npm - @veloxts/auth - Versions diffs - 0.3.3 → 0.3.4 - Mend

@veloxts/auth 0.3.3 → 0.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/README.md +755 -30
package/dist/adapter.d.ts +710 -0
package/dist/adapter.d.ts.map +1 -0
package/dist/adapter.js +581 -0
package/dist/adapter.js.map +1 -0
package/dist/adapters/better-auth.d.ts +271 -0
package/dist/adapters/better-auth.d.ts.map +1 -0
package/dist/adapters/better-auth.js +341 -0
package/dist/adapters/better-auth.js.map +1 -0
package/dist/adapters/index.d.ts +28 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +28 -0
package/dist/adapters/index.js.map +1 -0
package/dist/csrf.d.ts +294 -0
package/dist/csrf.d.ts.map +1 -0
package/dist/csrf.js +396 -0
package/dist/csrf.js.map +1 -0
package/dist/guards.d.ts +139 -0
package/dist/guards.d.ts.map +1 -0
package/dist/guards.js +247 -0
package/dist/guards.js.map +1 -0
package/dist/hash.d.ts +85 -0
package/dist/hash.d.ts.map +1 -0
package/dist/hash.js +220 -0
package/dist/hash.js.map +1 -0
package/dist/index.d.ts +25 -32
package/dist/index.d.ts.map +1 -1
package/dist/index.js +63 -36
package/dist/index.js.map +1 -1
package/dist/jwt.d.ts +128 -0
package/dist/jwt.d.ts.map +1 -0
package/dist/jwt.js +363 -0
package/dist/jwt.js.map +1 -0
package/dist/middleware.d.ts +87 -0
package/dist/middleware.d.ts.map +1 -0
package/dist/middleware.js +241 -0
package/dist/middleware.js.map +1 -0
package/dist/plugin.d.ts +107 -0
package/dist/plugin.d.ts.map +1 -0
package/dist/plugin.js +174 -0
package/dist/plugin.js.map +1 -0
package/dist/policies.d.ts +137 -0
package/dist/policies.d.ts.map +1 -0
package/dist/policies.js +240 -0
package/dist/policies.js.map +1 -0
package/dist/session.d.ts +494 -0
package/dist/session.d.ts.map +1 -0
package/dist/session.js +795 -0
package/dist/session.js.map +1 -0
package/dist/types.d.ts +251 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +33 -0
package/dist/types.js.map +1 -0
package/package.json +38 -7

package/dist/middleware.js ADDED Viewed

@@ -0,0 +1,241 @@
+/**
+ * Authentication middleware for @veloxts/auth
+ * @module auth/middleware
+ */
+import { executeGuards } from './guards.js';
+import { JwtManager } from './jwt.js';
+import { AuthError } from './types.js';
+// ============================================================================
+// Auth Middleware Factory
+// ============================================================================
+/**
+ * Creates an authentication middleware for procedures
+ *
+ * This middleware:
+ * 1. Extracts JWT from Authorization header
+ * 2. Verifies the token
+ * 3. Loads user from database (if userLoader provided)
+ * 4. Adds user and auth context to ctx
+ * 5. Runs guards if specified
+ *
+ * @example
+ * ```typescript
+ * const auth = createAuthMiddleware(authConfig);
+ *
+ * // Use in procedures
+ * const getProfile = procedure()
+ *   .use(auth.middleware())
+ *   .query(async ({ ctx }) => {
+ *     return ctx.user; // Guaranteed to exist
+ *   });
+ *
+ * // Optional auth (user may be undefined)
+ * const getPosts = procedure()
+ *   .use(auth.middleware({ optional: true }))
+ *   .query(async ({ ctx }) => {
+ *     // ctx.user may be undefined
+ *     return fetchPosts(ctx.user?.id);
+ *   });
+ *
+ * // With guards
+ * const adminOnly = procedure()
+ *   .use(auth.middleware({ guards: [hasRole('admin')] }))
+ *   .query(async ({ ctx }) => {
+ *     // Only admins get here
+ *   });
+ * ```
+ */
+export function createAuthMiddleware(config) {
+    const jwt = new JwtManager(config.jwt);
+    /**
+     * Creates the actual middleware function
+     */
+    function middleware(options = {}) {
+        return async ({ ctx, next }) => {
+            const request = ctx.request;
+            // Extract token from header
+            const authHeader = request.headers.authorization;
+            const token = jwt.extractFromHeader(authHeader);
+            // No token handling
+            if (!token) {
+                if (options.optional) {
+                    // Optional auth - continue without user
+                    const authContext = {
+                        user: undefined,
+                        token: undefined,
+                        isAuthenticated: false,
+                    };
+                    return next({
+                        ctx: {
+                            ...ctx,
+                            auth: authContext,
+                            user: undefined,
+                        },
+                    });
+                }
+                // Required auth - reject
+                throw new AuthError('Authorization header required', 401);
