npm - alepha - Versions diffs - 0.14.4 → 0.15.0 - Mend

alepha 0.14.4 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (277) hide show

package/README.md +1 -4
package/dist/api/audits/index.d.ts +619 -731
package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/files/index.d.ts +185 -298
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/files/index.js +0 -1
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.d.ts +245 -356
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/notifications/index.d.ts +238 -350
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/parameters/index.d.ts +499 -611
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/users/index.browser.js +1 -2
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +1697 -1804
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +178 -151
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.d.ts +132 -132
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/batch/index.d.ts +122 -122
package/dist/batch/index.d.ts.map +1 -1
package/dist/batch/index.js +1 -2
package/dist/batch/index.js.map +1 -1
package/dist/bucket/index.d.ts +163 -163
package/dist/bucket/index.d.ts.map +1 -1
package/dist/cache/core/index.d.ts +46 -46
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/redis/index.d.ts.map +1 -1
package/dist/cli/index.d.ts +302 -299
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +966 -564
package/dist/cli/index.js.map +1 -1
package/dist/command/index.d.ts +303 -299
package/dist/command/index.d.ts.map +1 -1
package/dist/command/index.js +11 -7
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js +419 -99
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +718 -625
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +420 -99
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +419 -99
package/dist/core/index.native.js.map +1 -1
package/dist/datetime/index.d.ts +44 -44
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js +4 -4
package/dist/datetime/index.js.map +1 -1
package/dist/email/index.d.ts +97 -50
package/dist/email/index.d.ts.map +1 -1
package/dist/email/index.js +129 -33
package/dist/email/index.js.map +1 -1
package/dist/fake/index.d.ts +7981 -14
package/dist/fake/index.d.ts.map +1 -1
package/dist/file/index.d.ts +523 -390
package/dist/file/index.d.ts.map +1 -1
package/dist/file/index.js +253 -1
package/dist/file/index.js.map +1 -1
package/dist/lock/core/index.d.ts +208 -208
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/redis/index.d.ts.map +1 -1
package/dist/logger/index.d.ts +25 -26
package/dist/logger/index.d.ts.map +1 -1
package/dist/mcp/index.d.ts +197 -197
package/dist/mcp/index.d.ts.map +1 -1
package/dist/orm/chunk-DtkW-qnP.js +38 -0
package/dist/orm/index.browser.js.map +1 -1
package/dist/orm/index.bun.js +2814 -0
package/dist/orm/index.bun.js.map +1 -0
package/dist/orm/index.d.ts +1205 -1057
package/dist/orm/index.d.ts.map +1 -1
package/dist/orm/index.js +2056 -1753
package/dist/orm/index.js.map +1 -1
package/dist/queue/core/index.d.ts +248 -248
package/dist/queue/core/index.d.ts.map +1 -1
package/dist/queue/redis/index.d.ts.map +1 -1
package/dist/redis/index.bun.js +285 -0
package/dist/redis/index.bun.js.map +1 -0
package/dist/redis/index.d.ts +118 -136
package/dist/redis/index.d.ts.map +1 -1
package/dist/redis/index.js +18 -38
package/dist/redis/index.js.map +1 -1
package/dist/retry/index.d.ts +69 -69
package/dist/retry/index.d.ts.map +1 -1
package/dist/router/index.d.ts +6 -6
package/dist/router/index.d.ts.map +1 -1
package/dist/scheduler/index.d.ts +25 -25
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/security/index.browser.js +5 -1
package/dist/security/index.browser.js.map +1 -1
package/dist/security/index.d.ts +417 -254
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +386 -86
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts +277 -277
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +20 -20
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cache/index.d.ts +60 -57
package/dist/server/cache/index.d.ts.map +1 -1
package/dist/server/cache/index.js +1 -1
package/dist/server/cache/index.js.map +1 -1
package/dist/server/compress/index.d.ts +3 -3
package/dist/server/compress/index.d.ts.map +1 -1
package/dist/server/cookies/index.d.ts +6 -6
