@seamless-auth/express 0.0.2-beta.2 → 0.0.2-beta.21

package/dist/index.js

@@ -2,561 +2,499 @@
 import express from "express";
 import cookieParser from "cookie-parser";
 
+// src/middleware/ensureCookies.ts
+import { ensureCookies } from "@seamless-auth/core";
+
 // src/internal/cookie.ts
 import jwt from "jsonwebtoken";
-function setSessionCookie(res, payload, domain, ttlSeconds = 300, name = "sa_session") {
-  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-  if (!COOKIE_SECRET2) {
-    console.warn("[SeamlessAuth] Missing SEAMLESS_COOKIE_SIGNING_KEY env var!");
-    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-  }
-  const token = jwt.sign(payload, COOKIE_SECRET2, {
+function setSessionCookie(res, opts, signer) {
+  const token = jwt.sign(opts.payload, signer.secret, {
     algorithm: "HS256",
-    expiresIn: `${ttlSeconds}s`
+    expiresIn: `${opts.ttlSeconds}s`
   });
-  res.cookie(name, token, {
+  res.cookie(opts.name, token, {
     httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
-    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
+    secure: signer.secure,
+    sameSite: signer.sameSite,
     path: "/",
-    domain,
-    maxAge: ttlSeconds * 1e3
+    domain: opts.domain,
+    maxAge: Number(opts.ttlSeconds) * 1e3
   });
 }
-function clearSessionCookie(res, domain, name = "sa_session") {
+function clearSessionCookie(res, domain, name) {
   res.clearCookie(name, { domain, path: "/" });
 }
-function clearAllCookies(res, domain, accesscookieName, registrationCookieName, refreshCookieName) {
-  res.clearCookie(accesscookieName, { domain, path: "/" });
-  res.clearCookie(registrationCookieName, { domain, path: "/" });
-  res.clearCookie(refreshCookieName, { domain, path: "/" });
+function clearAllCookies(res, domain, ...cookieNames) {
+  for (const name of cookieNames) {
+    res.clearCookie(name, { domain, path: "/" });
+  }
 }
 
-// src/internal/authFetch.ts
-import jwt2 from "jsonwebtoken";
-async function authFetch(req, url, { method = "POST", body, cookies, headers = {} } = {}) {
-  const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-  if (!serviceKey) {
-    throw new Error(
-      "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+// src/middleware/ensureCookies.ts
+function createEnsureCookiesMiddleware(opts) {
+  if (!opts.cookieSecret) {
+    throw new Error("Missing cookieSecret");
+  }
+  if (!opts.serviceSecret) {
+    throw new Error("Missing serviceSecret");
+  }
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  return async function ensureCookiesMiddleware(req, res, next) {
+    const result = await ensureCookies(
+      {
+        path: req.path,
+        cookies: req.cookies ?? {}
+      },
+      {
+        authServerUrl: opts.authServerUrl,
+        cookieDomain: opts.cookieDomain,
+        accessCookieName: opts.accessCookieName,
+        registrationCookieName: opts.registrationCookieName,
+        refreshCookieName: opts.refreshCookieName,
+        preAuthCookieName: opts.preAuthCookieName,
+        cookieSecret: opts.cookieSecret,
+        serviceSecret: opts.serviceSecret,
+        issuer: opts.issuer,
+        audience: opts.audience,
+        keyId: opts.keyId
+      }
     );
+    applyResult(res, req, result, opts, cookieSigner);
+    if (result.type === "error") return;
+    next();
+  };
+}
+function applyResult(res, req, result, opts, cookieSigner) {
+  if (result.clearCookies?.length) {
+    clearAllCookies(res, opts.cookieDomain, ...result.clearCookies);
   }
-  const token = jwt2.sign(
-    {
-      iss: process.env.FRONTEND_URL,
-      aud: process.env.AUTH_SERVER_URL,
-      sub: req.cookiePayload?.sub,
-      roles: req.cookiePayload?.roles ?? [],
-      iat: Math.floor(Date.now() / 1e3)
-    },
-    serviceKey,
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.user) {
+    req.cookiePayload = result.user;
+  }
+  if (result.type === "error") {
+    res.status(result.status ?? 401).json({ error: result.error });
+  }
+}
+
+// src/handlers/login.ts
+import { loginHandler } from "@seamless-auth/core/handlers/login";
+async function login(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const result = await loginHandler(
+    { body: req.body },
     {
-      expiresIn: "60s",
-      // Short-lived
-      algorithm: "HS256"
-      // HMAC-based
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      preAuthCookieName: opts.preAuthCookieName
     }
   );
-  const finalHeaders = {
-    ...method !== "GET" && { "Content-Type": "application/json" },
-    ...cookies ? { Cookie: cookies.join("; ") } : {},
-    Authorization: `Bearer ${token}`,
-    ...headers
-  };
-  let finalUrl = url;
-  if (method === "GET" && body && typeof body === "object") {
-    const qs = new URLSearchParams(body).toString();
-    finalUrl += url.includes("?") ? `&${qs}` : `?${qs}`;
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
   }
-  const res = await fetch(finalUrl, {
-    method,
-    headers: finalHeaders,
-    ...method !== "GET" && body ? { body: JSON.stringify(body) } : {}
-  });
-  return res;
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).end();
 }
 