+            }
+            // Verify token
+            let payload;
+            try {
+                payload = jwt.verifyToken(token);
+            }
+            catch (error) {
+                if (options.optional) {
+                    // Invalid token with optional auth - continue without user
+                    const authContext = {
+                        user: undefined,
+                        token: undefined,
+                        isAuthenticated: false,
+                    };
+                    return next({
+                        ctx: {
+                            ...ctx,
+                            auth: authContext,
+                            user: undefined,
+                        },
+                    });
+                }
+                throw new AuthError(error instanceof Error ? error.message : 'Invalid token', 401);
+            }
+            // Check if token is revoked
+            if (config.isTokenRevoked && payload.jti) {
+                const revoked = await config.isTokenRevoked(payload.jti);
+                if (revoked) {
+                    throw new AuthError('Token has been revoked', 401, 'TOKEN_REVOKED');
+                }
+            }
+            // Load user from database
+            let user = null;
+            if (config.userLoader) {
+                user = await config.userLoader(payload.sub);
+                if (!user && !options.optional) {
+                    throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
+                }
+            }
+            else {
+                // No user loader - create minimal user from token
+                user = {
+                    id: payload.sub,
+                    email: payload.email,
+                };
+            }
+            // Create auth context
+            const authContext = {
+                user: user ?? undefined,
+                token: payload,
+                isAuthenticated: !!user,
+            };
+            // Build extended context
+            const extendedCtx = {
+                ...ctx,
+                auth: authContext,
+                user: user ?? undefined,
+            };
+            // Run guards if specified
+            if (options.guards && options.guards.length > 0) {
+                // Validate that all guards are GuardDefinition objects (strings are not supported)
+                const guardDefs = options.guards.map((g) => {
+                    if (typeof g === 'string') {
+                        throw new AuthError(`String guard references are not supported. Use a GuardDefinition object instead of "${g}"`, 500, 'INVALID_GUARD');
+                    }
+                    return g;
+                });
+                const result = await executeGuards(guardDefs, extendedCtx, request, ctx.reply);
+                if (!result.passed) {
+                    throw new AuthError(result.message ?? `Guard failed: ${result.failedGuard}`, result.statusCode ?? 403, 'GUARD_FAILED');
+                }
+            }
+            // Continue to next middleware/handler
+            return next({ ctx: extendedCtx });
+        };
+    }
+    /**
+     * Shorthand for required authentication
+     */
+    function requireAuth(guards) {
+        return middleware({ optional: false, guards });
+    }
+    /**
+     * Shorthand for optional authentication
+     */
+    function optionalAuth() {
+        return middleware({ optional: true });
+    }
+    return {
+        middleware,
+        requireAuth,
+        optionalAuth,
+        jwt,
+    };
+}
+// ============================================================================
+// Error Helpers
+// ============================================================================
+// AuthError is now imported from types.ts
+// ============================================================================
+// Rate Limiting Middleware
+// ============================================================================
+/**
+ * Simple in-memory rate limiter
+ * For production, use Redis-based rate limiting
+ */
+const rateLimitStore = new Map();
+/**
+ * Creates a rate limiting middleware
+ *
+ * @example
+ * ```typescript
+ * const rateLimit = createRateLimitMiddleware({
+ *   max: 100,
+ *   windowMs: 60000, // 1 minute
+ * });
+ *
+ * const login = procedure()
+ *   .use(rateLimit)
+ *   .input(LoginSchema)
+ *   .mutation(handler);
+ * ```
+ */
+export function createRateLimitMiddleware(options) {
+    const max = options.max ?? 100;
+    const windowMs = options.windowMs ?? 60000;
+    const keyGenerator = options.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown');
