npm - @seamless-auth/express - Versions diffs - 0.0.2-beta.8 → 0.0.2-beta.9 - Mend

@seamless-auth/express 0.0.2-beta.8 → 0.0.2-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,4 @@
 import { Router, Request, Response, NextFunction, RequestHandler } from 'express';
-import { JwtPayload } from 'jsonwebtoken';
 interface SeamlessAuthServerOptions {
     authServerUrl: string;
@@ -9,7 +8,6 @@ interface SeamlessAuthServerOptions {
     refreshCookieName?: string;
     preAuthCookieName?: string;
 }
 /**
  * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
  *
@@ -56,6 +54,10 @@ interface SeamlessAuthServerOptions {
  */
 declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
+interface RequireAuthOptions {
+    cookieName?: string;
+    cookieSecret: string;
+}
 /**
  * Express middleware that enforces authentication using Seamless Auth cookies.
  *
@@ -106,9 +108,6 @@ declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Rout
  * @returns An Express middleware function that enforces Seamless Auth
  *          authentication on incoming requests.
  */
-interface AuthenticatedRequest extends Request {
-    user?: JwtPayload;
-}
 interface RequireAuthOptions {
     cookieName?: string;
     cookieSecret: string;
@@ -121,32 +120,22 @@ interface RequireAuthOptions {
  * - This middleware does NOT attempt token refresh.
  * - Refresh is handled upstream by ensureCookies().
  */
-declare function requireAuth(opts: RequireAuthOptions): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+declare function requireAuth(opts: RequireAuthOptions): (req: Request, res: Response, next: NextFunction) => void;
 /**
- * Express middleware that enforces role-based authorization for Seamless Auth sessions.
- *
- * This guard assumes that `requireAuth()` has already validated the request
- * and populated `req.user` with the decoded Seamless Auth session payload.
- * It then checks whether the user’s roles include the required role (or any
- * of several, when an array is provided).
+ * Express middleware that enforces role-based authorization for Seamless Auth.
  *
- * If the user possesses the required authorization, the request proceeds.
- * Otherwise, the middleware responds with a 403 Forbidden error.
+ * This middleware assumes `requireAuth()` has already:
+ * - authenticated the request
+ * - populated `req.user` with the authenticated session payload
  *
- * ### Responsibilities
- * - Validates that `req.user` is present (enforced upstream by `requireAuth`)
- * - Ensures the authenticated user includes the specified role(s)
- * - Blocks unauthorized access with a standardized JSON 403 response
+ * `requireRole` performs **authorization only**. It does not inspect cookies,
+ * verify tokens, or read environment variables.
  *
- * ### Parameters
- * - **requiredRole** — A role (string) or list of roles the user must have.
- *   If an array is provided, *any* matching role grants access.
- * - **cookieName** — Optional name of the access cookie to inspect.
- *   Defaults to `"seamless-access"`, but typically not needed because
- *   `requireAuth` is expected to run first.
+ * If any of the required roles are present on the user, access is granted.
+ * Otherwise, a 403 Forbidden response is returned.
  *
- * ### Example
+ *  * ### Example
  * ```ts
  * // Require a single role
  * app.get("/admin/users",
@@ -163,13 +152,10 @@ declare function requireAuth(opts: RequireAuthOptions): (req: AuthenticatedReque
  *   requireRole(["admin", "supervisor"]),
  *   updateSettingsHandler
  * );
- * ```
  *
- * @param requiredRole - A role or list of roles required to access the route.
- * @param cookieName - Optional access cookie name (defaults to `seamless-access`).
- * @returns An Express middleware function enforcing role-based access control.