package/dist/server/cookies/index.d.ts.map +1 -1
package/dist/server/cookies/index.js +3 -3
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.d.ts +242 -150
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +288 -122
package/dist/server/core/index.js.map +1 -1
package/dist/server/cors/index.d.ts +11 -12
package/dist/server/cors/index.d.ts.map +1 -1
package/dist/server/health/index.d.ts +0 -1
package/dist/server/health/index.d.ts.map +1 -1
package/dist/server/helmet/index.d.ts +2 -2
package/dist/server/helmet/index.d.ts.map +1 -1
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.d.ts +84 -85
package/dist/server/links/index.d.ts.map +1 -1
package/dist/server/links/index.js +1 -2
package/dist/server/links/index.js.map +1 -1
package/dist/server/metrics/index.d.ts.map +1 -1
package/dist/server/multipart/index.d.ts +6 -6
package/dist/server/multipart/index.d.ts.map +1 -1
package/dist/server/proxy/index.d.ts +102 -103
package/dist/server/proxy/index.d.ts.map +1 -1
package/dist/server/rate-limit/index.d.ts +16 -16
package/dist/server/rate-limit/index.d.ts.map +1 -1
package/dist/server/static/index.d.ts +44 -44
package/dist/server/static/index.d.ts.map +1 -1
package/dist/server/swagger/index.d.ts +48 -49
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +1 -2
package/dist/server/swagger/index.js.map +1 -1
package/dist/sms/index.d.ts +13 -11
package/dist/sms/index.d.ts.map +1 -1
package/dist/sms/index.js +7 -7
package/dist/sms/index.js.map +1 -1
package/dist/thread/index.d.ts +71 -72
package/dist/thread/index.d.ts.map +1 -1
package/dist/topic/core/index.d.ts +318 -318
package/dist/topic/core/index.d.ts.map +1 -1
package/dist/topic/redis/index.d.ts +6 -6
package/dist/topic/redis/index.d.ts.map +1 -1
package/dist/vite/index.d.ts +5720 -159
package/dist/vite/index.d.ts.map +1 -1
package/dist/vite/index.js +41 -18
package/dist/vite/index.js.map +1 -1
package/dist/websocket/index.browser.js +6 -6
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +247 -247
package/dist/websocket/index.d.ts.map +1 -1
package/dist/websocket/index.js +6 -6
package/dist/websocket/index.js.map +1 -1
package/package.json +9 -14
package/src/api/files/controllers/AdminFileStatsController.ts +0 -1
package/src/api/users/atoms/realmAuthSettingsAtom.ts +5 -0
package/src/api/users/controllers/{UserRealmController.ts → RealmController.ts} +11 -11
package/src/api/users/entities/users.ts +1 -1
package/src/api/users/index.ts +8 -8
package/src/api/users/primitives/{$userRealm.ts → $realm.ts} +17 -19
package/src/api/users/providers/{UserRealmProvider.ts → RealmProvider.ts} +26 -30
package/src/api/users/schemas/{userRealmConfigSchema.ts → realmConfigSchema.ts} +2 -2
package/src/api/users/services/CredentialService.ts +7 -7
package/src/api/users/services/IdentityService.ts +4 -4
package/src/api/users/services/RegistrationService.spec.ts +25 -27
package/src/api/users/services/RegistrationService.ts +38 -27
package/src/api/users/services/SessionCrudService.ts +3 -3
package/src/api/users/services/SessionService.spec.ts +3 -3
package/src/api/users/services/SessionService.ts +28 -9
package/src/api/users/services/UserService.ts +7 -7
package/src/batch/providers/BatchProvider.ts +1 -2
package/src/cli/apps/AlephaPackageBuilderCli.ts +38 -19
package/src/cli/assets/apiHelloControllerTs.ts +18 -0
package/src/cli/assets/apiIndexTs.ts +16 -0
package/src/cli/assets/claudeMd.ts +303 -0
package/src/cli/assets/mainBrowserTs.ts +2 -2
package/src/cli/assets/mainServerTs.ts +24 -0
package/src/cli/assets/webAppRouterTs.ts +15 -0
package/src/cli/assets/webHelloComponentTsx.ts +16 -0
package/src/cli/assets/webIndexTs.ts +16 -0
package/src/cli/commands/build.ts +41 -21
package/src/cli/commands/db.ts +21 -18
package/src/cli/commands/deploy.ts +17 -5
package/src/cli/commands/dev.ts +13 -17
package/src/cli/commands/format.ts +8 -2
package/src/cli/commands/init.ts +74 -29
package/src/cli/commands/lint.ts +8 -2
package/src/cli/commands/test.ts +8 -2
package/src/cli/commands/typecheck.ts +5 -1
package/src/cli/commands/verify.ts +4 -2
package/src/cli/services/AlephaCliUtils.ts +39 -600
package/src/cli/services/PackageManagerUtils.ts +301 -0
package/src/cli/services/ProjectScaffolder.ts +306 -0
package/src/command/helpers/Runner.ts +15 -3
package/src/core/__tests__/Alepha-graph.spec.ts +4 -0