+    const message = options.message ?? 'Too many requests, please try again later';
+    return async ({ ctx, next }) => {
+        const key = keyGenerator(ctx);
+        const now = Date.now();
+        let record = rateLimitStore.get(key);
+        // Clean up expired record
+        if (record && record.resetAt <= now) {
+            rateLimitStore.delete(key);
+            record = undefined;
+        }
+        if (!record) {
+            // First request in window
+            record = { count: 1, resetAt: now + windowMs };
+            rateLimitStore.set(key, record);
+        }
+        else {
+            // Increment count
+            record.count++;
+        }
+        // Check limit
+        if (record.count > max) {
+            throw new AuthError(message, 429, 'RATE_LIMIT_EXCEEDED');
+        }
+        // Add rate limit headers
+        ctx.reply.header('X-RateLimit-Limit', String(max));
+        ctx.reply.header('X-RateLimit-Remaining', String(Math.max(0, max - record.count)));
+        ctx.reply.header('X-RateLimit-Reset', String(Math.ceil(record.resetAt / 1000)));
+        return next();
+    };
+}
+/**
+ * Clears rate limit store (useful for testing)
+ */
+export function clearRateLimitStore() {
+    rateLimitStore.clear();
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAStC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAkB;IACrD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAEvC;;OAEG;IACH,SAAS,UAAU,CACjB,UAAiC,EAAE;QAEnC,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;YAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YAE5B,4BAA4B;YAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;YACjD,MAAM,KAAK,GAAG,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAEhD,oBAAoB;YACpB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,wCAAwC;oBACxC,MAAM,WAAW,GAAgB;wBAC/B,IAAI,EAAE,SAAS;wBACf,KAAK,EAAE,SAAS;wBAChB,eAAe,EAAE,KAAK;qBACvB,CAAC;oBAEF,OAAO,IAAI,CAAC;wBACV,GAAG,EAAE;4BACH,GAAG,GAAG;4BACN,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,yBAAyB;gBACzB,MAAM,IAAI,SAAS,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;YAC5D,CAAC;YAED,eAAe;YACf,IAAI,OAAqB,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,2DAA2D;oBAC3D,MAAM,WAAW,GAAgB;wBAC/B,IAAI,EAAE,SAAS;wBACf,KAAK,EAAE,SAAS;wBAChB,eAAe,EAAE,KAAK;qBACvB,CAAC;oBAEF,OAAO,IAAI,CAAC;wBACV,GAAG,EAAE;4BACH,GAAG,GAAG;4BACN,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,IAAI,SAAS,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;YACrF,CAAC;YAED,4BAA4B;YAC5B,IAAI,MAAM,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACzD,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,IAAI,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,IAAI,GAAgB,IAAI,CAAC;YAC7B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC5C,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,IAAI,GAAG;oBACL,EAAE,EAAE,OAAO,CAAC,GAAG;oBACf,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB,CAAC;YACJ,CAAC;YAED,sBAAsB;YACtB,MAAM,WAAW,GAAgB;gBAC/B,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvB,KAAK,EAAE,OAAO;gBACd,eAAe,EAAE,CAAC,CAAC,IAAI;aACxB,CAAC;YAEF,yBAAyB;YACzB,MAAM,WAAW,GAAG;gBAClB,GAAG,GAAG;gBACN,IAAI,EAAE,WAAW;gBACjB,IAAI,EAAE,IAAI,IAAI,SAAS;aACxB,CAAC;YAEF,0BAA0B;YAC1B,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,mFAAmF;gBACnF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;oBACzC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;wBAC1B,MAAM,IAAI,SAAS,CACjB,uFAAuF,CAAC,GAAG,EAC3F,GAAG,EACH,eAAe,CAChB,CAAC;oBACJ,CAAC;oBACD,OAAO,CAAC,CAAC;gBACX,CAAC,CAA0C,CAAC;gBAE5C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;gBAE/E,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,OAAO,IAAI,iBAAiB,MAAM,CAAC,WAAW,EAAE,EACvD,MAAM,CAAC,UAAU,IAAI,GAAG,EACxB,cAAc,CACf,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,OAAO,IAAI,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;QACpC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,WAAW,CAClB,MAAwC;QAExC,OAAO,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,CAK5C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,YAAY;QAMnB,OAAO,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,OAAO;QACL,UAAU;QACV,WAAW;QACX,YAAY;QACZ,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,0CAA0C;AAE1C,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,EAA8C,CAAC;AAE7E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,yBAAyB,CAAgD,OAKxF;IACC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;IAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,2CAA2C,CAAC;IAE/E,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAErC,0BAA0B;QAC1B,