+ * @param requiredRoles - A role or list of roles required to access the route
  */
-declare function requireRole(role: string, cookieName?: string): RequestHandler;
+declare function requireRole(requiredRoles: string | string[]): RequestHandler;
 interface EnsureCookiesMiddlewareOptions {
     authServerUrl: string;
@@ -184,10 +170,8 @@ interface EnsureCookiesMiddlewareOptions {
     audience: string;
     keyId: string;
 }
-declare function createEnsureCookiesMiddleware(opts: EnsureCookiesMiddlewareOptions): (req: Request & {
-    cookiePayload?: any;
-}, res: Response, next: NextFunction) => Promise<void>;
+declare function createEnsureCookiesMiddleware(opts: EnsureCookiesMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-declare function getSeamlessUser<T = any>(req: Request, authServerUrl: string, cookieName?: string): Promise<T | null>;
+declare function getSeamlessUser(req: Request, authServerUrl: string, cookieName?: string): Promise<any>;
-export { type SeamlessAuthServerOptions, createEnsureCookiesMiddleware, createSeamlessAuthServer as default, getSeamlessUser, requireAuth, requireRole };
+export { createEnsureCookiesMiddleware, createSeamlessAuthServer as default, getSeamlessUser, requireAuth, requireRole };

package/dist/index.js CHANGED Viewed

@@ -139,11 +139,11 @@ import { finishLoginHandler } from "@seamless-auth/core/handlers/finishLogin";
 // src/internal/buildAuthorization.ts
 import { createServiceToken } from "@seamless-auth/core";
 function buildServiceAuthorization(req) {
-  if (!req.cookiePayload?.sub) {
+  if (!req.cookiePayload?.sub && !req.user.sub) {
     return void 0;
   }
   const token = createServiceToken({
-    subject: req.cookiePayload.sub,
+    subject: req.cookiePayload?.sub || req.user.sub,
     issuer: process.env.APP_ORIGIN,
     audience: process.env.AUTH_SERVER_URL,
     serviceSecret: process.env.API_SERVICE_TOKEN,
@@ -432,58 +432,72 @@ function requireAuth(opts) {
   return function(req, res, next) {
     const token = req.cookies?.[cookieName];
     if (!token) {
-      res.status(401).json({ error: "Missing access cookie" });
+      res.status(401).json({
+        error: "Authentication required"
+      });
       return;
     }
     const payload = verifyCookieJwt(token, cookieSecret);
-    if (!payload) {
-      res.status(401).json({ error: "Invalid or expired access cookie" });
+    if (!payload || !payload.sub) {
+      res.status(401).json({
+        error: "Invalid or expired session"
+      });
       return;
     }
-    req.user = payload;
+    const user = {
+      sub: payload.sub,
+      roles: Array.isArray(payload.roles) ? payload.roles : [],
+      email: payload.email,
+      phone: payload.phone,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+    req.user = user;
     next();
   };
 }
 // src/middleware/requireRole.ts
-import jwt2 from "jsonwebtoken";
-function requireRole(role, cookieName = "seamless-access") {
+function requireRole(requiredRoles) {
+  const roles = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
   return (req, res, next) => {
-    try {
-      const COOKIE_SECRET = process.env.COOKIE_SIGNING_KEY;
-      if (!COOKIE_SECRET) {
-        console.warn(
-          "[SeamlessAuth] COOKIE_SIGNING_KEY missing \u2014 requireRole will always fail."
-        );
-        throw new Error("Missing required env COOKIE_SIGNING_KEY");
-      }
-      const token = req.cookies?.[cookieName];
-      if (!token) {
-        res.status(401).json({ error: "Missing access cookie" });
-        return;
-      }
-      const payload = jwt2.verify(token, COOKIE_SECRET, {
-        algorithms: ["HS256"]
+    const user = req.user;
+    if (!user) {
+      res.status(401).json({
+        error: "Authentication required"
       });
-      if (!payload.roles?.includes(role)) {
-        res.status(403).json({ error: `Forbidden: ${role} role required` });
-        return;
-      }
-      next();
-    } catch (err) {
-      console.error(`[RequireRole] requireRole(${role}) failed:`, err.message);
-      res.status(401).json({ error: "Invalid or expired access cookie" });
+      return;
+    }
+    if (!Array.isArray(user.roles)) {
+      res.status(403).json({
+        error: "User has no roles assigned"
+      });
+      return;
     }
+    const hasRole = roles.some((role) => user.roles.includes(role));
+    if (!hasRole) {
+      res.status(403).json({
+        error: "Insufficient role",
+        required: roles,
+        actual: user.roles
+      });
+      return;
+    }
+    next();
   };
 }
 // src/getSeamlessUser.ts
-import { getSeamlessUser as getSeamlessUserCore } from "@seamless-auth/core";
+import {
+  getSeamlessUser as getSeamlessUserCore
+} from "@seamless-auth/core";
 async function getSeamlessUser(req, authServerUrl, cookieName = "seamless-access") {
+  const authorization = buildServiceAuthorization(req);
   return getSeamlessUserCore(req.cookies ?? {}, {
     authServerUrl,
     cookieSecret: process.env.COOKIE_SIGNING_KEY,
-    cookieName
+    cookieName,
+    authorization
   });
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.2-beta.8",
+  "version": "0.0.2-beta.9",
   "description": "Express adapter for Seamless Auth passwordless authentication",
   "license": "AGPL-3.0-only",
   "type": "module",
@@ -37,7 +37,7 @@
     "@types/express": ">=4.17.0"
   },
   "dependencies": {
-    "@seamless-auth/core": "^0.1.0",
+    "@seamless-auth/core": "beta",
     "cookie-parser": "^1.4.6",
     "jsonwebtoken": "^9.0.3"
   },