@seamless-auth/express 0.0.2-beta.1 → 0.0.2-beta.2

package/dist/index.js

@@ -1,5 +1,564 @@
-import { createSeamlessAuthServer } from './createServer.js';
-export { requireAuth } from './middleware/requireAuth.js';
-export { requireRole } from './middleware/requireRole.js';
-export { getSeamlessUser } from './internal/getSeamlessUser.js';
-export default createSeamlessAuthServer;
+// src/createServer.ts
+import express from "express";
+import cookieParser from "cookie-parser";
+
+// src/internal/cookie.ts
+import jwt from "jsonwebtoken";
+function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
+  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+  if (!COOKIE_SECRET2) {
+    console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
+    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+  }
+  const token = jwt.sign(payload, COOKIE_SECRET2, {
+    algorithm: "HS256",
+    expiresIn: `${ttlSeconds}s`
+  });
+  res.cookie(name, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
+    path: "/",
+    domain,
+    maxAge: ttlSeconds * 1e3
+  });
+}
+function clearSessionCookie(res, domain, name = "sa_session") {
+  res.clearCookie(name, { domain, path: "/" });
+}
+function clearAllCookies(res, domain, accesscookieName, registrationCookieName, refreshCookieName) {
+  res.clearCookie(accesscookieName, { domain, path: "/" });
+  res.clearCookie(registrationCookieName, { domain, path: "/" });
+  res.clearCookie(refreshCookieName, { domain, path: "/" });
+}
+
+// src/internal/authFetch.ts
+import jwt2 from "jsonwebtoken";
+async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
+  const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+  if (!serviceKey) {
+    throw new Error(
+      "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+    );
+  }
+  const token = jwt2.sign(
+    {
+      iss: process.env.FRONTEND_URL,
+      aud: process.env.AUTH_SERVER_URL,
+      sub: req.cookiePayload?.sub,
+      roles: req.cookiePayload?.roles ?? [],
+      iat: Math.floor(Date.now() / 1e3)
+    },
+    serviceKey,
+    {
+      expiresIn: "60s",
+      // Short-lived
+      algorithm: "HS256"
+      // HMAC-based
+    }
+  );
+  const finalHeaders = {
+    ...method !== "GET" && { "Content-Type": "application/json" },
+    ...cookies ? { Cookie: cookies.join("; ") } : {},
+    Authorization: `Bearer ${token}`,
+    ...headers
+  };
+  let finalUrl = url;
+  if (method === "GET" && body && typeof body === "object") {
+    const qs = new URLSearchParams(body).toString();
+    finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;
+  }
+  const res = await fetch(finalUrl, {
+    method,
+    headers: finalHeaders,
+    ...method !== "GET" && body ? { body: JSON.stringify(body) } : {}
+  });
+  return res;
+}
+
+// src/internal/verifyCookieJwt.ts
+import jwt3 from "jsonwebtoken";
+var COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+function verifyCookieJwt(token) {
+  try {
+    return jwt3.verify(token, COOKIE_SECRET, {
+      algorithms: ["HS256"]
+    });
+  } catch (err) {
+    console.error("[SeamlessAuth] Cookie JWT verification failed:", err);
+    return null;
+  }
+}
+
+// src/internal/refreshAccessToken.ts
+import jwt4 from "jsonwebtoken";
+async function refreshAccessToken(req, authServerUrl, refreshToken) {
+  try {
+    const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+    if (!COOKIE_SECRET2) {
+      console.warn(
+        "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
+      );
+      throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+    }
+    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
+    if (!serviceKey) {
+      throw new Error(
+        "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+      );
+    }
+    const payload = jwt4.verify(refreshToken, COOKIE_SECRET2, {
+      algorithms: ["HS256"]
+    });
+    const token = jwt4.sign(
+      {
+        // Minimal, safe fields
+        iss: process.env.FRONTEND_URL,
+        aud: process.env.AUTH_SERVER_URL,
+        sub: payload.sub,
+        refreshToken: payload.refreshToken,
+        iat: Math.floor(Date.now() / 1e3)
+      },
+      serviceKey,
+      {
+        expiresIn: "60s",
+        // Short-lived = safer
+        algorithm: "HS256",
+        // HMAC-based
+        keyid: "dev-main"
+        // For future rotation
+      }
+    );
+    const response = await fetch(`${authServerUrl}/refresh`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      console.error(
+        "[SeamlessAuth] Refresh token request failed:",
+        response.status
+      );
+      return null;
+    }
+    const data = await response.json();
+    return data;
+  } catch (err) {
+    console.error("[SeamlessAuth] refreshAccessToken error:", err);
+    return null;
+  }
+}
+
+// src/middleware/ensureCookies.ts
+function createEnsureCookiesMiddleware(opts) {
+  const COOKIE_REQUIREMENTS = {
+    "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
+    "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
