navojit-auth 1.0.0

package/dist/index.d.mts

@@ -0,0 +1,100 @@
+import { FastifyRequest, FastifyReply, FastifyInstance } from 'fastify';
+
+interface User {
+    id: string;
+    email: string;
+    passwordHash: string;
+    orgId: string;
+    role: string;
+}
+interface AuthAdapter {
+    getUserByEmail(email: string, orgId: string): Promise<User | null>;
+    createUser(data: Omit<User, "id">): Promise<User>;
+}
+interface AuthProvider {
+    id: string;
+    name: string;
+    handle(body: any): Promise<User | null>;
+    handleAction?(action: string, body: any): Promise<any>;
+    getRedirectUrl?(): string;
+}
+interface NavojitAuthConfig {
+    adapter: AuthAdapter;
+    jwtSecret: string;
+    providers: AuthProvider[];
+}
+declare module "@fastify/jwt" {
+    interface FastifyJWT {
+        payload: {
+            sub: string;
+            role: string;
+            orgId: string;
+        };
+        user: {
+            sub: string;
+            role: string;
+            orgId: string;
+        };
+    }
+}
+
+/**
+ * 1. Credentials Provider
+ * Standard Email/Password authentication using Argon2 hashing.
+ */
+declare class CredentialsProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    constructor(adapter: AuthAdapter);
+    handle(body: any): Promise<User | null>;
+}
+/**
+ * 2. Google Social Provider
+ * Handles One-Click login/registration using Google OAuth2.
+ */
+declare class GoogleProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    private client;
+    constructor(adapter: AuthAdapter);
+    handle(body: any): Promise<User | null>;
+}
+/**
+ * 3. OTP Provider
+ * Passwordless login with 6-digit codes sent via Real Email (Resend).
+ */
+declare class OTPProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    private otpStore;
+    constructor(adapter: AuthAdapter);
+    handleAction(action: string, body: any): Promise<any>;
+    handle(body: any): Promise<User | null>;
+}
+
+declare class DrizzleAdapter implements AuthAdapter {
+    getUserByEmail(email: string, orgId: string): Promise<User | null>;
+    createUser(data: Omit<User, "id">): Promise<User>;
+}
+
+declare const authorize: (allowedRoles: string[]) => (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;
+
+/**
+ * NavojitAuth Engine
+ * Attach this class to your Fastify instance to enable multi-tenant auth.
+ */
+declare class NavojitAuth {
+    private config;
+    constructor(config: NavojitAuthConfig);
+    /**
+     * Automatically registers all auth routes (login, register, refresh, logout, etc.)
+     * @param server Fastify Instance
+     * @param prefix URL prefix for auth routes (default: /auth)
+     */
+    attach(server: FastifyInstance, prefix?: string): void;
+}
+
+export { type AuthAdapter, type AuthProvider, CredentialsProvider, DrizzleAdapter, GoogleProvider, NavojitAuth, type NavojitAuthConfig, OTPProvider, type User, authorize };

package/dist/index.d.ts

@@ -0,0 +1,100 @@
+import { FastifyRequest, FastifyReply, FastifyInstance } from 'fastify';
+
+interface User {
+    id: string;
+    email: string;
+    passwordHash: string;
+    orgId: string;
+    role: string;
+}
+interface AuthAdapter {
+    getUserByEmail(email: string, orgId: string): Promise<User | null>;
+    createUser(data: Omit<User, "id">): Promise<User>;
+}
+interface AuthProvider {
+    id: string;
+    name: string;
+    handle(body: any): Promise<User | null>;
+    handleAction?(action: string, body: any): Promise<any>;
+    getRedirectUrl?(): string;
+}
+interface NavojitAuthConfig {
+    adapter: AuthAdapter;
+    jwtSecret: string;
+    providers: AuthProvider[];
+}
+declare module "@fastify/jwt" {
+    interface FastifyJWT {
+        payload: {
+            sub: string;
+            role: string;
+            orgId: string;
+        };
+        user: {
+            sub: string;
+            role: string;
+            orgId: string;
+        };
+    }
+}
+
+/**
+ * 1. Credentials Provider
+ * Standard Email/Password authentication using Argon2 hashing.
+ */
+declare class CredentialsProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    constructor(adapter: AuthAdapter);
+    handle(body: any): Promise<User | null>;
+}
+/**
+ * 2. Google Social Provider
+ * Handles One-Click login/registration using Google OAuth2.
+ */
+declare class GoogleProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    private client;
+    constructor(adapter: AuthAdapter);
+    handle(body: any): Promise<User | null>;
+}
+/**
+ * 3. OTP Provider
+ * Passwordless login with 6-digit codes sent via Real Email (Resend).
+ */
+declare class OTPProvider implements AuthProvider {
+    private adapter;
+    id: string;
+    name: string;
+    private otpStore;
+    constructor(adapter: AuthAdapter);
+    handleAction(action: string, body: any): Promise<any>;
+    handle(body: any): Promise<User | null>;
+}
+
+declare class DrizzleAdapter implements AuthAdapter {
+    getUserByEmail(email: string, orgId: string): Promise<User | null>;
+    createUser(data: Omit<User, "id">): Promise<User>;
+}
+
+declare const authorize: (allowedRoles: string[]) => (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;
+
+/**
+ * NavojitAuth Engine
+ * Attach this class to your Fastify instance to enable multi-tenant auth.
+ */
+declare class NavojitAuth {
+    private config;
+    constructor(config: NavojitAuthConfig);
+    /**
+     * Automatically registers all auth routes (login, register, refresh, logout, etc.)
+     * @param server Fastify Instance
+     * @param prefix URL prefix for auth routes (default: /auth)
+     */
+    attach(server: FastifyInstance, prefix?: string): void;
+}
+
+export { type AuthAdapter, type AuthProvider, CredentialsProvider, DrizzleAdapter, GoogleProvider, NavojitAuth, type NavojitAuthConfig, OTPProvider, type User, authorize };

package/dist/index.js

@@ -0,0 +1,322 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CredentialsProvider: () => CredentialsProvider,
+  DrizzleAdapter: () => DrizzleAdapter,
+  GoogleProvider: () => GoogleProvider,
+  NavojitAuth: () => NavojitAuth,
+  OTPProvider: () => OTPProvider,
+  authorize: () => authorize
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/db/index.ts
+var import_postgres_js = require("drizzle-orm/postgres-js");
+var import_postgres = __toESM(require("postgres"));
+
+// src/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  organizations: () => organizations,
+  refreshTokens: () => refreshTokens,
+  roleEnum: () => roleEnum,
+  users: () => users
+});
+var import_pg_core = require("drizzle-orm/pg-core");
+var roleEnum = (0, import_pg_core.pgEnum)("role", ["owner", "admin", "member", "guest"]);
+var organizations = (0, import_pg_core.pgTable)("organizations", {
+  id: (0, import_pg_core.uuid)("id").primaryKey().defaultRandom(),
+  name: (0, import_pg_core.varchar)("name", { length: 255 }).notNull(),
+  slug: (0, import_pg_core.varchar)("slug", { length: 255 }).unique().notNull(),
+  createdAt: (0, import_pg_core.timestamp)("created_at").defaultNow().notNull()
+});
+var users = (0, import_pg_core.pgTable)("users", {
+  id: (0, import_pg_core.uuid)("id").primaryKey().defaultRandom(),
+  orgId: (0, import_pg_core.uuid)("org_id").references(() => organizations.id).notNull(),
+  email: (0, import_pg_core.varchar)("email", { length: 255 }).unique().notNull(),
+  passwordHash: (0, import_pg_core.varchar)("password_hash", { length: 255 }).notNull(),
+  role: roleEnum("role").default("member").notNull(),
+  createdAt: (0, import_pg_core.timestamp)("created_at").defaultNow().notNull()
+});
+var refreshTokens = (0, import_pg_core.pgTable)("refresh_tokens", {
+  id: (0, import_pg_core.uuid)("id").primaryKey().defaultRandom(),
+  userId: (0, import_pg_core.uuid)("user_id").references(() => users.id).notNull(),
+  token: (0, import_pg_core.varchar)("token", { length: 500 }).unique().notNull(),
+  revoked: (0, import_pg_core.boolean)("revoked").default(false).notNull(),
+  expiresAt: (0, import_pg_core.timestamp)("expires_at").notNull()
