@veloxts/auth 0.3.3 → 0.3.4

package/dist/hash.js

@@ -0,0 +1,220 @@
+/**
+ * Password hashing utilities for @veloxts/auth
+ * @module auth/hash
+ */
+import { randomBytes, scrypt, timingSafeEqual } from 'node:crypto';
+import { promisify } from 'node:util';
+const scryptAsync = promisify(scrypt);
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_BCRYPT_ROUNDS = 12;
+const DEFAULT_ARGON2_MEMORY_COST = 65536; // 64 MB
+const DEFAULT_ARGON2_TIME_COST = 3;
+const DEFAULT_ARGON2_PARALLELISM = 4;
+// ============================================================================
+// Password Hasher Class
+// ============================================================================
+/**
+ * Password hasher with configurable algorithms
+ *
+ * Supports bcrypt and argon2 algorithms. Falls back to scrypt-based
+ * implementation when native modules are not available.
+ *
+ * @example
+ * ```typescript
+ * const hasher = new PasswordHasher({ algorithm: 'bcrypt', bcryptRounds: 12 });
+ *
+ * // Hash a password
+ * const hash = await hasher.hash('mypassword123');
+ *
+ * // Verify a password
+ * const isValid = await hasher.verify('mypassword123', hash);
+ * ```
+ */
+export class PasswordHasher {
+    config;
+    bcrypt = null;
+    argon2 = null;
+    constructor(config = {}) {
+        this.config = {
+            algorithm: config.algorithm ?? 'bcrypt',
+            bcryptRounds: config.bcryptRounds ?? DEFAULT_BCRYPT_ROUNDS,
+            argon2MemoryCost: config.argon2MemoryCost ?? DEFAULT_ARGON2_MEMORY_COST,
+            argon2TimeCost: config.argon2TimeCost ?? DEFAULT_ARGON2_TIME_COST,
+            argon2Parallelism: config.argon2Parallelism ?? DEFAULT_ARGON2_PARALLELISM,
+        };
+    }
+    /**
+     * Lazily load bcrypt module
+     */
+    async loadBcrypt() {
+        if (!this.bcrypt) {
+            try {
+                this.bcrypt = await import('bcrypt');
+            }
+            catch {
+                throw new Error('bcrypt module not found. Install it with: pnpm add bcrypt && pnpm add -D @types/bcrypt');
+            }
+        }
+        return this.bcrypt;
+    }
+    /**
+     * Lazily load argon2 module
+     */
+    async loadArgon2() {
+        if (!this.argon2) {
+            try {
+                this.argon2 = await import('argon2');
+            }
+            catch {
+                throw new Error('argon2 module not found. Install it with: pnpm add argon2');
+            }
+        }
+        return this.argon2;
+    }
+    /**
+     * Hash a password using the configured algorithm
+     */
+    async hash(password) {
+        if (this.config.algorithm === 'argon2') {
+            return this.hashWithArgon2(password);
+        }
+        return this.hashWithBcrypt(password);
+    }
+    /**
+     * Verify a password against a hash
+     */
+    async verify(password, hash) {
+        // Detect hash type from format
+        if (hash.startsWith('$argon2')) {
+            return this.verifyWithArgon2(password, hash);
+        }
+        if (hash.startsWith('$2')) {
+            return this.verifyWithBcrypt(password, hash);
+        }
+        if (hash.startsWith('$scrypt$')) {
+            return this.verifyWithScrypt(password, hash);
+        }
+        throw new Error('Unknown hash format');
+    }
+    /**
+     * Hash using bcrypt
+     */
+    async hashWithBcrypt(password) {
+        try {
+            const bcrypt = await this.loadBcrypt();
+            return bcrypt.hash(password, this.config.bcryptRounds);
+        }
+        catch (error) {
+            // Fallback to scrypt if bcrypt fails
+            if (error.message.includes('not found')) {
+                console.warn('bcrypt not available, falling back to scrypt');
+                return this.hashWithScrypt(password);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Verify using bcrypt
+     */
+    async verifyWithBcrypt(password, hash) {
+        const bcrypt = await this.loadBcrypt();
+        return bcrypt.compare(password, hash);
+    }
+    /**
+     * Hash using argon2
+     */
+    async hashWithArgon2(password) {
+        try {
+            const argon2 = await this.loadArgon2();
