@ucptools/validator 1.0.0 → 1.1.0

package/dist/auth/config.d.ts

@@ -0,0 +1,20 @@
+import type { AuthConfig } from '@auth/core';
+/**
+ * Auth.js configuration for UCPtools
+ * Supports:
+ * - Email/password authentication
+ * - Google OAuth
+ * - GitHub OAuth
+ */
+export declare function getAuthConfig(): AuthConfig;
+declare module '@auth/core/types' {
+    interface Session {
+        user: {
+            id: string;
+            email: string;
+            name?: string | null;
+            image?: string | null;
+        };
+    }
+}
+//# sourceMappingURL=config.d.ts.map

package/dist/auth/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/auth/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;;;;GAMG;AACH,wBAAgB,aAAa,IAAI,UAAU,CAqG1C;AAGD,OAAO,QAAQ,kBAAkB,CAAC;IAChC,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,EAAE,EAAE,MAAM,CAAC;YACX,KAAK,EAAE,MAAM,CAAC;YACd,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;SACvB,CAAC;KACH;CACF"}

package/dist/auth/config.js

@@ -0,0 +1,114 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuthConfig = getAuthConfig;
+const drizzle_adapter_1 = require("@auth/drizzle-adapter");
+const credentials_1 = __importDefault(require("@auth/core/providers/credentials"));
+const google_1 = __importDefault(require("@auth/core/providers/google"));
+const github_1 = __importDefault(require("@auth/core/providers/github"));
+const bcryptjs_1 = require("bcryptjs");
+const drizzle_orm_1 = require("drizzle-orm");
+const index_js_1 = require("../db/index.js");
+/**
+ * Auth.js configuration for UCPtools
+ * Supports:
+ * - Email/password authentication
+ * - Google OAuth
+ * - GitHub OAuth
+ */
+function getAuthConfig() {
+    const db = (0, index_js_1.getDb)();
+    // Type assertion needed for PostgreSQL compatibility
+    // The DrizzleAdapter works with PostgreSQL at runtime
+    const adapter = (0, drizzle_adapter_1.DrizzleAdapter)(db, {
+        usersTable: index_js_1.users,
+        accountsTable: index_js_1.accounts,
+        sessionsTable: index_js_1.sessions,
+        verificationTokensTable: index_js_1.verificationTokens,
+    });
+    return {
+        adapter,
+        providers: [
+            // Email/Password authentication
+            (0, credentials_1.default)({
+                name: 'credentials',
+                credentials: {
+                    email: { label: 'Email', type: 'email' },
+                    password: { label: 'Password', type: 'password' },
+                },
+                async authorize(credentials) {
+                    if (!credentials?.email || !credentials?.password) {
+                        return null;
+                    }
+                    const email = credentials.email;
+                    const password = credentials.password;
+                    // Find user by email
+                    const user = await db
+                        .select()
+                        .from(index_js_1.users)
+                        .where((0, drizzle_orm_1.eq)(index_js_1.users.email, email))
+                        .limit(1)
+                        .then((rows) => rows[0]);
+                    if (!user || !user.passwordHash) {
+                        return null;
+                    }
+                    // Verify password
+                    const isValidPassword = await (0, bcryptjs_1.compare)(password, user.passwordHash);
+                    if (!isValidPassword) {
+                        return null;
+                    }
+                    return {
+                        id: user.id,
+                        email: user.email,
+                        name: user.name,
+                        image: user.image,
+                    };
+                },
+            }),
+            // Google OAuth
+            (0, google_1.default)({
+                clientId: process.env.GOOGLE_CLIENT_ID || '',
+                clientSecret: process.env.GOOGLE_CLIENT_SECRET || '',
+                allowDangerousEmailAccountLinking: true,
+            }),
+            // GitHub OAuth
+            (0, github_1.default)({
+                clientId: process.env.GITHUB_CLIENT_ID || '',
+                clientSecret: process.env.GITHUB_CLIENT_SECRET || '',
+                allowDangerousEmailAccountLinking: true,
+            }),
+        ],
+        session: {
+            strategy: 'jwt',
