@twin.org/api-auth-entity-storage-service 0.0.1-next.3 → 0.0.1-next.31

package/dist/cjs/index.cjs

@@ -71,13 +71,12 @@ class TokenHelper {
      * @returns The new token and its expiry date.
      */
     static async createToken(vaultConnector, signingKeyName, subject, ttlMinutes) {
-        // Verify was a success so we can now generate a new token.
         const nowSeconds = Math.trunc(Date.now() / 1000);
         const ttlSeconds = ttlMinutes * 60;
-        const jwt = await web.Jwt.encodeWithSigner({ alg: web.JwtAlgorithms.EdDSA }, {
+        const jwt = await web.Jwt.encodeWithSigner({ alg: "EdDSA" }, {
             sub: subject,
             exp: nowSeconds + ttlSeconds
-        }, async (alg, key, payload) => vaultConnector.sign(signingKeyName, payload));
+        }, async (header, payload) => vaultModels.VaultConnectorHelper.jwtSigner(vaultConnector, signingKeyName, header, payload));
         return {
             token: jwt,
             expiry: (nowSeconds + ttlSeconds) * 1000
@@ -95,14 +94,10 @@ class TokenHelper {
         if (!core.Is.stringValue(token)) {
             throw new core.UnauthorizedError(this._CLASS_NAME, "missing");
         }
-        const decoded = await web.Jwt.verifyWithVerifier(token, async (alg, key, payload, signature) => vaultConnector.verify(signingKeyName, payload, signature));
-        // If the signature validation failed or some of the header/payload data
-        // is not properly populated then it is unauthorized.
-        if (!decoded.verified ||
-            !core.Is.object(decoded.header) ||
-            !core.Is.object(decoded.payload) ||
-            !core.Is.stringValue(decoded.payload.sub)) {
-            throw new core.UnauthorizedError(this._CLASS_NAME, "invalidToken");
+        const decoded = await web.Jwt.verifyWithVerifier(token, async (t) => vaultModels.VaultConnectorHelper.jwtVerifier(vaultConnector, signingKeyName, t));
+        // If some of the header/payload data is not properly populated then it is unauthorized.
+        if (!core.Is.stringValue(decoded.payload.sub)) {
+            throw new core.UnauthorizedError(this._CLASS_NAME, "payloadMissingSubject");
         }
         else if (!core.Is.empty(decoded.payload?.exp) &&
             decoded.payload.exp < Math.trunc(Date.now() / 1000)) {
@@ -120,12 +115,13 @@ class TokenHelper {
      * @returns The token if found.
      */
     static extractTokenFromHeaders(headers, cookieName) {
-        const cookiesHeader = headers?.cookie;
-        let token;
-        let location;
-        if (core.Is.string(headers?.authorization) && headers.authorization.startsWith("Bearer ")) {
-            token = headers.authorization.slice(7).trim();
-            location = "authorization";
+        const authHeader = headers?.[web.HeaderTypes.Authorization];
+        const cookiesHeader = headers?.[web.HeaderTypes.Cookie];
+        if (core.Is.string(authHeader) && authHeader.startsWith("Bearer ")) {
+            return {
+                token: authHeader.slice(7).trim(),
+                location: "authorization"
+            };
         }
         else if (core.Is.notEmpty(cookiesHeader) && core.Is.stringValue(cookieName)) {
             const cookies = core.Is.arrayValue(cookiesHeader) ? cookiesHeader : [cookiesHeader];
@@ -136,17 +132,14 @@ class TokenHelper {
                         .map(c => c.trim())
                         .find(c => c.startsWith(cookieName));
                     if (core.Is.stringValue(accessTokenCookie)) {
-                        token = accessTokenCookie.slice(cookieName.length + 1).trim();
-                        location = "cookie";
-                        break;
+                        return {
+                            token: accessTokenCookie.slice(cookieName.length + 1).trim(),
+                            location: "cookie"
+                        };
                     }
                 }
             }
         }
-        return {
-            token,
-            location
-        };
     }
 }
 