+});
+
+// src/db/index.ts
+var dotenv = __toESM(require("dotenv"));
+dotenv.config();
+var client = (0, import_postgres.default)(process.env.DATABASE_URL, { max: 1 });
+var db = (0, import_postgres_js.drizzle)(client, { schema: schema_exports });
+
+// src/routes/auth.ts
+var import_drizzle_orm = require("drizzle-orm");
+var import_argon2 = __toESM(require("argon2"));
+var import_zod = require("zod");
+var RegisterSchema = import_zod.z.object({
+  email: import_zod.z.string().email(),
+  password: import_zod.z.string().min(8),
+  orgName: import_zod.z.string().min(2),
+  role: import_zod.z.enum(["owner", "admin", "member", "guest"]).optional()
+});
+function createAuthRoutes(config2) {
+  return async function authRoutes(server) {
+    server.post("/register", async (request, reply) => {
+      const result = RegisterSchema.safeParse(request.body);
+      if (!result.success)
+        return reply.code(400).send({ errors: result.error.format() });
+      const { email, password, orgName, role } = result.data;
+      try {
+        let [org] = await db.select().from(organizations).where((0, import_drizzle_orm.eq)(organizations.name, orgName)).limit(1);
+        if (!org) {
+          [org] = await db.insert(organizations).values({
+            name: orgName,
+            slug: orgName.toLowerCase().replace(/\s/g, "-")
+          }).returning();
+        }
+        const hash = await import_argon2.default.hash(password);
+        const user = await config2.adapter.createUser({
+          email,
+          passwordHash: hash,
+          orgId: org.id,
+          role: role || "member"
+        });
+        return reply.send({ success: true, userId: user.id, orgId: org.id });
+      } catch (err) {
+        return reply.code(500).send({ error: "Registration failed", details: err.message });
+      }
+    });
+    server.post("/login/:providerId", async (request, reply) => {
+      const { providerId } = request.params;
+      const provider = config2.providers.find((p) => p.id === providerId);
+      if (!provider) return reply.code(400).send({ error: "Invalid Provider" });
+      const user = await provider.handle(request.body);
+      if (!user) return reply.code(401).send({ error: "Unauthorized" });
+      const accessToken = server.jwt.sign(
+        { sub: user.id, role: user.role, orgId: user.orgId },
+        { expiresIn: "15m" }
+      );
+      const refreshToken = server.jwt.sign(
+        { sub: user.id, role: user.role, orgId: user.orgId },
+        { expiresIn: "7d" }
+      );
+      await db.insert(refreshTokens).values({
+        userId: user.id,
+        token: refreshToken,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      return reply.send({
+        success: true,
+        access_token: accessToken,
+        refresh_token: refreshToken
+      });
+    });
+    server.post("/logout", async (request, reply) => {
+      const { refresh_token } = request.body;
+      if (refresh_token) {
+        await db.update(refreshTokens).set({ revoked: true }).where((0, import_drizzle_orm.eq)(refreshTokens.token, refresh_token));
+      }
+      return reply.send({
+        success: true,
+        message: "Logged out from all devices"
+      });
+    });
+  };
+}
+
+// src/core/types.ts
+var import_jwt = require("@fastify/jwt");
+
+// src/core/providers.ts
+var import_argon22 = __toESM(require("argon2"));
+var import_google_auth_library = require("google-auth-library");
+var import_resend = require("resend");
+var resend = new import_resend.Resend(process.env.RESEND_API_KEY);
+var CredentialsProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "credentials";
+  name = "Email/Password";
+  async handle(body) {
+    const { email, password, orgId } = body;
+    const user = await this.adapter.getUserByEmail(email, orgId);
+    if (user && await import_argon22.default.verify(user.passwordHash, password)) {
+      return user;
+    }
+    return null;
+  }
+};
