npm - ideal-auth - Versions diffs - 0.6.1 → 0.7.0 - Mend

ideal-auth 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +0 -12
package/dist/auth-instance.d.ts +1 -1
package/dist/auth.d.ts +6 -7
package/dist/auth.js +5 -6
package/dist/types.d.ts +3 -3
package/package.json +1 -1
package/skills/ideal-auth/SKILL.md +28 -38

package/README.md CHANGED Viewed

@@ -552,18 +552,6 @@ cookie: {
 Zero framework imports. Works in Node, Bun, Deno, and edge runtimes.
-## Claude Code
-If you use [Claude Code](https://claude.com/claude-code), install the ideal-auth plugin so your AI assistant knows the full API, cookie bridge patterns, security best practices, and implementation guides:
-```bash
-claude plugin install github:ramonmalcolm10/ideal-auth
-```
-After installing, Claude Code will automatically help with auth setup, login/registration flows, middleware, 2FA, password reset, rate limiting, and more — using the correct patterns for your framework.
----
 ## Support
 If this saved you time, consider supporting the project:

package/dist/auth-instance.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ interface AuthInstanceDeps<TUser extends AnyUser> {
     rememberMaxAge: number;
     cookieOptions: ConfigurableCookieOptions;
     resolveUser?: (id: string) => Promise<TUser | null | undefined>;
-    sessionFields?: readonly (keyof TUser & string)[];
+    sessionFields?: (keyof TUser & string)[];
     hash?: HashInstance;
     resolveUserByCredentials?: (credentials: Record<string, any>) => Promise<AnyUser | null | undefined>;
     credentialKey: string;

package/dist/auth.d.ts CHANGED Viewed

@@ -2,12 +2,11 @@ import type { AnyUser, AuthInstance, AuthConfig } from './types';
 /**
  * Create an auth factory.
  *
- * @example
- * // resolveUser — user() returns SafeUser
- * createAuth<SafeUser>({ resolveUser: ... })
+ * `TUser` is the session user type — what `user()` returns.
+ * Do not include sensitive fields like password in this type.
  *
- * // sessionFields — user() returns Pick<DbUser, 'id' | 'email' | 'name'>
- * const sessionFields = ['email', 'name'] as const;
- * createAuth<DbUser, (typeof sessionFields)[number]>({ sessionFields, ... })
+ * @example
+ * type SessionUser = { id: string; email: string; name: string };
+ * createAuth<SessionUser>({ ... })
  */
-export declare function createAuth<TUser extends AnyUser, K extends keyof TUser & string = keyof TUser & string>(config: AuthConfig<TUser>): () => AuthInstance<TUser, Pick<TUser, 'id' | K>>;
+export declare function createAuth<TUser extends AnyUser>(config: AuthConfig<TUser>): () => AuthInstance<TUser>;

package/dist/auth.js CHANGED Viewed

@@ -7,13 +7,12 @@ const SESSION_DEFAULTS = {
 /**
  * Create an auth factory.
  *
- * @example
- * // resolveUser — user() returns SafeUser
- * createAuth<SafeUser>({ resolveUser: ... })
+ * `TUser` is the session user type — what `user()` returns.
+ * Do not include sensitive fields like password in this type.
  *
- * // sessionFields — user() returns Pick<DbUser, 'id' | 'email' | 'name'>
- * const sessionFields = ['email', 'name'] as const;
- * createAuth<DbUser, (typeof sessionFields)[number]>({ sessionFields, ... })
+ * @example
+ * type SessionUser = { id: string; email: string; name: string };
+ * createAuth<SessionUser>({ ... })
  */
 export function createAuth(config) {
     if (!config.secret || config.secret.length < 32) {

package/dist/types.d.ts CHANGED Viewed

@@ -72,19 +72,19 @@ export interface AuthConfigWithResolveUser<TUser extends AnyUser> extends AuthCo
 export interface AuthConfigWithSessionFields<TUser extends AnyUser, K extends keyof TUser & string = keyof TUser & string> extends AuthConfigBase<TUser> {
     /** Cannot use `resolveUser` together with `sessionFields`. */
     resolveUser?: never;
-    sessionFields: readonly K[];
+    sessionFields: K[];
 }
 export type AuthConfig<TUser extends AnyUser = AnyUser> = AuthConfigWithResolveUser<TUser> | AuthConfigWithSessionFields<TUser>;
 export interface HashConfig {
     rounds?: number;
 }
-export interface AuthInstance<TUser extends AnyUser = AnyUser, TSessionUser = TUser> {
+export interface AuthInstance<TUser extends AnyUser = AnyUser> {
     login(user: TUser, options?: LoginOptions): Promise<void>;
     loginById(id: string, options?: LoginOptions): Promise<void>;
     attempt(credentials: Record<string, any>, options?: LoginOptions): Promise<boolean>;
     logout(): Promise<void>;
     check(): Promise<boolean>;
-    user(): Promise<TSessionUser | null>;
+    user(): Promise<TUser | null>;
     id(): Promise<string | null>;
 }
 export interface HashInstance {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ideal-auth",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "Auth primitives for the JS ecosystem. Zero framework dependencies.",
   "scripts": {
     "build": "tsc",

