my-crud-lib 1.0.3 → 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Riccardo Sensi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,214 +1,269 @@
 # my-crud-lib
 
-A modular, TypeScript-first **Auth + User/Profile CRUD** library for Node.js, designed to be **framework-light**, **DB-agnostic** (via adapters), and **highly extensible** (schemas + hooks). Ship a secure `/auth/register`, `/auth/login`, and `/me` in minutes—then customize without forking the core.
+[![CI](https://github.com/riccardosensi99/CRUD-lib/actions/workflows/ci.yml/badge.svg)](https://github.com/riccardosensi99/CRUD-lib/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/my-crud-lib.svg)](https://www.npmjs.com/package/my-crud-lib)
 
-> Works great with Express and Prisma out of the box, but you can plug in your own repo adapter.
+TypeScript-first auth and user/profile CRUD helpers for Node.js and Express.
 
----
+The package currently provides:
 
-## Features
+- Express routers for auth and user CRUD.
+- JWT access and refresh token helpers.
+- Zod schemas for request validation.
+- A `UserRepo` port plus a Prisma adapter.
+- Convenience setup helpers for small Express APIs.
 
-- ✅ Ready-made routes: `POST /auth/register`, `POST /auth/login`, `GET /me`
-- 🔐 JWT-based auth with pluggable lifecycle hooks (before/after create, before issuing JWT, etc.)
-- 🧩 Extensible validation via **Zod**: merge your own fields into the base schemas
-- 🗄️ Repository interfaces (DB-agnostic) + optional Prisma adapter
-- 🧰 Cleanly separated core logic & web router
-- 🧪 TypeScript types exported for DX
+## Installation
 
----
+```bash
+npm i my-crud-lib express cors body-parser
+```
 
-## Installation
+If you use the bundled Prisma adapter:
 
 ```bash
-npm i my-crud-lib zod jsonwebtoken bcryptjs
-# If using Prisma adapter in your app:
-npm i @prisma/client
+npm i @prisma/client prisma
+npx prisma generate
 ```
 
-> Node.js `>= 18.17` is required.
+Node.js `>=18.17` is required.
 
----
+## Environment
 
-## Quickstart (Express)
+```bash
+DATABASE_URL="postgresql://user:password@localhost:5432/app"
+JWT_SECRET="replace-with-a-long-random-secret"
+JWT_ACCESS_EXPIRES_IN="15m"
+JWT_REFRESH_EXPIRES_IN="7d"
+BCRYPT_SALT="10"
+```
+
+`JWT_ACCESS_EXPIRES_IN` and `JWT_REFRESH_EXPIRES_IN` have defaults. `JWT_SECRET` and `DATABASE_URL` must be set before using the default auth and Prisma paths.
+
+## Quickstart With Express And Prisma
 
 ```ts
-import express from "express";
-import { json } from "body-parser";
-import { createLibrary } from "my-crud-lib";
-// Optional: Prisma adapter (provided in your app)
 import { PrismaClient } from "@prisma/client";
-import { makePrismaUserRepo } from "my-crud-lib/adapter-prisma"; // if you expose this path
+import { createLibrary, createServer } from "my-crud-lib";
+import { makePrismaUserRepo } from "my-crud-lib/adapter-prisma";
 
 const prisma = new PrismaClient();
-
-const app = express();
-app.use(json());
+const app = createServer();
 
 const lib = createLibrary(
   {
+    routesPrefix: "/api",
     auth: {
-      jwtSecret: process.env.JWT_SECRET!, // e.g. "supersecret"
-      jwtExpiresIn: "7d",
       passwordHashRounds: 10,
     },
-    routesPrefix: "/api", // optional
   },
   { userRepo: makePrismaUserRepo(prisma) }
 );
 
 app.use(lib.router);
 
-app.listen(3000, () => console.log("API running on http://localhost:3000"));
+app.listen(3000, () => {
+  console.log("API running on http://localhost:3000");
+});
 ```
 
-### Available Routes
-
-- `POST /auth/register` → create user (email + password + optional name)
-- `POST /auth/login` → returns `{ accessToken }`
-- `GET /me` → authenticated endpoint, returns the current user
+With the `/api` prefix, the mounted routes include:
 
-> Protect `/me` with the `isAuth` middleware already wired inside the library router.
+- `POST /api/auth/register`
+- `POST /api/auth/login`
+- `POST /api/auth/refresh`
+- `GET /api/auth/me`
+- `GET /api/users`
+- `GET /api/users/me`
+- `PUT /api/users/me`
+- `POST /api/users`
+- `GET /api/users/:id`
+- `PUT /api/users/:id`
+- `DELETE /api/users/:id`
 
----
+Admin user routes require a bearer token with role `ADMIN`.
 
-## Configuration
+## Examples
 
-```ts
-type AuthConfig = {
-  jwtSecret: string;
-  jwtExpiresIn: string; // e.g. "7d"
-  passwordHashRounds: number; // e.g. 10
-};
-
-type LibraryConfig = {
-  auth: AuthConfig;
-  routesPrefix?: string; // e.g. "/api"
-};
-```
+- `examples/express-prisma` is a runnable Express + Prisma app.
+- `examples/custom-repo` shows the `UserRepo` shape with an in-memory adapter.
 
