npm - dauth-md-node - Versions diffs - 3.0.2 → 4.1.0 - Mend

dauth-md-node 3.0.2 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.md +161 -134
package/dist/chunk-RKH7YKIR.mjs +82 -0
package/dist/chunk-RKH7YKIR.mjs.map +1 -0
package/dist/index.d.mts +44 -2
package/dist/index.d.ts +44 -2
package/dist/index.js +151 -6
package/dist/index.js.map +1 -1
package/dist/index.mjs +104 -20
package/dist/index.mjs.map +1 -1
package/dist/router.d.mts +16 -0
package/dist/router.d.ts +16 -0
package/dist/router.js +428 -0
package/dist/router.js.map +1 -0
package/dist/router.mjs +325 -0
package/dist/router.mjs.map +1 -0
package/package.json +36 -2
package/src/api/dauth.api.ts +80 -0
package/src/csrf.ts +17 -0
package/src/index.ts +74 -7
package/src/router.ts +428 -0
package/src/session.ts +78 -0

package/dist/router.mjs ADDED Viewed

@@ -0,0 +1,325 @@
+import {
+  decryptSessionWithKeys,
+  deriveEncryptionKey,
+  encryptSession,
+  getServerBasePath
+} from "./chunk-RKH7YKIR.mjs";
+// src/router.ts
+import { Router } from "express";
+import jwt from "jsonwebtoken";
+// src/csrf.ts
+import crypto from "crypto";
+function generateCsrfToken() {
+  return crypto.randomBytes(32).toString("hex");
+}
+function verifyCsrf(req, csrfCookieName) {
+  const headerToken = req.headers["x-csrf-token"];
+  const cookieToken = req.cookies?.[csrfCookieName];
+  if (!headerToken || !cookieToken) return false;
+  if (headerToken.length !== cookieToken.length) return false;
+  return crypto.timingSafeEqual(
+    Buffer.from(headerToken),
+    Buffer.from(cookieToken)
+  );
+}
+// src/router.ts
+var refreshLocks = /* @__PURE__ */ new Map();
+function lockKey(refreshToken) {
+  return refreshToken.substring(0, 16);
+}
+function clearStaleLocks() {
+  if (refreshLocks.size > 100) refreshLocks.clear();
+}
+async function resolveConfig(opts) {
+  const secure = opts.secure ?? process.env.NODE_ENV !== "development";
+  const cookieName = opts.cookieName ?? (secure ? "__Host-dauth-session" : "dauth-session");
+  const csrfCookieName = opts.csrfCookieName ?? (secure ? "__Host-csrf" : "csrf-token");
+  const maxAgeMs = (opts.maxAge ?? 30 * 24 * 3600) * 1e3;
+  const keys = [];
+  keys.push(await deriveEncryptionKey(opts.tsk, opts.sessionSalt));
+  if (opts.previousTsk) {
+    keys.push(await deriveEncryptionKey(opts.previousTsk, opts.sessionSalt));
+  }
+  let dauthBasePath;
+  if (opts.dauthUrl) {
+    dauthBasePath = `${opts.dauthUrl.replace(/\/+$/, "")}/api/v1`;
+  } else {
+    dauthBasePath = getServerBasePath();
+  }
+  return {
+    domainName: opts.domainName,
+    dauthBasePath,
+    cookieName,
+    csrfCookieName,
+    maxAgeMs,
+    secure,
+    encKeys: keys
+  };
+}
+function setSessionCookie(res, payload, config) {
+  const encrypted = encryptSession(payload, config.encKeys[0]);
+  const cookieOpts = {
+    httpOnly: true,
+    secure: config.secure,
+    sameSite: "lax",
+    maxAge: config.maxAgeMs,
+    path: "/"
+  };
+  if (!config.secure) {
+  }
+  res.cookie(config.cookieName, encrypted, cookieOpts);
+}
+function setCsrfCookie(res, config) {
+  const csrfToken = generateCsrfToken();
+  res.cookie(config.csrfCookieName, csrfToken, {
+    httpOnly: false,
+    secure: config.secure,
+    sameSite: "lax",
+    maxAge: config.maxAgeMs,
+    path: "/"
+  });
+}
+function clearCookies(res, config) {
+  const baseOpts = { path: "/", secure: config.secure };
+  res.clearCookie(config.cookieName, baseOpts);
+  res.clearCookie(config.csrfCookieName, baseOpts);
+}
+function readSession(req, config) {
+  const cookie = req.cookies?.[config.cookieName];
+  if (!cookie) return null;
+  return decryptSessionWithKeys(cookie, config.encKeys);
+}
+function isTokenExpiringSoon(token, thresholdMs = 3e5) {
+  try {
+    const decoded = jwt.decode(token);
+    if (!decoded?.exp) return true;
+    return decoded.exp * 1e3 - Date.now() < thresholdMs;
+  } catch {
+    return true;
+  }
+}
+async function maybeRefreshTokens(session, config, res) {
+  if (!isTokenExpiringSoon(session.accessToken)) return session;
+  const key = lockKey(session.refreshToken);
+  clearStaleLocks();
+  const existingLock = refreshLocks.get(key);
+  if (existingLock) {
+    const result2 = await existingLock;
+    return result2 ?? session;
+  }
+  const refreshPromise = (async () => {
+    try {
