@versini/auth-common 4.5.0 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +60 -1
  2. package/dist/index.d.ts +2 -0
  3. package/dist/index.js +475 -418
  4. package/package.json +5 -4
package/README.md CHANGED
@@ -1,3 +1,62 @@
1
1
  # @versini/auth-common
2
2
 
3
- This package provides common utilities and constants for both the client and server side of the authentication system.
3
+ Shared low-level building blocks (constants, token helpers, PKCE utilities, session helpers) used by `@versini/auth-provider` and any backend or frontend integration that needs to validate / manipulate auth artifacts.
4
+
5
+ ## Install
6
+
7
+ ```bash
8
+ pnpm add @versini/auth-common
9
+ ```
10
+
11
+ Peer dependency expectations: none (pure ESM, no React required).
12
+
13
+ ## Exports Overview
14
+
15
+ All exports are re-exported via the package root:
16
+
17
+ - `AUTH_TYPES` – Enum-like constants describing supported authentication flows (code, passkey, etc.)
18
+ - `verifyAndExtractToken(token: string)` – Verifies a JWT (signature/structure) and returns a decoded payload or throws on failure.
19
+ - `pkceChallengePair()` – Generates a secure PKCE code_verifier and corresponding code_challenge (S256).
20
+ - `getToken(...)` / `getSession(...)` – Helpers to retrieve tokens / session data from storage or cookie contexts (implementation depends on consumer usage pattern).
21
+ - `isGranted(roles: string[], required: string | string[])` – Authorization helper performing role / permission checks (deny-by-default pattern recommended).
22
+ - `constants` – Centralized constants including JWT claim keys (`JWT.USER_ID_KEY`, etc.) and `API_TYPE` for discriminating API operations.
23
+
24
+ > Keep a deny-by-default stance: always guard privileged operations with `isGranted` or equivalent server-side enforcement.
25
+
26
+ ## Usage Example
27
+
28
+ ```ts
29
+ import {
30
+ AUTH_TYPES,
31
+ pkceChallengePair,
32
+ verifyAndExtractToken,
33
+ isGranted
34
+ } from "@versini/auth-common";
35
+
36
+ async function beginAuth() {
37
+ const { code_verifier, code_challenge } = await pkceChallengePair();
38
+ // send code_challenge to authorization endpoint, persist code_verifier securely (in-memory)
39
+ }
40
+
41
+ async function validate(idToken: string) {
42
+ const jwt = await verifyAndExtractToken(idToken);
43
+ if (!isGranted(jwt.payload.roles || [], "admin")) {
44
+ throw new Error("Not authorized");
45
+ }
46
+ return jwt.payload[AUTH_TYPES.AUTH];
47
+ }
48
+ ```
49
+
50
+ ## Security Notes
51
+
52
+ - Never persist the PKCE `code_verifier` beyond the user session in plaintext storage.
53
+ - Avoid logging raw tokens; if needed log only the first/last 6 chars.
54
+ - Perform server-side validation even if `verifyAndExtractToken` passes client-side.
55
+
56
+ ## TypeScript
57
+
58
+ Distributed with full TypeScript declarations (`dist/*.d.ts`). All functions are strictly typed—avoid using `any`; prefer narrowing unknown data before passing to these helpers.
59
+
60
+ ## License
61
+
62
+ MIT © gizmette.com
package/dist/index.d.ts CHANGED
@@ -8,6 +8,7 @@ declare const AUTH_TYPES: {
8
8
  REFRESH_TOKEN: string;
9
9
  PASSKEY: string;
10
10
  AUTH0: string;
11
+ GOOGLE: string;
11
12
  };
12
13
  declare const HEADERS: {
13
14
  CLIENT_ID: string;
@@ -42,6 +43,7 @@ declare const API_TYPE: {
42
43
  LOGOUT: string;
43
44
  LOGIN: string;
44
45
  REFRESH: string;
46
+ GOOGLE: string;
45
47
  };
46
48
 
47
49
  declare const verifyAndExtractToken: (token: string) => Promise<jose.JWTVerifyResult<jose.JWTPayload> | undefined>;