-Create the library:
+Run the Prisma example:
 
-```ts
-const lib = createLibrary(config, { userRepo });
+```bash
+cd examples/express-prisma
+npm install
+cp .env.example .env
+npx prisma generate
+npx prisma migrate dev --name init
+npm run dev
 ```
 
----
-
-## Extending Schemas (Zod)
+## Response Examples
 
-The library exports base Zod schemas and a factory to merge your custom fields.
+Register:
 
-```ts
-// consumer app
-import { z } from "zod";
-import { makeCreateUserSchema } from "my-crud-lib/schemas";
+```http
+POST /api/auth/register
+Content-Type: application/json
 
-const ExtraUserFields = z.object({
-  companyVat: z.string().min(5),
-  marketingOptIn: z.boolean().default(false),
-});
+{
+  "email": "reader@example.com",
+  "password": "password123",
+  "name": "Reader"
+}
+```
 
-export const CreateUserSchema = makeCreateUserSchema(ExtraUserFields);
+Response:
 
-// Later in your route (if you override the built-in):
-const data = CreateUserSchema.parse(req.body);
+```json
+{
+  "user": {
+    "id": 1,
+    "email": "reader@example.com",
+    "name": "Reader",
+    "role": "USER"
+  },
+  "accessToken": "eyJ...",
+  "refreshToken": "eyJ..."
+}
 ```
 
-**Tip:** The default Prisma schema (if you use it) exposes `profile.extra: Json?` so you can store arbitrary fields without altering the core tables.
-
----
+Login:
 
-## Hooks (Lifecycle)
+```http
+POST /api/auth/login
+Content-Type: application/json
 
-Use hooks to change data or enrich tokens without forking.
+{
+  "email": "reader@example.com",
+  "password": "password123"
+}
+```
 
-```ts
-import { plugins } from "my-crud-lib";
+Protected request:
 
-plugins.use({
-  beforeCreateUser: async (data, ctx) => {
-    if (data.companyVat) data.companyVat = data.companyVat.toUpperCase();
-    return data;
-  },
-  afterCreateUser: async (user, ctx) => {
-    // e.g., send welcome email or audit log
-  },
-  beforeIssueJwt: (payload, ctx) => {
-    return { ...payload, tenantId: "acme-123" };
-  },
-});
+```http
+GET /api/auth/me
+Authorization: Bearer <accessToken>
 ```
 
-**Available hooks**
-- `beforeCreateUser(data, ctx)`
-- `afterCreateUser(user, ctx)`
-- `beforeUpdateUser(data, ctx)`
-- `beforeIssueJwt(payload, ctx)`
+## Public Imports
 
-`ctx` includes the request and useful dependencies (e.g., repos).
-
----
+```ts
+import {
+  createLibrary,
+  createServer,
+  mountDefaultRoutes,
+  createAuthRouter,
+  createUserRouter,
+  isAuth,
+  hasRole,
+} from "my-crud-lib";
+
+import { createAuthRouter, makeAuthService, registerSchema, loginSchema } from "my-crud-lib/auth";
+import { createUserRouter, type UserRepo } from "my-crud-lib/user";
+import { registerSchema, listUsersQuerySchema } from "my-crud-lib/schemas";
+import { isAuth, hasRole } from "my-crud-lib/middleware";
+import { makePrismaUserRepo } from "my-crud-lib/adapter-prisma";
+import { makePrismaUserRepo as makePrismaUserRepoCanonical } from "my-crud-lib/adapters/prisma";
+```
 
-## Repository Adapters (DB-agnostic)
+## Repository Adapter
 
-Core interface:
+User CRUD is driven by the `UserRepo` interface:
 
 ```ts
 export interface UserRepo {
-  create(data: any): Promise<any>;
-  update(id: string, data: any): Promise<any>;
-  findById(id: string): Promise<any | null>;
-  findByEmail(email: string): Promise<any | null>;
+  count(where: { role?: string; search?: string }): Promise<number>;
+  findMany(params: {
+    page: number;
+    pageSize: number;
+    role?: string;
+    search?: string;
+    sortField: "createdAt" | "updatedAt" | "email" | "name";
+    sortDir: "asc" | "desc";
+  }): Promise<UserListItem[]>;
+  findById(id: number | string): Promise<UserListItem | null>;
+  findByEmail(email: string): Promise<(UserListItem & { passwordHash?: string }) | null>;
+  create(input: {
+    email: string;
+    passwordHash: string;
+    name?: string | null;
+    role?: string;
+    bio?: string | null;
+    avatarUrl?: string | null;
+  }): Promise<UserListItem>;
+  update(id: number | string, input: AdminUpdateUserInput): Promise<UserListItem>;
+  delete(id: number | string): Promise<void>;
+  updateMe(
+    userId: number | string,
+    input: { name?: string | null; bio?: string | null; avatarUrl?: string | null }
+  ): Promise<UserListItem>;
 }
 ```
 
-Example Prisma adapter (in your app or provided by the lib):
+The Prisma adapter is available from both import paths:
 