-// src/internal/verifyCookieJwt.ts
-import jwt3 from "jsonwebtoken";
-var COOKIE_SECRET = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-function verifyCookieJwt(token) {
-  try {
-    return jwt3.verify(token, COOKIE_SECRET, {
-      algorithms: ["HS256"]
-    });
-  } catch (err) {
-    console.error("[SeamlessAuth] Cookie JWT verification failed:", err);
-    return null;
+// src/handlers/finishLogin.ts
+import { finishLoginHandler } from "@seamless-auth/core/handlers/finishLogin";
+
+// src/internal/buildAuthorization.ts
+import { createServiceToken } from "@seamless-auth/core";
+function buildServiceAuthorization(req, opts) {
+  if (!req.cookiePayload?.sub && !req.user.sub) {
+    return void 0;
   }
+  const token = createServiceToken({
+    subject: req.cookiePayload?.sub || req.user.sub,
+    issuer: opts.issuer,
+    audience: opts.audience,
+    serviceSecret: opts.serviceSecret,
+    keyId: opts.jwksKid || "dev-main"
+  });
+  return `Bearer ${token}`;
 }
 
-// src/internal/refreshAccessToken.ts
-import jwt4 from "jsonwebtoken";
-async function refreshAccessToken(req, authServerUrl, refreshToken) {
-  try {
-    const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-    if (!COOKIE_SECRET2) {
-      console.warn(
-        "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
-      );
-      throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+// src/handlers/finishLogin.ts
+async function finishLogin(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const authorization = buildServiceAuthorization(req, opts);
+  const result = await finishLoginHandler(
+    { body: req.body, authorization },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      accessCookieName: opts.accessCookieName,
+      refreshCookieName: opts.refreshCookieName
     }
-    const serviceKey = process.env.SEAMLESS_SERVICE_TOKEN;
-    if (!serviceKey) {
-      throw new Error(
-        "Cannot sign service token. Missing SEAMLESS_SERVICE_TOKEN"
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
       );
     }
-    const payload = jwt4.verify(refreshToken, COOKIE_SECRET2, {
-      algorithms: ["HS256"]
-    });
-    const token = jwt4.sign(
-      {
-        // Minimal, safe fields
-        iss: process.env.FRONTEND_URL,
-        aud: process.env.AUTH_SERVER_URL,
-        sub: payload.sub,
-        refreshToken: payload.refreshToken,
-        iat: Math.floor(Date.now() / 1e3)
-      },
-      serviceKey,
-      {
-        expiresIn: "60s",
-        // Short-lived = safer
-        algorithm: "HS256",
-        // HMAC-based
-        keyid: "dev-main"
-        // For future rotation
-      }
-    );
-    const response = await fetch(`${authServerUrl}/refresh`, {
-      method: "GET",
-      headers: { Authorization: `Bearer ${token}` }
-    });
-    if (!response.ok) {
-      console.error(
-        "[SeamlessAuth] Refresh token request failed:",
-        response.status
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).json(result.body).end();
+}
+
+// src/handlers/register.ts
+import { registerHandler } from "@seamless-auth/core/handlers/register";
+async function register(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
+  };
+  const result = await registerHandler(
+    { body: req.body },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      registrationCookieName: opts.registrationCookieName
+    }
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: opts.registrationCookieName || "seamless-auth-registraion",
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
       );
-      return null;
     }
-    const data = await response.json();
-    return data;
-  } catch (err) {
-    console.error("[SeamlessAuth] refreshAccessToken error:", err);
-    return null;
   }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).json(result.body).end();
 }
 
