auth-vir 1.3.2 → 2.0.0

package/dist/generated/models/User.js

@@ -0,0 +1 @@
+export {};

package/dist/generated/models.d.ts

@@ -0,0 +1,2 @@
+export type * from './models/User.js';
+export type * from './commonInputTypes.js';

package/dist/generated/models.js

@@ -0,0 +1 @@
+export {};

package/dist/generated/shapes.gen.d.ts

@@ -0,0 +1,8 @@
+import { type UserId } from './models/User.js';
+export declare const UserIdShape: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<UserId>>;
+export declare const UserShape: import("object-shape-tester").Shape<{
+    id: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<UserId>>;
+    createdAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<`${number}-${number}-${number}T${number}:${number}:${number}.${number}Z`>>;
+    updatedAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<`${number}-${number}-${number}T${number}:${number}:${number}.${number}Z`>>;
+    name: string;
+}>;

package/dist/generated/shapes.gen.js

@@ -0,0 +1,11 @@
+/** AUTO-GENERATED FILE. DO NOT EDIT DIRECTLY. */
+// @ts-nocheck
+import { defineShape, typedStringShape } from 'object-shape-tester';
+import { utcIsoStringShape } from 'date-vir';
+export const UserIdShape = typedStringShape();
+export const UserShape = defineShape({
+    id: UserIdShape,
+    createdAt: utcIsoStringShape(),
+    updatedAt: utcIsoStringShape(),
+    name: '',
+});

package/dist/headers.d.ts

@@ -0,0 +1,20 @@
+/**
+ * All custom headers used by auth-vir.
+ *
+ * @category Internal
+ */
+export declare enum AuthHeaderName {
+    CsrfToken = "csrf-token",
+    AssumedUser = "assumed-user",
+    /**
+     * Used to track if the current user is signed in only with a sign-up cookie, which prevents us
+     * from prematurely wiping their CSRF token.
+     */
+    IsSignUpAuth = "is-sign-up-auth"
+}
+/**
+ * Merges multiple header values into a single array of header values.
+ *
+ * @category Internal
+ */
+export declare function mergeHeaderValues(...values: (string | string[] | undefined)[]): string[];

package/dist/headers.js

@@ -0,0 +1,33 @@
+import { check } from '@augment-vir/assert';
+/**
+ * All custom headers used by auth-vir.
+ *
+ * @category Internal
+ */
+export var AuthHeaderName;
+(function (AuthHeaderName) {
+    AuthHeaderName["CsrfToken"] = "csrf-token";
+    AuthHeaderName["AssumedUser"] = "assumed-user";
+    /**
+     * Used to track if the current user is signed in only with a sign-up cookie, which prevents us
+     * from prematurely wiping their CSRF token.
+     */
+    AuthHeaderName["IsSignUpAuth"] = "is-sign-up-auth";
+})(AuthHeaderName || (AuthHeaderName = {}));
+/**
+ * Merges multiple header values into a single array of header values.
+ *
+ * @category Internal
+ */
+export function mergeHeaderValues(...values) {
+    const finalHeaderValues = [];
+    values.forEach((value) => {
+        if (check.isArray(value)) {
+            finalHeaderValues.push(...value);
+        }
+        else if (check.isString(value)) {
+            finalHeaderValues.push(value);
+        }
+    });
+    return finalHeaderValues;
+}

package/dist/index.d.ts

@@ -1,7 +1,9 @@
+export * from './auth-client/backend-auth.client.js';
 export * from './auth.js';
 export * from './cookie.js';
 export * from './csrf-token.js';
 export * from './hash.js';
+export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';

package/dist/index.js

@@ -1,7 +1,9 @@
+export * from './auth-client/backend-auth.client.js';
 export * from './auth.js';
 export * from './cookie.js';
 export * from './csrf-token.js';
 export * from './hash.js';
+export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';