+      const response = await fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/refresh-token`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            refreshToken: session.refreshToken
+          })
+        }
+      );
+      if (!response.ok) return null;
+      const data = await response.json();
+      if (!data.accessToken || !data.refreshToken) return null;
+      const newSession = {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken
+      };
+      setSessionCookie(res, newSession, config);
+      return newSession;
+    } catch {
+      return null;
+    }
+  })();
+  refreshLocks.set(key, refreshPromise);
+  const timeout = setTimeout(() => refreshLocks.delete(key), 1e4);
+  refreshPromise.finally(() => {
+    clearTimeout(timeout);
+    refreshLocks.delete(key);
+  });
+  const result = await refreshPromise;
+  return result ?? session;
+}
+function dauthRouter(opts) {
+  const router = Router();
+  let configPromise = null;
+  async function getConfig() {
+    if (!configPromise) configPromise = resolveConfig(opts);
+    return configPromise;
+  }
+  router.post("/exchange-code", async (req, res) => {
+    const config = await getConfig();
+    const { code } = req.body;
+    if (!code) {
+      return res.status(400).send({ status: "code-required", message: "Code required" });
+    }
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/exchange-code`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code })
+      }
+    );
+    if (!response.ok) {
+      return res.status(response.status).send({ status: "code-invalid", message: "Code invalid" });
+    }
+    const data = await response.json();
+    setSessionCookie(
+      res,
+      {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken
+      },
+      config
+    );
+    setCsrfCookie(res, config);
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "GET",
+        headers: { Authorization: data.accessToken }
+      }
+    );
+    const userData = await userResponse.json();
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain,
+      isNewUser: data.isNewUser
+    });
+  });
+  router.get("/session", async (req, res) => {
+    const config = await getConfig();
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "GET",
+        headers: { Authorization: refreshed.accessToken }
+      }
+    );
+    if (!userResponse.ok) {
+      clearCookies(res, config);
+      return res.status(401).send({ status: "session-invalid", message: "Session expired" });
+    }
+    const userData = await userResponse.json();
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain
+    });
+  });
+  router.post("/logout", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (session) {
+      fetch(`${config.dauthBasePath}/app/${config.domainName}/logout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          refreshToken: session.refreshToken
+        })
+      }).catch(() => {
+      });
+    }
+    clearCookies(res, config);
+    return res.status(200).send({ status: "success", message: "Logged out" });
+  });
+  router.patch("/user", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "PATCH",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: refreshed.accessToken
+        },
+        body: JSON.stringify(req.body)
+      }
+    );
+    const data = await response.json();
+    return res.status(response.status).send(data);
+  });
+  router.delete("/user", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "DELETE",
+        headers: { Authorization: session.accessToken }
+      }
+    );
+    const data = await response.json();
+    clearCookies(res, config);
+    return res.status(response.status).send(data);
+  });
+  router.get("/profile-redirect", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({
+        status: "csrf-invalid",
+        message: "CSRF token invalid"
+      });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({
+        status: "no-session",
+        message: "Not authenticated"
+      });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/profile-code`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: refreshed.accessToken
+        }
+      }
+    );
+    if (!response.ok) {
+      return res.status(response.status).send({
+        status: "profile-code-error",
+        message: "Could not generate profile code"
+      });
+    }
+    const data = await response.json();