package/src/core/index.shared.ts +1 -0
package/src/core/index.ts +2 -0
package/src/core/primitives/$hook.ts +6 -2
package/src/core/primitives/$module.spec.ts +4 -0
package/src/core/providers/AlsProvider.ts +1 -1
package/src/core/providers/CodecManager.spec.ts +12 -6
package/src/core/providers/CodecManager.ts +26 -6
package/src/core/providers/EventManager.ts +169 -13
package/src/core/providers/KeylessJsonSchemaCodec.spec.ts +621 -0
package/src/core/providers/KeylessJsonSchemaCodec.ts +407 -0
package/src/core/providers/StateManager.spec.ts +27 -16
package/src/email/providers/LocalEmailProvider.spec.ts +111 -87
package/src/email/providers/LocalEmailProvider.ts +52 -15
package/src/email/providers/NodemailerEmailProvider.ts +167 -56
package/src/file/errors/FileError.ts +7 -0
package/src/file/index.ts +9 -1
package/src/file/providers/MemoryFileSystemProvider.ts +393 -0
package/src/orm/index.browser.ts +1 -19
package/src/orm/index.bun.ts +77 -0
package/src/orm/index.shared-server.ts +22 -0
package/src/orm/index.shared.ts +15 -0
package/src/orm/index.ts +19 -39
package/src/orm/providers/drivers/BunPostgresProvider.ts +3 -5
package/src/orm/providers/drivers/BunSqliteProvider.ts +1 -1
package/src/orm/providers/drivers/CloudflareD1Provider.ts +4 -0
package/src/orm/providers/drivers/DatabaseProvider.ts +4 -0
package/src/orm/providers/drivers/PglitePostgresProvider.ts +4 -0
package/src/orm/services/Repository.ts +8 -0
package/src/redis/index.bun.ts +35 -0
package/src/redis/providers/BunRedisProvider.ts +12 -43
package/src/redis/providers/BunRedisSubscriberProvider.ts +2 -3
package/src/redis/providers/NodeRedisProvider.ts +16 -34
package/src/{server/security → security}/__tests__/BasicAuth.spec.ts +11 -11
package/src/{server/security → security}/__tests__/ServerSecurityProvider-realm.spec.ts +21 -16
package/src/{server/security/providers → security/__tests__}/ServerSecurityProvider.spec.ts +5 -5
package/src/security/index.browser.ts +5 -0
package/src/security/index.ts +90 -7
package/src/security/primitives/{$realm.spec.ts → $issuer.spec.ts} +11 -11
package/src/security/primitives/{$realm.ts → $issuer.ts} +20 -17
package/src/security/primitives/$role.ts +5 -5
package/src/security/primitives/$serviceAccount.spec.ts +5 -5
package/src/security/primitives/$serviceAccount.ts +3 -3
package/src/{server/security → security}/providers/ServerSecurityProvider.ts +5 -7
package/src/server/auth/primitives/$auth.ts +10 -10
package/src/server/auth/primitives/$authCredentials.ts +3 -3
package/src/server/auth/primitives/$authGithub.ts +3 -3
package/src/server/auth/primitives/$authGoogle.ts +3 -3
package/src/server/auth/providers/ServerAuthProvider.ts +13 -13
package/src/server/cache/providers/ServerCacheProvider.ts +1 -1
package/src/server/cookies/providers/ServerCookiesProvider.ts +3 -3
package/src/server/core/providers/NodeHttpServerProvider.ts +25 -6
package/src/server/core/providers/ServerBodyParserProvider.ts +19 -23
package/src/server/core/providers/ServerLoggerProvider.ts +23 -19
package/src/server/core/providers/ServerProvider.ts +144 -21
package/src/server/core/providers/ServerRouterProvider.ts +259 -115
package/src/server/core/providers/ServerTimingProvider.ts +2 -2
package/src/server/links/index.ts +1 -1
package/src/server/links/providers/LinkProvider.ts +1 -1
package/src/server/swagger/index.ts +1 -1
package/src/sms/providers/LocalSmsProvider.spec.ts +153 -111
package/src/sms/providers/LocalSmsProvider.ts +8 -7
package/src/vite/helpers/boot.ts +28 -17
package/src/vite/tasks/buildServer.ts +12 -1
package/src/vite/tasks/devServer.ts +3 -1
package/src/vite/tasks/generateCloudflare.ts +7 -0
package/dist/server/security/index.browser.js +0 -13
package/dist/server/security/index.browser.js.map +0 -1
package/dist/server/security/index.d.ts +0 -173
package/dist/server/security/index.d.ts.map +0 -1
package/dist/server/security/index.js +0 -311
package/dist/server/security/index.js.map +0 -1
package/src/cli/assets/appRouterTs.ts +0 -9
package/src/cli/assets/mainTs.ts +0 -13
package/src/server/security/index.browser.ts +0 -10
package/src/server/security/index.ts +0 -94
/package/src/{server/security → security}/primitives/$basicAuth.ts +0 -0
/package/src/{server/security → security}/providers/ServerBasicAuthProvider.ts +0 -0