package/skills/ideal-auth/SKILL.md CHANGED Viewed

@@ -71,33 +71,28 @@ Returns a factory function. Call `auth()` per request to get an `AuthInstance` s
 #### AuthConfig
 ```typescript
-// Session mode — provide exactly ONE of resolveUser or sessionFields
-// TypeScript will error if you provide both or neither
-// resolveUser mode: TUser is the safe type returned by resolveUser and user()
-type AuthConfigWithResolveUser<TUser> = {
-  secret: string;
-  cookie: CookieBridge;
-  resolveUser: (id: string) => Promise<TUser | null | undefined>;
-  sessionFields?: never;
-  // resolveUserByCredentials can return any shape — only needs id + passwordField
-  resolveUserByCredentials?: (credentials: Record<string, any>) => Promise<AnyUser | null | undefined>;
-  hash?: HashInstance;
-  attemptUser?: (credentials: Record<string, any>) => Promise<TUser | null | undefined>;
-  // ...session options
-};
-// sessionFields mode: user() returns Pick<TUser, 'id' | K>
-type AuthConfigWithSessionFields<TUser, K extends keyof TUser> = {
-  secret: string;
-  cookie: CookieBridge;
-  resolveUser?: never;
-  sessionFields: K[];
-  resolveUserByCredentials?: (credentials: Record<string, any>) => Promise<AnyUser | null | undefined>;
-  hash?: HashInstance;
-  attemptUser?: (credentials: Record<string, any>) => Promise<TUser | null | undefined>;
-  // ...session options
-};
+// TUser = session user type — what user() returns. Do not include password.
+// Provide exactly ONE of resolveUser or sessionFields.
+// TypeScript will error if you provide both or neither.
+type AuthConfig<TUser> =
+  | {
+      resolveUser: (id: string) => Promise<TUser | null | undefined>;
+      sessionFields?: never;
+      // resolveUserByCredentials can return any shape — only needs id + passwordField
+      resolveUserByCredentials?: (credentials: Record<string, any>) => Promise<AnyUser | null | undefined>;
+      hash?: HashInstance;
+      attemptUser?: (credentials: Record<string, any>) => Promise<TUser | null | undefined>;
+      // ...session, secret, cookie
+    }
+  | {
+      resolveUser?: never;
+      sessionFields: (keyof TUser & string)[];
+      resolveUserByCredentials?: (credentials: Record<string, any>) => Promise<AnyUser | null | undefined>;
+      hash?: HashInstance;
+      attemptUser?: (credentials: Record<string, any>) => Promise<TUser | null | undefined>;
+      // ...session, secret, cookie
+    };
 ```
 #### Session Modes
@@ -124,29 +119,24 @@ const auth = createAuth<SafeUser>({
 const user = await auth().user(); // Type: SafeUser | null
 ```
-**Cookie-backed (`sessionFields`):** Cookie stores user ID + declared fields. `user()` returns `Pick<TUser, 'id' | K>` — password excluded from the type.
-Define fields once as `const` and derive the type with `(typeof sessionFields)[number]`:
+**Cookie-backed (`sessionFields`):** Cookie stores user ID + declared fields. `user()` returns `TUser | null`. Since `TUser` should not include password, the type is already safe.
 ```typescript
-type DbUser = { id: string; email: string; name: string; role: string; password: string };
-const sessionFields = ['email', 'name', 'role'] as const;
+type SessionUser = { id: string; email: string; name: string; role: string }; // no password
-const auth = createAuth<DbUser, (typeof sessionFields)[number]>({
+const auth = createAuth<SessionUser>({
   secret: process.env.IDEAL_AUTH_SECRET!,
   cookie: createCookieBridge(),
-  sessionFields,
+  sessionFields: ['email', 'name', 'role'],
   resolveUserByCredentials: async (creds) => db.user.findFirst({ where: { email: creds.email } }),
   hash,
 });
-const user = await auth().user(); // Type: Pick<DbUser, 'id' | 'email' | 'name' | 'role'> | null
+const user = await auth().user(); // Type: SessionUser | null
 ```
 Key rules:
+- `TUser` is the session user type — what `user()` returns. Do not include password.
 - Provide exactly one of `resolveUser` or `sessionFields` — TypeScript errors if both or neither
-- `resolveUser` mode: `TUser` is the safe type. Only select non-sensitive fields in your query
-- `sessionFields` mode: `user()` type is `Pick<TUser, 'id' | ...fields>` — password excluded automatically
 - `resolveUserByCredentials` returns `AnyUser` — doesn't need to match `TUser`, only needs `id` + password field
 - Password is stripped from the cached user after `attempt()` — even same-request `user()` won't expose it
 - Cookie limit is ~4KB — store basic fields only