@@ -156,6 +149,10 @@ class TokenHelper {
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
  */
 class AuthHeaderProcessor {
+    /**
+     * The namespace supported by the processor.
+     */
+    static NAMESPACE = "auth-header";
     /**
      * The default name for the access token as a cookie.
      * @internal
@@ -188,8 +185,6 @@ class AuthHeaderProcessor {
     /**
      * Create a new instance of AuthCookiePreProcessor.
      * @param options Options for the processor.
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the processor.
      */
     constructor(options) {
         this._vaultConnector = vaultModels.VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
@@ -218,10 +213,10 @@ class AuthHeaderProcessor {
         if (!core.Is.empty(route) && !(route.skipAuth ?? false)) {
             try {
                 const tokenAndLocation = TokenHelper.extractTokenFromHeaders(request.headers, this._cookieName);
-                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, tokenAndLocation.token);
+                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, tokenAndLocation?.token);
                 requestIdentity.userIdentity = headerAndPayload.payload?.sub;
-                processorState.authToken = tokenAndLocation.token;
-                processorState.authTokenLocation = tokenAndLocation.location;
+                processorState.authToken = tokenAndLocation?.token;
+                processorState.authTokenLocation = tokenAndLocation?.location;
             }
             catch (err) {
                 const error = core.BaseError.fromError(err);
@@ -246,13 +241,13 @@ class AuthHeaderProcessor {
             if ((responseAuthOperation === "login" || responseAuthOperation === "refresh") &&
                 core.Is.stringValue(response.body?.token)) {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[web.HeaderTypes.SetCookie] =
                     `${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;
                 delete response.body.token;
             }
             else if (responseAuthOperation === "logout") {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[web.HeaderTypes.SetCookie] =
                     `${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;
             }
         }
@@ -504,6 +499,10 @@ class PasswordHelper {
  * Implementation of the authentication component using entity storage.
  */
 class EntityStorageAuthenticationService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-entity-storage";
     /**
      * Default TTL in minutes.
      * @internal
@@ -541,9 +540,6 @@ class EntityStorageAuthenticationService {
     /**
      * Create a new instance of EntityStorageAuthentication.
      * @param options The dependencies for the identity connector.
-     * @param options.userEntityStorageType The entity storage for the users, defaults to "authentication-user".
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the authentication.
      */
     constructor(options) {
         this._userEntityStorage = entityStorageModels.EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");

package/dist/esm/index.mjs

@@ -1,8 +1,8 @@
 import { property, entity, EntitySchemaFactory, EntitySchemaHelper } from '@twin.org/entity';
 import { HttpErrorHelper } from '@twin.org/api-models';
 import { Is, UnauthorizedError, Guards, BaseError, ComponentFactory, Converter, GeneralError } from '@twin.org/core';
-import { VaultConnectorFactory } from '@twin.org/vault-models';
-import { Jwt, JwtAlgorithms, HttpStatusCode } from '@twin.org/web';
+import { VaultConnectorHelper, VaultConnectorFactory } from '@twin.org/vault-models';
+import { Jwt, HeaderTypes, HttpStatusCode } from '@twin.org/web';
 import { EntityStorageConnectorFactory } from '@twin.org/entity-storage-models';
 import { Blake2b } from '@twin.org/crypto';
 
@@ -69,13 +69,12 @@ class TokenHelper {
      * @returns The new token and its expiry date.
      */
     static async createToken(vaultConnector, signingKeyName, subject, ttlMinutes) {
-        // Verify was a success so we can now generate a new token.
         const nowSeconds = Math.trunc(Date.now() / 1000);
         const ttlSeconds = ttlMinutes * 60;
-        const jwt = await Jwt.encodeWithSigner({ alg: JwtAlgorithms.EdDSA }, {
+        const jwt = await Jwt.encodeWithSigner({ alg: "EdDSA" }, {
             sub: subject,
             exp: nowSeconds + ttlSeconds
-        }, async (alg, key, payload) => vaultConnector.sign(signingKeyName, payload));
+        }, async (header, payload) => VaultConnectorHelper.jwtSigner(vaultConnector, signingKeyName, header, payload));
         return {
             token: jwt,
             expiry: (nowSeconds + ttlSeconds) * 1000
@@ -93,14 +92,10 @@ class TokenHelper {
         if (!Is.stringValue(token)) {
             throw new UnauthorizedError(this._CLASS_NAME, "missing");
         }
-        const decoded = await Jwt.verifyWithVerifier(token, async (alg, key, payload, signature) => vaultConnector.verify(signingKeyName, payload, signature));
-        // If the signature validation failed or some of the header/payload data
-        // is not properly populated then it is unauthorized.
-        if (!decoded.verified ||
-            !Is.object(decoded.header) ||
-            !Is.object(decoded.payload) ||
-            !Is.stringValue(decoded.payload.sub)) {
-            throw new UnauthorizedError(this._CLASS_NAME, "invalidToken");
+        const decoded = await Jwt.verifyWithVerifier(token, async (t) => VaultConnectorHelper.jwtVerifier(vaultConnector, signingKeyName, t));
+        // If some of the header/payload data is not properly populated then it is unauthorized.
+        if (!Is.stringValue(decoded.payload.sub)) {
+            throw new UnauthorizedError(this._CLASS_NAME, "payloadMissingSubject");
         }
         else if (!Is.empty(decoded.payload?.exp) &&
             decoded.payload.exp < Math.trunc(Date.now() / 1000)) {
@@ -118,12 +113,13 @@ class TokenHelper {
      * @returns The token if found.
      */
     static extractTokenFromHeaders(headers, cookieName) {
-        const cookiesHeader = headers?.cookie;
-        let token;
-        let location;
-        if (Is.string(headers?.authorization) && headers.authorization.startsWith("Bearer ")) {
-            token = headers.authorization.slice(7).trim();
-            location = "authorization";
+        const authHeader = headers?.[HeaderTypes.Authorization];
+        const cookiesHeader = headers?.[HeaderTypes.Cookie];
+        if (Is.string(authHeader) && authHeader.startsWith("Bearer ")) {
+            return {
+                token: authHeader.slice(7).trim(),
+                location: "authorization"
+            };
         }
         else if (Is.notEmpty(cookiesHeader) && Is.stringValue(cookieName)) {
             const cookies = Is.arrayValue(cookiesHeader) ? cookiesHeader : [cookiesHeader];
@@ -134,17 +130,14 @@ class TokenHelper {
                         .map(c => c.trim())
                         .find(c => c.startsWith(cookieName));
                     if (Is.stringValue(accessTokenCookie)) {
-                        token = accessTokenCookie.slice(cookieName.length + 1).trim();
-                        location = "cookie";
-                        break;
+                        return {
+                            token: accessTokenCookie.slice(cookieName.length + 1).trim(),
+                            location: "cookie"
+                        };
                     }
                 }
             }
         }
-        return {
-            token,
-            location
-        };
     }
 }
 
