@xenterprises/fastify-xconfig 0.0.10 → 1.0.0

package/README.md

@@ -8,7 +8,7 @@ This plugin provides a comprehensive setup for configuring various services such
 
 - Handles CORS, rate-limiting, multipart handling, and error handling out of the box.
 - Integrates with third-party services such as SendGrid, Twilio, Cloudinary, Stripe, and Bugsnag.
-- Provides authentication setup for both Admin and User, with JWT-based token handling.
+- Provides authentication setup for both Admin and User, with Stack Auth integration.
 - Includes Prisma database connection and gracefully handles disconnecting on server shutdown.
 - Adds health check routes and resource usage monitoring, with environment validation.
 - Customizes route listing and applies various performance and security options.
@@ -38,8 +38,19 @@ fastify.register(xConfig, {
     apiSecret: "your-api-secret",
   },
   auth: {
-    admin: { secret: "admin-jwt-secret", expiresIn: "1h" },
-    user: { secret: "user-jwt-secret", expiresIn: "1h" },
+    excludedPaths: ["/public", "/portal/auth/register"],
+    admin: {
+      active: true,
+      stackProjectId: "your-admin-stack-project-id",
+      publishableKey: "your-admin-stack-publishable-key",
+      secretKey: "your-admin-stack-secret-key",
+    },
+    user: {
+      active: true,
+      stackProjectId: "your-user-stack-project-id",
+      publishableKey: "your-user-stack-publishable-key",
+      secretKey: "your-user-stack-secret-key",
+    },
   },
   cors: { origin: ["https://your-frontend.com"], credentials: true },
 });
@@ -53,7 +64,7 @@ fastify.listen({ port: 3000 });
 - **sendGrid**: SendGrid configuration for email services (optional).
 - **twilio**: Twilio configuration for SMS services (optional).
 - **cloudinary**: Cloudinary configuration for media upload services (optional).
-- **auth**: Authentication configuration for Admin and User JWT tokens (optional).
+- **auth**: Authentication configuration for Admin and User with Stack Auth integration (optional).
 - **cors**: CORS configuration (optional).
 - **rateLimit**: Rate-limiting options (optional).
 - **multipart**: Multipart handling options for file uploads (optional).
@@ -62,12 +73,29 @@ fastify.listen({ port: 3000 });
 
 ## Authentication
 
-The plugin provides both Admin and User authentication with JWT support. It sets secure cookies, manages token refresh, and validates tokens on protected routes.
+The plugin provides both Admin and User authentication with Stack Auth integration. It handles token verification, protected routes, and authentication endpoints.
+
+### User Authentication
+
+- `/portal/auth/login` - User login endpoint
+- `/portal/auth/me` - Get current user information
+- `/portal/auth/verify` - Verify a user token
+
+### Admin Authentication
 
-- `/admin/auth/login` for admin login.
-- `/portal/auth/login` for user login.
-- `/admin/auth/me` to check authentication status for admins.
-- `/portal/auth/me` to check authentication status for users.
+- `/admin/auth/login` - Admin login endpoint
+- `/admin/auth/me` - Get current admin information
+- `/admin/auth/verify` - Verify an admin token
+
+### Stack Auth Integration
+
+The plugin integrates with [Stack Auth](https://stack-auth.com) for secure authentication. You'll need to provide:
+
+- `stackProjectId` - Your Stack Auth project ID
+- `publishableKey` - Your Stack Auth publishable client key
+- `secretKey` - Your Stack Auth secret server key
+
+These can be provided via environment variables or in the plugin options.
 
 ## Health Check
 
@@ -79,11 +107,11 @@ The `/health` route provides a health check with details about uptime, memory us
 - **SendGrid**: Provides an email sending service through SendGrid, integrated with the Fastify instance.
 - **Twilio**: Provides SMS sending and phone number validation services.
 - **Cloudinary**: Handles file uploads to Cloudinary and deletion of media files.
-- **Authentication**: JWT-based authentication for Admin and User with token-based sessions.
+- **Authentication**: Stack Auth integration for secure user and admin authentication.
 
 ## Hooks
 
-- **onRequest**: Validates JWT tokens for protected routes.
+- **onRequest**: Validates tokens for protected routes.
 - **onClose**: Gracefully disconnects Prisma and other services on server shutdown.
 
 ## Error Handling
@@ -100,11 +128,23 @@ The following dependencies are used for various services and integrations:
 
 - Prisma Client, SendGrid, Twilio, Cloudinary, Fastify CORS, Fastify Rate Limit, Fastify Multipart, Fastify Under Pressure, and Fastify Bugsnag.
 
