authenik8-core 0.1.0

package/dist/tests/full.intergration.test.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+// tests/full.integration.test.ts
+const testApp_1 = require("./testApp");
+describe("Authenik8 Full Integration", () => {
+    let request;
+    let auth;
+    let accessToken;
+    let refreshToken;
+    beforeAll(async () => {
+        const setup = await (0, testApp_1.createTestApp)();
+        request = setup.request;
+        auth = setup.auth;
+    });
+    afterAll(async () => {
+        if (auth.redis) {
+            await auth.redis.flushdb();
+            await auth.redis.quit();
+        }
+    });
+    // 🔐 LOGIN
+    test("should login and receive tokens", async () => {
+        const res = await request.post("/login");
+        expect(res.status).toBe(200);
+        expect(res.body).toHaveProperty("accessToken");
+        expect(res.body).toHaveProperty("refreshToken");
+        accessToken = res.body.accessToken;
+        refreshToken = res.body.refreshToken;
+    });
+    // 🔒 PROTECTED ROUTE
+    test("should access protected route with valid token", async () => {
+        const res = await request
+            .get("/protected")
+            .set("Authorization", `Bearer ${accessToken}`);
+        expect(res.status).toBe(200);
+        expect(res.body).toHaveProperty("data", "secure data");
+    });
+    // 🚫 NO TOKEN
+    test("should reject request without token", async () => {
+        const res = await request.get("/protected");
+        expect(res.status).toBe(401);
+    });
+    // 🔄 REFRESH TOKEN
+    test("should refresh access token", async () => {
+        const res = await request
+            .post("/refresh")
+            .send({ refreshToken });
+        expect(res.status).toBe(200);
+        expect(res.body).toHaveProperty("accessToken");
+        expect(res.body).toHaveProperty("refreshToken");
+        // update tokens
+        accessToken = res.body.accessToken;
+        refreshToken = res.body.refreshToken;
+        if (res.body.refreshToken) {
+            refreshToken = res.body.refreshToken;
+        }
+    });
+    // 🔥 ROTATION (IMPORTANT)
+    test("should NOT allow reuse of old refresh token", async () => {
+        const originalToken = refreshToken;
+        // first use → rotates token
+        const firstRes = await request
+            .post("/refresh")
+            .send({ refreshToken: originalToken });
+        expect(firstRes.status).toBe(200);
+        const newToken = firstRes.body.refreshToken;
+        // second use with OLD token → should fail
+        const res = await request
+            .post("/refresh")
+            .send({ refreshToken: originalToken });
+        expect(res.status).toBe(401);
+        // sanity check: new token should work
+        const validRes = await request
+            .post("/refresh")
+            .send({ refreshToken: newToken });
+        expect(validRes.status).toBe(200);
+    });
+});
+//# sourceMappingURL=full.intergration.test.js.map

package/dist/tests/full.intergration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"full.intergration.test.js","sourceRoot":"","sources":["../../src/tests/full.intergration.test.ts"],"names":[],"mappings":";;AAAA,iCAAiC;AACjC,uCAA0C;AAE1C,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,IAAI,OAAY,CAAC;IACjB,IAAI,IAAS,CAAC;IAEd,IAAI,WAAmB,CAAC;IACxB,IAAI,YAAoB,CAAC;IAEzB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,KAAK,GAAG,MAAM,IAAA,uBAAa,GAAE,CAAC;QACpC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QACxB,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,WAAW;IACX,IAAI,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEzC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;QAEhD,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QACnC,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,qBAAqB;IACrB,IAAI,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,GAAG,GAAG,MAAM,OAAO;aACtB,GAAG,CAAC,YAAY,CAAC;aACjB,GAAG,CAAC,eAAe,EAAE,UAAU,WAAW,EAAE,CAAC,CAAC;QAEjD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,cAAc;IACd,IAAI,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAE5C,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,mBAAmB;IACnB,IAAI,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,GAAG,GAAG,MAAM,OAAO;aACtB,IAAI,CAAC,UAAU,CAAC;aAChB,IAAI,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;QAE1B,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;QAEhD,gBAAgB;QAChB,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QACnC,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;QAErC,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAC9B,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;QACvC,CAAC;IAEC,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,IAAI,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,aAAa,GAAG,YAAY,CAAC;QAEnC,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,MAAM,OAAO;aAC3B,IAAI,CAAC,UAAU,CAAC;aAChB,IAAI,CAAC,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC;QAEzC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAElC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC;QAE5C,0CAA0C;QAC1C,MAAM,GAAG,GAAG,MAAM,OAAO;aACtB,IAAI,CAAC,UAAU,CAAC;aAChB,IAAI,CAAC,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC;QAEzC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE7B,sCAAsC;QACtC,MAAM,QAAQ,GAAG,MAAM,OAAO;aAC3B,IAAI,CAAC,UAAU,CAAC;aAChB,IAAI,CAAC,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC,CAAC;QAEpC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACD,CAAC,CAAC,CAAC"}

