npm - najm-auth - Versions diffs - 1.1.16 → 1.1.19 - Mend

najm-auth 1.1.16 → 1.1.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -198,11 +198,13 @@ class PostController {
 ```typescript
 import { defineRoles } from 'najm-auth';
-const roles = defineRoles({
-  ADMIN: 'admin',
-  MODERATOR: 'moderator',
-  USER: 'user',
-});
+const roles = defineRoles({
+  ADMIN: 'admin',
+  MODERATOR: 'moderator',
+  USER: 'user',
+}, {
+  superRoles: ['ADMIN'],       // admin also passes moderator/user role guards
+});
 export const { isAdmin, isModerator, isUser } = roles;

package/dist/index.d.ts CHANGED Viewed

@@ -403,7 +403,7 @@ declare class UserValidator {
         emailVerified: boolean;
         password: string;
         image: string;
-        status: "active" | "inactive" | "pending";
+        status: "active" | "pending" | "inactive";
         roleId: string;
         lastLogin: string;
         failedLoginAttempts: number;
@@ -423,7 +423,7 @@ declare class UserValidator {
         emailVerified: boolean;
         password: string;
         image: string;
-        status: "active" | "inactive" | "pending";
+        status: "active" | "pending" | "inactive";
         roleId: string;
         lastLogin: string;
         failedLoginAttempts: number;
@@ -771,8 +771,8 @@ declare const createUserDto: z.ZodObject<{
     emailVerified: z.ZodDefault<z.ZodBoolean>;
     status: z.ZodOptional<z.ZodEnum<{
         active: "active";
-        inactive: "inactive";
         pending: "pending";
+        inactive: "inactive";
     }>>;
 }, z.core.$strip>;
 declare const updateUserDto: z.ZodObject<{
@@ -784,8 +784,8 @@ declare const updateUserDto: z.ZodObject<{
     emailVerified: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
     status: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
         active: "active";
-        inactive: "inactive";
         pending: "pending";
+        inactive: "inactive";
     }>>>;
 }, z.core.$strip>;
 declare const userIdParam: z.ZodObject<{
@@ -860,6 +860,13 @@ declare class AuthService {
     getUserFromCookie(): Promise<SanitizedUser & {
         language: string;
     }>;
+    /**
+     * Get current user — prefer access token (no cookie rotation risk),
+     * fall back to cookie when no Authorization header is present.
+     */
+    getMe(authorization?: string): Promise<SanitizedUser & {
+        language: string;
+    }>;
     forgotPassword(email: string): Promise<{
         message: string;
     }>;
@@ -887,7 +894,7 @@ declare class AuthController {
     changePassword(userId: string, body: ChangePasswordDto): Promise<{
         message: string;
     }>;
-    userProfile(): Promise<Omit<{
+    userProfile(authorization?: string): Promise<Omit<{
         id: string;
         name: string;
         createdAt: string;
@@ -896,7 +903,7 @@ declare class AuthController {
         emailVerified: boolean;
         password: string;
         image: string;
-        status: "active" | "inactive" | "pending";
+        status: "active" | "pending" | "inactive";
         roleId: string;
         lastLogin: string;
         failedLoginAttempts: number;
@@ -982,6 +989,13 @@ type RoleInput = string | string[];
 type IsGuards<T extends Record<string, string>> = {
     [K in keyof T as `is${Capitalize<Lowercase<string & K>>}`]: () => ClassDecorator & MethodDecorator;
 };
+interface DefineRolesOptions<T extends Record<string, string>> {
+    /**
+     * Role keys that should implicitly pass every generated role guard, group guard,
+     * and service-layer role check created by defineRoles.
+     */
+    superRoles?: Array<keyof T>;
+}
 interface DefineRolesResult<T extends Record<string, string>> {
     /** The original roles record */
     ROLES: T;
@@ -1001,6 +1015,8 @@ interface DefineRolesResult<T extends Record<string, string>> {
  *   ADMIN: 'admin',
  *   TEACHER: 'teacher',
  *   STUDENT: 'student',
+ * }, {
+ *   superRoles: ['ADMIN'],
  * });
  *
  * // HTTP guards
@@ -1010,7 +1026,7 @@ interface DefineRolesResult<T extends Record<string, string>> {
  * if (hasRole(user.role, 'ADMIN', 'TEACHER')) { ... }
  * ```
  */
-declare function defineRoles<T extends Record<string, string>>(roles: T): DefineRolesResult<T> & IsGuards<T>;
+declare function defineRoles<T extends Record<string, string>>(roles: T, options?: DefineRolesOptions<T>): DefineRolesResult<T> & IsGuards<T>;
 declare class RoleGuard {
     canActivate(allowedRoles: RoleInput, userRole: string): false | {
@@ -1818,4 +1834,4 @@ declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
  */
 declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
-export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };
+export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type DefineRolesOptions, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };

package/dist/index.js CHANGED Viewed

@@ -32,9 +32,9 @@ var baseFields = /* @__PURE__ */ __name((idLength = 5) => ({
   createdAt: timestamp("created_at", { mode: "string" }).defaultNow(),
   updatedAt: timestamp("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql`CURRENT_TIMESTAMP`)
 }), "baseFields");
-var userStatusEnum = pgEnum("user_status", USER_STATUS);
-var tokenStatusEnum = pgEnum("token_status", TOKEN_STATUS);
-var tokenTypeEnum = pgEnum("token_type", TOKEN_TYPE);
+var userStatusEnum = pgEnum("userStatus", USER_STATUS);
+var tokenStatusEnum = pgEnum("tokenStatus", TOKEN_STATUS);
+var tokenTypeEnum = pgEnum("tokenType", TOKEN_TYPE);
 var rolesTable = pgTable("roles", {
   ...baseFields(5),
   name: text("name").notNull(),
@@ -1758,6 +1758,20 @@ var AuthService = class AuthService2 {
     const lang = this.i18nService.getCurrentLanguage();
     return { ...user, language: lang };
   }
+  /**
+   * Get current user — prefer access token (no cookie rotation risk),
+   * fall back to cookie when no Authorization header is present.
+   */
+  async getMe(authorization) {
+    if (authorization) {
+      const user = await this.tokenService.getUser(authorization);
+      if (user) {
+        const lang = this.i18nService.getCurrentLanguage();
+        return { ...user, language: lang };
+      }
+    }
+    return this.getUserFromCookie();
+  }
   async forgotPassword(email2) {
     const user = await this.userService.findByEmail(email2);
     if (user) {
@@ -1966,8 +1980,8 @@ var AuthController = class AuthController2 {
   async changePassword(userId, body) {
     return this.authService.changePassword(userId, body.currentPassword, body.newPassword);
   }
-  async userProfile() {
-    return this.authService.getUserFromCookie();
+  async userProfile(authorization) {
+    return this.authService.getMe(authorization);
   }
   async forgotPassword(body) {
     return this.authService.forgotPassword(body.email);
@@ -2029,8 +2043,9 @@ __decorate13([
   Get("/me"),
   RateLimit({ limit: 30, window: "1m", key: cookieFingerprint() }),
   ResMsg("auth.users.success.retrieved"),
+  __param3(0, Headers("authorization")),
   __metadata13("design:type", Function),
-  __metadata13("design:paramtypes", []),
+  __metadata13("design:paramtypes", [String]),
   __metadata13("design:returntype", Promise)
 ], AuthController.prototype, "userProfile", null);
 __decorate13([
@@ -2299,15 +2314,21 @@ var isAdministrator = composeGuards(isAuth(), Role(ROLE_GROUPS.ADMINISTRATORS));
 // src/roles/defineRoles.ts
 var Role2 = createGuard3(RoleGuard);
-function defineRoles(roles) {
+function defineRoles(roles, options) {
   const ROLES2 = roles;
+  const superRoleKeys = options?.superRoles ?? [];
+  function resolveRoleValues(keys) {
+    return Array.from(new Set([...keys, ...superRoleKeys].map((key) => roles[key])));
+  }
+  __name(resolveRoleValues, "resolveRoleValues");
   const guards2 = {};
   for (const [key, value] of Object.entries(roles)) {
     const name = `is${key.charAt(0).toUpperCase()}${key.slice(1).toLowerCase()}`;
-    guards2[name] = composeGuards2(isAuth(), Role2(value));
+    const allowedValues = resolveRoleValues([key]);
+    guards2[name] = composeGuards2(isAuth(), Role2(allowedValues.length === 1 ? value : allowedValues));
   }
   function createGroupGuard(keys) {
-    const values = keys.map((k) => roles[k]);
+    const values = resolveRoleValues(keys);
     return composeGuards2(isAuth(), Role2(values));
   }
   __name(createGroupGuard, "createGroupGuard");
@@ -2315,7 +2336,7 @@ function defineRoles(roles) {
     if (!userRole)
       return false;
     const normalized = userRole.toLowerCase();
-    return keys.some((k) => roles[k] === normalized);
+    return resolveRoleValues(keys).some((role) => role === normalized);
   }
   __name(hasRole, "hasRole");
   function isInGroup(userRole, keys) {

