express.Router();
+  r.use(express.json());
+  r.use(cookieParser());
+  const resolvedOpts = {
+    authServerUrl: opts.authServerUrl,
+    cookieSecret: opts.cookieSecret,
+    serviceSecret: opts.serviceSecret,
+    jwksKid: opts.jwksKid ?? "dev-main",
+    cookieDomain: opts.cookieDomain ?? "",
+    accessCookieName: opts.accessCookieName ?? "seamless-access",
+    registrationCookieName: opts.registrationCookieName ?? "seamless-ephemeral",
+    refreshCookieName: opts.refreshCookieName ?? "seamless-refresh",
+    preAuthCookieName: opts.preAuthCookieName ?? "seamless-ephemeral"
+  };
+  const proxyWithIdentity = (path, identity, method = "POST") => async (req, res) => {
+    if (!req.cookiePayload?.sub) {
+      res.status(401).json({ error: "unauthenticated" });
+      return;
+    }
+    if (identity === "access" && !req.cookies[resolvedOpts.accessCookieName]) {
+      res.status(401).json({ error: "access session required" });
+      return;
+    }
+    if (identity === "preAuth" && !req.cookies[resolvedOpts.preAuthCookieName]) {
+      res.status(401).json({ error: "pre-auth session required" });
+      return;
+    }
+    if (identity === "register" && !req.cookies[resolvedOpts.registrationCookieName]) {
+      res.status(401).json({ error: "registeration session required" });
+      return;
+    }
+    const authorization = buildServiceAuthorization(req);
+    const upstream = await authFetch(
+      `${resolvedOpts.authServerUrl}/${path}`,
+      {
+        method,
+        body: req.body,
+        authorization
+      }
+    );
+    const data = await upstream.json();
+    res.status(upstream.status).json(data);
+  };
+  r.use(
+    createEnsureCookiesMiddleware({
+      authServerUrl: resolvedOpts.authServerUrl,
+      cookieDomain: resolvedOpts.cookieDomain,
+      accessCookieName: resolvedOpts.accessCookieName,
+      registrationCookieName: resolvedOpts.registrationCookieName,
+      refreshCookieName: resolvedOpts.refreshCookieName,
+      preAuthCookieName: resolvedOpts.preAuthCookieName,
+      cookieSecret: resolvedOpts.cookieSecret,
+      serviceSecret: resolvedOpts.serviceSecret,
+      issuer: process.env.APP_ORIGIN,
+      audience: resolvedOpts.authServerUrl,
+      keyId: resolvedOpts.jwksKid
+    })
+  );
+  r.post(
+    "/webAuthn/login/start",
+    proxyWithIdentity("webAuthn/login/start", "preAuth")
+  );
+  r.post(
+    "/webAuthn/login/finish",
+    (req, res) => finishLogin(req, res, resolvedOpts)
+  );
+  r.get(
+    "/webAuthn/register/start",
+    proxyWithIdentity("webAuthn/register/start", "preAuth", "GET")
+  );
+  r.post(
+    "/webAuthn/register/finish",
+    (req, res) => finishRegister(req, res, resolvedOpts)
+  );
+  r.post(
+    "/otp/verify-phone-otp",
+    proxyWithIdentity("otp/verify-phone-otp", "preAuth")
+  );
+  r.post(
+    "/otp/verify-email-otp",
+    proxyWithIdentity("otp/verify-email-otp", "preAuth")
+  );
+  r.post("/login", (req, res) => login(req, res, resolvedOpts));
+  r.post(
+    "/registration/register",
+    (req, res) => register(req, res, resolvedOpts)
+  );
+  r.get("/users/me", (req, res) => me(req, res, resolvedOpts));
+  r.get("/logout", (req, res) => logout(req, res, resolvedOpts));
+  r.post("/users/update", proxyWithIdentity("users/update", "access"));
+  r.post(
+    "/users/credentials",
+    proxyWithIdentity("users/credentials", "access")
+  );
+  r.delete(
+    "/users/credentials",
+    proxyWithIdentity("users/credentials", "access")
+  );
+  return r;
+}
+
+// src/middleware/requireAuth.ts
+import { verifyCookieJwt } from "@seamless-auth/core";
+function requireAuth(opts) {
+  const { cookieName = "seamless-access", cookieSecret } = opts;
+  if (!cookieSecret) {
+    throw new Error("requireAuth: missing cookieSecret");
+  }
+  return function(req, res, next) {
+    const token = req.cookies?.[cookieName];
+    if (!token) {
+      res.status(401).json({
+        error: "Authentication required"
+      });
+      return;
+    }
+    const payload = verifyCookieJwt(token, cookieSecret);
+    if (!payload || !payload.sub) {
+      res.status(401).json({
+        error: "Invalid or expired session"
+      });
+      return;
+    }
+    const user = {
+      sub: payload.sub,
+      roles: Array.isArray(payload.roles) ? payload.roles : [],
+      email: payload.email,
+      phone: payload.phone,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+    req.user = user;
+    next();
+  };
+}
+
+// src/middleware/requireRole.ts
+function requireRole(requiredRoles) {
+  const roles = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      res.status(401).json({
+        error: "Authentication required"
+      });
+      return;
+    }
+    if (!Array.isArray(user.roles)) {
+      res.status(403).json({
+        error: "User has no roles assigned"
+      });
+      return;
+    }
+    const hasRole = roles.some((role) => user.roles.includes(role));
+    if (!hasRole) {
+      res.status(403).json({
+        error: "Insufficient role",
+        required: roles,
+        actual: user.roles
+      });
+      return;
+    }
+    next();
+  };
+}
+
+// src/getSeamlessUser.ts
+import {
+  getSeamlessUser as getSeamlessUserCore
+} from "@seamless-auth/core";
+async function getSeamlessUser(req, opts) {
+  const authorization = buildServiceAuthorization(req);
+  return getSeamlessUserCore(req.cookies ?? {}, {
+    authServerUrl: opts.authServerUrl,
+    cookieSecret: opts.cookieSecret,
+    cookieName: opts.cookieName ?? "seamless-access",
+    authorization
+  });
+}
+
+// src/index.ts
+var index_default = createSeamlessAuthServer;
+export {
+  createEnsureCookiesMiddleware,
+  index_default as default,
+  getSeamlessUser,
+  requireAuth,
+  requireRole
+};