+            return argon2.hash(password, {
+                memoryCost: this.config.argon2MemoryCost,
+                timeCost: this.config.argon2TimeCost,
+                parallelism: this.config.argon2Parallelism,
+                type: 2, // argon2id
+            });
+        }
+        catch (error) {
+            // Fallback to scrypt if argon2 fails
+            if (error.message.includes('not found')) {
+                console.warn('argon2 not available, falling back to scrypt');
+                return this.hashWithScrypt(password);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Verify using argon2
+     */
+    async verifyWithArgon2(password, hash) {
+        const argon2 = await this.loadArgon2();
+        return argon2.verify(hash, password);
+    }
+    /**
+     * Hash using Node.js built-in scrypt (fallback)
+     */
+    async hashWithScrypt(password) {
+        const salt = randomBytes(32);
+        const derivedKey = (await scryptAsync(password, salt, 64));
+        return `$scrypt$${salt.toString('hex')}$${derivedKey.toString('hex')}`;
+    }
+    /**
+     * Verify using scrypt
+     */
+    async verifyWithScrypt(password, hash) {
+        const parts = hash.split('$');
+        if (parts.length !== 4 || parts[1] !== 'scrypt') {
+            throw new Error('Invalid scrypt hash format');
+        }
+        const salt = Buffer.from(parts[2], 'hex');
+        const storedKey = Buffer.from(parts[3], 'hex');
+        const derivedKey = (await scryptAsync(password, salt, 64));
+        return timingSafeEqual(storedKey, derivedKey);
+    }
+    /**
+     * Check if a hash needs rehashing (algorithm or cost changed)
+     */
+    needsRehash(hash) {
+        // If using argon2 but hash is bcrypt/scrypt, rehash
+        if (this.config.algorithm === 'argon2' && !hash.startsWith('$argon2')) {
+            return true;
+        }
+        // If using bcrypt but hash is argon2/scrypt, rehash
+        if (this.config.algorithm === 'bcrypt' && !hash.startsWith('$2')) {
+            return true;
+        }
+        // TODO: Check bcrypt rounds from hash and compare
+        // bcrypt hashes include rounds in format: $2b$XX$...
+        return false;
+    }
+}
+/**
+ * Creates a new password hasher instance
+ */
+export function createPasswordHasher(config) {
+    return new PasswordHasher(config);
+}
+/**
+ * Default password hasher instance (bcrypt, 12 rounds)
+ */
+let defaultHasher = null;
+/**
+ * Hash a password using the default hasher
+ */
+export async function hashPassword(password) {
+    if (!defaultHasher) {
+        defaultHasher = new PasswordHasher();
+    }
+    return defaultHasher.hash(password);
+}
+/**
+ * Verify a password using the default hasher
+ */
+export async function verifyPassword(password, hash) {
+    if (!defaultHasher) {
+        defaultHasher = new PasswordHasher();
+    }
+    return defaultHasher.verify(password, hash);
+}
+//# sourceMappingURL=hash.js.map

package/dist/hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../src/hash.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAItC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;AAEtC,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG,EAAE,CAAC;AACjC,MAAM,0BAA0B,GAAG,KAAK,CAAC,CAAC,QAAQ;AAClD,MAAM,wBAAwB,GAAG,CAAC,CAAC;AACnC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAErC,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,cAAc;IACR,MAAM,CAAuB;IACtC,MAAM,GAAmC,IAAI,CAAC;IAC9C,MAAM,GAAmC,IAAI,CAAC;IAEtD,YAAY,SAAqB,EAAE;QACjC,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,QAAQ;YACvC,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,qBAAqB;YAC1D,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,0BAA0B;YACvE,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,wBAAwB;YACjE,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,0BAA0B;SAC1E,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,IAAI,CAAC,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,IAAI,CAAC,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAAY;QACzC,+BAA+B;QAC/B,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc,CAAC,QAAgB;QAC3