-## Notes
+## Environment Variables
+
+### Required for Authentication
+
+- `ADMIN_STACK_PROJECT_ID` - Stack Auth project ID for admin authentication
+- `ADMIN_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for admin authentication
+- `ADMIN_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for admin authentication
+- `USER_STACK_PROJECT_ID` - Stack Auth project ID for user authentication
+- `USER_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for user authentication
+- `USER_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for user authentication
+
+### Other Environment Variables
 
-- Environment variables such as `DATABASE_URL`, `ADMIN_JWT_SECRET`, and `USER_JWT_SECRET` are expected to be set.
-- Services like SendGrid, Twilio, and Cloudinary require API keys to be passed via the options.
-- This plugin is highly customizable, with options to enable/disable each feature.
+- `DATABASE_URL` - Required for Prisma Client
+- `SENDGRID_API_KEY` - Required for SendGrid integration
+- `TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_PHONE_NUMBER` - Required for Twilio integration
+- `CLOUDINARY_CLOUD_NAME`, `CLOUDINARY_API_KEY`, `CLOUDINARY_API_SECRET` - Required for Cloudinary integration
 
 ## Example Configuration
 
@@ -123,21 +163,18 @@ fastify.register(xConfig, {
     apiSecret: "your-api-secret",
   },
   auth: {
+    excludedPaths: ["/public", "/portal/auth/login", "/portal/auth/register"],
     admin: {
-      secret: "admin-secret",
-      expiresIn: "1h",
-      cookieOptions: {
-        name: "adminCookie",
-        refreshTokenName: "adminRefreshToken",
-      },
+      active: true,
+      stackProjectId: "your-admin-stack-project-id",
+      publishableKey: "your-admin-stack-publishable-key",
+      secretKey: "your-admin-stack-secret-key",
     },
     user: {
-      secret: "user-secret",
-      expiresIn: "1h",
-      cookieOptions: {
-        name: "userCookie",
-        refreshTokenName: "userRefreshToken",
-      },
+      active: true,
+      stackProjectId: "your-user-stack-project-id",
+      publishableKey: "your-user-stack-publishable-key",
+      secretKey: "your-user-stack-secret-key",
     },
   },
   cors: { origin: ["https://your-frontend.com"], credentials: true },

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@xenterprises/fastify-xconfig",
   "type": "module",
-  "version": "0.0.10",
+  "version": "1.0.0",
   "description": "Fastify configuration plugin for setting up middleware, services, and route handling.",
   "main": "src/xConfig.js",
   "scripts": {

package/server/app.js

@@ -62,14 +62,7 @@ export default async function (fastify, opts) {
       },
       user: {
         active: true,
-        secret: process.env.USER_JWT_SECRET,
-        expiresIn: '1h',
-        cookieOptions: {
-          name: 'userToken',
-          httpOnly: true,
-          secure: true,
-          sameSite: 'strict',
-        },
+        portalStackProjectId: process.env.STACK_PROJECT_ID,
         me: {
           isOnboarded: true
         },
@@ -89,4 +82,4 @@ export default async function (fastify, opts) {
     return { status: fastify.xEcho() }
   })
 
-};
+};

package/src/auth/admin.js

@@ -1,67 +1,74 @@
-import jwt from "@fastify/jwt";
-import bcrypt from "bcrypt";
+import * as jose from "jose";
 const isProduction = process.env.NODE_ENV === 'production';
+
 export async function setupAdminAuth(fastify, options) {
   if (options.admin?.active !== false) {
+    // Get configuration
+    const projectId = options.admin.stackProjectId || process.env.ADMIN_STACK_PROJECT_ID;
+    const publishableKey = options.admin.publishableKey || process.env.ADMIN_STACK_PUBLISHABLE_CLIENT_KEY;
+    const secretKey = options.admin.secretKey || process.env.ADMIN_STACK_SECRET_SERVER_KEY;
+
+    if (!projectId) {
+      throw new Error("Stack Auth admin project ID is required");
+    }
 
-    // Ensure the admin JWT secret is provided
-    if (!options.admin.secret) {
-      throw new Error("Admin JWT secret must be provided.");
+    if (!publishableKey || !secretKey) {
+      throw new Error("Stack Auth admin publishable and secret keys are required");
     }
 
-    const adminAuthOptions = options.admin;
-    const adminCookieName =
-      adminAuthOptions.cookieOptions?.name || "adminToken";
-    const adminRefreshCookieName =
-      adminAuthOptions.cookieOptions?.refreshTokenName || "adminRefreshToken";
-    const adminCookieOptions = {
-      httpOnly: true,  // Ensures the cookie is not accessible via JavaScript
-      secure: isProduction,  // true in production (HTTPS), false in development (HTTP)
-      sameSite: isProduction ? 'None' : 'Lax',  // 'None' for cross-origin, 'Lax' for development
-      path: '/',  // Ensure cookies are valid for the entire site
-    };
-    const adminExcludedPaths = adminAuthOptions.excludedPaths || [
+    const adminExcludedPaths = options.admin.excludedPaths || [
       "/admin/auth/login",
       "/admin/auth/logout",
     ];
 
-    // Decorator to hash admin passwords
-    async function hashAdminPassword(password) {
-      const saltRounds = 10;  // Number of salt rounds for bcrypt (10 is generally a good default)
-      try {
-        const hashedPassword = await bcrypt.hash(password, saltRounds);
-        return hashedPassword;
-      } catch (error) {
-        throw new Error("Failed to hash password: " + error.message);
+    // Base URL for Stack Auth API
+    const stackAuthBaseUrl = `https://api.stack-auth.com/api/v1`;
+    const jwksUrl = `${stackAuthBaseUrl}/projects/${projectId}/.well-known/jwks.json`;
+
+    // Create JWKS for token verification
+    const jwks = jose.createRemoteJWKSet(new URL(jwksUrl));
+
+    // Helper for Stack Auth API headers
+    fastify.decorate('getAdminStackAuthHeaders', function (accessType = "server") {
+      const headers = {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'X-Stack-Access-Type': accessType,
+        'X-Stack-Project-Id': projectId,
+      };
+
+      if (accessType === "client") {
+        headers['X-Stack-Publishable-Client-Key'] = publishableKey;
+      } else if (accessType === "server") {
+        headers['X-Stack-Secret-Server-Key'] = secretKey;
       }
-    }
 