+    "/webAuthn/register/start": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/webAuthn/register/finish": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/otp/verify-email-otp": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/otp/verify-phone-otp": {
+      name: opts.registrationCookieName,
+      required: true
+    },
+    "/logout": { name: opts.accesscookieName, required: true },
+    "/users/me": { name: opts.accesscookieName, required: true }
+  };
+  return async function ensureCookies(req, res, next, cookieDomain = "") {
+    const match = Object.entries(COOKIE_REQUIREMENTS).find(
+      ([path]) => req.path.startsWith(path)
+    );
+    if (!match) return next();
+    const [, { name, required }] = match;
+    const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
+    const cookieValue = req.cookies?.[name];
+    const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
+    if (required && !cookieValue) {
+      if (refreshCookieValue) {
+        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
+        const refreshed = await refreshAccessToken(
+          req,
+          AUTH_SERVER_URL,
+          refreshCookieValue
+        );
+        if (!refreshed?.token) {
+          clearAllCookies(
+            res,
+            cookieDomain,
+            name,
+            opts.registrationCookieName,
+            opts.refreshCookieName
+          );
+          res.status(401).json({ error: "Refresh failed" });
+          return;
+        }
+        setSessionCookie(
+          res,
+          {
+            sub: refreshed.sub,
+            token: refreshed.token,
+            roles: refreshed.roles
+          },
+          cookieDomain,
+          refreshed.ttl,
+          name
+        );
+        setSessionCookie(
+          res,
+          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          cookieDomain,
+          refreshed.refreshTtl,
+          opts.refreshCookieName
+        );
+        req.cookiePayload = {
+          sub: refreshed.sub,
+          roles: refreshed.roles
+        };
+        return next();
+      }
+      return res.status(400).json({
+        error: `Missing required cookie "${name}" for route ${req.path}`,
+        hint: "Did you forget to call /auth/login/start first?"
+      });
+    }
+    if (cookieValue) {
+      const payload = verifyCookieJwt(cookieValue);
+      if (!payload) {
+        return res.status(401).json({ error: `Invalid or expired ${name} cookie` });
+      }
+      req.cookiePayload = payload;
+    }
+    next();
+  };
+}
+
+// src/internal/verifySignedAuthResponse.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+async function verifySignedAuthResponse(token, authServerUrl) {
+  try {
+    const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
+    const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+    const { payload } = await jwtVerify(token, JWKS, {
+      algorithms: ["RS256"],
+      issuer: authServerUrl
+    });
+    return payload;
+  } catch (err) {
+    console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
+    return null;
+  }
+}
+
+// src/createServer.ts
+function createSeamlessAuthServer(opts) {
+  const r = express.Router();
+  r.use(express.json());
+  r.use(cookieParser());
+  const {
+    authServerUrl,
+    cookieDomain = "",
+    accesscookieName = "seamless-access",
+    registrationCookieName = "seamless-ephemeral",
+    refreshCookieName = "seamless-refresh",
+    preAuthCookieName = "seamless-ephemeral"
+  } = opts;
+  const proxy = (path, method = "POST") => async (req, res) => {
+    try {
+      const response = await authFetch(req, `${authServerUrl}/${path}`, {
+        method,
+        body: req.body
+      });
+      res.status(response.status).json(await response.json());
+    } catch (error) {
+      console.error(`Failed to proxy to route. Error: ${error}`);
+    }
+  };
+  r.use(
+    createEnsureCookiesMiddleware({
+      authServerUrl,
+      cookieDomain,
+      accesscookieName,
+      registrationCookieName,
+      refreshCookieName,
+      preAuthCookieName
+    })
+  );
+  r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
+  r.post("/webAuthn/login/finish", finishLogin);
+  r.get("/webAuthn/register/start", proxy("webAuthn/register/start", "GET"));
+  r.post("/webAuthn/register/finish", finishRegister);
+  r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
+  r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
+  r.post("/login", login);
+  r.post("/users/update", proxy("users/update"));
+  r.post("/registration/register", register);
+  r.get("/users/me", me);
+  r.get("/logout", logout);
+  return r;
+  async function login(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/login`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    const verified = await verifySignedAuthResponse(data.token, authServerUrl);
+    if (!verified) {
+      throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verified.sub !== data.sub) {
+      throw new Error("Signature mismatch with data payload");
+    }
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      preAuthCookieName
+    );
+    res.status(204).end();
+  }
+  async function register(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/registration/register`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      registrationCookieName