@@ -154,6 +147,10 @@ class TokenHelper {
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
  */
 class AuthHeaderProcessor {
+    /**
+     * The namespace supported by the processor.
+     */
+    static NAMESPACE = "auth-header";
     /**
      * The default name for the access token as a cookie.
      * @internal
@@ -186,8 +183,6 @@ class AuthHeaderProcessor {
     /**
      * Create a new instance of AuthCookiePreProcessor.
      * @param options Options for the processor.
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the processor.
      */
     constructor(options) {
         this._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
@@ -216,10 +211,10 @@ class AuthHeaderProcessor {
         if (!Is.empty(route) && !(route.skipAuth ?? false)) {
             try {
                 const tokenAndLocation = TokenHelper.extractTokenFromHeaders(request.headers, this._cookieName);
-                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, tokenAndLocation.token);
+                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeIdentity}/${this._signingKeyName}`, tokenAndLocation?.token);
                 requestIdentity.userIdentity = headerAndPayload.payload?.sub;
-                processorState.authToken = tokenAndLocation.token;
-                processorState.authTokenLocation = tokenAndLocation.location;
+                processorState.authToken = tokenAndLocation?.token;
+                processorState.authTokenLocation = tokenAndLocation?.location;
             }
             catch (err) {
                 const error = BaseError.fromError(err);
@@ -244,13 +239,13 @@ class AuthHeaderProcessor {
             if ((responseAuthOperation === "login" || responseAuthOperation === "refresh") &&
                 Is.stringValue(response.body?.token)) {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[HeaderTypes.SetCookie] =
                     `${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;
                 delete response.body.token;
             }
             else if (responseAuthOperation === "logout") {
                 response.headers ??= {};
-                response.headers["Set-Cookie"] =
+                response.headers[HeaderTypes.SetCookie] =
                     `${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;
             }
         }
@@ -502,6 +497,10 @@ class PasswordHelper {
  * Implementation of the authentication component using entity storage.
  */
 class EntityStorageAuthenticationService {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static NAMESPACE = "authentication-entity-storage";
     /**
      * Default TTL in minutes.
      * @internal
@@ -539,9 +538,6 @@ class EntityStorageAuthenticationService {
     /**
      * Create a new instance of EntityStorageAuthentication.
      * @param options The dependencies for the identity connector.
-     * @param options.userEntityStorageType The entity storage for the users, defaults to "authentication-user".
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the authentication.
      */
     constructor(options) {
         this._userEntityStorage = EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");

package/dist/types/index.d.ts

@@ -1,6 +1,8 @@
 export * from "./entities/authenticationUser";
 export * from "./models/IAuthHeaderProcessorConfig";
+export * from "./models/IAuthHeaderProcessorConstructorOptions";
 export * from "./models/IEntityStorageAuthenticationServiceConfig";
+export * from "./models/IEntityStorageAuthenticationServiceConstructorOptions";
 export * from "./processors/authHeaderProcessor";
 export * from "./restEntryPoints";
 export * from "./routes/entityStorageAuthenticationRoutes";

package/dist/types/models/IAuthHeaderProcessorConstructorOptions.d.ts

@@ -0,0 +1,15 @@
+import type { IAuthHeaderProcessorConfig } from "./IAuthHeaderProcessorConfig";
+/**
+ * Options for the AuthHeaderProcessor constructor.
+ */
+export interface IAuthHeaderProcessorConstructorOptions {
+    /**
+     * The vault for the private keys.
+     * @default vault
+     */
+    vaultConnectorType?: string;
+    /**
+     * The configuration for the processor.
+     */
+    config?: IAuthHeaderProcessorConfig;
+}

package/dist/types/models/IEntityStorageAuthenticationServiceConstructorOptions.d.ts