 ```ts
-export function makePrismaUserRepo(prisma: any): UserRepo {
-  return {
-    create: (data) => prisma.user.create({ data }),
-    update: (id, data) => prisma.user.update({ where: { id }, data }),
-    findById: (id) => prisma.user.findUnique({ where: { id } }),
-    findByEmail: (email) => prisma.user.findUnique({ where: { email } }),
-  };
-}
+import { makePrismaUserRepo } from "my-crud-lib/adapter-prisma";
+// or
+import { makePrismaUserRepo } from "my-crud-lib/adapters/prisma";
+```
+
+Auth also receives the same repository dependency:
+
+```ts
+import { createAuthRouter } from "my-crud-lib/auth";
+
+app.use("/auth", createAuthRouter({ userRepo }));
 ```
 
----
+## Build Checks
 
-## Types
+```bash
+npm run build
+npm run smoke:exports
+npm run smoke:auth-hardening
+npm run smoke:auth-service
+```
 
-The package exports the main public types:
+`smoke:exports` builds the package and imports the documented public paths from `dist`.
+`smoke:auth-hardening` checks auth safety defaults and JWT secret validation.
+`smoke:auth-service` verifies register/login/refresh/me with an in-memory repo.
 
-- `LibraryConfig`, `AuthConfig`
-- `UserRepo`
-- schema types (e.g., `CreateUserBase`)
+## Current Limitations
 
----
+- Lifecycle hooks and schema factories are not part of the current public API.
+- The Prisma schema is included as a starter schema; consumer apps should own their migrations.
 
-## Security Notes
+## Troubleshooting
 
-- Keep `JWT_SECRET` secure; rotate if compromised.
-- Consider adding rate limiting in your app (e.g., `express-rate-limit`).
-- Store password hashes using `bcryptjs` with adequate rounds (default shown: `10`).
-- Use HTTPS in production.
+`Cannot find module '@prisma/client'`
 
----
+Install Prisma dependencies in your app and run `npx prisma generate`.
 
-## Optional
+`JWT_SECRET is required before signing or verifying tokens`
 
-if you want to use the prisma adeapter use:
+Set `JWT_SECRET` before mounting or calling auth routes. Use a long random value.
 
-npm i @prisma/client prisma
-npx prisma generate
+`Invalid or expired token`
+
+Send the access token in the `Authorization` header as `Bearer <accessToken>`. Use `/auth/refresh` with a refresh token to get a new pair.
 
-## Contributing
+ESM import errors
 
-PRs and issues are welcome! Please follow conventional commits or include a clear description. For releases, we recommend Changesets or semantic-release.
+Use Node.js `>=18.17` and import from the documented package paths, for example `my-crud-lib`, `my-crud-lib/auth`, or `my-crud-lib/adapter-prisma`.
 
----
+## Security Notes
+
+- Use a long random `JWT_SECRET` and rotate it if compromised.
+- Keep access tokens short-lived.
+- Add rate limiting around auth endpoints in production.
+- Use HTTPS in production.
+- Self-registration creates `USER` accounts by default.
+- Create `ADMIN` accounts intentionally through your own seed/admin workflow.
 
 ## License
 
-MIT © Riccardo
+MIT

package/RELEASE.md

@@ -0,0 +1,32 @@
+# Release Checklist
+
+Use this checklist before publishing `my-crud-lib` to npm.
+
+## Preflight
+
+- Confirm `package.json` version is the intended release version.
+- Confirm `README.md` examples match tested public imports.
+- Confirm `LICENSE`, `README.md`, `examples`, `dist`, and `prisma/schema.prisma` are included in the package.
+- Review open issues for release blockers.
+
+## Verify
+
+```bash
+npm ci
+npm run ci
+npm pack --dry-run
+```
+
+Inspect the dry-run file list before publishing.
+
+## Publish
+
+```bash
+npm publish --access public
+```
+
+## After Publish
+
+- Create a GitHub release or tag for the published version.
+- Confirm the npm page shows repository, license, README, examples, and keywords.
+- Smoke test installation in a fresh temporary project.

package/dist/adapter-prisma.d.ts

@@ -0,0 +1 @@
+export { makePrismaUserRepo } from './adapters/prisma.js';

package/dist/adapter-prisma.js

@@ -0,0 +1 @@
+export { makePrismaUserRepo } from './adapters/prisma.js';

package/dist/auth.d.ts

@@ -0,0 +1,6 @@
+export { createAuthRouter } from './modules/auth/auth.controller.js';
+export { DEFAULT_REGISTER_ROLE, resolveRegisterRole } from './modules/auth/auth.defaults.js';
+export { makeAuthService } from './modules/auth/auth.service.js';
+export { loginSchema, registerSchema } from './modules/auth/auth.schemas.js';
+export type { AuthResult, AuthServiceDeps, AuthTokens, AuthUser, AuthUserRepo } from './modules/auth/auth.types.js';
+export type { LoginInput, RegisterInput } from './modules/auth/auth.schemas.js';

package/dist/auth.js

@@ -0,0 +1,4 @@
+export { createAuthRouter } from './modules/auth/auth.controller.js';
+export { DEFAULT_REGISTER_ROLE, resolveRegisterRole } from './modules/auth/auth.defaults.js';
+export { makeAuthService } from './modules/auth/auth.service.js';
+export { loginSchema, registerSchema } from './modules/auth/auth.schemas.js';

package/dist/config/env.d.ts

@@ -1,2 +1,3 @@
-export declare const JWT_ACCESS_EXPIRES_IN: string, JWT_REFRESH_EXPIRES_IN: string;
-export declare const JWT_SECRET: string;
+export declare const JWT_ACCESS_EXPIRES_IN: string;
+export declare const JWT_REFRESH_EXPIRES_IN: string;
+export declare function getJwtSecret(): string;

package/dist/config/env.js

@@ -1,5 +1,11 @@
 import dotenv from "dotenv";
-import { env } from "process";
 dotenv.config();
-export const { JWT_ACCESS_EXPIRES_IN = env.JWT_ACCESS_EXPIRES_IN || "15m", JWT_REFRESH_EXPIRES_IN = env.JWT_REFRESH_EXPIRES_IN || "7d", } = process.env;
-export const JWT_SECRET = process.env.JWT_SECRET;
+export const JWT_ACCESS_EXPIRES_IN = process.env.JWT_ACCESS_EXPIRES_IN || "15m";
