@veloxts/auth 0.3.3 → 0.3.5

package/dist/middleware.js

@@ -0,0 +1,253 @@
+/**
+ * Authentication middleware for @veloxts/auth
+ * @module auth/middleware
+ */
+import { executeGuards } from './guards.js';
+import { JwtManager } from './jwt.js';
+import { AuthError } from './types.js';
+// ============================================================================
+// Auth Middleware Factory
+// ============================================================================
+/**
+ * Creates an authentication middleware for procedures (succinct API)
+ *
+ * This middleware:
+ * 1. Extracts JWT from Authorization header
+ * 2. Verifies the token
+ * 3. Loads user from database (if userLoader provided)
+ * 4. Adds user and auth context to ctx
+ * 5. Runs guards if specified
+ *
+ * @example
+ * ```typescript
+ * const auth = authMiddleware(authConfig);
+ *
+ * // Use in procedures
+ * const getProfile = procedure()
+ *   .use(auth.middleware())
+ *   .query(async ({ ctx }) => {
+ *     return ctx.user; // Guaranteed to exist
+ *   });
+ *
+ * // Optional auth (user may be undefined)
+ * const getPosts = procedure()
+ *   .use(auth.middleware({ optional: true }))
+ *   .query(async ({ ctx }) => {
+ *     // ctx.user may be undefined
+ *     return fetchPosts(ctx.user?.id);
+ *   });
+ *
+ * // With guards
+ * const adminOnly = procedure()
+ *   .use(auth.middleware({ guards: [hasRole('admin')] }))
+ *   .query(async ({ ctx }) => {
+ *     // Only admins get here
+ *   });
+ * ```
+ */
+export function authMiddleware(config) {
+    const jwt = new JwtManager(config.jwt);
+    /**
+     * Creates the actual middleware function
+     */
+    function middleware(options = {}) {
+        return async ({ ctx, next }) => {
+            const request = ctx.request;
+            // Extract token from header
+            const authHeader = request.headers.authorization;
+            const token = jwt.extractFromHeader(authHeader);
+            // No token handling
+            if (!token) {
+                if (options.optional) {
+                    // Optional auth - continue without user
+                    const authContext = {
+                        user: undefined,
+                        token: undefined,
+                        isAuthenticated: false,
+                    };
+                    return next({
+                        ctx: {
+                            ...ctx,
+                            auth: authContext,
+                            user: undefined,
+                        },
+                    });
+                }
+                // Required auth - reject
+                throw new AuthError('Authorization header required', 401);
+            }
+            // Verify token
+            let payload;
+            try {
+                payload = jwt.verifyToken(token);
+            }
+            catch (error) {
+                if (options.optional) {
+                    // Invalid token with optional auth - continue without user
+                    const authContext = {
+                        user: undefined,
+                        token: undefined,
+                        isAuthenticated: false,
+                    };
+                    return next({
+                        ctx: {
+                            ...ctx,
+                            auth: authContext,
+                            user: undefined,
+                        },
+                    });
+                }
+                throw new AuthError(error instanceof Error ? error.message : 'Invalid token', 401);
+            }
+            // Check if token is revoked
+            if (config.isTokenRevoked && payload.jti) {
+                const revoked = await config.isTokenRevoked(payload.jti);
+                if (revoked) {
+                    throw new AuthError('Token has been revoked', 401, 'TOKEN_REVOKED');
+                }
+            }
+            // Load user from database
+            let user = null;
+            if (config.userLoader) {
+                user = await config.userLoader(payload.sub);
+                if (!user && !options.optional) {
+                    throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
+                }
+            }
+            else {
+                // No user loader - create minimal user from token
+                user = {
+                    id: payload.sub,
+                    email: payload.email,
+                };
+            }
+            // Create auth context
+            const authContext = {
+                user: user ?? undefined,
+                token: payload,
+                isAuthenticated: !!user,
+            };
+            // Build extended context
+            const extendedCtx = {
+                ...ctx,
+                auth: authContext,
+                user: user ?? undefined,
+            };
+            // Run guards if specified
+            if (options.guards && options.guards.length > 0) {
+                // Validate that all guards are GuardDefinition objects (strings are not supported)
+                const guardDefs = options.guards.map((g) => {
+                    if (typeof g === 'string') {
+                        throw new AuthError(`String guard references are not supported. Use a GuardDefinition object instead of "${g}"`, 500, 'INVALID_GUARD');
+                    }
+                    return g;
+                });
+                const result = await executeGuards(guardDefs, extendedCtx, request, ctx.reply);
+                if (!result.passed) {
+                    throw new AuthError(result.message ?? `Guard failed: ${result.failedGuard}`, result.statusCode ?? 403, 'GUARD_FAILED');
+                }
+            }
+            // Continue to next middleware/handler
+            return next({ ctx: extendedCtx });
+        };
+    }
+    /**
+     * Shorthand for required authentication
+     */
+    function requireAuth(guards) {
+        return middleware({ optional: false, guards });
+    }
+    /**
+     * Shorthand for optional authentication
+     */
+    function optionalAuth() {
+        return middleware({ optional: true });
+    }
+    return {
+        middleware,
+        requireAuth,
+        optionalAuth,
+        jwt,
+    };
+}
+/**
+ * Creates an authentication middleware for procedures
+ *
+ * @deprecated Use `authMiddleware()` instead. Will be removed in v0.9.
+ */
+export const createAuthMiddleware = authMiddleware;
+// ============================================================================
+// Error Helpers
+// ============================================================================
+// AuthError is now imported from types.ts
+// ============================================================================
+// Rate Limiting Middleware
+// ============================================================================
+/**
+ * Simple in-memory rate limiter
+ * For production, use Redis-based rate limiting
+ */
+const rateLimitStore = new Map();
+/**
+ * Creates a rate limiting middleware (succinct API)
+ *
+ * @example
+ * ```typescript
+ * const rateLimit = rateLimitMiddleware({
+ *   max: 100,
+ *   windowMs: 60000, // 1 minute
+ * });
+ *
+ * const login = procedure()
+ *   .use(rateLimit)
+ *   .input(LoginSchema)
+ *   .mutation(handler);
+ * ```
+ */
+export function rateLimitMiddleware(options) {
+    const max = options.max ?? 100;
+    const windowMs = options.windowMs ?? 60000;
+    const keyGenerator = options.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown');
+    const message = options.message ?? 'Too many requests, please try again later';
+    return async ({ ctx, next }) => {
+        const key = keyGenerator(ctx);
+        const now = Date.now();
+        let record = rateLimitStore.get(key);
+        // Clean up expired record
+        if (record && record.resetAt <= now) {
+            rateLimitStore.delete(key);
+            record = undefined;
+        }
+        if (!record) {
+            // First request in window
+            record = { count: 1, resetAt: now + windowMs };
+            rateLimitStore.set(key, record);
+        }
+        else {
+            // Increment count
+            record.count++;
+        }
+        // Add rate limit headers (always, even on 429 responses)
+        ctx.reply.header('X-RateLimit-Limit', String(max));
+        ctx.reply.header('X-RateLimit-Remaining', String(Math.max(0, max - record.count)));
+        ctx.reply.header('X-RateLimit-Reset', String(Math.ceil(record.resetAt / 1000)));
+        // Check limit (after setting headers so they're included in 429 response)
+        if (record.count > max) {
+            throw new AuthError(message, 429, 'RATE_LIMIT_EXCEEDED');
+        }
+        return next();
+    };
+}
+/**
+ * Creates a rate limiting middleware
+ *
+ * @deprecated Use `rateLimitMiddleware()` instead. Will be removed in v0.9.
+ */
+export const createRateLimitMiddleware = rateLimitMiddleware;
+/**
+ * Clears rate limit store (useful for testing)
+ */
+export function clearRateLimitStore() {
+    rateLimitStore.clear();
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAStC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAEvC;;OAEG;IACH,SAAS,UAAU,CACjB,UAAiC,EAAE;QAEnC,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;YAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YAE5B,4BAA4B;YAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;YACjD,MAAM,KAAK,GAAG,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAEhD,oBAAoB;YACpB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,wCAAwC;oBACxC,MAAM,WAAW,GAAgB;wBAC/B,IAAI,EAAE,SAAS;wBACf,KAAK,EAAE,SAAS;wBAChB,eAAe,EAAE,KAAK;qBACvB,CAAC;oBAEF,OAAO,IAAI,CAAC;wBACV,GAAG,EAAE;4BACH,GAAG,GAAG;4BACN,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,yBAAyB;gBACzB,MAAM,IAAI,SAAS,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;YAC5D,CAAC;YAED,eAAe;YACf,IAAI,OAAqB,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,2DAA2D;oBAC3D,MAAM,WAAW,GAAgB;wBAC/B,IAAI,EAAE,SAAS;wBACf,KAAK,EAAE,SAAS;wBAChB,eAAe,EAAE,KAAK;qBACvB,CAAC;oBAEF,OAAO,IAAI,CAAC;wBACV,GAAG,EAAE;4BACH,GAAG,GAAG;4BACN,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,IAAI,SAAS,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;YACrF,CAAC;YAED,4BAA4B;YAC5B,IAAI,MAAM,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACzD,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,IAAI,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,IAAI,GAAgB,IAAI,CAAC;YAC7B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC5C,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,IAAI,GAAG;oBACL,EAAE,EAAE,OAAO,CAAC,GAAG;oBACf,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB,CAAC;YACJ,CAAC;YAED,sBAAsB;YACtB,MAAM,WAAW,GAAgB;gBAC/B,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvB,KAAK,EAAE,OAAO;gBACd,eAAe,EAAE,CAAC,CAAC,IAAI;aACxB,CAAC;YAEF,yBAAyB;YACzB,MAAM,WAAW,GAAG;gBAClB,GAAG,GAAG;gBACN,IAAI,EAAE,WAAW;gBACjB,IAAI,EAAE,IAAI,IAAI,SAAS;aACxB,CAAC;YAEF,0BAA0B;YAC1B,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,mFAAmF;gBACnF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;oBACzC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;wBAC1B,MAAM,IAAI,SAAS,CACjB,uFAAuF,CAAC,GAAG,EAC3F,GAAG,EACH,eAAe,CAChB,CAAC;oBACJ,CAAC;oBACD,OAAO,CAAC,CAAC;gBACX,CAAC,CAA0C,CAAC;gBAE5C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;gBAE/E,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,OAAO,IAAI,iBAAiB,MAAM,CAAC,WAAW,EAAE,EACvD,MAAM,CAAC,UAAU,IAAI,GAAG,EACxB,cAAc,CACf,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,OAAO,IAAI,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;QACpC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,WAAW,CAClB,MAAwC;QAExC,OAAO,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,CAK5C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,YAAY;QAMnB,OAAO,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,OAAO;QACL,UAAU;QACV,WAAW;QACX,YAAY;QACZ,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,cAAc,CAAC;AAEnD,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,0CAA0C;AAE1C,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,EAA8C,CAAC;AAE7E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,mBAAmB,CAAgD,OAKlF;IACC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;IAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,2CAA2C,CAAC;IAE/E,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAErC,0BAA0B;QAC1B,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;YACpC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,MAAM,GAAG,SAAS,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,0BAA0B;YAC1B,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YAC/C,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,kBAAkB;YAClB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QAED,yDAAyD;QACzD,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACnD,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACnF,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEhF,0EAA0E;QAC1E,IAAI,MAAM,CAAC,KAAK,GAAG,GAAG,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,EAAE,qBAAqB,CAAC,CAAC;QAC3D,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAE7D;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/dist/plugin.d.ts

@@ -0,0 +1,125 @@
+/**
+ * VeloxTS Auth Plugin
+ * Fastify plugin that integrates authentication with VeloxApp
+ * @module auth/plugin
+ */
+import type { VeloxPlugin } from '@veloxts/core';
+import { PasswordHasher } from './hash.js';
+import { JwtManager } from './jwt.js';
+import { createAuthMiddleware } from './middleware.js';
+import type { AuthConfig, AuthContext, TokenPair, User } from './types.js';
+/** Auth package version */
+export declare const AUTH_VERSION: string;
+/**
+ * Options for the auth plugin
+ */
+export interface AuthPluginOptions extends AuthConfig {
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Auth service instance attached to Fastify
+ * Provides authentication utilities for the application
+ */
+export interface AuthService {
+    /**
+     * JWT manager for token operations
+     */
+    jwt: JwtManager;
+    /**
+     * Password hasher for secure password storage
+     */
+    hasher: PasswordHasher;
+    /**
+     * Creates a token pair for a user
+     */
+    createTokens(user: User, additionalClaims?: Record<string, unknown>): TokenPair;
+    /**
+     * Verifies an access token and returns the auth context
+     */
+    verifyToken(token: string): AuthContext;
+    /**
+     * Refreshes tokens using a refresh token
+     */
+    refreshTokens(refreshToken: string): Promise<TokenPair> | TokenPair;
+    /**
+     * Gets the auth middleware factory
+     */
+    middleware: ReturnType<typeof createAuthMiddleware>;
+}
+declare module 'fastify' {
+    interface FastifyInstance {
+        auth: AuthService;
+    }
+    interface FastifyRequest {
+        auth?: AuthContext;
+        user?: User;
+    }
+}
+/**
+ * Creates the VeloxTS auth plugin (succinct API)
+ *
+ * This plugin provides:
+ * - JWT token management (access + refresh tokens)
+ * - Password hashing (bcrypt/argon2)
+ * - Request decorations for auth context
+ * - Auth middleware factory for procedures
+ *
+ * @example
+ * ```typescript
+ * import { authPlugin } from '@veloxts/auth';
+ *
+ * const auth = authPlugin({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   hash: {
+ *     algorithm: 'bcrypt',
+ *     bcryptRounds: 12,
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ * });
+ *
+ * // Register with VeloxApp
+ * await app.register(auth);
+ *
+ * // Use in procedures
+ * const { middleware, requireAuth } = app.auth.middleware;
+ *
+ * const getProfile = procedure()
+ *   .use(requireAuth())
+ *   .query(async ({ ctx }) => ctx.user);
+ * ```
+ */
+export declare function authPlugin(options: AuthPluginOptions): VeloxPlugin<AuthPluginOptions>;
+/**
+ * Creates the VeloxTS auth plugin
+ *
+ * @deprecated Use `authPlugin()` instead. Will be removed in v0.9.
+ */
+export declare const createAuthPlugin: typeof authPlugin;
+/**
+ * Default auth plugin with minimal configuration
+ *
+ * Uses environment variables for configuration:
+ * - `JWT_SECRET` (required): Secret for signing JWT tokens
+ *
+ * @throws {Error} If JWT_SECRET environment variable is not set
+ *
+ * @example
+ * ```typescript
+ * import { defaultAuthPlugin } from '@veloxts/auth';
+ *
+ * // Requires JWT_SECRET environment variable
+ * await app.register(defaultAuthPlugin());
+ * ```
+ */
+export declare function defaultAuthPlugin(): VeloxPlugin<AuthPluginOptions>;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAM3E,2BAA2B;AAC3B,eAAO,MAAM,YAAY,EAAE,MAA+C,CAAC;AAM3E;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAMD;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,GAAG,EAAE,UAAU,CAAC;IAEhB;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAEhF;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAAC;IAExC;;OAEG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,UAAU,EAAE,UAAU,CAAC,OAAO,oBAAoB,CAAC,CAAC;CACrD;AAMD,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,IAAI,EAAE,WAAW,CAAC;KACnB;IAED,UAAU,cAAc;QACtB,IAAI,CAAC,EAAE,WAAW,CAAC;QACnB,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;CACF;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAsHrF;AAED;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,mBAAa,CAAC;AAE3C;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,IAAI,WAAW,CAAC,iBAAiB,CAAC,CAYlE"}

package/dist/plugin.js

@@ -0,0 +1,193 @@
+/**
+ * VeloxTS Auth Plugin
+ * Fastify plugin that integrates authentication with VeloxApp
+ * @module auth/plugin
+ */
+import { createRequire } from 'node:module';
+import { PasswordHasher } from './hash.js';
+import { JwtManager } from './jwt.js';
+import { createAuthMiddleware } from './middleware.js';
+// Read version from package.json dynamically
+const require = createRequire(import.meta.url);
+const packageJson = require('../package.json');
+/** Auth package version */
+export const AUTH_VERSION = packageJson.version ?? '0.0.0-unknown';
+// ============================================================================
+// Auth Plugin
+// ============================================================================
+/**
+ * Creates the VeloxTS auth plugin (succinct API)
+ *
+ * This plugin provides:
+ * - JWT token management (access + refresh tokens)
+ * - Password hashing (bcrypt/argon2)
+ * - Request decorations for auth context
+ * - Auth middleware factory for procedures
+ *
+ * @example
+ * ```typescript
+ * import { authPlugin } from '@veloxts/auth';
+ *
+ * const auth = authPlugin({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   hash: {
+ *     algorithm: 'bcrypt',
+ *     bcryptRounds: 12,
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ * });
+ *
+ * // Register with VeloxApp
+ * await app.register(auth);
+ *
+ * // Use in procedures
+ * const { middleware, requireAuth } = app.auth.middleware;
+ *
+ * const getProfile = procedure()
+ *   .use(requireAuth())
+ *   .query(async ({ ctx }) => ctx.user);
+ * ```
+ */
+export function authPlugin(options) {
+    return {
+        name: '@veloxts/auth',
+        version: AUTH_VERSION,
+        // No explicit dependencies - works with any Fastify instance
+        // The plugin decorates Fastify with auth functionality
+        async register(server, _opts) {
+            const config = { ...options, ..._opts };
+            const { debug = false } = config;
+            if (debug) {
+                server.log.info('Registering @veloxts/auth plugin');
+            }
+            // Create instances
+            const jwt = new JwtManager(config.jwt);
+            const hasher = new PasswordHasher(config.hash);
+            const authMiddleware = createAuthMiddleware(config);
+            // Create auth service
+            const authService = {
+                jwt,
+                hasher,
+                createTokens(user, additionalClaims) {
+                    return jwt.createTokenPair(user, additionalClaims);
+                },
+                verifyToken(token) {
+                    const payload = jwt.verifyToken(token);
+                    return {
+                        user: {
+                            id: payload.sub,
+                            email: payload.email,
+                        },
+                        token: payload,
+                        isAuthenticated: true,
+                    };
+                },
+                refreshTokens(refreshToken) {
+                    if (config.userLoader) {
+                        return jwt.refreshTokens(refreshToken, config.userLoader);
+                    }
+                    return jwt.refreshTokens(refreshToken);
+                },
+                middleware: authMiddleware,
+            };
+            // Decorate server with auth service
+            server.decorate('auth', authService);
+            // Decorate requests with auth context (undefined initial value)
+            server.decorateRequest('auth', undefined);
+            server.decorateRequest('user', undefined);
+            // Add preHandler hook to extract auth from headers (optional)
+            if (config.autoExtract !== false) {
+                server.addHook('preHandler', async (request) => {
+                    const authHeader = request.headers.authorization;
+                    const token = jwt.extractFromHeader(authHeader);
+                    if (token) {
+                        try {
+                            const payload = jwt.verifyToken(token);
+                            // Check if token is revoked
+                            if (config.isTokenRevoked && payload.jti) {
+                                const revoked = await config.isTokenRevoked(payload.jti);
+                                if (revoked) {
+                                    // Token revoked - don't set auth context
+                                    return;
+                                }
+                            }
+                            // Load user if loader provided
+                            let user = null;
+                            if (config.userLoader) {
+                                user = await config.userLoader(payload.sub);
+                            }
+                            else {
+                                user = {
+                                    id: payload.sub,
+                                    email: payload.email,
+                                };
+                            }
+                            if (user) {
+                                request.auth = {
+                                    user,
+                                    token: payload,
+                                    isAuthenticated: true,
+                                };
+                                request.user = user;
+                            }
+                        }
+                        catch {
+                            // Invalid token - silently ignore (optional auth)
+                            if (debug) {
+                                server.log.debug('Invalid auth token in request');
+                            }
+                        }
+                    }
+                });
+            }
+            // Add shutdown hook for cleanup
+            server.addHook('onClose', async () => {
+                if (debug) {
+                    server.log.info('Shutting down @veloxts/auth plugin');
+                }
+            });
+            if (debug) {
+                server.log.info('@veloxts/auth plugin registered successfully');
+            }
+        },
+    };
+}
+/**
+ * Creates the VeloxTS auth plugin
+ *
+ * @deprecated Use `authPlugin()` instead. Will be removed in v0.9.