-// src/middleware/ensureCookies.ts
-function createEnsureCookiesMiddleware(opts) {
-  const COOKIE_REQUIREMENTS = {
-    "/webAuthn/login/finish": { name: opts.preAuthCookieName, required: true },
-    "/webAuthn/login/start": { name: opts.preAuthCookieName, required: true },
-    "/webAuthn/register/start": {
-      name: opts.registrationCookieName,
-      required: true
-    },
-    "/webAuthn/register/finish": {
-      name: opts.registrationCookieName,
-      required: true
-    },
-    "/otp/verify-email-otp": {
-      name: opts.registrationCookieName,
-      required: true
-    },
-    "/otp/verify-phone-otp": {
-      name: opts.registrationCookieName,
-      required: true
-    },
-    "/logout": { name: opts.accesscookieName, required: true },
-    "/users/me": { name: opts.accesscookieName, required: true }
+// src/handlers/finishRegister.ts
+import { finishRegisterHandler } from "@seamless-auth/core/handlers/finishRegister";
+async function finishRegister(req, res, opts) {
+  const cookieSigner = {
+    secret: opts.cookieSecret,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax"
   };
-  return async function ensureCookies(req, res, next, cookieDomain = "") {
-    const match = Object.entries(COOKIE_REQUIREMENTS).find(
-      ([path]) => req.path.startsWith(path)
-    );
-    if (!match) return next();
-    const [, { name, required }] = match;
-    const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
-    const cookieValue = req.cookies?.[name];
-    const refreshCookieValue = req.cookies?.[opts.refreshCookieName];
-    if (required && !cookieValue) {
-      if (refreshCookieValue) {
-        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
-        const refreshed = await refreshAccessToken(
-          req,
-          AUTH_SERVER_URL,
-          refreshCookieValue
-        );
-        if (!refreshed?.token) {
-          clearAllCookies(
-            res,
-            cookieDomain,
-            name,
-            opts.registrationCookieName,
-            opts.refreshCookieName
-          );
-          res.status(401).json({ error: "Refresh failed" });
-          return;
-        }
-        setSessionCookie(
-          res,
-          {
-            sub: refreshed.sub,
-            token: refreshed.token,
-            roles: refreshed.roles
-          },
-          cookieDomain,
-          refreshed.ttl,
-          name
-        );
-        setSessionCookie(
-          res,
-          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
-          cookieDomain,
-          refreshed.refreshTtl,
-          opts.refreshCookieName
-        );
-        req.cookiePayload = {
-          sub: refreshed.sub,
-          roles: refreshed.roles
-        };
-        return next();
-      }
-      return res.status(400).json({
-        error: `Missing required cookie "${name}" for route ${req.path}`,
-        hint: "Did you forget to call /auth/login/start first?"
-      });
+  const authorization = buildServiceAuthorization(req, opts);
+  const result = await finishRegisterHandler(
+    { body: req.body, authorization },
+    {
+      authServerUrl: opts.authServerUrl,
+      cookieDomain: opts.cookieDomain,
+      accessCookieName: opts.accessCookieName,
+      refreshCookieName: opts.refreshCookieName
     }
-    if (cookieValue) {
-      const payload = verifyCookieJwt(cookieValue);
-      if (!payload) {
-        return res.status(401).json({ error: `Invalid or expired ${name} cookie` });
-      }
-      req.cookiePayload = payload;
+  );
+  if (!cookieSigner.secret) {
+    throw new Error("Missing COOKIE_SIGNING_KEY");
+  }
+  if (result.setCookies) {
+    for (const c of result.setCookies) {
+      setSessionCookie(
+        res,
+        {
+          name: c.name,
+          payload: c.value,
+          domain: c.domain,
+          ttlSeconds: c.ttl
+        },
+        cookieSigner
+      );
     }
-    next();
-  };
+  }
+  if (result.error) {
+    return res.status(result.status).json(result.error);
+  }
+  res.status(result.status).json({ message: "success" });
 }
 