+    );
+    res.status(200).json(data).end();
+  }
+  async function finishLogin(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/webAuthn/login/finish`, {
+      method: "POST",
+      body: req.body
+    });
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    const verifiedAccessToken = await verifySignedAuthResponse(
+      data.token,
+      authServerUrl
+    );
+    if (!verifiedAccessToken) {
+      throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verifiedAccessToken.sub !== data.sub) {
+      throw new Error("Signature mismatch with data payload");
+    }
+    setSessionCookie(
+      res,
+      { sub: data.sub, roles: data.roles },
+      cookieDomain,
+      data.ttl,
+      accesscookieName
+    );
+    setSessionCookie(
+      res,
+      { sub: data.sub, refreshToken: data.refreshToken },
+      req.hostname,
+      data.refreshTtl,
+      refreshCookieName
+    );
+    res.status(200).json(data).end();
+  }
+  async function finishRegister(req, res) {
+    const up = await authFetch(
+      req,
+      `${authServerUrl}/webAuthn/register/finish`,
+      {
+        method: "POST",
+        body: req.body
+      }
+    );
+    const data = await up.json();
+    if (!up.ok) return res.status(up.status).json(data);
+    setSessionCookie(
+      res,
+      { sub: data.sub, roles: data.roles },
+      cookieDomain,
+      data.ttl,
+      accesscookieName
+    );
+    res.status(204).end();
+  }
+  async function logout(req, res) {
+    await authFetch(req, `${authServerUrl}/logout`, {
+      method: "GET"
+    });
+    clearAllCookies(
+      res,
+      cookieDomain,
+      accesscookieName,
+      registrationCookieName,
+      refreshCookieName
+    );
+    res.status(204).end();
+  }
+  async function me(req, res) {
+    const up = await authFetch(req, `${authServerUrl}/users/me`, {
+      method: "GET"
+    });
+    const data = await up.json();
+    clearSessionCookie(res, cookieDomain, preAuthCookieName);
+    if (!data.user) return res.status(401).json({ error: "unauthenticated" });
+    res.json({ user: data.user });
+  }
+}
+
+// src/middleware/requireAuth.ts
+import jwt5 from "jsonwebtoken";
+function requireAuth(cookieName = "seamless-access", refreshCookieName = "seamless-refresh", cookieDomain = "/") {
+  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+  if (!COOKIE_SECRET2) {
+    console.warn(
+      "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
+    );
+    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+  }
+  const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
+  return async (req, res, next) => {
+    try {
+      if (!COOKIE_SECRET2) {
+        throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
+      }
+      const token = req.cookies?.[cookieName];
+      if (!token) {
+        res.status(401).json({ error: "Missing access cookie" });
+        return;
+      }
+      try {
+        const payload = jwt5.verify(token, COOKIE_SECRET2, {
+          algorithms: ["HS256"]
+        });
+        req.user = payload;
+        return next();
+      } catch (err) {
+        if (err.name !== "TokenExpiredError") {
+          console.warn("[SeamlessAuth] Invalid token:", err.message);
+          res.status(401).json({ error: "Invalid token" });
+          return;
+        }
+        const refreshToken = req.cookies?.[refreshCookieName];
+        if (!refreshToken) {
+          res.status(401).json({ error: "Session expired; re-login required" });
+          return;
+        }
+        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
+        const refreshed = await refreshAccessToken(
+          req,
+          AUTH_SERVER_URL,
+          refreshToken
+        );
+        if (!refreshed?.token) {
+          res.status(401).json({ error: "Refresh failed" });
+          return;
+        }
+        setSessionCookie(
+          res,
+          {
+            sub: refreshed.sub,
+            token: refreshed.token,
+            roles: refreshed.roles
+          },
+          cookieDomain,
+          refreshed.ttl,
+          cookieName
+        );
+        setSessionCookie(
+          res,
+          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          req.hostname,
+          refreshed.refreshTtl,
+          refreshCookieName
+        );
+        const payload = jwt5.verify(refreshed.token, COOKIE_SECRET2, {
+          algorithms: ["HS256"]
+        });
+        req.user = payload;
+        next();
+      }
+    } catch (err) {
+      console.error("[SeamlessAuth] requireAuth error:", err.message);
+      res.status(401).json({ error: "Invalid or expired access cookie" });
+      return;
+    }
+  };
+}
+
+// src/middleware/requireRole.ts
+import jwt6 from "jsonwebtoken";
+function requireRole(role, cookieName = "seamless-access") {
+  return (req, res, next) => {
+    try {
+      const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
+      if (!COOKIE_SECRET2) {
+        console.warn(
+          "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireRole will always fail."
