@xcelsior/auth 1.0.0 → 1.1.0

package/dist/index.js

@@ -32,7 +32,9 @@ var index_exports = {};
 __export(index_exports, {
   AuthMiddleware: () => AuthMiddleware,
   AuthService: () => AuthService,
-  UserRoleSchema: () => UserRoleSchema,
+  CreateSessionSchema: () => CreateSessionSchema,
+  CreateUserSchema: () => CreateUserSchema,
+  SessionSchema: () => SessionSchema,
   UserSchema: () => UserSchema
 });
 module.exports = __toCommonJS(index_exports);
@@ -41,170 +43,10 @@ module.exports = __toCommonJS(index_exports);
 var import_bcryptjs = __toESM(require("bcryptjs"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var import_uuid = require("uuid");
-
-// src/storage/dynamodb.ts
-var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
-var import_lib_dynamodb = require("@aws-sdk/lib-dynamodb");
-var DynamoDBStorageProvider = class {
-  constructor(config) {
-    const dbClient = new import_client_dynamodb.DynamoDBClient({ region: config.region });
-    this.client = import_lib_dynamodb.DynamoDBDocumentClient.from(dbClient, {});
-    this.tableName = config.tableName;
-  }
-  async createUser(user) {
-    await this.client.send(
-      new import_lib_dynamodb.PutCommand({
-        TableName: this.tableName,
-        Item: user,
-        ConditionExpression: "attribute_not_exists(email)"
-      })
-    );
-  }
-  async getUserByResetPasswordToken(resetPasswordToken) {
-    const response = await this.client.send(
-      new import_lib_dynamodb.QueryCommand({
-        TableName: this.tableName,
-        IndexName: "ResetPasswordTokenIndex",
-        KeyConditionExpression: "resetPasswordToken = :token",
-        ExpressionAttributeValues: {
-          ":token": resetPasswordToken
-        }
-      })
-    );
-    return response.Items?.[0];
-  }
-  async getUserByVerifyEmailToken(verifyEmailToken) {
-    const response = await this.client.send(
-      new import_lib_dynamodb.QueryCommand({
-        TableName: this.tableName,
-        IndexName: "VerifyEmailTokenIndex",
-        KeyConditionExpression: "verificationToken = :token",
-        ExpressionAttributeValues: {
-          ":token": verifyEmailToken
-        }
-      })
-    );
-    return response.Items?.[0];
-  }
-  async getUserById(id) {
-    const response = await this.client.send(
-      new import_lib_dynamodb.GetCommand({
-        TableName: this.tableName,
-        Key: { id }
-      })
-    );
-    return response.Item;
-  }
-  async getUserByEmail(email) {
-    const response = await this.client.send(
-      new import_lib_dynamodb.QueryCommand({
-        TableName: this.tableName,
-        IndexName: "EmailIndex",
-        KeyConditionExpression: "email = :email",
-        ExpressionAttributeValues: {
-          ":email": email
-        }
-      })
-    );
-    return response.Items?.[0];
-  }
-  async updateUser(id, updates) {
-    const toSet = {};
-    const toRemove = [];
-    Object.entries(updates).forEach(([key, value]) => {
-      if (value === void 0) {
-        toRemove.push(key);
-      } else {
-        toSet[key] = value;
-      }
-    });
-    if (Object.keys(toSet).length === 0 && toRemove.length === 0) {
-      return;
-    }
-    const setPart = Object.keys(toSet).length > 0 ? `SET ${Object.keys(toSet).map((key) => `#${key} = :${key}`).join(", ")}` : "";
-    const removePart = toRemove.length > 0 ? `REMOVE ${toRemove.map((key) => `#${key}`).join(", ")}` : "";
-    const updateExpression = [setPart, removePart].filter(Boolean).join(" ");
-    const expressionAttributeNames = [...Object.keys(toSet), ...toRemove].reduce(
-      (acc, key) => ({ ...acc, [`#${key}`]: key }),
-      {}
-    );
-    const expressionAttributeValues = Object.entries(toSet).reduce(
-      (acc, [key, value]) => ({ ...acc, [`:${key}`]: value }),
-      {}
-    );
-    await this.client.send(
-      new import_lib_dynamodb.UpdateCommand({
-        TableName: this.tableName,