-// src/internal/verifySignedAuthResponse.ts
-import { createRemoteJWKSet, jwtVerify } from "jose";
-async function verifySignedAuthResponse(token, authServerUrl) {
-  try {
-    const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
-    const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-    const { payload } = await jwtVerify(token, JWKS, {
-      algorithms: ["RS256"],
-      issuer: authServerUrl
-    });
-    return payload;
-  } catch (err) {
-    console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
-    return null;
+// src/handlers/me.ts
+import { meHandler } from "@seamless-auth/core/handlers/me";
+async function me(req, res, opts) {
+  const authorization = buildServiceAuthorization(req, opts);
+  const result = await meHandler({
+    authServerUrl: opts.authServerUrl,
+    preAuthCookieName: opts.preAuthCookieName,
+    authorization
+  });
+  if (result.clearCookies) {
+    for (const name of result.clearCookies) {
+      clearSessionCookie(res, opts.cookieDomain || "", name);
+    }
+  }
+  if (result.error) {
+    return res.status(result.status).json({ error: result.error });
   }
+  res.status(result.status).json(result.body);
+}
+
+// src/handlers/logout.ts
+import { logoutHandler } from "@seamless-auth/core/handlers/logout";
+async function logout(req, res, opts) {
+  const result = await logoutHandler({
+    authServerUrl: opts.authServerUrl,
+    accessCookieName: opts.accessCookieName,
+    registrationCookieName: opts.registrationCookieName,
+    refreshCookieName: opts.refreshCookieName
+  });
+  clearAllCookies(res, opts.cookieDomain || "", ...result.clearCookies);
+  res.status(result.status).end();
 }
 
