jcc-express-mvc 1.8.8 → 1.8.9

package/index.d.ts

@@ -12,25 +12,28 @@ export {
   verifyHash,
   jwtSign,
   jwtVerify,
+  jwtTokenType,
+  assertProductionJwtSecret,
   saveImage,
   asyncHandler,
   cloudinaryUpload,
   rootPath,
 } from "./lib/util";
+export { loginRateLimit, registerRateLimit } from "./lib/Auth/loginRateLimit";
 export declare const guest: (
   req: import("./lib/Interface").AppRequest,
   res: import("./lib/Interface").AppResponse,
-  next: import("./lib/Interface").AppNext
+  next: import("./lib/Interface").AppNext,
 ) => any;
 export declare const apiAuth: (
   req: import("./lib/Interface").AppRequest,
   res: import("./lib/Interface").AppResponse,
-  next: import("./lib/Interface").AppNext
+  next: import("./lib/Interface").AppNext,
 ) => Promise<import("./lib/Interface").AppResponse | undefined>;
 export declare const auth: (
   req: import("./lib/Interface").AppRequest,
   res: import("./lib/Interface").AppResponse,
-  next: import("./lib/Interface").AppNext
+  next: import("./lib/Interface").AppNext,
 ) => Promise<void>;
 export declare const httpContext: AppHttpContext;
 //# sourceMappingURL=index.d.ts.map

package/index.js

@@ -1,13 +1,18 @@
 "use strict";
+
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.httpContext =
   exports.auth =
   exports.apiAuth =
   exports.guest =
+  exports.registerRateLimit =
+  exports.loginRateLimit =
   exports.rootPath =
   exports.cloudinaryUpload =
   exports.asyncHandler =
   exports.saveImage =
+  exports.assertProductionJwtSecret =
+  exports.jwtTokenType =
   exports.jwtVerify =
   exports.jwtSign =
   exports.verifyHash =
@@ -55,6 +60,18 @@ Object.defineProperty(exports, "jwtVerify", {
     return util_1.jwtVerify;
   },
 });
+Object.defineProperty(exports, "jwtTokenType", {
+  enumerable: true,
+  get: function () {
+    return util_1.jwtTokenType;
+  },
+});
+Object.defineProperty(exports, "assertProductionJwtSecret", {
+  enumerable: true,
+  get: function () {
+    return util_1.assertProductionJwtSecret;
+  },
+});
 Object.defineProperty(exports, "saveImage", {
   enumerable: true,
   get: function () {
@@ -79,6 +96,19 @@ Object.defineProperty(exports, "rootPath", {
     return util_1.rootPath;
   },
 });
+var loginRateLimit_1 = require("./lib/Auth/loginRateLimit");
+Object.defineProperty(exports, "loginRateLimit", {
+  enumerable: true,
+  get: function () {
+    return loginRateLimit_1.loginRateLimit;
+  },
+});
+Object.defineProperty(exports, "registerRateLimit", {
+  enumerable: true,
+  get: function () {
+    return loginRateLimit_1.registerRateLimit;
+  },
+});
 exports.guest = AuthMiddleware_1.authMiddleware.guest;
 exports.apiAuth = AuthMiddleware_1.authMiddleware.apiAuth;
 exports.auth = AuthMiddleware_1.authMiddleware.auth;

package/lib/Auth/AuthMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthMiddleware.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/AuthMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAIhE,cAAM,cAAc;IAClB,qCAAqC;IACxB,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAuBxD,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAuB3D,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;CAgB9D;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC"}
+{"version":3,"file":"AuthMiddleware.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/AuthMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAyBhE,cAAM,cAAc;IAClB,qCAAqC;IACxB,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IA+BxD,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAiC3D,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;CAgB9D;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC"}

package/lib/Auth/AuthMiddleware.js

@@ -4,6 +4,18 @@ exports.authMiddleware = void 0;
 const Config_1 = require("../Config/Config");
 const util_1 = require("../util");
 const { User } = (0, util_1.getModel)("User");
+const authCookieClear = () => ({
+    path: "/",
+    httpOnly: true,
+    secure: Config_1.config.get("APP_ENV") === "production",
+    sameSite: "lax",
+});
+function accessTokenRejected(payload) {
+    if (Config_1.config.get("JWT_REQUIRE_TYPED_TOKENS", "").toLowerCase() !== "true") {
+        return false;
+    }
+    return (0, util_1.jwtTokenType)(payload) === "legacy";
+}
 class AuthMiddleware {
     /** Middleware: API authentication */
     async apiAuth(req, res, next) {
@@ -11,14 +23,22 @@ class AuthMiddleware {
         if (!token)
             return res.status(401).json({ message: "Not authorized" });
         try {
-            const id = (0, util_1.jwtVerify)(token);
-            const user = Config_1.config.get("DB_ORM") === "mongodb"
+            const payload = (0, util_1.jwtVerify)(token);
+            if ((0, util_1.jwtTokenType)(payload) === "refresh") {
+                return res.status(401).json({ message: "Not authorized" });
+            }
+            if (accessTokenRejected(payload)) {
+                return res.status(401).json({ message: "Not authorized" });
+            }
+            const id = (0, util_1.jwtSubjectId)(payload);
+            const user = Config_1.config.get("DB_ORM") === "mongodb" ||
+                Config_1.config.get("DB_ORM") === "mongoose"
                 ? await User.findById(id)
                 : await User.where("id", id).first();
             if (!user)
                 return res.status(401).json({ message: "Not authorized" });
             req.user = user;
-            req.id = id;
+            req.id = String(id);
             next();
         }
         catch (err) {
@@ -31,10 +51,21 @@ class AuthMiddleware {
             return res.redirect(`/login?redirect=${req.url || "/"}`);
         try {
             const payload = (0, util_1.jwtVerify)(token);
-            const user = await (0, util_1.findUserById)(User, payload.id);
+            if ((0, util_1.jwtTokenType)(payload) === "refresh") {
+                res.clearCookie("auth_token", authCookieClear());
+                res.clearCookie("refresh_token", authCookieClear());
+                return res.redirect(`/login?redirect=${req.url || "/"}`);
+            }
+            if (accessTokenRejected(payload)) {
+                res.clearCookie("auth_token", authCookieClear());
+                res.clearCookie("refresh_token", authCookieClear());
+                return res.redirect(`/login?redirect=${req.url || "/"}`);
+            }
+            const id = (0, util_1.jwtSubjectId)(payload);
+            const user = await (0, util_1.findUserById)(User, id);
             if (!user) {
-                res.clearCookie("auth_token");
-                res.clearCookie("refresh_token");
+                res.clearCookie("auth_token", authCookieClear());
+                res.clearCookie("refresh_token", authCookieClear());
                 return res.redirect(`/login?redirect=${req.url || "/"}`);
             }
             req.user = user;
@@ -42,8 +73,8 @@ class AuthMiddleware {
             next();
         }
         catch (err) {
-            res.clearCookie("auth_token");
-            res.clearCookie("refresh_token");
+            res.clearCookie("auth_token", authCookieClear());
+            res.clearCookie("refresh_token", authCookieClear());
             return res.redirect(`/login?redirect=${req.url || "/"}`);
         }
     }
@@ -55,8 +86,8 @@ class AuthMiddleware {
                     return res.redirect(303, req.previousUrls[1]);
                 }
                 else {
-                    res.clearCookie("auth_token");
-                    res.clearCookie("refresh_token");
+                    res.clearCookie("auth_token", authCookieClear());
+                    res.clearCookie("refresh_token", authCookieClear());
                     return res.redirect(303, req.url);
                 }
             }