package/dist/schema/mysql.d.ts CHANGED Viewed

@@ -198,7 +198,7 @@ declare const usersTable: drizzle_orm_mysql_core.MySqlTableWithColumns<{
             tableName: "users";
             dataType: "string";
             columnType: "MySqlEnumColumn";
-            data: "active" | "inactive" | "pending";
+            data: "active" | "pending" | "inactive";
             driverParam: string;
             notNull: false;
             hasDefault: true;
@@ -780,7 +780,7 @@ declare const authSchema: {
                 tableName: "users";
                 dataType: "string";
                 columnType: "MySqlEnumColumn";
-                data: "active" | "inactive" | "pending";
+                data: "active" | "pending" | "inactive";
                 driverParam: string;
                 notNull: false;
                 hasDefault: true;

package/dist/schema/pg.d.ts CHANGED Viewed

@@ -201,7 +201,7 @@ declare const usersTable: drizzle_orm_pg_core.PgTableWithColumns<{
             tableName: "users";
             dataType: "string";
             columnType: "PgEnumColumn";
-            data: "active" | "inactive" | "pending";
+            data: "active" | "pending" | "inactive";
             driverParam: string;
             notNull: false;
             hasDefault: true;
@@ -783,7 +783,7 @@ declare const authSchema: {
                 tableName: "users";
                 dataType: "string";
                 columnType: "PgEnumColumn";
-                data: "active" | "inactive" | "pending";
+                data: "active" | "pending" | "inactive";
                 driverParam: string;
                 notNull: false;
                 hasDefault: true;

package/dist/schema/pg.js CHANGED Viewed

@@ -17,9 +17,9 @@ var baseFields = /* @__PURE__ */ __name((idLength = 5) => ({
   createdAt: timestamp("created_at", { mode: "string" }).defaultNow(),
   updatedAt: timestamp("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql`CURRENT_TIMESTAMP`)
 }), "baseFields");
-var userStatusEnum = pgEnum("user_status", USER_STATUS);
-var tokenStatusEnum = pgEnum("token_status", TOKEN_STATUS);
-var tokenTypeEnum = pgEnum("token_type", TOKEN_TYPE);
+var userStatusEnum = pgEnum("userStatus", USER_STATUS);
+var tokenStatusEnum = pgEnum("tokenStatus", TOKEN_STATUS);
+var tokenTypeEnum = pgEnum("tokenType", TOKEN_TYPE);
 var rolesTable = pgTable("roles", {
   ...baseFields(5),
   name: text("name").notNull(),

package/dist/schema/sqlite.d.ts CHANGED Viewed

@@ -216,7 +216,7 @@ declare const usersTable: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
             tableName: "users";
             dataType: "string";
             columnType: "SQLiteText";
-            data: "active" | "inactive" | "pending";
+            data: "active" | "pending" | "inactive";
             driverParam: string;
             notNull: false;
             hasDefault: true;
@@ -229,7 +229,7 @@ declare const usersTable: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
             generated: undefined;
         }, {}, {
             length: number;
-            $type: "active" | "inactive" | "pending";
+            $type: "active" | "pending" | "inactive";
         }>;
         roleId: drizzle_orm_sqlite_core.SQLiteColumn<{
             name: "role_id";
@@ -899,7 +899,7 @@ declare const authSchema: {
                 tableName: "users";
                 dataType: "string";
                 columnType: "SQLiteText";
-                data: "active" | "inactive" | "pending";
+                data: "active" | "pending" | "inactive";
                 driverParam: string;
                 notNull: false;
                 hasDefault: true;
@@ -912,7 +912,7 @@ declare const authSchema: {
                 generated: undefined;
             }, {}, {
                 length: number;
-                $type: "active" | "inactive" | "pending";
+                $type: "active" | "pending" | "inactive";
             }>;
             roleId: drizzle_orm_sqlite_core.SQLiteColumn<{
                 name: "role_id";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.16",
+  "version": "1.1.19",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [