@veloxts/auth 0.3.3 → 0.3.5

package/dist/policies.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Resource-level authorization policies for @veloxts/auth
+ * @module auth/policies
+ */
+import type { PolicyAction, PolicyDefinition, User } from './types.js';
+/**
+ * Registers a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * registerPolicy('Post', {
+ *   view: (user, post) => true, // Anyone can view
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ * });
+ * ```
+ */
+export declare function registerPolicy<TUser = User, TResource = unknown>(resourceName: string, policy: PolicyDefinition<TUser, TResource>): void;
+/**
+ * Gets a registered policy by resource name
+ */
+export declare function getPolicy(resourceName: string): PolicyDefinition | undefined;
+/**
+ * Clears all registered policies (useful for testing)
+ */
+export declare function clearPolicies(): void;
+/**
+ * Defines a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * const PostPolicy = definePolicy<User, Post>({
+ *   view: () => true,
+ *   create: (user) => user.emailVerified,
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ *   publish: (user, post) => user.role === 'editor' && user.id === post.authorId,
+ * });
+ *
+ * // Register it
+ * registerPolicy('Post', PostPolicy);
+ * ```
+ */
+export declare function definePolicy<TUser = User, TResource = unknown>(actions: PolicyDefinition<TUser, TResource>): PolicyDefinition<TUser, TResource>;
+/**
+ * Checks if a user can perform an action on a resource
+ *
+ * @example
+ * ```typescript
+ * const canEdit = await can(user, 'update', 'Post', post);
+ * if (!canEdit) {
+ *   throw new ForbiddenError('Cannot edit this post');
+ * }
+ * ```
+ */
+export declare function can<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<boolean>;
+/**
+ * Checks if a user cannot perform an action (inverse of can)
+ */
+export declare function cannot<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<boolean>;
+/**
+ * Throws an error if user cannot perform action
+ *
+ * @example
+ * ```typescript
+ * await authorize(ctx.user, 'delete', 'Post', post);
+ * // If we get here, user is authorized
+ * await db.post.delete({ where: { id: post.id } });
+ * ```
+ */
+export declare function authorize<TResource = unknown>(user: User | null | undefined, action: string, resourceName: string, resource?: TResource): Promise<void>;
+/**
+ * Fluent policy builder for complex policies
+ *
+ * @example
+ * ```typescript
+ * const CommentPolicy = createPolicyBuilder<User, Comment>()
+ *   .allow('view', () => true)
+ *   .allow('create', (user) => user.emailVerified)
+ *   .allow('update', (user, comment) => user.id === comment.authorId)
+ *   .allow('delete', (user, comment) =>
+ *     user.id === comment.authorId || user.role === 'admin'
+ *   )
+ *   .build();
+ * ```
+ */
+export declare function createPolicyBuilder<TUser = User, TResource = unknown>(): PolicyBuilder<TUser, TResource>;
+declare class PolicyBuilder<TUser = User, TResource = unknown> {
+    private actions;
+    /**
+     * Allows an action based on the check function
+     */
+    allow(action: string, check: PolicyAction<TUser, TResource>): this;
+    /**
+     * Denies an action (always returns false)
+     */
+    deny(action: string): this;
+    /**
+     * Allows action only for resource owner
+     * Assumes resource has a userId or authorId field
+     */
+    allowOwner(action: string, ownerField?: keyof TResource): this;
+    /**
+     * Allows action for owner OR users with specific role
+     */
+    allowOwnerOr(action: string, roles: string[], ownerField?: keyof TResource): this;
+    /**
+     * Builds the final policy definition
+     */
+    build(): PolicyDefinition<TUser, TResource>;
+    /**
+     * Builds and registers the policy
+     */
+    register(resourceName: string): PolicyDefinition<TUser, TResource>;
+}
+/**
+ * Creates a policy that allows all actions for admins
+ * and owner-only for regular users
+ */
+export declare function createOwnerOrAdminPolicy<TResource extends {
+    userId?: string;
+    authorId?: string;
+}>(ownerField?: 'userId' | 'authorId'): PolicyDefinition<User & {
+    role?: string;
+}, TResource>;
+/**
+ * Creates a read-only policy (only view allowed)
+ */
+export declare function createReadOnlyPolicy<TResource>(): PolicyDefinition<User, TResource>;
+/**
+ * Creates a policy for admin-only resources
+ */
+export declare function createAdminOnlyPolicy<TResource>(): PolicyDefinition<User & {
+    role?: string;