package/dist/tests/testApp.d.ts

@@ -0,0 +1,7 @@
+import request from "supertest";
+export declare const createTestApp: () => Promise<{
+    app: import("express-serve-static-core").Express;
+    auth: import("../types/public").Authenik8Instance;
+    request: import("supertest/lib/agent")<request.SuperTestStatic.Test>;
+}>;
+//# sourceMappingURL=testApp.d.ts.map

package/dist/tests/testApp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testApp.d.ts","sourceRoot":"","sources":["../../src/tests/testApp.ts"],"names":[],"mappings":"AAEA,OAAO,OAAO,MAAM,WAAW,CAAC;AAGhC,eAAO,MAAM,aAAa;;;;EAkDzB,CAAC"}

package/dist/tests/testApp.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTestApp = void 0;
+// tests/testApp.ts
+const express_1 = __importDefault(require("express"));
+const supertest_1 = __importDefault(require("supertest"));
+const createAuthenik8_1 = require("../createAuthenik8");
+const createTestApp = async () => {
+    const auth = await (0, createAuthenik8_1.createAuthenik8)({
+        jwtSecret: "test-secret",
+        refreshSecret: "refresh-secret",
+        jwtExpiry: "15m"
+    });
+    const app = (0, express_1.default)();
+    app.use(express_1.default.json());
+    // 🔐 Login (simulate user)
+    app.post("/login", async (req, res) => {
+        const user = { userId: "user_1", email: "test@test.com" };
+        const accessToken = auth.signToken(user);
+        const refreshToken = await auth.generateRefreshToken(user);
+        res.json({ accessToken, refreshToken });
+        console.log("Refresh Token", refreshToken);
+    });
+    // 🔒 Protected route
+    app.get("/protected", (req, res) => {
+        var _a;
+        const token = (_a = req.headers.authorization) === null || _a === void 0 ? void 0 : _a.split(" ")[1];
+        if (!token) {
+            return res.status(401).json({ error: "Invalid token" });
+        }
+        const decoded = auth.verifyToken(token);
+        if (!decoded) {
+            return res.status(401).json({ error: "Unauthorized" });
+        }
+        res.json({ data: "secure data", user: decoded });
+    });
+    // 🔄 Refresh
+    app.post("/refresh", async (req, res) => {
+        try {
+            const result = await auth.refreshToken(req.body.refreshToken);
+            res.json(result);
+        }
+        catch (err) {
+            res.status(401).json({ error: "Invalid refresh token" });
+        }
+    });
+    return { app, auth, request: (0, supertest_1.default)(app) };
+};
+exports.createTestApp = createTestApp;
+//# sourceMappingURL=testApp.js.map