package/src/security/index.ts CHANGED Viewed

@@ -1,27 +1,37 @@
-import { $module } from "alepha";
+import { $module, type Alepha } from "alepha";
+import { AlephaServer, type FetchOptions } from "alepha/server";
+import type { UserAccountToken } from "./interfaces/UserAccountToken.ts";
+import { $basicAuth } from "./primitives/$basicAuth.ts";
+import { $issuer } from "./primitives/$issuer.ts";
 import { $permission } from "./primitives/$permission.ts";
-import { $realm } from "./primitives/$realm.ts";
 import { $role } from "./primitives/$role.ts";
 import { CryptoProvider } from "./providers/CryptoProvider.ts";
 import { JwtProvider } from "./providers/JwtProvider.ts";
 import { SecurityProvider } from "./providers/SecurityProvider.ts";
+import { ServerBasicAuthProvider } from "./providers/ServerBasicAuthProvider.ts";
+import { ServerSecurityProvider } from "./providers/ServerSecurityProvider.ts";
 import type { UserAccount } from "./schemas/userAccountInfoSchema.ts";
 export * from "./errors/InvalidCredentialsError.ts";
 export * from "./errors/InvalidPermissionError.ts";
 export * from "./errors/SecurityError.ts";
 export * from "./interfaces/UserAccountToken.ts";
+export * from "./primitives/$basicAuth.ts";
+export * from "./primitives/$issuer.ts";
 export * from "./primitives/$permission.ts";
-export * from "./primitives/$realm.ts";
 export * from "./primitives/$role.ts";
 export * from "./primitives/$serviceAccount.ts";
 export * from "./providers/CryptoProvider.ts";
 export * from "./providers/JwtProvider.ts";
 export * from "./providers/SecurityProvider.ts";
+export * from "./providers/ServerBasicAuthProvider.ts";
+export * from "./providers/ServerSecurityProvider.ts";
 export * from "./schemas/permissionSchema.ts";
 export * from "./schemas/roleSchema.ts";
 export * from "./schemas/userAccountInfoSchema.ts";
+import type { ServerRouteSecure } from "./providers/ServerSecurityProvider.ts";
 declare module "alepha" {
   interface Hooks {
     "security:user:created": {
@@ -29,22 +39,95 @@ declare module "alepha" {
       user: UserAccount;
     };
   }
+  interface State {
+    /**
+     * Real (or fake) user account, used for internal actions.
+     *
+     * If you define this, you assume that all actions are executed by this user by default.
+     * > To force a different user, you need to pass it explicitly in the options.
+     */
+    "alepha.server.security.system.user"?: UserAccountToken;
+    /**
+     * The authenticated user account attached to the server request state.
+     *
+     * @internal
+     */
+    "alepha.server.request.user"?: UserAccount;
+  }
+}
+declare module "alepha/server" {
+  interface ServerRequest<TConfig> {
+    user?: UserAccountToken; // for all routes, user is maybe present
+  }
+  interface ServerActionRequest<TConfig> {
+    user: UserAccountToken; // for actions, user is always present
+  }
+  interface ServerRoute {
+    /**
+     * If true, the route will be protected by the security provider.
+     * All actions are secure by default, but you can disable it for specific actions.
+     */
+    secure?: boolean | ServerRouteSecure;
+  }
+  interface ClientRequestOptions extends FetchOptions {
+    /**
+     * Forward user from the previous request.
+     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
+     * If "context", use the user from the current context (e.g. request).
+     *
+     * @default "system" if provided, else "context" if available.
+     */
+    user?: UserAccountToken | "system" | "context";
+  }
 }
 /**
  * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
  *
- * The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`
+ * The security module enables building secure applications using primitives like `$issuer`, `$role`, and `$permission`
  * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
  * integration with various authentication providers and user management systems.
  *
- * @see {@link $realm}
+ * When used with `AlephaServer`, this module automatically registers `ServerSecurityProvider` and `ServerBasicAuthProvider`
+ * to protect HTTP routes and actions with JWT and Basic Auth.
+ *
+ * @see {@link $issuer}
  * @see {@link $role}
  * @see {@link $permission}
+ * @see {@link $basicAuth}
  * @module alepha.security
  */
 export const AlephaSecurity = $module({
   name: "alepha.security",
-  primitives: [$realm, $role, $permission],
-  services: [SecurityProvider, JwtProvider, CryptoProvider],
+  primitives: [$issuer, $role, $permission, $basicAuth],
+  services: [
+    SecurityProvider,
+    JwtProvider,
+    CryptoProvider,
+    ServerSecurityProvider,
+    ServerBasicAuthProvider,
+  ],
+  register: (alepha: Alepha) => {
+    // Always register core security providers
+    alepha.with(SecurityProvider);
+    alepha.with(JwtProvider);
+    alepha.with(CryptoProvider);
+    // Register server security providers only if AlephaServer is available
+    if (alepha.has(AlephaServer)) {
+      alepha.with(ServerSecurityProvider);
+      alepha.with(ServerBasicAuthProvider);
+    }
+  },
 });
+/**
+ * @deprecated Use `AlephaSecurity` instead. Server security providers are automatically registered when `AlephaServer` is available.
+ */
+export const AlephaServerSecurity = AlephaSecurity;