-        Key: { id },
-        UpdateExpression: updateExpression,
-        ExpressionAttributeNames: expressionAttributeNames,
-        ...Object.keys(expressionAttributeValues).length > 0 && {
-          ExpressionAttributeValues: expressionAttributeValues
-        }
-      })
-    );
-  }
-  async deleteUser(id) {
-    await this.client.send(
-      new import_lib_dynamodb.DeleteCommand({
-        TableName: this.tableName,
-        Key: { id }
-      })
-    );
-  }
-};
-
-// src/storage/index.ts
-function createStorageProvider(config) {
-  switch (config.type) {
-    case "dynamodb":
-      return new DynamoDBStorageProvider(config.options);
-    case "mongodb":
-      throw new Error("MongoDB storage provider not implemented yet");
-    case "postgres":
-      throw new Error("PostgreSQL storage provider not implemented yet");
-    default:
-      throw new Error(`Unsupported storage type: ${config.type}`);
-  }
-}
+var import_crypto = __toESM(require("crypto"));
 
 // src/email/smtp.ts
 var import_nodemailer = __toESM(require("nodemailer"));
-var SMTPEmailProvider = class {
-  constructor(from, config, templates) {
-    this.transporter = import_nodemailer.default.createTransport(config);
-    this.config = { from, templates };
-  }
-  async sendVerificationEmail(email, token) {
-    const { subject, html } = this.config.templates.verification;
-    await this.transporter.sendMail({
-      from: this.config.from,
-      to: email,
-      subject,
-      html: html(token)
-    });
-  }
-  async sendPasswordResetEmail(email, token) {
-    const { subject, html } = this.config.templates.resetPassword;
-    await this.transporter.sendMail({
-      from: this.config.from,
-      to: email,
-      subject,
-      html: html(token)
-    });
-  }
-  async verifyConnection() {
-    try {
-      await this.transporter.verify();
-      return true;
-    } catch (_error) {
-      return false;
-    }
-  }
-};
-
-// src/email/ses.ts
-var import_client_sesv2 = require("@aws-sdk/client-sesv2");
 
 // src/email/defaultTemplates.ts
 var defaultTemplates = {
@@ -263,7 +105,42 @@ var defaultTemplates = {
   }
 };
 
+// src/email/smtp.ts
+var SMTPEmailProvider = class {
+  constructor(from, config, templates) {
+    this.transporter = import_nodemailer.default.createTransport(config);
+    this.config = { from, templates: templates ?? defaultTemplates };
+  }
+  async sendVerificationEmail(email, token) {
+    const { subject, html } = this.config.templates.verification;
+    await this.transporter.sendMail({
+      from: this.config.from,
+      to: email,
+      subject,
+      html: html(token)
+    });
+  }
+  async sendPasswordResetEmail(email, token) {
+    const { subject, html } = this.config.templates.resetPassword;
+    await this.transporter.sendMail({
+      from: this.config.from,
+      to: email,
+      subject,
+      html: html(token)
+    });
+  }
+  async verifyConnection() {
+    try {
+      await this.transporter.verify();
+      return true;
+    } catch (_error) {
+      return false;
+    }
+  }
+};
+
 // src/email/ses.ts
+var import_client_sesv2 = require("@aws-sdk/client-sesv2");
 var SESEmailProvider = class {
   constructor(from, config, templates) {
     this.client = new import_client_sesv2.SESv2Client({
@@ -353,10 +230,10 @@ function createEmailProvider(config) {
 var AuthService = class {
   constructor(config) {
     this.config = config;
-    this.storage = createStorageProvider(config.storage);
+    this.storage = config.storage;
     this.email = createEmailProvider(config.email);
   }
-  generateToken(user) {
+  generateAccessToken(user) {
     return import_jsonwebtoken.default.sign(
       {
         id: user.id,
@@ -372,31 +249,100 @@ var AuthService = class {
       }
     );
   }
+  generateRefreshToken(sessionId, userId) {
+    const payload = {
+      sessionId,
+      userId,
