@veloxts/auth 0.6.90 → 0.6.91

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @veloxts/auth
 
+## 0.6.91
+
+### Patch Changes
+
+- removed unused DI system
+- Updated dependencies
+  - @veloxts/core@0.6.91
+  - @veloxts/router@0.6.91
+
 ## 0.6.90
 
 ### Patch Changes

package/GUIDE.md

@@ -22,9 +22,13 @@ const session = sessionMiddleware({
 });
 
 const getProfile = procedure()
-  .use(session.requireAuth())
+  .use(session.required())
   .query(({ ctx }) => ctx.user);
 
+const publicPage = procedure()
+  .use(session.optional())
+  .query(({ ctx }) => ({ user: ctx.user ?? null }));
+
 // Login/Logout
 await ctx.session.login(user);
 await ctx.session.logout();
@@ -47,8 +51,12 @@ const auth = authMiddleware({
 });
 
 const getProfile = procedure()
-  .use(auth.requireAuth())
+  .use(auth.required())
   .query(({ ctx }) => ctx.user);
+
+const publicEndpoint = procedure()
+  .use(auth.optional())
+  .query(({ ctx }) => ({ user: ctx.user ?? null }));
 ```
 
 ## Guards
@@ -81,10 +89,18 @@ const adminWithPermission = procedure()
 ## Password Hashing
 
 ```typescript
-import { hashPassword, verifyPassword } from '@veloxts/auth';
+import { hashPassword, verifyPassword, passwordHasher, DEFAULT_HASH_CONFIG } from '@veloxts/auth';
 