@@ -0,0 +1,20 @@
+import type { IEntityStorageAuthenticationServiceConfig } from "./IEntityStorageAuthenticationServiceConfig";
+/**
+ * Options for the EntityStorageAuthenticationService constructor.
+ */
+export interface IEntityStorageAuthenticationServiceConstructorOptions {
+    /**
+     * The entity storage for the users.
+     * @default authentication-user
+     */
+    userEntityStorageType?: string;
+    /**
+     * The vault for the private keys.
+     * @default vault
+     */
+    vaultConnectorType?: string;
+    /**
+     * The configuration for the authentication.
+     */
+    config?: IEntityStorageAuthenticationServiceConfig;
+}

package/dist/types/processors/authHeaderProcessor.d.ts

@@ -1,9 +1,13 @@
-import { type IHttpRequestIdentity, type IHttpResponse, type IHttpRestRouteProcessor, type IHttpServerRequest, type IRestRoute } from "@twin.org/api-models";
-import type { IAuthHeaderProcessorConfig } from "../models/IAuthHeaderProcessorConfig";
+import { type IBaseRoute, type IBaseRouteProcessor, type IHttpRequestIdentity, type IHttpResponse, type IHttpServerRequest } from "@twin.org/api-models";
+import type { IAuthHeaderProcessorConstructorOptions } from "../models/IAuthHeaderProcessorConstructorOptions";
 /**
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
  */
-export declare class AuthHeaderProcessor implements IHttpRestRouteProcessor {
+export declare class AuthHeaderProcessor implements IBaseRouteProcessor {
+    /**
+     * The namespace supported by the processor.
+     */
+    static readonly NAMESPACE: string;
     /**
      * Runtime name for the class.
      */
@@ -11,13 +15,8 @@ export declare class AuthHeaderProcessor implements IHttpRestRouteProcessor {
     /**
      * Create a new instance of AuthCookiePreProcessor.
      * @param options Options for the processor.
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the processor.
      */
-    constructor(options?: {
-        vaultConnectorType?: string;
-        config?: IAuthHeaderProcessorConfig;
-    });
+    constructor(options?: IAuthHeaderProcessorConstructorOptions);
     /**
      * The service needs to be started when the application is initialized.
      * @param nodeIdentity The identity of the node.
@@ -33,7 +32,7 @@ export declare class AuthHeaderProcessor implements IHttpRestRouteProcessor {
      * @param requestIdentity The identity context for the request.
      * @param processorState The state handed through the processors.
      */
-    pre(request: IHttpServerRequest, response: IHttpResponse, route: IRestRoute | undefined, requestIdentity: IHttpRequestIdentity, processorState: {
+    pre(request: IHttpServerRequest, response: IHttpResponse, route: IBaseRoute | undefined, requestIdentity: IHttpRequestIdentity, processorState: {
         [id: string]: unknown;
     }): Promise<void>;
     /**
@@ -44,7 +43,7 @@ export declare class AuthHeaderProcessor implements IHttpRestRouteProcessor {
      * @param requestIdentity The identity context for the request.
      * @param processorState The state handed through the processors.
      */
-    post(request: IHttpServerRequest, response: IHttpResponse, route: IRestRoute | undefined, requestIdentity: IHttpRequestIdentity, processorState: {
+    post(request: IHttpServerRequest, response: IHttpResponse, route: IBaseRoute | undefined, requestIdentity: IHttpRequestIdentity, processorState: {
         [id: string]: unknown;
     }): Promise<void>;
 }

package/dist/types/services/entityStorageAuthenticationService.d.ts

@@ -1,9 +1,13 @@
 import type { IAuthenticationComponent } from "@twin.org/api-auth-entity-storage-models";
-import type { IEntityStorageAuthenticationServiceConfig } from "../models/IEntityStorageAuthenticationServiceConfig";
+import type { IEntityStorageAuthenticationServiceConstructorOptions } from "../models/IEntityStorageAuthenticationServiceConstructorOptions";
 /**
  * Implementation of the authentication component using entity storage.
  */
 export declare class EntityStorageAuthenticationService implements IAuthenticationComponent {
+    /**
+     * The namespace supported by the authentication service.
+     */
+    static readonly NAMESPACE: string;
     /**
      * Runtime name for the class.
      */
@@ -11,15 +15,8 @@ export declare class EntityStorageAuthenticationService implements IAuthenticati
     /**
      * Create a new instance of EntityStorageAuthentication.
      * @param options The dependencies for the identity connector.
-     * @param options.userEntityStorageType The entity storage for the users, defaults to "authentication-user".
-     * @param options.vaultConnectorType The vault for the private keys, defaults to "vault".
-     * @param options.config The configuration for the authentication.
      */
-    constructor(options?: {
-        userEntityStorageType?: string;
-        vaultConnectorType?: string;
-        config?: IEntityStorageAuthenticationServiceConfig;
-    });
+    constructor(options?: IEntityStorageAuthenticationServiceConstructorOptions);
     /**
      * The service needs to be started when the application is initialized.
      * @param nodeIdentity The identity of the node.