package/dist/tests/testApp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"testApp.js","sourceRoot":"","sources":["../../src/tests/testApp.ts"],"names":[],"mappings":";;;;;;AAAA,mBAAmB;AACnB,sDAA8B;AAC9B,0DAAgC;AAChC,wDAAqD;AAE9C,MAAM,aAAa,GAAG,KAAK,IAAI,EAAE;IACtC,MAAM,IAAI,GAAG,MAAM,IAAA,iCAAe,EAAC;QACjC,SAAS,EAAE,aAAa;QACxB,aAAa,EAAE,gBAAgB;QAC/B,SAAS,EAAE,KAAK;KACjB,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,2BAA2B;IAC3B,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnC,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAC,eAAe,EAAE,CAAC;QAEzD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAE3D,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAC,YAAY,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAC;IAEH,qBAAqB;IACrB,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;;QACjC,MAAM,KAAK,GAAG,MAAA,GAAG,CAAC,OAAO,CAAC,aAAa,0CAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAEvD,IAAG,CAAC,KAAK,EAAC,CAAC;YACZ,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAC,eAAe,EAAC,CAAC,CAAA;QACnD,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAExC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,aAAa;IACb,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC9D,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,IAAA,mBAAO,EAAC,GAAG,CAAC,EAAE,CAAC;AAC9C,CAAC,CAAC;AAlDW,QAAA,aAAa,iBAkDxB"}

package/dist/types/admin.d.ts

@@ -0,0 +1,6 @@
+import { Redis } from "ioredis";
+export interface RequireAdminOptions {
+    jwtSecret: string;
+    redis?: Redis;
+}
+//# sourceMappingURL=admin.d.ts.map

package/dist/types/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../src/types/admin.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf"}

package/dist/types/admin.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=admin.js.map

package/dist/types/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../../src/types/admin.ts"],"names":[],"mappings":""}

package/dist/types/config.d.ts

@@ -0,0 +1,9 @@
+import { SignOptions } from "jsonwebtoken";
+import { Redis } from "ioredis";
+export interface Authenik8Config {
+    jwtSecret: string;
+    jwtExpiry: SignOptions["expiresIn"];
+    refreshSecret: string;
+    redis?: Redis;
+}
+//# sourceMappingURL=config.d.ts.map

package/dist/types/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,WAAW,CAAC,WAAW,CAAC,CAAC;IACpC,aAAa,EAAE,MAAM,CAAC;IAEtB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf"}

package/dist/types/config.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=config.js.map

package/dist/types/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":""}

package/dist/types/public.d.ts

@@ -0,0 +1,17 @@
+export interface Authenik8Instance {
+    signToken: (payload: any) => string;
+    verifyToken: (token: string) => any;
+    guestToken: () => string;
+    refreshToken: (token: string) => Promise<any>;
+    generateRefreshToken: (payload: any) => Promise<string>;
+    rateLimit: any;
+    ipWhitelist: any;
+    helmet: any;
+    addIP: (ip: string) => Promise<void>;
+    removeIP: (ip: string) => Promise<void>;
+    listIPs: () => Promise<string[]>;
+    requireAdmin: any;
+    incognito: any;
+    redis?: any;
+}
+//# sourceMappingURL=public.d.ts.map

package/dist/types/public.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.d.ts","sourceRoot":"","sources":["../../src/types/public.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,MAAM,CAAC;IACpC,WAAW,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,GAAG,CAAC;IACpC,UAAU,EAAE,MAAM,MAAM,CAAC;IAEzB,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9C,oBAAoB,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAExD,SAAS,EAAE,GAAG,CAAC;IACf,WAAW,EAAE,GAAG,CAAC;IACjB,MAAM,EAAE,GAAG,CAAC;IAEZ,KAAK,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,OAAO,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAEjC,YAAY,EAAE,GAAG,CAAC;IAClB,SAAS,EAAE,GAAG,CAAC;IAEf,KAAK,CAAC,EAAE,GAAG,CAAC;CACb"}

package/dist/types/public.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=public.js.map

package/dist/types/public.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.js","sourceRoot":"","sources":["../../src/types/public.ts"],"names":[],"mappings":""}