-const hash = await hashPassword('password', { cost: 12 });
+// Simple usage (uses DEFAULT_HASH_CONFIG: bcrypt, 12 rounds)
+const hash = await hashPassword('password');
 const valid = await verifyPassword('password', hash);
+
+// Custom configuration
+const hasher = passwordHasher({
+  ...DEFAULT_HASH_CONFIG,
+  bcryptRounds: 14, // Increase for higher security
+});
+const customHash = await hasher.hash('password');
 ```
 
 ## Learn More

package/dist/hash.d.ts

@@ -3,6 +3,31 @@
  * @module auth/hash
  */
 import type { HashConfig } from './types.js';
+/**
+ * Default password hashing configuration
+ *
+ * Uses bcrypt with 12 rounds, which provides a good balance between
+ * security and performance. Increase rounds for higher security
+ * (each increment doubles the computation time).
+ *
+ * @example
+ * ```typescript
+ * import { DEFAULT_HASH_CONFIG, passwordHasher } from '@veloxts/auth';
+ *
+ * // Use defaults explicitly
+ * const hasher = passwordHasher(DEFAULT_HASH_CONFIG);
+ *
+ * // Or customize from defaults
+ * const strongerHasher = passwordHasher({
+ *   ...DEFAULT_HASH_CONFIG,
+ *   bcryptRounds: 14,
+ * });
+ * ```
+ */
+export declare const DEFAULT_HASH_CONFIG: {
+    readonly algorithm: "bcrypt";
+    readonly bcryptRounds: 12;
+};
 /**
  * Password hasher with configurable algorithms
  *

package/dist/hash.js

@@ -12,6 +12,31 @@ const DEFAULT_BCRYPT_ROUNDS = 12;
 const DEFAULT_ARGON2_MEMORY_COST = 65536; // 64 MB
 const DEFAULT_ARGON2_TIME_COST = 3;
 const DEFAULT_ARGON2_PARALLELISM = 4;
+/**
+ * Default password hashing configuration
+ *
+ * Uses bcrypt with 12 rounds, which provides a good balance between
+ * security and performance. Increase rounds for higher security
+ * (each increment doubles the computation time).
+ *
+ * @example
+ * ```typescript
+ * import { DEFAULT_HASH_CONFIG, passwordHasher } from '@veloxts/auth';
+ *
+ * // Use defaults explicitly
+ * const hasher = passwordHasher(DEFAULT_HASH_CONFIG);
+ *
+ * // Or customize from defaults
+ * const strongerHasher = passwordHasher({
+ *   ...DEFAULT_HASH_CONFIG,
+ *   bcryptRounds: 14,
+ * });
+ * ```
+ */
+export const DEFAULT_HASH_CONFIG = {
+    algorithm: 'bcrypt',
+    bcryptRounds: DEFAULT_BCRYPT_ROUNDS,
+};
 // ============================================================================
 // Password Hasher Class
 // ============================================================================

package/dist/index.d.ts

@@ -17,7 +17,7 @@ export type { EnhancedTokenStore, EnhancedTokenStoreOptions } from './token-stor
 export { createEnhancedTokenStore, DEFAULT_ALLOWED_ROLES, parseUserRoles, } from './token-store.js';
 export type { AuthenticatedContext, InferNarrowedContext, NarrowingGuard, RoleNarrowedContext, } from './guards-narrowing.js';
 export { authenticatedNarrow, hasRoleNarrow } from './guards-narrowing.js';
-export { hashPassword, PasswordHasher, passwordHasher, verifyPassword, } from './hash.js';
+export { DEFAULT_HASH_CONFIG, hashPassword, PasswordHasher, passwordHasher, verifyPassword, } from './hash.js';
 export type { GuardBuilder } from './guards.js';
 export { allOf, anyOf, authenticated, defineGuard, emailVerified, executeGuard, executeGuards, guard, hasAnyPermission, hasPermission, hasRole, not, userCan, } from './guards.js';
 export { authorize, can, cannot, clearPolicies, createAdminOnlyPolicy, createOwnerOrAdminPolicy, createPolicyBuilder, createReadOnlyPolicy, definePolicy, getPolicy, registerPolicy, } from './policies.js';
@@ -38,24 +38,3 @@ export type { JwtAdapterConfig } from './adapters/jwt-adapter.js';
 export { createJwtAdapter, JwtAdapter } from './adapters/jwt-adapter.js';
 export type { PasswordPolicyConfig, PasswordValidationResult, UserInfo, } from './password-policy.js';
 export { checkPasswordBreach, checkPasswordStrength, isCommonPassword, PasswordPolicy, PasswordStrength, passwordPolicy, } from './password-policy.js';
-/**
- * DI tokens and providers for @veloxts/auth
- *
- * Use these to integrate auth services with the @veloxts/core DI container.
- *
- * @example
- * ```typescript
- * import { Container } from '@veloxts/core';
- * import { registerAuthProviders, JWT_MANAGER, PASSWORD_HASHER } from '@veloxts/auth';
- *