package/lib/Auth/index.d.ts

@@ -1,13 +1,17 @@
 import { AppRequest, AppResponse, AppNext } from "../Interface";
+import { type IRefreshTokenStore } from "./refreshTokenStore";
 export declare class Authentication {
+    private static refreshStore;
+    /** Use a shared store (e.g. Redis) when running multiple app instances. */
+    static setRefreshTokenStore(store: IRefreshTokenStore): void;
     /** Get user lookup field (email, phone, username) */
     private static getCredentials;
     /** Fetch user from DB (MongoDB, Sequelize, or JCC ORM) */
     private static getUser;
-    /** Generate and attach tokens to cookies */
+    /** Generate and attach tokens to cookies (refresh is rotated server-side via `jti`). */
     private static setTokens;
     /** Handle user login attempt */
-    static attempt: (req: AppRequest, res: AppResponse, next: AppNext, redirect?: string) => Promise<void | AppResponse>;
+    static attempt: (next: AppNext, redirect?: string) => Promise<void | AppResponse>;
     /** Refresh token middleware */
     static refreshToken(req: AppRequest, res: AppResponse, next: AppNext): Promise<AppResponse | undefined>;
     /** Logout handler */

package/lib/Auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAehE,qBAAa,cAAc;IACzB,qDAAqD;IACrD,OAAO,CAAC,MAAM,CAAC,cAAc;IAc7B,0DAA0D;mBACrC,OAAO;IAoB5B,4CAA4C;IAC5C,OAAO,CAAC,MAAM,CAAC,SAAS;IAuBxB,gCAAgC;IAChC,MAAM,CAAC,OAAO,GACZ,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,MAAM,OAAO,EACb,WAAU,MAAgB,iCAuB1B;IAEF,+BAA+B;WAClB,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAmB1E,qBAAqB;IACrB,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW;CAKhD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAchE,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AA0C7B,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAC,YAAY,CAAgD;IAE3E,2EAA2E;IAC3E,MAAM,CAAC,oBAAoB,CAAC,KAAK,EAAE,kBAAkB,GAAG,IAAI;IAI5D,qDAAqD;IACrD,OAAO,CAAC,MAAM,CAAC,cAAc;IAc7B,0DAA0D;mBACrC,OAAO;IAoB5B,wFAAwF;IACxF,OAAO,CAAC,MAAM,CAAC,SAAS;IA0BxB,gCAAgC;IAChC,MAAM,CAAC,OAAO,GAGZ,MAAM,OAAO,EACb,WAAU,MAAgB,iCAgC1B;IAEF,+BAA+B;WAClB,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAqC1E,qBAAqB;IACrB,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW;CAmBhD"}