package/dist/types/storage.d.ts

@@ -0,0 +1,14 @@
+export interface User {
+    id: string;
+    email: string;
+    password: string;
+    role?: string;
+    type?: string;
+}
+export interface UserStore {
+    findByEmail(email: string): Promise<User | null>;
+    findById(id: string): Promise<User | null>;
+    create(user: Partial<User>): Promise<User>;
+    update(id: string, data: Partial<User>): Promise<User>;
+}
+//# sourceMappingURL=storage.d.ts.map

package/dist/types/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/types/storage.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,IAAI;IACrB,EAAE,EAAC,MAAM,CAAC;IACV,KAAK,EAAC,MAAM,CAAC;IACb,QAAQ,EAAC,MAAM,CAAC;IAChB,IAAI,CAAC,EAAC,MAAM,CAAC;IACb,IAAI,CAAC,EAAC,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,SAAS;IAC1B,WAAW,CAAC,KAAK,EAAC,MAAM,GAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAC/C,QAAQ,CAAC,EAAE,EAAC,MAAM,GAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACzC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,GAC1B,OAAO,CAAC,IAAI,CAAC,CAAC;IACd,MAAM,CAAC,EAAE,EAAC,MAAM,EAAE,IAAI,EAAC,OAAO,CAAC,IAAI,CAAC,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC;CACnD"}

package/dist/types/storage.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=storage.js.map

package/dist/types/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/types/storage.ts"],"names":[],"mappings":""}

package/jest.config.js

@@ -0,0 +1,11 @@
+const { createDefaultPreset } = require("ts-jest");
+
+const tsJestTransformCfg = createDefaultPreset().transform;
+
+/** @type {import("jest").Config} **/
+module.exports = {
+  testEnvironment: "node",
+  transform: {
+    ...tsJestTransformCfg,
+  },
+};

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "authenik8-core",
+  "version": "0.1.0",
+  "description": "Security-First authentication toolkit for nodejs APIs",
+  "keywords": [
+    "authentication",
+    "jwt",
+    "rate-limiter",
+    "api-security",
+    "redis",
+    "express",
+    "nodejs",
+    "auth"
+  ],
+  "homepage": "https://gitlab.com/COD434/authenik8-core#readme",
+  "bugs": {
+    "url": "https://gitlab.com/COD434/authenik8-core/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://gitlab.com/COD434/authenik8-core.git"
+  },
+  "license": "MIT",
+  "author": "Karabo Seeisa",
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "test": "jest",
+    "build": "tsc",
+    "files": [
+      "dist"
+    ]
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.6",
+    "@types/jest": "^30.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^25.5.0",
+    "@types/supertest": "^7.2.0",
+    "jest": "^30.3.0",
+    "supertest": "^7.2.2",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "connect-redis": "^9.0.0",
+    "dotenv": "^17.3.1",
+    "express": "^5.2.1",
+    "helmet": "^8.1.0",
+    "ioredis": "^5.10.0",
+    "ip-cidr": "^4.0.2",
+    "jsonwebtoken": "^9.0.3",
+    "rate-limiter-flexible": "^10.0.1"
+  }
+}

package/src/1

@@ -0,0 +1,22 @@
+import {Authenik8Config} from "./types/config";
+import  {Incognito} from "./auth/guestModeService"
+import {requireAdmin} from "./middleware/adminService";
+
+export const createAuthenik8 =(config:Authenik8Config)=>{
+	const jwtService =new JWTService({
+	secret:config.jwtSecret,
+	expiry:config.jwtExpiry,
+	redisClient:config.redis
+	});
+return{
+	//auth
+	signToken:jwtService.signToken.bind(jwtService),
+	verifyToken:jwtService.verifyToken.bind(jwtService),
+	guestToken:jwtService.guestToken.bind(jwtService)
+
+	//middleware
+requireAdmin :requireAdmin(config),
+incognito:Incognito
+
+}
+}