+var GoogleProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "google";
+  name = "Google";
+  client = new import_google_auth_library.OAuth2Client(process.env.GOOGLE_CLIENT_ID);
+  async handle(body) {
+    const { idToken, orgId } = body;
+    try {
+      const ticket = await this.client.verifyIdToken({
+        idToken,
+        audience: process.env.GOOGLE_CLIENT_ID
+      });
+      const payload = ticket.getPayload();
+      if (!payload || !payload.email) return null;
+      let user = await this.adapter.getUserByEmail(payload.email, orgId);
+      if (!user) {
+        user = await this.adapter.createUser({
+          email: payload.email,
+          passwordHash: "SOCIAL_AUTH_EXTERNAL",
+          // Placeholder for social users
+          orgId,
+          role: "member"
+        });
+      }
+      return user;
+    } catch (error) {
+      console.error("[AUTH] Google Verification Failed:", error);
+      return null;
+    }
+  }
+};
+var OTPProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "otp";
+  name = "OTP";
+  otpStore = /* @__PURE__ */ new Map();
+  async handleAction(action, body) {
+    if (action === "send") {
+      const otp = Math.floor(1e5 + Math.random() * 9e5).toString();
+      this.otpStore.set(body.email, { otp, expires: Date.now() + 3e5 });
+      if (process.env.RESEND_API_KEY) {
+        try {
+          await resend.emails.send({
+            from: "Navojit Auth <no-reply@navojit.io>",
+            // Apne verified domain se replace karein
+            to: body.email,
+            subject: "Your Security Code",
+            html: `<div style="font-family: sans-serif; padding: 20px;">
+                    <h2>Verification Code</h2>
+                    <p>Use the following code to sign in to your account:</p>
+                    <h1 style="color: #4F46E5;">${otp}</h1>
+                    <p>This code expires in 5 minutes.</p>
+                   </div>`
+          });
+        } catch (error) {
+          console.error("[AUTH] Email Delivery Failed:", error);
+        }
+      }
+      console.log(`[AUTH] OTP for ${body.email}: ${otp}`);
+      return { success: true, message: "OTP sent successfully" };
+    }
+    return { success: false, message: "Invalid action" };
+  }
+  async handle(body) {
+    const { email, otp, orgId } = body;
+    const record = this.otpStore.get(email);
+    if (record && record.otp === otp && record.expires > Date.now()) {
+      this.otpStore.delete(email);
+      return await this.adapter.getUserByEmail(email, orgId);
+    }
+    return null;
+  }
+};
+
+// src/adapters/drizzle.ts
+var import_drizzle_orm2 = require("drizzle-orm");
+var DrizzleAdapter = class {
+  async getUserByEmail(email, orgId) {
+    const result = await db.select().from(users).where((0, import_drizzle_orm2.and)((0, import_drizzle_orm2.eq)(users.email, email), (0, import_drizzle_orm2.eq)(users.orgId, orgId))).limit(1);
+    return result[0] || null;
+  }
+  async createUser(data) {
+    const [newUser] = await db.insert(users).values({
+      email: data.email,
+      passwordHash: data.passwordHash,
+      orgId: data.orgId,
+      role: data.role
+    }).returning();
+    return newUser;
+  }
+};
+
+// src/middleware/rbac.ts
+var authorize = (allowedRoles) => {
+  return async (request, reply) => {
+    try {
+      await request.jwtVerify();
+      const user = request.user;
+      if (!allowedRoles.includes(user.role)) {
+        return reply.code(403).send({
+          error: "Forbidden",
+          message: `Your role (${user.role}) does not have permission to access this resource.`
+        });
+      }
+    } catch (err) {
+      return reply.code(401).send({ error: "Unauthorized", message: "Invalid or expired token" });
+    }
+  };
+};
+
+// src/index.ts
+var NavojitAuth = class {
+  constructor(config2) {
+    this.config = config2;
+  }
+  config;
+  /**
+   * Automatically registers all auth routes (login, register, refresh, logout, etc.)