 // src/createServer.ts
+import {
+  authFetch
+} from "@seamless-auth/core";
 function createSeamlessAuthServer(opts) {
   const r = express.Router();
   r.use(express.json());
   r.use(cookieParser());
-  const {
-    authServerUrl,
-    cookieDomain = "",
-    accesscookieName = "seamless-access",
-    registrationCookieName = "seamless-ephemeral",
-    refreshCookieName = "seamless-refresh",
-    preAuthCookieName = "seamless-ephemeral"
-  } = opts;
-  const proxy = (path, method = "POST") => async (req, res) => {
-    try {
-      const response = await authFetch(req, `${authServerUrl}/${path}`, {
-        method,
-        body: req.body
-      });
-      res.status(response.status).json(await response.json());
-    } catch (error) {
-      console.error(`Failed to proxy to route. Error: ${error}`);
+  const resolvedOpts = {
+    authServerUrl: opts.authServerUrl,
+    issuer: opts.issuer,
+    audience: opts.audience,
+    cookieSecret: opts.cookieSecret,
+    serviceSecret: opts.serviceSecret,
+    jwksKid: opts.jwksKid ?? "dev-main",
+    cookieDomain: opts.cookieDomain ?? "",
+    accessCookieName: opts.accessCookieName ?? "seamless-access",
+    registrationCookieName: opts.registrationCookieName ?? "seamless-ephemeral",
+    refreshCookieName: opts.refreshCookieName ?? "seamless-refresh",
+    preAuthCookieName: opts.preAuthCookieName ?? "seamless-ephemeral"
+  };
+  const proxyWithIdentity = (path, identity, method = "POST") => async (req, res) => {
+    if (!req.cookiePayload?.sub) {
+      res.status(401).json({ error: "unauthenticated" });
+      return;
     }
+    if (identity === "access" && !req.cookies[resolvedOpts.accessCookieName]) {
+      res.status(401).json({ error: "access session required" });
+      return;
+    }
+    if (identity === "preAuth" && !req.cookies[resolvedOpts.preAuthCookieName]) {
+      res.status(401).json({ error: "pre-auth session required" });
+      return;
+    }
+    if (identity === "register" && !req.cookies[resolvedOpts.registrationCookieName]) {
+      res.status(401).json({ error: "registeration session required" });
+      return;
+    }
+    const authorization = buildServiceAuthorization(req, resolvedOpts);
+    const options = method == "GET" ? { method, authorization } : { method, authorization, body: req.body };
+    const upstream = await authFetch(
+      `${resolvedOpts.authServerUrl}/${path}`,
+      options
+    );
+    const data = await upstream.json();
+    res.status(upstream.status).json(data);
   };
   r.use(
     createEnsureCookiesMiddleware({
-      authServerUrl,
-      cookieDomain,
-      accesscookieName,
-      registrationCookieName,
-      refreshCookieName,
-      preAuthCookieName
+      authServerUrl: resolvedOpts.authServerUrl,
+      cookieDomain: resolvedOpts.cookieDomain,
+      accessCookieName: resolvedOpts.accessCookieName,
+      registrationCookieName: resolvedOpts.registrationCookieName,
+      refreshCookieName: resolvedOpts.refreshCookieName,
+      preAuthCookieName: resolvedOpts.preAuthCookieName,
+      cookieSecret: resolvedOpts.cookieSecret,
+      serviceSecret: resolvedOpts.serviceSecret,
+      issuer: resolvedOpts.issuer,
+      audience: resolvedOpts.authServerUrl,
+      keyId: resolvedOpts.jwksKid
     })
   );
-  r.post("/webAuthn/login/start", proxy("webAuthn/login/start"));
-  r.post("/webAuthn/login/finish", finishLogin);
-  r.get("/webAuthn/register/start", proxy("webAuthn/register/start", "GET"));
-  r.post("/webAuthn/register/finish", finishRegister);
-  r.post("/otp/verify-phone-otp", proxy("otp/verify-phone-otp"));
-  r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
-  r.post("/login", login);
-  r.post("/users/update", proxy("users/update"));
-  r.post("/registration/register", register);
-  r.get("/users/me", me);
-  r.get("/logout", logout);
+  r.post(
+    "/webAuthn/login/start",
+    proxyWithIdentity("webAuthn/login/start", "preAuth")
+  );
+  r.post(
+    "/webAuthn/login/finish",
+    (req, res) => finishLogin(req, res, resolvedOpts)
+  );
+  r.get(
+    "/webAuthn/register/start",
+    proxyWithIdentity("webAuthn/register/start", "preAuth", "GET")
+  );
+  r.post(
+    "/webAuthn/register/finish",
+    (req, res) => finishRegister(req, res, resolvedOpts)
+  );
+  r.post(
+    "/otp/verify-phone-otp",
+    proxyWithIdentity("otp/verify-phone-otp", "preAuth")
+  );
+  r.post(
+    "/otp/verify-email-otp",
+    proxyWithIdentity("otp/verify-email-otp", "preAuth")
+  );
+  r.post("/login", (req, res) => login(req, res, resolvedOpts));
+  r.post(
+    "/registration/register",
+    (req, res) => register(req, res, resolvedOpts)
+  );
+  r.get("/users/me", (req, res) => me(req, res, resolvedOpts));
+  r.get("/logout", (req, res) => logout(req, res, resolvedOpts));
+  r.post("/users/update", proxyWithIdentity("users/update", "access"));
+  r.post(
+    "/users/credentials",
+    proxyWithIdentity("users/credentials", "access")
+  );
+  r.delete(
+    "/users/credentials",
+    proxyWithIdentity("users/credentials", "access")
+  );
   return r;
-  async function login(req, res) {
-    const up = await authFetch(req, `${authServerUrl}/login`, {
-      method: "POST",
-      body: req.body
-    });
-    const data = await up.json();
-    if (!up.ok) return res.status(up.status).json(data);
-    const verified = await verifySignedAuthResponse(data.token, authServerUrl);
-    if (!verified) {
-      throw new Error("Invalid signed response from Auth Server");
-    }
-    if (verified.sub !== data.sub) {
-      throw new Error("Signature mismatch with data payload");
-    }
-    setSessionCookie(
-      res,
-      { sub: data.sub },
-      cookieDomain,
-      data.ttl,
-      preAuthCookieName
-    );
-    res.status(204).end();
-  }
-  async function register(req, res) {
-    const up = await authFetch(req, `${authServerUrl}/registration/register`, {
-      method: "POST",
-      body: req.body
-    });
-    const data = await up.json();
-    if (!up.ok) return res.status(up.status).json(data);
-    setSessionCookie(
-      res,
-      { sub: data.sub },
-      cookieDomain,
-      data.ttl,
-      registrationCookieName
-    );
-    res.status(200).json(data).end();
-  }
-  async function finishLogin(req, res) {
-    const up = await authFetch(req, `${authServerUrl}/webAuthn/login/finish`, {
-      method: "POST",
-      body: req.body
-    });
-    const data = await up.json();
-    if (!up.ok) return res.status(up.status).json(data);
-    const verifiedAccessToken = await verifySignedAuthResponse(
-      data.token,
-      authServerUrl
-    );
-    if (!verifiedAccessToken) {
-      throw new Error("Invalid signed response from Auth Server");
-    }
-    if (verifiedAccessToken.sub !== data.sub) {
-      throw new Error("Signature mismatch with data payload");
-    }
-    setSessionCookie(
-      res,
-      { sub: data.sub, roles: data.roles },
-      cookieDomain,
-      data.ttl,
-      accesscookieName
-    );
-    setSessionCookie(
-      res,
-      { sub: data.sub, refreshToken: data.refreshToken },
-      req.hostname,
-      data.refreshTtl,
-      refreshCookieName
-    );
-    res.status(200).json(data).end();
-  }
-  async function finishRegister(req, res) {
-    const up = await authFetch(
-      req,
-      `${authServerUrl}/webAuthn/register/finish`,
-      {
-        method: "POST",
-        body: req.body
-      }
-    );
-    const data = await up.json();
-    if (!up.ok) return res.status(up.status).json(data);
-    setSessionCookie(
-      res,
-      { sub: data.sub, roles: data.roles },
-      cookieDomain,
-      data.ttl,
-      accesscookieName
-    );
-    res.status(204).end();
-  }
-  async function logout(req, res) {
-    await authFetch(req, `${authServerUrl}/logout`, {
-      method: "GET"
-    });
-    clearAllCookies(
-      res,
-      cookieDomain,
-      accesscookieName,
-      registrationCookieName,
-      refreshCookieName
-    );
-    res.status(204).end();
-  }
-  async function me(req, res) {
-    const up = await authFetch(req, `${authServerUrl}/users/me`, {
-      method: "GET"
-    });
-    const data = await up.json();
-    clearSessionCookie(res, cookieDomain, preAuthCookieName);
-    if (!data.user) return res.status(401).json({ error: "unauthenticated" });
-    res.json({ user: data.user });
-  }
 }
 