package/src/auth/guestModeService.ts

@@ -0,0 +1,31 @@
+
+import { Request, Response, NextFunction } from "express";
+
+
+interface User{
+id:string;
+type?: 'guest-mode' | 'authenticated'
+}
+
+const verifyToken = (token: string):User => ({
+	id: "guest",
+type:token ==="temp-token" ? "guest-mode" :  "authenticated"});
+const guestToken = () => "temp-token";
+
+export const Incognito = (req:Request, res:Response, next:NextFunction)=>{
+const authHeader = req.headers.authorization;
+
+        let token = authHeader?.split(" ")[1];
+        let user = token? verifyToken(token) : null;
+
+if(!user){
+const GToken = guestToken();
+user = verifyToken(GToken);
+res.setHeader("X-Guest-Token",GToken);
+}
+if(user?.type === "guest-mode"){
+}
+  (res as any).user = user;
+  next();
+}
+

package/src/auth/jwtAuth.ts

@@ -0,0 +1,99 @@
+
+import {Request, Response, NextFunction} from "express";
+import jwt from "jsonwebtoken";
+import { SignOptions } from "jsonwebtoken"
+import crypto from "crypto"
+
+
+interface JwtPayload {
+userId: string;
+email: string;
+type?:string;
+id?:string;
+createdAt?:number;
+}
+
+export interface JWTOptions{
+jwtSecret:string;
+expiry?:SignOptions["expiresIn"];
+redisClient?:any;
+onGuestToken?: () => void;
+}
+export class JWTService{
+
+private jwtSecret:string;
+private expiry?:SignOptions["expiresIn"]
+
+
+signToken(payload: object){
+return jwt.sign(payload,this.jwtSecret,{
+expiresIn:this.expiry || "1h"})
+};
+
+
+private redisclient?:any;
+private onGuestToken?: () => void;
+
+
+constructor(options:JWTOptions){
+this.jwtSecret = options.jwtSecret;
+this.expiry = options.expiry;
+this.redisclient = options.redisClient;
+this.onGuestToken = options.onGuestToken;
+
+}
+
+
+guestToken(): string{
+const payload = {
+type: "guest",
+id:crypto.randomUUID(),
+createdAt:Date.now()
+}
+if(this.onGuestToken)
+	this.onGuestToken();
+
+return jwt.sign(payload,this.jwtSecret,{expiresIn:this.expiry});
+}
+
+verifyToken(token:string):JwtPayload | null{
+try{
+	return jwt.verify(token,this.jwtSecret)as JwtPayload;}catch{
+	return null
+
+	}
+}
+
+authenticateJWT = async(
+	req:Request,
+	res:Response,
+	next:NextFunction
+) => {
+const authHeader = req.headers.authorization;
+const token = req.cookies?.token || (authHeader?.startsWith("Bearer ") ? authHeader.split(" ")[1]:null);
+
+if(!token){
+return res.status(401).json({message:"Unauthorized"})
+}
+try{
+const decoded =jwt.verify(token,this.jwtSecret)as JwtPayload;
+
+if(this.redisclient && decoded.userId){
+const storedToken = await this.redisclient.get(`session:${decoded.userId}`);
+
+if(storedToken !== token){
+return res
+.status(403)
+.json({success:false,message:"invalid session",errors: []})
+}
+}
+(req as any).user =decoded;
+next();
+
+}catch{
+return res.status(403)
+.json({success:false, message: "invalid or expired token"});
+}
+}
+}
+