+            maxAge: 30 * 24 * 60 * 60, // 30 days
+        },
+        pages: {
+            signIn: '/auth/signin',
+            signOut: '/auth/signout',
+            error: '/auth/error',
+            verifyRequest: '/auth/verify-request',
+        },
+        callbacks: {
+            async jwt({ token, user, account }) {
+                if (user) {
+                    token.id = user.id;
+                }
+                if (account) {
+                    token.provider = account.provider;
+                }
+                return token;
+            },
+            async session({ session, token }) {
+                if (session.user && token.id) {
+                    session.user.id = token.id;
+                }
+                return session;
+            },
+        },
+        trustHost: true,
+        secret: process.env.AUTH_SECRET,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/auth/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/auth/config.ts"],"names":[],"mappings":";;;;;AAgBA,sCAqGC;AArHD,2DAAuD;AAEvD,mFAA2D;AAC3D,yEAAiD;AACjD,yEAAiD;AACjD,uCAAmC;AACnC,6CAAiC;AACjC,6CAAsF;AAEtF;;;;;;GAMG;AACH,SAAgB,aAAa;IAC3B,MAAM,EAAE,GAAG,IAAA,gBAAK,GAAE,CAAC;IAEnB,qDAAqD;IACrD,sDAAsD;IACtD,MAAM,OAAO,GAAG,IAAA,gCAAc,EAAC,EAAS,EAAE;QACxC,UAAU,EAAE,gBAAY;QACxB,aAAa,EAAE,mBAAe;QAC9B,aAAa,EAAE,mBAAe;QAC9B,uBAAuB,EAAE,6BAAyB;KACnD,CAAC,CAAC;IAEH,OAAO;QACL,OAAO;QACP,SAAS,EAAE;YACT,gCAAgC;YAChC,IAAA,qBAAW,EAAC;gBACV,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;oBACxC,QAAQ,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE;iBAClD;gBACD,KAAK,CAAC,SAAS,CAAC,WAAW;oBACzB,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,CAAC;wBAClD,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,MAAM,KAAK,GAAG,WAAW,CAAC,KAAe,CAAC;oBAC1C,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAkB,CAAC;oBAEhD,qBAAqB;oBACrB,MAAM,IAAI,GAAG,MAAM,EAAE;yBAClB,MAAM,EAAE;yBACR,IAAI,CAAC,gBAAK,CAAC;yBACX,KAAK,CAAC,IAAA,gBAAE,EAAC,gBAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;yBAC7B,KAAK,CAAC,CAAC,CAAC;yBACR,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;oBAE3B,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;wBAChC,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,kBAAkB;oBAClB,MAAM,eAAe,GAAG,MAAM,IAAA,kBAAO,EAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;oBACnE,IAAI,CAAC,eAAe,EAAE,CAAC;wBACrB,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,OAAO;wBACL,EAAE,EAAE,IAAI,CAAC,EAAE;wBACX,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,KAAK,EAAE,IAAI,CAAC,KAAK;qBAClB,CAAC;gBACJ,CAAC;aACF,CAAC;YAEF,eAAe;YACf,IAAA,gBAAM,EAAC;gBACL,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE;gBAC5C,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE;gBACpD,iCAAiC,EAAE,IAAI;aACxC,CAAC;YAEF,eAAe;YACf,IAAA,gBAAM,EAAC;gBACL,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE;gBAC5C,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE;gBACpD,iCAAiC,EAAE,IAAI;aACxC,CAAC;SACH;QACD,OAAO,EAAE;YACP,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;SACtC;QACD,KAAK,EAAE;YACL,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,eAAe;YACxB,KAAK,EAAE,aAAa;YACpB,aAAa,EAAE,sBAAsB;SACtC;QACD,SAAS,EAAE;YACT,KAAK,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE;gBAChC,IAAI,IAAI,EAAE,CAAC;oBACT,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;gBACrB,CAAC;gBACD,IAAI,OAAO,EAAE,CAAC;oBACZ,KAAK,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;gBACpC,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;YACD,KAAK,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC9B,IAAI,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,EAAE,CAAC;oBAC7B,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,CAAC,EAAY,CAAC;gBACvC,CAAC;gBACD,OAAO,OAAO,CAAC;YACjB,CAAC;SACF;QACD,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW;KAChC,CAAC;AACJ,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,5 @@
+export { getAuthConfig } from './config.js';
+export { authService, AuthService } from './service.js';
+export type { SignupInput, LoginInput, AuthResult, TokenResult } from './service.js';