+export const JWT_REFRESH_EXPIRES_IN = process.env.JWT_REFRESH_EXPIRES_IN || "7d";
+export function getJwtSecret() {
+    const secret = process.env.JWT_SECRET?.trim();
+    if (!secret) {
+        throw new Error("JWT_SECRET is required before signing or verifying tokens");
+    }
+    return secret;
+}

package/dist/dev.js

@@ -7,7 +7,7 @@ import { PrismaClient } from '@prisma/client';
 const app = createServer();
 const prisma = new PrismaClient();
 const userRepo = makePrismaUserRepo(prisma);
-app.use('/auth', createAuthRouter());
+app.use('/auth', createAuthRouter({ userRepo }));
 app.use('/users', createUserRouter({ userRepo }));
 const PORT = Number(process.env.PORT) || 3000;
 app.listen(PORT, () => {

package/dist/index.d.ts

@@ -1,5 +1,27 @@
 import { type Express } from 'express';
-export { createAuthRouter } from './modules/auth/auth.controller.js';
+export type { UserRepo } from './core/ports/user.repo.js';
+export type { AdminCreateUserInput, AdminUpdateUserInput, ListUsersQuery, Paginated, Role, UpdateMeInput, UserListItem, } from './modules/user/user.types.js';
 export { createUserRouter } from './modules/user/user.controller.js';
+export { createAuthRouter } from './modules/auth/auth.controller.js';
+export { DEFAULT_REGISTER_ROLE, resolveRegisterRole } from './modules/auth/auth.defaults.js';
+export { makeAuthService } from './modules/auth/auth.service.js';
+export { registerSchema, loginSchema } from './modules/auth/auth.schemas.js';
+export type { AuthResult, AuthServiceDeps, AuthTokens, AuthUser, AuthUserRepo } from './modules/auth/auth.types.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';
+export { isAuth, type AuthRequest } from './middleware/isAuth.js';
+export { hasRole, isSelfOrAdmin } from './middleware/hasRole.js';
+export { makePrismaUserRepo } from './adapters/prisma.js';
+import type { UserRepo } from './core/ports/user.repo.js';
+import type { AuthServiceDeps } from './modules/auth/auth.types.js';
+export type LibraryConfig = {
+    routesPrefix?: string;
+    auth?: Omit<AuthServiceDeps, 'userRepo'>;
+};
+export type LibraryDeps = {
+    userRepo: UserRepo;
+};
 export declare function createServer(): Express;
-export declare function mountDefaultRoutes(app: Express): void;
+export declare function createLibrary(config: LibraryConfig, deps: LibraryDeps): {
+    router: import("express-serve-static-core").Router;
+};
+export declare function mountDefaultRoutes(app: Express, deps: LibraryDeps, config?: LibraryConfig): void;

package/dist/index.js

@@ -1,17 +1,40 @@
-import express from 'express';
+import express, { Router } from 'express';
 import cors from 'cors';
 import bodyParser from 'body-parser';
-export { createAuthRouter } from './modules/auth/auth.controller.js';
 export { createUserRouter } from './modules/user/user.controller.js';
+export { createAuthRouter } from './modules/auth/auth.controller.js';
+export { DEFAULT_REGISTER_ROLE, resolveRegisterRole } from './modules/auth/auth.defaults.js';
+export { makeAuthService } from './modules/auth/auth.service.js';
+export { registerSchema, loginSchema } from './modules/auth/auth.schemas.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';
+export { isAuth } from './middleware/isAuth.js';
+export { hasRole, isSelfOrAdmin } from './middleware/hasRole.js';
+export { makePrismaUserRepo } from './adapters/prisma.js';
+import { createAuthRouter } from './modules/auth/auth.controller.js';
+import { createUserRouter } from './modules/user/user.controller.js';
+function normalizePrefix(prefix) {
+    if (!prefix)
+        return '';
+    const trimmed = prefix.trim();
+    if (!trimmed || trimmed === '/')
+        return '';
+    const withLeadingSlash = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
+    return withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+}
 export function createServer() {
     const app = express();
     app.use(cors());
     app.use(bodyParser.json());
     return app;
 }
-export function mountDefaultRoutes(app) {
-    const { createAuthRouter } = require('./modules/auth/auth.controller.js');
-    const { createUserRouter } = require('./modules/user/user.controller.js');
-    app.use('/auth', createAuthRouter());
-    app.use('/users', createUserRouter());
+export function createLibrary(config, deps) {
+    const router = Router();
+    const prefix = normalizePrefix(config.routesPrefix);
+    router.use(`${prefix}/auth`, createAuthRouter({ userRepo: deps.userRepo, ...config.auth }));
+    router.use(`${prefix}/users`, createUserRouter({ userRepo: deps.userRepo }));
+    return { router };
+}
+export function mountDefaultRoutes(app, deps, config = {}) {
+    const { router } = createLibrary(config, deps);
+    app.use(router);
 }

package/dist/middleware/hasRole.js

@@ -11,8 +11,7 @@ export function isSelfOrAdmin() {
     return (req, res, next) => {
         const uid = req.user?.id;
         const role = req.user?.role;
-        const paramId = Number(req.params.id);
-        if (role === 'ADMIN' || uid === paramId)
+        if (role === 'ADMIN' || String(uid) === req.params.id)
             return next();
         return res.status(403).json({ error: 'Forbidden' });
     };

package/dist/middleware/isAuth.d.ts

@@ -1,7 +1,7 @@
 import type { Request, Response, NextFunction } from 'express';
 export type AuthRequest = Request & {
     user?: {
-        id: number;
+        id: number | string;
         role: 'USER' | 'ADMIN';
     };
 };

package/dist/middleware.d.ts

@@ -0,0 +1,2 @@
+export { hasRole, isSelfOrAdmin } from './middleware/hasRole.js';
+export { isAuth, type AuthRequest } from './middleware/isAuth.js';

package/dist/middleware.js