+        );
+        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+      }
+      const token = req.cookies?.[cookieName];
+      if (!token) {
+        res.status(401).json({ error: "Missing access cookie" });
+        return;
+      }
+      const payload = jwt6.verify(token, COOKIE_SECRET2, {
+        algorithms: ["HS256"]
+      });
+      if (!payload.roles?.includes(role)) {
+        res.status(403).json({ error: `Forbidden: ${role} role required` });
+        return;
+      }
+      next();
+    } catch (err) {
+      console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
+      res.status(401).json({ error: "Invalid or expired access cookie" });
+    }
+  };
+}
+
+// src/internal/getSeamlessUser.ts
+async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-access") {
+  try {
+    const payload = verifyCookieJwt(req.cookies[cookieName]);
+    if (!payload) {
+      throw new Error("Missing cookie");
+    }
+    req.cookiePayload = payload;
+    const response = await authFetch(req, `${authServerUrl}/users/me`, {
+      method: "GET"
+    });
+    if (!response.ok) {
+      console.warn(`[SeamlessAuth] Auth server responded ${response.status}`);
+      return null;
+    }
+    const data = await response.json();
+    return data.user;
+  } catch (err) {
+    console.error("[SeamlessAuth] getSeamlessUser failed:", err);
+    return null;
+  }
+}
+
+// src/index.ts
+var index_default = createSeamlessAuthServer;
+export {
+  index_default as default,
+  getSeamlessUser,
+  requireAuth,
+  requireRole
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.2-beta.1",
+  "version": "0.0.2-beta.2",
   "description": "Express adapter for Seamless Auth passwordless authentication",
   "license": "MIT",
   "type": "module",
@@ -8,7 +8,7 @@
   "types": "./dist/index.d.ts",
   "author": "Fells Code LLC",
   "scripts": {
-    "build": "tsc -p tsconfig.json && node build.mjs",
+    "build": "tsup src/index.ts --format esm --out-dir dist --splitting",
     "dev": "tsc --watch"
   },
   "repository": {
@@ -32,6 +32,7 @@
   "devDependencies": {
     "@types/cookie-parser": "^1.4.10",
     "@types/jsonwebtoken": "^9.0.10",
+    "tsup": "^8.5.1",
     "typescript": "^5.5.0"
   },
   "publishConfig": {

package/dist/createServer.d.ts

@@ -1,48 +0,0 @@
-import { Router } from "express";
-import type { SeamlessAuthServerOptions } from "./types";
-/**
- * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
- *
- * This helper wires your API backend to a Seamless Auth instance running in
- * "server mode." It automatically forwards login, registration, WebAuthn,
- * logout, token refresh, and session validation routes to the auth server
- * and handles all cookie management required for a seamless login flow.
- *
- * ### Responsibilities
- * - Proxies all `/auth/*` routes to the upstream Seamless Auth server
- * - Manages `access`, `registration`, `pre-auth`, and `refresh` cookies
- * - Normalizes cookie settings for cross-domain or same-domain deployments
- * - Ensures authentication routes behave consistently across environments
- * - Provides shared middleware for auth flows
- *
- * ### Cookie Types
- * - **accessCookie** – long-lived session cookie for authenticated API requests
- * - **registrationCookie** – ephemeral cookie used during registration and OTP/WebAuthn flows
- * - **preAuthCookie** – short-lived cookie used during login initiation
- * - **refreshCookie** – opaque refresh token cookie used to rotate session tokens
- *
- * All cookie names and their domains may be customized via the `opts` parameter.
- *
- * ### Example
- * ```ts
- * app.use("/auth", createSeamlessAuthServer({
- *   authServerUrl: "https://identifier.seamlessauth.com",
- *   cookieDomain: "mycompany.com",
- *   accesscookieName: "sa_access",
- *   registrationCookieName: "sa_registration",
- *   refreshCookieName: "sa_refresh",
- * }));
- * ```
- *
- * @param opts - Configuration options for the Seamless Auth proxy:
- *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
- *   - `cookieDomain` — Domain attribute applied to all auth cookies
- *   - `accesscookieName` — Name of the session access cookie
- *   - `registrationCookieName` — Name of the ephemeral registration cookie
- *   - `refreshCookieName` — Name of the refresh token cookie
- *   - `preAuthCookieName` — Name of the cookie used during login initiation
- *
- * @returns An Express `Router` preconfigured with all Seamless Auth routes.
- */
-export declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
-//# sourceMappingURL=createServer.d.ts.map

package/dist/createServer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"createServer.d.ts","sourceRoot":"","sources":["../src/createServer.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AAQ7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAIzD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,yBAAyB,GAC9B,MAAM,CA0LR"}