package/dist/types/utils/tokenHelper.d.ts

@@ -1,4 +1,4 @@
-import type { IVaultConnector } from "@twin.org/vault-models";
+import { type IVaultConnector } from "@twin.org/vault-models";
 import { type IHttpHeaders, type IJwtHeader, type IJwtPayload } from "@twin.org/web";
 /**
  * Helper class for token operations.
@@ -35,7 +35,7 @@ export declare class TokenHelper {
      * @returns The token if found.
      */
     static extractTokenFromHeaders(headers?: IHttpHeaders, cookieName?: string): {
-        token: string | undefined;
-        location: "authorization" | "cookie" | undefined;
-    };
+        token: string;
+        location: "authorization" | "cookie";
+    } | undefined;
 }

package/docs/changelog.md

@@ -1,5 +1,5 @@
 # @twin.org/api-auth-entity-storage-service - Changelog
 
-## v0.0.1-next.3
+## v0.0.1-next.31
 
 - Initial Release

package/docs/reference/classes/AuthHeaderProcessor.md

@@ -4,7 +4,7 @@ Handle a JWT token in the authorization header or cookies and validate it to pop
 
 ## Implements
 
-- `IHttpRestRouteProcessor`
+- `IBaseRouteProcessor`
 
 ## Constructors
 
@@ -16,23 +16,25 @@ Create a new instance of AuthCookiePreProcessor.
 
 #### Parameters
 
-• **options?**
+##### options?
+
+[`IAuthHeaderProcessorConstructorOptions`](../interfaces/IAuthHeaderProcessorConstructorOptions.md)
 
 Options for the processor.
 
-• **options.vaultConnectorType?**: `string`
+#### Returns
 
-The vault for the private keys, defaults to "vault".
+[`AuthHeaderProcessor`](AuthHeaderProcessor.md)
 
-• **options.config?**: [`IAuthHeaderProcessorConfig`](../interfaces/IAuthHeaderProcessorConfig.md)
+## Properties
 
-The configuration for the processor.
+### NAMESPACE
 
-#### Returns
+> `readonly` `static` **NAMESPACE**: `string` = `"auth-header"`
 
-[`AuthHeaderProcessor`](AuthHeaderProcessor.md)
+The namespace supported by the processor.
 
-## Properties
+***
 
 ### CLASS\_NAME
 
@@ -42,7 +44,7 @@ Runtime name for the class.
 
 #### Implementation of
 
-`IHttpRestRouteProcessor.CLASS_NAME`
+`IBaseRouteProcessor.CLASS_NAME`
 
 ## Methods
 
@@ -54,11 +56,15 @@ The service needs to be started when the application is initialized.
 
 #### Parameters
 
-• **nodeIdentity**: `string`
+##### nodeIdentity
+
+`string`
 
 The identity of the node.
 
-• **nodeLoggingConnectorType?**: `string`
+##### nodeLoggingConnectorType?
+
+`string`
 
 The node logging connector type, defaults to "node-logging".
 
@@ -70,7 +76,7 @@ Nothing.
 
 #### Implementation of
 
-`IHttpRestRouteProcessor.start`
+`IBaseRouteProcessor.start`
 
 ***
 
@@ -82,23 +88,31 @@ Pre process the REST request for the specified route.
 
 #### Parameters
 
-• **request**: `IHttpServerRequest`\<`any`\>
+##### request
+
+`IHttpServerRequest`
 
 The incoming request.
 
-• **response**: `IHttpResponse`\<`any`\>
+##### response
+
+`IHttpResponse`
 
 The outgoing response.
 
-• **route**: `undefined` \| `IRestRoute`\<`any`, `any`\>
+##### route
 
 The route to process.
 
-• **requestIdentity**: `IHttpRequestIdentity`
+`undefined` | `IBaseRoute`
+
+##### requestIdentity
+
+`IHttpRequestIdentity`
 
 The identity context for the request.
 
-• **processorState**
+##### processorState
 
 The state handed through the processors.
 
@@ -108,7 +122,7 @@ The state handed through the processors.
 
 #### Implementation of
 
-`IHttpRestRouteProcessor.pre`
+`IBaseRouteProcessor.pre`
 
 ***
 
@@ -120,23 +134,31 @@ Post process the REST request for the specified route.
 
 #### Parameters
 
-• **request**: `IHttpServerRequest`\<`any`\>
+##### request
+
+`IHttpServerRequest`
 
 The incoming request.
 
-• **response**: `IHttpResponse`\<`any`\>
+##### response
+
+`IHttpResponse`
 
 The outgoing response.
 
-• **route**: `undefined` \| `IRestRoute`\<`any`, `any`\>
+##### route
 
 The route to process.
 
-• **requestIdentity**: `IHttpRequestIdentity`
+`undefined` | `IBaseRoute`
+
+##### requestIdentity
+
+`IHttpRequestIdentity`
 
 The identity context for the request.
 
-• **processorState**
+##### processorState
 
 The state handed through the processors.
 
@@ -146,4 +168,4 @@ The state handed through the processors.
 
 #### Implementation of
 
-`IHttpRestRouteProcessor.post`
+`IBaseRouteProcessor.post`

package/docs/reference/classes/EntityStorageAuthenticationService.md

@@ -16,27 +16,25 @@ Create a new instance of EntityStorageAuthentication.
 