-    fastify.decorate("hashAdminPassword", hashAdminPassword);
-
-    // Register JWT for admin
-    await fastify.register(jwt, {
-      secret: adminAuthOptions.secret,
-      sign: { algorithm: 'HS256', expiresIn: adminAuthOptions.expiresIn || "15m" },
-      cookie: {
-        cookieName: adminCookieName,
-        signed: false,
-      },
-      namespace: "adminJwt",
-      jwtVerify: "adminJwtVerify",
-      jwtSign: "adminJwtSign",
+      return headers;
     });
 
-    // Common function to set tokens as cookies
-    const setAdminAuthCookies = (reply, accessToken, refreshToken) => {
-      reply.setCookie(adminCookieName, accessToken, adminCookieOptions);
-      reply.setCookie(adminRefreshCookieName, refreshToken, {
-        // ...adminCookieOptions,
-        httpOnly: true,  // Ensures the cookie is not accessible via JavaScript
-        secure: isProduction,  // true in production (HTTPS), false in development (HTTP)
-        sameSite: isProduction ? 'None' : 'Lax',  // 'None' for cross-origin, 'Lax' for development
-        path: '/',  // Ensure cookies are valid for the entire site
-      });
-    };
+    // JWT verification helper
+    fastify.decorate('verifyAdminStackJWT', async function (accessToken) {
+      try {
+        // Add validation to ensure accessToken is a valid string
+        if (!accessToken || typeof accessToken !== 'string') {
+          fastify.log.error('Invalid admin token format: token must be a non-empty string');
+          return null;
+        }
+
+        const { payload } = await jose.jwtVerify(accessToken, jwks);
+
+        // Verify the payload has expected properties
+        if (!payload || !payload.sub) {
+          fastify.log.error('Invalid admin token payload: missing required claims');
+          return null;
+        }
+
+        return payload;
+      } catch (error) {
+        fastify.log.error(error);
+        return null;
+      }
+    });
 
     // Admin authentication hook
     fastify.addHook("onRequest", async (request, reply) => {
@@ -74,168 +81,101 @@ export async function setupAdminAuth(fastify, options) {
 
       if (url.startsWith("/admin")) {
         try {
-          // Extract token from cookie or Authorization header
+          // Get token from header
           const authHeader = request.headers.authorization;
-          const authToken =
-            authHeader && authHeader.startsWith("Bearer ")
-              ? authHeader.slice(7)
-              : null;
-          const token = request.cookies[adminCookieName] || authToken;
-
-          if (!token) {
-            throw fastify.httpErrors.unauthorized(
-              "Admin access token not provided"
-            );
+          if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return reply.code(401).send({ error: "Admin access token required" });
+          }
+
+          // Verify token
+          const token = authHeader.slice(7);
+          const payload = await fastify.verifyAdminStackJWT(token);
+
+          if (!payload) {
+            return reply.code(401).send({ error: "Invalid admin token" });
           }
 
-          // Verify access token
-          const decoded = await request.adminJwtVerify(token);
-          request.adminAuth = decoded; // Attach admin auth context
+          // Set admin info on request
+          request.admin = payload;
+          request.adminAuth = { id: payload.sub };
         } catch (err) {
-          // Use built-in HTTP error handling
-          reply.send(
-            fastify.httpErrors.unauthorized("Invalid or expired access token")
-          );
+          return reply.code(401).send({ error: "Admin authentication failed" });
         }
       }
     });
 
-    // Admin login route
+    // Admin login endpoint
     fastify.post("/admin/auth/login", async (req, reply) => {
       try {
         const { email, password } = req.body;
 
-        // Validate input
         if (!email || !password) {
-          throw fastify.httpErrors.badRequest(
-            "Email and password are required"
-          );
-        }
-
-        // Fetch admin from the database
-        const admin = await fastify.prisma.admins.findUnique({
-          where: { email },
-        });
-        if (!admin) {
-          throw fastify.httpErrors.unauthorized("Invalid credentials");
+          return reply.code(400).send({ error: "Email and password required" });
         }
 