+    const dauthFrontendUrl = opts.dauthUrl ? opts.dauthUrl.replace(/\/+$/, "") : process.env.DAUTH_URL ? process.env.DAUTH_URL.replace(/\/+$/, "") : process.env.NODE_ENV === "development" ? "http://localhost:5185" : "https://dauth.ovh";
+    return res.status(200).send({
+      redirectUrl: `${dauthFrontendUrl}/${config.domainName}/update-user?code=${data.code}`
+    });
+  });
+  return router;
+}
+export {
+  dauthRouter
+};
+//# sourceMappingURL=router.mjs.map

package/dist/router.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/router.ts","../src/csrf.ts"],"sourcesContent":["import { Router, Request, Response } from 'express';\nimport jwt from 'jsonwebtoken';\nimport { getServerBasePath } from './api/utils/config';\nimport {\n deriveEncryptionKey,\n encryptSession,\n decryptSessionWithKeys,\n SessionPayload,\n} from './session';\nimport { generateCsrfToken, verifyCsrf } from './csrf';\n\nexport interface DauthRouterOptions {\n domainName: string;\n tsk: string;\n dauthUrl?: string;\n cookieName?: string;\n csrfCookieName?: string;\n maxAge?: number;\n secure?: boolean;\n previousTsk?: string;\n sessionSalt?: string;\n}\n\ninterface ResolvedConfig {\n domainName: string;\n dauthBasePath: string;\n cookieName: string;\n csrfCookieName: string;\n maxAgeMs: number;\n secure: boolean;\n encKeys: Buffer[];\n}\n\n// Refresh lock to prevent race conditions on concurrent token rotation\nconst refreshLocks = new Map<string, Promise<SessionPayload | null>>();\n\nfunction lockKey(refreshToken: string): string {\n return refreshToken.substring(0, 16);\n}\n\nfunction clearStaleLocks(): void {\n if (refreshLocks.size > 100) refreshLocks.clear();\n}\n\nasync function resolveConfig(\n opts: DauthRouterOptions\n): Promise<ResolvedConfig> {\n const secure = opts.secure ?? process.env.NODE_ENV !== 'development';\n const cookieName =\n opts.cookieName ?? (secure ? '__Host-dauth-session' : 'dauth-session');\n const csrfCookieName =\n opts.csrfCookieName ?? (secure ? '__Host-csrf' : 'csrf-token');\n const maxAgeMs = (opts.maxAge ?? 30 * 24 * 3600) * 1000;\n\n const keys: Buffer[] = [];\n keys.push(await deriveEncryptionKey(opts.tsk, opts.sessionSalt));\n if (opts.previousTsk) {\n keys.push(await deriveEncryptionKey(opts.previousTsk, opts.sessionSalt));\n }\n\n let dauthBasePath: string;\n if (opts.dauthUrl) {\n dauthBasePath = `${opts.dauthUrl.replace(/\\/+$/, '')}/api/v1`;\n } else {\n dauthBasePath = getServerBasePath();\n }\n\n return {\n domainName: opts.domainName,\n dauthBasePath,\n cookieName,\n csrfCookieName,\n maxAgeMs,\n secure,\n encKeys: keys,\n };\n}\n\nfunction setSessionCookie(\n res: Response,\n payload: SessionPayload,\n config: ResolvedConfig\n): void {\n const encrypted = encryptSession(payload, config.encKeys[0]);\n const cookieOpts: Record<string, unknown> = {\n httpOnly: true,\n secure: config.secure,\n sameSite: 'lax',\n maxAge: config.maxAgeMs,\n path: '/',\n };\n // __Host- prefix requires no domain attribute\n if (!config.secure) {\n // Dev mode: no __Host- prefix, no domain restriction needed\n }\n res.cookie(config.cookieName, encrypted, cookieOpts);\n}\n\nfunction setCsrfCookie(res: Response, config: ResolvedConfig): void {\n const csrfToken = generateCsrfToken();\n res.cookie(config.csrfCookieName, csrfToken, {\n httpOnly: false,\n secure: config.secure,\n sameSite: 'lax',\n maxAge: config.maxAgeMs,\n path: '/',\n });\n}\n\nfunction clearCookies(res: Response, config: ResolvedConfig): void {\n const baseOpts = { path: '/', secure: config.secure };\n res.clearCookie(config.cookieName, baseOpts);\n res.clearCookie(config.csrfCookieName, baseOpts);\n}\n\nfunction readSession(\n req: Request,\n config: ResolvedConfig\n): SessionPayload | null {\n const cookie = req.cookies?.[config.cookieName];\n if (!cookie) return null;\n return decryptSessionWithKeys(cookie, config.encKeys);\n}\n\nfunction isTokenExpiringSoon(token: string, thresholdMs = 300_000): boolean {\n try {\n const decoded = jwt.decode(token) as { exp?: number } | null;\n if (!decoded?.exp) return true;\n return decoded.exp * 1000 - Date.now() < thresholdMs;\n } catch {\n return true;\n }\n}\n\nasync function maybeRefreshTokens(\n session: SessionPayload,\n config: ResolvedConfig,\n res: Response\n): Promise<SessionPayload> {\n if (!isTokenExpiringSoon(session.accessToken)) return session;\n\n const key = lockKey(session.refreshToken);\n clearStaleLocks();\n\n const existingLock = refreshLocks.get(key);\n if (existingLock) {\n const result = await existingLock;\n return result ?? session;\n }\n\n const refreshPromise = (async (): Promise<SessionPayload | null> => {\n try {\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/refresh-token`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n refreshToken: session.refreshToken,\n }),\n }\n );\n if (!response.ok) return null;\n const data = (await response.json()) as {\n accessToken?: string;\n refreshToken?: string;\n };\n if (!data.accessToken || !data.refreshToken) return null;\n const newSession: SessionPayload = {\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n };\n setSessionCookie(res, newSession, config);\n return newSession;\n } catch {\n return null;\n }\n })();\n\n refreshLocks.set(key, refreshPromise);\n\n // Timeout safety net: clean lock after 10s\n const timeout = setTimeout(() => refreshLocks.delete(key), 10_000);\n refreshPromise.finally(() => {\n clearTimeout(timeout);\n refreshLocks.delete(key);\n });\n\n const result = await refreshPromise;\n return result ?? session;\n}\n\nexport function dauthRouter(opts: DauthRouterOptions): Router {\n const router = Router();\n let configPromise: Promise<ResolvedConfig> | null = null;\n\n async function getConfig(): Promise<ResolvedConfig> {\n if (!configPromise) configPromise = resolveConfig(opts);\n return configPromise;\n }\n\n // POST /exchange-code — no CSRF (no prior session)\n router.post('/exchange-code', async (req: Request, res: Response) => {\n const config = await getConfig();\n const { code } = req.body;\n if (!code) {\n return res\n .status(400)\n .send({ status: 'code-required', message: 'Code required' });\n }\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/exchange-code`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ code }),\n }\n );\n if (!response.ok) {\n return res\n .status(response.status)\n .send({ status: 'code-invalid', message: 'Code invalid' });\n }\n const data = (await response.json()) as {\n accessToken: string;\n refreshToken: string;\n isNewUser: boolean;\n };\n\n setSessionCookie(\n res,\n {\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n },\n config\n );\n setCsrfCookie(res, config);\n\n // Fetch user data to return\n const userResponse = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'GET',\n headers: { Authorization: data.accessToken },\n }\n );\n const userData = (await userResponse.json()) as {\n user?: unknown;\n domain?: unknown;\n };\n\n return res.status(200).send({\n user: userData.user,\n domain: userData.domain,\n isNewUser: data.isNewUser,\n });\n });\n\n // GET /session — no CSRF (read-only)\n router.get('/session', async (req: Request, res: Response) => {\n const config = await getConfig();\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n\n const refreshed = await maybeRefreshTokens(session, config, res);\n\n const userResponse = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'GET',\n headers: { Authorization: refreshed.accessToken },\n }\n );\n if (!userResponse.ok) {\n clearCookies(res, config);\n return res\n .status(401)\n .send({ status: 'session-invalid', message: 'Session expired' });\n }\n const userData = (await userResponse.json()) as {\n user?: unknown;\n domain?: unknown;\n };\n return res.status(200).send({\n user: userData.user,\n domain: userData.domain,\n });\n });\n\n // POST /logout — CSRF required\n router.post('/logout', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (session) {\n // Revoke refresh token server-to-server (fire-and-forget)\n fetch(`${config.dauthBasePath}/app/${config.domainName}/logout`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n refreshToken: session.refreshToken,\n }),\n }).catch(() => {});\n }\n clearCookies(res, config);\n return res.status(200).send({ status: 'success', message: 'Logged out' });\n });\n\n // PATCH /user — CSRF required\n router.patch('/user', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n const refreshed = await maybeRefreshTokens(session, config, res);\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'PATCH',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: refreshed.accessToken,\n },\n body: JSON.stringify(req.body),\n }\n );\n const data = await response.json();\n return res.status(response.status).send(data);\n });\n\n // DELETE /user — CSRF required\n