@sveltebase/auth 1.3.0 → 1.4.1

package/README.md

@@ -168,26 +168,49 @@ Initialize the state once using a Svelte 5 reactive getter:
 
 ---
 
-## 5. WebSocket Sync Verification (Post-Load Security)
+## 5. Sync Worker Verification
 
-To run background cryptographic and database checks, register the `createAuthSync` handler on your sync server:
+Sync authentication is verified inside the standalone sync Worker, not in the SvelteKit app Worker. The app Worker should proxy `/api/sync` to the sync Worker and should not forward resolved auth objects.
+
+Create the sync Worker with `jwtCookieAuth()`:
+
+```typescript
+// src/worker/sync.ts
+import { jwtCookieAuth } from "@sveltebase/auth/sync";
+import { defineSyncWorker, SyncEngine } from "@sveltebase/sync/cloudflare";
+import { handlers } from "$lib/server/sync-handlers";
+
+export default defineSyncWorker({
+  handlers,
+  auth: jwtCookieAuth()
+});
+
+export { SyncEngine };
+```
+
+`jwtCookieAuth()` reads the `sf_session` cookie by default, verifies it with `platform.env.JWT_SECRET`, resolves identity from `user.id`, and marks unauthenticated websocket connections as rejected by default.
+
+Both Workers need the same secret:
+
+```bash
+wrangler secret put JWT_SECRET --config wrangler.jsonc
+wrangler secret put JWT_SECRET --config wrangler.sync.jsonc
+```
+
+Register `createAuthSync()` on the sync Worker handlers to protect the `"users"` channel and optionally check the database:
 
 ```typescript
 // src/lib/server/sync-handlers.ts
 import { createAuthSync } from "@sveltebase/auth/server";
-import { JWT_SECRET } from "$env/static/private";
 import { getDB } from "./db.js";
 
 export const handlers = [
   createAuthSync({
-    jwtSecret: JWT_SECRET,
-    // Database check to verify if the user account is active/valid
     verifyUser: async (user, ctx) => {
       const db = getDB(ctx.platform);
       const activeUser = await db.select().from(users).where(eq(users.id, user.id)).get();
       return !!activeUser && !activeUser.isSuspended;
     },
-    // Optional persistence hook for user mutations (e.g. auth.update)
     onUpdate: async (userId, changes, ctx) => {
       const db = getDB(ctx.platform);
       return await db.update(users).set(changes).where(eq(users.id, userId)).returning();
@@ -197,37 +220,7 @@ export const handlers = [
 ];
 ```
 
-`createAuthSync` registers and protects the `"users"` sync channel. It verifies the session token when the client subscribes to that channel and can call your `verifyUser` hook to check the database.
-
-To make the verified user object available to every other sync handler, resolve connection auth in your `/api/sync` WebSocket upgrade route.
-
-Recommended SvelteKit setup:
-
-```typescript
-// src/routes/api/sync/+server.ts
-import { JWT_SECRET } from "$env/static/private";
-import { getVerifiedUserFromRequest } from "@sveltebase/auth";
-import { handleUpgrade } from "@sveltebase/sync";
-import type { User } from "$lib/server/db/schema";
-import type { RequestEvent, RequestHandler } from "@sveltejs/kit";
-
-export const GET: RequestHandler = async (event: RequestEvent) => {
-  return handleUpgrade(event.request, event.platform, {
-    auth: async (request) => {
-      const user = await getVerifiedUserFromRequest<User>(
-        request,
-        JWT_SECRET
-      );
-
-      return user ? { user } : null;
-    },
-    identity: (auth) => auth.user.id,
-    allowUnauthenticated: false
-  });
-};
-```
-
-After this, other sync handlers can use `ctx.auth.user` for row ownership checks. The `identity` option gives `@sveltebase/sync` a stable user ID for `scope` filtering:
+Other sync handlers can use `ctx.auth?.user` and `ctx.identity` for row ownership checks:
 
 ```typescript
 fetch: async (ctx) => {
@@ -238,7 +231,17 @@ fetch: async (ctx) => {
 }
 ```
 
----
+Keep the browser connecting to the app origin so the session cookie is sent:
+
+```typescript
+// src/routes/api/sync/+server.ts
+import { SYNC_WORKER_URL } from "$env/static/private";
+import { syncProxy } from "@sveltebase/sync/sveltekit";
+
+export const { GET, POST } = syncProxy({
+  fallbackUrl: SYNC_WORKER_URL
+});
+```
 
 ## 6. API Reference
 
@@ -269,7 +272,9 @@ fetch: async (ctx) => {
 ### Sync Server Handler (`@sveltebase/auth/server`)
 
 * **`createAuthSync(config: SyncAuthConfig)`**
-  Establishes the `"users"` sync channel and verifies WebSocket subscriptions for auth state. For unrelated sync channels, use `handleUpgrade(..., { auth, identity })` in your `/api/sync` route to populate `ctx.auth`.
+  Establishes the `"users"` sync channel. Use `jwtCookieAuth()` in the standalone sync Worker to populate `ctx.auth` and `ctx.identity` for all sync handlers.
+* **`jwtCookieAuth(options?)`** from `@sveltebase/auth/sync`
+  Verifies the `sf_session` cookie using `platform.env.JWT_SECRET` during the sync Worker websocket handshake.
 
