auth-vir 1.3.2 → 2.0.0

package/src/generated/models.ts

@@ -0,0 +1,11 @@
+
+/* !!! This is code generated by Prisma. Do not edit directly. !!! */
+/* eslint-disable */
+// @ts-nocheck 
+/*
+ * This is a barrel export file for all models and their related types.
+ *
+ * 🟢 You can import this file directly.
+ */
+export type * from './models/User.js'
+export type * from './commonInputTypes.js'

package/src/generated/shapes.gen.ts

@@ -0,0 +1,15 @@
+/** AUTO-GENERATED FILE. DO NOT EDIT DIRECTLY. */
+// @ts-nocheck
+import {defineShape, enumShape, unionShape, unknownShape, typedStringShape} from 'object-shape-tester';
+import {JsonValue} from '@prisma/client/runtime/client.js';
+import {utcIsoStringShape} from 'date-vir';
+import {type UserId} from './models/User.js';
+
+export const UserIdShape = typedStringShape<UserId>();
+
+export const UserShape = defineShape({
+    id: UserIdShape,
+    createdAt: utcIsoStringShape(),
+    updatedAt: utcIsoStringShape(),
+    name: '',
+});

package/src/headers.ts

@@ -0,0 +1,35 @@
+import {check} from '@augment-vir/assert';
+
+/**
+ * All custom headers used by auth-vir.
+ *
+ * @category Internal
+ */
+export enum AuthHeaderName {
+    CsrfToken = 'csrf-token',
+    AssumedUser = 'assumed-user',
+    /**
+     * Used to track if the current user is signed in only with a sign-up cookie, which prevents us
+     * from prematurely wiping their CSRF token.
+     */
+    IsSignUpAuth = 'is-sign-up-auth',
+}
+
+/**
+ * Merges multiple header values into a single array of header values.
+ *
+ * @category Internal
+ */
+export function mergeHeaderValues(...values: (string | string[] | undefined)[]): string[] {
+    const finalHeaderValues: string[] = [];
+
+    values.forEach((value) => {
+        if (check.isArray(value)) {
+            finalHeaderValues.push(...value);
+        } else if (check.isString(value)) {
+            finalHeaderValues.push(value);
+        }
+    });
+
+    return finalHeaderValues;
+}

package/src/index.ts

@@ -1,7 +1,9 @@
+export * from './auth-client/backend-auth.client.js';
 export * from './auth.js';
 export * from './cookie.js';
 export * from './csrf-token.js';
 export * from './hash.js';
+export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';

package/src/jwt/jwt.ts

@@ -1,12 +1,16 @@
-import {check} from '@augment-vir/assert';
+import {assertWrap, check} from '@augment-vir/assert';
 import {type AnyObject, type PartialWithUndefined} from '@augment-vir/common';
 import {
+    type AnyDuration,
     calculateRelativeDate,
     createFullDateInUserTimezone,
+    createUtcFullDate,
+    type DateLike,
+    type FullDate,
     getNowInUtcTimezone,
+    isDateAfter,
     toTimestamp,
-    type AnyDuration,
-    type DateLike,
+    type UtcTimezone,
 } from 'date-vir';
 import {EncryptJWT, jwtDecrypt, jwtVerify, SignJWT} from 'jose';
 import {type JwtKeys} from './jwt-keys.js';
@@ -118,6 +122,16 @@ export async function createJwt<JwtData extends AnyObject = AnyObject>(
  */
 export type ParseJwtParams = Readonly<Pick<CreateJwtParams, 'issuer' | 'audience' | 'jwtKeys'>>;
 