package/dist/jwt/jwt.d.ts

@@ -1,5 +1,5 @@
 import { type AnyObject, type PartialWithUndefined } from '@augment-vir/common';
-import { type AnyDuration, type DateLike } from 'date-vir';
+import { type AnyDuration, type DateLike, type FullDate, type UtcTimezone } from 'date-vir';
 import { type JwtKeys } from './jwt-keys.js';
 /**
  * Params for {@link createJwt}.
@@ -74,10 +74,19 @@ data: JwtData, params: Readonly<CreateJwtParams>): Promise<string>;
  * @category Internal
  */
 export type ParseJwtParams = Readonly<Pick<CreateJwtParams, 'issuer' | 'audience' | 'jwtKeys'>>;
+/**
+ * A fully parsed JWT with embedded data.
+ *
+ * @category Internal
+ */
+export type ParsedJwt<JwtData extends AnyObject> = {
+    data: JwtData;
+    jwtExpiration: FullDate<UtcTimezone>;
+};
 /**
  * Parse and extract all data from an encrypted and signed JWT.
  *
  * @category Internal
  * @throws Errors if the decryption, signature verification, or other JWT requirements fail
  */
-export declare function parseJwt<JwtData extends AnyObject = AnyObject>(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<JwtData>;
+export declare function parseJwt<JwtData extends AnyObject = AnyObject>(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<ParsedJwt<JwtData>>;

package/dist/jwt/jwt.js

@@ -1,5 +1,5 @@
-import { check } from '@augment-vir/assert';
-import { calculateRelativeDate, createFullDateInUserTimezone, getNowInUtcTimezone, toTimestamp, } from 'date-vir';
+import { assertWrap, check } from '@augment-vir/assert';
+import { calculateRelativeDate, createFullDateInUserTimezone, createUtcFullDate, getNowInUtcTimezone, isDateAfter, toTimestamp, } from 'date-vir';
 import { EncryptJWT, jwtDecrypt, jwtVerify, SignJWT } from 'jose';
 const encryptionProtectedHeader = { alg: 'dir', enc: 'A256GCM' };
 const signingProtectedHeader = { alg: 'HS512' };
@@ -57,5 +57,16 @@ export async function parseJwt(encryptedJwt, params) {
     if (!check.deepEquals(verifiedJwt.protectedHeader, signingProtectedHeader)) {
         throw new Error('Invalid signing protected header.');
     }
-    return data;
+    const expirationMs = assertWrap.isDefined(verifiedJwt.payload.exp, 'JWT has no expiration.');
+    const jwtExpiration = createUtcFullDate(expirationMs);
+    if (isDateAfter({
+        fullDate: getNowInUtcTimezone(),
+        relativeTo: jwtExpiration,
+    })) {
+        throw new Error('JWT expired.');
+    }
+    return {
+        data: data,
+        jwtExpiration,
+    };
 }

package/dist/jwt/user-jwt.d.ts

@@ -1,12 +1,12 @@
-import { type CreateJwtParams, type ParseJwtParams } from './jwt.js';
+import { type CreateJwtParams, type ParsedJwt, type ParseJwtParams } from './jwt.js';
 /**
- * Shape definition and source of truth for {@link UserJwtData}.
+ * Shape definition and source of truth for {@link JwtUserData}.
  *
  * @category Internal
  */
 export declare const userJwtDataShape: import("object-shape-tester").Shape<{
     /** The id from your database of the user you're authenticating. */
-    userId: string;
+    userId: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnion<(import("@sinclair/typebox").TString | import("@sinclair/typebox").TNumber)[]>>;
     /**
      * CSRF token. This can be any cryptographically secure randomized string.
      *
@@ -19,20 +19,20 @@ export declare const userJwtDataShape: import("object-shape-tester").Shape<{
  *
  * @category Internal
  */
-export type UserJwtData = typeof userJwtDataShape.runtimeType;
+export type JwtUserData = typeof userJwtDataShape.runtimeType;
 /**
- * Creates a new signed and encrypted {@link UserJwtData} when a client (frontend) successfully
+ * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully
  * authenticates with the host (backend). This is used by host (backend) code to establish a new
  * user session. The output of this function should be sent to the client (frontend) for storage.
  *
  * @category Internal
  */
-export declare function createUserJwt(data: Readonly<UserJwtData>, params: Readonly<CreateJwtParams>): Promise<string>;
+export declare function createUserJwt(data: Readonly<JwtUserData>, params: Readonly<CreateJwtParams>): Promise<string>;
 /**
- * Parses a {@link UserJwtData} generated from {@link createUserJwt}. This should be used on the host
+ * Parses a {@link JwtUserData} generated from {@link createUserJwt}. This should be used on the host
  * (backend) to a client (frontend) request. Do not use this function in client (frontend) code: it
  * requires JWT signing keys which should not be shared with any client (frontend).
  *
  * @category Internal
  */
-export declare function parseUserJwt(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<UserJwtData | undefined>;
+export declare function parseUserJwt(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<ParsedJwt<JwtUserData> | undefined>;