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qCAAqC;YACrC,IAAK,KAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnD,OAAO,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;gBAC7D,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACvC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,IAAY;QAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc,CAAC,QAAgB;QAC3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE;gBAC3B,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBACxC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;gBACpC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;gBAC1C,IAAI,EAAE,CAAC,EAAE,WAAW;aACrB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qCAAqC;YACrC,IAAK,KAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnD,OAAO,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;gBAC7D,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACvC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,IAAY;QAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc,CAAC,QAAgB;QAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7B,MAAM,UAAU,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAW,CAAC;QACrE,OAAO,WAAW,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IACzE,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,IAAY;QAC3D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAW,CAAC;QAErE,OAAO,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,oDAAoD;QACpD,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,oDAAoD;QACpD,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kDAAkD;QAClD,qDAAqD;QAErD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAmB;IACtD,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,IAAI,aAAa,GAA0B,IAAI,CAAC;AAEhD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,IAAI,cAAc,EAAE,CAAC;IACvC,CAAC;IACD,OAAO,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAY;IACjE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,IAAI,cAAc,EAAE,CAAC;IACvC,CAAC;IACD,OAAO,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC"}

package/dist/index.d.ts

@@ -1,40 +1,33 @@
 /**
  * @veloxts/auth - Authentication and authorization system
  *
- * Provides authentication middleware, session management, and authorization
- * guards for VeloxTS applications. Deferred to v1.1+ release.
+ * Provides JWT authentication, password hashing, authorization guards,
+ * resource policies, and rate limiting for VeloxTS applications.
  *
- * @note This package is a placeholder for MVP (v0.1.0)
+ * @packageDocumentation
+ * @module @veloxts/auth
  */
-/** Auth package version */
-export declare const AUTH_VERSION: string;
+export { AUTH_VERSION } from './plugin.js';
+export type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, GuardFunction, HashConfig, JwtConfig, 
 /**
- * User interface for authenticated requests
+ * @deprecated Use SessionConfig from session.ts for full session management
  */
-export interface User {
-    id: string;
-    email: string;
-    [key: string]: unknown;
-}
-/**
- * Creates an authentication plugin for VeloxTS
- *
- * @param _config
- * @returns Auth plugin
- *
- * @note Full implementation coming in v1.1+
- */
-export declare function createAuth(_config?: {
-    secret?: string;
-    sessionStore?: unknown;
-}): {
-    version: string;
-    middleware: () => void;
-};
-/**
- * Authorization guard decorator (placeholder)
- *
- * @note Full implementation coming in v1.1+
- */
-export declare function guard(permissions: string[]): (target: unknown) => unknown;
+LegacySessionConfig, PolicyAction, PolicyDefinition, RateLimitConfig, TokenPair, TokenPayload, User, } from './types.js';
+export { AuthError } from './types.js';
+export type { TokenStore } from './jwt.js';
+export { createInMemoryTokenStore, createJwtManager, generateTokenId, JwtManager, parseTimeToSeconds, } from './jwt.js';
+export { createPasswordHasher, hashPassword, PasswordHasher, verifyPassword, } from './hash.js';
+export { allOf, anyOf, authenticated, defineGuard, emailVerified, executeGuard, executeGuards, guard, hasAnyPermission, hasPermission, hasRole, not, userCan, } from './guards.js';