 #### Parameters
 
-• **options?**
+##### options?
 
-The dependencies for the identity connector.
-
-• **options.userEntityStorageType?**: `string`
+[`IEntityStorageAuthenticationServiceConstructorOptions`](../interfaces/IEntityStorageAuthenticationServiceConstructorOptions.md)
 
-The entity storage for the users, defaults to "authentication-user".
+The dependencies for the identity connector.
 
-• **options.vaultConnectorType?**: `string`
+#### Returns
 
-The vault for the private keys, defaults to "vault".
+[`EntityStorageAuthenticationService`](EntityStorageAuthenticationService.md)
 
-• **options.config?**: [`IEntityStorageAuthenticationServiceConfig`](../interfaces/IEntityStorageAuthenticationServiceConfig.md)
+## Properties
 
-The configuration for the authentication.
+### NAMESPACE
 
-#### Returns
+> `readonly` `static` **NAMESPACE**: `string` = `"authentication-entity-storage"`
 
-[`EntityStorageAuthenticationService`](EntityStorageAuthenticationService.md)
+The namespace supported by the authentication service.
 
-## Properties
+***
 
 ### CLASS\_NAME
 
@@ -58,11 +56,15 @@ The service needs to be started when the application is initialized.
 
 #### Parameters
 
-• **nodeIdentity**: `string`
+##### nodeIdentity
+
+`string`
 
 The identity of the node.
 
-• **nodeLoggingConnectorType?**: `string`
+##### nodeLoggingConnectorType?
+
+`string`
 
 The node logging connector type, defaults to "node-logging".
 
@@ -80,34 +82,30 @@ Nothing.
 
 ### login()
 
-> **login**(`email`, `password`): `Promise`\<`object`\>
+> **login**(`email`, `password`): `Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 Perform a login for the user.
 
 #### Parameters
 
-• **email**: `string`
+##### email
+
+`string`
 
 The email address for the user.
 
-• **password**: `string`
+##### password
+
+`string`
 
 The password for the user.
 
 #### Returns
 
-`Promise`\<`object`\>
+`Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 The authentication token for the user, if it uses a mechanism with public access.
 
-##### token?
-
-> `optional` **token**: `string`
-
-##### expiry
-
-> **expiry**: `number`
-
 #### Implementation of
 
 `IAuthenticationComponent.login`
@@ -122,7 +120,9 @@ Logout the current user.
 
 #### Parameters
 
-• **token?**: `string`
+##### token?
+
+`string`
 
 The token to logout, if it uses a mechanism with public access.
 
@@ -140,30 +140,24 @@ Nothing.
 
 ### refresh()
 
-> **refresh**(`token`?): `Promise`\<`object`\>
+> **refresh**(`token`?): `Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 Refresh the token.
 
 #### Parameters
 
-• **token?**: `string`
+##### token?
+
+`string`
 
 The token to refresh, if it uses a mechanism with public access.
 
 #### Returns
 
-`Promise`\<`object`\>
+`Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 The refreshed token, if it uses a mechanism with public access.
 
-##### token
-
-> **token**: `string`
-
-##### expiry
-
-> **expiry**: `number`
-
 #### Implementation of
 
 `IAuthenticationComponent.refresh`

package/docs/reference/classes/PasswordHelper.md

@@ -22,11 +22,15 @@ Hash the password for the user.
 
 #### Parameters
 
-• **passwordBytes**: `Uint8Array`
+##### passwordBytes
+
+`Uint8Array`
 
 The password bytes.
 
-• **saltBytes**: `Uint8Array`
+##### saltBytes
+
+`Uint8Array`
 
 The salt bytes.
 

package/docs/reference/classes/TokenHelper.md

@@ -16,78 +16,76 @@ Helper class for token operations.
 
 ### createToken()
 
-> `static` **createToken**(`vaultConnector`, `signingKeyName`, `subject`, `ttlMinutes`): `Promise`\<`object`\>
+> `static` **createToken**(`vaultConnector`, `signingKeyName`, `subject`, `ttlMinutes`): `Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 Create a new token.
 
 #### Parameters
 
-• **vaultConnector**: `IVaultConnector`
+##### vaultConnector
+
+`IVaultConnector`
 
 The vault connector.
 
-• **signingKeyName**: `string`
+##### signingKeyName
+
+`string`
 
 The signing key name.
 
-• **subject**: `string`
+##### subject
+
+`string`
 
 The subject for the token.
 
-• **ttlMinutes**: `number`
+##### ttlMinutes
+
+`number`
 
 The time to live for the token in minutes.
 
 #### Returns
 
-`Promise`\<`object`\>
+`Promise`\<\{ `token`: `string`; `expiry`: `number`; \}\>
 
 The new token and its expiry date.
 
-##### token
-
-> **token**: `string`
-
-##### expiry
-
-> **expiry**: `number`
-
 ***
 
 ### verify()
 
-> `static` **verify**(`vaultConnector`, `signingKeyName`, `token`): `Promise`\<`object`\>
+> `static` **verify**(`vaultConnector`, `signingKeyName`, `token`): `Promise`\<\{ `header`: `IJwtHeader`; `payload`: `IJwtPayload`; \}\>
 
 Verify the token.
 
