@veloxts/auth 0.3.3 → 0.3.4

package/dist/jwt.js

@@ -0,0 +1,363 @@
+/**
+ * JWT token utilities for @veloxts/auth
+ * @module auth/jwt
+ */
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_ACCESS_EXPIRY = '15m';
+const DEFAULT_REFRESH_EXPIRY = '7d';
+/**
+ * Minimum JWT secret length (64 characters = 512 bits)
+ * HS256 requires at least 256 bits, but we require 512 for extra security margin
+ */
+const MIN_SECRET_LENGTH = 64;
+/**
+ * Minimum unique characters in secret for entropy validation
+ */
+const MIN_SECRET_ENTROPY_CHARS = 16;
+/**
+ * Reserved JWT claims that cannot be overridden via additionalClaims
+ */
+const RESERVED_JWT_CLAIMS = new Set([
+    'sub',
+    'iss',
+    'aud',
+    'exp',
+    'iat',
+    'jti',
+    'nbf',
+    'type',
+    'email',
+]);
+// ============================================================================
+// JWT Implementation
+// ============================================================================
+/**
+ * Parses time string to seconds
+ * Supports: '15m', '1h', '7d', '30d', etc.
+ */
+export function parseTimeToSeconds(time) {
+    const match = time.match(/^(\d+)([smhd])$/);
+    if (!match) {
+        throw new Error(`Invalid time format: ${time}. Use format like '15m', '1h', '7d'`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case 's':
+            return value;
+        case 'm':
+            return value * 60;
+        case 'h':
+            return value * 60 * 60;
+        case 'd':
+            return value * 60 * 60 * 24;
+        default:
+            throw new Error(`Unknown time unit: ${unit}`);
+    }
+}
+/**
+ * Base64url encode
+ */
+function base64urlEncode(data) {
+    const base64 = Buffer.from(data).toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Base64url decode
+ */
+function base64urlDecode(data) {
+    const base64 = data.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
+    return Buffer.from(padded, 'base64').toString('utf8');
+}
+/**
+ * Create HMAC-SHA256 signature
+ */
+function createSignature(data, secret) {
+    const hmac = createHmac('sha256', secret);
+    hmac.update(data);
+    return base64urlEncode(hmac.digest());
+}
+/**
+ * Generate a unique token ID
+ */
+export function generateTokenId() {
+    return randomBytes(16).toString('hex');
+}
+// ============================================================================
+// JWT Manager Class
+// ============================================================================
+/**
+ * JWT token manager
+ *
+ * Handles token creation, verification, and refresh.
+ * Uses HS256 (HMAC-SHA256) algorithm.
+ *
+ * @example
+ * ```typescript
+ * const jwt = new JwtManager({
+ *   secret: process.env.JWT_SECRET!,
+ *   accessTokenExpiry: '15m',
+ *   refreshTokenExpiry: '7d',
+ * });
+ *
+ * // Create tokens for user
+ * const tokens = jwt.createTokenPair(user);
+ *
+ * // Verify access token
+ * const payload = jwt.verifyToken(tokens.accessToken);
+ *
+ * // Refresh tokens
+ * const newTokens = jwt.refreshTokens(tokens.refreshToken);
+ * ```
+ */
+export class JwtManager {
+    config;
+    constructor(config) {
+        // Validate secret length (Critical Fix #1)
+        if (!config.secret || config.secret.length < MIN_SECRET_LENGTH) {
+            throw new Error(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters long (512 bits). ` +
+                'Generate with: openssl rand -base64 64');
+        }
+        // Validate secret entropy - check for sufficient unique characters
+        const uniqueChars = new Set(config.secret).size;
+        if (uniqueChars < MIN_SECRET_ENTROPY_CHARS) {
+            throw new Error(`JWT secret has insufficient entropy (only ${uniqueChars} unique characters). ` +
+                'Use cryptographically random data with at least 16 unique characters.');
+        }
+        this.config = {
+            ...config,
+            accessTokenExpiry: config.accessTokenExpiry ?? DEFAULT_ACCESS_EXPIRY,
+            refreshTokenExpiry: config.refreshTokenExpiry ?? DEFAULT_REFRESH_EXPIRY,
+        };
+    }
+    /**
+     * Creates a JWT token with the given payload
+     */
+    createToken(payload, expiresIn) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + parseTimeToSeconds(expiresIn);
+        const fullPayload = {
+            ...payload,
+            iat: now,
+            exp,
+        };
+        // Create header
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const encodedHeader = base64urlEncode(JSON.stringify(header));
+        const encodedPayload = base64urlEncode(JSON.stringify(fullPayload));
+        // Create signature
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const signature = createSignature(signatureInput, this.config.secret);
+        return `${signatureInput}.${signature}`;
+    }