+export { requireAuth, optionalAuth, sessionMiddleware, requireTier, rateLimitByTier, csrfProtection, } from './middleware.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACxD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACrF,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,GACf,MAAM,iBAAiB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.csrfProtection = exports.rateLimitByTier = exports.requireTier = exports.sessionMiddleware = exports.optionalAuth = exports.requireAuth = exports.AuthService = exports.authService = exports.getAuthConfig = void 0;
+// Auth module exports
+var config_js_1 = require("./config.js");
+Object.defineProperty(exports, "getAuthConfig", { enumerable: true, get: function () { return config_js_1.getAuthConfig; } });
+var service_js_1 = require("./service.js");
+Object.defineProperty(exports, "authService", { enumerable: true, get: function () { return service_js_1.authService; } });
+Object.defineProperty(exports, "AuthService", { enumerable: true, get: function () { return service_js_1.AuthService; } });
+var middleware_js_1 = require("./middleware.js");
+Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return middleware_js_1.requireAuth; } });
+Object.defineProperty(exports, "optionalAuth", { enumerable: true, get: function () { return middleware_js_1.optionalAuth; } });
+Object.defineProperty(exports, "sessionMiddleware", { enumerable: true, get: function () { return middleware_js_1.sessionMiddleware; } });
+Object.defineProperty(exports, "requireTier", { enumerable: true, get: function () { return middleware_js_1.requireTier; } });
+Object.defineProperty(exports, "rateLimitByTier", { enumerable: true, get: function () { return middleware_js_1.rateLimitByTier; } });
+Object.defineProperty(exports, "csrfProtection", { enumerable: true, get: function () { return middleware_js_1.csrfProtection; } });
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":";;;AAAA,sBAAsB;AACtB,yCAA4C;AAAnC,0GAAA,aAAa,OAAA;AACtB,2CAAwD;AAA/C,yGAAA,WAAW,OAAA;AAAE,yGAAA,WAAW,OAAA;AAEjC,iDAOyB;AANvB,4GAAA,WAAW,OAAA;AACX,6GAAA,YAAY,OAAA;AACZ,kHAAA,iBAAiB,OAAA;AACjB,4GAAA,WAAW,OAAA;AACX,gHAAA,eAAe,OAAA;AACf,+GAAA,cAAc,OAAA"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,45 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { User } from '../db/schema.js';
+declare global {
+    namespace Express {
+        interface Request {
+            user?: User;
+            session?: {
+                user: {
+                    id: string;
+                    email: string;
+                    name?: string | null;
+                    image?: string | null;
+                };
+            };
+        }
+    }
+}
+/**
+ * Middleware to require authentication
+ * Blocks request if user is not authenticated
+ */
+export declare function requireAuth(req: Request, res: Response, next: NextFunction): void;
+/**
+ * Middleware to optionally load user if authenticated
+ * Does not block request if user is not authenticated
+ */
+export declare function optionalAuth(req: Request, res: Response, next: NextFunction): void;
+/**
+ * Middleware to load session and user from request
+ * Should be applied globally
+ */
+export declare function sessionMiddleware(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * Middleware to require specific subscription tiers
+ */
+export declare function requireTier(...allowedTiers: string[]): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+/**
+ * Rate limiting middleware based on subscription tier
+ */
+export declare function rateLimitByTier(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+/**
+ * CSRF protection middleware
+ */
+export declare function csrfProtection(req: Request, res: Response, next: NextFunction): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK/D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAM5C,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,IAAI,CAAC;YACZ,OAAO,CAAC,EAAE;gBACR,IAAI,EAAE;oBACJ,EAAE,EAAE,MAAM,CAAC;oBACX,KAAK,EAAE,MAAM,CAAC;oBACd,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;oBACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;iBACvB,CAAC;aACH,CAAC;SACH;KACF;CACF;AAoDD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAMjF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAGlF;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAuCf;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,YAAY,EAAE,MAAM,EAAE,IACrC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CAU9E;AAED;;GAEG;AACH,wBAAgB,eAAe,KAQf,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CAK9E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAwBpF"}