package/src/security/primitives/{$realm.spec.ts → $issuer.spec.ts} RENAMED Viewed

@@ -2,9 +2,9 @@ import { randomUUID } from "node:crypto";
 import { Alepha } from "alepha";
 import { DateTimeProvider } from "alepha/datetime";
 import { describe, test } from "vitest";
-import { $realm } from "../index.ts";
+import { $issuer } from "../index.ts";
-describe("$realm", () => {
+describe("$issuer", () => {
   const roles = [
     {
       name: "admin",
@@ -18,7 +18,7 @@ describe("$realm", () => {
   test("should create token (access & refresh)", async ({ expect }) => {
     class App {
-      realm = $realm({
+      issuer = $issuer({
         secret: "test",
         roles,
       });
@@ -37,15 +37,15 @@ describe("$realm", () => {
     const now = dt.pause();
-    const token = await app.realm.createToken(user);
+    const token = await app.issuer.createToken(user);
     expect(token).toEqual({
       access_token: expect.any(String),
-      expires_in: app.realm.accessTokenExpiration.asSeconds(),
+      expires_in: app.issuer.accessTokenExpiration.asSeconds(),
       refresh_token: expect.any(String),
       token_type: "Bearer",
       issued_at: now.unix(),
-      refresh_token_expires_in: app.realm.refreshTokenExpiration.asSeconds(),
+      refresh_token_expires_in: app.issuer.refreshTokenExpiration.asSeconds(),
     });
     expect(
@@ -54,9 +54,9 @@ describe("$realm", () => {
       ),
     ).toEqual({
       sub: user.id,
-      aud: app.realm.name,
+      aud: app.issuer.name,
       iat: now.unix(),
-      exp: now.unix() + app.realm.accessTokenExpiration.asSeconds(),
+      exp: now.unix() + app.issuer.accessTokenExpiration.asSeconds(),
       name: user.name,
       roles: ["admin", "user"],
       sid: expect.any(String),
@@ -71,9 +71,9 @@ describe("$realm", () => {
       ),
     ).toEqual({
       sub: user.id,
-      aud: app.realm.name,
+      aud: app.issuer.name,
       iat: now.unix(),
-      exp: now.unix() + app.realm.refreshTokenExpiration.asSeconds(),
+      exp: now.unix() + app.issuer.refreshTokenExpiration.asSeconds(),
     });
     expect(
@@ -88,7 +88,7 @@ describe("$realm", () => {
       typ: "refresh",
     });
-    const newToken = await app.realm.createToken(user, token);
+    const newToken = await app.issuer.createToken(user, token);
     expect(newToken).toEqual({
       access_token: expect.any(String),
       issued_at: now.unix(),