+    /**
+     * Verifies a JWT token and returns the payload
+     *
+     * @throws Error if token is invalid or expired
+     */
+    verifyToken(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('Invalid token format');
+        }
+        const [encodedHeader, encodedPayload, signature] = parts;
+        // Critical Fix #2: Validate algorithm BEFORE signature verification
+        // This prevents algorithm confusion attacks (CVE-2015-9235)
+        let header;
+        try {
+            header = JSON.parse(base64urlDecode(encodedHeader));
+        }
+        catch {
+            throw new Error('Invalid token header');
+        }
+        // Only allow HS256 - reject "none", RS256, and other algorithms
+        if (header.alg !== 'HS256') {
+            throw new Error(`Invalid algorithm: ${header.alg}. Only HS256 is supported.`);
+        }
+        if (header.typ !== 'JWT') {
+            throw new Error('Invalid token type in header');
+        }
+        // Verify signature using timing-safe comparison to prevent timing attacks
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const expectedSignature = createSignature(signatureInput, this.config.secret);
+        const sigBuffer = Buffer.from(signature, 'utf8');
+        const expectedBuffer = Buffer.from(expectedSignature, 'utf8');
+        if (sigBuffer.length !== expectedBuffer.length || !timingSafeEqual(sigBuffer, expectedBuffer)) {
+            throw new Error('Invalid token signature');
+        }
+        // Decode payload
+        let payload;
+        try {
+            const decoded = JSON.parse(base64urlDecode(encodedPayload));
+            // Validate required fields
+            if (typeof decoded.sub !== 'string' ||
+                typeof decoded.email !== 'string' ||
+                typeof decoded.iat !== 'number' ||
+                typeof decoded.exp !== 'number' ||
+                (decoded.type !== 'access' && decoded.type !== 'refresh')) {
+                throw new Error('Missing required token fields');
+            }
+            payload = decoded;
+        }
+        catch (error) {
+            throw new Error(error instanceof Error ? error.message : 'Invalid token payload');
+        }
+        // Check expiration
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp < now) {
+            throw new Error('Token has expired');
+        }
+        // Check not-before claim if present (Medium Fix #10)
+        if (typeof payload.nbf === 'number' && payload.nbf > now) {
+            throw new Error('Token not yet valid');
+        }
+        // Verify issuer if configured
+        if (this.config.issuer && payload.iss !== this.config.issuer) {
+            throw new Error('Invalid token issuer');
+        }
+        // Verify audience if configured
+        if (this.config.audience && payload.aud !== this.config.audience) {
+            throw new Error('Invalid token audience');
+        }
+        return payload;
+    }
+    /**
+     * Creates an access/refresh token pair for a user
+     *
+     * @param user - The user to create tokens for
+     * @param additionalClaims - Custom claims to include (cannot override reserved claims)
+     * @throws Error if additionalClaims contains reserved JWT claims
+     */
+    createTokenPair(user, additionalClaims) {
+        // Critical Fix #3: Validate additionalClaims don't contain reserved claims
+        if (additionalClaims) {
+            for (const key of Object.keys(additionalClaims)) {
+                if (RESERVED_JWT_CLAIMS.has(key)) {
+                    throw new Error(`Cannot override reserved JWT claim: ${key}. ` +
+                        `Reserved claims are: ${[...RESERVED_JWT_CLAIMS].join(', ')}`);
+                }
+            }
+        }
+        const tokenId = generateTokenId();
+        const basePayload = {
+            sub: user.id,
+            email: user.email,
+            jti: tokenId,
+            ...(this.config.issuer && { iss: this.config.issuer }),
+            ...(this.config.audience && { aud: this.config.audience }),
+            ...additionalClaims,
+        };
+        const accessToken = this.createToken({ ...basePayload, type: 'access' }, this.config.accessTokenExpiry);
+        const refreshToken = this.createToken({ ...basePayload, type: 'refresh' }, this.config.refreshTokenExpiry);
+        return {
+            accessToken,
+            refreshToken,
+            expiresIn: parseTimeToSeconds(this.config.accessTokenExpiry),
+            tokenType: 'Bearer',
+        };
+    }
+    refreshTokens(refreshToken, userLoader) {
+        const payload = this.verifyToken(refreshToken);
+        if (payload.type !== 'refresh') {
+            throw new Error('Invalid token type: expected refresh token');
+        }