package/dist/auth/middleware.js

@@ -0,0 +1,170 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireAuth = requireAuth;
+exports.optionalAuth = optionalAuth;
+exports.sessionMiddleware = sessionMiddleware;
+exports.requireTier = requireTier;
+exports.rateLimitByTier = rateLimitByTier;
+exports.csrfProtection = csrfProtection;
+const jose_1 = require("jose");
+const core_1 = require("@auth/core");
+const config_js_1 = require("./config.js");
+const service_js_1 = require("./service.js");
+// JWT secret - must match the one in auth routes
+const JWT_SECRET = new TextEncoder().encode(process.env.JWT_SECRET || 'ucp-tools-jwt-secret-dev');
+/**
+ * Extract session from request using Auth.js
+ */
+async function getSessionFromRequest(req) {
+    try {
+        // Get session token from cookie or authorization header
+        const sessionToken = req.cookies?.['authjs.session-token'] ||
+            req.cookies?.['__Secure-authjs.session-token'] ||
+            extractBearerToken(req.headers.authorization);
+        if (!sessionToken) {
+            return null;
+        }
+        // For JWT sessions, decode the token
+        // This is a simplified version - in production you'd verify the JWT
+        const config = (0, config_js_1.getAuthConfig)();
+        // Create a mock request for Auth.js
+        const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+        const headers = new Headers();
+        Object.entries(req.headers).forEach(([key, value]) => {
+            if (value) {
+                headers.set(key, Array.isArray(value) ? value.join(', ') : value);
+            }
+        });
+        const authRequest = new Request(url, {
+            method: req.method,
+            headers,
+        });
+        const response = await (0, core_1.Auth)(authRequest, config);
+        // Parse session from response if available
+        // This is a fallback - primarily we rely on the session cookie
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function extractBearerToken(header) {
+    if (!header?.startsWith('Bearer ')) {
+        return null;
+    }
+    return header.slice(7);
+}
+/**
+ * Middleware to require authentication
+ * Blocks request if user is not authenticated
+ */
+function requireAuth(req, res, next) {
+    if (!req.user) {
+        res.status(401).json({ error: 'Authentication required' });
+        return;
+    }
+    next();
+}
+/**
+ * Middleware to optionally load user if authenticated
+ * Does not block request if user is not authenticated
+ */
+function optionalAuth(req, res, next) {
+    // User is loaded by sessionMiddleware if present
+    next();
+}
+/**
+ * Middleware to load session and user from request
+ * Should be applied globally
+ */
+async function sessionMiddleware(req, res, next) {
+    try {
+        // Try to get token from Authorization header or session cookie
+        const bearerToken = extractBearerToken(req.headers.authorization);
+        const sessionToken = req.cookies?.['authjs.session-token'] ||
+            req.cookies?.['__Secure-authjs.session-token'];
+        const token = bearerToken || sessionToken;
+        if (token) {
+            try {
+                // Verify JWT token
+                const { payload } = await (0, jose_1.jwtVerify)(token, JWT_SECRET);
+                if (payload.userId && typeof payload.userId === 'string') {
+                    // Load user from database
+                    const user = await service_js_1.authService.getUserById(payload.userId);
+                    if (user) {
+                        req.user = user;
+                        req.userId = user.id;
+                    }
+                }
+            }
+            catch (jwtError) {
+                // Token verification failed - continue without auth
+                // This could be an expired token or invalid signature
+            }
+        }
+        // Also check for API key authentication
+        const apiKey = req.headers['x-api-key'];
+        if (apiKey && !req.user) {
+            // API key auth will be handled by a separate middleware
+        }
+        next();
+    }
+    catch (error) {
+        next();
+    }
+}
+/**
+ * Middleware to require specific subscription tiers
+ */
+function requireTier(...allowedTiers) {
+    return async (req, res, next) => {
+        if (!req.user) {
+            res.status(401).json({ error: 'Authentication required' });
+            return;
+        }
+        // TODO: Load user subscription and check tier
+        // For now, allow all authenticated users
+        next();
+    };
+}
+/**
+ * Rate limiting middleware based on subscription tier
+ */
+function rateLimitByTier() {
+    const limits = {
+        free: 100,
+        pro: 1000,
+        business: 5000,
+        agency: 25000,
+    };
+    return async (req, res, next) => {
+        // TODO: Implement rate limiting based on user's subscription tier
+        // For now, pass through
+        next();
+    };
+}
+/**
+ * CSRF protection middleware
+ */
+function csrfProtection(req, res, next) {
+    // Skip CSRF for API routes with API key auth
+    if (req.headers['x-api-key']) {
+        next();
+        return;
+    }
+    // Skip for safe methods
+    if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
+        next();
+        return;
+    }
+    // Check CSRF token
+    const csrfToken = req.headers['x-csrf-token'] || req.body?._csrf;
+    const sessionCsrf = req.cookies?.['csrf-token'];
+    if (!csrfToken || csrfToken !== sessionCsrf) {
+        // For now, log warning but don't block
+        // In production, uncomment the next line:
+        // return res.status(403).json({ error: 'Invalid CSRF token' });
+    }
+    next();
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":";;AAiFA,kCAMC;AAMD,oCAGC;AAMD,8CA2CC;AAKD,kCAWC;AAKD,0CAaC;AAKD,wCAwBC;AA/MD,+BAAiC;AACjC,qCAAkC;AAClC,2CAA4C;AAC5C,6CAA2C;AAG3C,iDAAiD;AACjD,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,0BAA0B,CAAC,CAAC;AAmBlG;;GAEG;AACH,KAAK,UAAU,qBAAqB,CAAC,GAAY;IAC/C,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,YAAY,GAChB,GAAG,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC;YACrC,GAAG,CAAC,OAAO,EAAE,CAAC,+BAA+B,CAAC;YAC9C,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAEhD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,qCAAqC;QACrC,oEAAoE;QACpE,MAAM,MAAM,GAAG,IAAA,yBAAa,GAAE,CAAC;QAE/B,oCAAoC;QACpC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;QACjF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YACnD,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YACnC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAI,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAEjD,2CAA2C;QAC3C,+DAA+D;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAe;IACzC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IACzE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC3D,OAAO;IACT,CAAC;IACD,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC1E,iDAAiD;IACjD,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CACrC,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,IAAI,CAAC;QACH,+DAA+D;QAC/D,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAClE,MAAM,YAAY,GAChB,GAAG,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC;YACrC,GAAG,CAAC,OAAO,EAAE,CAAC,+BAA+B,CAAC,CAAC;QAEjD,MAAM,KAAK,GAAG,WAAW,IAAI,YAAY,CAAC;QAE1C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBACH,mBAAmB;gBACnB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,UAAU,CAAC,CAAC;gBAEvD,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACzD,0BAA0B;oBAC1B,MAAM,IAAI,GAAG,MAAM,wBAAW,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;oBAC3D,IAAI,IAAI,EAAE,CAAC;wBACT,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;wBACf,GAAW,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,QAAQ,EAAE,CAAC;gBAClB,oDAAoD;gBACpD,sDAAsD;YACxD,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAW,CAAC;QAClD,IAAI,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACxB,wDAAwD;QAC1D,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,EAAE,CAAC;IACT,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CAAC,GAAG,YAAsB;IACnD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,yCAAyC;QACzC,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe;IAC7B,MAAM,MAAM,GAA2B;QACrC,IAAI,EAAE,GAAG;QACT,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,KAAK;KACd,CAAC;IAEF,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,kEAAkE;QAClE,wBAAwB;QACxB,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC5E,6CAA6C;IAC7C,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACpD,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC;IACjE,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,YAAY,CAAC,CAAC;IAEhD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;QAC5C,uCAAuC;QACvC,0CAA0C;QAC1C,gEAAgE;IAClE,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/auth/service.d.ts