-        // Compare passwords using bcrypt
-        const isValidPassword = await bcrypt.compare(password, admin.password);
-        if (!isValidPassword) {
-          throw fastify.httpErrors.unauthorized("Invalid credentials");
-        }
-
-        // Issue access token
-        const accessToken = await reply.adminJwtSign({ id: admin.id });
-
-        // Generate refresh token
-        const refreshToken = await fastify.randomUUID();
-        const hashedRefreshToken = await bcrypt.hash(refreshToken, 10);
-
-        // Store hashed refresh token in the database
-        await fastify.prisma.admins.update({
-          where: { id: admin.id },
-          data: { refreshToken: hashedRefreshToken },
-        });
-
-        // Set tokens as cookies
-        setAdminAuthCookies(reply, accessToken, refreshToken);
+        // Call Stack Auth API for password sign-in
+        const response = await fetch(
+          `${stackAuthBaseUrl}/auth/password/sign-in`,
+          {
+            method: 'POST',
+            headers: fastify.getAdminStackAuthHeaders("server"),
+            body: JSON.stringify({ email, password })
+          }
+        );
 
-        reply.send({ accessToken });
-      } catch (err) {
-        reply.send(err);
-      }
-    });
+        const data = await response.json().catch(() => ({}));
 
-    // Admin refresh token route
-    fastify.post("/admin/auth/refresh", async (req, reply) => {
-      try {
-        const adminAuth = req.adminAuth;
-        const refreshToken = req.cookies[adminRefreshCookieName];
-        if (!refreshToken) {
-          throw fastify.httpErrors.unauthorized("Refresh token not provided");
+        if (!response.ok) {
+          return reply.code(response.status || 400).send({
+            error: data.message || "Authentication failed"
+          });
         }
 
-        // Fetch admin from the database using the refresh token
-        const admin = await fastify.prisma.admins.findFirst({
-          where: { id: adminAuth.id, refreshToken: { not: null } },
-        });
-        if (!admin) {
-          throw fastify.httpErrors.unauthorized("Invalid refresh token");
+        // Check if we have the expected response properties
+        if (!data.access_token || !data.refresh_token || !data.user_id) {
+          return reply.code(500).send({ error: "Invalid response from authentication service" });
         }
 
-        // Verify the refresh token
-        const isValid = await bcrypt.compare(refreshToken, admin.refreshToken);
-        if (!isValid) {
-          throw fastify.httpErrors.unauthorized("Invalid refresh token");
+        // Verify token
+        const payload = await fastify.verifyAdminStackJWT(data.access_token);
+        if (!payload) {
+          return reply.code(401).send({ error: "Invalid token received" });
         }
 
-        // Issue new access token
-        const accessToken = await reply.adminJwtSign({ id: admin.id });
-
-        // Generate new refresh token
-        const newRefreshToken = await fastify.randomUUID();
-        const hashedNewRefreshToken = await bcrypt.hash(newRefreshToken, 10);
-
-        // Update refresh token in the database
-        await fastify.prisma.admins.update({
-          where: { id: admin.id },
-          data: { refreshToken: hashedNewRefreshToken },
+        reply.send({
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          admin: payload,
+          adminId: data.user_id
         });
-
-        // Set new tokens as cookies
-        setAdminAuthCookies(reply, accessToken, newRefreshToken);
-
-        reply.send({ accessToken });
       } catch (err) {
-        reply.send(err);
+        fastify.log.error(err);
+        reply.code(500).send({ error: "Internal server error" });
       }
     });
 
-    // Admin logout route
-    fastify.post("/admin/auth/logout", async (req, reply) => {
-      try {
-        const adminAuth = req.adminAuth;
-        if (adminAuth) {
-          // Delete refresh token from the database
-          await fastify.prisma.admins.update({
-            where: { id: adminAuth.id },
-            data: { refreshToken: null },
-          });
-        }
-
-        // Clear cookies
-        reply.clearCookie(adminCookieName, { path: "/" });
-        reply.clearCookie(adminRefreshCookieName, { path: "/" });
-
-        reply.send({ message: "Logged out successfully" });
-      } catch (err) {
-        reply.send(err);
-      }
+    // Admin info endpoint
+    fastify.get("/admin/auth/me", async (req, reply) => {
+      reply.send(req.admin || { authenticated: false });
     });
 
-    // Admin authentication status route
-    fastify.get("/admin/auth/me", async (req, reply) => {
-      try {
-        const adminAuth = req.adminAuth;
+    // Token verification endpoint
+    fastify.post("/admin/auth/verify", async (req, reply) => {
+      const { token } = req.body;
 
-        // Fetch admin details from database
-        const admin = await fastify.prisma.admins.findUnique({
-          where: { id: adminAuth.id },
-          select: { id: true, firstName: true, lastName: true, email: true },
-        });
+      if (!token) {
+        return reply.code(400).send({ error: "Token required" });
+      }
 
-        if (!admin) {
-          throw fastify.httpErrors.notFound("Admin not found");
-        }
+      const payload = await fastify.verifyAdminStackJWT(token);
 
-        reply.send(admin);
-      } catch (err) {
-        reply.send(err);
+      if (!payload) {
+        return reply.code(401).send({ valid: false });
       }
+
+      reply.send({ valid: true, admin: payload });
     });
 
     console.info("   ✅ Auth Admin Enabled");
   }
-}
+}

package/src/auth/portal.js

@@ -1,25 +1,22 @@
-import jwt from "@fastify/jwt";
-import bcrypt from "bcrypt";
-import { config } from "process";
-const isProduction = process.env.NODE_ENV === 'production';
+import * as jose from "jose";
+import fetch from "node-fetch";
+
 export async function setupAuth(fastify, options) {
   if (options.user?.active !== false) {
-    // Ensure the user JWT secret is provided
-    if (!options.user.secret) {
-      throw new Error("User JWT secret must be provided.");
+    // Get configuration
+    const projectId = options.user.portalStackProjectId || process.env.STACK_PROJECT_ID;
+    const publishableKey = options.user.publishableKey || process.env.STACK_PUBLISHABLE_CLIENT_KEY;
+    const secretKey = options.user.secretKey || process.env.STACK_SECRET_SERVER_KEY;
+
+    if (!projectId) {
+      throw new Error("Stack Auth project ID is required");
     }
 
