@veloxts/auth 0.6.68 → 0.6.70

package/dist/guards-narrowing.js

@@ -0,0 +1,80 @@
+/**
+ * Narrowing Guards (Experimental)
+ *
+ * These guards provide TypeScript type narrowing after they pass.
+ * When using `guardNarrow(authenticatedNarrow)`, the context type
+ * is narrowed to guarantee `ctx.user` is non-null.
+ *
+ * EXPERIMENTAL: This API may change. The current recommended approach
+ * is to use middleware for context type extension.
+ *
+ * @module auth/guards-narrowing
+ */
+import { authenticated, hasRole as hasRoleBase } from './guards.js';
+// ============================================================================
+// Narrowing Guards
+// ============================================================================
+/**
+ * Authenticated guard with type narrowing.
+ *
+ * When used with `guardNarrow()`, narrows `ctx.user` from `User | undefined`
+ * to `User`, eliminating the need for null checks in the handler.
+ *
+ * @example
+ * ```typescript
+ * import { authenticatedNarrow } from '@veloxts/auth';
+ *
+ * // With guardNarrow (experimental):
+ * procedure()
+ *   .guardNarrow(authenticatedNarrow)
+ *   .query(({ ctx }) => {
+ *     // ctx.user is typed as User (non-null)
+ *     return { email: ctx.user.email };
+ *   });
+ *
+ * // Current recommended alternative using middleware:
+ * procedure()
+ *   .guard(authenticated)
+ *   .use(async ({ ctx, next }) => {
+ *     if (!ctx.user) throw new Error('Unreachable');
+ *     return next({ ctx: { user: ctx.user } });
+ *   })
+ *   .query(({ ctx }) => {
+ *     // ctx.user is non-null via middleware
+ *   });
+ * ```
+ */
+export const authenticatedNarrow = {
+    ...authenticated,
+    // Phantom type: value is never used at runtime, only carries type info.
+    // The `undefined as unknown as T` pattern is standard for phantom types.
+    _narrows: undefined,
+};
+/**
+ * Creates a role-checking guard with type narrowing.
+ *
+ * Narrows `ctx.user` to guarantee non-null with roles array.
+ *
+ * @param roles - Required role(s)
+ * @returns NarrowingGuard that guarantees user with roles
+ *
+ * @example
+ * ```typescript
+ * import { hasRoleNarrow } from '@veloxts/auth';
+ *
+ * procedure()
+ *   .guardNarrow(hasRoleNarrow('admin'))
+ *   .mutation(({ ctx }) => {
+ *     // ctx.user is typed as User (non-null)
+ *     // ctx.user.roles is string[]
+ *   });
+ * ```
+ */
+export function hasRoleNarrow(roles) {
+    const baseGuard = hasRoleBase(roles);
+    return {
+        ...baseGuard,
+        // Phantom type: carries type info for guardNarrow() context narrowing
+        _narrows: undefined,
+    };
+}

package/dist/index.d.ts

@@ -8,30 +8,33 @@
  * @module @veloxts/auth
  */
 export { AUTH_VERSION } from './plugin.js';
-export type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, GuardFunction, HashConfig, JwtConfig, 
-/**
- * @deprecated Use SessionConfig from session.ts for full session management
- */
-LegacySessionConfig, PolicyAction, PolicyDefinition, RateLimitConfig, TokenPair, TokenPayload, User, } from './types.js';
+export type { AdapterAuthContext, AuthConfig, AuthContext, AuthMiddlewareOptions, BaseAuthContext, GuardDefinition, GuardFunction, HashConfig, JwtConfig, NativeAuthContext, PolicyAction, PolicyDefinition, RateLimitConfig, TokenPair, TokenPayload, User, } from './types.js';
 export { AuthError } from './types.js';
+export { AUTH_REGISTERED, checkDoubleRegistration, decorateAuth, getRequestAuth, getRequestUser, setRequestAuth, } from './decoration.js';
 export type { TokenStore } from './jwt.js';
 export { createInMemoryTokenStore, generateTokenId, isValidTimespan, JwtManager, jwtManager, parseTimeToSeconds, validateTokenExpiration, } from './jwt.js';
+export type { EnhancedTokenStore, EnhancedTokenStoreOptions } from './token-store.js';
+export { createEnhancedTokenStore, DEFAULT_ALLOWED_ROLES, parseUserRoles, } from './token-store.js';
+export type { AuthenticatedContext, InferNarrowedContext, NarrowingGuard, RoleNarrowedContext, } from './guards-narrowing.js';
+export { authenticatedNarrow, hasRoleNarrow } from './guards-narrowing.js';