 ---
 

package/dist/server/index.d.ts

@@ -2,8 +2,10 @@ import { type SyncContext } from "@sveltebase/sync";
 export interface SyncAuthConfig<User = any> {
     /**
      * Secret key used to verify the JWT tokens.
+     * Optional when the sync Worker uses jwtCookieAuth(), because ctx.auth.user
+     * is already verified during the websocket handshake.
      */
-    jwtSecret: string;
+    jwtSecret?: string;
     /**
      * Name of the session cookie.
      * @default "sf_session"
@@ -24,5 +26,5 @@ export interface SyncAuthConfig<User = any> {
  * Creates a Svelteflare Sync handler for WebSocket-based session validation.
  * Registers the read-only "users" channel.
  */
-export declare function createAuthSync<User = any>(config: SyncAuthConfig<User>): import("@sveltebase/sync").SyncHandler<User>;
+export declare function createAuthSync<User = any>(config: SyncAuthConfig<User>): import("@sveltebase/sync").SyncHandler<User, any>;
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGhE,MAAM,WAAW,cAAc,CAAC,IAAI,GAAG,GAAG;IACxC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE;;OAEG;IACH,QAAQ,CAAC,EAAE,CACT,MAAM,EAAE,IAAI,SAAS;QAAE,EAAE,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,EAAE,GAAG,MAAM,EACnD,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,EACtB,GAAG,EAAE,WAAW,KACb,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,gDA0EtE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGhE,MAAM,WAAW,cAAc,CAAC,IAAI,GAAG,GAAG;IACxC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE;;OAEG;IACH,QAAQ,CAAC,EAAE,CACT,MAAM,EAAE,IAAI,SAAS;QAAE,EAAE,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,EAAE,GAAG,MAAM,EACnD,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,EACtB,GAAG,EAAE,WAAW,KACb,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,qDAuGtE"}

package/dist/server/index.js

@@ -10,6 +10,19 @@ export function createAuthSync(config) {
         channel: "users",
         // Runs automatically when the client queries/subscribes to the "users" channel
         authorize: async (ctx) => {
+            const authenticatedUser = ctx.auth?.user;
+            if (authenticatedUser) {
+                if (config.verifyUser) {
+                    const isValid = await config.verifyUser(authenticatedUser, ctx);
+                    if (!isValid) {
+                        throw new Error("Unauthorized: User no longer exists");
+                    }
+                }
+                return;
+            }
+            if (!config.jwtSecret) {
+                throw new Error("Unauthorized: No verified sync auth found");
+            }
             const user = getUserFromRequest(ctx.request, cookieName);
             if (!user) {
                 throw new Error("Unauthorized: No session cookie found");
@@ -32,6 +45,9 @@ export function createAuthSync(config) {
         },
         // Returns the current session user so the client knows it is successfully authorized
         fetch: async (ctx) => {
+            const authenticatedUser = ctx.auth?.user;
+            if (authenticatedUser)
+                return [authenticatedUser];
             const user = getUserFromRequest(ctx.request, cookieName);
             return user ? [user] : [];
         },
@@ -40,7 +56,10 @@ export function createAuthSync(config) {
         },
         update: async (ctx, key, changes) => {
             // Verify token authenticity before allowing writes
-            const user = await getVerifiedUserFromRequest(ctx.request, config.jwtSecret, cookieName);
+            const user = ctx.auth?.user ??
+                (config.jwtSecret
+                    ? await getVerifiedUserFromRequest(ctx.request, config.jwtSecret, cookieName)
+                    : null);
             if (!user) {
                 throw new Error("Unauthorized: Invalid session");
             }

package/dist/sync/index.d.ts

@@ -0,0 +1,14 @@
+import type { SyncPlatform } from "@sveltebase/sync";
+export declare function jwtCookieAuth<User extends {
+    id: any;
+}>(options?: {
+    secretBinding?: string;
+    cookieName?: string;
+    identity?: (user: User) => string | number | bigint | null | undefined;
+}): ((request: Request, platform: SyncPlatform) => Promise<{
+    user: import("../index.js").SessionUser<User>;
+    identity: string | null;
+} | null>) & {
+    allowUnauthenticated: boolean;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/sync/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sync/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAErD,wBAAgB,aAAa,CAAC,IAAI,SAAS;IAAE,EAAE,EAAE,GAAG,CAAA;CAAE,EAAE,OAAO,CAAC,EAAE;IAChE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CACxE,cACkC,OAAO,YAAY,YAAY;;;;;EA0BjE"}

package/dist/sync/index.js

@@ -0,0 +1,21 @@
+import { getVerifiedUserFromRequest } from "../index.js";
+export function jwtCookieAuth(options) {
+    const resolver = async (request, platform) => {
+        const secretBinding = options?.secretBinding ?? "JWT_SECRET";
+        const secret = platform.env[secretBinding];
+        if (!secret) {
+            throw new Error(`Missing ${secretBinding} binding for sync auth`);
+        }
+        const user = await getVerifiedUserFromRequest(request, String(secret), options?.cookieName);
+        if (!user)
+            return null;
+        const identityValue = options?.identity
+            ? options.identity(user)
+            : user.id;
+        const identity = identityValue == null ? null : String(identityValue);
+        return { user, identity };
+    };
+    return Object.assign(resolver, {
+        allowUnauthenticated: false,
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltebase/auth",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -25,6 +25,10 @@
       "types": "./dist/server/index.d.ts",
       "default": "./dist/server/index.js"
     },
+    "./sync": {
+      "types": "./dist/sync/index.d.ts",
+      "default": "./dist/sync/index.js"
+    },
     "./google": {
       "types": "./dist/google/index.d.ts",
       "svelte": "./dist/google/index.js",