@@ -0,0 +1,80 @@
+import type { User } from '../db/schema.js';
+export interface SignupInput {
+    email: string;
+    password: string;
+    name?: string;
+}
+export interface LoginInput {
+    email: string;
+    password: string;
+}
+export interface AuthResult {
+    success: boolean;
+    user?: User;
+    error?: string;
+}
+export interface TokenResult {
+    success: boolean;
+    token?: string;
+    error?: string;
+}
+/**
+ * Auth service for user management
+ */
+export declare class AuthService {
+    private db;
+    /**
+     * Register a new user with email and password
+     */
+    signup(input: SignupInput): Promise<AuthResult>;
+    /**
+     * Authenticate user with email and password
+     */
+    login(input: LoginInput): Promise<AuthResult>;
+    /**
+     * Generate email verification token
+     */
+    createVerificationToken(email: string): Promise<TokenResult>;
+    /**
+     * Verify email with token
+     */
+    verifyEmail(email: string, token: string): Promise<AuthResult>;
+    /**
+     * Create password reset token
+     */
+    createPasswordResetToken(email: string): Promise<TokenResult>;
+    /**
+     * Reset password with token
+     */
+    resetPassword(email: string, token: string, newPassword: string): Promise<AuthResult>;
+    /**
+     * Get user by ID
+     */
+    getUserById(id: string): Promise<User | null>;
+    /**
+     * Get user by email
+     */
+    getUserByEmail(email: string): Promise<User | null>;
+    /**
+     * Update user profile
+     */
+    updateProfile(userId: string, data: {
+        name?: string;
+        image?: string;
+    }): Promise<AuthResult>;
+    /**
+     * Change password for authenticated user
+     */
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<AuthResult>;
+    /**
+     * Delete user account
+     */
+    deleteAccount(userId: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    private isValidEmail;
+    private validatePassword;
+}
+export declare const authService: AuthService;
+//# sourceMappingURL=service.d.ts.map

package/dist/auth/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../src/auth/service.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,iBAAiB,CAAC;AAKrD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,EAAE,CAAW;IAErB;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAiDrD;;OAEG;IACG,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IA4BnD;;OAEG;IACG,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAalE;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAmCpE;;OAEG;IACG,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCnE;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAwC3F;;OAEG;IACG,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAgBnD;;OAEG;IACG,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAWzD;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GACtC,OAAO,CAAC,UAAU,CAAC;IAmBtB;;OAEG;IACG,cAAc,CAClB,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC;IA0BtB;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAOlF,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,gBAAgB;CAezB;AAGD,eAAO,MAAM,WAAW,aAAoB,CAAC"}