dauth-md-node 4.0.0 → 4.1.0

package/README.md

@@ -1,16 +1,37 @@
 # dauth-md-node
 
-Express middleware for JWT-based authentication against the [Dauth](https://dauth.ovh) service. Verifies tenant JWTs and fetches the authenticated user from the Dauth backend, attaching it to `req.user`.
+Express middleware and router for JWT-based authentication against the [dauth](https://dauth.ovh) service. Two exports: `dauth()` middleware that verifies JWTs (via Authorization header or encrypted session cookies) and attaches `req.user`, and `dauthRouter()` that provides pre-built session-based auth routes with encrypted cookies, CSRF protection, and automatic token refresh.
 
 ## Installation
 
 ```bash
 npm install dauth-md-node
 # or
-yarn add dauth-md-node
+pnpm add dauth-md-node
 ```
 
-## Quick Start
+For session cookie mode or the router, also install `cookie-parser`:
+
+```bash
+pnpm add cookie-parser
+```
+
+## Tech Stack
+
+| Technology | Version | Purpose |
+|---|---|---|
+| Node.js | >= 18 | Runtime (native fetch required) |
+| TypeScript | 5.9 | Type safety |
+| jsonwebtoken | 9 | JWT verification (runtime dependency) |
+| Express | 4.18+ / 5 | Peer dependency |
+| cookie-parser | 1.4+ | Optional peer dependency (session/router mode) |
+| tsup | 8 | Build tool (CJS + ESM bundles, two entry points) |
+| vitest | 4 | Testing framework |
+| size-limit | 12 | Bundle size budget (10KB per entry) |
+
+## Usage
+
+### Middleware (Authorization header mode)
 
 ```typescript
 import express from 'express';
@@ -18,186 +39,192 @@ import { dauth, IRequestDauth } from 'dauth-md-node';
 
 const app = express();
 
-// Apply DAuth middleware to protected routes
 const dauthMiddleware = dauth({
   domainName: 'your-domain-name',
   tsk: 'your-tenant-secret-key',
 });
 
 app.get('/api/protected', dauthMiddleware, (req, res) => {
-  // req.user is populated with the authenticated user object
-  res.json({ user: req.user });
+  res.json({ user: (req as IRequestDauth).user });
 });
+```
+
+### Middleware (session cookie mode)
+
+```typescript
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import { dauth } from 'dauth-md-node';
 
-app.listen(4000);
+const app = express();
+app.use(cookieParser());
+
+const dauthMiddleware = dauth({
+  domainName: 'your-domain-name',
+  tsk: 'your-tenant-secret-key',
+  session: {},
+});
+
+app.get('/api/protected', dauthMiddleware, (req, res) => {
+  res.json({ user: req.user });
+});
 ```
 
-## API
+### Router (session-based auth routes)
+
+```typescript
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import { dauthRouter } from 'dauth-md-node/router';
 
-### `dauth(options)`
+const app = express();
+app.use(express.json());
+app.use(cookieParser());
 
-Factory function that returns an Express middleware.
+app.use('/api/auth', dauthRouter({
+  domainName: 'your-domain-name',
+  tsk: 'your-tenant-secret-key',
+}));
+
+// Available routes:
+// POST /api/auth/exchange-code
+// GET  /api/auth/session
+// POST /api/auth/logout         (CSRF required)
+// PATCH /api/auth/user          (CSRF required)
+// DELETE /api/auth/user         (CSRF required)
+// GET  /api/auth/profile-redirect (CSRF required)
+```
 
-| Parameter | Type | Description |
-|---|---|---|
-| `domainName` | `string` | Your Dauth domain name (used for API routing) |
-| `tsk` | `string` | Tenant Secret Key for local JWT verification |
+## API Reference
 
-### Middleware Behavior
+### `dauth(options: DauthOptions)`
 
-1. Extracts the `Authorization` header from the request
-2. Verifies the JWT locally using the provided `tsk` (Tenant Secret Key)
-3. Fetches the full user object from the Dauth backend (`GET /app/:domainName/user`)
-4. Attaches the user to `req.user`
-5. Calls `next()` on success
+Returns an Express middleware.
 
