@sveltebase/auth 1.0.0

package/dist/index.d.ts

@@ -0,0 +1,82 @@
+import type { Cookies } from "@sveltejs/kit";
+export type SessionUser<User> = User & {
+    token: string;
+};
+export interface AuthConfig {
+    /**
+     * Secret key used to sign and verify JWTs.
+     */
+    jwtSecret: string;
+    /**
+     * Name of the cookie storing the session token.
+     * @default "sf_session"
+     */
+    cookieName?: string;
+    /**
+     * Default cookie settings.
+     */
+    cookieOptions?: {
+        path?: string;
+        httpOnly?: boolean;
+        secure?: boolean;
+        sameSite?: "lax" | "strict" | "none";
+        domain?: string;
+        maxAge?: number;
+    };
+}
+export declare function base64urlEncode(uint8Array: Uint8Array): string;
+export declare function base64urlDecode(str: string): Uint8Array;
+/**
+ * Signs a payload into a JWT using HMAC-SHA256.
+ */
+export declare function signJWT(payload: Record<string, any>, secret: string, expiresAt?: number): Promise<string>;
+/**
+ * Verifies a JWT using HMAC-SHA256 and returns its payload.
+ */
+export declare function verifyJWT(token: string, secret: string): Promise<Record<string, any>>;
+/**
+ * Decodes the raw user session from cookies without verifying the JWT.
+ * Best used in layout load functions for super-fast, database-free SSR.
+ */
+/**
+ * Decodes the raw user session from cookies without verifying the JWT.
+ * Best used in layout load functions for super-fast, database-free SSR.
+ */
+export declare function getUserFromCookie<User>(cookies: Cookies, cookieName?: string): SessionUser<User> | null;
+/**
+ * Parses a raw Cookie header string into key-value pairs.
+ */
+export declare function parseCookies(cookieHeader: string): Record<string, string>;
+/**
+ * Extracts and decodes the user session from standard Request headers without verifying it.
+ */
+export declare function getUserFromRequest<User>(request: Request, cookieName?: string): SessionUser<User> | null;
+/**
+ * Extracts and cryptographically verifies the user session from standard Request headers.
+ * Best used in write/mutation contexts.
+ */
+export declare function getVerifiedUserFromRequest<User extends {
+    id: any;
+}>(request: Request, jwtSecret: string, cookieName?: string): Promise<SessionUser<User> | null>;
+/**
+ * Creates SvelteKit server-side session management helpers.
+ */
+export declare function createServerAuth<User extends {
+    id: any;
+}>(config: AuthConfig): {
+    /**
+     * Signs the user object into a JWT, embeds the token, and writes it to the SvelteKit cookies.
+     */
+    login(cookies: Cookies, userPayload: User, options?: {
+        maxAge?: number;
+        expires?: Date;
+    }): Promise<SessionUser<User>>;
+    /**
+     * Deletes the session cookie to clear the session.
+     */
+    logout(cookies: Cookies, options?: {
+        path?: string;
+        domain?: string;
+    }): void;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,MAAM,WAAW,CAAC,IAAI,IAAI,IAAI,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzD,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,aAAa,CAAC,EAAE;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;QACrC,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAGD,wBAAgB,eAAe,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,CAQ9D;AAGD,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAWvD;AAuBD;;GAEG;AACH,wBAAsB,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgB/G;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAsB3F;AAED;;;GAGG;AACH;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EACpC,OAAO,EAAE,OAAO,EAChB,UAAU,SAAe,GACxB,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAU1B;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAUzE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EACrC,OAAO,EAAE,OAAO,EAChB,UAAU,SAAe,GACxB,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAc1B;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAAC,IAAI,SAAS;IAAE,EAAE,EAAE,GAAG,CAAA;CAAE,EACvE,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,MAAM,EACjB,UAAU,SAAe,GACxB,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAUnC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,SAAS;IAAE,EAAE,EAAE,GAAG,CAAA;CAAE,EAAE,MAAM,EAAE,UAAU;IAWzE;;OAEG;mBAEQ,OAAO,eACH,IAAI,YACP;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,IAAI,CAAA;KAAE,GAC5C,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IA2B7B;;OAEG;oBACa,OAAO,YAAY;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;EAO/E"}