+ */
+export const createAuthPlugin = authPlugin;
+/**
+ * Default auth plugin with minimal configuration
+ *
+ * Uses environment variables for configuration:
+ * - `JWT_SECRET` (required): Secret for signing JWT tokens
+ *
+ * @throws {Error} If JWT_SECRET environment variable is not set
+ *
+ * @example
+ * ```typescript
+ * import { defaultAuthPlugin } from '@veloxts/auth';
+ *
+ * // Requires JWT_SECRET environment variable
+ * await app.register(defaultAuthPlugin());
+ * ```
+ */
+export function defaultAuthPlugin() {
+    const secret = process.env.JWT_SECRET;
+    if (!secret) {
+        throw new Error('JWT_SECRET environment variable is required for auth plugin. ' +
+            'Set it to a secure random string of at least 32 characters.');
+    }
+    return authPlugin({
+        jwt: { secret },
+    });
+}
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAK5C,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAGvD,6CAA6C;AAC7C,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAEtE,2BAA2B;AAC3B,MAAM,CAAC,MAAM,YAAY,GAAW,WAAW,CAAC,OAAO,IAAI,eAAe,CAAC;AAwE3E,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,UAAU,UAAU,CAAC,OAA0B;IACnD,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,YAAY;QACrB,6DAA6D;QAC7D,uDAAuD;QAEvD,KAAK,CAAC,QAAQ,CAAC,MAAuB,EAAE,KAAwB;YAC9D,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC;YACxC,MAAM,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,MAAM,CAAC;YAEjC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACtD,CAAC;YAED,mBAAmB;YACnB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,cAAc,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAEpD,sBAAsB;YACtB,MAAM,WAAW,GAAgB;gBAC/B,GAAG;gBACH,MAAM;gBAEN,YAAY,CAAC,IAAU,EAAE,gBAA0C;oBACjE,OAAO,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;gBACrD,CAAC;gBAED,WAAW,CAAC,KAAa;oBACvB,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;oBACvC,OAAO;wBACL,IAAI,EAAE;4BACJ,EAAE,EAAE,OAAO,CAAC,GAAG;4BACf,KAAK,EAAE,OAAO,CAAC,KAAK;yBACrB;wBACD,KAAK,EAAE,OAAO;wBACd,eAAe,EAAE,IAAI;qBACtB,CAAC;gBACJ,CAAC;gBAED,aAAa,CAAC,YAAoB;oBAChC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;wBACtB,OAAO,GAAG,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;oBAC5D,CAAC;oBACD,OAAO,GAAG,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;gBACzC,CAAC;gBAED,UAAU,EAAE,cAAc;aAC3B,CAAC;YAEF,oCAAoC;YACpC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAErC,gEAAgE;YAChE,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAE1C,8DAA8D;YAC9D,IAAI,MAAM,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;gBACjC,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,KAAK,EAAE,OAAuB,EAAE,EAAE;oBAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;oBACjD,MAAM,KAAK,GAAG,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;oBAEhD,IAAI,KAAK,EAAE,CAAC;wBACV,IAAI,CAAC;4BACH,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;4BAEvC,4BAA4B;4BAC5B,IAAI,MAAM,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gCACzC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gCACzD,IAAI,OAAO,EAAE,CAAC;oCACZ,yCAAyC;oCACzC,OAAO;gCACT,CAAC;4BACH,CAAC;4BAED,+BAA+B;4BAC/B,IAAI,IAAI,GAAgB,IAAI,CAAC;4BAC7B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gCACtB,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;4BAC9C,CAAC;iCAAM,CAAC;gCACN,IAAI,GAAG;oCACL,EAAE,EAAE,OAAO,CAAC,GAAG;oCACf,KAAK,EAAE,OAAO,CAAC,KAAK;iCACrB,CAAC;4BACJ,CAAC;4BAED,IAAI,IAAI,EAAE,CAAC;gCACT,OAAO,CAAC,IAAI,GAAG;oCACb,IAAI;oCACJ,KAAK,EAAE,OAAO;oCACd,eAAe,EAAE,IAAI;iCACtB,CAAC;gCACF,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;4BACtB,CAAC;wBACH,CAAC;wBAAC,MAAM,CAAC;4BACP,kDAAkD;4BAClD,IAAI,KAAK,EAAE,CAAC;gCACV,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;4BACpD,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;gBACnC,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,UAAU,CAAC;AAE3C;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+DAA+D;YAC7D,6DAA6D,CAChE,CAAC;IACJ,CAAC;IAED,OAAO,UAAU,CAAC;QAChB,GAAG,EAAE,EAAE,MAAM,EAAE;KAChB,CAAC,CAAC;AACL,CAAC"}