@@ -0,0 +1,2 @@
+export { hasRole, isSelfOrAdmin } from './middleware/hasRole.js';
+export { isAuth } from './middleware/isAuth.js';

package/dist/modules/auth/auth.controller.d.ts

@@ -1 +1,2 @@
-export declare function createAuthRouter(): import("express-serve-static-core").Router;
+import type { AuthServiceDeps } from './auth.types.js';
+export declare function createAuthRouter(deps: AuthServiceDeps): import("express-serve-static-core").Router;

package/dist/modules/auth/auth.controller.js

@@ -1,20 +1,19 @@
 import { Router } from 'express';
-import { registerSchema, loginSchema } from './auth.schemas.js';
-import { registerUser, loginUser } from './auth.service.js';
-import { verifyToken, signAccessToken, signRefreshToken } from '../../utils/jwt.js';
 import { isAuth } from '../../middleware/isAuth.js';
-import { prisma } from '../../utils/prisma.js';
-export function createAuthRouter() {
+import { loginSchema, registerSchema } from './auth.schemas.js';
+import { makeAuthService } from './auth.service.js';
+export function createAuthRouter(deps) {
     const router = Router();
+    const service = makeAuthService(deps);
     router.post('/register', async (req, res) => {
         try {
             const data = registerSchema.parse(req.body);
-            const result = await registerUser(data);
+            const result = await service.registerUser(data);
             return res.status(201).json(result);
         }
         catch (err) {
             if (err?.message === 'EMAIL_TAKEN')
-                return res.status(409).json({ error: 'Email già registrata' });
+                return res.status(409).json({ error: 'Email already registered' });
             if (err?.issues)
                 return res.status(400).json({ error: 'ValidationError', details: err.issues });
             return res.status(500).json({ error: 'InternalError' });
@@ -23,12 +22,12 @@ export function createAuthRouter() {
     router.post('/login', async (req, res) => {
         try {
             const data = loginSchema.parse(req.body);
-            const result = await loginUser(data);
+            const result = await service.loginUser(data);
             return res.json(result);
         }
         catch (err) {
             if (err?.message === 'INVALID_CREDENTIALS')
-                return res.status(401).json({ error: 'Credenziali non valide' });
+                return res.status(401).json({ error: 'Invalid credentials' });
             if (err?.issues)
                 return res.status(400).json({ error: 'ValidationError', details: err.issues });
             return res.status(500).json({ error: 'InternalError' });
@@ -39,15 +38,8 @@ export function createAuthRouter() {
             const { refreshToken } = req.body;
             if (!refreshToken)
                 return res.status(400).json({ error: 'Missing refreshToken' });
-            const payload = verifyToken(refreshToken);
-            if (payload.typ !== 'refresh')
-                return res.status(401).json({ error: 'Invalid refresh token' });
-            const user = await prisma.user.findUnique({ where: { id: payload.sub }, select: { id: true, role: true } });
-            if (!user)
-                return res.status(401).json({ error: 'User not found' });
-            const accessToken = signAccessToken({ sub: user.id, role: user.role });
-            const newRefreshToken = signRefreshToken({ sub: user.id, role: user.role });
-            return res.json({ accessToken, refreshToken: newRefreshToken });
+            const tokens = await service.refreshSession(refreshToken);
+            return res.json(tokens);
         }
         catch {
             return res.status(401).json({ error: 'Invalid or expired refresh token' });
@@ -55,10 +47,7 @@ export function createAuthRouter() {
     });
     router.get('/me', isAuth, async (req, res) => {
         const userId = req.user.id;
-        const me = await prisma.user.findUnique({
-            where: { id: userId },
-            select: { id: true, email: true, name: true, role: true, profile: { select: { bio: true, avatarUrl: true } } },
-        });
+        const me = await service.getMe(userId);
         if (!me)
             return res.status(404).json({ error: 'User not found' });
         return res.json(me);

package/dist/modules/auth/auth.defaults.d.ts

@@ -0,0 +1,3 @@
+import type { Role } from '../user/user.types.js';
+export declare const DEFAULT_REGISTER_ROLE: Role;
+export declare function resolveRegisterRole(role?: Role): Role;

package/dist/modules/auth/auth.defaults.js

@@ -0,0 +1,4 @@
+export const DEFAULT_REGISTER_ROLE = 'USER';
+export function resolveRegisterRole(role) {
+    return role ?? DEFAULT_REGISTER_ROLE;
+}

package/dist/modules/auth/auth.service.d.ts

@@ -1,24 +1,8 @@
-import type { RegisterInput } from './auth.schemas.js';
-export declare function registerUser(params: RegisterInput): Promise<{
-    user: {
-        email: string;
-        name: string | null;
-        id: number;
-        role: import("@prisma/client").$Enums.Role;
-    };
-    accessToken: string;
-    refreshToken: string;
-}>;
-export declare function loginUser(params: {
-    email: string;
-    password: string;
-}): Promise<{
-    user: {
-        id: number;
-        email: string;
-        name: string | null;
-        role: import("@prisma/client").$Enums.Role;
-    };
-    accessToken: string;
-    refreshToken: string;
-}>;
+import type { LoginInput, RegisterInput } from './auth.schemas.js';
+import type { AuthResult, AuthServiceDeps, AuthTokens, AuthUser } from './auth.types.js';
+export declare function makeAuthService(deps: AuthServiceDeps): {