-### Error Responses
+| Parameter | Type | Required | Default | Description |
+|---|---|---|---|---|
+| `domainName` | `string` | yes | - | Tenant identifier (used in API path) |
+| `tsk` | `string` | yes | - | Tenant Secret Key for JWT verification |
+| `cache` | `{ ttlMs: number }` | no | - | Enable in-memory user cache with TTL |
+| `session` | `SessionOptions` | no | - | Enable session cookie mode |
 
-| Scenario | Status | Response Status Field |
-|---|---|---|
-| Missing `Authorization` header | 403 | `token-not-found` |
-| JWT expired | 401 | `token-expired` |
-| Invalid JWT or bad TSK | 401 | `tsk-not-invalid` or `token-invalid` |
-| User not found in Dauth backend | 404 | `user-not-found` |
-| Dauth backend server error | 500 | `error` |
-| Other backend status | 501 | `request-error` |
+**SessionOptions:**
 
-### `req.user` Object
+| Parameter | Type | Default | Description |
+|---|---|---|---|
+| `cookieName` | `string` | `__Host-dauth-session` (prod) / `dauth-session` (dev) | Session cookie name |
+| `secure` | `boolean` | `true` (except `NODE_ENV=development`) | Cookie `Secure` flag |
+| `previousTsk` | `string` | - | Previous TSK for zero-downtime key rotation |
+| `sessionSalt` | `string` | built-in default | Custom HKDF salt (hex string) |
 
-When authentication succeeds, `req.user` contains:
+**Without `session`**: extracts `Authorization` header, verifies JWT with `tsk`, fetches user from dauth backend, attaches to `req.user`.
 
-```typescript
-interface IDauthUser {
-  _id: string;
-  name: string;
-  lastname: string;
-  nickname: string;
-  email: string;
-  isVerified: boolean;
-  language: string;
-  avatar: { id: string; url: string };
-  role: string;
-  telPrefix: string;
-  telSuffix: string;
-  createdAt: Date;
-  updatedAt: Date;
-  lastLogin: Date;
-}
-```
+**With `session`**: reads encrypted session cookie, decrypts with key derived from `tsk` (falls back to `previousTsk`), extracts access token, verifies JWT, fetches user, attaches to `req.user`.
 
-Both `IDauthUser` and `IRequestDauth` are exported from the package for type-safe usage in consumer code.
+### `dauthRouter(options: DauthRouterOptions)`
 
-## Real-World Integration Example
+Returns an Express Router. Requires `cookie-parser` middleware. Import from `dauth-md-node/router`.
 
-This is the pattern used in `easymediacloud-backend-node`, which delegates all user authentication to Dauth.
+| Parameter | Type | Default | Description |
+|---|---|---|---|
+| `domainName` | `string` | (required) | Tenant identifier |
+| `tsk` | `string` | (required) | Tenant Secret Key |
+| `dauthUrl` | `string` | auto-detected | Override dauth backend URL |
+| `cookieName` | `string` | `__Host-dauth-session` / `dauth-session` | Session cookie name |
+| `csrfCookieName` | `string` | `__Host-csrf` / `csrf-token` | CSRF cookie name |
+| `maxAge` | `number` | `2592000` (30 days) | Cookie max age in seconds |
+| `secure` | `boolean` | `true` (except dev) | Cookie `Secure` flag |
+| `previousTsk` | `string` | - | Previous TSK for key rotation |
+| `sessionSalt` | `string` | built-in default | Custom HKDF salt (hex string) |
 
-### 1. Initialize the middleware from environment variables
+**Router routes:**
 
-```typescript
-// src/middlewares/auth.middleware.ts
-import { dauth, IRequestDauth } from 'dauth-md-node';
-import config from '../config/config';
+| Method | Path | CSRF | Description |
+|---|---|---|---|
+| `POST` | `/exchange-code` | No | Exchange auth code for session, set cookies, return `{ user, domain, isNewUser }` |
+| `GET` | `/session` | No | Check session, auto-refresh if token expires within 5min, return `{ user, domain }` |
+| `POST` | `/logout` | Yes | Revoke refresh token (fire-and-forget), clear cookies |
+| `PATCH` | `/user` | Yes | Proxy user update to dauth backend with auto-refresh |
+| `DELETE` | `/user` | Yes | Delete user account, clear cookies |
+| `GET` | `/profile-redirect` | Yes | Generate profile code, return `{ redirectUrl }` |
 