+   * @param server Fastify Instance
+   * @param prefix URL prefix for auth routes (default: /auth)
+   */
+  attach(server, prefix = "/auth") {
+    server.register(createAuthRoutes(this.config), { prefix });
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CredentialsProvider,
+  DrizzleAdapter,
+  GoogleProvider,
+  NavojitAuth,
+  OTPProvider,
+  authorize
+});

package/dist/index.mjs

@@ -0,0 +1,293 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/db/index.ts
+import { drizzle } from "drizzle-orm/postgres-js";
+import postgres from "postgres";
+
+// src/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  organizations: () => organizations,
+  refreshTokens: () => refreshTokens,
+  roleEnum: () => roleEnum,
+  users: () => users
+});
+import {
+  pgTable,
+  uuid,
+  varchar,
+  timestamp,
+  pgEnum,
+  boolean
+} from "drizzle-orm/pg-core";
+var roleEnum = pgEnum("role", ["owner", "admin", "member", "guest"]);
+var organizations = pgTable("organizations", {
+  id: uuid("id").primaryKey().defaultRandom(),
+  name: varchar("name", { length: 255 }).notNull(),
+  slug: varchar("slug", { length: 255 }).unique().notNull(),
+  createdAt: timestamp("created_at").defaultNow().notNull()
+});
+var users = pgTable("users", {
+  id: uuid("id").primaryKey().defaultRandom(),
+  orgId: uuid("org_id").references(() => organizations.id).notNull(),
+  email: varchar("email", { length: 255 }).unique().notNull(),
+  passwordHash: varchar("password_hash", { length: 255 }).notNull(),
+  role: roleEnum("role").default("member").notNull(),
+  createdAt: timestamp("created_at").defaultNow().notNull()
+});
+var refreshTokens = pgTable("refresh_tokens", {
+  id: uuid("id").primaryKey().defaultRandom(),
+  userId: uuid("user_id").references(() => users.id).notNull(),
+  token: varchar("token", { length: 500 }).unique().notNull(),
+  revoked: boolean("revoked").default(false).notNull(),
+  expiresAt: timestamp("expires_at").notNull()
+});
+
+// src/db/index.ts
+import * as dotenv from "dotenv";
+dotenv.config();
+var client = postgres(process.env.DATABASE_URL, { max: 1 });
+var db = drizzle(client, { schema: schema_exports });
+
+// src/routes/auth.ts
+import { eq } from "drizzle-orm";
+import argon2 from "argon2";
+import { z } from "zod";
+var RegisterSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  orgName: z.string().min(2),
+  role: z.enum(["owner", "admin", "member", "guest"]).optional()
+});
+function createAuthRoutes(config2) {
+  return async function authRoutes(server) {
+    server.post("/register", async (request, reply) => {
+      const result = RegisterSchema.safeParse(request.body);
+      if (!result.success)
+        return reply.code(400).send({ errors: result.error.format() });
+      const { email, password, orgName, role } = result.data;
+      try {
+        let [org] = await db.select().from(organizations).where(eq(organizations.name, orgName)).limit(1);
+        if (!org) {
+          [org] = await db.insert(organizations).values({
+            name: orgName,
+            slug: orgName.toLowerCase().replace(/\s/g, "-")
+          }).returning();
+        }
+        const hash = await argon2.hash(password);
+        const user = await config2.adapter.createUser({
+          email,
+          passwordHash: hash,
+          orgId: org.id,
+          role: role || "member"
+        });
+        return reply.send({ success: true, userId: user.id, orgId: org.id });
+      } catch (err) {
+        return reply.code(500).send({ error: "Registration failed", details: err.message });
+      }
+    });
+    server.post("/login/:providerId", async (request, reply) => {
+      const { providerId } = request.params;