+    registerUser(params: RegisterInput): Promise<AuthResult>;
+    loginUser(params: LoginInput): Promise<AuthResult>;
+    refreshSession(refreshToken: string): Promise<AuthTokens>;
+    getMe(userId: number | string): Promise<AuthUser | null>;
+};

package/dist/modules/auth/auth.service.js

@@ -1,38 +1,60 @@
-import { prisma } from '../../utils/prisma.js';
 import bcrypt from 'bcryptjs';
-import { signAccessToken, signRefreshToken } from '../../utils/jwt.js';
-export async function registerUser(params) {
-    const exists = await prisma.user.findUnique({ where: { email: params.email } });
-    if (exists)
-        throw new Error('EMAIL_TAKEN');
-    const passwordHash = await bcrypt.hash(params.password, Number(process.env.BCRYPT_SALT) || 10);
-    const user = await prisma.user.create({
-        data: {
-            email: params.email,
-            passwordHash,
-            name: params.name ?? null,
-            role: 'ADMIN',
-            profile: { create: {} },
-        },
-        select: { id: true, email: true, name: true, role: true },
-    });
-    const accessToken = signAccessToken({ sub: user.id, role: user.role });
-    const refreshToken = signRefreshToken({ sub: user.id, role: user.role });
-    return { user, accessToken, refreshToken };
+import { signAccessToken, signRefreshToken, verifyToken } from '../../utils/jwt.js';
+import { resolveRegisterRole } from './auth.defaults.js';
+function resolvePasswordHashRounds(configured) {
+    const rounds = configured ?? Number(process.env.BCRYPT_SALT);
+    return Number.isInteger(rounds) && rounds > 0 ? rounds : 10;
+}
+function toAuthUser(user) {
+    const { passwordHash: _passwordHash, ...safeUser } = user;
+    return safeUser;
 }
-export async function loginUser(params) {
-    const user = await prisma.user.findUnique({ where: { email: params.email } });
-    if (!user)
-        throw new Error('INVALID_CREDENTIALS');
-    const ok = await bcrypt.compare(params.password, user.passwordHash);
-    if (!ok)
-        throw new Error('INVALID_CREDENTIALS');
+function issueTokens(user) {
     const payload = { sub: user.id, role: user.role };
-    const accessToken = signAccessToken(payload);
-    const refreshToken = signRefreshToken(payload);
     return {
-        user: { id: user.id, email: user.email, name: user.name, role: user.role },
-        accessToken,
-        refreshToken,
+        accessToken: signAccessToken(payload),
+        refreshToken: signRefreshToken(payload),
+    };
+}
+export function makeAuthService(deps) {
+    const { userRepo } = deps;
+    return {
+        async registerUser(params) {
+            const exists = await userRepo.findByEmail(params.email);
+            if (exists)
+                throw new Error('EMAIL_TAKEN');
+            const passwordHash = await bcrypt.hash(params.password, resolvePasswordHashRounds(deps.passwordHashRounds));
+            const role = resolveRegisterRole(deps.defaultRegisterRole);
+            const user = await userRepo.create({
+                email: params.email,
+                passwordHash,
+                name: params.name ?? null,
+                role,
+            });
+            const authUser = toAuthUser(user);
+            return { user: authUser, ...issueTokens(authUser) };
+        },
+        async loginUser(params) {
+            const user = await userRepo.findByEmail(params.email);
+            if (!user?.passwordHash)
+                throw new Error('INVALID_CREDENTIALS');
+            const ok = await bcrypt.compare(params.password, user.passwordHash);
+            if (!ok)
+                throw new Error('INVALID_CREDENTIALS');
+            const authUser = toAuthUser(user);
+            return { user: authUser, ...issueTokens(authUser) };
+        },
+        async refreshSession(refreshToken) {
+            const payload = verifyToken(refreshToken);
+            if (payload.typ !== 'refresh')
+                throw new Error('INVALID_REFRESH_TOKEN');
+            const user = await userRepo.findById(payload.sub);
+            if (!user)
+                throw new Error('USER_NOT_FOUND');
+            return issueTokens(user);
+        },
+        getMe(userId) {
+            return userRepo.findById(userId);
+        },
     };
 }

package/dist/modules/auth/auth.types.d.ts

@@ -1 +1,16 @@
-export {};
+import type { UserRepo } from '../../core/ports/user.repo.js';
+import type { Role, UserListItem } from '../user/user.types.js';
+export type AuthUserRepo = Pick<UserRepo, 'create' | 'findByEmail' | 'findById'>;
+export type AuthServiceDeps = {
+    userRepo: AuthUserRepo;
+    passwordHashRounds?: number;
+    defaultRegisterRole?: Role;
+};
+export type AuthUser = UserListItem;
+export type AuthTokens = {
+    accessToken: string;
+    refreshToken: string;
+};
+export type AuthResult = AuthTokens & {
+    user: AuthUser;
+};

package/dist/modules/user/user.schemas.d.ts

@@ -7,17 +7,17 @@ export declare const listUsersQuerySchema: z.ZodObject<{
     role: z.ZodOptional<z.ZodEnum<["USER", "ADMIN"]>>;
     sort: z.ZodDefault<z.ZodEnum<["createdAt:desc", "createdAt:asc", "updatedAt:asc", "updatedAt:desc", "email:asc", "email:desc", "name:asc", "name:desc"]>>;
 }, "strip", z.ZodTypeAny, {
-    sort: "createdAt:desc" | "createdAt:asc" | "updatedAt:asc" | "updatedAt:desc" | "email:asc" | "email:desc" | "name:asc" | "name:desc";
     page: number;
     pageSize: number;
-    search?: string | undefined;
+    sort: "createdAt:asc" | "createdAt:desc" | "updatedAt:asc" | "updatedAt:desc" | "email:asc" | "email:desc" | "name:asc" | "name:desc";
     role?: "USER" | "ADMIN" | undefined;
-}, {