-export const dauth_md = dauth({
-  tsk: config.dauth.TSK as string,
-  domainName: config.dauth.DOMAIN_NAME as string,
-});
-```
+CSRF uses the double-submit cookie pattern: `POST /exchange-code` sets a CSRF cookie (`httpOnly: false`), and subsequent state-changing requests must include the cookie value as the `x-csrf-token` header.
 
-Environment variables (`.env.development`):
-```
-DAUTH_TSK=your-tenant-secret-key
-DAUTH_DOMAIN_NAME=your-domain-name
-```
+### Exported types (from `dauth-md-node`)
 
-### 2. Build custom middleware chains on top
+- `IDauthUser` -- user object (name, email, avatar, role, language, authMethods, etc.)
+- `AuthMethodType` -- `'magic-link' | 'passkey'`
+- `IRequestDauth` -- extends Express `Request` with `user: IDauthUser`
+- `DauthOptions` -- middleware factory options
+- `SessionOptions` -- session cookie configuration
+- `UserCache` -- cache class (for direct usage/testing)
+- `CacheOptions` -- cache configuration type
 
-After `dauth_md` populates `req.user`, add your own guards:
+### Exported types (from `dauth-md-node/router`)
 
-```typescript
-// src/middlewares/auth.middleware.ts (continued)
-import { Response, NextFunction } from 'express';
-
-export const is_verified = async (req: IRequestDauth, res: Response, next: NextFunction) => {
-  if (req.user.isVerified === false) {
-    return res.status(401).send({ status: 'not-verified', message: 'Email not verified' });
-  }
-  next();
-};
-
-export const ensure_admin = async (req: IRequestDauth, res: Response, next: NextFunction) => {
-  if (req.user.isVerified === false) {
-    return res.status(401).send({ status: 'not-verified', message: 'Email not verified' });
-  }
-  if (req.user.role !== 'admin') {
-    return res.status(401).send({ status: 'not-admin', message: 'Admin role required' });
-  }
-  next();
-};
-```
+- `DauthRouterOptions` -- router factory options
 
-### 3. Apply middleware chains to routes
+### Environment detection
 
-```typescript
-// src/core/licenses/router/licenses.router.ts
-import { Router } from 'express';
-import { dauth_md, is_verified, ensure_admin } from '../../../middlewares/auth.middleware';
-import * as controller from '../controllers/licenses.controller';
+The middleware resolves the dauth backend URL in this order:
 
-const licenseApi = Router();
+1. `DAUTH_URL` environment variable
+2. `NODE_ENV=development` -> `http://localhost:4012/api/v1`
+3. Default -> `https://dauth.ovh/api/v1`
 
-licenseApi
-  .post('/create-license', [dauth_md, is_verified], controller.createLicense)
-  .get('/get-my-licenses', [dauth_md, is_verified], controller.getMyLicenses)
-  .patch('/enable-license/:licenseId', [dauth_md, ensure_admin], controller.enableLicense)
-  .delete('/delete-license/:licenseId', [dauth_md, is_verified], controller.deleteLicense);
+The router also accepts `dauthUrl` in options, which takes priority over the env var.
 
-export default licenseApi;
-```
+### Error responses (middleware)
 
-### 4. Access the user in controllers
+| Scenario | Status | Status Field |
+|---|---|---|
+| Missing `Authorization` header (header mode) | 403 | `token-not-found` |
+| Missing session cookie (session mode) | 401 | `no-session` |
+| Invalid/undecryptable session cookie | 401 | `session-invalid` |
+| JWT expired | 401 | `token-expired` |
+| Invalid JWT or bad TSK | 401 | `tsk-not-invalid` / `token-invalid` |
+| User not found | 404 | `user-not-found` |
+| Backend server error | 500 | `error` |
+| Other backend status | 501 | `request-error` |
 