package/src/security/primitives/{$realm.ts → $issuer.ts} RENAMED Viewed

@@ -13,43 +13,46 @@ import type { Role } from "../schemas/roleSchema.ts";
 import type { UserAccount } from "../schemas/userAccountInfoSchema.ts";
 /**
- * Create a new realm.
+ * Create a new issuer.
+ *
+ * An issuer is responsible for creating and verifying JWT tokens.
+ * It can be internal (with a secret) or external (with a JWKS).
  */
-export const $realm = (options: RealmPrimitiveOptions): RealmPrimitive => {
-  return createPrimitive(RealmPrimitive, options);
+export const $issuer = (options: IssuerPrimitiveOptions): IssuerPrimitive => {
+  return createPrimitive(IssuerPrimitive, options);
 };
 // ---------------------------------------------------------------------------------------------------------------------
-export type RealmPrimitiveOptions = {
+export type IssuerPrimitiveOptions = {
   /**
-   * Define the realm name.
+   * Define the issuer name.
    * If not provided, it will use the property key.
    */
   name?: string;
   /**
-   * Short description about the realm.
+   * Short description about the issuer.
    */
   description?: string;
   /**
-   * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).
+   * All roles available in the issuer. Role is a string (role name) or a Role object (embedded role).
    */
   roles?: Array<string | Role>;
   /**
-   * Realm settings.
+   * Issuer settings.
    */
-  settings?: RealmSettings;
+  settings?: IssuerSettings;
   /**
    * Parse the JWT payload to create a user account info.
    */
   profile?: (jwtPayload: Record<string, any>) => UserAccount;
-} & (RealmInternal | RealmExternal);
+} & (IssuerInternal | IssuerExternal);
-export interface RealmSettings {
+export interface IssuerSettings {
   accessToken?: {
     /**
      * Lifetime of the access token.
@@ -87,14 +90,14 @@ export interface RealmSettings {
   onDeleteSession?: (refreshToken: string) => Promise<void>;
 }
-export type RealmInternal = {
+export type IssuerInternal = {
   /**
    * Internal secret to sign JWT tokens and verify them.
    */
   secret: string;
 };
-export interface RealmExternal {
+export interface IssuerExternal {
   /**
    * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.
    */
@@ -103,7 +106,7 @@ export interface RealmExternal {
 // ---------------------------------------------------------------------------------------------------------------------
-export class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {
+export class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {
   protected readonly securityProvider = $inject(SecurityProvider);
   protected readonly dateTimeProvider = $inject(DateTimeProvider);
   protected readonly jwt = $inject(JwtProvider);
@@ -148,14 +151,14 @@ export class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {
   }
   /**
-   * Get all roles in the realm.
+   * Get all roles in the issuer.
    */
   public getRoles(): Role[] {
     return this.securityProvider.getRoles(this.name);
   }
   /**
-   * Set all roles in the realm.
+   * Set all roles in the issuer.
    */
   public async setRoles(roles: Role[]): Promise<void> {
     await this.securityProvider.updateRealm(this.name, roles);
@@ -336,7 +339,7 @@ export class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {
   }
 }
-$realm[KIND] = RealmPrimitive;
+$issuer[KIND] = IssuerPrimitive;
 // ---------------------------------------------------------------------------------------------------------------------

package/src/security/primitives/$role.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { $inject, createPrimitive, KIND, Primitive } from "alepha";
 import { SecurityProvider } from "../providers/SecurityProvider.ts";
+import type { IssuerPrimitive } from "./$issuer.ts";
 import type { PermissionPrimitive } from "./$permission.ts";
-import type { RealmPrimitive } from "./$realm.ts";
 /**
  * Create a new role.
@@ -23,7 +23,7 @@ export interface RolePrimitiveOptions {
    */
   description?: string;
-  realm?: string | RealmPrimitive;
+  issuer?: string | IssuerPrimitive;
   permissions?: Array<
     | string
@@ -60,10 +60,10 @@ export class RolePrimitive extends Primitive<RolePrimitiveOptions> {
   }
   /**
-   * Get the realm of the role.
+   * Get the issuer of the role.
    */
-  public get realm(): string | RealmPrimitive | undefined {
-    return this.options.realm;
+  public get issuer(): string | IssuerPrimitive | undefined {
+    return this.options.issuer;
   }
   public can(permission: string | PermissionPrimitive): boolean {

package/src/security/primitives/$serviceAccount.spec.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Alepha } from "alepha";
 import { DateTimeProvider } from "alepha/datetime";
 import { describe, expect, it } from "vitest";
-import { $realm, $serviceAccount } from "../index.ts";
+import { $issuer, $serviceAccount } from "../index.ts";
 class App {
   oauth2 = $serviceAccount({
@@ -16,12 +16,12 @@ class App {
     expiresIn: 300, // 5 minutes
   };
-  realm = $realm({
-    secret: "your-realm-secret",
+  issuer = $issuer({
+    secret: "your-issuer-secret",
   });
   jwt = $serviceAccount({
-    realm: this.realm,
+    issuer: this.issuer,
     user: {
       id: "service-account",
     },
@@ -42,7 +42,7 @@ describe("$serviceAccount", () => {
     );
     expect(payload).toEqual({
       sub: expect.any(String),
-      aud: "realm",
+      aud: "issuer",
       iat: expect.any(Number),
       exp: expect.any(Number),
       sid: expect.any(String),

package/src/security/primitives/$serviceAccount.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { $context } from "alepha";
 import { DateTimeProvider } from "alepha/datetime";
 import type { UserAccount } from "../schemas/userAccountInfoSchema.ts";
-import type { AccessTokenResponse, RealmPrimitive } from "./$realm.ts";
+import type { AccessTokenResponse, IssuerPrimitive } from "./$issuer.ts";
 /**
  * Allow to get an access token for a service account.
@@ -138,7 +138,7 @@ export const $serviceAccount = (
         return tokenFromCache;
       }
-      const token = await options.realm.createToken(options.user);
+      const token = await options.issuer.createToken(options.user);
       cacheToken({
         ...token,
@@ -157,7 +157,7 @@ export type ServiceAccountPrimitiveOptions = {
       oauth2: Oauth2ServiceAccountPrimitiveOptions;
     }
   | {
-      realm: RealmPrimitive;
+      issuer: IssuerPrimitive;
       user: UserAccount;
     }
 );

package/src/{server/security → security}/providers/ServerSecurityProvider.ts RENAMED Viewed