router.delete('/user', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'DELETE',\n headers: { Authorization: session.accessToken },\n }\n );\n const data = await response.json();\n clearCookies(res, config);\n return res.status(response.status).send(data);\n });\n\n // GET /profile-redirect — CSRF required (generates profile code)\n router.get('/profile-redirect', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res.status(403).send({\n status: 'csrf-invalid',\n message: 'CSRF token invalid',\n });\n }\n const session = readSession(req, config);\n if (!session) {\n return res.status(401).send({\n status: 'no-session',\n message: 'Not authenticated',\n });\n }\n const refreshed = await maybeRefreshTokens(session, config, res);\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/profile-code`,\n {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: refreshed.accessToken,\n },\n }\n );\n if (!response.ok) {\n return res.status(response.status).send({\n status: 'profile-code-error',\n message: 'Could not generate profile code',\n });\n }\n const data = (await response.json()) as { code: string };\n\n // Build redirect URL to dauth frontend\n const dauthFrontendUrl = opts.dauthUrl\n ? opts.dauthUrl.replace(/\\/+$/, '')\n : process.env.DAUTH_URL\n ? process.env.DAUTH_URL.replace(/\\/+$/, '')\n : process.env.NODE_ENV === 'development'\n ? 'http://localhost:5185'\n : 'https://dauth.ovh';\n\n return res.status(200).send({\n redirectUrl: `${dauthFrontendUrl}/${config.domainName}/update-user?code=${data.code}`,\n });\n });\n\n return router;\n}\n","import crypto from 'crypto';\nimport type { Request } from 'express';\n\nexport function generateCsrfToken(): string {\n return crypto.randomBytes(32).toString('hex');\n}\n\nexport function verifyCsrf(req: Request, csrfCookieName: string): boolean {\n const headerToken = req.headers['x-csrf-token'] as string | undefined;\n const cookieToken = req.cookies?.[csrfCookieName] as string | undefined;\n if (!headerToken || !cookieToken) return false;\n if (headerToken.length !== cookieToken.length) return false;\n return crypto.timingSafeEqual(\n Buffer.from(headerToken),\n Buffer.from(cookieToken)\n );\n}\n"],"mappings":";;;;;;;;AAAA,SAAS,cAAiC;AAC1C,OAAO,SAAS;;;ACDhB,OAAO,YAAY;AAGZ,SAAS,oBAA4B;AAC1C,SAAO,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC9C;AAEO,SAAS,WAAW,KAAc,gBAAiC;AACxE,QAAM,cAAc,IAAI,QAAQ,cAAc;AAC9C,QAAM,cAAc,IAAI,UAAU,cAAc;AAChD,MAAI,CAAC,eAAe,CAAC,YAAa,QAAO;AACzC,MAAI,YAAY,WAAW,YAAY,OAAQ,QAAO;AACtD,SAAO,OAAO;AAAA,IACZ,OAAO,KAAK,WAAW;AAAA,IACvB,OAAO,KAAK,WAAW;AAAA,EACzB;AACF;;;ADkBA,IAAM,eAAe,oBAAI,IAA4C;AAErE,SAAS,QAAQ,cAA8B;AAC7C,SAAO,aAAa,UAAU,GAAG,EAAE;AACrC;AAEA,SAAS,kBAAwB;AAC/B,MAAI,aAAa,OAAO,IAAK,cAAa,MAAM;AAClD;AAEA,eAAe,cACb,MACyB;AACzB,QAAM,SAAS,KAAK,UAAU,QAAQ,IAAI,aAAa;AACvD,QAAM,aACJ,KAAK,eAAe,SAAS,yBAAyB;AACxD,QAAM,iBACJ,KAAK,mBAAmB,SAAS,gBAAgB;AACnD,QAAM,YAAY,KAAK,UAAU,KAAK,KAAK,QAAQ;AAEnD,QAAM,OAAiB,CAAC;AACxB,OAAK,KAAK,MAAM,oBAAoB,KAAK,KAAK,KAAK,WAAW,CAAC;AAC/D,MAAI,KAAK,aAAa;AACpB,SAAK,KAAK,MAAM,oBAAoB,KAAK,aAAa,KAAK,WAAW,CAAC;AAAA,EACzE;AAEA,MAAI;AACJ,MAAI,KAAK,UAAU;AACjB,oBAAgB,GAAG,KAAK,SAAS,QAAQ,QAAQ,EAAE,CAAC;AAAA,EACtD,OAAO;AACL,oBAAgB,kBAAkB;AAAA,EACpC;AAEA,SAAO;AAAA,IACL,YAAY,KAAK;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AACF;AAEA,SAAS,iBACP,KACA,SACA,QACM;AACN,QAAM,YAAY,eAAe,SAAS,OAAO,QAAQ,CAAC,CAAC;AAC3D,QAAM,aAAsC;AAAA,IAC1C,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,MAAM;AAAA,EACR;AAEA,MAAI,CAAC,OAAO,QAAQ;AAAA,EAEpB;AACA,MAAI,OAAO,OAAO,YAAY,WAAW,UAAU;AACrD;AAEA,SAAS,cAAc,KAAe,QAA8B;AAClE,QAAM,YAAY,kBAAkB;AACpC,MAAI,OAAO,OAAO,gBAAgB,WAAW;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,MAAM;AAAA,EACR,CAAC;AACH;AAEA,SAAS,aAAa,KAAe,QAA8B;AACjE,QAAM,WAAW,EAAE,MAAM,KAAK,QAAQ,OAAO,OAAO;AACpD,MAAI,YAAY,OAAO,YAAY,QAAQ;AAC3C,MAAI,YAAY,OAAO,gBAAgB,QAAQ;AACjD;AAEA,SAAS,YACP,KACA,QACuB;AACvB,QAAM,SAAS,IAAI,UAAU,OAAO,UAAU;AAC9C,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,uBAAuB,QAAQ,OAAO,OAAO;AACtD;AAEA,SAAS,oBAAoB,OAAe,cAAc,KAAkB;AAC1E,MAAI;AACF,UAAM,UAAU,IAAI,OAAO,KAAK;AAChC,QAAI,CAAC,SAAS,IAAK,QAAO;AAC1B,WAAO,QAAQ,MAAM,MAAO,KAAK,IAAI,IAAI;AAAA,EAC3C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,mBACb,SACA,QACA,KACyB;AACzB,MAAI,CAAC,oBAAoB,QAAQ,WAAW,EAAG,QAAO;AAEtD,QAAM,MAAM,QAAQ,QAAQ,YAAY;AACxC,kBAAgB;AAEhB,QAAM,eAAe,aAAa,IAAI,GAAG;AACzC,MAAI,cAAc;AAChB,UAAMA,UAAS,MAAM;AACrB,WAAOA,WAAU;AAAA,EACnB