fastify-authz 0.1.3

package/README.md

@@ -0,0 +1,37 @@
+# fastify-authz
+
+Fastify plugin for **JWT verification** and **Prisma-backed RBAC authorization**.
+
+## Install
+
+```bash
+npm install fastify-authz
+```
+
+## Usage
+
+```ts
+import Fastify from "fastify";
+import fastifyAuthz from "fastify-authz";
+import { PrismaClient } from "@prisma/client";
+
+const prisma = new PrismaClient();
+const app = Fastify();
+
+app.register(fastifyAuthz, {
+  prisma,
+  jwt: {
+    secret: process.env.JWT_ACCESS_SECRET!,
+    issuer: process.env.JWT_ISSUER!,
+    audience: process.env.JWT_AUDIENCE!,
+  },
+});
+
+app.get("/roles", {
+  preHandler: [app.auth.verify, app.auth.requirePermission(["IAM_READ"])],
+}, async () => {
+  return await prisma.role.findMany();
+});
+
+app.listen({ port: 3000 });
+```

package/dist/index.d.ts

@@ -0,0 +1,31 @@
+import { FastifyPluginAsync, FastifyReply } from "fastify";
+declare module "@fastify/request-context" {
+    interface RequestContextData {
+        user?: {
+            id: string;
+        };
+    }
+}
+export type FastifyAuthzOptions = {
+    prisma: unknown;
+    jwt: {
+        secret: string;
+        issuer: string;
+        audience: string;
+    };
+};
+declare module "fastify" {
+    interface FastifyRequest {
+        user?: {
+            id: string;
+        };
+    }
+    interface FastifyInstance {
+        auth: {
+            verify: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+            requirePermission: (perms: string[]) => (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+        };
+    }
+}
+declare const _default: FastifyPluginAsync<FastifyAuthzOptions>;
+export default _default;

package/dist/index.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
+const verify_1 = require("./verify");
+const permissions_1 = require("./permissions");
+const request_context_1 = require("@fastify/request-context");
+const plugin = async (fastify, opts) => {
+    const { prisma, jwt } = opts;
+    const verify = async (request, reply) => {
+        try {
+            const header = request.headers["authorization"];
+            if (!header?.startsWith("Bearer ")) {
+                reply.code(401).send({ message: "Missing Authorization header" });
+                return;
+            }
+            const token = header.slice("Bearer ".length).trim();
+            const claims = (0, verify_1.verifyJwt)(token, jwt.secret, jwt.issuer, jwt.audience);
+            if (claims.type !== "access") {
+                reply.code(401).send({ message: "Invalid token type" });
+                return;
+            }
+            const user = { id: claims.sub };
+            request.user = user;
+            request_context_1.requestContext.set("user", user);
+        }
+        catch (err) {
+            request.log.error({ err }, "Token verification failed");
+            reply.code(401).send({ message: "Invalid token" });
+            return;
+        }
+    };
+    const requirePermission = (0, permissions_1.requirePermissionFactory)(prisma);
+    fastify.decorate("auth", { verify, requirePermission });
+};
+exports.default = (0, fastify_plugin_1.default)(plugin, { name: "fastify-authz" });

package/dist/permissions.d.ts

@@ -0,0 +1,2 @@
+import { FastifyRequest, FastifyReply } from "fastify";
+export declare function requirePermissionFactory(prisma: any): (perms: string[]) => (request: FastifyRequest, reply: FastifyReply) => Promise<void>;

package/dist/permissions.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requirePermissionFactory = requirePermissionFactory;
+function requirePermissionFactory(prisma) {
+    return (perms) => {
+        return async (request, reply) => {
+            const userId = request.user?.id;
+            if (!userId) {
+                reply.code(401).send({ message: "Unauthorized" });
+                return;
+            }
+            const userPerms = await prisma.userRole.findMany({
+                where: { userId },
+                include: {
+                    role: {
+                        include: { permissions: { include: { permission: true } } },
+                    },
+                },
+            });
+            const allPerms = new Set();
+            userPerms.forEach((ur) => ur.role?.permissions?.forEach((rp) => allPerms.add(rp.permission.code)));
+            if (allPerms.has("SUPERADMIN"))
+                return;
+            const allowed = perms.some((p) => allPerms.has(p));
+            if (!allowed) {
+                reply.code(403).send({ message: "Forbidden: missing permission" });
+            }
+        };
+    };
+}

package/dist/verify.d.ts

@@ -0,0 +1,7 @@
+type Claims = {
+    sub: string;
+    jti: string;
+    type: "access" | "refresh";
+};
+export declare function verifyJwt(token: string, secret: string, issuer: string, audience: string): Claims;
+export {};

package/dist/verify.js

@@ -0,0 +1,10 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyJwt = verifyJwt;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+function verifyJwt(token, secret, issuer, audience) {
+    return jsonwebtoken_1.default.verify(token, secret, { issuer, audience });
+}