+export { authorize, can, cannot, clearPolicies, createAdminOnlyPolicy, createOwnerOrAdminPolicy, createPolicyBuilder, createReadOnlyPolicy, definePolicy, getPolicy, registerPolicy, } from './policies.js';
+export { clearRateLimitStore, createAuthMiddleware, createRateLimitMiddleware, } from './middleware.js';
+export type { AuthPluginOptions, AuthService } from './plugin.js';
+export { authPlugin, createAuthPlugin } from './plugin.js';
+export type { CsrfConfig, CsrfContext, CsrfCookieConfig, CsrfErrorCode, CsrfManager, CsrfMiddlewareOptions, CsrfTokenConfig, CsrfTokenData, CsrfTokenResult, CsrfValidationConfig, } from './csrf.js';
+export { CsrfError, createCsrfManager, createCsrfMiddleware } from './csrf.js';
+export type { Session, SessionAuthContext, SessionConfig, SessionContext, SessionCookieConfig, SessionData, SessionExpirationConfig, SessionManager, SessionMiddlewareOptions, SessionStore, StoredSession, } from './session.js';
+export { createInMemorySessionStore, createSessionManager, createSessionMiddleware, isSessionAuthenticated, loginSession, logoutSession, } from './session.js';
+export type { AdapterAuthContext, AdapterHttpMethod, AdapterMiddlewareOptions, AdapterRoute, AdapterSession, AdapterSessionResult, AdapterUser, AuthAdapter, AuthAdapterConfig, AuthAdapterErrorCode, AuthAdapterPluginOptions, InferAdapterConfig, } from './adapter.js';
+export { AuthAdapterError, BaseAuthAdapter, createAdapterAuthMiddleware, createAuthAdapterPlugin, defineAuthAdapter, isAuthAdapter, } from './adapter.js';
+export type { BetterAuthAdapterConfig, BetterAuthApi, BetterAuthHandler, BetterAuthInstance, BetterAuthSession, BetterAuthSessionResult, BetterAuthUser, } from './adapters/better-auth.js';
+export { BetterAuthAdapter, createBetterAuthAdapter } from './adapters/better-auth.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,2BAA2B;AAC3B,eAAO,MAAM,YAAY,EAAE,MAA+C,CAAC;AAE3E;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,OAAO,CAAA;CAAO;;;EAOnF;AAED;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,WAAW,EAAE,MAAM,EAAE,IACjC,QAAQ,OAAO,aAIxB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAM3C,YAAY,EACV,UAAU,EACV,WAAW,EACX,qBAAqB,EACrB,eAAe,EAEf,aAAa,EACb,UAAU,EAEV,SAAS;AACT;;GAEG;AACH,mBAAmB,EAEnB,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,SAAS,EACT,YAAY,EAEZ,IAAI,GACL,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAMvC,YAAY,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,kBAAkB,GACnB,MAAM,UAAU,CAAC;AAMlB,OAAO,EACL,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,cAAc,GACf,MAAM,WAAW,CAAC;AAMnB,OAAO,EAEL,KAAK,EACL,KAAK,EAEL,aAAa,EAEb,WAAW,EACX,aAAa,EAEb,YAAY,EACZ,aAAa,EACb,KAAK,EACL,gBAAgB,EAChB,aAAa,EACb,OAAO,EACP,GAAG,EACH,OAAO,GACR,MAAM,aAAa,CAAC;AAMrB,OAAO,EACL,SAAS,EAET,GAAG,EACH,MAAM,EACN,aAAa,EACb,qBAAqB,EAErB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EAEpB,YAAY,EACZ,SAAS,EAET,cAAc,GACf,MAAM,eAAe,CAAC;AAMvB,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAMzB,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAM3D,YAAY,EACV,UAAU,EACV,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,qBAAqB,EACrB,eAAe,EACf,aAAa,EACb,eAAe,EACf,oBAAoB,GACrB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAM/E,YAAY,EAEV,OAAO,EAEP,kBAAkB,EAElB,aAAa,EACb,cAAc,EACd,mBAAmB,EAEnB,WAAW,EACX,uBAAuB,EAEvB,cAAc,EAEd,wBAAwB,EAExB,YAAY,EACZ,aAAa,GACd,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,0BAA0B,EAE1B,oBAAoB,EAEpB,uBAAuB,EAEvB,sBAAsB,EACtB,YAAY,EACZ,aAAa,GACd,MAAM,cAAc,CAAC;AAMtB,YAAY,EAEV,kBAAkB,EAElB,iBAAiB,EACjB,wBAAwB,EACxB,YAAY,EAEZ,cAAc,EACd,oBAAoB,EACpB,WAAW,EAEX,WAAW,EAEX,iBAAiB,EAEjB,oBAAoB,EAEpB,wBAAwB,EAExB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,gBAAgB,EAEhB,eAAe,EAEf,2BAA2B,EAC3B,uBAAuB,EACvB,iBAAiB,EAEjB,aAAa,GACd,MAAM,cAAc,CAAC;AAMtB,YAAY,EACV,uBAAuB,EACvB,aAAa,EACb,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,EACvB,cAAc,GACf,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/index.js

@@ -1,42 +1,69 @@
 /**
  * @veloxts/auth - Authentication and authorization system
  *
- * Provides authentication middleware, session management, and authorization
- * guards for VeloxTS applications. Deferred to v1.1+ release.