+      const provider = config2.providers.find((p) => p.id === providerId);
+      if (!provider) return reply.code(400).send({ error: "Invalid Provider" });
+      const user = await provider.handle(request.body);
+      if (!user) return reply.code(401).send({ error: "Unauthorized" });
+      const accessToken = server.jwt.sign(
+        { sub: user.id, role: user.role, orgId: user.orgId },
+        { expiresIn: "15m" }
+      );
+      const refreshToken = server.jwt.sign(
+        { sub: user.id, role: user.role, orgId: user.orgId },
+        { expiresIn: "7d" }
+      );
+      await db.insert(refreshTokens).values({
+        userId: user.id,
+        token: refreshToken,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      return reply.send({
+        success: true,
+        access_token: accessToken,
+        refresh_token: refreshToken
+      });
+    });
+    server.post("/logout", async (request, reply) => {
+      const { refresh_token } = request.body;
+      if (refresh_token) {
+        await db.update(refreshTokens).set({ revoked: true }).where(eq(refreshTokens.token, refresh_token));
+      }
+      return reply.send({
+        success: true,
+        message: "Logged out from all devices"
+      });
+    });
+  };
+}
+
+// src/core/types.ts
+import "@fastify/jwt";
+
+// src/core/providers.ts
+import argon22 from "argon2";
+import { OAuth2Client } from "google-auth-library";
+import { Resend } from "resend";
+var resend = new Resend(process.env.RESEND_API_KEY);
+var CredentialsProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "credentials";
+  name = "Email/Password";
+  async handle(body) {
+    const { email, password, orgId } = body;
+    const user = await this.adapter.getUserByEmail(email, orgId);
+    if (user && await argon22.verify(user.passwordHash, password)) {
+      return user;
+    }
+    return null;
+  }
+};
+var GoogleProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "google";
+  name = "Google";
+  client = new OAuth2Client(process.env.GOOGLE_CLIENT_ID);
+  async handle(body) {
+    const { idToken, orgId } = body;
+    try {
+      const ticket = await this.client.verifyIdToken({
+        idToken,
+        audience: process.env.GOOGLE_CLIENT_ID
+      });
+      const payload = ticket.getPayload();
+      if (!payload || !payload.email) return null;
+      let user = await this.adapter.getUserByEmail(payload.email, orgId);
+      if (!user) {
+        user = await this.adapter.createUser({
+          email: payload.email,
+          passwordHash: "SOCIAL_AUTH_EXTERNAL",
+          // Placeholder for social users
+          orgId,
+          role: "member"
+        });
+      }
+      return user;
+    } catch (error) {
+      console.error("[AUTH] Google Verification Failed:", error);
+      return null;
+    }
+  }
+};
+var OTPProvider = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  id = "otp";
+  name = "OTP";
+  otpStore = /* @__PURE__ */ new Map();
+  async handleAction(action, body) {
+    if (action === "send") {
+      const otp = Math.floor(1e5 + Math.random() * 9e5).toString();
+      this.otpStore.set(body.email, { otp, expires: Date.now() + 3e5 });
+      if (process.env.RESEND_API_KEY) {
+        try {
+          await resend.emails.send({
+            from: "Navojit Auth <no-reply@navojit.io>",
+            // Apne verified domain se replace karein
+            to: body.email,
+            subject: "Your Security Code",
+            html: `<div style="font-family: sans-serif; padding: 20px;">
+                    <h2>Verification Code</h2>
+                    <p>Use the following code to sign in to your account:</p>
+                    <h1 style="color: #4F46E5;">${otp}</h1>