+        // If userLoader provided, fetch fresh user data
+        if (userLoader) {
+            return userLoader(payload.sub).then((user) => {
+                if (!user) {
+                    throw new Error('User not found');
+                }
+                return this.createTokenPair(user);
+            });
+        }
+        // Otherwise, create new tokens from payload data
+        const user = {
+            id: payload.sub,
+            email: payload.email,
+        };
+        return this.createTokenPair(user);
+    }
+    /**
+     * Decodes a token without verification
+     * Useful for extracting payload from expired tokens
+     */
+    decodeToken(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3) {
+                return null;
+            }
+            return JSON.parse(base64urlDecode(parts[1]));
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Extracts token from Authorization header
+     * Supports 'Bearer <token>' format
+     */
+    extractFromHeader(authHeader) {
+        if (!authHeader) {
+            return null;
+        }
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+            return null;
+        }
+        return parts[1];
+    }
+}
+/**
+ * Creates a new JWT manager instance
+ */
+export function createJwtManager(config) {
+    return new JwtManager(config);
+}
+/**
+ * Creates an in-memory token store for development and testing
+ *
+ * ⚠️ WARNING: NOT suitable for production!
+ * - Does not persist across server restarts
+ * - Does not work across multiple server instances
+ * - No automatic cleanup of expired token IDs
+ *
+ * For production, use Redis or database-backed storage:
+ * - upstash/redis for serverless
+ * - ioredis for traditional servers
+ * - Database table for audit trail
+ *
+ * @example
+ * ```typescript
+ * // Development/Testing
+ * const tokenStore = createInMemoryTokenStore();
+ *
+ * const authConfig: AuthConfig = {
+ *   jwt: { secret: process.env.JWT_SECRET! },
+ *   isTokenRevoked: tokenStore.isRevoked,
+ * };
+ *
+ * // Revoke on logout
+ * app.post('/logout', async (req) => {
+ *   const tokenId = req.auth.token.jti;
+ *   tokenStore.revoke(tokenId);
+ * });
+ * ```
+ */
+export function createInMemoryTokenStore() {
+    const revokedTokens = new Set();
+    return {
+        revoke: (tokenId) => {
+            revokedTokens.add(tokenId);
+        },
+        isRevoked: (tokenId) => revokedTokens.has(tokenId),
+        clear: () => {
+            revokedTokens.clear();
+        },
+    };
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAIvE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;GAEG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,qCAAqC,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAC9B;YACE,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY,EAAE,MAAc;IACnD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAGX;IAEZ,YAAY,MAAiB;QAC3B,2CAA2C;QAC3C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CACb,+BAA+B,iBAAiB,+BAA+B;gBAC7E,wCAAwC,CAC3C,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,WAAW,GAAG,wBAAwB,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CACb,6CAA6C,WAAW,uBAAuB;gBAC7E,uEAAuE,CAC1E,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,qBAAqB;YACpE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,sBAAsB;SACxE,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CACT,OAIC,EACD,SAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAEhD,MAAM,WAAW,GAAiB;YAChC,GAAG,OAAO;YACV,GAAG,EAAE,GAAG;YACR,GAAG;SACJ,CAAC;QAEF,gBAAgB;QAChB,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAEpE,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEtE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,KAAa;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,oEAAoE;QACpE,4DAA4D;QAC5D,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAiC,CAAC;QACtF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,gEAAgE;QAChE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,GAAG,4BAA4B,CAAC,CAAC;QAChF,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,0EAA0E;QAC1E,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,iBAAiB,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;YAC9F,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAA4B,CAAC;YAEvF,2BAA2B;YAC3B,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACnD,CAAC;YAED,OAAO,GAAG,OAAuB,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;QACpF,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QAED,qDAAqD;QACrD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,IAAU,EAAE,gBAA0C;QACpE,2EAA2E;QAC3E,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,uCAAuC,GAAG,IAAI;wBAC5C,wBAAwB,CAAC,GAAG,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChE,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,MAAM,WAAW,GAAG;YAClB,