package/dist/jwt/user-jwt.js

@@ -1,13 +1,13 @@
-import { checkValidShape, defineShape } from 'object-shape-tester';
-import { createJwt, parseJwt } from './jwt.js';
+import { checkValidShape, defineShape, unionShape } from 'object-shape-tester';
+import { createJwt, parseJwt, } from './jwt.js';
 /**
- * Shape definition and source of truth for {@link UserJwtData}.
+ * Shape definition and source of truth for {@link JwtUserData}.
  *
  * @category Internal
  */
 export const userJwtDataShape = defineShape({
     /** The id from your database of the user you're authenticating. */
-    userId: '',
+    userId: unionShape('', -1),
     /**
      * CSRF token. This can be any cryptographically secure randomized string.
      *
@@ -16,7 +16,7 @@ export const userJwtDataShape = defineShape({
     csrfToken: '',
 });
 /**
- * Creates a new signed and encrypted {@link UserJwtData} when a client (frontend) successfully
+ * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully
  * authenticates with the host (backend). This is used by host (backend) code to establish a new
  * user session. The output of this function should be sent to the client (frontend) for storage.
  *
@@ -26,16 +26,19 @@ export async function createUserJwt(data, params) {
     return await createJwt(data, params);
 }
 /**
- * Parses a {@link UserJwtData} generated from {@link createUserJwt}. This should be used on the host
+ * Parses a {@link JwtUserData} generated from {@link createUserJwt}. This should be used on the host
  * (backend) to a client (frontend) request. Do not use this function in client (frontend) code: it
  * requires JWT signing keys which should not be shared with any client (frontend).
  *
  * @category Internal
  */
 export async function parseUserJwt(encryptedJwt, params) {
-    const parsed = await parseJwt(encryptedJwt, params);
-    if (!checkValidShape(parsed, userJwtDataShape)) {
+    const { data, jwtExpiration } = await parseJwt(encryptedJwt, params);
+    if (!checkValidShape(data, userJwtDataShape)) {
         throw new TypeError('Verified jwt has wrong data.');
     }
-    return parsed;
+    return {
+        data,
+        jwtExpiration,
+    };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "auth-vir",
-    "version": "1.3.2",
+    "version": "2.0.0",
     "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
     "keywords": [
         "auth",
@@ -33,15 +33,17 @@
         "build": "virmator frontend build",
         "compile": "virmator compile",
         "docs": "virmator docs",
+        "init": "node -e \"require('fs').rmSync('src/generated', { recursive: true, force: true })\" && prisma generate --no-hints --schema test-files/schema.prisma",
         "start": "virmator frontend",
-        "test": "virmator test web",
-        "test:coverage": "npm run test coverage",
+        "test": "runstorm --names web,node, \"npm run test:web\" \"npm run test:node\"",
         "test:docs": "virmator docs check",
-        "test:update": "npm test update"
+        "test:node": "virmator test node 'src/**/*.test.node.ts'",
+        "test:update": "npm test update",
+        "test:web": "virmator test web"
     },
     "dependencies": {
-        "@augment-vir/assert": "^31.40.0",
-        "@augment-vir/common": "^31.40.0",
+        "@augment-vir/assert": "^31.41.0",
+        "@augment-vir/common": "^31.41.0",
         "date-vir": "^8.0.0",
         "hash-wasm": "^4.12.0",
         "jose": "^6.1.0",
@@ -50,7 +52,9 @@
         "url-vir": "^2.1.6"
     },
     "devDependencies": {
-        "@augment-vir/test": "^31.40.0",
+        "@augment-vir/test": "^31.41.0",
+        "@prisma/client": "^6.17.1",
+        "@types/node": "^24.8.1",
         "@web/dev-server-esbuild": "^1.0.4",
         "@web/test-runner": "^0.20.2",
         "@web/test-runner-commands": "^0.9.0",
@@ -58,6 +62,7 @@
         "@web/test-runner-visual-regression": "^0.10.0",
         "istanbul-smart-text-reporter": "^1.1.5",
         "markdown-code-example-inserter": "^3.0.3",
+        "prisma-vir": "^1.2.2",
         "typedoc": "^0.28.14"
     },
     "engines": {