@@ -1,19 +1,17 @@
 import { randomUUID } from "node:crypto";
 import { $hook, $inject, Alepha } from "alepha";
 import { $logger } from "alepha/logger";
-import {
-  JwtProvider,
-  type Permission,
-  SecurityProvider,
-  type UserAccountToken,
-  userAccountInfoSchema,
-} from "alepha/security";
 import {
   $action,
   ForbiddenError,
   type ServerRequest,
   UnauthorizedError,
 } from "alepha/server";
+import type { UserAccountToken } from "../interfaces/UserAccountToken.ts";
+import type { Permission } from "../schemas/permissionSchema.ts";
+import { userAccountInfoSchema } from "../schemas/userAccountInfoSchema.ts";
+import { JwtProvider } from "./JwtProvider.ts";
+import { SecurityProvider } from "./SecurityProvider.ts";
 import {
   type BasicAuthOptions,
   isBasicAuth,

package/src/server/auth/primitives/$auth.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import {
 import { DateTimeProvider } from "alepha/datetime";
 import {
   type AccessTokenResponse,
-  type RealmPrimitive,
+  type IssuerPrimitive,
   SecurityError,
   SecurityProvider,
   type UserAccount,
@@ -105,10 +105,10 @@ export type AuthExternal = {
  * When using your own authentication system, e.g. using a database to store user accounts.
  * This is usually used with a custom login form.
  *
- * This relies on the `realm`, which is used to create/verify the access token.
+ * This relies on the `issuer`, which is used to create/verify the access token.
  */
 export type AuthInternal = {
-  realm: RealmPrimitive;
+  issuer: IssuerPrimitive;
 } & (
   | {
       /**
@@ -261,9 +261,9 @@ export class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
     return this.options.name ?? this.config.propertyKey;
   }
-  public get realm(): RealmPrimitive | undefined {
-    if ("realm" in this.options) {
-      return this.options.realm;
+  public get issuer(): IssuerPrimitive | undefined {
+    if ("issuer" in this.options) {
+      return this.options.issuer;
     }
     return undefined;
   }
@@ -308,13 +308,13 @@ export class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
     refreshToken: string,
     accessToken?: string,
   ): Promise<AccessTokenResponse> {
-    if ("realm" in this.options) {
-      return this.options.realm
+    if ("issuer" in this.options) {
+      return this.options.issuer
         .refreshToken(refreshToken, accessToken)
         .then((it) => it.tokens)
         .catch((error) => {
           throw new SecurityError(
-            "Failed to refresh access token using the refresh token (realm)",
+            "Failed to refresh access token using the refresh token (issuer)",
             {
               cause: error,
             },
@@ -337,7 +337,7 @@ export class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
     }
     throw new AlephaError(
-      "No realm or OAuth2 configuration available for refreshing the access token",
+      "No issuer or OAuth2 configuration available for refreshing the access token",
     );
   }

package/src/server/auth/primitives/$authCredentials.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { AlephaError } from "alepha";
-import type { RealmPrimitive } from "alepha/security";
+import type { IssuerPrimitive } from "alepha/security";
 import {
   $auth,
   type CredentialsFn,
@@ -13,7 +13,7 @@ import {
  * Uses username and password to authenticate users.
  */
 export const $authCredentials = (
-  realm: RealmPrimitive & WithLoginFn,
+  realm: IssuerPrimitive & WithLoginFn,
   options: Partial<CredentialsOptions> = {},
 ) => {
   const name = "credentials";
@@ -29,7 +29,7 @@ export const $authCredentials = (
   }
   return $auth({
-    realm,
+    issuer: realm,
     name,
     credentials: {
       account,

package/src/server/auth/primitives/$authGithub.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { $context, AlephaError, t } from "alepha";
-import type { RealmPrimitive } from "alepha/security";
+import type { IssuerPrimitive } from "alepha/security";
 import type { OAuth2Profile } from "../providers/ServerAuthProvider.ts";
 import {
   $auth,
@@ -19,7 +19,7 @@ import {
  * - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
  */
 export const $authGithub = (
-  realm: RealmPrimitive & WithLinkFn,
+  realm: IssuerPrimitive & WithLinkFn,
   options: Partial<OidcOptions> = {},
 ) => {
   const { alepha } = $context();
@@ -45,7 +45,7 @@ export const $authGithub = (
   }
   return $auth({
-    realm,
+    issuer: realm,
     name,
     oauth: {
       clientId: env.GITHUB_CLIENT_ID!,