 export { hashPassword, PasswordHasher, passwordHasher, verifyPassword, } from './hash.js';
 export { allOf, anyOf, authenticated, defineGuard, emailVerified, executeGuard, executeGuards, guard, hasAnyPermission, hasPermission, hasRole, not, userCan, } from './guards.js';
 export { authorize, can, cannot, clearPolicies, createAdminOnlyPolicy, createOwnerOrAdminPolicy, createPolicyBuilder, createReadOnlyPolicy, definePolicy, getPolicy, registerPolicy, } from './policies.js';
 export { authMiddleware, clearRateLimitStore, rateLimitMiddleware, } from './middleware.js';
 export type { AuthRateLimitConfig, AuthRateLimiter, AuthRateLimiterConfig } from './rate-limit.js';
 export { authRateLimiter, clearAuthRateLimitStore, createAuthRateLimiter, stopAuthRateLimitCleanup, } from './rate-limit.js';
-export type { AuthPluginOptions, AuthService } from './plugin.js';
-export { authPlugin, defaultAuthPlugin, } from './plugin.js';
+export type { AuthPluginOptions, AuthService, JwtAuthOptions } from './plugin.js';
+export { authPlugin, defaultAuthPlugin, jwtAuth, } from './plugin.js';
 export type { CsrfConfig, CsrfContext, CsrfCookieConfig, CsrfErrorCode, CsrfManager, CsrfMiddlewareOptions, CsrfTokenConfig, CsrfTokenData, CsrfTokenResult, CsrfValidationConfig, } from './csrf.js';
 export { CsrfError, csrfManager, csrfMiddleware, } from './csrf.js';
 export type { Session, SessionAuthContext, SessionConfig, SessionContext, SessionCookieConfig, SessionData, SessionExpirationConfig, SessionManager, SessionMiddlewareOptions, SessionStore, StoredSession, } from './session.js';
 export { inMemorySessionStore, sessionManager, sessionMiddleware, } from './session.js';
-export type { AdapterAuthContext, AdapterHttpMethod, AdapterMiddlewareOptions, AdapterRoute, AdapterSession, AdapterSessionResult, AdapterUser, AuthAdapter, AuthAdapterConfig, AuthAdapterErrorCode, AuthAdapterPluginOptions, InferAdapterConfig, } from './adapter.js';
+export type { AdapterHttpMethod, AdapterMiddlewareContext, AdapterMiddlewareOptions, AdapterRoute, AdapterSession, AdapterSessionResult, AdapterUser, AuthAdapter, AuthAdapterConfig, AuthAdapterErrorCode, AuthAdapterPluginOptions, InferAdapterConfig, } from './adapter.js';
 export { AuthAdapterError, BaseAuthAdapter, createAdapterAuthMiddleware, createAuthAdapterPlugin, defineAuthAdapter, isAuthAdapter, } from './adapter.js';
 export type { BetterAuthAdapterConfig, BetterAuthApi, BetterAuthHandler, BetterAuthInstance, BetterAuthSession, BetterAuthSessionResult, BetterAuthUser, } from './adapters/better-auth.js';
 export { BetterAuthAdapter, createBetterAuthAdapter } from './adapters/better-auth.js';
+export type { JwtAdapterConfig } from './adapters/jwt-adapter.js';
+export { createJwtAdapter, JwtAdapter } from './adapters/jwt-adapter.js';
 export type { PasswordPolicyConfig, PasswordValidationResult, UserInfo, } from './password-policy.js';
 export { checkPasswordBreach, checkPasswordStrength, isCommonPassword, PasswordPolicy, PasswordStrength, passwordPolicy, } from './password-policy.js';
 /**

package/dist/index.js

@@ -12,7 +12,13 @@
 // ============================================================================
 export { AUTH_VERSION } from './plugin.js';
 export { AuthError } from './types.js';
+// ============================================================================
+// Decoration Utilities
+// ============================================================================
+export { AUTH_REGISTERED, checkDoubleRegistration, decorateAuth, getRequestAuth, getRequestUser, setRequestAuth, } from './decoration.js';
 export { createInMemoryTokenStore, generateTokenId, isValidTimespan, JwtManager, jwtManager, parseTimeToSeconds, validateTokenExpiration, } from './jwt.js';
+export { createEnhancedTokenStore, DEFAULT_ALLOWED_ROLES, parseUserRoles, } from './token-store.js';
+export { authenticatedNarrow, hasRoleNarrow } from './guards-narrowing.js';
 // ============================================================================
 // Password Hashing
 // ============================================================================
@@ -52,7 +58,7 @@ authRateLimiter,
 clearAuthRateLimitStore, 
 // Factory
 createAuthRateLimiter, stopAuthRateLimitCleanup, } from './rate-limit.js';
-export { authPlugin, defaultAuthPlugin, } from './plugin.js';
+export { authPlugin, defaultAuthPlugin, jwtAuth, } from './plugin.js';
 export { CsrfError, csrfManager, csrfMiddleware, } from './csrf.js';
 export { inMemorySessionStore, sessionManager, sessionMiddleware, } from './session.js';
 export { 
@@ -65,6 +71,7 @@ createAdapterAuthMiddleware, createAuthAdapterPlugin, defineAuthAdapter,
 // Type guard
 isAuthAdapter, } from './adapter.js';
 export { BetterAuthAdapter, createBetterAuthAdapter } from './adapters/better-auth.js';
+export { createJwtAdapter, JwtAdapter } from './adapters/jwt-adapter.js';
 export { checkPasswordBreach, checkPasswordStrength, isCommonPassword, PasswordPolicy, PasswordStrength, passwordPolicy, } from './password-policy.js';
 // ============================================================================
 // Dependency Injection

package/dist/middleware.d.ts

@@ -5,7 +5,7 @@
 import type { BaseContext } from '@veloxts/core';
 import type { MiddlewareFunction } from '@veloxts/router';
 import { JwtManager } from './jwt.js';
-import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, User } from './types.js';
+import type { AuthConfig, AuthMiddlewareOptions, GuardDefinition, NativeAuthContext, User } from './types.js';
 /**
  * Creates an authentication middleware for procedures (succinct API)
  *
@@ -46,15 +46,15 @@ import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, U
 export declare function authMiddleware(config: AuthConfig): {
     middleware: <TInput, TContext extends BaseContext, TOutput>(options?: AuthMiddlewareOptions) => MiddlewareFunction<TInput, TContext, TContext & {
         user?: User;
-        auth: AuthContext;
+        auth: NativeAuthContext;
     }, TOutput>;
     requireAuth: <TInput, TContext extends BaseContext, TOutput>(guards?: Array<GuardDefinition | string>) => MiddlewareFunction<TInput, TContext, TContext & {
         user: User;
-        auth: AuthContext;
+        auth: NativeAuthContext;
     }, TOutput>;
     optionalAuth: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext & {
         user?: User;
-        auth: AuthContext;
+        auth: NativeAuthContext;
     }, TOutput>;
     jwt: JwtManager;
 };

package/dist/middleware.js

@@ -61,8 +61,10 @@ export function authMiddleware(config) {
                 if (options.optional) {
                     // Optional auth - continue without user
                     const authContext = {
+                        authMode: 'native',
                         user: undefined,
                         token: undefined,
+                        payload: undefined,
                         isAuthenticated: false,
                     };
                     return next({
@@ -85,8 +87,10 @@ export function authMiddleware(config) {
                 if (options.optional) {
                     // Invalid token with optional auth - continue without user
                     const authContext = {
+                        authMode: 'native',
                         user: undefined,
                         token: undefined,
+                        payload: undefined,
                         isAuthenticated: false,
                     };
                     return next({
@@ -123,8 +127,10 @@ export function authMiddleware(config) {
             }
             // Create auth context
             const authContext = {
+                authMode: 'native',
                 user: user ?? undefined,
-                token: payload,
+                token,
+                payload,
                 isAuthenticated: !!user,
             };
             // Build extended context

package/dist/plugin.d.ts

@@ -1,13 +1,18 @@
 /**
  * VeloxTS Auth Plugin
- * Fastify plugin that integrates authentication with VeloxApp
+ *
+ * Unified authentication using the adapter pattern internally.