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1D,GAAG,gBAAgB;SACpB,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAClC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CACnC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,EACnC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAC/B,CAAC;QAEF,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YAC5D,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAYD,aAAa,CACX,YAAoB,EACpB,UAAqD;QAErD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAE/C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,gDAAgD;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3C,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;gBACpC,CAAC;gBACD,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,OAAO,CAAC,GAAG;YACf,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,KAAa;QACvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAiB,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,UAA8B;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAChD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,OAAO;QACL,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE;YAC1B,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC;QAC1D,KAAK,EAAE,GAAG,EAAE;YACV,aAAa,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Authentication middleware for @veloxts/auth
+ * @module auth/middleware
+ */
+import type { BaseContext } from '@veloxts/core';
+import type { MiddlewareFunction } from '@veloxts/router';
+import { JwtManager } from './jwt.js';
+import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, User } from './types.js';
+/**
+ * Creates an authentication middleware for procedures
+ *
+ * This middleware:
+ * 1. Extracts JWT from Authorization header
+ * 2. Verifies the token
+ * 3. Loads user from database (if userLoader provided)
+ * 4. Adds user and auth context to ctx
+ * 5. Runs guards if specified
+ *
+ * @example
+ * ```typescript
+ * const auth = createAuthMiddleware(authConfig);
+ *
+ * // Use in procedures
+ * const getProfile = procedure()
+ *   .use(auth.middleware())
+ *   .query(async ({ ctx }) => {
+ *     return ctx.user; // Guaranteed to exist
+ *   });
+ *
+ * // Optional auth (user may be undefined)
+ * const getPosts = procedure()
+ *   .use(auth.middleware({ optional: true }))
+ *   .query(async ({ ctx }) => {
+ *     // ctx.user may be undefined
+ *     return fetchPosts(ctx.user?.id);
+ *   });
+ *
+ * // With guards
+ * const adminOnly = procedure()
+ *   .use(auth.middleware({ guards: [hasRole('admin')] }))
+ *   .query(async ({ ctx }) => {
+ *     // Only admins get here
+ *   });
+ * ```
+ */
+export declare function createAuthMiddleware(config: AuthConfig): {
+    middleware: <TInput, TContext extends BaseContext, TOutput>(options?: AuthMiddlewareOptions) => MiddlewareFunction<TInput, TContext, TContext & {
+        user?: User;
+        auth: AuthContext;
+    }, TOutput>;
+    requireAuth: <TInput, TContext extends BaseContext, TOutput>(guards?: Array<GuardDefinition | string>) => MiddlewareFunction<TInput, TContext, TContext & {
+        user: User;
+        auth: AuthContext;
+    }, TOutput>;
+    optionalAuth: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext & {
+        user?: User;
+        auth: AuthContext;
+    }, TOutput>;
+    jwt: JwtManager;
+};
+/**
+ * Creates a rate limiting middleware
+ *
+ * @example
+ * ```typescript
+ * const rateLimit = createRateLimitMiddleware({
+ *   max: 100,
+ *   windowMs: 60000, // 1 minute
+ * });
+ *
+ * const login = procedure()
+ *   .use(rateLimit)
+ *   .input(LoginSchema)
+ *   .mutation(handler);
+ * ```
+ */
+export declare function createRateLimitMiddleware<TInput, TContext extends BaseContext, TOutput>(options: {
+    max?: number;
+    windowMs?: number;
+    keyGenerator?: (ctx: TContext) => string;
+    message?: string;
+}): MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+/**
+ * Clears rate limit store (useful for testing)
+ */
+export declare function clearRateLimitStore(): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,qBAAqB,EACrB,eAAe,EAEf,IAAI,EACL,MAAM,YAAY,CAAC;AAOpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU;iBAMjC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,YACtD,qBAAqB,KAC7B,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;kBA8H1E,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,WACvD,KAAK,CAAC,eAAe,GAAG,MAAM,CAAC,KACvC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;mBAYxE,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CACxF,MAAM,EACN,QAAQ,EACR,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAC7C,OAAO,CACR;;EAUF;AAkBD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE;IAChG,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAuC1D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}