package/lib/Auth/index.js

@@ -6,8 +6,45 @@ const util_1 = require("../util");
 const Config_1 = require("../Config/Config");
 const ValidationException_v2_1 = require("../Error/ValidationException-v2");
 const Jcc_eloquent_1 = require("../Jcc-eloquent");
+const refreshTokenStore_1 = require("./refreshTokenStore");
 const { User } = (0, util_1.getModel)("User");
+const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+const ACCESS_MAX_AGE_MS = 60 * 60 * 1000;
+function authCookieBase() {
+    return {
+        httpOnly: true,
+        secure: Config_1.config.get("APP_ENV") === "production",
+        sameSite: "lax",
+        path: "/",
+    };
+}
+function clearAuthCookies(res) {
+    const base = authCookieBase();
+    res.clearCookie("auth_token", base);
+    res.clearCookie("refresh_token", base);
+}
+/** Avoid open redirects: only same-origin relative paths. */
+function safeInternalRedirect(url, fallback) {
+    if (!url || typeof url !== "string")
+        return fallback;
+    const t = url.trim();
+    if (t.startsWith("/") && !t.startsWith("//") && !t.includes("\\"))
+        return t;
+    return fallback;
+}
+function publicUserFields(user) {
+    const id = user.id ?? user._id;
+    return {
+        id: id != null ? String(id) : undefined,
+        name: user.name,
+        email: user.email,
+    };
+}
 class Authentication {
+    /** Use a shared store (e.g. Redis) when running multiple app instances. */
+    static setRefreshTokenStore(store) {
+        _a.refreshStore = store;
+    }
     /** Get user lookup field (email, phone, username) */
     static getCredentials(data) {
         const query = {};
@@ -29,7 +66,7 @@ class Authentication {
             return { user: null, field: "email" };
         let user = null;
         const orm = Config_1.config.get("DB_ORM");
-        if (orm === "mongodb") {
+        if (orm === "mongodb" || orm === "mongoose") {
             user = await User.findOne(field).select("+password");
         }
         else if (orm === "sequelize") {
@@ -43,22 +80,21 @@ class Authentication {
         }
         return { user, field: Object.keys(field)[0] || "email" };
     }
-    /** Generate and attach tokens to cookies */
+    /** Generate and attach tokens to cookies (refresh is rotated server-side via `jti`). */
     static setTokens(res, userId) {
-        const accessToken = (0, util_1.jwtSign)(userId.toString(), { expiresIn: "1h" });
-        const refreshToken = (0, util_1.jwtSign)(userId.toString(), { expiresIn: "7d" });
-        const cookieOptions = {
-            httpOnly: true,
-            secure: Config_1.config.get("APP_ENV") === "production",
-            sameSite: "lax",
-        };
+        const id = String(userId);
+        const jti = _a.refreshStore.generateJti();
+        _a.refreshStore.register(jti, id, REFRESH_TTL_MS);
+        const accessToken = (0, util_1.jwtSign)(id, { expiresIn: "1h" });
+        const refreshToken = (0, util_1.jwtSign)({ id, typ: "refresh", jti }, { expiresIn: "7d" });
+        const cookieOptions = authCookieBase();
         res.cookie("auth_token", accessToken, {
             ...cookieOptions,
-            maxAge: 1000 * 60 * 60, // 1 hour
+            maxAge: ACCESS_MAX_AGE_MS,
         });
         res.cookie("refresh_token", refreshToken, {
             ...cookieOptions,
-            maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
+            maxAge: REFRESH_TTL_MS,
         });
         return { accessToken, refreshToken };
     }
@@ -68,30 +104,64 @@ class Authentication {
             const refreshToken = req.cookies.refresh_token;
             if (!refreshToken)
                 throw new Error("No refresh token");
-            const userId = (0, util_1.jwtVerify)(refreshToken);
+            const payload = (0, util_1.jwtVerify)(refreshToken);
+            const kind = (0, util_1.jwtTokenType)(payload);
+            if (kind === "access") {
+                throw new Error("Invalid refresh token");
+            }
+            const jti = payload != null &&
+                typeof payload === "object" &&
+                typeof payload.jti === "string"
+                ? payload.jti
+                : "";
+            if (!jti) {
+                throw new Error("Invalid refresh token");
+            }
+            const session = _a.refreshStore.consume(jti);
+            const userId = (0, util_1.jwtSubjectId)(payload);
+            if (!session || session.userId !== String(userId)) {
+                throw new Error("Invalid refresh token");
+            }
             this.setTokens(res, userId);
-            // Use universal finder
             req.user = await (0, util_1.findUserById)(User, userId);
             next();
         }
         catch (error) {
-            res.clearCookie("auth_token");
-            res.clearCookie("refresh_token");
+            clearAuthCookies(res);
             return res.status(401).json({ message: "Unauthorized" });
         }
     }
     /** Logout handler */
     static logout(req, res) {
-        res.clearCookie("auth_token");
-        res.clearCookie("refresh_token");
+        try {
+            const rt = req.cookies?.refresh_token;
+            if (rt) {
+                const payload = (0, util_1.jwtVerify)(rt);
+                if (payload != null &&
+                    typeof payload === "object" &&
+                    typeof payload.jti === "string") {
+                    _a.refreshStore.revoke(payload.jti);
+                }
+            }
+        }
+        catch {
+            /* expired or malformed */
+        }
+        clearAuthCookies(res);
         return res.redirect("/login");
     }
 }
 exports.Authentication = Authentication;
 _a = Authentication;
+Authentication.refreshStore = refreshTokenStore_1.defaultRefreshTokenStore;
 /** Handle user login attempt */
-Authentication.attempt = async (req, res, next, redirect = "/home") => {
+Authentication.attempt = async (
+// req: AppRequest,
+// res: AppResponse,
+next, redirect = "/home") => {
     try {
+        const req = request();
+        const res = response();
         const { user, field } = await _a.getUser(req.body);
         if (!user)
             throw new ValidationException_v2_1.ValidationException({ [field]: ["Invalid credentials"] });
@@ -100,9 +170,13 @@ Authentication.attempt = async (req, res, next, redirect = "/home") => {
         }
         const tokens = _a.setTokens(res, user.id || user._id);
         if (req.expectsJson() && !req.isInertia()) {
-            return res.status(200).json({ tokens, user });
+            const plain = typeof user?.toObject === "function" ? user.toObject() : user;
+            return res.status(200).json({
+                tokens: { accessToken: tokens.accessToken },
+                user,
+            });
         }
-        const redirectTo = req.query.redirect?.toString() || redirect;
+        const redirectTo = safeInternalRedirect(req.query.redirect?.toString(), redirect);
         return res.redirect(303, redirectTo);
     }
     catch (error) {