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;YACpC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,MAAM,GAAG,SAAS,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,0BAA0B;YAC1B,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YAC/C,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,kBAAkB;YAClB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QAED,cAAc;QACd,IAAI,MAAM,CAAC,KAAK,GAAG,GAAG,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,EAAE,qBAAqB,CAAC,CAAC;QAC3D,CAAC;QAED,yBAAyB;QACzB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACnD,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACnF,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEhF,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/dist/plugin.d.ts ADDED Viewed

@@ -0,0 +1,107 @@
+/**
+ * VeloxTS Auth Plugin
+ * Fastify plugin that integrates authentication with VeloxApp
+ * @module auth/plugin
+ */
+import type { VeloxPlugin } from '@veloxts/core';
+import { PasswordHasher } from './hash.js';
+import { JwtManager } from './jwt.js';
+import { createAuthMiddleware } from './middleware.js';
+import type { AuthConfig, AuthContext, TokenPair, User } from './types.js';
+/** Auth package version */
+export declare const AUTH_VERSION: string;
+/**
+ * Options for the auth plugin
+ */
+export interface AuthPluginOptions extends AuthConfig {
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Auth service instance attached to Fastify
+ * Provides authentication utilities for the application
+ */
+export interface AuthService {
+    /**
+     * JWT manager for token operations
+     */
+    jwt: JwtManager;
+    /**
+     * Password hasher for secure password storage
+     */
+    hasher: PasswordHasher;
+    /**
+     * Creates a token pair for a user
+     */
+    createTokens(user: User, additionalClaims?: Record<string, unknown>): TokenPair;
+    /**
+     * Verifies an access token and returns the auth context
+     */
+    verifyToken(token: string): AuthContext;
+    /**
+     * Refreshes tokens using a refresh token
+     */
+    refreshTokens(refreshToken: string): Promise<TokenPair> | TokenPair;
+    /**
+     * Gets the auth middleware factory
+     */
+    middleware: ReturnType<typeof createAuthMiddleware>;
+}
+declare module 'fastify' {
+    interface FastifyInstance {
+        auth: AuthService;
+    }
+    interface FastifyRequest {
+        auth?: AuthContext;
+        user?: User;
+    }
+}
+/**
+ * Creates the VeloxTS auth plugin
+ *
+ * This plugin provides:
+ * - JWT token management (access + refresh tokens)
+ * - Password hashing (bcrypt/argon2)
+ * - Request decorations for auth context
+ * - Auth middleware factory for procedures
+ *
+ * @example
+ * ```typescript
+ * import { createAuthPlugin } from '@veloxts/auth';
+ *
+ * const authPlugin = createAuthPlugin({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   hash: {
+ *     algorithm: 'bcrypt',
+ *     bcryptRounds: 12,
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ * });
+ *
+ * // Register with VeloxApp
+ * app.register(authPlugin);
+ *
+ * // Use in procedures
+ * const { middleware, requireAuth } = app.auth.middleware;
+ *
+ * const getProfile = procedure()
+ *   .use(requireAuth())
+ *   .query(async ({ ctx }) => ctx.user);
+ * ```
+ */
+export declare function createAuthPlugin(options: AuthPluginOptions): VeloxPlugin<AuthPluginOptions>;
+/**
+ * Default auth plugin with minimal configuration
+ * Requires JWT_SECRET environment variable
+ */
+export declare function authPlugin(): VeloxPlugin<AuthPluginOptions>;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAM3E,2BAA2B;AAC3B,eAAO,MAAM,YAAY,EAAE,MAA+C,CAAC;AAM3E;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAMD;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,GAAG,EAAE,UAAU,CAAC;IAEhB;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAEhF;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAAC;IAExC;;OAEG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,UAAU,EAAE,UAAU,CAAC,OAAO,oBAAoB,CAAC,CAAC;CACrD;AAMD,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,IAAI,EAAE,WAAW,CAAC;KACnB;IAED,UAAU,cAAc;QACtB,IAAI,CAAC,EAAE,WAAW,CAAC;QACnB,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;CACF;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAqH3F;AAED;;;GAGG;AACH,wBAAgB,UAAU,IAAI,WAAW,CAAC,iBAAiB,CAAC,CAY3D"}

package/dist/plugin.js ADDED Viewed

@@ -0,0 +1,174 @@
+/**
+ * VeloxTS Auth Plugin
+ * Fastify plugin that integrates authentication with VeloxApp
+ * @module auth/plugin
+ */
+import { createRequire } from 'node:module';
+import { PasswordHasher } from './hash.js';
+import { JwtManager } from './jwt.js';