package/dist/index.js

@@ -0,0 +1,194 @@
+// Helper: Safe Base64URL encoding (Works in Edge / Node / Cloudflare Workers)
+export function base64urlEncode(uint8Array) {
+    let binary = "";
+    const len = uint8Array.byteLength;
+    for (let i = 0; i < len; i++) {
+        binary += String.fromCharCode(uint8Array[i]);
+    }
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// Helper: Safe Base64URL decoding (Works in Edge / Node / Cloudflare Workers)
+export function base64urlDecode(str) {
+    let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4) {
+        base64 += "=";
+    }
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function stringToBase64url(str) {
+    return base64urlEncode(new TextEncoder().encode(str));
+}
+function base64urlToString(str) {
+    return new TextDecoder().decode(base64urlDecode(str));
+}
+// Import CryptoKey helper using Web Crypto API
+async function getCryptoKey(secret) {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    return await crypto.subtle.importKey("raw", keyData, { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
+}
+/**
+ * Signs a payload into a JWT using HMAC-SHA256.
+ */
+export async function signJWT(payload, secret, expiresAt) {
+    const header = { alg: "HS256", typ: "JWT" };
+    const fullPayload = {
+        ...payload,
+        ...(expiresAt ? { exp: Math.floor(expiresAt / 1000) } : {})
+    };
+    const headerStr = stringToBase64url(JSON.stringify(header));
+    const payloadStr = stringToBase64url(JSON.stringify(fullPayload));
+    const dataToSign = new TextEncoder().encode(`${headerStr}.${payloadStr}`);
+    const key = await getCryptoKey(secret);
+    const signatureBuffer = await crypto.subtle.sign("HMAC", key, dataToSign);
+    const signatureStr = base64urlEncode(new Uint8Array(signatureBuffer));
+    return `${headerStr}.${payloadStr}.${signatureStr}`;
+}
+/**
+ * Verifies a JWT using HMAC-SHA256 and returns its payload.
+ */
+export async function verifyJWT(token, secret) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Invalid token format");
+    }
+    const [headerStr, payloadStr, signatureStr] = parts;
+    const dataToVerify = new TextEncoder().encode(`${headerStr}.${payloadStr}`);
+    const signatureBytes = base64urlDecode(signatureStr);
+    const key = await getCryptoKey(secret);
+    const isValid = await crypto.subtle.verify("HMAC", key, signatureBytes, dataToVerify);
+    if (!isValid) {
+        throw new Error("Invalid signature");
+    }
+    const payload = JSON.parse(base64urlToString(payloadStr));
+    if (payload.exp && Date.now() >= payload.exp * 1000) {
+        throw new Error("Token expired");
+    }
+    return payload;
+}
+/**
+ * Decodes the raw user session from cookies without verifying the JWT.
+ * Best used in layout load functions for super-fast, database-free SSR.
+ */
+/**
+ * Decodes the raw user session from cookies without verifying the JWT.
+ * Best used in layout load functions for super-fast, database-free SSR.
+ */
+export function getUserFromCookie(cookies, cookieName = "sf_session") {
+    const cookieVal = cookies.get(cookieName);
+    if (!cookieVal)
+        return null;
+    try {
+        const jsonStr = atob(cookieVal);
+        return JSON.parse(jsonStr);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Parses a raw Cookie header string into key-value pairs.
+ */
+export function parseCookies(cookieHeader) {
+    const cookies = {};
+    cookieHeader.split(";").forEach((cookie) => {
+        const parts = cookie.split("=");
+        const name = parts.shift()?.trim();
+        if (name) {
+            cookies[name] = decodeURIComponent(parts.join("="));
+        }
+    });
+    return cookies;
+}
+/**
+ * Extracts and decodes the user session from standard Request headers without verifying it.
+ */
+export function getUserFromRequest(request, cookieName = "sf_session") {
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader)
+        return null;
+    const cookies = parseCookies(cookieHeader);
+    const rawSession = cookies[cookieName];
+    if (!rawSession)
+        return null;
+    try {
+        const jsonStr = atob(rawSession);
+        return JSON.parse(jsonStr);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Extracts and cryptographically verifies the user session from standard Request headers.
+ * Best used in write/mutation contexts.
+ */
+export async function getVerifiedUserFromRequest(request, jwtSecret, cookieName = "sf_session") {
+    const user = getUserFromRequest(request, cookieName);
+    if (!user)
+        return null;
+    try {
+        await verifyJWT(user.token, jwtSecret);
+        return user;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Creates SvelteKit server-side session management helpers.
+ */
+export function createServerAuth(config) {
+    const cookieName = config.cookieName || "sf_session";
+    const defaultCookieOptions = {
+        path: "/",
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax",
+        ...config.cookieOptions,
+    };
+    return {
+        /**
+         * Signs the user object into a JWT, embeds the token, and writes it to the SvelteKit cookies.
+         */
+        async login(cookies, userPayload, options) {
+            let expiresAt;
+            if (options?.maxAge) {
+                expiresAt = Date.now() + options.maxAge * 1000;
+            }
+            else if (options?.expires) {
+                expiresAt = options.expires.getTime();
+            }
+            else if (defaultCookieOptions.maxAge) {
+                expiresAt = Date.now() + defaultCookieOptions.maxAge * 1000;
+            }
+            // Generate the verified JWT token using user id
+            const token = await signJWT({ id: userPayload.id }, config.jwtSecret, expiresAt);
+            const sessionUser = {
+                ...userPayload,
+                token,
+            };
+            const cookieVal = btoa(JSON.stringify(sessionUser));
+            cookies.set(cookieName, cookieVal, {
+                ...defaultCookieOptions,
+                ...options,
+            });
+            return sessionUser;
+        },
+        /**
+         * Deletes the session cookie to clear the session.
+         */
+        logout(cookies, options) {
+            cookies.delete(cookieName, {
+                path: "/",
+                ...options,
+            });
+        }
+    };
+}