-    const userAuthOptions = options.user;
-    const userCookieName = userAuthOptions.cookieOptions?.name || "userToken";
-    const userRefreshCookieName =
-      userAuthOptions.cookieOptions?.refreshTokenName || "userRefreshToken";
-    const userCookieOptions = {
-      httpOnly: true,  // Ensures the cookie is not accessible via JavaScript
-      secure: isProduction,  // true in production (HTTPS), false in development (HTTP)
-      sameSite: isProduction ? 'None' : 'Lax',  // 'None' for cross-origin, 'Lax' for development
-      path: '/',  // Ensure cookies are valid for the entire site
-    };
-    const userExcludedPaths = userAuthOptions.excludedPaths || [
+    if (!publishableKey || !secretKey) {
+      throw new Error("Stack Auth publishable and secret keys are required");
+    }
+
+    const userExcludedPaths = options.user.excludedPaths || [
       "/portal/auth/login",
       "/portal/auth/logout",
       "/portal/auth/register",
@@ -27,260 +24,154 @@ export async function setupAuth(fastify, options) {
       "/portal/auth/reset-password"
     ];
 
-    // Register JWT for user
-    await fastify.register(jwt, {
-      secret: userAuthOptions.secret,
-      sign: { algorithm: 'HS256', expiresIn: userAuthOptions.expiresIn || "15m" },
-      cookie: { cookieName: userCookieName, signed: false },
-      namespace: "userJwt",
-      jwtVerify: "userJwtVerify",
-      jwtSign: "userJwtSign",
+    // Base URL for Stack Auth API
+    const stackAuthBaseUrl = `https://api.stack-auth.com/api/v1`;
+    const jwksUrl = `${stackAuthBaseUrl}/projects/${projectId}/.well-known/jwks.json`;
+
+    // Create JWKS for token verification
+    const jwks = jose.createRemoteJWKSet(new URL(jwksUrl));
+
+    // Helper for Stack Auth API headers
+    fastify.decorate('getStackAuthHeaders', function (accessType = "server") {
+      const headers = {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'X-Stack-Access-Type': accessType,
+        'X-Stack-Project-Id': projectId,
+      };
+
+      if (accessType === "client") {
+        headers['X-Stack-Publishable-Client-Key'] = publishableKey;
+      } else if (accessType === "server") {
+        headers['X-Stack-Secret-Server-Key'] = secretKey;
+      }
+
+      return headers;
     });
 
-    // Common function to set tokens as cookies
-    const setAuthCookies = (reply, accessToken, refreshToken) => {
-      reply.setCookie(userCookieName, accessToken, userCookieOptions);
-      reply.setCookie(userRefreshCookieName, refreshToken, {
-        // ...userCookieOptions,
-        httpOnly: true,  // Ensures the cookie is not accessible via JavaScript
-        secure: isProduction,  // true in production (HTTPS), false in development (HTTP)
-        sameSite: isProduction ? 'None' : 'Lax',  // 'None' for cross-origin, 'Lax' for development
-        path: '/',  // Ensure cookies are valid for the entire site
-      });
-    };
-
-    // User authentication hook
+    // JWT verification helper
+    fastify.decorate('verifyStackJWT', async function (accessToken) {
+      try {
+        const { payload } = await jose.jwtVerify(accessToken, jwks);
+        return payload;
+      } catch (error) {
+        fastify.log.error(error);
+        return null;
+      }
+    });
+
+    // API URL helper
+    fastify.decorate('getStackAuthApiUrl', function () {
+      return stackAuthBaseUrl;
+    });
+
+    // Authentication middleware
     fastify.addHook("onRequest", async (request, reply) => {
       const url = request.url;
 
-      // Skip authentication for excluded paths
-      if (userExcludedPaths.some((path) => url.startsWith(path))) {
+      // Skip excluded paths
+      if (userExcludedPaths.some(path => url.startsWith(path))) {
         return;
       }
 
       if (url.startsWith("/portal")) {
         try {
-          // Extract token from cookie or Authorization header
+          // Get token from header
           const authHeader = request.headers.authorization;
-          const authToken =
-            authHeader && authHeader.startsWith("Bearer ")
-              ? authHeader.slice(7)
-              : null;
-          const token = request.cookies[userCookieName] || authToken;
-
-          if (!token) {
-            throw fastify.httpErrors.unauthorized(
-              "User access token not provided"
-            );
+          if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return reply.code(401).send({ error: "Access token required" });
           }
 