+ * This plugin provides a convenient API while using JwtAdapter under the hood.
+ *
  * @module auth/plugin
  */
 import type { Container, VeloxPlugin } from '@veloxts/core';
+import type { AuthAdapterPluginOptions } from './adapter.js';
+import type { JwtAdapterConfig } from './adapters/jwt-adapter.js';
 import { PasswordHasher } from './hash.js';
-import { JwtManager } from './jwt.js';
+import type { JwtManager, TokenStore } from './jwt.js';
 import { authMiddleware } from './middleware.js';
-import type { AuthConfig, AuthContext, TokenPair, User } from './types.js';
+import type { AdapterAuthContext, AuthConfig, TokenPair, User } from './types.js';
 /** Auth package version */
 export declare const AUTH_VERSION: string;
 /**
@@ -59,6 +64,10 @@ export interface AuthService {
      * Password hasher for secure password storage
      */
     hasher: PasswordHasher;
+    /**
+     * Token store for revocation (if configured)
+     */
+    tokenStore?: TokenStore;
     /**
      * Creates a token pair for a user
      */
@@ -66,7 +75,7 @@ export interface AuthService {
     /**
      * Verifies an access token and returns the auth context
      */
-    verifyToken(token: string): AuthContext;
+    verifyToken(token: string): AdapterAuthContext;
     /**
      * Refreshes tokens using a refresh token
      */
@@ -76,6 +85,7 @@ export interface AuthService {
      */
     middleware: ReturnType<typeof authMiddleware>;
 }
+import type { AuthContext } from './types.js';
 declare module 'fastify' {
     interface FastifyInstance {
         auth: AuthService;
@@ -86,7 +96,10 @@ declare module 'fastify' {
     }
 }
 /**
- * Creates the VeloxTS auth plugin (succinct API)
+ * Creates the VeloxTS auth plugin
+ *
+ * **Internally uses the JwtAdapter** for unified architecture.
+ * All authentication in VeloxTS uses the adapter pattern.
  *
  * This plugin provides:
  * - JWT token management (access + refresh tokens)
@@ -142,3 +155,55 @@ export declare function authPlugin(options: AuthPluginOptions): VeloxPlugin<Auth
  * ```
  */
 export declare function defaultAuthPlugin(): VeloxPlugin<AuthPluginOptions>;
+/**
+ * Options for jwtAuth convenience function
+ *
+ * Omits the 'name' field since it's auto-set to 'jwt'.
+ */
+export type JwtAuthOptions = Omit<JwtAdapterConfig, 'name'>;
+/**
+ * Creates JWT auth using the adapter pattern directly
+ *
+ * This is an alternative to `authPlugin` that gives you more control over
+ * adapter-specific features like built-in routes and route prefixes.
+ *
+ * **Note:** Both `authPlugin` and `jwtAuth` now use the adapter pattern internally.
+ * Choose based on your needs:
+ *
+ * **Use `authPlugin` when:**
+ * - You need the `authMiddleware` factory for fine-grained procedure control
+ * - You're using DI container integration
+ * - You want the familiar VeloxTS auth API (`fastify.auth.createTokens()`, etc.)
+ *
+ * **Use `jwtAuth` when:**
+ * - You want built-in `/api/auth/refresh` and `/api/auth/logout` routes
+ * - You're building a pure adapter-based setup
+ * - You want direct access to adapter features
+ *
+ * @param options - JWT adapter configuration
+ * @returns VeloxPlugin ready for registration
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuth } from '@veloxts/auth';
+ *
+ * // With built-in routes
+ * app.use(jwtAuth({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ *   enableRoutes: true, // Mount /api/auth/refresh and /api/auth/logout
+ *   routePrefix: '/api/auth',
+ * }));
+ *
+ * // Access JWT utilities via fastify
+ * const tokens = fastify.jwtManager!.createTokenPair(user);
+ * await fastify.tokenStore!.revoke(tokenId);
+ * ```
+ */
+export declare function jwtAuth(options: JwtAuthOptions): VeloxPlugin<AuthAdapterPluginOptions<JwtAdapterConfig>>;

package/dist/plugin.js

@@ -1,11 +1,16 @@
 /**
  * VeloxTS Auth Plugin
- * Fastify plugin that integrates authentication with VeloxApp
+ *
+ * Unified authentication using the adapter pattern internally.
+ * This plugin provides a convenient API while using JwtAdapter under the hood.
+ *
  * @module auth/plugin
  */
 import { createRequire } from 'node:module';
+import { createAuthAdapterPlugin } from './adapter.js';
+import { createJwtAdapter } from './adapters/jwt-adapter.js';
+import { checkDoubleRegistration, decorateAuth } from './decoration.js';
 import { PasswordHasher } from './hash.js';
-import { JwtManager } from './jwt.js';
 import { authMiddleware } from './middleware.js';
 import { registerAuthProviders } from './providers.js';
 import { AUTH_SERVICE } from './tokens.js';
@@ -18,7 +23,26 @@ export const AUTH_VERSION = packageJson.version ?? '0.0.0-unknown';
 // Auth Plugin
 // ============================================================================
 /**
- * Creates the VeloxTS auth plugin (succinct API)
+ * Wraps isTokenRevoked callback as a TokenStore interface
+ * @internal
+ */
+function createCallbackTokenStore(isTokenRevoked) {
+    return {
+        revoke: () => {
+            // No-op: callback-based stores don't support revocation
+            // Users must implement their own revocation mechanism
+        },
+        isRevoked: isTokenRevoked,
+        clear: () => {
+            // No-op
+        },
+    };
+}
+/**
+ * Creates the VeloxTS auth plugin
+ *
+ * **Internally uses the JwtAdapter** for unified architecture.
+ * All authentication in VeloxTS uses the adapter pattern.
  *
  * This plugin provides:
  * - JWT token management (access + refresh tokens)
@@ -60,43 +84,103 @@ export function authPlugin(options) {
     return {
         name: '@veloxts/auth',
         version: AUTH_VERSION,
-        // No explicit dependencies - works with any Fastify instance
-        // The plugin decorates Fastify with auth functionality
         async register(server, _opts) {
             const config = { ...options, ..._opts };
             const { debug = false, container } = config;
+            // Prevent double-registration of auth systems
+            checkDoubleRegistration(server, 'authPlugin');
             if (debug) {
-                server.log.info('Registering @veloxts/auth plugin');
+                server.log.info('Registering @veloxts/auth plugin (adapter-based)');
             }
-            let authService;
+            // DI-enabled path: Use container for service resolution
             if (container) {
-                // DI-enabled path: Register providers and resolve from container
                 if (debug) {
                     server.log.info('Using DI container for auth services');
                 }
                 registerAuthProviders(container, config);
-                authService = container.resolve(AUTH_SERVICE);
+                const authService = container.resolve(AUTH_SERVICE);
+                server.decorate('auth', authService);
+                // Still need to register the adapter plugin for session loading
+                const { adapter, config: adapterConfig } = createJwtAdapter({
+                    jwt: config.jwt,
+                    userLoader: config.userLoader,
+                    tokenStore: config.isTokenRevoked
+                        ? createCallbackTokenStore(config.isTokenRevoked)
+                        : undefined,
+                    enableRoutes: false, // Don't mount routes when using authPlugin
+                    debug,
+                });
+                // Initialize the adapter for session loading
+                await adapter.initialize(server, adapterConfig);
+                // Decorate requests with auth context
+                decorateAuth(server);
+                // Add preHandler hook for session loading
+                server.addHook('preHandler', async (request) => {
+                    if (config.autoExtract === false)
+                        return;
+                    const session = await adapter.getSession(request);
+                    if (session) {
+                        const user = {
+                            id: session.user.id,
+                            email: session.user.email,
+                            ...(session.user.emailVerified !== undefined && {
+                                emailVerified: session.user.emailVerified,
+                            }),
+                            ...session.user.providerData,
+                        };
+                        const authContext = {
+                            authMode: 'adapter',
+                            isAuthenticated: true,
+                            user,
+                            providerId: 'jwt',
+                            session: session.session.providerData,
+                        };
+                        request.auth = authContext;
+                        request.user = user;
+                    }
+                });
             }
             else {
-                // Legacy path: Direct instantiation (backward compatible)
-                const jwt = new JwtManager(config.jwt);
+                // Adapter-based path: Use JwtAdapter directly
+                // Convert isTokenRevoked callback to TokenStore if provided
+                const tokenStore = config.isTokenRevoked
+                    ? createCallbackTokenStore(config.isTokenRevoked)
+                    : undefined;
+                // Create the JWT adapter
+                const { adapter, config: adapterConfig } = createJwtAdapter({
+                    jwt: config.jwt,
+                    userLoader: config.userLoader,
+                    tokenStore,
+                    enableRoutes: false, // authPlugin manages its own API
+                    debug,
+                });
+                // Initialize adapter
+                await adapter.initialize(server, adapterConfig);
+                // Decorate requests with auth context
+                decorateAuth(server);
+                // Get JWT manager from adapter
+                const jwt = adapter.getJwtManager();
                 const hasher = new PasswordHasher(config.hash);
                 const authMw = authMiddleware(config);
-                authService = {
+                // Build AuthService from adapter
+                const authService = {
                     jwt,
                     hasher,
+                    tokenStore: adapter.getTokenStore(),
                     createTokens(user, additionalClaims) {
                         return jwt.createTokenPair(user, additionalClaims);
                     },
                     verifyToken(token) {
                         const payload = jwt.verifyToken(token);
                         return {
+                            authMode: 'adapter',
                             user: {
                                 id: payload.sub,
                                 email: payload.email,
                             },
-                            token: payload,
                             isAuthenticated: true,
+                            providerId: 'jwt',
+                            session: { token, payload },
                         };
                     },
                     refreshTokens(refreshToken) {
@@ -107,56 +191,33 @@ export function authPlugin(options) {
                     },
                     middleware: authMw,
                 };
-            }
-            // Decorate server with auth service
-            server.decorate('auth', authService);
-            // Decorate requests with auth context (undefined initial value)
-            server.decorateRequest('auth', undefined);
-            server.decorateRequest('user', undefined);
-            // Add preHandler hook to extract auth from headers (optional)
-            if (config.autoExtract !== false) {
-                server.addHook('preHandler', async (request) => {
-                    const authHeader = request.headers.authorization;
-                    const token = authService.jwt.extractFromHeader(authHeader);
-                    if (token) {
-                        try {
-                            const payload = authService.jwt.verifyToken(token);
-                            // Check if token is revoked
-                            if (config.isTokenRevoked && payload.jti) {
-                                const revoked = await config.isTokenRevoked(payload.jti);
-                                if (revoked) {
-                                    // Token revoked - don't set auth context
-                                    return;
-                                }
-                            }
-                            // Load user if loader provided
-                            let user = null;
-                            if (config.userLoader) {
-                                user = await config.userLoader(payload.sub);
-                            }
-                            else {
-                                user = {
-                                    id: payload.sub,
-                                    email: payload.email,
-                                };
-                            }
-                            if (user) {
-                                request.auth = {
-                                    user,
-                                    token: payload,
-                                    isAuthenticated: true,
-                                };
-                                request.user = user;
-                            }
-                        }
-                        catch {
-                            // Invalid token - silently ignore (optional auth)
-                            if (debug) {
-                                server.log.debug('Invalid auth token in request');
-                            }
+                // Decorate server with auth service
+                server.decorate('auth', authService);
+                // Add preHandler hook for session loading (using adapter)
+                if (config.autoExtract !== false) {
+                    server.addHook('preHandler', async (request) => {
+                        const session = await adapter.getSession(request);
+                        if (session) {
+                            const user = {
+                                id: session.user.id,
+                                email: session.user.email,
+                                ...(session.user.emailVerified !== undefined && {
+                                    emailVerified: session.user.emailVerified,
+                                }),
+                                ...session.user.providerData,
+                            };
+                            const authContext = {
+                                authMode: 'adapter',
+                                isAuthenticated: true,
+                                user,
+                                providerId: 'jwt',
+                                session: session.session.providerData,
+                            };
+                            request.auth = authContext;
+                            request.user = user;
                         }
-                    }
-                });
+                    });
+                }
             }
             // Add shutdown hook for cleanup
             server.addHook('onClose', async () => {
@@ -196,3 +257,52 @@ export function defaultAuthPlugin() {
         jwt: { secret },
     });
 }
+/**
+ * Creates JWT auth using the adapter pattern directly
+ *
+ * This is an alternative to `authPlugin` that gives you more control over
+ * adapter-specific features like built-in routes and route prefixes.
+ *
+ * **Note:** Both `authPlugin` and `jwtAuth` now use the adapter pattern internally.
+ * Choose based on your needs:
+ *
+ * **Use `authPlugin` when:**
+ * - You need the `authMiddleware` factory for fine-grained procedure control
+ * - You're using DI container integration
+ * - You want the familiar VeloxTS auth API (`fastify.auth.createTokens()`, etc.)
+ *
+ * **Use `jwtAuth` when:**
+ * - You want built-in `/api/auth/refresh` and `/api/auth/logout` routes
+ * - You're building a pure adapter-based setup
+ * - You want direct access to adapter features
+ *
+ * @param options - JWT adapter configuration
+ * @returns VeloxPlugin ready for registration
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuth } from '@veloxts/auth';
+ *
+ * // With built-in routes
+ * app.use(jwtAuth({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET!,
+ *     accessTokenExpiry: '15m',
+ *     refreshTokenExpiry: '7d',
+ *   },
+ *   userLoader: async (userId) => {
+ *     return db.user.findUnique({ where: { id: userId } });
+ *   },
+ *   enableRoutes: true, // Mount /api/auth/refresh and /api/auth/logout
+ *   routePrefix: '/api/auth',
+ * }));
+ *
+ * // Access JWT utilities via fastify
+ * const tokens = fastify.jwtManager!.createTokenPair(user);
+ * await fastify.tokenStore!.revoke(tokenId);
+ * ```
+ */
+export function jwtAuth(options) {
+    const { adapter, config } = createJwtAdapter(options);
+    return createAuthAdapterPlugin({ adapter, config });
+}

package/dist/providers.js

@@ -109,12 +109,14 @@ export function authServiceProvider() {
                 verifyToken(token) {
                     const payload = jwt.verifyToken(token);
                     return {
+                        authMode: 'adapter',
                         user: {
                             id: payload.sub,
                             email: payload.email,
                         },
-                        token: payload,
                         isAuthenticated: true,
+                        providerId: 'jwt',
+                        session: { token, payload },
                     };
                 },
                 refreshTokens(refreshToken) {