 #### Parameters
 
-• **vaultConnector**: `IVaultConnector`
+##### vaultConnector
+
+`IVaultConnector`
 
 The vault connector.
 
-• **signingKeyName**: `string`
+##### signingKeyName
+
+`string`
 
 The signing key name.
 
-• **token**: `undefined` \| `string`
+##### token
 
 The token to verify.
 
+`undefined` | `string`
+
 #### Returns
 
-`Promise`\<`object`\>
+`Promise`\<\{ `header`: `IJwtHeader`; `payload`: `IJwtPayload`; \}\>
 
 The verified details.
 
-##### header
-
-> **header**: `IJwtHeader`
-
-##### payload
-
-> **payload**: `IJwtPayload`
-
 #### Throws
 
 UnauthorizedError if the token is missing, invalid or expired.
@@ -96,30 +94,26 @@ UnauthorizedError if the token is missing, invalid or expired.
 
 ### extractTokenFromHeaders()
 
-> `static` **extractTokenFromHeaders**(`headers`?, `cookieName`?): `object`
+> `static` **extractTokenFromHeaders**(`headers`?, `cookieName`?): `undefined` \| \{ `token`: `string`; `location`: `"authorization"` \| `"cookie"`; \}
 
 Extract the auth token from the headers, either from the authorization header or the cookie header.
 
 #### Parameters
 
-• **headers?**: `IHttpHeaders`
+##### headers?
+
+`IHttpHeaders`
 
 The headers to extract the token from.
 
-• **cookieName?**: `string`
+##### cookieName?
+
+`string`
 
 The name of the cookie to extract the token from.
 
 #### Returns
 
-`object`
+`undefined` \| \{ `token`: `string`; `location`: `"authorization"` \| `"cookie"`; \}
 
 The token if found.
-
-##### token
-
-> **token**: `undefined` \| `string`
-
-##### location
-
-> **location**: `undefined` \| `"authorization"` \| `"cookie"`

package/docs/reference/functions/authenticationLogin.md

@@ -6,15 +6,21 @@ Login to the server.
 
 ## Parameters
 
-• **httpRequestContext**: `IHttpRequestContext`
+### httpRequestContext
+
+`IHttpRequestContext`
 
 The request context for the API.
 
-• **componentName**: `string`
+### componentName
+
+`string`
 
 The name of the component to use in the routes.
 
-• **request**: `ILoginRequest`
+### request
+
+`ILoginRequest`
 
 The request.
 

package/docs/reference/functions/authenticationLogout.md

@@ -6,15 +6,21 @@ Logout from the server.
 
 ## Parameters
 
-• **httpRequestContext**: `IHttpRequestContext`
+### httpRequestContext
+
+`IHttpRequestContext`
 
 The request context for the API.
 
-• **componentName**: `string`
+### componentName
+
+`string`
 
 The name of the component to use in the routes.
 
-• **request**: `ILogoutRequest`
+### request
+
+`ILogoutRequest`
 
 The request.
 

package/docs/reference/functions/authenticationRefreshToken.md

@@ -6,15 +6,21 @@ Refresh the login token.
 
 ## Parameters
 
-• **httpRequestContext**: `IHttpRequestContext`
+### httpRequestContext
+
+`IHttpRequestContext`
 
 The request context for the API.
 
-• **componentName**: `string`
+### componentName
+
+`string`
 
 The name of the component to use in the routes.
 
-• **request**: `IRefreshTokenRequest`
+### request
+
+`IRefreshTokenRequest`
 
 The request.
 

package/docs/reference/functions/generateRestRoutesAuthentication.md

@@ -1,21 +1,25 @@
 # Function: generateRestRoutesAuthentication()
 
-> **generateRestRoutesAuthentication**(`baseRouteName`, `componentName`): `IRestRoute`[]
+> **generateRestRoutesAuthentication**(`baseRouteName`, `componentName`): `IRestRoute`\<`any`, `any`\>[]
 
 The REST routes for authentication.
 
 ## Parameters
 
-• **baseRouteName**: `string`
+### baseRouteName
+
+`string`
 
 Prefix to prepend to the paths.
 
-• **componentName**: `string`
+### componentName
+
+`string`
 
 The name of the component to use in the routes stored in the ComponentFactory.
 