-          // Verify access token using the namespaced verify method
-          const decoded = await request.userJwtVerify(token);
-          request.userAuth = decoded; // Attach user auth context
-        } catch (err) {
-          // Use built-in HTTP error handling
-          reply.send(
-            fastify.httpErrors.unauthorized("Invalid or expired access token")
-          );
-        }
-      }
-    });
-
-    // User registration route
-    fastify.post("/portal/auth/register", async (req, reply) => {
-      try {
-        const { email, password, firstName, lastName } = req.body;
+          // Verify token
+          const token = authHeader.slice(7);
+          const payload = await fastify.verifyStackJWT(token);
 
-        // Validate input
-        if (!email || !password || !firstName || !lastName) {
-          throw fastify.httpErrors.badRequest("Missing required fields");
-        }
+          if (!payload) {
+            return reply.code(401).send({ error: "Invalid token" });
+          }
 
-        // Check if user already exists
-        const existingUser = await fastify.prisma.users.findUnique({
-          where: { email },
-        });
-        if (existingUser) {
-          throw fastify.httpErrors.conflict("Email already in use");
+          // Set user info on request
+          request.user = payload;
+          request.userAuth = { id: payload.sub };
+        } catch (err) {
+          return reply.code(401).send({ error: "Authentication failed" });
         }
-
-        // Hash the password
-        const hashedPassword = await bcrypt.hash(password, 10);
-
-        // Create the user
-        const user = await fastify.prisma.users.create({
-          data: {
-            email,
-            password: hashedPassword,
-            firstName,
-            lastName,
-          },
-        });
-
-        // // Send welcome email
-        // if (options.user?.sendWelcomeEmail) {
-        //   await fastify.sendGrid.sendEmail(email, auth?.user?.registerEmail?.subject, auth?.user?.registerEmail?.templateId, { name: firstName, email });
-        // }
-
-
-        // Issue access token
-        const accessToken = await reply.userJwtSign({ id: user.id });
-
-        // Generate refresh token
-        const refreshToken = await fastify.randomUUID();
-        const hashedRefreshToken = await bcrypt.hash(refreshToken, 10);
-
-        // Store hashed refresh token in the database
-        await fastify.prisma.users.update({
-          where: { id: user.id },
-          data: { refreshToken: hashedRefreshToken },
-        });
-
-        // Set tokens as cookies
-        setAuthCookies(reply, accessToken, refreshToken);
-
-        reply.send({ accessToken });
-      } catch (err) {
-        reply.send(err);
       }
     });
 
-    // User login route
+    // Login endpoint
     fastify.post("/portal/auth/login", async (req, reply) => {
       try {
         const { email, password } = req.body;
 
         if (!email || !password) {
-          throw fastify.httpErrors.badRequest(
-            "Email and password are required"
-          );
-        }
-
-        // Fetch user from the database
-        const user = await fastify.prisma.users.findUnique({
-          where: { email },
-        });
-        if (!user) {
-          throw fastify.httpErrors.unauthorized("Invalid credentials");
+          return reply.code(400).send({ error: "Email and password required" });
         }
 
-        // Compare passwords using bcrypt
-        const isValidPassword = await bcrypt.compare(password, user.password);
-        if (!isValidPassword) {
-          throw fastify.httpErrors.unauthorized("Invalid credentials");
-        }
-
-        // Issue access token
-        const accessToken = await reply.userJwtSign({ id: user.id });
-
-        // Generate refresh token
-        const refreshToken = await fastify.randomUUID();
-        const hashedRefreshToken = await bcrypt.hash(refreshToken, 10);
-
-        // Store hashed refresh token in the database
-        await fastify.prisma.users.update({
-          where: { id: user.id },
-          data: { refreshToken: hashedRefreshToken },
-        });
+        // Call Stack Auth API for password sign-in
+        const response = await fetch(
+          `${stackAuthBaseUrl}/auth/password/sign-in`,
+          {
+            method: 'POST',
+            headers: fastify.getStackAuthHeaders("server"),
+            body: JSON.stringify({ email, password })
+          }
+        );
 
-        // Set tokens as cookies
-        setAuthCookies(reply, accessToken, refreshToken);
+        const data = await response.json().catch(() => ({}));
 
-        reply.send({ accessToken });
-      } catch (err) {
-        reply.send(err);
-      }
-    });
-
-    // User refresh token route
-    fastify.post("/portal/auth/refresh", async (req, reply) => {
-      try {
-        const userAuth = req.userAuth;
-        const refreshToken = req.cookies[userRefreshCookieName];
-        if (!refreshToken) {
-          throw fastify.httpErrors.unauthorized("Refresh token not provided");
+        if (!response.ok) {
+          return reply.code(response.status || 400).send({
+            error: data.message || "Authentication failed"
+          });
         }
 
-        // Fetch user from the database using the refresh token
-        const user = await fastify.prisma.users.findFirst({
-          where: { id: userAuth?.id, refreshToken: { not: null } },
-        });
-
-        if (!user) {
-          throw fastify.httpErrors.unauthorized("Invalid refresh token");
+        // Check if we have the expected response properties
+        if (!data.access_token || !data.refresh_token || !data.user_id) {
+          return reply.code(500).send({ error: "Invalid response from authentication service" });
         }
 