package/lib/Auth/loginRateLimit.d.ts

@@ -0,0 +1,6 @@
+import type { RequestHandler } from "express";
+/** Stricter limit for login attempts (per IP). */
+export declare const loginRateLimit: RequestHandler;
+/** Stricter limit for registration (per IP). */
+export declare const registerRateLimit: RequestHandler;
+//# sourceMappingURL=loginRateLimit.d.ts.map

package/lib/Auth/loginRateLimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loginRateLimit.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/loginRateLimit.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,kDAAkD;AAClD,eAAO,MAAM,cAAc,EAAE,cAO3B,CAAC;AAEH,gDAAgD;AAChD,eAAO,MAAM,iBAAiB,EAAE,cAO9B,CAAC"}

package/lib/Auth/loginRateLimit.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerRateLimit = exports.loginRateLimit = void 0;
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+/** Stricter limit for login attempts (per IP). */
+exports.loginRateLimit = (0, express_rate_limit_1.default)({
+    windowMs: 15 * 60 * 1000,
+    max: 20,
+    message: { message: "Too many login attempts. Try again later." },
+    standardHeaders: true,
+    legacyHeaders: false,
+    validate: { trustProxy: false },
+});
+/** Stricter limit for registration (per IP). */
+exports.registerRateLimit = (0, express_rate_limit_1.default)({
+    windowMs: 60 * 60 * 1000,
+    max: 10,
+    message: { message: "Too many registration attempts. Try again later." },
+    standardHeaders: true,
+    legacyHeaders: false,
+    validate: { trustProxy: false },
+});

package/lib/Auth/refreshTokenStore.d.ts

@@ -0,0 +1,24 @@
+export type RefreshSession = {
+    userId: string;
+    expiresAt: number;
+};
+/** Pluggable store for refresh-token `jti` rotation (swap for Redis in multi-instance). */
+export interface IRefreshTokenStore {
+    generateJti(): string;
+    register(jti: string, userId: string, ttlMs: number): void;
+    /** Remove and return the session if `jti` is valid and not expired. */
+    consume(jti: string): RefreshSession | undefined;
+    revoke(jti: string): void;
+    revokeAllForUser(userId: string): void;
+}
+export declare class MemoryRefreshTokenStore implements IRefreshTokenStore {
+    private readonly byJti;
+    generateJti(): string;
+    register(jti: string, userId: string, ttlMs: number): void;
+    consume(jti: string): RefreshSession | undefined;
+    revoke(jti: string): void;
+    revokeAllForUser(userId: string): void;
+    private prune;
+}
+export declare const defaultRefreshTokenStore: MemoryRefreshTokenStore;
+//# sourceMappingURL=refreshTokenStore.d.ts.map

package/lib/Auth/refreshTokenStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshTokenStore.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/refreshTokenStore.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,cAAc,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnE,2FAA2F;AAC3F,MAAM,WAAW,kBAAkB;IACjC,WAAW,IAAI,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3D,uEAAuE;IACvE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAAC;IACjD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACxC;AAED,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqC;IAE3D,WAAW,IAAI,MAAM;IAIrB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAQ1D,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAQhD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIzB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAMtC,OAAO,CAAC,KAAK;CAMd;AAED,eAAO,MAAM,wBAAwB,yBAAgC,CAAC"}

package/lib/Auth/refreshTokenStore.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultRefreshTokenStore = exports.MemoryRefreshTokenStore = void 0;
+const crypto_1 = require("crypto");
+class MemoryRefreshTokenStore {
+    constructor() {
+        this.byJti = new Map();
+    }
+    generateJti() {
+        return (0, crypto_1.randomBytes)(32).toString("hex");
+    }
+    register(jti, userId, ttlMs) {
+        this.prune();
+        this.byJti.set(jti, {
+            userId,
+            expiresAt: Date.now() + ttlMs,
+        });
+    }
+    consume(jti) {
+        const row = this.byJti.get(jti);
+        if (!row)
+            return undefined;
+        this.byJti.delete(jti);
+        if (Date.now() > row.expiresAt)
+            return undefined;
+        return row;
+    }
+    revoke(jti) {
+        this.byJti.delete(jti);
+    }
+    revokeAllForUser(userId) {
+        for (const [k, v] of this.byJti) {
+            if (v.userId === userId)
+                this.byJti.delete(k);
+        }
+    }
+    prune() {
+        const now = Date.now();
+        for (const [k, v] of this.byJti) {
+            if (v.expiresAt < now)
+                this.byJti.delete(k);
+        }
+    }
+}
+exports.MemoryRefreshTokenStore = MemoryRefreshTokenStore;
+exports.defaultRefreshTokenStore = new MemoryRefreshTokenStore();

package/lib/Command-Line/KeyGenerateCommand.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Generate a cryptographically strong secret (64 hex chars = 32 bytes).
+ * Default env key: JWT_SECRET (meets production length checks in this framework).
+ */
+export declare function runKeyGenerate(firstArg?: string, secondArg?: string): void;
+//# sourceMappingURL=KeyGenerateCommand.d.ts.map

package/lib/Command-Line/KeyGenerateCommand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyGenerateCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/KeyGenerateCommand.ts"],"names":[],"mappings":"AAUA;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,SAAK,EAAE,SAAS,SAAK,GAAG,IAAI,CAoClE"}