+import { createAuthMiddleware } from './middleware.js';
+// Read version from package.json dynamically
+const require = createRequire(import.meta.url);
+const packageJson = require('../package.json');
+/** Auth package version */
+export const AUTH_VERSION = packageJson.version ?? '0.0.0-unknown';
+// ============================================================================
+// Auth Plugin
+// ============================================================================
+/**
+ * Creates the VeloxTS auth plugin
+ *
+ * This plugin provides:
+ * - JWT token management (access + refresh tokens)
+ * - Password hashing (bcrypt/argon2)
+ * - Request decorations for auth context
+ * - Auth middleware factory for procedures
+ *
+ * @example
+ * ```typescript
+ * import { createAuthPlugin } from '@veloxts/auth';
+ *
+ * const authPlugin = createAuthPlugin({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   hash: {
+ *     algorithm: 'bcrypt',
+ *     bcryptRounds: 12,
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ * });
+ *
+ * // Register with VeloxApp
+ * app.register(authPlugin);
+ *
+ * // Use in procedures
+ * const { middleware, requireAuth } = app.auth.middleware;
+ *
+ * const getProfile = procedure()
+ *   .use(requireAuth())
+ *   .query(async ({ ctx }) => ctx.user);
+ * ```
+ */
+export function createAuthPlugin(options) {
+    return {
+        name: '@veloxts/auth',
+        version: AUTH_VERSION,
+        dependencies: ['@veloxts/core'],
+        async register(server, _opts) {
+            const config = { ...options, ..._opts };
+            const { debug = false } = config;
+            if (debug) {
+                server.log.info('Registering @veloxts/auth plugin');
+            }
+            // Create instances
+            const jwt = new JwtManager(config.jwt);
+            const hasher = new PasswordHasher(config.hash);
+            const authMiddleware = createAuthMiddleware(config);
+            // Create auth service
+            const authService = {
+                jwt,
+                hasher,
+                createTokens(user, additionalClaims) {
+                    return jwt.createTokenPair(user, additionalClaims);
+                },
+                verifyToken(token) {
+                    const payload = jwt.verifyToken(token);
+                    return {
+                        user: {
+                            id: payload.sub,
+                            email: payload.email,
+                        },
+                        token: payload,
+                        isAuthenticated: true,
+                    };
+                },
+                refreshTokens(refreshToken) {
+                    if (config.userLoader) {
+                        return jwt.refreshTokens(refreshToken, config.userLoader);
+                    }
+                    return jwt.refreshTokens(refreshToken);
+                },
+                middleware: authMiddleware,
+            };
+            // Decorate server with auth service
+            server.decorate('auth', authService);
+            // Decorate requests with auth context (undefined initial value)
+            server.decorateRequest('auth', undefined);
+            server.decorateRequest('user', undefined);
+            // Add preHandler hook to extract auth from headers (optional)
+            if (config.autoExtract !== false) {
+                server.addHook('preHandler', async (request) => {
+                    const authHeader = request.headers.authorization;
+                    const token = jwt.extractFromHeader(authHeader);
+                    if (token) {
+                        try {
+                            const payload = jwt.verifyToken(token);
+                            // Check if token is revoked
+                            if (config.isTokenRevoked && payload.jti) {
+                                const revoked = await config.isTokenRevoked(payload.jti);
+                                if (revoked) {
+                                    // Token revoked - don't set auth context
+                                    return;
+                                }
+                            }
+                            // Load user if loader provided
+                            let user = null;
+                            if (config.userLoader) {
+                                user = await config.userLoader(payload.sub);
+                            }
+                            else {
+                                user = {
+                                    id: payload.sub,
+                                    email: payload.email,