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "fastify-authz",
+  "version": "0.1.3",
+  "description": "Fastify plugin for JWT verification and Prisma-based RBAC authorization",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc -w"
+  },
+  "peerDependencies": {
+    "@prisma/client": "^5.0.0",
+    "fastify": "^5.0.0"
+  },
+  "dependencies": {
+    "@fastify/request-context": "^6.2.1",
+    "fastify-plugin": "^4.0.0",
+    "jsonwebtoken": "^9.0.0"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.10",
+    "typescript": "^5.4.0"
+  },
+  "license": "MIT"
+}

package/src/index.ts

@@ -0,0 +1,73 @@
+// src/index.ts
+import { FastifyPluginAsync, FastifyRequest, FastifyReply } from "fastify";
+import fp from "fastify-plugin";
+import { verifyJwt } from "./verify";
+import { requirePermissionFactory } from "./permissions";
+import { requestContext } from "@fastify/request-context";
+
+// Augment request-context so requestContext.set("user", ...) is typed
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    user?: { id: string };
+  }
+}
+
+export type FastifyAuthzOptions = {
+  prisma: unknown; // expects a PrismaClient-like instance
+  jwt: {
+    secret: string;
+    issuer: string;
+    audience: string;
+  };
+};
+
+declare module "fastify" {
+  interface FastifyRequest {
+    user?: { id: string };
+  }
+
+  interface FastifyInstance {
+    auth: {
+      verify: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+      requirePermission: (
+        perms: string[]
+      ) => (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    };
+  }
+}
+
+const plugin: FastifyPluginAsync<FastifyAuthzOptions> = async (fastify, opts) => {
+  const { prisma, jwt } = opts;
+
+  const verify = async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const header = request.headers["authorization"];
+      if (!header?.startsWith("Bearer ")) {
+        reply.code(401).send({ message: "Missing Authorization header" });
+        return;
+      }
+
+      const token = header.slice("Bearer ".length).trim();
+      const claims = verifyJwt(token, jwt.secret, jwt.issuer, jwt.audience);
+
+      if (claims.type !== "access") {
+        reply.code(401).send({ message: "Invalid token type" });
+        return;
+      }
+
+      const user = { id: claims.sub };
+      request.user = user;
+      requestContext.set("user", user);
+    } catch (err) {
+      request.log.error({ err }, "Token verification failed");
+      reply.code(401).send({ message: "Invalid token" });
+      return;
+    }
+  };
+
+  const requirePermission = requirePermissionFactory(prisma);
+
+  fastify.decorate("auth", { verify, requirePermission });
+};
+
+export default fp(plugin, { name: "fastify-authz" });

package/src/permissions.ts

@@ -0,0 +1,35 @@
+import { FastifyRequest, FastifyReply } from "fastify";
+
+export function requirePermissionFactory(prisma: any) {
+  return (perms: string[]) => {
+    return async (request: FastifyRequest, reply: FastifyReply) => {
+      const userId = request.user?.id;
+      if (!userId) {
+        reply.code(401).send({ message: "Unauthorized" });
+        return;
+      }
+
+      const userPerms = await prisma.userRole.findMany({
+        where: { userId },
+        include: {
+          role: {
+            include: { permissions: { include: { permission: true } } },
+          },
+        },
+      });
+
+      const allPerms = new Set<string>();
+      userPerms.forEach((ur: any) =>
+        ur.role?.permissions?.forEach((rp: any) =>
+          allPerms.add(rp.permission.code)
+        )
+      );
+
+      if (allPerms.has("SUPERADMIN")) return;
+      const allowed = perms.some((p) => allPerms.has(p));
+      if (!allowed) {
+        reply.code(403).send({ message: "Forbidden: missing permission" });
+      }
+    };
+  };
+}

package/src/verify.ts

@@ -0,0 +1,16 @@
+import jwt from "jsonwebtoken";
+
+type Claims = {
+  sub: string;
+  jti: string;
+  type: "access" | "refresh";
+};
+
+export function verifyJwt(
+  token: string,
+  secret: string,
+  issuer: string,
+  audience: string
+): Claims {
+  return jwt.verify(token, secret, { issuer, audience }) as Claims;
+}

package/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "CommonJS",
+    "declaration": true,
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true
+  },
+  "include": [
+    "src"
+  ]
+}