package/lib/Command-Line/KeyGenerateCommand.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runKeyGenerate = runKeyGenerate;
+const crypto_1 = require("crypto");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const app_root_path_1 = __importDefault(require("app-root-path"));
+const colors_1 = __importDefault(require("colors"));
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Generate a cryptographically strong secret (64 hex chars = 32 bytes).
+ * Default env key: JWT_SECRET (meets production length checks in this framework).
+ */
+function runKeyGenerate(firstArg = "", secondArg = "") {
+    const showOnly = firstArg === "show" ||
+        secondArg === "show" ||
+        secondArg === "--show";
+    const keyName = firstArg && firstArg !== "show" ? firstArg : "JWT_SECRET";
+    const value = (0, crypto_1.randomBytes)(32).toString("hex");
+    if (showOnly) {
+        console.log(colors_1.default.green(`${keyName}=`) + value);
+        return;
+    }
+    const envPath = path_1.default.join(app_root_path_1.default.path, ".env");
+    if (!fs_1.default.existsSync(envPath)) {
+        console.log(colors_1.default.yellow(".env not found. Add this line to your environment file:\n"));
+        console.log(colors_1.default.cyan(`${keyName}=${value}\n`));
+        return;
+    }
+    let contents = fs_1.default.readFileSync(envPath, "utf8");
+    const re = new RegExp(`^${escapeRegex(keyName)}=.*$`, "m");
+    const line = `${keyName}=${value}`;
+    if (re.test(contents)) {
+        contents = contents.replace(re, line);
+    }
+    else {
+        contents = contents.replace(/\s*$/, "") + "\n" + line + "\n";
+    }
+    fs_1.default.writeFileSync(envPath, contents, "utf8");
+    console.log(colors_1.default.green(`✓ Set ${keyName} in .env`) +
+        colors_1.default.gray(` (${value.length} characters)`));
+}

package/lib/Command-Line/NodeArtisanCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"NodeArtisanCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/NodeArtisanCommand.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoCpC,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAK1B;IACF,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,SAAS,CAAgC;IACjD,OAAO,CAAC,IAAI,CAAc;IAE1B,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,KAAK,EAAE,GAEb;IAED,OAAO,KAAK,IAAI,GAEf;IAED,OAAO,KAAK,KAAK,GAEhB;IAED,OAAO,KAAK,QAAQ,GAEnB;IACD,OAAO,CAAC,GAAG;;IAWX,0FAA0F;IAC1F,OAAO,CAAC,kBAAkB;IA0B1B,OAAO,CAAC,aAAa;IAOrB,wFAAwF;IACxF,OAAO,CAAC,SAAS;IAkBjB,OAAO,CAAC,aAAa;IAkKrB,OAAO,CAAC,QAAQ;IAwHhB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;CA4BpD"}
+{"version":3,"file":"NodeArtisanCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/NodeArtisanCommand.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAqCpC,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAK1B;IACF,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,SAAS,CAAgC;IACjD,OAAO,CAAC,IAAI,CAAc;IAE1B,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,KAAK,EAAE,GAEb;IAED,OAAO,KAAK,IAAI,GAEf;IAED,OAAO,KAAK,KAAK,GAEhB;IAED,OAAO,KAAK,QAAQ,GAEnB;IACD,OAAO,CAAC,GAAG;;IAWX,0FAA0F;IAC1F,OAAO,CAAC,kBAAkB;IA0B1B,OAAO,CAAC,aAAa;IAOrB,wFAAwF;IACxF,OAAO,CAAC,SAAS;IAkBjB,OAAO,CAAC,aAAa;IA6KrB,OAAO,CAAC,QAAQ;IA8HhB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;CA4BpD"}

package/lib/Command-Line/NodeArtisanCommand.js

@@ -18,6 +18,7 @@ const MakeCommand_1 = require("./MakeCommand");
 const RouteCommand_1 = require("./RouteCommand");
 const ScheduleCommand_1 = require("./ScheduleCommand");
 const InertiaCommand_1 = require("./InertiaCommand");
+const KeyGenerateCommand_1 = require("./KeyGenerateCommand");
 const Tinker_1 = require("./NodeTinker/Tinker");
 const util_1 = require("../util");
 /** Parse key=value from secondArg (e.g. steps=2, class=UserSeeder) */
@@ -191,6 +192,10 @@ class ConsoleKernel {
         this.defineCommand("schedule:list").action(this.runAction(() => this.schedule.list()));
         // ─── build ──────────────────────────────────────────────────────────
         this.defineCommand("build").action(this.runAction(() => (0, buildCommand_1.BuildCommand)()));
+        // ─── key (JWT / app secrets) ─────────────────────────────────────────
+        this.defineCommand("key:generate")
+            .description("Generate a random secret (default: JWT_SECRET in .env). Use 'show' to print only.")
+            .action(this.runAction((firstArg, secondArg) => (0, KeyGenerateCommand_1.runKeyGenerate)(firstArg ?? "", secondArg ?? "")));
         // ─── custom user commands ────────────────────────────────────────────
         for (const { signature, description, CommandClass } of this
             .customCommands) {
@@ -235,7 +240,8 @@ class ConsoleKernel {
         console.log(line("route:list [middleware=]", "Display routes (optionally filtered)\n"));
         console.log(section("⚡ Development Tools:"));
         console.log(line("tinker", "Start the interactive Tinker REPL"));
-        console.log(line("build", "Build the application for production\n"));
+        console.log(line("build", "Build the application for production"));
+        console.log(line("key:generate [name] [show]", "Random secret → .env (default JWT_SECRET); name=env key, show=print only") + "\n");
         console.log(section("⏰ Schedule Commands:"));
         console.log(line("schedule:run", "Run scheduled tasks (runs continuously)"));
         console.log(line("schedule:list", "List all scheduled tasks\n"));

package/lib/Command-Line/files/Models.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Models.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Command-Line/files/Models.ts"],"names":[],"mappings":"AACA;;;;GAIG;AAEH,QAAA,MAAM,WAAW,GAAI,MAAM,MAAM,KAAG,MASnC,CAAC;AAiDF,eAAe,WAAW,CAAC"}
+{"version":3,"file":"Models.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Command-Line/files/Models.ts"],"names":[],"mappings":"AACA;;;;GAIG;AAEH,QAAA,MAAM,WAAW,GAAI,MAAM,MAAM,KAAG,MASnC,CAAC;AAsDF,eAAe,WAAW,CAAC"}

package/lib/Command-Line/files/Models.js

@@ -31,17 +31,22 @@ const createJccModel = (name) => {
 };
 const createMongooseModel = (name) => {
     return `
-  import mongoose, { HydratedDocument, InferSchemaType,Schema } from "mongoose";
+  import mongoose, { HydratedDocument, InferSchemaType, Model, Schema } from "mongoose";
 
