@xcelsior/auth 0.1.1

package/src/email/index.ts

@@ -0,0 +1,22 @@
+import type { IEmailProvider, EmailConfig, SMTPConfig, SESConfig } from './types';
+import { SMTPEmailProvider } from './smtp';
+import { SESEmailProvider } from './ses';
+
+export function createEmailProvider(config: EmailConfig): IEmailProvider {
+    switch (config.type) {
+        case 'smtp':
+            return new SMTPEmailProvider(
+                config.from,
+                config.options as SMTPConfig,
+                config.templates
+            );
+        case 'ses':
+            return new SESEmailProvider(config.from, config.options as SESConfig, config.templates);
+        default:
+            throw new Error(`Unsupported email provider type: ${config.type}`);
+    }
+}
+
+export * from './types';
+export * from './smtp';
+export * from './ses';

package/src/email/ses.ts

@@ -0,0 +1,80 @@
+import { SESv2Client, SendEmailCommand } from '@aws-sdk/client-sesv2';
+import type { IEmailProvider, SESConfig, EmailTemplates } from './types';
+import { defaultTemplates } from './defaultTemplates';
+
+export class SESEmailProvider implements IEmailProvider {
+    private client: SESv2Client;
+    private config: { from: string; templates: EmailTemplates; sourceArn?: string };
+
+    constructor(from: string, config: SESConfig, templates?: EmailTemplates) {
+        this.client = new SESv2Client({
+            region: config.region,
+            credentials: config.credentials,
+        });
+        this.config = {
+            from,
+            templates: templates ?? defaultTemplates,
+            sourceArn: config.sourceArn,
+        };
+    }
+
+    private async sendEmail(to: string, subject: string, html: string): Promise<void> {
+        const command = new SendEmailCommand({
+            FromEmailAddress: this.config.from,
+            FromEmailAddressIdentityArn: this.config.sourceArn,
+            Destination: {
+                ToAddresses: [to],
+            },
+            Content: {
+                Simple: {
+                    Subject: {
+                        Data: subject,
+                        Charset: 'UTF-8',
+                    },
+                    Body: {
+                        Html: {
+                            Data: html,
+                            Charset: 'UTF-8',
+                        },
+                    },
+                },
+            },
+        });
+
+        await this.client.send(command);
+    }
+
+    async sendVerificationEmail(email: string, token: string): Promise<void> {
+        const { subject, html } = this.config.templates.verification;
+        await this.sendEmail(email, subject, html(token));
+    }
+
+    async sendPasswordResetEmail(email: string, token: string): Promise<void> {
+        const { subject, html } = this.config.templates.resetPassword;
+        await this.sendEmail(email, subject, html(token));
+    }
+
+    async verifyConnection(): Promise<boolean> {
+        try {
+            // SES doesn't have a direct verify method, so we'll check if we can describe our sending status
+            await this.client.send(
+                new SendEmailCommand({
+                    FromEmailAddress: this.config.from,
+                    FromEmailAddressIdentityArn: this.config.sourceArn,
+                    Destination: {
+                        ToAddresses: [this.config.from], // Send to ourselves as a test
+                    },
+                    Content: {
+                        Simple: {
+                            Subject: { Data: 'Test Connection', Charset: 'UTF-8' },
+                            Body: { Text: { Data: 'Test', Charset: 'UTF-8' } },
+                        },
+                    },
+                })
+            );
+            return true;
+        } catch (_error) {
+            return false;
+        }
+    }
+}

package/src/email/smtp.ts

@@ -0,0 +1,43 @@
+import nodemailer from 'nodemailer';
+import type { IEmailProvider, SMTPConfig, EmailTemplates } from './types';
+
+export class SMTPEmailProvider implements IEmailProvider {
+    private transporter: nodemailer.Transporter;
+    private config: { from: string; templates: EmailTemplates };
+
+    constructor(from: string, config: SMTPConfig, templates: EmailTemplates) {
+        this.transporter = nodemailer.createTransport(config);
+        this.config = { from, templates };
+    }
+
+    async sendVerificationEmail(email: string, token: string): Promise<void> {
+        const { subject, html } = this.config.templates.verification;
+
+        await this.transporter.sendMail({
+            from: this.config.from,
+            to: email,
+            subject,
+            html: html(token),
+        });
+    }
+
+    async sendPasswordResetEmail(email: string, token: string): Promise<void> {
+        const { subject, html } = this.config.templates.resetPassword;
+
+        await this.transporter.sendMail({
+            from: this.config.from,
+            to: email,
+            subject,
+            html: html(token),
+        });
+    }
+
+    async verifyConnection(): Promise<boolean> {
+        try {
+            await this.transporter.verify();
+            return true;
+        } catch (_error) {
+            return false;
+        }
+    }
+}