+                    <p>This code expires in 5 minutes.</p>
+                   </div>`
+          });
+        } catch (error) {
+          console.error("[AUTH] Email Delivery Failed:", error);
+        }
+      }
+      console.log(`[AUTH] OTP for ${body.email}: ${otp}`);
+      return { success: true, message: "OTP sent successfully" };
+    }
+    return { success: false, message: "Invalid action" };
+  }
+  async handle(body) {
+    const { email, otp, orgId } = body;
+    const record = this.otpStore.get(email);
+    if (record && record.otp === otp && record.expires > Date.now()) {
+      this.otpStore.delete(email);
+      return await this.adapter.getUserByEmail(email, orgId);
+    }
+    return null;
+  }
+};
+
+// src/adapters/drizzle.ts
+import { eq as eq2, and } from "drizzle-orm";
+var DrizzleAdapter = class {
+  async getUserByEmail(email, orgId) {
+    const result = await db.select().from(users).where(and(eq2(users.email, email), eq2(users.orgId, orgId))).limit(1);
+    return result[0] || null;
+  }
+  async createUser(data) {
+    const [newUser] = await db.insert(users).values({
+      email: data.email,
+      passwordHash: data.passwordHash,
+      orgId: data.orgId,
+      role: data.role
+    }).returning();
+    return newUser;
+  }
+};
+
+// src/middleware/rbac.ts
+var authorize = (allowedRoles) => {
+  return async (request, reply) => {
+    try {
+      await request.jwtVerify();
+      const user = request.user;
+      if (!allowedRoles.includes(user.role)) {
+        return reply.code(403).send({
+          error: "Forbidden",
+          message: `Your role (${user.role}) does not have permission to access this resource.`
+        });
+      }
+    } catch (err) {
+      return reply.code(401).send({ error: "Unauthorized", message: "Invalid or expired token" });
+    }
+  };
+};
+
+// src/index.ts
+var NavojitAuth = class {
+  constructor(config2) {
+    this.config = config2;
+  }
+  config;
+  /**
+   * Automatically registers all auth routes (login, register, refresh, logout, etc.)
+   * @param server Fastify Instance
+   * @param prefix URL prefix for auth routes (default: /auth)
+   */
+  attach(server, prefix = "/auth") {
+    server.register(createAuthRoutes(this.config), { prefix });
+  }
+};
+export {
+  CredentialsProvider,
+  DrizzleAdapter,
+  GoogleProvider,
+  NavojitAuth,
+  OTPProvider,
+  authorize
+};

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "navojit-auth",
+  "version": "1.0.0",
+  "description": "Blazing fast, multi-tenant global authentication engine for Fastify & Drizzle ORM.",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "dev": "tsx watch src/server.ts",
+    "build": "tsup src/index.ts --format cjs,esm --dts --clean",
+    "prepublishOnly": "npm run build",
+    "db:generate": "drizzle-kit generate",
+    "db:push": "drizzle-kit push",
+    "db:studio": "drizzle-kit studio",
+    "lint": "tsc"
+  },
+  "keywords": [
+    "fastify",
+    "auth",
+    "drizzle",
+    "multi-tenant",
+    "jwt",
+    "rbac",
+    "otp"
+  ],
+  "author": "Kashish Singh",
+  "license": "MIT",
+  "peerDependencies": {
+    "fastify": ">=4.0.0",
+    "drizzle-orm": ">=0.30.0",
+    "postgres": ">=3.4.0"
+  },
+  "dependencies": {
+    "@fastify/cors": "^11.2.0",
+    "@fastify/helmet": "^13.0.2",
+    "@fastify/jwt": "^10.0.0",
+    "@fastify/rate-limit": "^10.3.0",
+    "argon2": "^0.44.0",
+    "dotenv": "^17.4.1",
+    "google-auth-library": "^10.6.2",
+    "resend": "^6.10.0",
+    "uuid": "^13.0.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "drizzle-kit": "^0.31.10",
+    "tsup": "^8.3.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  }
+}