package/src/auth/refreshService.ts

@@ -0,0 +1,134 @@
+import jwt from "jsonwebtoken";
+import { SignOptions } from "jsonwebtoken";
+import {randomUUID} from "crypto"
+
+
+export class MissingTokenError extends Error{
+constructor(message="Missing Token")
+{
+super(message);
+this.name ="MissingTokenError";
+}
+}
+
+export class InvalidTokenError extends
+Error{
+constructor(message = "Invalid refresh token"){
+super(message);
+this.name = "InvalidTokenError";
+}
+}
+
+
+interface TokenPayload{
+userId: string;
+email: string;
+}
+
+
+export interface TokenStore{
+get(key:string):Promise<string| null>;
+set?(key: string, value: string, expiry?:number):Promise<void>;
+del?(key :string):Promise<void>;
+
+}
+export interface RefreshServiceOptions {
+	tokenStore:TokenStore;
+	accessTokenSecret:string;
+	refreshTokenSecret:string;
+	accessTokenExpiry:SignOptions["expiresIn"];
+	rotateRefreshTokens?:boolean;
+	refreshTokenExpiry?:string;
+}
+
+export interface RefreshResult{
+accessToken:string;
+refreshToken?:string;
+}
+
+
+export class RefreshService{
+private tokenStore:TokenStore;
+private accessTokenSecret:string;
+private refreshTokenSecret:string;
+private accessTokenExpiry:SignOptions["expiresIn"];
+private rotateRefreshTokens:boolean;
+private refreshTokenExpiry:string;
+
+
+constructor(options:RefreshServiceOptions){
+this.tokenStore =  options.tokenStore;
+this.accessTokenSecret = options.accessTokenSecret;
+this.refreshTokenSecret =options.refreshTokenSecret;
+this.accessTokenExpiry= options.accessTokenExpiry ?? "15m";
+this.rotateRefreshTokens = options.rotateRefreshTokens ?? false;
+this.refreshTokenExpiry = options.refreshTokenExpiry ?? "7d"
+ }
+
+ async generateRefreshToken(payload: TokenPayload): Promise<string> {
+
+	 if (!payload.userId) throw new Error("generateRefreshToken: payload.userId is missing");
+
+	 const token = jwt.sign({...payload,jti:randomUUID(),},this.refreshTokenSecret, {
+    expiresIn: this.refreshTokenExpiry as SignOptions["expiresIn"],
+  });
+
+  if(this.tokenStore.set){
+  await this.tokenStore.set(
+  `refresh:${payload.userId}`,token, 60 * 60 * 24 * 7
+  );
+  }
+
+  console.log("Saving token to Redis:", token);
+  return token
+}
+
+
+ async refresh(refreshToken?:string):Promise<RefreshResult>{
+	 if(!refreshToken){
+	 throw new MissingTokenError()
+	 }
+ 
+let decoded:TokenPayload;
+try {
+decoded = jwt.verify(refreshToken,this.refreshTokenSecret) as TokenPayload;
+}catch(err){
+throw new InvalidTokenError()
+}
+
+const storedToken= await this.tokenStore.get(`refresh:${decoded.userId}`)
+console.log("Stored token:", storedToken);
+console.log("Match:", storedToken === refreshToken);
+
+
+if (storedToken !== refreshToken){
+throw new InvalidTokenError();
+}
+
+const newAccessToken = jwt.sign(
+        { userId: decoded.userId, email: decoded.email },
+        this.accessTokenSecret,
+        { expiresIn: this.accessTokenExpiry as jwt.SignOptions["expiresIn"] }
+    );
+
+let newRefreshToken:string | undefined;
+
+if(this.rotateRefreshTokens && this.tokenStore.set){
+const key = `refresh:${decoded.userId}`
+
+
+ newRefreshToken =jwt.sign({userId:decoded.userId,email : decoded.email,jti:randomUUID(),},
+	this.refreshTokenSecret,
+{expiresIn:this.refreshTokenExpiry as jwt.SignOptions["expiresIn"]});
+
+await this.tokenStore.set(key,newRefreshToken,60 * 60 * 24 * 7)
+  console.log("Stored new refresh token:", newRefreshToken)
+}
+
+ return{
+ accessToken:newAccessToken,
+ refreshToken:newRefreshToken ?? refreshToken
+ };
+}
+}
+