-```typescript
-// src/core/licenses/controllers/licenses.controller.ts
-export const getMyLicenses = async (req: IRequestDauth, res: Response) => {
-  const userId = req.user._id;
-  const licenses = await License.find({ user: userId });
-  res.status(200).json({ status: 'success', data: licenses });
-};
-```
+## Scripts
 
-## Environment Detection
+| Script | Description |
+|---|---|
+| `pnpm start` | Watch mode (tsup --watch) |
+| `pnpm build` | Production build (CJS + ESM + types, two entry points) |
+| `pnpm test` | Run vitest tests (80 tests) |
+| `pnpm test:coverage` | Coverage report (v8, 70% threshold) |
+| `pnpm typecheck` | TypeScript type checking |
+| `pnpm size` | Check bundle size (10KB budget per entry) |
+| `pnpm format` | Prettier formatting |
 
-- **Development** (`NODE_ENV=development`): Routes API calls to `http://localhost:4012/api/v1`
-- **Production**: Routes API calls to `https://dauth.ovh/api/v1`
+## Testing
 
-## Development
+80 tests across 7 files using vitest 4 (node environment).
 
 ```bash
-pnpm start         # Watch mode (tsdx watch)
-pnpm build         # Production build (CJS + ESM)
-pnpm test          # Run Jest tests
-pnpm lint          # ESLint via tsdx
-pnpm size          # Check bundle size (10KB budget per entry)
-pnpm analyze       # Bundle size analysis with visualization
+pnpm test
+pnpm test:coverage
 ```
 
-### Bundle Outputs
+## Publishing
 
-- **CJS:** `dist/index.js` (with `.development.js` and `.production.min.js` variants)
-- **ESM:** `dist/dauth-md-node.esm.js`
-- **Types:** `dist/index.d.ts`
+Automated via GitHub Actions. Push a `v*` tag to trigger build, test, and `npm publish`.
 
-## Dependencies
+```bash
+# 1. Bump version in package.json
+# 2. Commit and tag
+git tag v4.0.1
+git push origin main --tags
+# 3. GitHub Actions publishes to npm automatically
+```
 
-- `express` >= 4
-- `jsonwebtoken` >= 9
-- `mongoose` >= 8
-- `node-fetch` ^2.6
+Requires `NPM_TOKEN` secret configured in the GitHub repo.
 
-## Author
+## Code Style
 
-David T. Pizarro Frick
+Prettier: 80 char width, single quotes, semicolons, trailing commas (es5), 2-space indent.
 
 ## License
 

package/dist/{chunk-4A7BR4EM.mjs → chunk-RKH7YKIR.mjs}

@@ -79,4 +79,4 @@ export {
   encryptSession,
   decryptSessionWithKeys
 };
-//# sourceMappingURL=chunk-4A7BR4EM.mjs.map
+//# sourceMappingURL=chunk-RKH7YKIR.mjs.map