+                                };
+                            }
+                            if (user) {
+                                request.auth = {
+                                    user,
+                                    token: payload,
+                                    isAuthenticated: true,
+                                };
+                                request.user = user;
+                            }
+                        }
+                        catch {
+                            // Invalid token - silently ignore (optional auth)
+                            if (debug) {
+                                server.log.debug('Invalid auth token in request');
+                            }
+                        }
+                    }
+                });
+            }
+            // Add shutdown hook for cleanup
+            server.addHook('onClose', async () => {
+                if (debug) {
+                    server.log.info('Shutting down @veloxts/auth plugin');
+                }
+            });
+            if (debug) {
+                server.log.info('@veloxts/auth plugin registered successfully');
+            }
+        },
+    };
+}
+/**
+ * Default auth plugin with minimal configuration
+ * Requires JWT_SECRET environment variable
+ */
+export function authPlugin() {
+    const secret = process.env.JWT_SECRET;
+    if (!secret) {
+        throw new Error('JWT_SECRET environment variable is required for auth plugin. ' +
+            'Set it to a secure random string of at least 32 characters.');
+    }
+    return createAuthPlugin({
+        jwt: { secret },
+    });
+}
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAK5C,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAGvD,6CAA6C;AAC7C,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAEtE,2BAA2B;AAC3B,MAAM,CAAC,MAAM,YAAY,GAAW,WAAW,CAAC,OAAO,IAAI,eAAe,CAAC;AAwE3E,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAA0B;IACzD,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,YAAY;QACrB,YAAY,EAAE,CAAC,eAAe,CAAC;QAE/B,KAAK,CAAC,QAAQ,CAAC,MAAuB,EAAE,KAAwB;YAC9D,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC;YACxC,MAAM,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,MAAM,CAAC;YAEjC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACtD,CAAC;YAED,mBAAmB;YACnB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,cAAc,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAEpD,sBAAsB;YACtB,MAAM,WAAW,GAAgB;gBAC/B,GAAG;gBACH,MAAM;gBAEN,YAAY,CAAC,IAAU,EAAE,gBAA0C;oBACjE,OAAO,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;gBACrD,CAAC;gBAED,WAAW,CAAC,KAAa;oBACvB,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;oBACvC,OAAO;wBACL,IAAI,EAAE;4BACJ,EAAE,EAAE,OAAO,CAAC,GAAG;4BACf,KAAK,EAAE,OAAO,CAAC,KAAK;yBACrB;wBACD,KAAK,EAAE,OAAO;wBACd,eAAe,EAAE,IAAI;qBACtB,CAAC;gBACJ,CAAC;gBAED,aAAa,CAAC,YAAoB;oBAChC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;wBACtB,OAAO,GAAG,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;oBAC5D,CAAC;oBACD,OAAO,GAAG,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;gBACzC,CAAC;gBAED,UAAU,EAAE,cAAc;aAC3B,CAAC;YAEF,oCAAoC;YACpC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAErC,gEAAgE;YAChE,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAE1C,8DAA8D;YAC9D,IAAI,MAAM,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;gBACjC,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,KAAK,EAAE,OAAuB,EAAE,EAAE;oBAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;oBACjD,MAAM,KAAK,GAAG,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;oBAEhD,IAAI,KAAK,EAAE,CAAC;wBACV,IAAI,CAAC;4BACH,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;4BAEvC,4BAA4B;4BAC5B,IAAI,MAAM,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gCACzC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gCACzD,IAAI,OAAO,EAAE,CAAC;oCACZ,yCAAyC;oCACzC,OAAO;gCACT,CAAC;4BACH,CAAC;4BAED,+BAA+B;4BAC/B,IAAI,IAAI,GAAgB,IAAI,CAAC;4BAC7B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gCACtB,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;4BAC9C,CAAC;iCAAM,CAAC;gCACN,IAAI,GAAG;oCACL,EAAE,EAAE,OAAO,CAAC,GAAG;oCACf,KAAK,EAAE,OAAO,CAAC,KAAK;iCACrB,CAAC;4BACJ,CAAC;4BAED,IAAI,IAAI,EAAE,CAAC;gCACT,OAAO,CAAC,IAAI,GAAG;oCACb,IAAI;oCACJ,KAAK,EAAE,OAAO;oCACd,eAAe,EAAE,IAAI;iCACtB,CAAC;gCACF,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;4BACtB,CAAC;wBACH,CAAC;wBAAC,MAAM,CAAC;4BACP,kDAAkD;4BAClD,IAAI,KAAK,EAAE,CAAC;gCACV,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;4BACpD,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;gBACnC,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+DAA+D;YAC7D,6DAA6D,CAChE,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC;QACtB,GAAG,EAAE,EAAE,MAAM,EAAE;KAChB,CAAC,CAAC;AACL,CAAC"}