- * const container = new Container();
- * registerAuthProviders(container, {
- *   jwt: { secret: process.env.JWT_SECRET! }
- * });
- *
- * const jwt = container.resolve(JWT_MANAGER);
- * const hasher = container.resolve(PASSWORD_HASHER);
- * ```
- */
-export { authServiceProvider, jwtManagerProvider, passwordHasherProvider, passwordHasherProviderWithDefaults, registerAuthProviders, } from './providers.js';
-export { AUTH_CONFIG, AUTH_RATE_LIMITER, AUTH_SERVICE, CSRF_CONFIG, HASH_CONFIG, JWT_CONFIG, JWT_MANAGER, PASSWORD_HASHER, RATE_LIMIT_CONFIG, SESSION_CONFIG, SESSION_STORE, TOKEN_STORE, } from './tokens.js';

package/dist/index.js

@@ -22,7 +22,7 @@ export { authenticatedNarrow, hasRoleNarrow } from './guards-narrowing.js';
 // ============================================================================
 // Password Hashing
 // ============================================================================
-export { hashPassword, PasswordHasher, passwordHasher, verifyPassword, } from './hash.js';
+export { DEFAULT_HASH_CONFIG, hashPassword, PasswordHasher, passwordHasher, verifyPassword, } from './hash.js';
 export { 
 // Combinators
 allOf, anyOf, 
@@ -71,37 +71,3 @@ isAuthAdapter, } from './adapter.js';
 export { BetterAuthAdapter, createBetterAuthAdapter } from './adapters/better-auth.js';
 export { createJwtAdapter, JwtAdapter } from './adapters/jwt-adapter.js';
 export { checkPasswordBreach, checkPasswordStrength, isCommonPassword, PasswordPolicy, PasswordStrength, passwordPolicy, } from './password-policy.js';
-// ============================================================================
-// Dependency Injection
-// ============================================================================
-/**
- * DI tokens and providers for @veloxts/auth
- *
- * Use these to integrate auth services with the @veloxts/core DI container.
- *
- * @example
- * ```typescript
- * import { Container } from '@veloxts/core';
- * import { registerAuthProviders, JWT_MANAGER, PASSWORD_HASHER } from '@veloxts/auth';
- *
- * const container = new Container();
- * registerAuthProviders(container, {
- *   jwt: { secret: process.env.JWT_SECRET! }
- * });
- *
- * const jwt = container.resolve(JWT_MANAGER);
- * const hasher = container.resolve(PASSWORD_HASHER);
- * ```
- */
-// Provider exports - factory functions for registering services
-export { authServiceProvider, jwtManagerProvider, passwordHasherProvider, passwordHasherProviderWithDefaults, 
-// Bulk registration helper
-registerAuthProviders, } from './providers.js';
-// Token exports - unique identifiers for DI resolution
-export { 
-// Config tokens
-AUTH_CONFIG, AUTH_RATE_LIMITER, 
-// Service tokens
-AUTH_SERVICE, CSRF_CONFIG, HASH_CONFIG, JWT_CONFIG, JWT_MANAGER, PASSWORD_HASHER, RATE_LIMIT_CONFIG, SESSION_CONFIG, 
-// Store tokens
-SESSION_STORE, TOKEN_STORE, } from './tokens.js';

package/dist/middleware.d.ts

@@ -20,18 +20,17 @@ import type { AuthConfig, AuthMiddlewareOptions, GuardDefinition, NativeAuthCont
  * ```typescript
  * const auth = authMiddleware(authConfig);
  *
- * // Use in procedures
+ * // Required auth (user guaranteed to exist)
  * const getProfile = procedure()
- *   .use(auth.middleware())
+ *   .use(auth.required())
  *   .query(async ({ ctx }) => {
- *     return ctx.user; // Guaranteed to exist
+ *     return ctx.user;
  *   });
  *
  * // Optional auth (user may be undefined)
  * const getPosts = procedure()
- *   .use(auth.middleware({ optional: true }))
+ *   .use(auth.optional())
  *   .query(async ({ ctx }) => {
- *     // ctx.user may be undefined
  *     return fetchPosts(ctx.user?.id);
  *   });
  *
@@ -56,6 +55,14 @@ export declare function authMiddleware(config: AuthConfig): {
         user?: User;
         auth: NativeAuthContext;
     }, TOutput>;
+    required: <TInput, TContext extends BaseContext, TOutput>(guards?: Array<GuardDefinition | string>) => MiddlewareFunction<TInput, TContext, TContext & {
+        user: User;
+        auth: NativeAuthContext;
+    }, TOutput>;
+    optional: <TInput, TContext extends BaseContext, TOutput>() => MiddlewareFunction<TInput, TContext, TContext & {
+        user?: User;
+        auth: NativeAuthContext;
+    }, TOutput>;
     jwt: JwtManager;
 };
 /**