 ## Returns
 
-`IRestRoute`[]
+`IRestRoute`\<`any`, `any`\>[]
 
 The generated routes.

package/docs/reference/index.md

@@ -11,7 +11,9 @@
 ## Interfaces
 
 - [IAuthHeaderProcessorConfig](interfaces/IAuthHeaderProcessorConfig.md)
+- [IAuthHeaderProcessorConstructorOptions](interfaces/IAuthHeaderProcessorConstructorOptions.md)
 - [IEntityStorageAuthenticationServiceConfig](interfaces/IEntityStorageAuthenticationServiceConfig.md)
+- [IEntityStorageAuthenticationServiceConstructorOptions](interfaces/IEntityStorageAuthenticationServiceConstructorOptions.md)
 
 ## Variables
 

package/docs/reference/interfaces/IAuthHeaderProcessorConstructorOptions.md

@@ -0,0 +1,25 @@
+# Interface: IAuthHeaderProcessorConstructorOptions
+
+Options for the AuthHeaderProcessor constructor.
+
+## Properties
+
+### vaultConnectorType?
+
+> `optional` **vaultConnectorType**: `string`
+
+The vault for the private keys.
+
+#### Default
+
+```ts
+vault
+```
+
+***
+
+### config?
+
+> `optional` **config**: [`IAuthHeaderProcessorConfig`](IAuthHeaderProcessorConfig.md)
+
+The configuration for the processor.

package/docs/reference/interfaces/IEntityStorageAuthenticationServiceConstructorOptions.md

@@ -0,0 +1,39 @@
+# Interface: IEntityStorageAuthenticationServiceConstructorOptions
+
+Options for the EntityStorageAuthenticationService constructor.
+
+## Properties
+
+### userEntityStorageType?
+
+> `optional` **userEntityStorageType**: `string`
+
+The entity storage for the users.
+
+#### Default
+
+```ts
+authentication-user
+```
+
+***
+
+### vaultConnectorType?
+
+> `optional` **vaultConnectorType**: `string`
+
+The vault for the private keys.
+
+#### Default
+
+```ts
+vault
+```
+
+***
+
+### config?
+
+> `optional` **config**: [`IEntityStorageAuthenticationServiceConfig`](IEntityStorageAuthenticationServiceConfig.md)
+
+The configuration for the authentication.

package/locales/en.json

@@ -11,7 +11,7 @@
 		},
 		"tokenHelper": {
 			"missing": "The JSON Web token could not be found in the authorization header",
-			"invalid": "The JSON Web token signature could not be validated",
+			"payloadMissingSubject": "The JSON Web token payload does not contain a subject",
 			"expired": "The JSON Web token has expired"
 		}
 	}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@twin.org/api-auth-entity-storage-service",
-	"version": "0.0.1-next.3",
+	"version": "0.0.1-next.31",
 	"description": "Auth Entity Storage contract implementation and REST endpoint definitions",
 	"repository": {
 		"type": "git",
@@ -13,23 +13,10 @@
 	"engines": {
 		"node": ">=20.0.0"
 	},
-	"scripts": {
-		"clean": "rimraf dist coverage",
-		"build": "tspc",
-		"test": "vitest --run --config ./vitest.config.ts --no-cache",
-		"coverage": "vitest --run --coverage --config ./vitest.config.ts --no-cache",
-		"bundle:esm": "rollup --config rollup.config.mjs --environment MODULE:esm",
-		"bundle:cjs": "rollup --config rollup.config.mjs --environment MODULE:cjs",
-		"bundle": "npm run bundle:esm && npm run bundle:cjs",
-		"docs:clean": "rimraf docs/reference",
-		"docs:generate": "typedoc",
-		"docs": "npm run docs:clean && npm run docs:generate",
-		"dist": "npm run clean && npm run build && npm run test && npm run bundle && npm run docs"
-	},
 	"dependencies": {
-		"@twin.org/api-auth-entity-storage-models": "0.0.1-next.3",
-		"@twin.org/api-core": "0.0.1-next.3",
-		"@twin.org/api-models": "0.0.1-next.3",
+		"@twin.org/api-auth-entity-storage-models": "0.0.1-next.31",
+		"@twin.org/api-core": "0.0.1-next.31",
+		"@twin.org/api-models": "0.0.1-next.31",
 		"@twin.org/core": "next",
 		"@twin.org/crypto": "next",
 		"@twin.org/entity": "next",
@@ -39,28 +26,14 @@
 		"@twin.org/vault-models": "next",
 		"@twin.org/web": "next"
 	},
-	"devDependencies": {
-		"@twin.org/nameof-transformer": "next",
-		"@vitest/coverage-v8": "2.1.1",
-		"@types/node": "22.5.5",
-		"copyfiles": "2.4.1",
-		"rimraf": "6.0.1",
-		"rollup": "4.21.3",
-		"rollup-plugin-typescript2": "0.36.0",
-		"ts-patch": "3.2.1",
-		"typedoc": "0.26.7",
-		"typedoc-plugin-markdown": "4.2.7",
-		"typescript": "5.6.2",
-		"vitest": "2.1.1"
-	},
 	"main": "./dist/cjs/index.cjs",
 	"module": "./dist/esm/index.mjs",
 	"types": "./dist/types/index.d.ts",
 	"exports": {
 		".": {
+			"types": "./dist/types/index.d.ts",
 			"require": "./dist/cjs/index.cjs",
-			"import": "./dist/esm/index.mjs",
-			"types": "./dist/types/index.d.ts"
+			"import": "./dist/esm/index.mjs"
 		}
 	},
 	"files": [