package/src/email/types.ts

@@ -0,0 +1,42 @@
+export interface IEmailProvider {
+    sendVerificationEmail(email: string, token: string): Promise<void>;
+    sendPasswordResetEmail(email: string, token: string): Promise<void>;
+    verifyConnection(): Promise<boolean>;
+}
+
+export interface EmailTemplates {
+    verification: {
+        subject: string;
+        html: (token: string) => string;
+    };
+    resetPassword: {
+        subject: string;
+        html: (token: string) => string;
+    };
+}
+
+export interface SMTPConfig {
+    host: string;
+    port: number;
+    secure: boolean;
+    auth: {
+        user: string;
+        pass: string;
+    };
+}
+
+export interface SESConfig {
+    region: string;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+    };
+    sourceArn?: string;
+}
+
+export interface EmailConfig {
+    type: 'smtp' | 'ses';
+    from: string;
+    options: SMTPConfig | SESConfig;
+    templates?: EmailTemplates;
+}

package/src/index.ts

@@ -0,0 +1,3 @@
+export * from './services/auth';
+export * from './middleware/auth';
+export * from './types';

package/src/middleware/auth.ts

@@ -0,0 +1,50 @@
+import type { AuthService } from '../services/auth';
+import type { UserRole } from '../types';
+
+export class AuthMiddleware {
+    private authService: AuthService;
+
+    constructor(authService: AuthService) {
+        this.authService = authService;
+    }
+
+    verifyToken() {
+        return async (req: any, res: any, next: any) => {
+            try {
+                const token = req.headers.authorization?.split(' ')[1];
+                if (!token) {
+                    throw new Error('No token provided');
+                }
+
+                const decoded = await this.authService.verifyToken(token);
+                req.user = decoded;
+                next();
+            } catch (_error) {
+                res.status(401).json({ error: 'Unauthorized' });
+            }
+        };
+    }
+
+    requireRoles(roles: UserRole[]) {
+        return async (req: any, res: any, next: any) => {
+            try {
+                const hasRole = await this.authService.hasRole(req.user.id, roles);
+                if (!hasRole) {
+                    throw new Error('Insufficient permissions');
+                }
+                next();
+            } catch (_error) {
+                res.status(403).json({ error: 'Forbidden' });
+            }
+        };
+    }
+
+    requireEmailVerified() {
+        return (req: any, res: any, next: any) => {
+            if (!req.user.isEmailVerified) {
+                return res.status(403).json({ error: 'Email not verified' });
+            }
+            next();
+        };
+    }
+}