-        // Verify the refresh token
-        const isValid = await bcrypt.compare(refreshToken, user.refreshToken);
-        if (!isValid) {
-          throw fastify.httpErrors.unauthorized("Invalid refresh token");
+        // Verify token
+        const payload = await fastify.verifyStackJWT(data.access_token);
+        if (!payload) {
+          return reply.code(401).send({ error: "Invalid token received" });
         }
 
-        // Issue new access token
-        const accessToken = await reply.userJwtSign({ id: user.id });
-
-        // Generate new refresh token
-        const newRefreshToken = fastify.randomUUID();
-        const hashedNewRefreshToken = await bcrypt.hash(newRefreshToken, 10);
-
-        // Update refresh token in the database
-        await fastify.prisma.users.update({
-          where: { id: user.id },
-          data: { refreshToken: hashedNewRefreshToken },
+        reply.send({
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          user: payload,
+          userId: data.user_id
         });
-
-        // Set new tokens as cookies
-        setAuthCookies(reply, accessToken, newRefreshToken);
-
-        reply.send({ accessToken });
       } catch (err) {
-        reply.send(err);
+        fastify.log.error(err);
+        reply.code(500).send({ error: "Internal server error" });
       }
     });
 
-    // User logout route
-    fastify.post("/portal/auth/logout", async (req, reply) => {
-      try {
-        const userAuth = req.userAuth;
-        if (userAuth) {
-          // Delete refresh token from the database
-          await fastify.prisma.users.update({
-            where: { id: userAuth.id },
-            data: { refreshToken: null },
-          });
-        }
-
-        // Clear cookies
-        reply.clearCookie(userCookieName, { path: "/" });
-        reply.clearCookie(userRefreshCookieName, { path: "/" });
 
-        reply.send({ message: "Logged out successfully" });
-      } catch (err) {
-        reply.send(err);
-      }
+    // User info endpoint
+    fastify.get("/portal/auth/me", async (req, reply) => {
+      reply.send(req.user || { authenticated: false });
     });
 
-    // User authentication status route
-    fastify.get("/portal/auth/me", async (req, reply) => {
-      try {
-        const userAuth = req.userAuth;
+    // Token verification endpoint
+    fastify.post("/portal/auth/verify", async (req, reply) => {
+      const { token } = req.body;
 
-        // Fetch user details from database
-        const user = await fastify.prisma.users.findUnique({
-          where: { id: userAuth.id },
-          select: { id: true, email: true, firstName: true, lastName: true, ...userAuthOptions.me },
-        });
+      if (!token) {
+        return reply.code(400).send({ error: "Token required" });
+      }
 
-        if (!user) {
-          throw fastify.httpErrors.notFound("User not found");
-        }
+      const payload = await fastify.verifyStackJWT(token);
 
-        reply.send(user);
-      } catch (err) {
-        reply.send(err);
+      if (!payload) {
+        return reply.code(401).send({ valid: false });
       }
+
+      reply.send({ valid: true, user: payload });
     });
 