-    sort?: "createdAt:desc" | "createdAt:asc" | "updatedAt:asc" | "updatedAt:desc" | "email:asc" | "email:desc" | "name:asc" | "name:desc" | undefined;
     search?: string | undefined;
+}, {
     role?: "USER" | "ADMIN" | undefined;
+    search?: string | undefined;
     page?: number | undefined;
     pageSize?: number | undefined;
+    sort?: "createdAt:asc" | "createdAt:desc" | "updatedAt:asc" | "updatedAt:desc" | "email:asc" | "email:desc" | "name:asc" | "name:desc" | undefined;
 }>;
 export declare const updateMeSchema: z.ZodObject<{
     name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
@@ -41,8 +41,8 @@ export declare const adminCreateUserSchema: z.ZodObject<{
     avatarUrl: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, "strip", z.ZodTypeAny, {
     email: string;
-    password: string;
     role: "USER" | "ADMIN";
+    password: string;
     name?: string | null | undefined;
     bio?: string | null | undefined;
     avatarUrl?: string | null | undefined;

package/dist/schemas.d.ts

@@ -0,0 +1,2 @@
+export { loginSchema, registerSchema } from './modules/auth/auth.schemas.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';

package/dist/schemas.js

@@ -0,0 +1,2 @@
+export { loginSchema, registerSchema } from './modules/auth/auth.schemas.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';

package/dist/user.d.ts

@@ -0,0 +1,5 @@
+export { createUserRouter } from './modules/user/user.controller.js';
+export { makeUserService } from './modules/user/user.service.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';
+export type { AdminCreateUserInput, AdminUpdateUserInput, ListUsersQuery, Paginated, Role, UpdateMeInput, UserListItem, } from './modules/user/user.types.js';
+export type { UserRepo } from './core/ports/user.repo.js';

package/dist/user.js

@@ -0,0 +1,3 @@
+export { createUserRouter } from './modules/user/user.controller.js';
+export { makeUserService } from './modules/user/user.service.js';
+export { SortEnum, adminCreateUserSchema, adminUpdateUserSchema, listUsersQuerySchema, updateMeSchema, } from './modules/user/user.schemas.js';

package/dist/utils/jwt.d.ts

@@ -1,5 +1,5 @@
 export type JwtPayload = {
-    sub: number;
+    sub: number | string;
     role: "USER" | "ADMIN";
     typ?: "refresh";
 };

package/dist/utils/jwt.js

@@ -1,15 +1,15 @@
 import jwt from "jsonwebtoken";
-import { JWT_ACCESS_EXPIRES_IN, JWT_REFRESH_EXPIRES_IN, JWT_SECRET } from "../config/env.js";
+import { getJwtSecret, JWT_ACCESS_EXPIRES_IN, JWT_REFRESH_EXPIRES_IN } from "../config/env.js";
 export function signAccessToken(payload) {
-    return jwt.sign(payload, JWT_SECRET, {
+    return jwt.sign(payload, getJwtSecret(), {
         expiresIn: JWT_ACCESS_EXPIRES_IN,
     });
 }
 export function signRefreshToken(payload) {
-    return jwt.sign({ ...payload, typ: "refresh" }, JWT_SECRET, {
+    return jwt.sign({ ...payload, typ: "refresh" }, getJwtSecret(), {
         expiresIn: JWT_REFRESH_EXPIRES_IN,
     });
 }
 export function verifyToken(token) {
-    return jwt.verify(token, JWT_SECRET);
+    return jwt.verify(token, getJwtSecret());
 }

package/examples/custom-repo/README.md

@@ -0,0 +1,5 @@
+# Custom Repository Example
+
+This example shows the shape of an app-owned `UserRepo`.
+
+It is intentionally in-memory and only useful for understanding the adapter contract. Use a real database in production.

package/examples/custom-repo/server.ts

@@ -0,0 +1,70 @@
+import { createLibrary, createServer, type UserRepo, type UserListItem } from 'my-crud-lib';
+
+type StoredUser = UserListItem & { passwordHash: string };
+
+const users = new Map<number, StoredUser>();
+let nextId = 1;
+
+const publicUser = (user: StoredUser): UserListItem => {
+  const { passwordHash: _passwordHash, ...safeUser } = user;
+  return safeUser;
+};
+
+const userRepo: UserRepo = {
+  async count() {
+    return users.size;
+  },
+  async findMany({ page, pageSize }) {
+    return [...users.values()].slice((page - 1) * pageSize, page * pageSize).map(publicUser);
+  },
+  async findById(id) {
+    const user = users.get(Number(id));
+    return user ? publicUser(user) : null;
+  },
+  async findByEmail(email) {
+    return [...users.values()].find((user) => user.email === email) ?? null;
+  },
+  async create(input) {
+    const now = new Date().toISOString();
+    const user: StoredUser = {
+      id: nextId++,
+      email: input.email,
+      passwordHash: input.passwordHash,
+      name: input.name ?? null,
+      role: input.role === 'ADMIN' ? 'ADMIN' : 'USER',
+      createdAt: now,
+      updatedAt: now,
+      profile: { bio: input.bio ?? null, avatarUrl: input.avatarUrl ?? null },
+    };
+    users.set(Number(user.id), user);
+    return publicUser(user);
+  },
+  async update(id, input) {
+    const user = users.get(Number(id));
+    if (!user) throw new Error('USER_NOT_FOUND');
+    const nextUser: StoredUser = {
+      ...user,
+      name: input.name ?? user.name,
+      role: input.role ?? user.role,
+      updatedAt: new Date().toISOString(),
+      profile: {
+        bio: input.bio ?? user.profile?.bio ?? null,
+        avatarUrl: input.avatarUrl ?? user.profile?.avatarUrl ?? null,
+      },
+    };
+    users.set(Number(id), nextUser);
+    return publicUser(nextUser);
+  },
+  async delete(id) {
+    users.delete(Number(id));
+  },
+  async updateMe(userId, input) {
+    return this.update(userId, input);
+  },
+};
+
+const app = createServer();
+const lib = createLibrary({ routesPrefix: '/api' }, { userRepo });
+
+app.use(lib.router);
+app.listen(3000, () => console.log('API running on http://localhost:3000'));

package/examples/express-prisma/.env.example