package/src/services/auth.ts

@@ -0,0 +1,165 @@
+import bcrypt from 'bcryptjs';
+import jwt from 'jsonwebtoken';
+import { v4 as uuidv4 } from 'uuid';
+import type { AuthConfig, User, UserRole } from '../types';
+import type { IStorageProvider } from '../storage/types';
+import type { IEmailProvider } from '../email/types';
+import { createStorageProvider } from '../storage';
+import { createEmailProvider } from '../email';
+
+export class AuthService {
+    private storage: IStorageProvider;
+    private email: IEmailProvider;
+    private config: AuthConfig;
+
+    constructor(config: AuthConfig) {
+        this.config = config;
+        this.storage = createStorageProvider(config.storage);
+        this.email = createEmailProvider(config.email);
+    }
+
+    private generateToken(user: User): string {
+        // @ts-ignore
+        return jwt.sign(
+            {
+                id: user.id,
+                email: user.email,
+                roles: user.roles,
+                isEmailVerified: user.isEmailVerified,
+            },
+            this.config.jwt.privateKey,
+            {
+                algorithm: 'RS256',
+                expiresIn: this.config.jwt.expiresIn,
+                keyid: this.config.jwt.keyId,
+            }
+        );
+    }
+
+    private async hashPassword(password: string): Promise<string> {
+        return bcrypt.hash(password, 10);
+    }
+
+    async signup(
+        email: string,
+        password: string,
+        roles: UserRole[] = ['USER']
+    ): Promise<{ user: User; token: string }> {
+        const existingUser = await this.storage.getUserByEmail(email);
+        if (existingUser) {
+            throw new Error('User already exists');
+        }
+
+        const verificationToken = uuidv4();
+        const user: User = {
+            id: uuidv4(),
+            email,
+            passwordHash: await this.hashPassword(password),
+            roles,
+            isEmailVerified: false,
+            verificationToken,
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+        };
+
+        await this.storage.createUser(user);
+        await this.email.sendVerificationEmail(email, verificationToken);
+
+        const token = this.generateToken(user);
+        return { user, token };
+    }
+
+    async signin(email: string, password: string): Promise<{ user: User; token: string }> {
+        const user = await this.storage.getUserByEmail(email);
+        if (!user) {
+            throw new Error('Invalid credentials');
+        }
+
+        const isValidPassword = await bcrypt.compare(password, user.passwordHash);
+        if (!isValidPassword) {
+            throw new Error('Invalid credentials');
+        }
+
+        if (!user.isEmailVerified) {
+            throw new Error('Please verify your email before signing in');
+        }
+
+        const token = this.generateToken(user);
+        return { user, token };
+    }
+
+    async verifyEmail(token: string): Promise<void> {
+        const user = await this.storage.getUserByVerifyEmailToken(token);
+        if (!user || user.verificationToken !== token) {
+            throw new Error('Invalid verification token');
+        }
+
+        await this.storage.updateUser(user.id, {
+            isEmailVerified: true,
+            verificationToken: undefined,
+            updatedAt: Date.now(),
+        });
+    }
+
+    async initiatePasswordReset(email: string): Promise<void> {
+        const user = await this.storage.getUserByEmail(email);
+        if (!user) {
+            throw new Error('User not found');
+        }
+
+        const resetToken = uuidv4();
+        const resetExpires = Date.now() + 3600000; // 1 hour
+
+        await this.storage.updateUser(user.id, {
+            resetPasswordToken: resetToken,
+            resetPasswordExpires: resetExpires,
+            updatedAt: Date.now(),
+        });
+
+        await this.email.sendPasswordResetEmail(email, resetToken);
+    }
+
+    async resetPassword(token: string, newPassword: string): Promise<void> {
+        const user = await this.storage.getUserByResetPasswordToken(token);
+        if (
+            !user ||
+            !user.resetPasswordToken ||
+            user.resetPasswordToken !== token ||
+            !user.resetPasswordExpires ||
+            user.resetPasswordExpires < Date.now()
+        ) {
+            throw new Error('Invalid or expired reset token');
+        }
+
+        await this.storage.updateUser(user.id, {
+            passwordHash: await this.hashPassword(newPassword),
+            resetPasswordToken: undefined,
+            resetPasswordExpires: undefined,
+            updatedAt: Date.now(),
+        });
+    }
+
+    async verifyToken(
+        token: string
+    ): Promise<{ id: string; email: string; roles: UserRole[]; isEmailVerified: boolean }> {
+        try {
+            return jwt.verify(token, this.config.jwt.publicKey, { algorithms: ['RS256'] }) as {
+                id: string;
+                email: string;
+                roles: UserRole[];
+                isEmailVerified: boolean;
+            };
+        } catch (_error) {
+            throw new Error('Invalid token');
+        }
+    }
+
+    async hasRole(userId: string, requiredRoles: UserRole[]): Promise<boolean> {
+        const user = await this.storage.getUserById(userId);
+        if (!user) {
+            return false;
+        }
+
+        return requiredRoles.some((role) => user.roles.includes(role));
+    }
+}