     console.info("   ✅ Auth User Enabled");
   }
-}
+}

package/xConfigReference.js

@@ -8,7 +8,7 @@
  * *Key Features:*
  * - Handles CORS, rate-limiting, multipart handling, and error handling out of the box.
  * - Integrates with third-party services such as SendGrid, Twilio, Cloudinary, Stripe, and Bugsnag.
- * - Provides authentication setup for both Admin and User, with JWT-based token handling.
+ * - Provides authentication setup for both Admin and User, with Stack Auth integration.
  * - Includes Prisma database connection and gracefully handles disconnecting on server shutdown.
  * - Adds health check routes and resource usage monitoring, with environment validation.
  * - Customizes routes listing and applies various performance and security options.
@@ -29,8 +29,19 @@
  *   twilio: { accountSid: 'your-account-sid', authToken: 'your-auth-token', phoneNumber: 'your-twilio-number' },
  *   cloudinary: { cloudName: 'your-cloud-name', apiKey: 'your-api-key', apiSecret: 'your-api-secret' },
  *   auth: {
- *     admin: { secret: 'admin-jwt-secret', expiresIn: '1h' },
- *     user: { secret: 'user-jwt-secret', expiresIn: '1h' },
+ *     excludedPaths: ['/public', '/portal/auth/register'],
+ *     admin: {
+ *       active: true,
+ *       stackProjectId: 'your-admin-stack-project-id',
+ *       publishableKey: 'your-admin-stack-publishable-key',
+ *       secretKey: 'your-admin-stack-secret-key',
+ *     },
+ *     user: {
+ *       active: true,
+ *       stackProjectId: 'your-user-stack-project-id',
+ *       publishableKey: 'your-user-stack-publishable-key',
+ *       secretKey: 'your-user-stack-secret-key',
+ *     },
  *   },
  *   cors: { origin: ['https://your-frontend.com'], credentials: true },
  * });
@@ -44,7 +55,7 @@
  * - sendGrid: SendGrid configuration for email services (optional).
  * - twilio: Twilio configuration for SMS services (optional).
  * - cloudinary: Cloudinary configuration for media upload services (optional).
- * - auth: Authentication configuration for Admin and User JWT tokens (optional).
+ * - auth: Authentication configuration for Admin and User with Stack Auth integration (optional).
  * - cors: CORS configuration (optional).
  * - rateLimit: Rate-limiting options (optional).
  * - multipart: Multipart handling options for file uploads (optional).
@@ -52,12 +63,23 @@
  * - underPressure: Under Pressure plugin options for monitoring and throttling under load (optional).
  *
  * *Authentication:*
- * The plugin provides both Admin and User authentication with JWT support. It sets secure cookies,
- * manages token refresh, and validates tokens on protected routes. For example:
+ * The plugin provides both Admin and User authentication with Stack Auth integration. It handles token verification,
+ * protected routes, and authentication endpoints. For example:
  * - `/admin/auth/login` for admin login.
  * - `/portal/auth/login` for user login.
  * - `/admin/auth/me` to check authentication status for admins.
  * - `/portal/auth/me` to check authentication status for users.
+ * - `/admin/auth/verify` to verify admin tokens.
+ * - `/portal/auth/verify` to verify user tokens.
+ *
+ * *Stack Auth Integration:*
+ * The plugin integrates with Stack Auth (https://stack-auth.com) for secure authentication.
+ * You'll need to provide:
+ * - `stackProjectId` - Your Stack Auth project ID
+ * - `publishableKey` - Your Stack Auth publishable client key
+ * - `secretKey` - Your Stack Auth secret server key
+ *
+ * These can be provided via environment variables or in the plugin options.
  *
  * *Health Check:*
  * The `/health` route provides a health check with details about uptime, memory usage, CPU load,
@@ -68,10 +90,10 @@
  * - **SendGrid**: Provides an email sending service through SendGrid, integrated with the Fastify instance.
  * - **Twilio**: Provides SMS sending and phone number validation services.
  * - **Cloudinary**: Handles file uploads to Cloudinary and deletion of media files.
- * - **Authentication**: JWT-based authentication for Admin and User with token-based sessions.
+ * - **Authentication**: Stack Auth integration for secure user and admin authentication.
  *
  * *Hooks:*
- * - `onRequest`: Validates JWT tokens for protected routes.
+ * - `onRequest`: Validates tokens for protected routes.
  * - `onClose`: Gracefully disconnects Prisma and other services on server shutdown.
  *
  * *Error Handling:*
@@ -86,10 +108,18 @@
  * Fastify Under Pressure, and Fastify Bugsnag are used for various services and integrations.
  *
  * *Notes:*
- * - Environment variables such as `DATABASE_URL`, `ADMIN_JWT_SECRET`, and `USER_JWT_SECRET` are expected to be set.
+ * - Environment variables such as `DATABASE_URL`, `ADMIN_STACK_PROJECT_ID`, and `USER_STACK_PROJECT_ID` are expected to be set.
  * - Services like SendGrid, Twilio, and Cloudinary require API keys to be passed via the options.
  * - This plugin is highly customizable, with options to enable/disable each feature.
  *
+ * *Environment Variables:*
+ * - `ADMIN_STACK_PROJECT_ID` - Stack Auth project ID for admin authentication
+ * - `ADMIN_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for admin authentication
+ * - `ADMIN_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for admin authentication
+ * - `USER_STACK_PROJECT_ID` - Stack Auth project ID for user authentication
+ * - `USER_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for user authentication
+ * - `USER_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for user authentication
+ *
  * *Example Configuration:*
  * ```javascript
  * fastify.register(xConfig, {
@@ -106,15 +136,18 @@
  *     apiSecret: 'your-api-secret',
  *   },
  *   auth: {
+ *     excludedPaths: ['/public', '/portal/auth/login', '/portal/auth/register'],
  *     admin: {
- *       secret: 'admin-secret',
- *       expiresIn: '1h',
- *       cookieOptions: { name: 'adminCookie', refreshTokenName: 'adminRefreshToken' },
+ *       active: true,
+ *       stackProjectId: 'your-admin-stack-project-id',
+ *       publishableKey: 'your-admin-stack-publishable-key',
+ *       secretKey: 'your-admin-stack-secret-key',
  *     },
  *     user: {
- *       secret: 'user-secret',
- *       expiresIn: '1h',
- *       cookieOptions: { name: 'userCookie', refreshTokenName: 'userRefreshToken' },
+ *       active: true,
+ *       stackProjectId: 'your-user-stack-project-id',
+ *       publishableKey: 'your-user-stack-publishable-key',
+ *       secretKey: 'your-user-stack-secret-key',
  *     },
  *   },
  *   cors: { origin: ['https://your-frontend.com'], credentials: true },
@@ -123,14 +156,12 @@
  */
 
 import fp from "fastify-plugin";
-import jwt from "@fastify/jwt";
-import bcrypt from "bcrypt";
+import jose from "jose";
 import { PrismaClient } from "@prisma/client";
 import Sendgrid from '@sendgrid/mail';
 import sgClient from '@sendgrid/client';
 import Twilio from "twilio";
 import { v2 as Cloudinary } from "cloudinary";
-import { randomUUID } from "uncrypto"; // Import randomString from uncrypto
 const isProduction = process.env.NODE_ENV === 'production';
 import Stripe from 'stripe';
 /*