package/dist/chunk-RKH7YKIR.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/api/utils/config.ts","../src/session.ts"],"sourcesContent":["export const apiVersion = 'v1';\nexport const serverDomain = 'dauth.ovh';\n\nexport function getServerBasePath(): string {\n  if (process.env.DAUTH_URL) {\n    const base = process.env.DAUTH_URL.replace(/\\/+$/, '');\n    return `${base}/api/${apiVersion}`;\n  }\n\n  const isLocalhost = process.env.NODE_ENV === 'development';\n  const serverPort = 4012;\n  const serverLocalUrl = `http://localhost:${serverPort}/api/${apiVersion}`;\n  const serverProdUrl = `https://${serverDomain}/api/${apiVersion}`;\n  return isLocalhost ? serverLocalUrl : serverProdUrl;\n}\n","import crypto from 'crypto';\n\nexport interface SessionPayload {\n  accessToken: string;\n  refreshToken: string;\n}\n\nconst INFO = 'dauth-cookie-enc-v1';\nconst DEFAULT_SALT = Buffer.from(\n  'a3f8c1d7e9b24f6081c5d3a7e2f49b0653d81f7a2e94c0b6d8f3a5e1c7b09d42',\n  'hex'\n);\n\nexport async function deriveEncryptionKey(\n  tsk: string,\n  salt?: string\n): Promise<Buffer> {\n  const saltBuf = salt ? Buffer.from(salt, 'hex') : DEFAULT_SALT;\n  return new Promise((resolve, reject) => {\n    crypto.hkdf(\n      'sha256',\n      Buffer.from(tsk),\n      saltBuf,\n      INFO,\n      32,\n      (err, derivedKey) => {\n        if (err) return reject(err);\n        resolve(Buffer.from(derivedKey));\n      }\n    );\n  });\n}\n\nexport function encryptSession(payload: SessionPayload, key: Buffer): string {\n  const nonce = crypto.randomBytes(12);\n  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);\n  const plaintext = JSON.stringify(payload);\n  const encrypted = Buffer.concat([\n    cipher.update(plaintext, 'utf8'),\n    cipher.final(),\n  ]);\n  const authTag = cipher.getAuthTag();\n  // Format: base64(nonce + ciphertext + authTag)\n  return Buffer.concat([nonce, encrypted, authTag]).toString('base64');\n}\n\nexport function decryptSession(\n  ciphertext: string,\n  key: Buffer\n): SessionPayload | null {\n  try {\n    const buf = Buffer.from(ciphertext, 'base64');\n    if (buf.length < 12 + 16) return null; // nonce(12) + authTag(16) minimum\n    const nonce = buf.subarray(0, 12);\n    const authTag = buf.subarray(buf.length - 16);\n    const encrypted = buf.subarray(12, buf.length - 16);\n    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);\n    decipher.setAuthTag(authTag);\n    const decrypted = Buffer.concat([\n      decipher.update(encrypted),\n      decipher.final(),\n    ]);\n    return JSON.parse(decrypted.toString('utf8')) as SessionPayload;\n  } catch {\n    return null;\n  }\n}\n\nexport function decryptSessionWithKeys(\n  ciphertext: string,\n  keys: Buffer[]\n): SessionPayload | null {\n  for (const key of keys) {\n    const result = decryptSession(ciphertext, key);\n    if (result) return result;\n  }\n  return null;\n}\n"],"mappings":";AAAO,IAAM,aAAa;AACnB,IAAM,eAAe;AAErB,SAAS,oBAA4B;AAC1C,MAAI,QAAQ,IAAI,WAAW;AACzB,UAAM,OAAO,QAAQ,IAAI,UAAU,QAAQ,QAAQ,EAAE;AACrD,WAAO,GAAG,IAAI,QAAQ,UAAU;AAAA,EAClC;AAEA,QAAM,cAAc,QAAQ,IAAI,aAAa;AAC7C,QAAM,aAAa;AACnB,QAAM,iBAAiB,oBAAoB,UAAU,QAAQ,UAAU;AACvE,QAAM,gBAAgB,WAAW,YAAY,QAAQ,UAAU;AAC/D,SAAO,cAAc,iBAAiB;AACxC;;;ACdA,OAAO,YAAY;AAOnB,IAAM,OAAO;AACb,IAAM,eAAe,OAAO;AAAA,EAC1B;AAAA,EACA;AACF;AAEA,eAAsB,oBACpB,KACA,MACiB;AACjB,QAAM,UAAU,OAAO,OAAO,KAAK,MAAM,KAAK,IAAI;AAClD,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,WAAO;AAAA,MACL;AAAA,MACA,OAAO,KAAK,GAAG;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA,CAAC,KAAK,eAAe;AACnB,YAAI,IAAK,QAAO,OAAO,GAAG;AAC1B,gBAAQ,OAAO,KAAK,UAAU,CAAC;AAAA,MACjC;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAEO,SAAS,eAAe,SAAyB,KAAqB;AAC3E,QAAM,QAAQ,OAAO,YAAY,EAAE;AACnC,QAAM,SAAS,OAAO,eAAe,eAAe,KAAK,KAAK;AAC9D,QAAM,YAAY,KAAK,UAAU,OAAO;AACxC,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACf,CAAC;AACD,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO,OAAO,OAAO,CAAC,OAAO,WAAW,OAAO,CAAC,EAAE,SAAS,QAAQ;AACrE;AAEO,SAAS,eACd,YACA,KACuB;AACvB,MAAI;AACF,UAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAC5C,QAAI,IAAI,SAAS,KAAK,GAAI,QAAO;AACjC,UAAM,QAAQ,IAAI,SAAS,GAAG,EAAE;AAChC,UAAM,UAAU,IAAI,SAAS,IAAI,SAAS,EAAE;AAC5C,UAAM,YAAY,IAAI,SAAS,IAAI,IAAI,SAAS,EAAE;AAClD,UAAM,WAAW,OAAO,iBAAiB,eAAe,KAAK,KAAK;AAClE,aAAS,WAAW,OAAO;AAC3B,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,SAAS,OAAO,SAAS;AAAA,MACzB,SAAS,MAAM;AAAA,IACjB,CAAC;AACD,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,uBACd,YACA,MACuB;AACvB,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,eAAe,YAAY,GAAG;AAC7C,QAAI,OAAQ,QAAO;AAAA,EACrB;AACA,SAAO;AACT;","names":[]}