package/src/server/auth/primitives/$authGoogle.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { $context, AlephaError, t } from "alepha";
-import type { RealmPrimitive } from "alepha/security";
+import type { IssuerPrimitive } from "alepha/security";
 import {
   $auth,
   type LinkAccountFn,
@@ -18,7 +18,7 @@ import {
  * - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
  */
 export const $authGoogle = (
-  realm: RealmPrimitive & WithLinkFn,
+  realm: IssuerPrimitive & WithLinkFn,
   options: Partial<OidcOptions> = {},
 ) => {
   const { alepha } = $context();
@@ -44,7 +44,7 @@ export const $authGoogle = (
   }
   return $auth({
-    realm,
+    issuer: realm,
     name,
     oidc: {
       issuer: "https://accounts.google.com",

package/src/server/auth/providers/ServerAuthProvider.ts CHANGED Viewed

@@ -71,8 +71,8 @@ export class ServerAuthProvider {
     for (const identity of this.identities) {
       if (filters.realmName) {
-        const realm = "realm" in identity.options && identity.options.realm;
-        if (!realm || realm.name !== filters.realmName) {
+        const issuer = identity.issuer;
+        if (!issuer || issuer.name !== filters.realmName) {
           continue;
         }
       }
@@ -145,7 +145,7 @@ export class ServerAuthProvider {
       // [feature] support for auth providers with fallback
       if (!request.headers.authorization) {
         for (const provider of this.identities) {
-          if (!("realm" in provider.options) && !!provider.options.fallback) {
+          if ("fallback" in provider.options && !!provider.options.fallback) {
             const token = await provider.options.fallback();
             if (token) {
               request.headers.authorization = `Bearer ${token}`;
@@ -340,8 +340,8 @@ export class ServerAuthProvider {
         realm: query.realm,
       });
-      const realm = "realm" in provider.options && provider.options.realm;
-      if (!realm) {
+      const issuer = provider.issuer;
+      if (!issuer) {
         throw new SecurityError(
           `Auth provider '${query.provider}' does not support password grant`,
         );
@@ -373,7 +373,7 @@ export class ServerAuthProvider {
       const tokens = {
         provider: query.provider,
-        ...(await realm.createToken(user)),
+        ...(await issuer.createToken(user)),
       };
       // for web applications, we store tokens in cookies
@@ -519,10 +519,10 @@ export class ServerAuthProvider {
       this.authorizationCode.del({ cookies });
-      const realm = "realm" in provider.options && provider.options.realm;
+      const issuer = provider.issuer;
       // external, full OIDC System (e.g. Keycloak, Auth0)
-      if (!realm) {
+      if (!issuer) {
         this.setTokens(externalTokens, cookies);
         reply.redirect(redirectUri);
         return;
@@ -531,7 +531,7 @@ export class ServerAuthProvider {
       // internal, we need to create our own tokens
       const user = await provider.user(externalTokens);
-      const tokens = await realm.createToken(user);
+      const tokens = await issuer.createToken(user);
       this.setTokens(
         {
@@ -570,9 +570,9 @@ export class ServerAuthProvider {
       this.tokens.del({ cookies });
       // for internal providers, we can delete the session - if available
-      if ("realm" in provider.options && tokens.refresh_token) {
+      if (provider.issuer && tokens.refresh_token) {
         const onDeleteSession =
-          provider.options.realm.options.settings?.onDeleteSession;
+          provider.issuer.options.settings?.onDeleteSession;
         if (onDeleteSession) {
           try {
             await onDeleteSession(tokens.refresh_token);
@@ -635,8 +635,8 @@ export class ServerAuthProvider {
         return false;
       }
-      // If realm filter is specified, match against provider's realm
-      if (realmName && identity.realm?.name !== realmName) {
+      // If realm filter is specified, match against provider's issuer
+      if (realmName && identity.issuer?.name !== realmName) {
         return false;
       }

package/src/server/cache/providers/ServerCacheProvider.ts CHANGED Viewed

@@ -204,7 +204,7 @@ export class ServerCacheProvider {
   protected readonly onSend = $hook({
     on: "server:onSend",
-    handler: async ({ route, request }) => {
+    handler: ({ route, request }) => {
       // before sending the response, check if the ETag matches
       // and if so, return a 304 Not Modified response
       // -> this is only relevant for etag-only routes, not cached routes <-