package/dist/server/index.d.ts

@@ -0,0 +1,28 @@
+import { type SyncContext } from "@sveltebase/sync";
+export interface SyncAuthConfig<User = any> {
+    /**
+     * Secret key used to verify the JWT tokens.
+     */
+    jwtSecret: string;
+    /**
+     * Name of the session cookie.
+     * @default "sf_session"
+     */
+    cookieName?: string;
+    /**
+     * Optional database hook to verify if the user still exists or is active.
+     */
+    verifyUser?: (user: User, ctx: SyncContext) => Promise<boolean>;
+    /**
+     * Optional database hook to persist user mutations.
+     */
+    onUpdate?: (userId: User extends {
+        id: infer Id;
+    } ? Id : string, changes: Partial<User>, ctx: SyncContext) => Promise<User>;
+}
+/**
+ * Creates a Svelteflare Sync handler for WebSocket-based session validation.
+ * Registers the read-only "users" channel.
+ */
+export declare function createAuthSync<User = any>(config: SyncAuthConfig<User>): import("@sveltebase/sync").SyncHandler<User>;
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGhE,MAAM,WAAW,cAAc,CAAC,IAAI,GAAG,GAAG;IACxC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE;;OAEG;IACH,QAAQ,CAAC,EAAE,CACT,MAAM,EAAE,IAAI,SAAS;QAAE,EAAE,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,EAAE,GAAG,MAAM,EACnD,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,EACtB,GAAG,EAAE,WAAW,KACb,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,gDA0EtE"}

package/dist/server/index.js

@@ -0,0 +1,70 @@
+import { defineSync } from "@sveltebase/sync";
+import { getUserFromRequest, verifyJWT, getVerifiedUserFromRequest } from "../index.js";
+/**
+ * Creates a Svelteflare Sync handler for WebSocket-based session validation.
+ * Registers the read-only "users" channel.
+ */
+export function createAuthSync(config) {
+    const cookieName = config.cookieName || "sf_session";
+    return defineSync({
+        channel: "users",
+        // Runs automatically when the client queries/subscribes to the "users" channel
+        authorize: async (ctx) => {
+            const user = getUserFromRequest(ctx.request, cookieName);
+            if (!user) {
+                throw new Error("Unauthorized: No session cookie found");
+            }
+            // 1. Cryptographically verify the token
+            let payload;
+            try {
+                payload = await verifyJWT(user.token, config.jwtSecret);
+            }
+            catch {
+                throw new Error("Unauthorized: Invalid token");
+            }
+            // 2. Perform optional database validation (check if active/deleted)
+            if (config.verifyUser) {
+                const isValid = await config.verifyUser(payload, ctx);
+                if (!isValid) {
+                    throw new Error("Unauthorized: User no longer exists");
+                }
+            }
+        },
+        // Returns the current session user so the client knows it is successfully authorized
+        fetch: async (ctx) => {
+            const user = getUserFromRequest(ctx.request, cookieName);
+            return user ? [user] : [];
+        },
+        create: async () => {
+            throw new Error("Forbidden: User creation is disabled on sync channel");
+        },
+        update: async (ctx, key, changes) => {
+            // Verify token authenticity before allowing writes
+            const user = await getVerifiedUserFromRequest(ctx.request, config.jwtSecret, cookieName);
+            if (!user) {
+                throw new Error("Unauthorized: Invalid session");
+            }
+            // Prevent users from updating other users' records (comparing string representations to support both string and number IDs)
+            if (String(user.id) !== String(key)) {
+                throw new Error("Forbidden: Cannot modify other user profiles");
+            }
+            // Persist update via dev's DB hook if registered
+            if (config.onUpdate) {
+                const typedKey = (typeof user.id === "number" ? Number(key) : key);
+                const dbResult = await config.onUpdate(typedKey, changes, ctx);
+                return {
+                    ...dbResult,
+                    token: user.token
+                };
+            }
+            // Fallback: return merged changes
+            return { ...user, ...changes };
+        },
+        delete: async () => {
+            throw new Error("Forbidden: User deletion is disabled on sync channel");
+        },
+        scope: (ctx, action, data) => {
+            return [String(data.id)];
+        }
+    });
+}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@sveltebase/auth",
+  "version": "1.0.0",
+  "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "svelte": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "svelte": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "svelte": "./dist/client/index.js",
+      "default": "./dist/client/index.js"
+    },
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "default": "./dist/server/index.js"
+    },
+    "./google": {
+      "types": "./dist/google/index.d.ts",
+      "svelte": "./dist/google/index.js",
+      "default": "./dist/google/index.js"
+    }
+  },
+  "peerDependencies": {
+    "svelte": "^5.0.0",
+    "@sveltejs/kit": "^2.0.0"
+  },
+  "devDependencies": {
+    "@types/google.accounts": "^0.0.14"
+  },
+  "scripts": {
+    "build": "svelte-package --input ./src --output ./dist",
+    "check": "tsc --project tsconfig.json --noEmit",
+    "clean": "rm -rf dist"
+  }
+}