package/dist/index.d.mts

@@ -1,5 +1,39 @@
 import { Request, Response, NextFunction } from 'express';
 
+interface TenantUser {
+    _id: string;
+    name: string;
+    lastname: string;
+    email: string;
+    avatar: {
+        id: string;
+        url: string;
+    };
+}
+interface TenantUserResponse {
+    response: {
+        status: number;
+    };
+    data: {
+        status?: string;
+        data?: TenantUser | null;
+        message?: string;
+    };
+}
+interface BatchUsersResponse {
+    response: {
+        status: number;
+    };
+    data: {
+        status?: string;
+        data?: TenantUser[];
+        message?: string;
+    };
+}
+declare function searchUserByEmail(token: string, domainName: string, email: string): Promise<TenantUserResponse>;
+declare function getUserById(token: string, domainName: string, userId: string): Promise<TenantUserResponse>;
+declare function batchGetUsers(token: string, domainName: string, userIds: string[]): Promise<BatchUsersResponse>;
+
 interface CacheOptions {
     ttlMs: number;
 }
@@ -39,6 +73,7 @@ interface IDauthUser {
 }
 interface IRequestDauth extends Request {
     user: IDauthUser;
+    dauthToken: string;
     files: {
         image: {
             path: string;
@@ -68,6 +103,6 @@ interface TCustomResponse extends Response {
     send(body?: unknown): this;
 }
 
-declare const dauth: ({ domainName, tsk, cache, session, }: DauthOptions) => (req: IRequestDauth, res: TCustomResponse, next: NextFunction) => Promise<void | TCustomResponse>;
+declare const dauth: ({ domainName, tsk, cache, session }: DauthOptions) => (req: IRequestDauth, res: TCustomResponse, next: NextFunction) => Promise<void | TCustomResponse>;
 
-export { type AuthMethodType, type CacheOptions, type DauthOptions, type IDauthUser, type IRequestDauth, type SessionOptions, UserCache, dauth };
+export { type AuthMethodType, type CacheOptions, type DauthOptions, type IDauthUser, type IRequestDauth, type SessionOptions, type TenantUser, UserCache, batchGetUsers, dauth, getUserById, searchUserByEmail };

package/dist/index.d.ts

@@ -1,5 +1,39 @@
 import { Request, Response, NextFunction } from 'express';
 