@@ -0,0 +1,6 @@
+DATABASE_URL="postgresql://app:app@localhost:5432/mycrud"
+JWT_SECRET="replace-with-a-long-random-secret"
+JWT_ACCESS_EXPIRES_IN="15m"
+JWT_REFRESH_EXPIRES_IN="7d"
+BCRYPT_SALT="10"
+PORT="3000"

package/examples/express-prisma/README.md

@@ -0,0 +1,25 @@
+# Express + Prisma Example
+
+Minimal app using `my-crud-lib` with Express and Prisma.
+
+## Setup
+
+```bash
+npm install
+cp .env.example .env
+npx prisma generate
+npx prisma migrate dev --name init
+npm run dev
+```
+
+The API starts on `http://localhost:3000`.
+
+## Routes
+
+- `POST /api/auth/register`
+- `POST /api/auth/login`
+- `POST /api/auth/refresh`
+- `GET /api/auth/me`
+- `GET /api/users/me`
+
+Use `Authorization: Bearer <accessToken>` for protected routes.

package/examples/express-prisma/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "my-crud-lib-express-prisma-example",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "tsx src/server.ts",
+    "prisma:generate": "prisma generate",
+    "prisma:migrate": "prisma migrate dev"
+  },
+  "dependencies": {
+    "@prisma/client": "^6.14.0",
+    "body-parser": "^1.20.2",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "my-crud-lib": "file:../.."
+  },
+  "devDependencies": {
+    "prisma": "^6.14.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.9.2"
+  }
+}

package/examples/express-prisma/prisma/schema.prisma

@@ -0,0 +1,32 @@
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+model User {
+  id           Int      @id @default(autoincrement())
+  email        String   @unique
+  passwordHash String
+  name         String?
+  role         Role     @default(USER)
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+  profile      Profile?
+}
+
+model Profile {
+  id        Int     @id @default(autoincrement())
+  userId    Int     @unique
+  bio       String?
+  avatarUrl String?
+  user      User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
+enum Role {
+  USER
+  ADMIN
+}

package/examples/express-prisma/src/server.ts

@@ -0,0 +1,25 @@
+import 'dotenv/config';
+import { PrismaClient } from '@prisma/client';
+import { createLibrary, createServer } from 'my-crud-lib';
+import { makePrismaUserRepo } from 'my-crud-lib/adapter-prisma';
+
+const prisma = new PrismaClient();
+const app = createServer();
+
+const lib = createLibrary(
+  {
+    routesPrefix: '/api',
+    auth: {
+      passwordHashRounds: Number(process.env.BCRYPT_SALT) || 10,
+    },
+  },
+  { userRepo: makePrismaUserRepo(prisma) },
+);
+
+app.use(lib.router);
+
+const port = Number(process.env.PORT) || 3000;
+
+app.listen(port, () => {
+  console.log(`API running on http://localhost:${port}`);
+});

package/package.json

@@ -1,24 +1,68 @@
 {
   "name": "my-crud-lib",
-  "version": "1.0.3",
-  "description": "Libreria CRUD modulare (Auth/User/Profile) con TS; Prisma opzionale via adapter",
+  "version": "2.0.0",
+  "description": "TypeScript auth and user/profile CRUD helpers for Express with Prisma and custom repository adapters",
   "license": "MIT",
+  "author": "Riccardo Sensi",
   "type": "module",
+  "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "keywords": [
+    "auth",
+    "authentication",
+    "express",
+    "prisma",
+    "jwt",
+    "zod",
+    "typescript",
+    "crud",
+    "user-management",
+    "repository-pattern"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/riccardosensi99/CRUD-lib.git"
+  },
+  "bugs": {
+    "url": "https://github.com/riccardosensi99/CRUD-lib/issues"
+  },
+  "homepage": "https://github.com/riccardosensi99/CRUD-lib#readme",
   "exports": {
     ".": {
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
     },
+    "./auth": {
+      "import": "./dist/auth.js",
+      "types": "./dist/auth.d.ts"
+    },
+    "./user": {
+      "import": "./dist/user.js",
+      "types": "./dist/user.d.ts"
+    },
+    "./schemas": {
+      "import": "./dist/schemas.js",
+      "types": "./dist/schemas.d.ts"
+    },
+    "./middleware": {
+      "import": "./dist/middleware.js",
+      "types": "./dist/middleware.d.ts"
+    },
     "./adapter-prisma": {
+      "import": "./dist/adapter-prisma.js",
+      "types": "./dist/adapter-prisma.d.ts"
+    },
+    "./adapters/prisma": {
       "import": "./dist/adapters/prisma.js",
       "types": "./dist/adapters/prisma.d.ts"
     }
   },
   "files": [
     "dist",
+    "examples",
     "README.md",
+    "RELEASE.md",
     "LICENSE",
     "prisma/schema.prisma"
   ],
@@ -29,7 +73,10 @@
     "schema": "prisma/schema.prisma"
   },
   "scripts": {
+    "prebuild": "node scripts/prisma-generate.mjs",
     "build": "tsc",
+    "test": "npm run build && node --test tests/*.test.mjs",
+    "ci": "npm test && npm run smoke:exports && npm run smoke:auth-hardening && npm run smoke:auth-service && npm --cache .npm-cache pack --dry-run",
     "start": "node dist/index.js",
     "dev": "node --loader ts-node/esm --no-warnings=ExperimentalWarning src/dev.ts",
     "dev:db:up": "docker-compose up -d",
@@ -38,6 +85,9 @@
     "prisma:migrate": "prisma migrate dev",
     "prisma:studio": "prisma studio",
     "prepublishOnly": "npm run build",
+    "smoke:exports": "npm run build && node scripts/smoke-public-api.mjs",
+    "smoke:auth-hardening": "npm run build && node scripts/smoke-auth-hardening.mjs",
+    "smoke:auth-service": "npm run build && node scripts/smoke-auth-service.mjs",
     "db:schema": "docker exec -i mycrud_postgres psql -U app -d mycrud -v ON_ERROR_STOP=1 -f /dev/stdin < prisma/schema.sql",
     "db:seed": "docker exec -i mycrud_postgres psql -U app -d mycrud -v ON_ERROR_STOP=1 -f /dev/stdin < prisma/seed.sql",
     "db:init": "npm run db:schema && npm run db:seed",