+  const ${name}Schema = new Schema(
+    {
+      //
+    },
+    { timestamps: true }
+  );
 
-  const ${name}Schema = new mongoose.Schema({
-    //
-  },{
-    timestamps:true
-  });
+  type ${name}Attrs = InferSchemaType<typeof ${name}Schema>;
+
+  export const ${name}: Model<${name}Attrs> =
+    (mongoose.models.${name} as Model<${name}Attrs>) ||
+    mongoose.model<${name}Attrs>("${name}", ${name}Schema);
 
-  export const ${name} = mongoose.model("${name}", ${name}Schema);
-  export type ${name} = HydratedDocument<InferSchemaType<typeof ${name}Schema>>;
+  export type ${name}Document = HydratedDocument<${name}Attrs>;
   `;
 };
 const createSequelizeModel = (name) => {

package/lib/Global/helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Global/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAUzD,eAAO,MAAM,aAAa,GAAI,KAAK,WAAW,SAoH7C,CAAC"}
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Global/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAkBzD,eAAO,MAAM,aAAa,GAAI,KAAK,WAAW,SAqH7C,CAAC"}

package/lib/Global/helpers.js

@@ -8,6 +8,7 @@ const util_1 = require("../util");
 const Authorization_1 = require("../Authorization");
 const Date_1 = require("../Date");
 const globalHelpers = (app) => {
+    (0, util_1.assertProductionJwtSecret)();
     globalThis.app = app;
     //
     globalThis.env = (key, defaultValue) => {

package/lib/Validation/Validator/CustomValidation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CustomValidation.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Validation/Validator/CustomValidation.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAE/C,qBAAa,gBAAgB;IAI3B,MAAM,CAAC,QAAQ,CACb,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;WASP,MAAM,CACjB,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;IAapB,MAAM,CAAC,IAAI,CACT,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;IAQpB,MAAM,CAAC,KAAK,CACV,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;WAQP,MAAM,CACjB,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;CAWrB;AAED,eAAO,MAAM,gBAAgB;;;;;;CAM5B,CAAC"}
+{"version":3,"file":"CustomValidation.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Validation/Validator/CustomValidation.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAE/C,qBAAa,gBAAgB;IAI3B,MAAM,CAAC,QAAQ,CACb,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;WASP,MAAM,CACjB,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;IAkBpB,MAAM,CAAC,IAAI,CACT,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;IAQpB,MAAM,CAAC,KAAK,CACV,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;WAQP,MAAM,CACjB,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,SAAS,EAChB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU;CAerB;AAED,eAAO,MAAM,gBAAgB;;;;;;CAM5B,CAAC"}

package/lib/Validation/Validator/CustomValidation.js

@@ -16,7 +16,7 @@ class CustomValidation {
         if (!this.ruleValue || !attribute) {
             return passes(false, "Invalid unique rule definition.");
         }
-        const result = await (0, helper_1.existsHelper)(attribute, value, this.ruleValue);
+        const result = await (0, helper_1.existsHelper)(this.attribute || attribute, value, this.ruleValue);
         if (result) {
             return passes(false, `This ${this.attribute} has already been taken`);
         }
@@ -38,7 +38,7 @@ class CustomValidation {
         if (!value) {
             return passes(false, "The field is required.");
         }
-        const result = await (0, helper_1.existsHelper)(attribute, value, this.ruleValue);
+        const result = await (0, helper_1.existsHelper)(this.attribute || attribute, value, this.ruleValue);
         if (!result) {
             return passes(false, `The ${this.attribute} does not exist`);
         }

package/lib/Validation/Validator/helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helper.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Validation/Validator/helper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAGnC;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GACvB,WAAW,MAAM,EACjB,OAAO,SAAS,EAChB,WAAW,MAAM,iBAkBlB,CAAC"}
+{"version":3,"file":"helper.d.ts","sourceRoot":"","sources":["../../../../jcc-express-mvc/lib/Validation/Validator/helper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAGnC;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GACvB,WAAW,MAAM,EACjB,OAAO,SAAS,EAChB,WAAW,MAAM,iBAmBlB,CAAC"}

package/lib/Validation/Validator/helper.js

@@ -15,6 +15,7 @@ const existsHelper = async (attribute, value, ruleValue) => {
     const modelInstance = (0, index_1.getModel)(Model);
     let result;
     if (process.env.DB_CONNECTION === "mongodb") {
+        console.log("modelInstance", modelInstance);
         result = await modelInstance[Model].findOne({
             [column || attribute]: value,
         });

package/lib/util/index.d.ts

@@ -75,6 +75,9 @@ export declare const verifyHash: (password: string, hashPassword: string) => Pro
  * @param {object} data - The data to be encoded in the token.
  * @returns {string} - Signed JWT token.
  */
+export type JwtTokenKind = "access" | "refresh" | "legacy";
+/** `typ` claim: access for API/session, refresh for refresh flow only. */
+export declare const jwtTokenType: (payload: unknown) => JwtTokenKind;
 export declare const jwtSign: (data: string | Record<string, any>, options?: Record<string, any>) => string | any;
 /**
  * Function to verify a JWT token.
@@ -82,6 +85,12 @@ export declare const jwtSign: (data: string | Record<string, any>, options?: Rec
  * @returns {object} - Decoded JWT payload.
  */
 export declare const jwtVerify: (token: string) => string | any;
+/** User id from JWT payload (jwt.sign stores subject as `{ id }` from jwtSign string helper). */
+export declare const jwtSubjectId: (payload: unknown) => string | number;
+/**
+ * In production, refuse weak or missing JWT_SECRET (call once at bootstrap).
+ */
+export declare function assertProductionJwtSecret(): void;
 /**
  * Function to save an image file.
  * @param {object} req - The request object containing the file.