+      type: "refresh"
+    };
+    return import_jsonwebtoken.default.sign(payload, this.config.jwt.privateKey, {
+      algorithm: "RS256",
+      expiresIn: this.config.jwt.refreshTokenExpiresIn || "7d",
+      keyid: this.config.jwt.keyId
+    });
+  }
+  verifyRefreshToken(token) {
+    try {
+      const payload = import_jsonwebtoken.default.verify(token, this.config.jwt.publicKey, {
+        algorithms: ["RS256"]
+      });
+      if (payload.type !== "refresh") {
+        throw new Error("Invalid token type");
+      }
+      return payload;
+    } catch (_error) {
+      throw new Error("Invalid refresh token");
+    }
+  }
+  hashToken(token) {
+    return import_crypto.default.createHash("sha256").update(token).digest("hex");
+  }
+  getRefreshTokenExpiryMs() {
+    const expiresIn = this.config.jwt.refreshTokenExpiresIn || "7d";
+    const match = expiresIn.match(/^(\d+)([smhd])$/);
+    if (!match) {
+      return 7 * 24 * 60 * 60 * 1e3;
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    const multipliers = {
+      s: 1e3,
+      m: 60 * 1e3,
+      h: 60 * 60 * 1e3,
+      d: 24 * 60 * 60 * 1e3
+    };
+    return value * multipliers[unit];
+  }
   async hashPassword(password) {
     return import_bcryptjs.default.hash(password, 10);
   }
-  async signup(email, password, roles = ["USER"]) {
-    const existingUser = await this.storage.getUserByEmail(email);
+  async createSession(userId, options = {}) {
+    const now = Date.now();
+    const sessionId = this.config.idGeneration === "uuid" ? (0, import_uuid.v4)() : void 0;
+    const tempSession = {
+      ...sessionId ? { id: sessionId } : {},
+      userId,
+      refreshTokenHash: "",
+      userAgent: options.userAgent,
+      ipAddress: options.ipAddress,
+      deviceName: options.deviceName,
+      createdAt: now,
+      lastUsedAt: now,
+      expiresAt: now + this.getRefreshTokenExpiryMs()
+    };
+    const session = await this.storage.createSession(tempSession);
+    const refreshToken = this.generateRefreshToken(session.id, userId);
+    await this.storage.updateSession(session.id, {
+      refreshTokenHash: this.hashToken(refreshToken)
+    });
+    return {
+      session: { ...session, refreshTokenHash: this.hashToken(refreshToken) },
+      refreshToken
+    };
+  }
+  async signup(createUserInput, password, options = {}) {
+    const existingUser = await this.storage.getUserByEmail(createUserInput.email);
     if (existingUser) {
       throw new Error("User already exists");
     }
     const verificationToken = (0, import_uuid.v4)();
+    const id = this.config.idGeneration === "uuid" ? (0, import_uuid.v4)() : void 0;
     const user = {
-      id: (0, import_uuid.v4)(),
-      email,
+      ...createUserInput,
+      id,
       passwordHash: await this.hashPassword(password),
-      roles,
       isEmailVerified: false,
       verificationToken,
       createdAt: Date.now(),
       updatedAt: Date.now()
     };
-    await this.storage.createUser(user);
-    await this.email.sendVerificationEmail(email, verificationToken);
-    const token = this.generateToken(user);
-    return { user, token };
+    const createdUser = await this.storage.createUser(user);
+    await this.email.sendVerificationEmail(createUserInput.email, verificationToken);
+    const { refreshToken } = await this.createSession(createdUser.id, options);
+    const accessToken = this.generateAccessToken(createdUser);
+    return { user: createdUser, tokens: { accessToken, refreshToken } };
   }
-  async signin(email, password) {
+  async signin(email, password, options = {}) {
     const user = await this.storage.getUserByEmail(email);
     if (!user) {
       throw new Error("Invalid credentials");
@@ -408,8 +354,86 @@ var AuthService = class {
     if (!user.isEmailVerified) {
       throw new Error("Please verify your email before signing in");
     }