package/src/storage/dynamodb.ts

@@ -0,0 +1,153 @@
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import {
+    DynamoDBDocumentClient,
+    PutCommand,
+    GetCommand,
+    UpdateCommand,
+    DeleteCommand,
+    QueryCommand,
+} from '@aws-sdk/lib-dynamodb';
+import type { User } from '../types';
+import type { IStorageProvider, DynamoDBConfig } from './types';
+
+export class DynamoDBStorageProvider implements IStorageProvider {
+    private client: DynamoDBDocumentClient;
+    private tableName: string;
+
+    constructor(config: DynamoDBConfig) {
+        const dbClient = new DynamoDBClient({ region: config.region });
+        this.client = DynamoDBDocumentClient.from(dbClient, {});
+        this.tableName = config.tableName;
+    }
+
+    async createUser(user: User): Promise<void> {
+        await this.client.send(
+            new PutCommand({
+                TableName: this.tableName,
+                Item: user,
+                ConditionExpression: 'attribute_not_exists(email)',
+            })
+        );
+    }
+
+    async getUserByResetPasswordToken(resetPasswordToken: string): Promise<User | null> {
+        const response = await this.client.send(
+            new QueryCommand({
+                TableName: this.tableName,
+                IndexName: 'ResetPasswordTokenIndex',
+                KeyConditionExpression: 'resetPasswordToken = :token',
+                ExpressionAttributeValues: {
+                    ':token': resetPasswordToken,
+                },
+            })
+        );
+
+        return response.Items?.[0] as User | null;
+    }
+
+    async getUserByVerifyEmailToken(verifyEmailToken: string): Promise<User | null> {
+        const response = await this.client.send(
+            new QueryCommand({
+                TableName: this.tableName,
+                IndexName: 'VerifyEmailTokenIndex',
+                KeyConditionExpression: 'verificationToken = :token',
+                ExpressionAttributeValues: {
+                    ':token': verifyEmailToken,
+                },
+            })
+        );
+
+        return response.Items?.[0] as User | null;
+    }
+
+    async getUserById(id: string): Promise<User | null> {
+        const response = await this.client.send(
+            new GetCommand({
+                TableName: this.tableName,
+                Key: { id },
+            })
+        );
+
+        return response.Item as User | null;
+    }
+
+    async getUserByEmail(email: string): Promise<User | null> {
+        const response = await this.client.send(
+            new QueryCommand({
+                TableName: this.tableName,
+                IndexName: 'EmailIndex',
+                KeyConditionExpression: 'email = :email',
+                ExpressionAttributeValues: {
+                    ':email': email,
+                },
+            })
+        );
+
+        return response.Items?.[0] as User | null;
+    }
+
+    async updateUser(id: string, updates: Partial<User>): Promise<void> {
+        const toSet: Record<string, any> = {};
+        const toRemove: string[] = [];
+
+        // Separate attributes to set and remove
+        Object.entries(updates).forEach(([key, value]) => {
+            if (value === undefined) {
+                toRemove.push(key);
+            } else {
+                toSet[key] = value;
+            }
+        });
+
+        // If no updates at all, return early
+        if (Object.keys(toSet).length === 0 && toRemove.length === 0) {
+            return;
+        }
+
+        // Build the update expression
+        const setPart =
+            Object.keys(toSet).length > 0
+                ? `SET ${Object.keys(toSet)
+                      .map((key) => `#${key} = :${key}`)
+                      .join(', ')}`
+                : '';
+
+        const removePart =
+            toRemove.length > 0 ? `REMOVE ${toRemove.map((key) => `#${key}`).join(', ')}` : '';
+
+        const updateExpression = [setPart, removePart].filter(Boolean).join(' ');
+
+        // Build expression attribute names (needed for both SET and REMOVE)
+        const expressionAttributeNames = [...Object.keys(toSet), ...toRemove].reduce(
+            (acc, key) => ({ ...acc, [`#${key}`]: key }),
+            {}
+        );
+
+        // Build expression attribute values (only needed for SET)
+        const expressionAttributeValues = Object.entries(toSet).reduce(
+            (acc, [key, value]) => ({ ...acc, [`:${key}`]: value }),
+            {}
+        );
+
+        await this.client.send(
+            new UpdateCommand({
+                TableName: this.tableName,
+                Key: { id },
+                UpdateExpression: updateExpression,
+                ExpressionAttributeNames: expressionAttributeNames,
+                ...(Object.keys(expressionAttributeValues).length > 0 && {
+                    ExpressionAttributeValues: expressionAttributeValues,
+                }),
+            })
+        );
+    }
+
+    async deleteUser(id: string): Promise<void> {
+        await this.client.send(
+            new DeleteCommand({
+                TableName: this.tableName,
+                Key: { id },
+            })
+        );
+    }
+}