package/lib/util/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/util/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAW,UAAU,EAAe,MAAM,cAAc,CAAC;AAIhE,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAKxC;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GAC0B,CAAC;AAEnE;;GAEG;AACH,eAAO,MAAM,UAAU,QAAO,IAG7B,CAAC;AAEF,eAAO,MAAM,SAAS,GAAI,OAAO,MAAM,SAMtC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEzD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,GACY,CAAC;AAE7D;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GACM,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEzD;;;;GAIG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEtD;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GAEvC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,YAAY,QAAO,KAAK,CAAC,GAAG,CAGxC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,WAAW,GAAI,MAAM,MAAM,KAAG,GAM1C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,MAAM,GAAU,KAAK,MAAM,KAAG,OAAO,CAAC,MAAM,CAGxD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,UAAU,GACrB,UAAU,MAAM,EAChB,cAAc,MAAM,KACnB,OAAO,CAAC,OAAO,CAEjB,CAAC;AAEF;;;;GAIG;AAEH,eAAO,MAAM,OAAO,GAClB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAClC,UAAU,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAC5B,MAAM,GAAG,GAWX,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,SAAS,GAAI,OAAO,MAAM,KAAG,MAAM,GAAG,GAMlD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,SAAS,GACpB,KAAK,GAAG,EACR,WAAW,MAAM,EACjB,SAAQ,MAAgB,KACvB,MAgBF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,MAAM,KAAG,MAExC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,GACtB,MAAM,GAAG,KAAG,GAEsC,CAAC;AAEtD,eAAO,MAAM,YAAY,GAAI,WAAW,MAAM,KAAG,MAEhD,CAAC;AAEF,eAAO,MAAM,gBAAgB,GAAI,MAAM,GAAG,KAAG,GAezC,CAAC;AAEL,eAAO,MAAM,WAAW,GAAI,SAAS,MAAM,KAAG,GAQ7C,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,KAAG,MAG1C,CAAC;AAOF,0EAA0E;AAC1E,eAAO,MAAM,YAAY,GAAU,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,MAAM,iBAkBpE,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,KAAK,UAAU,EACf,YAAY,OAAO,KAAK,EACxB,UAAU,GAAG,iBAoDd,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG,GAAU,CAAC,EACzB,MAAM,CAAC,EACP,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,GAAG,KAC1B,OAAO,CAAC,CAAC,CASX,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,eAAe,GAAI,OAAO,GAAG,KAAG,OAc5C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/util/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAW,UAAU,EAAe,MAAM,cAAc,CAAC;AAIhE,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAKxC;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GAC0B,CAAC;AAEnE;;GAEG;AACH,eAAO,MAAM,UAAU,QAAO,IAG7B,CAAC;AAEF,eAAO,MAAM,SAAS,GAAI,OAAO,MAAM,SAMtC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEzD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,GACY,CAAC;AAE7D;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GACM,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEzD;;;;GAIG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,GACW,CAAC;AAEtD;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,MAAM,MAAM,KAAG,GAEvC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,YAAY,QAAO,KAAK,CAAC,GAAG,CAGxC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,WAAW,GAAI,MAAM,MAAM,KAAG,GAM1C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,MAAM,GAAU,KAAK,MAAM,KAAG,OAAO,CAAC,MAAM,CAGxD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,UAAU,GACrB,UAAU,MAAM,EAChB,cAAc,MAAM,KACnB,OAAO,CAAC,OAAO,CAEjB,CAAC;AAEF;;;;GAIG;AAEH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;AAE3D,0EAA0E;AAC1E,eAAO,MAAM,YAAY,GAAI,SAAS,OAAO,KAAG,YAM/C,CAAC;AAEF,eAAO,MAAM,OAAO,GAClB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAClC,UAAU,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAC5B,MAAM,GAAG,GAgBX,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,SAAS,GAAI,OAAO,MAAM,KAAG,MAAM,GAAG,GAalD,CAAC;AAEF,iGAAiG;AACjG,eAAO,MAAM,YAAY,GAAI,SAAS,OAAO,KAAG,MAAM,GAAG,MAQxD,CAAC;AAEF;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAkBhD;AAED;;;;;;GAMG;AACH,eAAO,MAAM,SAAS,GACpB,KAAK,GAAG,EACR,WAAW,MAAM,EACjB,SAAQ,MAAgB,KACvB,MAgBF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,MAAM,KAAG,MAExC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,GACtB,MAAM,GAAG,KAAG,GAEsC,CAAC;AAEtD,eAAO,MAAM,YAAY,GAAI,WAAW,MAAM,KAAG,MAEhD,CAAC;AAEF,eAAO,MAAM,gBAAgB,GAAI,MAAM,GAAG,KAAG,GAezC,CAAC;AAEL,eAAO,MAAM,WAAW,GAAI,SAAS,MAAM,KAAG,GAQ7C,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,KAAG,MAG1C,CAAC;AAOF,0EAA0E;AAC1E,eAAO,MAAM,YAAY,GAAU,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,MAAM,iBAoBpE,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,KAAK,UAAU,EACf,YAAY,OAAO,KAAK,EACxB,UAAU,GAAG,iBAoDd,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG,GAAU,CAAC,EACzB,MAAM,CAAC,EACP,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,GAAG,KAC1B,OAAO,CAAC,CAAC,CASX,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,eAAe,GAAI,OAAO,GAAG,KAAG,OAc5C,CAAC"}