package/dist/middleware.js

@@ -22,18 +22,17 @@ import { AuthError } from './types.js';
  * ```typescript
  * const auth = authMiddleware(authConfig);
  *
- * // Use in procedures
+ * // Required auth (user guaranteed to exist)
  * const getProfile = procedure()
- *   .use(auth.middleware())
+ *   .use(auth.required())
  *   .query(async ({ ctx }) => {
- *     return ctx.user; // Guaranteed to exist
+ *     return ctx.user;
  *   });
  *
  * // Optional auth (user may be undefined)
  * const getPosts = procedure()
- *   .use(auth.middleware({ optional: true }))
+ *   .use(auth.optional())
  *   .query(async ({ ctx }) => {
- *     // ctx.user may be undefined
  *     return fetchPosts(ctx.user?.id);
  *   });
  *
@@ -173,6 +172,9 @@ export function authMiddleware(config) {
         middleware,
         requireAuth,
         optionalAuth,
+        // Terse aliases (Laravel-inspired)
+        required: requireAuth,
+        optional: optionalAuth,
         jwt,
     };
 }

package/dist/plugin.d.ts

@@ -6,13 +6,14 @@
  *
  * @module auth/plugin
  */
-import type { Container, VeloxPlugin } from '@veloxts/core';
-import type { AuthAdapterPluginOptions } from './adapter.js';
+import type { VeloxPlugin } from '@veloxts/core';
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import type { AdapterUser, AuthAdapterError, AuthAdapterPluginOptions } from './adapter.js';
 import type { JwtAdapterConfig } from './adapters/jwt-adapter.js';
 import { PasswordHasher } from './hash.js';
 import type { JwtManager, TokenStore } from './jwt.js';
 import { authMiddleware } from './middleware.js';
-import type { AdapterAuthContext, AuthConfig, TokenPair, User } from './types.js';
+import type { AdapterAuthContext, AuthConfig, JwtConfig, TokenPair, User } from './types.js';
 /** Auth package version */
 export declare const AUTH_VERSION: string;
 /**
@@ -24,32 +25,6 @@ export interface AuthPluginOptions extends AuthConfig {
      * @default false
      */
     debug?: boolean;
-    /**
-     * DI container for service registration and resolution (optional)
-     *
-     * When provided, auth services are registered with the container and can be:
-     * - Resolved from the container directly
-     * - Mocked in tests by overriding registrations
-     * - Managed alongside other application services
-     *
-     * When not provided, services are created directly (legacy behavior).
-     *
-     * @example
-     * ```typescript
-     * import { Container } from '@veloxts/core';
-     * import { authPlugin, JWT_MANAGER } from '@veloxts/auth';
-     *
-     * const container = new Container();
-     * app.register(authPlugin({
-     *   jwt: { secret: '...' },
-     *   container,
-     * }));
-     *
-     * // Services now available from container
-     * const jwt = container.resolve(JWT_MANAGER);
-     * ```
-     */
-    container?: Container;
 }
 /**
  * Auth service instance attached to Fastify
@@ -158,9 +133,68 @@ export declare function defaultAuthPlugin(): VeloxPlugin<AuthPluginOptions>;
 /**
  * Options for jwtAuth convenience function
  *
- * Omits the 'name' field since it's auto-set to 'jwt'.
+ * Explicit interface for better discoverability (name is auto-set to 'jwt').
  */
-export type JwtAuthOptions = Omit<JwtAdapterConfig, 'name'>;
+export interface JwtAuthOptions {
+    /**
+     * JWT configuration (secret, expiry, etc.)
+     *
+     * This is passed directly to JwtManager.
+     */
+    jwt: JwtConfig;
+    /**
+     * Token store for revocation tracking
+     *
+     * Used to check if tokens have been revoked (e.g., on logout).
+     * Defaults to in-memory store (not suitable for production).
+     */
+    tokenStore?: TokenStore;
+    /**
+     * Load user by ID
+     *
+     * Called when verifying tokens to load the full user object.
+     * If not provided, a minimal user object is created from token claims.
+     */
+    userLoader?: (userId: string) => Promise<User | null>;
+    /**
+     * Enable built-in auth routes
+     *
+     * When true, mounts routes for token refresh and logout:
+     * - POST `${routePrefix}/refresh` - Refresh access token
+     * - POST `${routePrefix}/logout` - Revoke current token
+     *
+     * @default true
+     */
+    enableRoutes?: boolean;
+    /**
+     * Base path for auth routes
+     *
+     * Only used when `enableRoutes` is true.
+     *
+     * @default '/api/auth'
+     */
+    routePrefix?: string;
+    /**
+     * Enable debug logging
+     *
+     * @default false
+     */
+    debug?: boolean;
+    /**
+     * Transform adapter user to VeloxTS User
+     *
+     * Override to customize how token claims are transformed to User.
+     */
+    transformUser?: (adapterUser: AdapterUser) => User;
+    /**
+     * Routes to exclude from automatic session loading
+     */
+    excludeRoutes?: string[];
+    /**
+     * Custom error handler for adapter errors
+     */
+    onError?: (error: AuthAdapterError, request: FastifyRequest, reply: FastifyReply) => void | Promise<void>;