+/**
+ * A fully parsed JWT with embedded data.
+ *
+ * @category Internal
+ */
+export type ParsedJwt<JwtData extends AnyObject> = {
+    data: JwtData;
+    jwtExpiration: FullDate<UtcTimezone>;
+};
+
 /**
  * Parse and extract all data from an encrypted and signed JWT.
  *
@@ -127,7 +141,7 @@ export type ParseJwtParams = Readonly<Pick<CreateJwtParams, 'issuer' | 'audience
 export async function parseJwt<JwtData extends AnyObject = AnyObject>(
     encryptedJwt: string,
     params: Readonly<ParseJwtParams>,
-): Promise<JwtData> {
+): Promise<ParsedJwt<JwtData>> {
     const decryptedJwt = await jwtDecrypt(encryptedJwt, params.jwtKeys.encryptionKey);
 
     if (!check.deepEquals(decryptedJwt.protectedHeader, encryptionProtectedHeader)) {
@@ -156,5 +170,20 @@ export async function parseJwt<JwtData extends AnyObject = AnyObject>(
         throw new Error('Invalid signing protected header.');
     }
 
-    return data as JwtData;
+    const expirationMs = assertWrap.isDefined(verifiedJwt.payload.exp, 'JWT has no expiration.');
+    const jwtExpiration: FullDate<UtcTimezone> = createUtcFullDate(expirationMs);
+
+    if (
+        isDateAfter({
+            fullDate: getNowInUtcTimezone(),
+            relativeTo: jwtExpiration,
+        })
+    ) {
+        throw new Error('JWT expired.');
+    }
+
+    return {
+        data: data as JwtData,
+        jwtExpiration,
+    };
 }

package/src/jwt/user-jwt.ts

@@ -1,15 +1,21 @@
-import {checkValidShape, defineShape} from 'object-shape-tester';
+import {checkValidShape, defineShape, unionShape} from 'object-shape-tester';
 import {type generateCsrfToken} from '../csrf-token.js';
-import {createJwt, type CreateJwtParams, parseJwt, type ParseJwtParams} from './jwt.js';
+import {
+    createJwt,
+    type CreateJwtParams,
+    type ParsedJwt,
+    parseJwt,
+    type ParseJwtParams,
+} from './jwt.js';
 
 /**
- * Shape definition and source of truth for {@link UserJwtData}.
+ * Shape definition and source of truth for {@link JwtUserData}.
  *
  * @category Internal
  */
 export const userJwtDataShape = defineShape({
     /** The id from your database of the user you're authenticating. */
-    userId: '',
+    userId: unionShape('', -1),
     /**
      * CSRF token. This can be any cryptographically secure randomized string.
      *
@@ -23,24 +29,24 @@ export const userJwtDataShape = defineShape({
  *
  * @category Internal
  */
-export type UserJwtData = typeof userJwtDataShape.runtimeType;
+export type JwtUserData = typeof userJwtDataShape.runtimeType;
 
 /**
- * Creates a new signed and encrypted {@link UserJwtData} when a client (frontend) successfully
+ * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully
  * authenticates with the host (backend). This is used by host (backend) code to establish a new
  * user session. The output of this function should be sent to the client (frontend) for storage.
  *
  * @category Internal
  */
 export async function createUserJwt(
-    data: Readonly<UserJwtData>,
+    data: Readonly<JwtUserData>,
     params: Readonly<CreateJwtParams>,
 ): Promise<string> {
     return await createJwt(data, params);
 }
 
 /**
- * Parses a {@link UserJwtData} generated from {@link createUserJwt}. This should be used on the host
+ * Parses a {@link JwtUserData} generated from {@link createUserJwt}. This should be used on the host
  * (backend) to a client (frontend) request. Do not use this function in client (frontend) code: it
  * requires JWT signing keys which should not be shared with any client (frontend).
  *
@@ -49,12 +55,15 @@ export async function createUserJwt(
 export async function parseUserJwt(
     encryptedJwt: string,
     params: Readonly<ParseJwtParams>,
-): Promise<UserJwtData | undefined> {
-    const parsed = await parseJwt(encryptedJwt, params);
+): Promise<ParsedJwt<JwtUserData> | undefined> {
+    const {data, jwtExpiration} = await parseJwt(encryptedJwt, params);
 
-    if (!checkValidShape(parsed, userJwtDataShape)) {
+    if (!checkValidShape(data, userJwtDataShape)) {
         throw new TypeError('Verified jwt has wrong data.');
     }
 
-    return parsed;
+    return {
+        data,
+        jwtExpiration,
+    };
 }