package/lib/util/index.js

@@ -3,7 +3,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isModelInstance = exports.tap = exports.resolveModelBinding = exports.findUserById = exports.pluralizeStr = exports.getJobClass = exports.cloudinaryUpload = exports.getModelFile = exports.asyncHandler = exports.capitalize = exports.saveImage = exports.jwtVerify = exports.jwtSign = exports.verifyHash = exports.bcrypt = exports.getProvider = exports.getProviders = exports.getRoute = exports.getRequest = exports.getMiddleware = exports.getModel = exports.getApiController = exports.getController = exports.loadRoute = exports.loadRoutes = exports.rootPath = void 0;
+exports.isModelInstance = exports.tap = exports.resolveModelBinding = exports.findUserById = exports.pluralizeStr = exports.getJobClass = exports.cloudinaryUpload = exports.getModelFile = exports.asyncHandler = exports.capitalize = exports.saveImage = exports.jwtSubjectId = exports.jwtVerify = exports.jwtSign = exports.jwtTokenType = exports.verifyHash = exports.bcrypt = exports.getProvider = exports.getProviders = exports.getRoute = exports.getRequest = exports.getMiddleware = exports.getModel = exports.getApiController = exports.getController = exports.loadRoute = exports.loadRoutes = exports.rootPath = void 0;
+exports.assertProductionJwtSecret = assertProductionJwtSecret;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const app_root_path_1 = __importDefault(require("app-root-path"));
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
@@ -128,17 +129,28 @@ const verifyHash = async (password, hashPassword) => {
     return bcryptjs_1.default.compare(`${password || ""}`, hashPassword);
 };
 exports.verifyHash = verifyHash;
-/**
- * Function to sign a JWT token.
- * @param {object} data - The data to be encoded in the token.
- * @returns {string} - Signed JWT token.
- */
+/** `typ` claim: access for API/session, refresh for refresh flow only. */
+const jwtTokenType = (payload) => {
+    if (payload == null || typeof payload !== "object")
+        return "legacy";
+    const typ = payload.typ;
+    if (typ === "refresh")
+        return "refresh";
+    if (typ === "access")
+        return "access";
+    return "legacy";
+};
+exports.jwtTokenType = jwtTokenType;
 const jwtSign = (data, options) => {
     try {
         const secret = Config_1.config.get("JWT_SECRET") || "app-generated-key";
-        // Wrap string payload in an object
-        const payload = typeof data === "string" ? { id: data } : data;
-        return jsonwebtoken_1.default.sign(payload, secret, options);
+        const payload = typeof data === "string"
+            ? { id: data, typ: "access" }
+            : { typ: "access", ...data };
+        return jsonwebtoken_1.default.sign(payload, secret, {
+            algorithm: "HS256",
+            ...options,
+        });
     }
     catch (error) {
         throw new AppError_1.AppError(error?.message, error_1.JWT_SIGN_ERROR);
@@ -152,13 +164,43 @@ exports.jwtSign = jwtSign;
  */
 const jwtVerify = (token) => {
     try {
-        return jsonwebtoken_1.default.verify(token, Config_1.config.get(Constants_1.JWT_SECRET, "app-generated-key") || "");
+        return jsonwebtoken_1.default.verify(token, Config_1.config.get(Constants_1.JWT_SECRET, "app-generated-key") || "", {
+            algorithms: ["HS256"],
+            clockTolerance: 30,
+        });
     }
     catch (error) {
         throw new AppError_1.AppError(error?.message, error_1.JWT_VERIFY_ERROR);
     }
 };
 exports.jwtVerify = jwtVerify;
+/** User id from JWT payload (jwt.sign stores subject as `{ id }` from jwtSign string helper). */
+const jwtSubjectId = (payload) => {
+    if (payload != null && typeof payload === "object" && "id" in payload) {
+        return payload.id;
+    }
+    if (typeof payload === "string" || typeof payload === "number") {
+        return payload;
+    }
+    throw new AppError_1.AppError("Invalid token payload", error_1.JWT_VERIFY_ERROR);
+};
+exports.jwtSubjectId = jwtSubjectId;
+/**
+ * In production, refuse weak or missing JWT_SECRET (call once at bootstrap).
+ */
+function assertProductionJwtSecret() {
+    const secret = (Config_1.config.get(Constants_1.JWT_SECRET, "") || "").trim();
+    const appEnv = (Config_1.config.get("APP_ENV", "") || "").trim().toLowerCase();
+    const isProduction = process.env.NODE_ENV === "production" || appEnv === "production";
+    if (!isProduction)
+        return;
+    if (secret.length < 32) {
+        throw new Error("[security] JWT_SECRET must be at least 32 characters in production.");
+    }
+    if (secret === "app-generated-key") {
+        throw new Error("[security] JWT_SECRET must not use the default placeholder in production.");
+    }
+}
 /**
  * Function to save an image file.
  * @param {object} req - The request object containing the file.
@@ -246,7 +288,8 @@ exports.pluralizeStr = pluralizeStr;
 /** Universal user finder that supports MongoDB, Sequelize, and JCC ORM */
 const findUserById = async (User, userId) => {
     const orm = Config_1.config.get("DB_ORM");
-    if (orm === "mongodb" && typeof User.findById === "function") {
+    if (orm === "mongodb" ||
+        (orm === "mongoose" && typeof User.findById === "function")) {
         return await User.findById(userId);
     }
     if (orm === "sequelize" && typeof User.findByPk === "function") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jcc-express-mvc",
-  "version": "1.8.8",
+  "version": "1.8.9",
   "description": "express mvc structure",
   "main": "index.js",
   "types": "index.d.ts",