;AAEA,QAAM,kBAAkB,YAA4C;AAClE,QAAI;AACF,YAAM,WAAW,MAAM;AAAA,QACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,QAChD;AAAA,UACE,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAC9C,MAAM,KAAK,UAAU;AAAA,YACnB,cAAc,QAAQ;AAAA,UACxB,CAAC;AAAA,QACH;AAAA,MACF;AACA,UAAI,CAAC,SAAS,GAAI,QAAO;AACzB,YAAM,OAAQ,MAAM,SAAS,KAAK;AAIlC,UAAI,CAAC,KAAK,eAAe,CAAC,KAAK,aAAc,QAAO;AACpD,YAAM,aAA6B;AAAA,QACjC,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,MACrB;AACA,uBAAiB,KAAK,YAAY,MAAM;AACxC,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG;AAEH,eAAa,IAAI,KAAK,cAAc;AAGpC,QAAM,UAAU,WAAW,MAAM,aAAa,OAAO,GAAG,GAAG,GAAM;AACjE,iBAAe,QAAQ,MAAM;AAC3B,iBAAa,OAAO;AACpB,iBAAa,OAAO,GAAG;AAAA,EACzB,CAAC;AAED,QAAM,SAAS,MAAM;AACrB,SAAO,UAAU;AACnB;AAEO,SAAS,YAAY,MAAkC;AAC5D,QAAM,SAAS,OAAO;AACtB,MAAI,gBAAgD;AAEpD,iBAAe,YAAqC;AAClD,QAAI,CAAC,cAAe,iBAAgB,cAAc,IAAI;AACtD,WAAO;AAAA,EACT;AAGA,SAAO,KAAK,kBAAkB,OAAO,KAAc,QAAkB;AACnE,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,EAAE,KAAK,IAAI,IAAI;AACrB,QAAI,CAAC,MAAM;AACT,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,iBAAiB,SAAS,gBAAgB,CAAC;AAAA,IAC/D;AAEA,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,QAC9C,MAAM,KAAK,UAAU,EAAE,KAAK,CAAC;AAAA,MAC/B;AAAA,IACF;AACA,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO,IACJ,OAAO,SAAS,MAAM,EACtB,KAAK,EAAE,QAAQ,gBAAgB,SAAS,eAAe,CAAC;AAAA,IAC7D;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAMlC;AAAA,MACE;AAAA,MACA;AAAA,QACE,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AACA,kBAAc,KAAK,MAAM;AAGzB,UAAM,eAAe,MAAM;AAAA,MACzB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,KAAK,YAAY;AAAA,MAC7C;AAAA,IACF;AACA,UAAM,WAAY,MAAM,aAAa,KAAK;AAK1C,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,MAC1B,MAAM,SAAS;AAAA,MACf,QAAQ,SAAS;AAAA,MACjB,WAAW,KAAK;AAAA,IAClB,CAAC;AAAA,EACH,CAAC;AAGD,SAAO,IAAI,YAAY,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AAEA,UAAM,YAAY,MAAM,mBAAmB,SAAS,QAAQ,GAAG;AAE/D,UAAM,eAAe,MAAM;AAAA,MACzB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,UAAU,YAAY;AAAA,MAClD;AAAA,IACF;AACA,QAAI,CAAC,aAAa,IAAI;AACpB,mBAAa,KAAK,MAAM;AACxB,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,mBAAmB,SAAS,kBAAkB,CAAC;AAAA,IACnE;AACA,UAAM,WAAY,MAAM,aAAa,KAAK;AAI1C,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,MAC1B,MAAM,SAAS;AAAA,MACf,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH,CAAC;AAGD,SAAO,KAAK,WAAW,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,SAAS;AAEX,YAAM,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU,WAAW;AAAA,QAC/D,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,QAC9C,MAAM,KAAK,UAAU;AAAA,UACnB,cAAc,QAAQ;AAAA,QACxB,CAAC;AAAA,MACH,CAAC,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACnB;AACA,iBAAa,KAAK,MAAM;AACxB,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,QAAQ,WAAW,SAAS,aAAa,CAAC;AAAA,EAC1E,CAAC;AAGD,SAAO,MAAM,SAAS,OAAO,KAAc,QAAkB;AAC3D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AACA,UAAM,YAAY,MAAM,mBAAmB,SAAS,QAAQ,GAAG;AAE/D,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU;AAAA,QAC3B;AAAA,QACA,MAAM,KAAK,UAAU,IAAI,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,WAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK,IAAI;AAAA,EAC9C,CAAC;AAGD,SAAO,OAAO,SAAS,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AAEA,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,QAAQ,YAAY;AAAA,MAChD;AAAA,IACF;AACA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,iBAAa,KAAK,MAAM;AACxB,WAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK,IAAI;AAAA,EAC9C,CAAC;AAGD,SAAO,IAAI,qBAAqB,OAAO,KAAc,QAAkB;AACrE,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,QAAQ;AAAA,QACR,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,QAAQ;AAAA,QACR,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AACA,UAAM,YAAY,MAAM,mBAAmB,SAAS,QAAQ,GAAG;AAE/D,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK;AAAA,QACtC,QAAQ;AAAA,QACR,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAGlC,UAAM,mBAAmB,KAAK,WAC1B,KAAK,SAAS,QAAQ,QAAQ,EAAE,IAChC,QAAQ,IAAI,YACV,QAAQ,IAAI,UAAU,QAAQ,QAAQ,EAAE,IACxC,QAAQ,IAAI,aAAa,gBACvB,0BACA;AAER,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,MAC1B,aAAa,GAAG,gBAAgB,IAAI,OAAO,UAAU,qBAAqB,KAAK,IAAI;AAAA,IACrF,CAAC;AAAA,EACH,CAAC;AAED,SAAO;AACT;","names":["result"]}

package/package.json CHANGED Viewed

@@ -1,8 +1,21 @@
 {
   "name": "dauth-md-node",
-  "version": "3.0.2",
+  "version": "4.1.0",
+  "description": "Express middleware for JWT verification and session management against the Dauth authentication service",
   "license": "MIT",
   "author": "David T. Pizarro Frick",
+  "keywords": [
+    "authentication",
+    "passwordless",
+    "magic-link",
+    "passkey",
+    "webauthn",
+    "multi-tenant",
+    "jwt",
+    "express",
+    "middleware",
+    "dauth"
+  ],
   "main": "dist/index.js",
   "module": "dist/index.mjs",
   "typings": "dist/index.d.ts",
@@ -11,6 +24,11 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./router": {
+      "types": "./dist/router.d.ts",
+      "import": "./dist/router.mjs",
+      "require": "./dist/router.js"
     }
   },
   "files": [
@@ -24,6 +42,7 @@
     "start": "tsup --watch",
     "build": "tsup",
     "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
     "typecheck": "tsc --noEmit",
     "format": "prettier --write \"src/**/*.{ts,tsx,js,jsx,json,md}\"",
     "prepare": "tsup",
@@ -45,10 +64,24 @@
     {
       "path": "dist/index.mjs",
       "limit": "10 KB"
+    },
+    {
+      "path": "dist/router.js",
+      "limit": "10 KB"
+    },
+    {
+      "path": "dist/router.mjs",
+      "limit": "10 KB"
     }
   ],
   "peerDependencies": {
-    "express": "^4.18.0 || ^5.0.0"
+    "express": "^4.18.0 || ^5.0.0",
+    "cookie-parser": "^1.4.0"
+  },
+  "peerDependenciesMeta": {
+    "cookie-parser": {
+      "optional": true
+    }
   },
   "dependencies": {
     "jsonwebtoken": "^9.0.3"
@@ -63,6 +96,7 @@
     "@types/express": "^5.0.0",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "~22.19.0",
+    "@vitest/coverage-v8": "^4.0.18",
     "express": "^5.0.0",
     "husky": "^9.1.7",
     "prettier": "^3.8.1",

package/src/api/dauth.api.ts CHANGED Viewed

@@ -5,6 +5,24 @@ interface GetUserResponse {
   data: { user?: any; message?: string };
 }
+export interface TenantUser {
+  _id: string;
+  name: string;
+  lastname: string;
+  email: string;
+  avatar: { id: string; url: string };
+}
+interface TenantUserResponse {
+  response: { status: number };
+  data: { status?: string; data?: TenantUser | null; message?: string };
+}
+interface BatchUsersResponse {
+  response: { status: number };
+  data: { status?: string; data?: TenantUser[]; message?: string };
+}
 export async function getUser(
   token: string,
   domainName: string
@@ -22,3 +40,65 @@ export async function getUser(
   const data = (await response.json()) as GetUserResponse['data'];
   return { response: { status: response.status }, data };
 }
+export async function searchUserByEmail(
+  token: string,
+  domainName: string,
+  email: string
+): Promise<TenantUserResponse> {
+  const params = new URLSearchParams({ email });
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/search?${params}`,
+    {
+      method: 'GET',
+      headers: {
+        Authorization: token,
+        'Content-Type': 'application/json',
+      },
+    }
+  );
+  const data =
+    (await response.json()) as TenantUserResponse['data'];
+  return { response: { status: response.status }, data };
+}
+export async function getUserById(
+  token: string,
+  domainName: string,
+  userId: string
+): Promise<TenantUserResponse> {
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/${userId}`,
+    {
+      method: 'GET',
+      headers: {
+        Authorization: token,
+        'Content-Type': 'application/json',
+      },
+    }
+  );
+  const data =
+    (await response.json()) as TenantUserResponse['data'];
+  return { response: { status: response.status }, data };
+}
+export async function batchGetUsers(
+  token: string,
+  domainName: string,
+  userIds: string[]
+): Promise<BatchUsersResponse> {
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/batch`,
+    {
+      method: 'POST',
+      headers: {
+        Authorization: token,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ userIds }),
+    }
+  );
+  const data =
+    (await response.json()) as BatchUsersResponse['data'];
+  return { response: { status: response.status }, data };
+}

package/src/csrf.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import crypto from 'crypto';
+import type { Request } from 'express';
+export function generateCsrfToken(): string {
+  return crypto.randomBytes(32).toString('hex');
+}
+export function verifyCsrf(req: Request, csrfCookieName: string): boolean {
+  const headerToken = req.headers['x-csrf-token'] as string | undefined;
+  const cookieToken = req.cookies?.[csrfCookieName] as string | undefined;
+  if (!headerToken || !cookieToken) return false;
+  if (headerToken.length !== cookieToken.length) return false;
+  return crypto.timingSafeEqual(
+    Buffer.from(headerToken),
+    Buffer.from(cookieToken)
+  );
+}

package/src/index.ts CHANGED Viewed

@@ -1,8 +1,15 @@
 import { Request, NextFunction, Response as ExpressResponse } from 'express';
 import jwt from 'jsonwebtoken';
 import { getUser } from './api/dauth.api';
+export {
+  searchUserByEmail,
+  getUserById,
+  batchGetUsers,
+} from './api/dauth.api';
+export type { TenantUser } from './api/dauth.api';
 import { UserCache } from './cache';
 import type { CacheOptions } from './cache';
+import { deriveEncryptionKey, decryptSessionWithKeys } from './session';
 export type AuthMethodType = 'magic-link' | 'passkey';
@@ -32,6 +39,7 @@ export interface IDauthUser {
 export interface IRequestDauth extends Request {
   user: IDauthUser;
+  dauthToken: string;
   files: {
     image: { path: string };
     avatar: { path: string };
@@ -41,10 +49,18 @@ export interface IRequestDauth extends Request {
   };
 }
+export interface SessionOptions {
+  cookieName?: string;
+  secure?: boolean;
+  previousTsk?: string;
+  sessionSalt?: string;
+}
 export interface DauthOptions {
   domainName: string;
   tsk: string;
   cache?: CacheOptions;
+  session?: SessionOptions;
 }
 interface TCustomResponse extends ExpressResponse {
@@ -55,21 +71,69 @@ interface TCustomResponse extends ExpressResponse {
 export { UserCache };
 export type { CacheOptions };
-export const dauth = ({ domainName, tsk, cache }: DauthOptions) => {
+export const dauth = ({ domainName, tsk, cache, session }: DauthOptions) => {
   const userCache = cache ? new UserCache(cache) : null;
+  // Lazy-init encryption keys for session cookie mode
+  let keysPromise: Promise<Buffer[]> | null = null;
+  async function getEncKeys(): Promise<Buffer[]> {
+    if (!keysPromise) {
+      keysPromise = (async () => {
+        const keys: Buffer[] = [];
+        keys.push(await deriveEncryptionKey(tsk, session?.sessionSalt));
+        if (session?.previousTsk) {
+          keys.push(
+            await deriveEncryptionKey(session.previousTsk, session.sessionSalt)
+          );
+        }
+        return keys;
+      })();
+    }
+    return keysPromise;
+  }
+  function getSessionCookieName(): string {
+    if (session?.cookieName) return session.cookieName;
+    const secure = session?.secure ?? process.env.NODE_ENV !== 'development';
+    return secure ? '__Host-dauth-session' : 'dauth-session';
+  }
   return async (
     req: IRequestDauth,
     res: TCustomResponse,
     next: NextFunction
   ) => {
-    if (!req.headers.authorization) {
-      return res
-        .status(403)
-        .send({ status: 'token-not-found', message: 'Token not found' });
-    }
+    let token: string;
-    const token = req.headers.authorization.replace(/['"]+/g, '');
+    if (session) {
+      // Session cookie mode: read encrypted cookie
+      const cookieName = getSessionCookieName();
+      const cookie = req.cookies?.[cookieName];
+      if (!cookie) {
+        return res.status(401).send({
+          status: 'no-session',
+          message: 'Not authenticated',
+        });
+      }
+      const keys = await getEncKeys();
+      const payload = decryptSessionWithKeys(cookie, keys);
+      if (!payload) {
+        return res.status(401).send({
+          status: 'session-invalid',
+          message: 'Invalid session',
+        });
+      }
+      token = payload.accessToken;
+    } else {
+      // Authorization header mode
+      if (!req.headers.authorization) {
+        return res.status(403).send({
+          status: 'token-not-found',
+          message: 'Token not found',
+        });
+      }
+      token = req.headers.authorization.replace(/['"]+/g, '');
+    }
     try {
       jwt.verify(token, tsk);
@@ -90,6 +154,9 @@ export const dauth = ({ domainName, tsk, cache }: DauthOptions) => {
       return res.status(401).send({ status: 'token-invalid', message });
     }
+    // Expose the verified access token for downstream API calls
+    req.dauthToken = token;
     if (userCache) {
       const cachedUser = userCache.get(token);
       if (cachedUser) {