 // src/middleware/requireAuth.ts
-import jwt5 from "jsonwebtoken";
-function requireAuth(cookieName = "seamless-access", refreshCookieName = "seamless-refresh", cookieDomain = "/") {
-  const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-  if (!COOKIE_SECRET2) {
-    console.warn(
-      "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireAuth will always fail."
-    );
-    throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
+import { verifyCookieJwt } from "@seamless-auth/core";
+function requireAuth(opts) {
+  const { cookieName = "seamless-access", cookieSecret } = opts;
+  if (!cookieSecret) {
+    throw new Error("requireAuth: missing cookieSecret");
   }
-  const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL;
-  return async (req, res, next) => {
-    try {
-      if (!COOKIE_SECRET2) {
-        throw new Error("Missing required SEAMLESS_COOKIE_SIGNING_KEY env");
-      }
-      const token = req.cookies?.[cookieName];
-      if (!token) {
-        res.status(401).json({ error: "Missing access cookie" });
-        return;
-      }
-      try {
-        const payload = jwt5.verify(token, COOKIE_SECRET2, {
-          algorithms: ["HS256"]
-        });
-        req.user = payload;
-        return next();
-      } catch (err) {
-        if (err.name !== "TokenExpiredError") {
-          console.warn("[SeamlessAuth] Invalid token:", err.message);
-          res.status(401).json({ error: "Invalid token" });
-          return;
-        }
-        const refreshToken = req.cookies?.[refreshCookieName];
-        if (!refreshToken) {
-          res.status(401).json({ error: "Session expired; re-login required" });
-          return;
-        }
-        console.log("[SeamlessAuth] Access token expired \u2014 attempting refresh");
-        const refreshed = await refreshAccessToken(
-          req,
-          AUTH_SERVER_URL,
-          refreshToken
-        );
-        if (!refreshed?.token) {
-          res.status(401).json({ error: "Refresh failed" });
-          return;
-        }
-        setSessionCookie(
-          res,
-          {
-            sub: refreshed.sub,
-            token: refreshed.token,
-            roles: refreshed.roles
-          },
-          cookieDomain,
-          refreshed.ttl,
-          cookieName
-        );
-        setSessionCookie(
-          res,
-          { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
-          req.hostname,
-          refreshed.refreshTtl,
-          refreshCookieName
-        );
-        const payload = jwt5.verify(refreshed.token, COOKIE_SECRET2, {
-          algorithms: ["HS256"]
-        });
-        req.user = payload;
-        next();
-      }
-    } catch (err) {
-      console.error("[SeamlessAuth] requireAuth error:", err.message);
-      res.status(401).json({ error: "Invalid or expired access cookie" });
+  return function(req, res, next) {
+    const token = req.cookies?.[cookieName];
+    if (!token) {
+      res.status(401).json({
+        error: "Authentication required"
+      });
       return;
     }
+    const payload = verifyCookieJwt(token, cookieSecret);
+    if (!payload || !payload.sub) {
+      res.status(401).json({
+        error: "Invalid or expired session"
+      });
+      return;
+    }
+    const user = {
+      id: payload.sub,
+      sub: payload.sub,
+      // TODO: Silly to store the same value twice. Search every where its used and phase this out.
+      roles: Array.isArray(payload.roles) ? payload.roles : [],
+      email: payload.email,
+      phone: payload.phone,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+    req.user = user;
+    next();
   };
 }
 