package/dist/policies.d.ts ADDED Viewed

@@ -0,0 +1,137 @@
+/**
+ * Resource-level authorization policies for @veloxts/auth
+ * @module auth/policies
+ */
+import type { PolicyAction, PolicyDefinition, User } from './types.js';
+/**
+ * Registers a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * registerPolicy('Post', {
+ *   view: (user, post) => true, // Anyone can view
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ * });
+ * ```
+ */
+export declare function registerPolicy<TUser = User, TResource = unknown>(resourceName: string, policy: PolicyDefinition<TUser, TResource>): void;
+/**
+ * Gets a registered policy by resource name
+ */
+export declare function getPolicy(resourceName: string): PolicyDefinition | undefined;
+/**
+ * Clears all registered policies (useful for testing)
+ */
+export declare function clearPolicies(): void;
+/**
+ * Defines a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * const PostPolicy = definePolicy<User, Post>({
+ *   view: () => true,
+ *   create: (user) => user.emailVerified,
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ *   publish: (user, post) => user.role === 'editor' && user.id === post.authorId,
+ * });
+ *
+ * // Register it
+ * registerPolicy('Post', PostPolicy);
+ * ```
+ */
+export declare function definePolicy<TUser = User, TResource = unknown>(actions: PolicyDefinition<TUser, TResource>): PolicyDefinition<TUser, TResource>;
+/**
+ * Checks if a user can perform an action on a resource
+ *
+ * @example
+ * ```typescript
+ * const canEdit = await can(user, 'update', 'Post', post);
+ * if (!canEdit) {
+ *   throw new ForbiddenError('Cannot edit this post');
+ * }
+ * ```
+ */
+export declare function can<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<boolean>;
+/**
+ * Checks if a user cannot perform an action (inverse of can)
+ */
+export declare function cannot<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<boolean>;
+/**
+ * Throws an error if user cannot perform action
+ *
+ * @example
+ * ```typescript
+ * await authorize(ctx.user, 'delete', 'Post', post);
+ * // If we get here, user is authorized
+ * await db.post.delete({ where: { id: post.id } });
+ * ```
+ */
+export declare function authorize<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<void>;
+/**
+ * Fluent policy builder for complex policies
+ *
+ * @example
+ * ```typescript
+ * const CommentPolicy = createPolicyBuilder<User, Comment>()
+ *   .allow('view', () => true)
+ *   .allow('create', (user) => user.emailVerified)
+ *   .allow('update', (user, comment) => user.id === comment.authorId)
+ *   .allow('delete', (user, comment) =>
+ *     user.id === comment.authorId || user.role === 'admin'
+ *   )
+ *   .build();
+ * ```
+ */
+export declare function createPolicyBuilder<TUser = User, TResource = unknown>(): PolicyBuilder<TUser, TResource>;
+declare class PolicyBuilder<TUser = User, TResource = unknown> {
+    private actions;
+    /**
+     * Allows an action based on the check function
+     */
+    allow(action: string, check: PolicyAction<TUser, TResource>): this;
+    /**
+     * Denies an action (always returns false)
+     */
+    deny(action: string): this;
+    /**
+     * Allows action only for resource owner
+     * Assumes resource has a userId or authorId field
+     */
+    allowOwner(action: string, ownerField?: keyof TResource): this;
+    /**
+     * Allows action for owner OR users with specific role
+     */
+    allowOwnerOr(action: string, roles: string[], ownerField?: keyof TResource): this;
+    /**
+     * Builds the final policy definition
+     */
+    build(): PolicyDefinition<TUser, TResource>;
+    /**
+     * Builds and registers the policy
+     */
+    register(resourceName: string): PolicyDefinition<TUser, TResource>;
+}
+/**
+ * Creates a policy that allows all actions for admins
+ * and owner-only for regular users
+ */
+export declare function createOwnerOrAdminPolicy<TResource extends {
+    userId?: string;
+    authorId?: string;
+}>(ownerField?: 'userId' | 'authorId'): PolicyDefinition<User & {
+    role?: string;
+}, TResource>;
+/**
+ * Creates a read-only policy (only view allowed)
+ */
+export declare function createReadOnlyPolicy<TResource>(): PolicyDefinition<User, TResource>;
+/**
+ * Creates a policy for admin-only resources
+ */
+export declare function createAdminOnlyPolicy<TResource>(): PolicyDefinition<User & {
+    role?: string;
+}, TResource>;
+export {};
+//# sourceMappingURL=policies.d.ts.map