package/src/storage/index.ts

@@ -0,0 +1,18 @@
+import type { DynamoDBConfig, IStorageProvider, StorageConfig } from './types';
+import { DynamoDBStorageProvider } from './dynamodb';
+
+export function createStorageProvider(config: StorageConfig): IStorageProvider {
+    switch (config.type) {
+        case 'dynamodb':
+            return new DynamoDBStorageProvider(config.options as DynamoDBConfig);
+        case 'mongodb':
+            throw new Error('MongoDB storage provider not implemented yet');
+        case 'postgres':
+            throw new Error('PostgreSQL storage provider not implemented yet');
+        default:
+            throw new Error(`Unsupported storage type: ${config.type}`);
+    }
+}
+
+export * from './types';
+export * from './dynamodb';

package/src/storage/types.ts

@@ -0,0 +1,33 @@
+import type { User } from '../types';
+
+export interface IStorageProvider {
+    createUser(user: User): Promise<void>;
+    getUserById(id: string): Promise<User | null>;
+    getUserByEmail(email: string): Promise<User | null>;
+    getUserByResetPasswordToken(resetPasswordToken: string): Promise<User | null>;
+    getUserByVerifyEmailToken(resetPasswordToken: string): Promise<User | null>;
+    updateUser(id: string, updates: Partial<User>): Promise<void>;
+    deleteUser(id: string): Promise<void>;
+}
+
+export interface StorageConfig {
+    type: 'dynamodb' | 'mongodb' | 'postgres';
+    options: DynamoDBConfig | MongoDBConfig | PostgresConfig;
+}
+
+export interface DynamoDBConfig {
+    tableName: string;
+    region: string;
+}
+
+export interface MongoDBConfig {
+    uri: string;
+    dbName: string;
+    collectionName: string;
+}
+
+export interface PostgresConfig {
+    connectionString: string;
+    schema?: string;
+    tableName: string;
+}

package/src/types/index.ts

@@ -0,0 +1,32 @@
+import { z } from 'zod';
+import type { StorageConfig } from '../storage/types';
+import type { EmailConfig } from '../email/types';
+
+export const UserRoleSchema = z.enum(['ADMIN', 'USER', 'GUEST']);
+export type UserRole = z.infer<typeof UserRoleSchema>;
+
+export const UserSchema = z.object({
+    id: z.string(),
+    email: z.string().email(),
+    passwordHash: z.string(),
+    roles: z.array(UserRoleSchema),
+    isEmailVerified: z.boolean(),
+    verificationToken: z.string().optional(),
+    resetPasswordToken: z.string().optional(),
+    resetPasswordExpires: z.number().optional(),
+    createdAt: z.number(),
+    updatedAt: z.number(),
+});
+
+export type User = z.infer<typeof UserSchema>;
+
+export interface AuthConfig {
+    jwt: {
+        privateKey: string;
+        publicKey: string;
+        keyId: string;
+        expiresIn: string;
+    };
+    storage: StorageConfig;
+    email: EmailConfig;
+}

package/tsconfig.json

@@ -0,0 +1,8 @@
+{
+    "extends": "../../../tsconfig.json",
+    "compilerOptions": {
+        "outDir": "dist",
+        "rootDir": "src"
+    },
+    "include": ["src"]
+}

package/tsup.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from 'tsup';
+
+export default defineConfig({
+    entry: ['src/index.ts'],
+    format: ['cjs', 'esm'],
+    dts: true,
+    splitting: false,
+    sourcemap: true,
+    clean: true,
+});