najm-auth 1.1.17 → 1.1.20

package/README.md

@@ -198,11 +198,13 @@ class PostController {
 ```typescript
 import { defineRoles } from 'najm-auth';
 
-const roles = defineRoles({
-  ADMIN: 'admin',
-  MODERATOR: 'moderator',
-  USER: 'user',
-});
+const roles = defineRoles({
+  ADMIN: 'admin',
+  MODERATOR: 'moderator',
+  USER: 'user',
+}, {
+  superRoles: ['ADMIN'],       // admin also passes moderator/user role guards
+});
 
 export const { isAdmin, isModerator, isUser } = roles;
 

package/dist/index.d.ts

@@ -683,8 +683,10 @@ declare class TokenService {
     validateRefreshSession(refreshToken: string): Promise<string>;
     /**
      * Read the refresh cookie and return the userId it belongs to.
-     * Validates against DB to ensure the session is still active.
-     * Throws if the cookie is missing, invalid, or revoked.
+     * Lightweight check: verifies JWT signature and ensures the user
+     * has an active session in the DB. Does NOT compare token hashes,
+     * so it is safe to call concurrently with token rotation.
+     * Throws if the cookie is missing, invalid, or the session was revoked.
      */
     resolveUserFromCookie(): Promise<string>;
     getUser(auth: string): Promise<any>;
@@ -860,6 +862,13 @@ declare class AuthService {
     getUserFromCookie(): Promise<SanitizedUser & {
         language: string;
     }>;
+    /**
+     * Get current user — prefer access token (no cookie rotation risk),
+     * fall back to cookie when no Authorization header is present.
+     */
+    getMe(authorization?: string): Promise<SanitizedUser & {
+        language: string;
+    }>;
     forgotPassword(email: string): Promise<{
         message: string;
     }>;
@@ -887,7 +896,7 @@ declare class AuthController {
     changePassword(userId: string, body: ChangePasswordDto): Promise<{
         message: string;
     }>;
-    userProfile(): Promise<Omit<{
+    userProfile(authorization?: string): Promise<Omit<{
         id: string;
         name: string;
         createdAt: string;
@@ -982,6 +991,13 @@ type RoleInput = string | string[];
 type IsGuards<T extends Record<string, string>> = {
     [K in keyof T as `is${Capitalize<Lowercase<string & K>>}`]: () => ClassDecorator & MethodDecorator;
 };
+interface DefineRolesOptions<T extends Record<string, string>> {
+    /**
+     * Role keys that should implicitly pass every generated role guard, group guard,
+     * and service-layer role check created by defineRoles.
+     */
+    superRoles?: Array<keyof T>;
+}
 interface DefineRolesResult<T extends Record<string, string>> {
     /** The original roles record */
     ROLES: T;
@@ -1001,6 +1017,8 @@ interface DefineRolesResult<T extends Record<string, string>> {
  *   ADMIN: 'admin',
  *   TEACHER: 'teacher',
  *   STUDENT: 'student',
+ * }, {
+ *   superRoles: ['ADMIN'],
  * });
  *
  * // HTTP guards
@@ -1010,7 +1028,7 @@ interface DefineRolesResult<T extends Record<string, string>> {
  * if (hasRole(user.role, 'ADMIN', 'TEACHER')) { ... }
  * ```
  */
-declare function defineRoles<T extends Record<string, string>>(roles: T): DefineRolesResult<T> & IsGuards<T>;
+declare function defineRoles<T extends Record<string, string>>(roles: T, options?: DefineRolesOptions<T>): DefineRolesResult<T> & IsGuards<T>;
 
 declare class RoleGuard {
     canActivate(allowedRoles: RoleInput, userRole: string): false | {
@@ -1818,4 +1836,4 @@ declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
  */
 declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
 
-export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };
+export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type DefineRolesOptions, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, setConfiguredCookieName, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };

package/dist/index.js

@@ -1408,24 +1408,28 @@ var TokenService = class TokenService2 {
     }
     const isValid = this.hashToken(refreshToken) === stored.token;
     if (!isValid) {
-      if (stored.tokenFamily) {
-        await this.tokenRepository.revokeByFamily(stored.tokenFamily);
-      }
       Err5(this.t("errors.refreshTokenInvalid"));
     }
     return userId;
   }
   /**
    * Read the refresh cookie and return the userId it belongs to.
-   * Validates against DB to ensure the session is still active.
-   * Throws if the cookie is missing, invalid, or revoked.
+   * Lightweight check: verifies JWT signature and ensures the user
+   * has an active session in the DB. Does NOT compare token hashes,
+   * so it is safe to call concurrently with token rotation.
+   * Throws if the cookie is missing, invalid, or the session was revoked.
    */
   async resolveUserFromCookie() {
     const refreshToken = this.cookieManager.getRefreshToken();
     if (!refreshToken) {
       Err5(this.t("errors.refreshTokenMissing"));
     }
-    return this.validateRefreshSession(refreshToken);
+    const userId = this.verifyRefreshToken(refreshToken);
+    const stored = await this.tokenRepository.getRefreshTokenWithFamily(userId);
+    if (!stored) {
+      Err5(this.t("errors.refreshTokenInvalid"));
+    }
+    return userId;
   }
   // ============ USER RETRIEVAL (MAIN METHOD) ============
   async getUser(auth2) {
@@ -1552,9 +1556,6 @@ var TokenService = class TokenService2 {
     }
     const isValid = this.hashToken(refreshToken) === stored.token;
     if (!isValid) {
-      if (stored.tokenFamily) {
-        await this.tokenRepository.revokeByFamily(stored.tokenFamily);
-      }
       Err5(this.t("errors.refreshTokenInvalid"));
     }
     return this.generateTokens(userId, stored.tokenFamily ?? void 0);
@@ -1758,6 +1759,20 @@ var AuthService = class AuthService2 {
     const lang = this.i18nService.getCurrentLanguage();
     return { ...user, language: lang };
   }
+  /**
+   * Get current user — prefer access token (no cookie rotation risk),
+   * fall back to cookie when no Authorization header is present.
+   */
+  async getMe(authorization) {
+    if (authorization) {
+      const user = await this.tokenService.getUser(authorization);
+      if (user) {
+        const lang = this.i18nService.getCurrentLanguage();
+        return { ...user, language: lang };
+      }
+    }
+    return this.getUserFromCookie();
+  }
   async forgotPassword(email2) {
     const user = await this.userService.findByEmail(email2);
     if (user) {
@@ -1966,8 +1981,8 @@ var AuthController = class AuthController2 {
   async changePassword(userId, body) {
     return this.authService.changePassword(userId, body.currentPassword, body.newPassword);
   }
-  async userProfile() {
-    return this.authService.getUserFromCookie();
+  async userProfile(authorization) {
+    return this.authService.getMe(authorization);
   }
   async forgotPassword(body) {
     return this.authService.forgotPassword(body.email);
@@ -2029,8 +2044,9 @@ __decorate13([
   Get("/me"),
   RateLimit({ limit: 30, window: "1m", key: cookieFingerprint() }),
   ResMsg("auth.users.success.retrieved"),
+  __param3(0, Headers("authorization")),
   __metadata13("design:type", Function),
-  __metadata13("design:paramtypes", []),
+  __metadata13("design:paramtypes", [String]),
   __metadata13("design:returntype", Promise)
 ], AuthController.prototype, "userProfile", null);
 __decorate13([
@@ -2299,15 +2315,21 @@ var isAdministrator = composeGuards(isAuth(), Role(ROLE_GROUPS.ADMINISTRATORS));
 
 // src/roles/defineRoles.ts
 var Role2 = createGuard3(RoleGuard);
-function defineRoles(roles) {
+function defineRoles(roles, options) {
   const ROLES2 = roles;
+  const superRoleKeys = options?.superRoles ?? [];
+  function resolveRoleValues(keys) {
+    return Array.from(new Set([...keys, ...superRoleKeys].map((key) => roles[key])));
+  }
+  __name(resolveRoleValues, "resolveRoleValues");
   const guards2 = {};
   for (const [key, value] of Object.entries(roles)) {
     const name = `is${key.charAt(0).toUpperCase()}${key.slice(1).toLowerCase()}`;
-    guards2[name] = composeGuards2(isAuth(), Role2(value));
+    const allowedValues = resolveRoleValues([key]);
+    guards2[name] = composeGuards2(isAuth(), Role2(allowedValues.length === 1 ? value : allowedValues));
   }
   function createGroupGuard(keys) {
-    const values = keys.map((k) => roles[k]);
+    const values = resolveRoleValues(keys);
     return composeGuards2(isAuth(), Role2(values));
   }
   __name(createGroupGuard, "createGroupGuard");
@@ -2315,7 +2337,7 @@ function defineRoles(roles) {
     if (!userRole)
       return false;
     const normalized = userRole.toLowerCase();
-    return keys.some((k) => roles[k] === normalized);
+    return resolveRoleValues(keys).some((role) => role === normalized);
   }
   __name(hasRole, "hasRole");
   function isInGroup(userRole, keys) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.17",
+  "version": "1.1.20",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [