@veloxts/auth 0.3.3 → 0.3.5

package/dist/jwt.js

@@ -0,0 +1,489 @@
+/**
+ * JWT token utilities for @veloxts/auth
+ * @module auth/jwt
+ */
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+import { AuthError } from './types.js';
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_ACCESS_EXPIRY = '15m';
+const DEFAULT_REFRESH_EXPIRY = '7d';
+/**
+ * Minimum JWT secret length (64 characters = 512 bits)
+ * HS256 requires at least 256 bits, but we require 512 for extra security margin
+ */
+const MIN_SECRET_LENGTH = 64;
+/**
+ * Minimum unique characters in secret for entropy validation
+ */
+const MIN_SECRET_ENTROPY_CHARS = 16;
+// ============================================================================
+// Token Expiration Bounds (Security Phase 3.1)
+// ============================================================================
+/**
+ * Minimum access token expiry: 1 minute
+ * Shorter tokens increase security but may impact UX
+ */
+const MIN_ACCESS_TOKEN_SECONDS = 60;
+/**
+ * Maximum access token expiry: 1 hour
+ * Longer lived tokens are a security risk if stolen
+ */
+const MAX_ACCESS_TOKEN_SECONDS = 60 * 60;
+/**
+ * Minimum refresh token expiry: 1 hour
+ * Too short reduces usability
+ */
+const MIN_REFRESH_TOKEN_SECONDS = 60 * 60;
+/**
+ * Maximum refresh token expiry: 30 days
+ * Longer lived refresh tokens increase risk window
+ */
+const MAX_REFRESH_TOKEN_SECONDS = 30 * 24 * 60 * 60;
+/**
+ * Recommended maximum access token expiry: 15 minutes
+ * Beyond this, consider shorter lived tokens with refresh
+ */
+const RECOMMENDED_MAX_ACCESS_SECONDS = 15 * 60;
+/**
+ * Recommended maximum refresh token expiry: 7 days
+ */
+const RECOMMENDED_MAX_REFRESH_SECONDS = 7 * 24 * 60 * 60;
+/**
+ * Reserved JWT claims that cannot be overridden via additionalClaims
+ */
+const RESERVED_JWT_CLAIMS = new Set([
+    'sub',
+    'iss',
+    'aud',
+    'exp',
+    'iat',
+    'jti',
+    'nbf',
+    'type',
+    'email',
+]);
+// ============================================================================
+// JWT Implementation
+// ============================================================================
+/**
+ * Validates a time string format
+ * Supports: '1s', '15m', '1h', '7d', etc.
+ * Minimum valid value is '1s' (1 second)
+ *
+ * @returns true if valid, false otherwise
+ */
+export function isValidTimespan(time) {
+    const match = time.match(/^(\d+)([smhd])$/);
+    if (!match) {
+        return false;
+    }
+    const value = parseInt(match[1], 10);
+    // Value must be at least 1
+    return value >= 1;
+}
+/**
+ * Parses time string to seconds
+ * Supports: '15m', '1h', '7d', '30d', etc.
+ */
+export function parseTimeToSeconds(time) {
+    const match = time.match(/^(\d+)([smhd])$/);
+    if (!match) {
+        throw new AuthError(`Invalid time format: ${time}. Use format like '15m', '1h', '7d'`, 400, 'INVALID_TIME_FORMAT');
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case 's':
+            return value;
+        case 'm':
+            return value * 60;
+        case 'h':
+            return value * 60 * 60;
+        case 'd':
+            return value * 60 * 60 * 24;
+        default:
+            throw new AuthError(`Unknown time unit: ${unit}`, 400, 'INVALID_TIME_UNIT');
+    }
+}
+/**
+ * Base64url encode
+ */
+function base64urlEncode(data) {
+    const base64 = Buffer.from(data).toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Base64url decode
+ */
+function base64urlDecode(data) {
+    const base64 = data.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
+    return Buffer.from(padded, 'base64').toString('utf8');
+}
+/**
+ * Create HMAC-SHA256 signature
+ */
+function createSignature(data, secret) {
+    const hmac = createHmac('sha256', secret);
+    hmac.update(data);
+    return base64urlEncode(hmac.digest());
+}
+/**
+ * Generate a unique token ID
+ */
+export function generateTokenId() {
+    return randomBytes(16).toString('hex');
+}
+/**
+ * Validates token expiration against security bounds
+ *
+ * @param accessExpiry - Access token expiry string (e.g., '15m')
+ * @param refreshExpiry - Refresh token expiry string (e.g., '7d')
+ * @throws Error if expiration times are outside security bounds
+ */
+export function validateTokenExpiration(accessExpiry, refreshExpiry) {
+    const accessSeconds = parseTimeToSeconds(accessExpiry);
+    const refreshSeconds = parseTimeToSeconds(refreshExpiry);
+    // Validate access token bounds
+    if (accessSeconds < MIN_ACCESS_TOKEN_SECONDS) {
+        throw new AuthError(`Access token expiry (${accessExpiry} = ${accessSeconds}s) is below minimum of ` +
+            `${MIN_ACCESS_TOKEN_SECONDS}s (1 minute). Very short tokens cause excessive refreshes.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    if (accessSeconds > MAX_ACCESS_TOKEN_SECONDS) {
+        throw new AuthError(`Access token expiry (${accessExpiry} = ${accessSeconds}s) exceeds maximum of ` +
+            `${MAX_ACCESS_TOKEN_SECONDS}s (1 hour). Long-lived access tokens are a security risk.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    // Validate refresh token bounds
+    if (refreshSeconds < MIN_REFRESH_TOKEN_SECONDS) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) is below minimum of ` +
+            `${MIN_REFRESH_TOKEN_SECONDS}s (1 hour). Very short refresh tokens impact usability.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    if (refreshSeconds > MAX_REFRESH_TOKEN_SECONDS) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) exceeds maximum of ` +
+            `${MAX_REFRESH_TOKEN_SECONDS}s (30 days). Long-lived refresh tokens increase attack window.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    // Warn about exceeding recommended limits (non-fatal)
+    if (accessSeconds > RECOMMENDED_MAX_ACCESS_SECONDS) {
+        console.warn(`[Security] Access token expiry (${accessExpiry}) exceeds recommended maximum of 15 minutes. ` +
+            'Consider using shorter-lived access tokens with refresh.');
+    }
+    if (refreshSeconds > RECOMMENDED_MAX_REFRESH_SECONDS) {
+        console.warn(`[Security] Refresh token expiry (${refreshExpiry}) exceeds recommended maximum of 7 days. ` +
+            'Long-lived refresh tokens increase the window for token theft attacks.');
+    }
+    // Ensure refresh tokens outlive access tokens
+    if (refreshSeconds <= accessSeconds) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) must be longer than ` +
+            `access token expiry (${accessExpiry} = ${accessSeconds}s).`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+}
+// ============================================================================
+// JWT Manager Class
+// ============================================================================
+/**
+ * JWT token manager
+ *
+ * Handles token creation, verification, and refresh.
+ * Uses HS256 (HMAC-SHA256) algorithm.
+ *
+ * @example
+ * ```typescript
+ * const jwt = new JwtManager({
+ *   secret: process.env.JWT_SECRET!,
+ *   accessTokenExpiry: '15m',
+ *   refreshTokenExpiry: '7d',
+ * });
+ *
+ * // Create tokens for user
+ * const tokens = jwt.createTokenPair(user);
+ *
+ * // Verify access token
+ * const payload = jwt.verifyToken(tokens.accessToken);
+ *
+ * // Refresh tokens
+ * const newTokens = jwt.refreshTokens(tokens.refreshToken);
+ * ```
+ */
+export class JwtManager {
+    config;
+    constructor(config) {
+        // Validate secret length (Critical Fix #1)
+        if (!config.secret || config.secret.length < MIN_SECRET_LENGTH) {
+            throw new AuthError(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters long (512 bits). ` +
+                'Generate with: openssl rand -base64 64', 500, 'INVALID_JWT_SECRET');
+        }
+        // Validate secret entropy - check for sufficient unique characters
+        const uniqueChars = new Set(config.secret).size;
+        if (uniqueChars < MIN_SECRET_ENTROPY_CHARS) {
+            throw new AuthError(`JWT secret has insufficient entropy (only ${uniqueChars} unique characters). ` +
+                'Use cryptographically random data with at least 16 unique characters.', 500, 'INVALID_JWT_SECRET');
+        }
+        // Validate accessTokenExpiry format if provided
+        if (config.accessTokenExpiry !== undefined && !isValidTimespan(config.accessTokenExpiry)) {
+            throw new AuthError(`Invalid accessTokenExpiry "${config.accessTokenExpiry}". ` +
+                `Use formats like "15m", "1h", "7d". Minimum is "1s".`, 400, 'INVALID_TOKEN_EXPIRY');
+        }
+        // Validate refreshTokenExpiry format if provided
+        if (config.refreshTokenExpiry !== undefined && !isValidTimespan(config.refreshTokenExpiry)) {
+            throw new AuthError(`Invalid refreshTokenExpiry "${config.refreshTokenExpiry}". ` +
+                `Use formats like "15m", "1h", "7d". Minimum is "1s".`, 400, 'INVALID_TOKEN_EXPIRY');
+        }
+        // Store config with defaults
+        const accessExpiry = config.accessTokenExpiry ?? DEFAULT_ACCESS_EXPIRY;
+        const refreshExpiry = config.refreshTokenExpiry ?? DEFAULT_REFRESH_EXPIRY;
+        // Validate expiration bounds (Security Phase 3.1)
+        // This prevents developers from setting insecure expiration times
+        validateTokenExpiration(accessExpiry, refreshExpiry);
+        this.config = {
+            ...config,
+            accessTokenExpiry: accessExpiry,
+            refreshTokenExpiry: refreshExpiry,
+        };
+    }
+    /**
+     * Creates a JWT token with the given payload
+     *
+     * @param payload - Token payload (sub, email, type required)
+     * @param expiresIn - Expiration time string (e.g., '15m', '7d')
+     * @param options - Additional options
+     * @param options.notBefore - Delay in seconds before token becomes valid (default: 0)
+     */
+    createToken(payload, expiresIn, options) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + parseTimeToSeconds(expiresIn);
+        // Security Phase 3.3: Add not-before (nbf) claim
+        // nbf = issued at + optional delay (default: 0, meaning valid immediately)
+        const nbf = now + (options?.notBefore ?? 0);
+        const fullPayload = {
+            ...payload,
+            iat: now,
+            exp,
+            nbf, // Token is not valid before this time
+        };
+        // Create header
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const encodedHeader = base64urlEncode(JSON.stringify(header));
+        const encodedPayload = base64urlEncode(JSON.stringify(fullPayload));
+        // Create signature
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const signature = createSignature(signatureInput, this.config.secret);
+        return `${signatureInput}.${signature}`;
+    }
+    /**
+     * Verifies a JWT token and returns the payload
+     *
+     * @throws AuthError if token is invalid or expired
+     */
+    verifyToken(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new AuthError('Invalid token format', 401, 'INVALID_TOKEN');
+        }
+        const [encodedHeader, encodedPayload, signature] = parts;
+        // Critical Fix #2: Validate algorithm BEFORE signature verification
+        // This prevents algorithm confusion attacks (CVE-2015-9235)
+        let header;
+        try {
+            header = JSON.parse(base64urlDecode(encodedHeader));
+        }
+        catch {
+            throw new AuthError('Invalid token header', 401, 'INVALID_TOKEN');
+        }
+        // Only allow HS256 - reject "none", RS256, and other algorithms
+        if (header.alg !== 'HS256') {
+            throw new AuthError(`Invalid algorithm: ${header.alg}. Only HS256 is supported.`, 401, 'INVALID_TOKEN');
+        }
+        if (header.typ !== 'JWT') {
+            throw new AuthError('Invalid token type in header', 401, 'INVALID_TOKEN');
+        }
+        // Verify signature using timing-safe comparison to prevent timing attacks
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const expectedSignature = createSignature(signatureInput, this.config.secret);
+        const sigBuffer = Buffer.from(signature, 'utf8');
+        const expectedBuffer = Buffer.from(expectedSignature, 'utf8');
+        if (sigBuffer.length !== expectedBuffer.length || !timingSafeEqual(sigBuffer, expectedBuffer)) {
+            throw new AuthError('Invalid token signature', 401, 'INVALID_TOKEN');
+        }
+        // Decode payload
+        let payload;
+        try {
+            const decoded = JSON.parse(base64urlDecode(encodedPayload));
+            // Validate required fields
+            if (typeof decoded.sub !== 'string' ||
+                typeof decoded.email !== 'string' ||
+                typeof decoded.iat !== 'number' ||
+                typeof decoded.exp !== 'number' ||
+                (decoded.type !== 'access' && decoded.type !== 'refresh')) {
+                throw new AuthError('Missing required token fields', 401, 'INVALID_TOKEN');
+            }
+            payload = decoded;
+        }
+        catch (error) {
+            if (error instanceof AuthError) {
+                throw error;
+            }
+            throw new AuthError(error instanceof Error ? error.message : 'Invalid token payload', 401, 'INVALID_TOKEN');
+        }
+        // Check expiration
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp < now) {
+            throw new AuthError('Token has expired', 401, 'TOKEN_EXPIRED');
+        }
+        // Check not-before claim if present (Medium Fix #10)
+        if (typeof payload.nbf === 'number' && payload.nbf > now) {
+            throw new AuthError('Token not yet valid', 401, 'TOKEN_NOT_YET_VALID');
+        }
+        // Verify issuer if configured
+        if (this.config.issuer && payload.iss !== this.config.issuer) {
+            throw new AuthError('Invalid token issuer', 401, 'INVALID_TOKEN');
+        }
+        // Verify audience if configured
+        if (this.config.audience && payload.aud !== this.config.audience) {
+            throw new AuthError('Invalid token audience', 401, 'INVALID_TOKEN');
+        }
+        return payload;
+    }
+    /**
+     * Creates an access/refresh token pair for a user
+     *
+     * @param user - The user to create tokens for
+     * @param additionalClaims - Custom claims to include (cannot override reserved claims)
+     * @throws AuthError if additionalClaims contains reserved JWT claims
+     */
+    createTokenPair(user, additionalClaims) {
+        // Critical Fix #3: Validate additionalClaims don't contain reserved claims
+        if (additionalClaims) {
+            for (const key of Object.keys(additionalClaims)) {
+                if (RESERVED_JWT_CLAIMS.has(key)) {
+                    throw new AuthError(`Cannot override reserved JWT claim: ${key}. ` +
+                        `Reserved claims are: ${[...RESERVED_JWT_CLAIMS].join(', ')}`, 400, 'INVALID_CLAIMS');
+                }
+            }
+        }
+        const tokenId = generateTokenId();
+        const basePayload = {
+            sub: user.id,
+            email: user.email,
+            jti: tokenId,
+            ...(this.config.issuer && { iss: this.config.issuer }),
+            ...(this.config.audience && { aud: this.config.audience }),
+            ...additionalClaims,
+        };
+        const accessToken = this.createToken({ ...basePayload, type: 'access' }, this.config.accessTokenExpiry);
+        const refreshToken = this.createToken({ ...basePayload, type: 'refresh' }, this.config.refreshTokenExpiry);
+        return {
+            accessToken,
+            refreshToken,
+            expiresIn: parseTimeToSeconds(this.config.accessTokenExpiry),
+            tokenType: 'Bearer',
+        };
+    }
+    refreshTokens(refreshToken, userLoader) {
+        const payload = this.verifyToken(refreshToken);
+        if (payload.type !== 'refresh') {
+            throw new AuthError('Invalid token type: expected refresh token', 401, 'INVALID_TOKEN');
+        }
+        // If userLoader provided, fetch fresh user data
+        if (userLoader) {
+            return userLoader(payload.sub).then((user) => {
+                if (!user) {
+                    throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
+                }
+                return this.createTokenPair(user);
+            });
+        }
+        // Otherwise, create new tokens from payload data
+        const user = {
+            id: payload.sub,
+            email: payload.email,
+        };
+        return this.createTokenPair(user);
+    }
+    /**
+     * Decodes a token without verification
+     * Useful for extracting payload from expired tokens
+     */
+    decodeToken(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3) {
+                return null;
+            }
+            return JSON.parse(base64urlDecode(parts[1]));
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Extracts token from Authorization header
+     * Supports 'Bearer <token>' format
+     */
+    extractFromHeader(authHeader) {
+        if (!authHeader) {
+            return null;
+        }
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+            return null;
+        }
+        return parts[1];
+    }
+}
+/**
+ * Creates a new JWT manager instance (succinct API)
+ */
+export function jwtManager(config) {
+    return new JwtManager(config);
+}
+/**
+ * Creates a new JWT manager instance
+ *
+ * @deprecated Use `jwtManager()` instead. Will be removed in v0.9.
+ */
+export const createJwtManager = jwtManager;
+/**
+ * Creates an in-memory token store for development and testing
+ *
+ * ⚠️ WARNING: NOT suitable for production!
+ * - Does not persist across server restarts
+ * - Does not work across multiple server instances
+ * - No automatic cleanup of expired token IDs
+ *
+ * For production, use Redis or database-backed storage:
+ * - upstash/redis for serverless
+ * - ioredis for traditional servers
+ * - Database table for audit trail
+ *
+ * @example
+ * ```typescript
+ * // Development/Testing
+ * const tokenStore = createInMemoryTokenStore();
+ *
+ * const authConfig: AuthConfig = {
+ *   jwt: { secret: process.env.JWT_SECRET! },
+ *   isTokenRevoked: tokenStore.isRevoked,
+ * };
+ *
+ * // Revoke on logout
+ * app.post('/logout', async (req) => {
+ *   const tokenId = req.auth.token.jti;
+ *   tokenStore.revoke(tokenId);
+ * });
+ * ```
+ */
+export function createInMemoryTokenStore() {
+    const revokedTokens = new Set();
+    return {
+        revoke: (tokenId) => {
+            revokedTokens.add(tokenId);
+        },
+        isRevoked: (tokenId) => revokedTokens.has(tokenId),
+        clear: () => {
+            revokedTokens.clear();
+        },
+    };
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGvE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;GAEG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC,+EAA+E;AAC/E,+CAA+C;AAC/C,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;;GAGG;AACH,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,CAAC;AAEzC;;;GAGG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAE1C;;;GAGG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEpD;;;GAGG;AACH,MAAM,8BAA8B,GAAG,EAAE,GAAG,EAAE,CAAC;AAE/C;;GAEG;AACH,MAAM,+BAA+B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEzD;;GAEG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,2BAA2B;IAC3B,OAAO,KAAK,IAAI,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,SAAS,CACjB,wBAAwB,IAAI,qCAAqC,EACjE,GAAG,EACH,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAC9B;YACE,MAAM,IAAI,SAAS,CAAC,sBAAsB,IAAI,EAAE,EAAE,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY,EAAE,MAAc;IACnD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB,EAAE,aAAqB;IACjF,MAAM,aAAa,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAEzD,+BAA+B;IAC/B,IAAI,aAAa,GAAG,wBAAwB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,wBAAwB,YAAY,MAAM,aAAa,yBAAyB;YAC9E,GAAG,wBAAwB,4DAA4D,EACzF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,GAAG,wBAAwB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,wBAAwB,YAAY,MAAM,aAAa,wBAAwB;YAC7E,GAAG,wBAAwB,2DAA2D,EACxF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,gCAAgC;IAChC,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;QAC/C,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,yBAAyB;YACjF,GAAG,yBAAyB,yDAAyD,EACvF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;QAC/C,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,wBAAwB;YAChF,GAAG,yBAAyB,gEAAgE,EAC9F,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,IAAI,aAAa,GAAG,8BAA8B,EAAE,CAAC;QACnD,OAAO,CAAC,IAAI,CACV,mCAAmC,YAAY,+CAA+C;YAC5F,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAG,+BAA+B,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CACV,oCAAoC,aAAa,2CAA2C;YAC1F,wEAAwE,CAC3E,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,IAAI,cAAc,IAAI,aAAa,EAAE,CAAC;QACpC,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,yBAAyB;YACjF,wBAAwB,YAAY,MAAM,aAAa,KAAK,EAC9D,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAGX;IAEZ,YAAY,MAAiB;QAC3B,2CAA2C;QAC3C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YAC/D,MAAM,IAAI,SAAS,CACjB,+BAA+B,iBAAiB,+BAA+B;gBAC7E,wCAAwC,EAC1C,GAAG,EACH,oBAAoB,CACrB,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,WAAW,GAAG,wBAAwB,EAAE,CAAC;YAC3C,MAAM,IAAI,SAAS,CACjB,6CAA6C,WAAW,uBAAuB;gBAC7E,uEAAuE,EACzE,GAAG,EACH,oBAAoB,CACrB,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,MAAM,CAAC,iBAAiB,KAAK,SAAS,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACzF,MAAM,IAAI,SAAS,CACjB,8BAA8B,MAAM,CAAC,iBAAiB,KAAK;gBACzD,sDAAsD,EACxD,GAAG,EACH,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,IAAI,MAAM,CAAC,kBAAkB,KAAK,SAAS,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,SAAS,CACjB,+BAA+B,MAAM,CAAC,kBAAkB,KAAK;gBAC3D,sDAAsD,EACxD,GAAG,EACH,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,MAAM,CAAC,iBAAiB,IAAI,qBAAqB,CAAC;QACvE,MAAM,aAAa,GAAG,MAAM,CAAC,kBAAkB,IAAI,sBAAsB,CAAC;QAE1E,kDAAkD;QAClD,kEAAkE;QAClE,uBAAuB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAErD,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,iBAAiB,EAAE,YAAY;YAC/B,kBAAkB,EAAE,aAAa;SAClC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,WAAW,CACT,OAIC,EACD,SAAiB,EACjB,OAAgC;QAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAEhD,iDAAiD;QACjD,2EAA2E;QAC3E,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC;QAE5C,MAAM,WAAW,GAAiB;YAChC,GAAG,OAAO;YACV,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG,EAAE,sCAAsC;SAC5C,CAAC;QAEF,gBAAgB;QAChB,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAEpE,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEtE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,KAAa;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,oEAAoE;QACpE,4DAA4D;QAC5D,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAiC,CAAC;QACtF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,gEAAgE;QAChE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,SAAS,CACjB,sBAAsB,MAAM,CAAC,GAAG,4BAA4B,EAC5D,GAAG,EACH,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CAAC,8BAA8B,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC5E,CAAC;QAED,0EAA0E;QAC1E,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,iBAAiB,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;YAC9F,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACvE,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAA4B,CAAC;YAEvF,2BAA2B;YAC3B,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,MAAM,IAAI,SAAS,CAAC,+BAA+B,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;YAC7E,CAAC;YAED,OAAO,GAAG,OAAuB,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;gBAC/B,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,EAChE,GAAG,EACH,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,mBAAmB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,qDAAqD;QACrD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,GAAG,EAAE,qBAAqB,CAAC,CAAC;QACzE,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7D,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjE,MAAM,IAAI,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,IAAU,EAAE,gBAA0C;QACpE,2EAA2E;QAC3E,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,IAAI,SAAS,CACjB,uCAAuC,GAAG,IAAI;wBAC5C,wBAAwB,CAAC,GAAG,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAC/D,GAAG,EACH,gBAAgB,CACjB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,MAAM,WAAW,GAAG;YAClB,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1D,GAAG,gBAAgB;SACpB,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAClC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CACnC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,EACnC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAC/B,CAAC;QAEF,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YAC5D,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAYD,aAAa,CACX,YAAoB,EACpB,UAAqD;QAErD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAE/C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,4CAA4C,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC1F,CAAC;QAED,gDAAgD;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3C,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBAC/D,CAAC;gBACD,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,OAAO,CAAC,GAAG;YACf,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,KAAa;QACvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAiB,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,UAA8B;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAiB;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,UAAU,CAAC;AAkB3C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,OAAO;QACL,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE;YAC1B,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC;QAC1D,KAAK,EAAE,GAAG,EAAE;YACV,aAAa,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Authentication middleware for @veloxts/auth
+ * @module auth/middleware
+ */
+import type { BaseContext } from '@veloxts/core';
+import type { MiddlewareFunction } from '@veloxts/router';
+import { JwtManager } from './jwt.js';
+import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, User } from './types.js';
+/**
+ * Creates an authentication middleware for procedures (succinct API)
+ *
+ * This middleware:
+ * 1. Extracts JWT from Authorization header
+ * 2. Verifies the token
+ * 3. Loads user from database (if userLoader provided)
+ * 4. Adds user and auth context to ctx
+ * 5. Runs guards if specified
+ *
+ * @example
+ * ```typescript
+ * const auth = authMiddleware(authConfig);
+ *
+ * // Use in procedures
+ * const getProfile = procedure()
+ *   .use(auth.middleware())
+ *   .query(async ({ ctx }) => {
+ *     return ctx.user; // Guaranteed to exist
+ *   });
+ *
+ * // Optional auth (user may be undefined)
+ * const getPosts = procedure()
+ *   .use(auth.middleware({ optional: true }))
+ *   .query(async ({ ctx }) => {
+ *     // ctx.user may be undefined
+ *     return fetchPosts(ctx.user?.id);
+ *   });
+ *
+ * // With guards
+ * const adminOnly = procedure()
+ *   .use(auth.middleware({ guards: [hasRole('admin')] }))
+ *   .query(async ({ ctx }) => {
+ *     // Only admins get here
+ *   });
+ * ```
+ */
+export declare function authMiddleware(config: AuthConfig): {
+    middleware: <TInput, TContext extends BaseContext, TOutput>(options?: AuthMiddlewareOptions) => MiddlewareFunction<TInput, TContext, TContext & {
+        user?: User;
+        auth: AuthContext;
+    }, TOutput>;
+    requireAuth: <TInput, TContext extends BaseContext, TOutput>(guards?: Array<GuardDefinition | string>) => MiddlewareFunction<TInput, TContext, TContext & {
+        user: User;
+        auth: AuthContext;
+    }, TOutput>;
+    optionalAuth: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext & {
+        user?: User;
+        auth: AuthContext;
+    }, TOutput>;
+    jwt: JwtManager;
+};
+/**
+ * Creates an authentication middleware for procedures
+ *
+ * @deprecated Use `authMiddleware()` instead. Will be removed in v0.9.
+ */
+export declare const createAuthMiddleware: typeof authMiddleware;
+/**
+ * Creates a rate limiting middleware (succinct API)
+ *
+ * @example
+ * ```typescript
+ * const rateLimit = rateLimitMiddleware({
+ *   max: 100,
+ *   windowMs: 60000, // 1 minute
+ * });
+ *
+ * const login = procedure()
+ *   .use(rateLimit)
+ *   .input(LoginSchema)
+ *   .mutation(handler);
+ * ```
+ */
+export declare function rateLimitMiddleware<TInput, TContext extends BaseContext, TOutput>(options: {
+    max?: number;
+    windowMs?: number;
+    keyGenerator?: (ctx: TContext) => string;
+    message?: string;
+}): MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+/**
+ * Creates a rate limiting middleware
+ *
+ * @deprecated Use `rateLimitMiddleware()` instead. Will be removed in v0.9.
+ */
+export declare const createRateLimitMiddleware: typeof rateLimitMiddleware;
+/**
+ * Clears rate limit store (useful for testing)
+ */
+export declare function clearRateLimitStore(): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,qBAAqB,EACrB,eAAe,EAEf,IAAI,EACL,MAAM,YAAY,CAAC;AAOpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU;iBAM3B,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,YACtD,qBAAqB,KAC7B,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;kBA8H1E,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,WACvD,KAAK,CAAC,eAAe,GAAG,MAAM,CAAC,KACvC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;mBAYxE,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CACxF,MAAM,EACN,QAAQ,EACR,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAC7C,OAAO,CACR;;EAUF;AAED;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,uBAAiB,CAAC;AAkBnD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE;IAC1F,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAuC1D;AAED;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,4BAAsB,CAAC;AAE7D;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}