+}, TResource>;
+export {};
+//# sourceMappingURL=policies.d.ts.map

package/dist/policies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAYvE;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,EAC9D,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,GACzC,IAAI,CAEN;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAE5E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,YAAY,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,EAC5D,OAAO,EAAE,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,GAC1C,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,GAAG,CAAC,SAAS,GAAG,OAAO,EAC3C,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,OAAO,CAAC,CAoBlB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,GAAG,OAAO,EAC9C,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,OAAO,CAAC,CAElB;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,SAAS,GAAG,OAAO,EACjD,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,IAAI,CAAC,CASf;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,KAAK,aAAa,CACrF,KAAK,EACL,SAAS,CACV,CAEA;AAED,cAAM,aAAa,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO;IACnD,OAAO,CAAC,OAAO,CAA0C;IAEzD;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,GAAG,IAAI;IAKlE;;OAEG;IACH,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK1B;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAM,SAAuC,GAAG,IAAI;IAQ3F;;OAEG;IACH,YAAY,CACV,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,GAAE,MAAM,SAAuC,GACxD,IAAI;IAWP;;OAEG;IACH,KAAK,IAAI,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC;IAI3C;;OAEG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC;CAKnE;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,SAAS,SAAS;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,EAC/F,UAAU,GAAE,QAAQ,GAAG,UAAqB,GAC3C,gBAAgB,CAAC,IAAI,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EAAE,SAAS,CAAC,CAevD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,KAAK,gBAAgB,CAAC,IAAI,EAAE,SAAS,CAAC,CAOnF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,KAAK,gBAAgB,CAClE,IAAI,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EACxB,SAAS,CACV,CASA"}

package/dist/policies.js

@@ -0,0 +1,240 @@
+/**
+ * Resource-level authorization policies for @veloxts/auth
+ * @module auth/policies
+ */
+// ============================================================================
+// Policy Registry
+// ============================================================================
+/**
+ * Global policy registry
+ * Maps resource names to their policy definitions
+ */
+const policyRegistry = new Map();
+/**
+ * Registers a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * registerPolicy('Post', {
+ *   view: (user, post) => true, // Anyone can view
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ * });
+ * ```
+ */
+export function registerPolicy(resourceName, policy) {
+    policyRegistry.set(resourceName, policy);
+}
+/**
+ * Gets a registered policy by resource name
+ */
+export function getPolicy(resourceName) {
+    return policyRegistry.get(resourceName);
+}
+/**
+ * Clears all registered policies (useful for testing)
+ */
+export function clearPolicies() {
+    policyRegistry.clear();
+}
+// ============================================================================
+// Policy Definition Helper
+// ============================================================================
+/**
+ * Defines a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * const PostPolicy = definePolicy<User, Post>({
+ *   view: () => true,
+ *   create: (user) => user.emailVerified,
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ *   publish: (user, post) => user.role === 'editor' && user.id === post.authorId,
+ * });
+ *
+ * // Register it
+ * registerPolicy('Post', PostPolicy);
+ * ```
+ */
+export function definePolicy(actions) {
+    return actions;
+}
+// ============================================================================
+// Authorization Checks
+// ============================================================================
+/**
+ * Checks if a user can perform an action on a resource
+ *
+ * @example
+ * ```typescript
+ * const canEdit = await can(user, 'update', 'Post', post);
+ * if (!canEdit) {
+ *   throw new ForbiddenError('Cannot edit this post');
+ * }
+ * ```
+ */
+export async function can(user, action, resourceName, resource) {
+    // No user = no permission
+    if (!user) {
+        return false;
+    }
+    const policy = policyRegistry.get(resourceName);
+    if (!policy) {
+        // No policy registered = deny by default
+        console.warn(`No policy registered for resource: ${resourceName}`);
+        return false;
+    }
+    const actionHandler = policy[action];
+    if (!actionHandler) {
+        // Action not defined = deny by default
+        return false;
+    }
+    return actionHandler(user, resource);
+}
+/**
+ * Checks if a user cannot perform an action (inverse of can)
+ */
+export async function cannot(user, action, resourceName, resource) {
+    return !(await can(user, action, resourceName, resource));
+}
+/**
+ * Throws an error if user cannot perform action
+ *
+ * @example
+ * ```typescript
+ * await authorize(ctx.user, 'delete', 'Post', post);
+ * // If we get here, user is authorized
+ * await db.post.delete({ where: { id: post.id } });
+ * ```
+ */
+export async function authorize(user, action, resourceName, resource) {
+    const allowed = await can(user, action, resourceName, resource);
+    if (!allowed) {
+        const error = new Error(`Unauthorized: cannot ${action} ${resourceName}${resource ? ` (id: ${resource.id ?? 'unknown'})` : ''}`);
+        error.statusCode = 403;
+        throw error;
+    }
+}
+// ============================================================================
+// Policy Builder
+// ============================================================================
+/**
+ * Fluent policy builder for complex policies
+ *
+ * @example
+ * ```typescript
+ * const CommentPolicy = createPolicyBuilder<User, Comment>()
+ *   .allow('view', () => true)
+ *   .allow('create', (user) => user.emailVerified)
+ *   .allow('update', (user, comment) => user.id === comment.authorId)
+ *   .allow('delete', (user, comment) =>
+ *     user.id === comment.authorId || user.role === 'admin'
+ *   )
+ *   .build();
+ * ```
+ */
+export function createPolicyBuilder() {
+    return new PolicyBuilder();
+}
+class PolicyBuilder {
+    actions = {};
+    /**
+     * Allows an action based on the check function
+     */
+    allow(action, check) {
+        this.actions[action] = check;
+        return this;
+    }
+    /**
+     * Denies an action (always returns false)
+     */
+    deny(action) {
+        this.actions[action] = () => false;
+        return this;
+    }
+    /**
+     * Allows action only for resource owner
+     * Assumes resource has a userId or authorId field
+     */
+    allowOwner(action, ownerField = 'userId') {
+        this.actions[action] = (user, resource) => {
+            const ownerId = resource?.[ownerField];
+            return ownerId === user.id;
+        };
+        return this;
+    }
+    /**
+     * Allows action for owner OR users with specific role
+     */
+    allowOwnerOr(action, roles, ownerField = 'userId') {
+        this.actions[action] = (user, resource) => {
+            const ownerId = resource?.[ownerField];
+            const userRole = user.role;
+            const isOwner = ownerId === user.id;
+            const hasRole = typeof userRole === 'string' && roles.includes(userRole);
+            return isOwner || hasRole;
+        };
+        return this;
+    }
+    /**
+     * Builds the final policy definition
+     */
+    build() {
+        return { ...this.actions };
+    }
+    /**
+     * Builds and registers the policy
+     */
+    register(resourceName) {
+        const policy = this.build();
+        registerPolicy(resourceName, policy);
+        return policy;
+    }
+}
+// ============================================================================
+// Common Policy Patterns
+// ============================================================================
+/**
+ * Creates a policy that allows all actions for admins
+ * and owner-only for regular users
+ */
+export function createOwnerOrAdminPolicy(ownerField = 'userId') {
+    const isOwnerOrAdmin = (user, resource) => {
+        if (user.role === 'admin') {
+            return true;
+        }
+        const ownerId = resource[ownerField];
+        return ownerId === user.id;
+    };
+    return {
+        view: () => true,
+        create: () => true,
+        update: isOwnerOrAdmin,
+        delete: isOwnerOrAdmin,
+    };
+}
+/**
+ * Creates a read-only policy (only view allowed)
+ */
+export function createReadOnlyPolicy() {
+    return {
+        view: () => true,
+        create: () => false,
+        update: () => false,
+        delete: () => false,
+    };
+}
+/**
+ * Creates a policy for admin-only resources
+ */
+export function createAdminOnlyPolicy() {
+    const isAdmin = (user) => user.role === 'admin';
+    return {
+        view: isAdmin,
+        create: isAdmin,
+        update: isAdmin,
+        delete: isAdmin,
+    };
+}
+//# sourceMappingURL=policies.js.map

package/dist/policies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.js","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,YAAoB,EACpB,MAA0C;IAE1C,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,MAA0B,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,YAAoB;IAC5C,OAAO,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,YAAY,CAC1B,OAA2C;IAE3C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,GAAG,CACvB,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,0BAA0B;IAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,yCAAyC;QACzC,OAAO,CAAC,IAAI,CAAC,sCAAsC,YAAY,EAAE,CAAC,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAA8C,CAAC;IAClF,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,uCAAuC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,QAAqB,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,wBAAwB,MAAM,IAAI,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,SAAU,QAA4B,CAAC,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7H,CAAC;QACD,KAAwC,CAAC,UAAU,GAAG,GAAG,CAAC;QAC3D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,mBAAmB;IAIjC,OAAO,IAAI,aAAa,EAAoB,CAAC;AAC/C,CAAC;AAED,MAAM,aAAa;IACT,OAAO,GAAuC,EAAE,CAAC;IAEzD;;OAEG;IACH,KAAK,CAAC,MAAc,EAAE,KAAqC;QACzD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,MAAc;QACjB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,MAAc,EAAE,aAA8B,QAA2B;QAClF,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,GAAG,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC;YACvC,OAAO,OAAO,KAAM,IAAa,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY,CACV,MAAc,EACd,KAAe,EACf,aAA8B,QAA2B;QAEzD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,GAAG,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC;YACvC,MAAM,QAAQ,GAAI,IAAiC,CAAC,IAAI,CAAC;YACzD,MAAM,OAAO,GAAG,OAAO,KAAM,IAAa,CAAC,EAAE,CAAC;YAC9C,MAAM,OAAO,GAAG,OAAO,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzE,OAAO,OAAO,IAAI,OAAO,CAAC;QAC5B,CAAC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK;QACH,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,YAAoB;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC5B,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACrC,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,aAAoC,QAAQ;IAE5C,MAAM,cAAc,GAAG,CAAC,IAA8B,EAAE,QAAmB,EAAW,EAAE;QACtF,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;QACrC,OAAO,OAAO,KAAK,IAAI,CAAC,EAAE,CAAC;IAC7B,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI;QAChB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;QAClB,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,cAAc;KACvB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI;QAChB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;QACnB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;QACnB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;KACpB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IAInC,MAAM,OAAO,GAAG,CAAC,IAA8B,EAAW,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC;IAEnF,OAAO;QACL,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,OAAO;KAChB,CAAC;AACJ,CAAC"}

package/dist/rate-limit.d.ts

@@ -0,0 +1,231 @@
+/**
+ * Authentication-specific rate limiting
+ *
+ * Provides specialized rate limiters for authentication endpoints with:
+ * - Per-email+IP tracking (prevents brute force on specific accounts)
+ * - Account lockout detection
+ * - Separate limits for login, register, and password reset
+ * - Progressive backoff support
+ *
+ * @module auth/rate-limit
+ */
+import type { BaseContext } from '@veloxts/core';
+import type { MiddlewareFunction } from '@veloxts/router';
+/**
+ * Configuration for auth rate limiting
+ */
+export interface AuthRateLimitConfig {
+    /**
+     * Maximum attempts before lockout
+     * @default 5
+     */
+    maxAttempts?: number;
+    /**
+     * Window duration in milliseconds
+     * @default 900000 (15 minutes)
+     */
+    windowMs?: number;
+    /**
+     * Lockout duration in milliseconds after max attempts exceeded
+     * @default 900000 (15 minutes)
+     */
+    lockoutDurationMs?: number;
+    /**
+     * Custom key generator for rate limiting
+     * Default uses IP + identifier (email)
+     */
+    keyGenerator?: (ctx: BaseContext, identifier?: string) => string;
+    /**
+     * Error message when rate limited
+     * @default 'Too many attempts. Please try again later.'
+     */
+    message?: string;
+    /**
+     * Enable progressive backoff (double lockout on repeated violations)
+     * @default false
+     */
+    progressiveBackoff?: boolean;
+}
+/**
+ * Configuration for the auth rate limiter factory
+ */
+export interface AuthRateLimiterConfig {
+    /**
+     * Rate limit for login attempts
+     * @default { maxAttempts: 5, windowMs: 900000 }
+     */
+    login?: AuthRateLimitConfig;
+    /**
+     * Rate limit for registration attempts
+     * @default { maxAttempts: 3, windowMs: 3600000 }
+     */
+    register?: AuthRateLimitConfig;
+    /**
+     * Rate limit for password reset requests
+     * @default { maxAttempts: 3, windowMs: 3600000 }
+     */
+    passwordReset?: AuthRateLimitConfig;
+    /**
+     * Rate limit for token refresh
+     * @default { maxAttempts: 10, windowMs: 60000 }
+     */
+    refresh?: AuthRateLimitConfig;
+}
+/**
+ * Stop cleanup interval (for testing)
+ */
+export declare function stopAuthRateLimitCleanup(): void;
+/**
+ * Clear all rate limit entries (for testing)
+ */
+export declare function clearAuthRateLimitStore(): void;
+/**
+ * Creates an authentication rate limiter
+ *
+ * This factory returns rate limit middlewares configured for different
+ * auth operations with sensible defaults.
+ *
+ * @example
+ * ```typescript
+ * const authRateLimiter = createAuthRateLimiter({
+ *   login: { maxAttempts: 5, windowMs: 15 * 60 * 1000 },
+ *   register: { maxAttempts: 3, windowMs: 60 * 60 * 1000 },
+ * });
+ *
+ * // Apply to procedures
+ * const login = procedure()
+ *   .use(authRateLimiter.login(ctx => ctx.input.email))
+ *   .mutation(loginHandler);
+ *
+ * const register = procedure()
+ *   .use(authRateLimiter.register())
+ *   .mutation(registerHandler);
+ * ```
+ */
+export declare function createAuthRateLimiter(config?: AuthRateLimiterConfig): {
+    /**
+     * Rate limiter for login attempts
+     *
+     * @param identifierFn - Function to extract identifier (email) from context
+     *
+     * @example
+     * ```typescript
+     * login: procedure()
+     *   .use(authRateLimiter.login((ctx) => (ctx.input as { email: string }).email))
+     *   .input(LoginSchema)
+     *   .mutation(handler)
+     * ```
+     */
+    login: <TInput, TContext extends BaseContext, TOutput>(identifierFn?: (ctx: TContext & {
+        input?: unknown;
+    }) => string) => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for registration attempts
+     * Uses IP-only by default (no identifier needed)
+     */
+    register: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for password reset requests
+     *
+     * @param identifierFn - Optional function to extract identifier (email)
+     */
+    passwordReset: <TInput, TContext extends BaseContext, TOutput>(identifierFn?: (ctx: TContext & {
+        input?: unknown;
+    }) => string) => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for token refresh
+     */
+    refresh: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Record a failed attempt (call after authentication fails)
+     *
+     * This allows tracking failures even when rate limit hasn't been hit,
+     * enabling account lockout after X failed passwords.
+     *
+     * @param key - Rate limit key (usually IP:email or IP)
+     * @param operation - Operation type for key namespacing
+     */
+    recordFailure: (key: string, operation: "login" | "register" | "password-reset") => void;
+    /**
+     * Reset rate limit for a key (call after successful auth)
+     */
+    resetLimit: (key: string, operation: "login" | "register" | "password-reset") => void;
+    /**
+     * Check if a key is currently locked out
+     */
+    isLockedOut: (key: string, operation: "login" | "register" | "password-reset") => boolean;
+    /**
+     * Get remaining attempts for a key
+     */
+    getRemainingAttempts: (key: string, operation: "login" | "register" | "password-reset" | "refresh") => number;
+};
+/**
+ * Pre-configured auth rate limiter with sensible defaults
+ *
+ * @example
+ * ```typescript
+ * import { authRateLimiter } from '@veloxts/auth';
+ *
+ * const login = procedure()
+ *   .use(authRateLimiter.login((ctx) => ctx.input.email))
+ *   .mutation(handler);
+ * ```
+ */
+export declare const authRateLimiter: {
+    /**
+     * Rate limiter for login attempts
+     *
+     * @param identifierFn - Function to extract identifier (email) from context
+     *
+     * @example
+     * ```typescript
+     * login: procedure()
+     *   .use(authRateLimiter.login((ctx) => (ctx.input as { email: string }).email))
+     *   .input(LoginSchema)
+     *   .mutation(handler)
+     * ```
+     */
+    login: <TInput, TContext extends BaseContext, TOutput>(identifierFn?: (ctx: TContext & {
+        input?: unknown;
+    }) => string) => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for registration attempts
+     * Uses IP-only by default (no identifier needed)
+     */
+    register: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for password reset requests
+     *
+     * @param identifierFn - Optional function to extract identifier (email)
+     */
+    passwordReset: <TInput, TContext extends BaseContext, TOutput>(identifierFn?: (ctx: TContext & {
+        input?: unknown;
+    }) => string) => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Rate limiter for token refresh
+     */
+    refresh: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+    /**
+     * Record a failed attempt (call after authentication fails)
+     *
+     * This allows tracking failures even when rate limit hasn't been hit,
+     * enabling account lockout after X failed passwords.
+     *
+     * @param key - Rate limit key (usually IP:email or IP)
+     * @param operation - Operation type for key namespacing
+     */
+    recordFailure: (key: string, operation: "login" | "register" | "password-reset") => void;
+    /**
+     * Reset rate limit for a key (call after successful auth)
+     */
+    resetLimit: (key: string, operation: "login" | "register" | "password-reset") => void;
+    /**
+     * Check if a key is currently locked out
+     */
+    isLockedOut: (key: string, operation: "login" | "register" | "password-reset") => boolean;
+    /**
+     * Get remaining attempts for a key
+     */
+    getRemainingAttempts: (key: string, operation: "login" | "register" | "password-reset" | "refresh") => number;
+};
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAQ1D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,WAAW,EAAE,UAAU,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAEjE;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAgBD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,KAAK,CAAC,EAAE,mBAAmB,CAAC;IAE5B;;;OAGG;IACH,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAE/B;;;OAGG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC;;;OAGG;IACH,OAAO,CAAC,EAAE,mBAAmB,CAAC;CAC/B;AAiDD;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAK/C;AAED;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AASD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,GAAE,qBAA0B;IAwCpE;;;;;;;;;;;;OAYG;YACK,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,iBACpC,CAAC,GAAG,EAAE,QAAQ,GAAG;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,KAC7D,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;IAI1D;;;OAGG;eACQ,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CAC7E,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,OAAO,CACR;IAID;;;;OAIG;oBACa,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,iBAC5C,CAAC,GAAG,EAAE,QAAQ,GAAG;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,KAC7D,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;IAI1D;;OAEG;cACO,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CAC5E,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,OAAO,CACR;IAID;;;;;;;;OAQG;yBACkB,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB;IAiC/E;;OAEG;sBACe,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB;IAK5E;;OAEG;uBACgB,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB,KAAG,OAAO;IAYvF;;OAEG;gCAEI,MAAM,aACA,OAAO,GAAG,UAAU,GAAG,gBAAgB,GAAG,SAAS,KAC7D,MAAM;EAkBZ;AA0HD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe;IAtRxB;;;;;;;;;;;;OAYG;YACK,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,iBACpC,CAAC,GAAG,EAAE,QAAQ,GAAG;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,KAC7D,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;IAI1D;;;OAGG;eACQ,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CAC7E,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,OAAO,CACR;IAID;;;;OAIG;oBACa,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,iBAC5C,CAAC,GAAG,EAAE,QAAQ,GAAG;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,KAC7D,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;IAI1D;;OAEG;cACO,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CAC5E,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,OAAO,CACR;IAID;;;;;;;;OAQG;yBACkB,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB;IAiC/E;;OAEG;sBACe,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB;IAK5E;;OAEG;uBACgB,MAAM,aAAa,OAAO,GAAG,UAAU,GAAG,gBAAgB,KAAG,OAAO;IAYvF;;OAEG;gCAEI,MAAM,aACA,OAAO,GAAG,UAAU,GAAG,gBAAgB,GAAG,SAAS,KAC7D,MAAM;CAwJyC,CAAC"}