@versini/auth-common 4.4.0 → 4.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +60 -1
- package/dist/index.d.ts +11 -8
- package/dist/index.js +474 -407
- package/package.json +5 -4
package/README.md
CHANGED
|
@@ -1,3 +1,62 @@
|
|
|
1
1
|
# @versini/auth-common
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Shared low-level building blocks (constants, token helpers, PKCE utilities, session helpers) used by `@versini/auth-provider` and any backend or frontend integration that needs to validate / manipulate auth artifacts.
|
|
4
|
+
|
|
5
|
+
## Install
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
pnpm add @versini/auth-common
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Peer dependency expectations: none (pure ESM, no React required).
|
|
12
|
+
|
|
13
|
+
## Exports Overview
|
|
14
|
+
|
|
15
|
+
All exports are re-exported via the package root:
|
|
16
|
+
|
|
17
|
+
- `AUTH_TYPES` – Enum-like constants describing supported authentication flows (code, passkey, etc.)
|
|
18
|
+
- `verifyAndExtractToken(token: string)` – Verifies a JWT (signature/structure) and returns a decoded payload or throws on failure.
|
|
19
|
+
- `pkceChallengePair()` – Generates a secure PKCE code_verifier and corresponding code_challenge (S256).
|
|
20
|
+
- `getToken(...)` / `getSession(...)` – Helpers to retrieve tokens / session data from storage or cookie contexts (implementation depends on consumer usage pattern).
|
|
21
|
+
- `isGranted(roles: string[], required: string | string[])` – Authorization helper performing role / permission checks (deny-by-default pattern recommended).
|
|
22
|
+
- `constants` – Centralized constants including JWT claim keys (`JWT.USER_ID_KEY`, etc.) and `API_TYPE` for discriminating API operations.
|
|
23
|
+
|
|
24
|
+
> Keep a deny-by-default stance: always guard privileged operations with `isGranted` or equivalent server-side enforcement.
|
|
25
|
+
|
|
26
|
+
## Usage Example
|
|
27
|
+
|
|
28
|
+
```ts
|
|
29
|
+
import {
|
|
30
|
+
AUTH_TYPES,
|
|
31
|
+
pkceChallengePair,
|
|
32
|
+
verifyAndExtractToken,
|
|
33
|
+
isGranted
|
|
34
|
+
} from "@versini/auth-common";
|
|
35
|
+
|
|
36
|
+
async function beginAuth() {
|
|
37
|
+
const { code_verifier, code_challenge } = await pkceChallengePair();
|
|
38
|
+
// send code_challenge to authorization endpoint, persist code_verifier securely (in-memory)
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
async function validate(idToken: string) {
|
|
42
|
+
const jwt = await verifyAndExtractToken(idToken);
|
|
43
|
+
if (!isGranted(jwt.payload.roles || [], "admin")) {
|
|
44
|
+
throw new Error("Not authorized");
|
|
45
|
+
}
|
|
46
|
+
return jwt.payload[AUTH_TYPES.AUTH];
|
|
47
|
+
}
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Security Notes
|
|
51
|
+
|
|
52
|
+
- Never persist the PKCE `code_verifier` beyond the user session in plaintext storage.
|
|
53
|
+
- Avoid logging raw tokens; if needed log only the first/last 6 chars.
|
|
54
|
+
- Perform server-side validation even if `verifyAndExtractToken` passes client-side.
|
|
55
|
+
|
|
56
|
+
## TypeScript
|
|
57
|
+
|
|
58
|
+
Distributed with full TypeScript declarations (`dist/*.d.ts`). All functions are strictly typed—avoid using `any`; prefer narrowing unknown data before passing to these helpers.
|
|
59
|
+
|
|
60
|
+
## License
|
|
61
|
+
|
|
62
|
+
MIT © gizmette.com
|
package/dist/index.d.ts
CHANGED
|
@@ -27,6 +27,7 @@ declare const JWT: {
|
|
|
27
27
|
EXPIRES_AT_KEY: string;
|
|
28
28
|
CREATED_AT_KEY: string;
|
|
29
29
|
SCOPES_KEY: string;
|
|
30
|
+
SCOPE_KEY: string;
|
|
30
31
|
CLIENT_ID_KEY: string;
|
|
31
32
|
ISSUER: string;
|
|
32
33
|
};
|
|
@@ -106,10 +107,11 @@ type ScopesGrants = {
|
|
|
106
107
|
* Checks if the given encoded access token grants the required scopes.
|
|
107
108
|
*
|
|
108
109
|
* This function verifies the provided token and extracts its payload.
|
|
109
|
-
* It then checks if the token contains the required scopes. The
|
|
110
|
-
*
|
|
111
|
-
*
|
|
112
|
-
* of the map
|
|
110
|
+
* It then checks if the token contains the required scopes. The function supports
|
|
111
|
+
* scopes in two formats: as an array of strings (JWT.SCOPES_KEY) or as a space-separated
|
|
112
|
+
* string (JWT.SCOPE_KEY). The scopes can be provided either as an array of strings or
|
|
113
|
+
* as a map of string arrays. When the scopes are provided as a map, the function checks
|
|
114
|
+
* if the token contains at least one of the scopes in each of the map's values (OR operation).
|
|
113
115
|
*
|
|
114
116
|
*
|
|
115
117
|
* @async
|
|
@@ -141,10 +143,11 @@ declare const isGranted: (token: string, scopes: ScopesGrants) => Promise<boolea
|
|
|
141
143
|
* Checks if the given non-encoded id token grants the required scopes.
|
|
142
144
|
*
|
|
143
145
|
* This function does not verify the token, it simply extracts its payload.
|
|
144
|
-
* It then checks if the token contains the required scopes. The
|
|
145
|
-
*
|
|
146
|
-
*
|
|
147
|
-
* of the map
|
|
146
|
+
* It then checks if the token contains the required scopes. The function supports
|
|
147
|
+
* scopes in two formats: as an array of strings (JWT.SCOPES_KEY) or as a space-separated
|
|
148
|
+
* string (JWT.SCOPE_KEY). The scopes can be provided either as an array of strings or
|
|
149
|
+
* as a map of string arrays. When the scopes are provided as a map, the function checks
|
|
150
|
+
* if the token contains at least one of the scopes in each of the map's values (OR operation).
|
|
148
151
|
*
|
|
149
152
|
*
|
|
150
153
|
* @function isGrantedSync
|