+}
 /**
  * Creates JWT auth using the adapter pattern directly
  *

package/dist/plugin.js

@@ -12,8 +12,6 @@ import { createJwtAdapter } from './adapters/jwt-adapter.js';
 import { checkDoubleRegistration, decorateAuth } from './decoration.js';
 import { PasswordHasher } from './hash.js';
 import { authMiddleware } from './middleware.js';
-import { registerAuthProviders } from './providers.js';
-import { AUTH_SERVICE } from './tokens.js';
 // Read version from package.json dynamically
 const require = createRequire(import.meta.url);
 const packageJson = require('../package.json');
@@ -86,38 +84,66 @@ export function authPlugin(options) {
         version: AUTH_VERSION,
         async register(server, _opts) {
             const config = { ...options, ..._opts };
-            const { debug = false, container } = config;
+            const { debug = false } = config;
             // Prevent double-registration of auth systems
             checkDoubleRegistration(server, 'authPlugin');
             if (debug) {
                 server.log.info('Registering @veloxts/auth plugin (adapter-based)');
             }
-            // DI-enabled path: Use container for service resolution
-            if (container) {
-                if (debug) {
-                    server.log.info('Using DI container for auth services');
-                }
-                registerAuthProviders(container, config);
-                const authService = container.resolve(AUTH_SERVICE);
-                server.decorate('auth', authService);
-                // Still need to register the adapter plugin for session loading
-                const { adapter, config: adapterConfig } = createJwtAdapter({
-                    jwt: config.jwt,
-                    userLoader: config.userLoader,
-                    tokenStore: config.isTokenRevoked
-                        ? createCallbackTokenStore(config.isTokenRevoked)
-                        : undefined,
-                    enableRoutes: false, // Don't mount routes when using authPlugin
-                    debug,
-                });
-                // Initialize the adapter for session loading
-                await adapter.initialize(server, adapterConfig);
-                // Decorate requests with auth context
-                decorateAuth(server);
-                // Add preHandler hook for session loading
+            // Convert isTokenRevoked callback to TokenStore if provided
+            const tokenStore = config.isTokenRevoked
+                ? createCallbackTokenStore(config.isTokenRevoked)
+                : undefined;
+            // Create the JWT adapter
+            const { adapter, config: adapterConfig } = createJwtAdapter({
+                jwt: config.jwt,
+                userLoader: config.userLoader,
+                tokenStore,
+                enableRoutes: false, // authPlugin manages its own API
+                debug,
+            });
+            // Initialize adapter
+            await adapter.initialize(server, adapterConfig);
+            // Decorate requests with auth context
+            decorateAuth(server);
+            // Get JWT manager from adapter
+            const jwt = adapter.getJwtManager();
+            const hasher = new PasswordHasher(config.hash);
+            const authMw = authMiddleware(config);
+            // Build AuthService from adapter
+            const authService = {
+                jwt,
+                hasher,
+                tokenStore: adapter.getTokenStore(),
+                createTokens(user, additionalClaims) {
+                    return jwt.createTokenPair(user, additionalClaims);
+                },
+                verifyToken(token) {
+                    const payload = jwt.verifyToken(token);
+                    return {
+                        authMode: 'adapter',
+                        user: {
+                            id: payload.sub,
+                            email: payload.email,
+                        },
+                        isAuthenticated: true,
+                        providerId: 'jwt',
+                        session: { token, payload },
+                    };
+                },
+                refreshTokens(refreshToken) {
+                    if (config.userLoader) {
+                        return jwt.refreshTokens(refreshToken, config.userLoader);
+                    }
+                    return jwt.refreshTokens(refreshToken);
+                },
+                middleware: authMw,
+            };
+            // Decorate server with auth service
+            server.decorate('auth', authService);
+            // Add preHandler hook for session loading (using adapter)
+            if (config.autoExtract !== false) {
                 server.addHook('preHandler', async (request) => {
-                    if (config.autoExtract === false)
-                        return;
                     const session = await adapter.getSession(request);
                     if (session) {
                         const user = {
@@ -140,85 +166,6 @@ export function authPlugin(options) {
                     }
                 });
             }
-            else {
-                // Adapter-based path: Use JwtAdapter directly
-                // Convert isTokenRevoked callback to TokenStore if provided
-                const tokenStore = config.isTokenRevoked
-                    ? createCallbackTokenStore(config.isTokenRevoked)
-                    : undefined;
-                // Create the JWT adapter
-                const { adapter, config: adapterConfig } = createJwtAdapter({
-                    jwt: config.jwt,
-                    userLoader: config.userLoader,
-                    tokenStore,
-                    enableRoutes: false, // authPlugin manages its own API
-                    debug,
-                });
-                // Initialize adapter
-                await adapter.initialize(server, adapterConfig);
-                // Decorate requests with auth context
-                decorateAuth(server);
-                // Get JWT manager from adapter
-                const jwt = adapter.getJwtManager();
-                const hasher = new PasswordHasher(config.hash);
-                const authMw = authMiddleware(config);
-                // Build AuthService from adapter
-                const authService = {
-                    jwt,
-                    hasher,
-                    tokenStore: adapter.getTokenStore(),
-                    createTokens(user, additionalClaims) {
-                        return jwt.createTokenPair(user, additionalClaims);
-                    },
-                    verifyToken(token) {
-                        const payload = jwt.verifyToken(token);
-                        return {
-                            authMode: 'adapter',
-                            user: {
-                                id: payload.sub,
-                                email: payload.email,
-                            },
-                            isAuthenticated: true,
-                            providerId: 'jwt',
-                            session: { token, payload },
-                        };
-                    },
-                    refreshTokens(refreshToken) {
-                        if (config.userLoader) {
-                            return jwt.refreshTokens(refreshToken, config.userLoader);
-                        }
-                        return jwt.refreshTokens(refreshToken);
-                    },
-                    middleware: authMw,
-                };
-                // Decorate server with auth service
-                server.decorate('auth', authService);
-                // Add preHandler hook for session loading (using adapter)
-                if (config.autoExtract !== false) {
-                    server.addHook('preHandler', async (request) => {
-                        const session = await adapter.getSession(request);
-                        if (session) {
-                            const user = {
-                                id: session.user.id,
-                                email: session.user.email,
-                                ...(session.user.emailVerified !== undefined && {
-                                    emailVerified: session.user.emailVerified,
-                                }),
-                                ...session.user.providerData,
-                            };
-                            const authContext = {
-                                authMode: 'adapter',
-                                isAuthenticated: true,
-                                user,
-                                providerId: 'jwt',
-                                session: session.session.providerData,
-                            };
-                            request.auth = authContext;
-                            request.user = user;
-                        }
-                    });
-                }
-            }
             // Add shutdown hook for cleanup
             server.addHook('onClose', async () => {
                 if (debug) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@veloxts/auth",
-  "version": "0.6.90",
+  "version": "0.6.91",
   "description": "Authentication and authorization system for VeloxTS framework",
   "type": "module",
   "main": "dist/index.js",
@@ -61,8 +61,8 @@
   "dependencies": {
     "@fastify/cookie": "11.0.2",
     "fastify": "5.7.2",
-    "@veloxts/core": "0.6.90",
-    "@veloxts/router": "0.6.90"
+    "@veloxts/core": "0.6.91",
+    "@veloxts/router": "0.6.91"
   },
   "peerDependencies": {
     "argon2": ">=0.30.0",
@@ -86,8 +86,8 @@
     "fastify-plugin": "5.1.0",
     "typescript": "5.9.3",
     "vitest": "4.0.18",
-    "@veloxts/validation": "0.6.90",
-    "@veloxts/testing": "0.6.90"
+    "@veloxts/validation": "0.6.91",
+    "@veloxts/testing": "0.6.91"
   },
   "keywords": [
     "velox",