+interface TenantUser {
+    _id: string;
+    name: string;
+    lastname: string;
+    email: string;
+    avatar: {
+        id: string;
+        url: string;
+    };
+}
+interface TenantUserResponse {
+    response: {
+        status: number;
+    };
+    data: {
+        status?: string;
+        data?: TenantUser | null;
+        message?: string;
+    };
+}
+interface BatchUsersResponse {
+    response: {
+        status: number;
+    };
+    data: {
+        status?: string;
+        data?: TenantUser[];
+        message?: string;
+    };
+}
+declare function searchUserByEmail(token: string, domainName: string, email: string): Promise<TenantUserResponse>;
+declare function getUserById(token: string, domainName: string, userId: string): Promise<TenantUserResponse>;
+declare function batchGetUsers(token: string, domainName: string, userIds: string[]): Promise<BatchUsersResponse>;
+
 interface CacheOptions {
     ttlMs: number;
 }
@@ -39,6 +73,7 @@ interface IDauthUser {
 }
 interface IRequestDauth extends Request {
     user: IDauthUser;
+    dauthToken: string;
     files: {
         image: {
             path: string;
@@ -68,6 +103,6 @@ interface TCustomResponse extends Response {
     send(body?: unknown): this;
 }
 
-declare const dauth: ({ domainName, tsk, cache, session, }: DauthOptions) => (req: IRequestDauth, res: TCustomResponse, next: NextFunction) => Promise<void | TCustomResponse>;
+declare const dauth: ({ domainName, tsk, cache, session }: DauthOptions) => (req: IRequestDauth, res: TCustomResponse, next: NextFunction) => Promise<void | TCustomResponse>;
 
-export { type AuthMethodType, type CacheOptions, type DauthOptions, type IDauthUser, type IRequestDauth, type SessionOptions, UserCache, dauth };
+export { type AuthMethodType, type CacheOptions, type DauthOptions, type IDauthUser, type IRequestDauth, type SessionOptions, type TenantUser, UserCache, batchGetUsers, dauth, getUserById, searchUserByEmail };

package/dist/index.js

@@ -31,7 +31,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   UserCache: () => UserCache,
-  dauth: () => dauth
+  batchGetUsers: () => batchGetUsers,
+  dauth: () => dauth,
+  getUserById: () => getUserById,
+  searchUserByEmail: () => searchUserByEmail
 });
 module.exports = __toCommonJS(index_exports);
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
@@ -66,6 +69,50 @@ async function getUser(token, domainName) {
   const data = await response.json();
   return { response: { status: response.status }, data };
 }
+async function searchUserByEmail(token, domainName, email) {
+  const params = new URLSearchParams({ email });
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/search?${params}`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: token,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+  const data = await response.json();
+  return { response: { status: response.status }, data };
+}
+async function getUserById(token, domainName, userId) {
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/${userId}`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: token,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+  const data = await response.json();
+  return { response: { status: response.status }, data };
+}
+async function batchGetUsers(token, domainName, userIds) {
+  const response = await fetch(
+    `${getServerBasePath()}/app/${domainName}/users/batch`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: token,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ userIds })
+    }
+  );
+  const data = await response.json();
+  return { response: { status: response.status }, data };
+}
 
 // src/cache.ts
 var UserCache = class {
@@ -152,27 +199,17 @@ function decryptSessionWithKeys(ciphertext, keys) {
 }
 
 // src/index.ts
-var dauth = ({
-  domainName,
-  tsk,
-  cache,
-  session
-}) => {
+var dauth = ({ domainName, tsk, cache, session }) => {
   const userCache = cache ? new UserCache(cache) : null;
   let keysPromise = null;
   async function getEncKeys() {
     if (!keysPromise) {
       keysPromise = (async () => {
         const keys = [];
-        keys.push(
-          await deriveEncryptionKey(tsk, session?.sessionSalt)
-        );
+        keys.push(await deriveEncryptionKey(tsk, session?.sessionSalt));
         if (session?.previousTsk) {
           keys.push(
-            await deriveEncryptionKey(
-              session.previousTsk,
-              session.sessionSalt
-            )
+            await deriveEncryptionKey(session.previousTsk, session.sessionSalt)
           );
         }
         return keys;
@@ -229,6 +266,7 @@ var dauth = ({
       }
       return res.status(401).send({ status: "token-invalid", message });
     }
+    req.dauthToken = token;
     if (userCache) {
       const cachedUser = userCache.get(token);
       if (cachedUser) {
@@ -270,6 +308,9 @@ var dauth = ({
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   UserCache,
-  dauth
+  batchGetUsers,
+  dauth,
+  getUserById,
+  searchUserByEmail
 });
 //# sourceMappingURL=index.js.map