package/package.json

@@ -1,37 +1,54 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.2-beta.1",
+  "version": "0.0.2-beta.11",
   "description": "Express adapter for Seamless Auth passwordless authentication",
-  "license": "MIT",
+  "license": "AGPL-3.0-only",
   "type": "module",
   "main": "dist/index.js",
   "types": "./dist/index.d.ts",
   "author": "Fells Code LLC",
+  "files": [
+    "dist",
+    "LICENSE",
+    "LICENSE.md",
+    "README.md"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "engines": {
+    "node": ">=18"
+  },
   "scripts": {
-    "build": "tsc -p tsconfig.json && node build.mjs",
-    "dev": "tsc --watch"
+    "build": "tsup src/index.ts --format esm --out-dir dist --dts --splitting",
+    "dev": "tsc --watch",
+    "test": "npm run build && NODE_OPTIONS=--experimental-vm-modules jest",
+    "test:watch": "npm run build && NODE_OPTIONS=--experimental-vm-modules jest --watch"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/fells-code/seamless-auth-server.git"
+    "url": "https://github.com/fells-code/seamless-auth-server/tree/main/packages/express"
   },
-  "files": [
-    "dist"
-  ],
   "peerDependencies": {
-    "@types/express": ">=5.0.0",
-    "express": ">=5.1.0"
+    "express": ">=4.18.0",
+    "@types/express": ">=4.17.0"
   },
   "dependencies": {
+    "@seamless-auth/core": "beta",
     "cookie-parser": "^1.4.6",
-    "dotenv": "^17.2.3",
-    "jose": "^6.1.1",
-    "jsonwebtoken": "^9.0.2",
-    "node-fetch": "^3.3.2"
+    "jsonwebtoken": "^9.0.3"
   },
   "devDependencies": {
     "@types/cookie-parser": "^1.4.10",
+    "@types/jest": "^29.5.14",
     "@types/jsonwebtoken": "^9.0.10",
+    "jest": "^29.7.0",
+    "ts-node": "^10.9.2",
+    "supertest": "^7.2.2",
+    "tsup": "^8.5.1",
     "typescript": "^5.5.0"
   },
   "publishConfig": {

package/dist/createServer.d.ts

@@ -1,48 +0,0 @@
-import { Router } from "express";
-import type { SeamlessAuthServerOptions } from "./types";
-/**
- * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
- *
- * This helper wires your API backend to a Seamless Auth instance running in
- * "server mode." It automatically forwards login, registration, WebAuthn,
- * logout, token refresh, and session validation routes to the auth server
- * and handles all cookie management required for a seamless login flow.
- *
- * ### Responsibilities
- * - Proxies all `/auth/*` routes to the upstream Seamless Auth server
- * - Manages `access`, `registration`, `pre-auth`, and `refresh` cookies
- * - Normalizes cookie settings for cross-domain or same-domain deployments
- * - Ensures authentication routes behave consistently across environments
- * - Provides shared middleware for auth flows
- *
- * ### Cookie Types
- * - **accessCookie** – long-lived session cookie for authenticated API requests
- * - **registrationCookie** – ephemeral cookie used during registration and OTP/WebAuthn flows
- * - **preAuthCookie** – short-lived cookie used during login initiation
- * - **refreshCookie** – opaque refresh token cookie used to rotate session tokens
- *
- * All cookie names and their domains may be customized via the `opts` parameter.
- *
- * ### Example
- * ```ts
- * app.use("/auth", createSeamlessAuthServer({
- *   authServerUrl: "https://identifier.seamlessauth.com",
- *   cookieDomain: "mycompany.com",
- *   accesscookieName: "sa_access",
- *   registrationCookieName: "sa_registration",
- *   refreshCookieName: "sa_refresh",
- * }));
- * ```
- *
- * @param opts - Configuration options for the Seamless Auth proxy:
- *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
- *   - `cookieDomain` — Domain attribute applied to all auth cookies
- *   - `accesscookieName` — Name of the session access cookie
- *   - `registrationCookieName` — Name of the ephemeral registration cookie
- *   - `refreshCookieName` — Name of the refresh token cookie
- *   - `preAuthCookieName` — Name of the cookie used during login initiation
- *
- * @returns An Express `Router` preconfigured with all Seamless Auth routes.
- */
-export declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
-//# sourceMappingURL=createServer.d.ts.map

package/dist/createServer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"createServer.d.ts","sourceRoot":"","sources":["../src/createServer.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AAQ7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAIzD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,yBAAyB,GAC9B,MAAM,CA0LR"}