-    const token = this.generateToken(user);
-    return { user, token };
+    const { refreshToken } = await this.createSession(user.id, options);
+    const accessToken = this.generateAccessToken(user);
+    return { user, tokens: { accessToken, refreshToken } };
+  }
+  async refreshAccessToken(refreshToken) {
+    const payload = this.verifyRefreshToken(refreshToken);
+    const session = await this.storage.getSessionById(payload.sessionId);
+    if (!session) {
+      throw new Error("Session not found");
+    }
+    const tokenHash = this.hashToken(refreshToken);
+    if (session.refreshTokenHash !== tokenHash) {
+      throw new Error("Invalid refresh token");
+    }
+    if (session.expiresAt < Date.now()) {
+      await this.storage.deleteSession(session.id);
+      throw new Error("Session expired");
+    }
+    const user = await this.storage.getUserById(session.userId);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    const newRefreshToken = this.generateRefreshToken(session.id, user.id);
+    await this.storage.updateSession(session.id, {
+      refreshTokenHash: this.hashToken(newRefreshToken),
+      lastUsedAt: Date.now(),
+      expiresAt: Date.now() + this.getRefreshTokenExpiryMs()
+    });
+    const accessToken = this.generateAccessToken(user);
+    return { accessToken, refreshToken: newRefreshToken };
+  }
+  /**
+   * Logout from current session only
+   */
+  async logout(refreshToken) {
+    try {
+      const payload = this.verifyRefreshToken(refreshToken);
+      await this.storage.deleteSession(payload.sessionId);
+    } catch {
+    }
+  }
+  /**
+   * Revoke a specific session by ID
+   */
+  async revokeSession(userId, sessionId) {
+    const session = await this.storage.getSessionById(sessionId);
+    if (!session || session.userId !== userId) {
+      throw new Error("Session not found");
+    }
+    await this.storage.deleteSession(sessionId);
+  }
+  /**
+   * Revoke all sessions for a user (logout from all devices)
+   */
+  async revokeAllSessions(userId) {
+    await this.storage.deleteAllUserSessions(userId);
+  }
+  /**
+   * Get all active sessions for a user
+   */
+  async getSessions(userId, currentRefreshToken) {
+    const sessions = await this.storage.getSessionsByUserId(userId);
+    const now = Date.now();
+    let currentSessionId;
+    if (currentRefreshToken) {
+      try {
+        const payload = this.verifyRefreshToken(currentRefreshToken);
+        currentSessionId = payload.sessionId;
+      } catch {
+      }
+    }
+    return sessions.filter((s) => s.expiresAt > now).map((session) => ({
+      id: session.id,
+      deviceName: session.deviceName,
+      userAgent: session.userAgent,
+      ipAddress: session.ipAddress,
+      createdAt: session.createdAt,
+      lastUsedAt: session.lastUsedAt,
+      isCurrent: session.id === currentSessionId
+    }));
   }
   async verifyEmail(token) {
     const user = await this.storage.getUserByVerifyEmailToken(token);
@@ -452,6 +476,7 @@ var AuthService = class {
     try {
       return import_jsonwebtoken.default.verify(token, this.config.jwt.publicKey, { algorithms: ["RS256"] });
     } catch (_error) {
+      console.log("Token verification failed:", _error);
       throw new Error("Invalid token");
     }
   }
@@ -462,6 +487,74 @@ var AuthService = class {
     }
     return requiredRoles.some((role) => user.roles.includes(role));
   }
+  // ==================== User Management ====================
+  /**
+   * Get a user by ID
+   */
+  async getUserById(id) {
+    return this.storage.getUserById(id);
+  }
+  /**
+   * Get a user by email
+   */
+  async getUserByEmail(email) {
+    return this.storage.getUserByEmail(email);
+  }
+  /**
+   * Update a user's profile information.
+   * Supports predefined fields (email, firstName, lastName, roles, isEmailVerified)
+   * as well as any additional custom fields.