+ * Provides JWT authentication, password hashing, authorization guards,
+ * resource policies, and rate limiting for VeloxTS applications.
  *
- * @note This package is a placeholder for MVP (v0.1.0)
+ * @packageDocumentation
+ * @module @veloxts/auth
  */
-import { createRequire } from 'node:module';
-// Read version from package.json dynamically
-const require = createRequire(import.meta.url);
-const packageJson = require('../package.json');
-/** Auth package version */
-export const AUTH_VERSION = packageJson.version ?? '0.0.0-unknown';
-/**
- * Creates an authentication plugin for VeloxTS
- *
- * @param _config
- * @returns Auth plugin
- *
- * @note Full implementation coming in v1.1+
- */
-export function createAuth(_config = {}) {
-    return {
-        version: AUTH_VERSION,
-        middleware: () => {
-            console.log('Auth middleware placeholder (v1.1+)');
-        },
-    };
-}
-/**
- * Authorization guard decorator (placeholder)
- *
- * @note Full implementation coming in v1.1+
- */
-export function guard(permissions) {
-    return (target) => {
-        console.log(`Guard decorator placeholder: ${permissions.join(', ')}`);
-        return target;
-    };
-}
+// ============================================================================
+// Version Export
+// ============================================================================
+export { AUTH_VERSION } from './plugin.js';
+export { AuthError } from './types.js';
+export { createInMemoryTokenStore, createJwtManager, generateTokenId, JwtManager, parseTimeToSeconds, } from './jwt.js';
+// ============================================================================
+// Password Hashing
+// ============================================================================
+export { createPasswordHasher, hashPassword, PasswordHasher, verifyPassword, } from './hash.js';
+// ============================================================================
+// Guards
+// ============================================================================
+export { 
+// Combinators
+allOf, anyOf, 
+// Built-in guards
+authenticated, 
+// Factory functions
+defineGuard, emailVerified, 
+// Execution
+executeGuard, executeGuards, guard, hasAnyPermission, hasPermission, hasRole, not, userCan, } from './guards.js';
+// ============================================================================
+// Policies
+// ============================================================================
+export { authorize, 
+// Authorization checks
+can, cannot, clearPolicies, createAdminOnlyPolicy, 
+// Common patterns
+createOwnerOrAdminPolicy, createPolicyBuilder, createReadOnlyPolicy, 
+// Factory
+definePolicy, getPolicy, 
+// Registry
+registerPolicy, } from './policies.js';
+// ============================================================================
+// Middleware
+// ============================================================================
+export { clearRateLimitStore, createAuthMiddleware, createRateLimitMiddleware, } from './middleware.js';
+export { authPlugin, createAuthPlugin } from './plugin.js';
+export { CsrfError, createCsrfManager, createCsrfMiddleware } from './csrf.js';
+export { 
+// Store implementations
+createInMemorySessionStore, 
+// Session manager
+createSessionManager, 
+// Middleware factory
+createSessionMiddleware, 
+// Helper functions
+isSessionAuthenticated, loginSession, logoutSession, } from './session.js';
+export { 
+// Error class
+AuthAdapterError, 
+// Abstract base class
+BaseAuthAdapter, 
+// Factory functions
+createAdapterAuthMiddleware, createAuthAdapterPlugin, defineAuthAdapter, 
+// Type guard
+isAuthAdapter, } from './adapter.js';
+export { BetterAuthAdapter, createBetterAuthAdapter } from './adapters/better-auth.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,6CAA6C;AAC7C,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAEtE,2BAA2B;AAC3B,MAAM,CAAC,MAAM,YAAY,GAAW,WAAW,CAAC,OAAO,IAAI,eAAe,CAAC;AAW3E;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,UAAuD,EAAE;IAClF,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,UAAU,EAAE,GAAG,EAAE;YACf,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;QACrD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,WAAqB;IACzC,OAAO,CAAC,MAAe,EAAE,EAAE;QACzB,OAAO,CAAC,GAAG,CAAC,gCAAgC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtE,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA6B3C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAOvC,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,kBAAkB,GACnB,MAAM,UAAU,CAAC;AAElB,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,OAAO,EACL,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,cAAc,GACf,MAAM,WAAW,CAAC;AAEnB,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,OAAO;AACL,cAAc;AACd,KAAK,EACL,KAAK;AACL,kBAAkB;AAClB,aAAa;AACb,oBAAoB;AACpB,WAAW,EACX,aAAa;AACb,YAAY;AACZ,YAAY,EACZ,aAAa,EACb,KAAK,EACL,gBAAgB,EAChB,aAAa,EACb,OAAO,EACP,GAAG,EACH,OAAO,GACR,MAAM,aAAa,CAAC;AAErB,+EAA+E;AAC/E,WAAW;AACX,+EAA+E;AAE/E,OAAO,EACL,SAAS;AACT,uBAAuB;AACvB,GAAG,EACH,MAAM,EACN,aAAa,EACb,qBAAqB;AACrB,kBAAkB;AAClB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB;AACpB,UAAU;AACV,YAAY,EACZ,SAAS;AACT,WAAW;AACX,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAkB3D,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AA0B/E,OAAO;AACL,wBAAwB;AACxB,0BAA0B;AAC1B,kBAAkB;AAClB,oBAAoB;AACpB,qBAAqB;AACrB,uBAAuB;AACvB,mBAAmB;AACnB,sBAAsB,EACtB,YAAY,EACZ,aAAa,GACd,MAAM,cAAc,CAAC;AA4BtB,OAAO;AACL,cAAc;AACd,gBAAgB;AAChB,sBAAsB;AACtB,eAAe;AACf,oBAAoB;AACpB,2BAA2B,EAC3B,uBAAuB,EACvB,iBAAiB;AACjB,aAAa;AACb,aAAa,GACd,MAAM,cAAc,CAAC;AAetB,OAAO,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,128 @@
+/**
+ * JWT token utilities for @veloxts/auth
+ * @module auth/jwt
+ */
+import type { JwtConfig, TokenPair, TokenPayload, User } from './types.js';
+/**
+ * Parses time string to seconds
+ * Supports: '15m', '1h', '7d', '30d', etc.
+ */
+export declare function parseTimeToSeconds(time: string): number;
+/**
+ * Generate a unique token ID
+ */
+export declare function generateTokenId(): string;
+/**
+ * JWT token manager
+ *
+ * Handles token creation, verification, and refresh.
+ * Uses HS256 (HMAC-SHA256) algorithm.
+ *
+ * @example
+ * ```typescript
+ * const jwt = new JwtManager({
+ *   secret: process.env.JWT_SECRET!,
+ *   accessTokenExpiry: '15m',
+ *   refreshTokenExpiry: '7d',
+ * });
+ *
+ * // Create tokens for user
+ * const tokens = jwt.createTokenPair(user);
+ *
+ * // Verify access token
+ * const payload = jwt.verifyToken(tokens.accessToken);
+ *
+ * // Refresh tokens
+ * const newTokens = jwt.refreshTokens(tokens.refreshToken);
+ * ```
+ */
+export declare class JwtManager {
+    private readonly config;
+    constructor(config: JwtConfig);
+    /**
+     * Creates a JWT token with the given payload
+     */
+    createToken(payload: Omit<TokenPayload, 'iat' | 'exp'> & {
+        sub: string;
+        email: string;
+        type: TokenPayload['type'];
+    }, expiresIn: string): string;
+    /**
+     * Verifies a JWT token and returns the payload
+     *
+     * @throws Error if token is invalid or expired
+     */
+    verifyToken(token: string): TokenPayload;
+    /**
+     * Creates an access/refresh token pair for a user
+     *
+     * @param user - The user to create tokens for
+     * @param additionalClaims - Custom claims to include (cannot override reserved claims)
+     * @throws Error if additionalClaims contains reserved JWT claims
+     */
+    createTokenPair(user: User, additionalClaims?: Record<string, unknown>): TokenPair;
+    /**
+     * Refreshes tokens using a valid refresh token
+     *
+     * @throws Error if refresh token is invalid or not a refresh token
+     */
+    refreshTokens(refreshToken: string, userLoader?: (userId: string) => Promise<User | null>): Promise<TokenPair>;
+    refreshTokens(refreshToken: string): TokenPair;
+    /**
+     * Decodes a token without verification
+     * Useful for extracting payload from expired tokens
+     */
+    decodeToken(token: string): TokenPayload | null;
+    /**
+     * Extracts token from Authorization header
+     * Supports 'Bearer <token>' format
+     */
+    extractFromHeader(authHeader: string | undefined): string | null;
+}
+/**
+ * Creates a new JWT manager instance
+ */
+export declare function createJwtManager(config: JwtConfig): JwtManager;
+/**
+ * Token store interface for revocation management
+ */
+export interface TokenStore {
+    /** Revoke a token by its ID (jti) */
+    revoke: (tokenId: string) => void | Promise<void>;
+    /** Check if a token is revoked */
+    isRevoked: (tokenId: string) => boolean | Promise<boolean>;
+    /** Clear all revoked tokens (useful for testing) */
+    clear: () => void;
+}
+/**
+ * Creates an in-memory token store for development and testing
+ *
+ * ⚠️ WARNING: NOT suitable for production!
+ * - Does not persist across server restarts
+ * - Does not work across multiple server instances
+ * - No automatic cleanup of expired token IDs
+ *
+ * For production, use Redis or database-backed storage:
+ * - upstash/redis for serverless
+ * - ioredis for traditional servers
+ * - Database table for audit trail
+ *
+ * @example
+ * ```typescript
+ * // Development/Testing
+ * const tokenStore = createInMemoryTokenStore();
+ *
+ * const authConfig: AuthConfig = {
+ *   jwt: { secret: process.env.JWT_SECRET! },
+ *   isTokenRevoked: tokenStore.isRevoked,
+ * };
+ *
+ * // Revoke on logout
+ * app.post('/logout', async (req) => {
+ *   const tokenId = req.auth.token.jti;
+ *   tokenStore.revoke(tokenId);
+ * });
+ * ```
+ */
+export declare function createInMemoryTokenStore(): TokenStore;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAuC3E;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAqBvD;AA4BD;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAGX;gBAEA,MAAM,EAAE,SAAS;IAyB7B;;OAEG;IACH,WAAW,CACT,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;QAC3C,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;KAC5B,EACD,SAAS,EAAE,MAAM,GAChB,MAAM;IAsBT;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAkFxC;;;;;;OAMG;IACH,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;IA0ClF;;;;OAIG;IACH,aAAa,CACX,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,GACpD,OAAO,CAAC,SAAS,CAAC;IACrB,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS;IA8B9C;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAa/C;;;OAGG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI;CAYjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,CAE9D;AAMD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qCAAqC;IACrC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,kCAAkC;IAClC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3D,oDAAoD;IACpD,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,wBAAwB,IAAI,UAAU,CAYrD"}