 // src/middleware/requireRole.ts
-import jwt6 from "jsonwebtoken";
-function requireRole(role, cookieName = "seamless-access") {
+function requireRole(requiredRoles) {
+  const roles = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
   return (req, res, next) => {
-    try {
-      const COOKIE_SECRET2 = process.env.SEAMLESS_COOKIE_SIGNING_KEY;
-      if (!COOKIE_SECRET2) {
-        console.warn(
-          "[SeamlessAuth] SEAMLESS_COOKIE_SIGNING_KEY missing \u2014 requireRole will always fail."
-        );
-        throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
-      }
-      const token = req.cookies?.[cookieName];
-      if (!token) {
-        res.status(401).json({ error: "Missing access cookie" });
-        return;
-      }
-      const payload = jwt6.verify(token, COOKIE_SECRET2, {
-        algorithms: ["HS256"]
+    const user = req.user;
+    if (!user) {
+      res.status(401).json({
+        error: "Authentication required"
       });
-      if (!payload.roles?.includes(role)) {
-        res.status(403).json({ error: `Forbidden: ${role} role required` });
-        return;
-      }
-      next();
-    } catch (err) {
-      console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
-      res.status(401).json({ error: "Invalid or expired access cookie" });
+      return;
+    }
+    if (!Array.isArray(user.roles)) {
+      res.status(403).json({
+        error: "User has no roles assigned"
+      });
+      return;
     }
+    const hasRole = roles.some((role) => user.roles.includes(role));
+    if (!hasRole) {
+      res.status(403).json({
+        error: "Insufficient role",
+        required: roles,
+        actual: user.roles
+      });
+      return;
+    }
+    next();
   };
 }
 
-// src/internal/getSeamlessUser.ts
-async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-access") {
-  try {
-    const payload = verifyCookieJwt(req.cookies[cookieName]);
-    if (!payload) {
-      throw new Error("Missing cookie");
-    }
-    req.cookiePayload = payload;
-    const response = await authFetch(req, `${authServerUrl}/users/me`, {
-      method: "GET"
-    });
-    if (!response.ok) {
-      console.warn(`[SeamlessAuth] Auth server responded ${response.status}`);
-      return null;
-    }
-    const data = await response.json();
-    return data.user;
-  } catch (err) {
-    console.error("[SeamlessAuth] getSeamlessUser failed:", err);
-    return null;
-  }
+// src/getSeamlessUser.ts
+import {
+  getSeamlessUser as getSeamlessUserCore
+} from "@seamless-auth/core";
+async function getSeamlessUser(req, opts) {
+  const authorization = buildServiceAuthorization(req, opts);
+  return getSeamlessUserCore(req.cookies ?? {}, {
+    authServerUrl: opts.authServerUrl,
+    cookieSecret: opts.cookieSecret,
+    cookieName: opts.accessCookieName ?? "seamless-access",
+    authorization
+  });
 }
 
 // src/index.ts
 var index_default = createSeamlessAuthServer;
 export {
+  createEnsureCookiesMiddleware,
   index_default as default,
   getSeamlessUser,
   requireAuth,