+   */
+  async updateUser(id, updates) {
+    const user = await this.storage.getUserById(id);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    if (updates.email !== void 0 && updates.email !== user.email) {
+      const existingUser = await this.storage.getUserByEmail(updates.email);
+      if (existingUser) {
+        throw new Error("Email already in use");
+      }
+    }
+    const { email, firstName, lastName, roles, isEmailVerified, ...additionalFields } = updates;
+    const mergedUpdates = {
+      updatedAt: Date.now(),
+      ...additionalFields
+    };
+    if (email !== void 0) mergedUpdates.email = email;
+    if (firstName !== void 0) mergedUpdates.firstName = firstName;
+    if (lastName !== void 0) mergedUpdates.lastName = lastName;
+    if (roles !== void 0) mergedUpdates.roles = roles;
+    if (isEmailVerified !== void 0) mergedUpdates.isEmailVerified = isEmailVerified;
+    await this.storage.updateUser(id, mergedUpdates);
+    return { ...user, ...mergedUpdates };
+  }
+  /**
+   * Delete a user and all their sessions
+   */
+  async deleteUser(id) {
+    const user = await this.storage.getUserById(id);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    await this.storage.deleteUser(id);
+  }
+  /**
+   * Find users with filtering and pagination
+   *
+   * @example
+   * // Find all admins
+   * const { users } = await authService.findUsers({ hasAnyRole: ['ADMIN'] });
+   *
+   * // Find verified users with email containing '@company.com'
+   * const result = await authService.findUsers({
+   *   emailContains: '@company.com',
+   *   isEmailVerified: true
+   * }, { limit: 20 });
+   */
+  async findUsers(filter, options) {
+    return this.storage.findUsers(filter, options);
+  }
 };
 
 // src/middleware/auth.ts
@@ -476,8 +569,7 @@ var AuthMiddleware = class {
         if (!token) {
           throw new Error("No token provided");
         }
-        const decoded = await this.authService.verifyToken(token);
-        req.user = decoded;
+        req.user = await this.authService.verifyToken(token);
         next();
       } catch (_error) {
         res.status(401).json({ error: "Unauthorized" });
@@ -509,12 +601,13 @@ var AuthMiddleware = class {
 
 // src/types/index.ts
 var import_zod = require("zod");
-var UserRoleSchema = import_zod.z.enum(["ADMIN", "USER", "GUEST"]);
 var UserSchema = import_zod.z.object({
-  id: import_zod.z.string(),
+  id: import_zod.z.union([import_zod.z.string(), import_zod.z.number()]),
   email: import_zod.z.string().email(),
+  firstName: import_zod.z.string().optional(),
+  lastName: import_zod.z.string().optional(),
   passwordHash: import_zod.z.string(),
-  roles: import_zod.z.array(UserRoleSchema),
+  roles: import_zod.z.array(import_zod.z.string()),
   isEmailVerified: import_zod.z.boolean(),
   verificationToken: import_zod.z.string().optional(),
   resetPasswordToken: import_zod.z.string().optional(),
@@ -522,11 +615,42 @@ var UserSchema = import_zod.z.object({
   createdAt: import_zod.z.number(),
   updatedAt: import_zod.z.number()
 });
+var CreateUserSchema = UserSchema.omit({
+  id: true,
+  createdAt: true,
+  updatedAt: true
+}).extend({
+  createdAt: import_zod.z.number().optional(),
+  updatedAt: import_zod.z.number().optional(),
+  id: import_zod.z.union([import_zod.z.string(), import_zod.z.number()]).optional()
+});
+var SessionSchema = import_zod.z.object({
+  id: import_zod.z.union([import_zod.z.string(), import_zod.z.number()]),
+  userId: import_zod.z.union([import_zod.z.string(), import_zod.z.number()]),
+  refreshTokenHash: import_zod.z.string(),
+  userAgent: import_zod.z.string().optional(),
+  ipAddress: import_zod.z.string().optional(),
+  deviceName: import_zod.z.string().optional(),
+  createdAt: import_zod.z.number(),
+  lastUsedAt: import_zod.z.number(),
+  expiresAt: import_zod.z.number()
+});
+var CreateSessionSchema = SessionSchema.omit({
+  id: true,
+  createdAt: true,
+  lastUsedAt: true
+}).extend({
+  createdAt: import_zod.z.number().optional(),
+  lastUsedAt: import_zod.z.number().optional(),
+  id: import_zod.z.union([import_zod.z.string(), import_zod.z.number()]).optional()
+});
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthMiddleware,
   AuthService,
-  UserRoleSchema,
+  CreateSessionSchema,
+  CreateUserSchema,
+  SessionSchema,
   UserSchema
 });
 //# sourceMappingURL=index.js.map