say-auth 1.0.0

package/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Sanyii
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,121 @@
+# 🔐 say-auth
+
+> Enterprise-grade authentication library for Next.js with MFA, JWT, and security features
+
+[![npm version](https://badge.fury.io/js/say-auth.svg)](https://www.npmjs.com/package/say-auth)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.x-blue.svg)](https://www.typescriptlang.org/)
+[![Next.js](https://img.shields.io/badge/Next.js-13%2B-black.svg)](https://nextjs.org/)
+[![Downloads](https://img.shields.io/npm/dm/say-auth.svg)](https://www.npmjs.com/package/say-auth)
+
+## ✨ Features
+
+- 🔐 **JWT Authentication** - Secure token-based authentication
+- 🔄 **Auto Token Refresh** - Automatic token refresh with request queuing
+- 🛡️ **MFA Support** - Two-factor authentication with TOTP
+- 🚫 **Token Blacklisting** - Revoke tokens on logout
+- 📝 **Audit Logging** - Track all authentication events
+- 🖥️ **Device Fingerprinting** - Prevent session hijacking
+- ⚡ **Rate Limiting** - Brute force protection
+- 🔒 **AES-256 Encryption** - Secure token storage
+- 📦 **Zero Config** - Works out of the box
+- 🎯 **TypeScript** - Full type safety
+
+## 📦 Installation
+
+```bash
+npm install say-auth
+# or
+pnpm add say-auth
+# or
+yarn add say-auth
+🚀 Quick Start
+1. Wrap your app with AuthProvider
+tsx
+// app/layout.tsx
+import { AuthProvider } from 'say-auth';
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <AuthProvider apiUrl={process.env.NEXT_PUBLIC_API_URL}>
+          {children}
+        </AuthProvider>
+      </body>
+    </html>
+  );
+}
+2. Create login page
+tsx
+// app/login/page.tsx
+'use client';
+import { useAuth } from 'say-auth';
+
+export default function LoginPage() {
+  const { login, isLoading } = useAuth();
+
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    const formData = new FormData(e.currentTarget);
+    await login({
+      email: formData.get('email'),
+      password: formData.get('password'),
+    });
+  };
+
+  return (
+    <form onSubmit={handleSubmit}>
+      <input name="email" type="email" required />
+      <input name="password" type="password" required />
+      <button type="submit" disabled={isLoading}>
+        {isLoading ? 'Loading...' : 'Login'}
+      </button>
+    </form>
+  );
+}
+3. Protect routes
+tsx
+// app/dashboard/page.tsx
+'use client';
+import { ProtectedRoute, useAuth } from 'say-auth';
+
+export default function DashboardPage() {
+  const { user } = useAuth();
+
+  return (
+    <ProtectedRoute>
+      <h1>Welcome, {user?.name}!</h1>
+    </ProtectedRoute>
+  );
+}
+📖 API Reference
+useAuth()
+Main authentication hook that returns:
+
+Property	Type	Description
+user	User | null	Current user data
+isAuthenticated	boolean	Authentication status
+isLoading	boolean	Loading state
+login()	(credentials) => Promise	Login function
+logout()	() => Promise	Logout function
+refreshSession()	() => Promise	Refresh session
+ProtectedRoute
+Component for protecting routes:
+
+tsx
+<ProtectedRoute requiredRole="admin">
+  <AdminPanel />
+</ProtectedRoute>
+🔧 Requirements
+Next.js 13+
+
+React 18+
+
+Axios 1.6+
+
+🤝 Contributing
+Contributions are welcome! Please read our contributing guidelines.
+
+📄 License
+MIT © Sanyii

package/dist/index.d.mts

@@ -0,0 +1,312 @@
+import { AxiosInstance } from 'axios';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import React$1 from 'react';
+
+interface User {
+    id: string;
+    email: string;
+    name: string;
+    role?: string;
+    avatar?: string;
+    mfaEnabled: boolean;
+    mfaSecret?: string;
+    backupCodes?: string[];
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+interface AuthTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+}
+interface LoginCredentials {
+    email: string;
+    password: string;
+}
+interface RegisterData {
+    email: string;
+    password: string;
+    name: string;
+}
+interface AuthState {
+    user: User | null;
+    tokens: AuthTokens | null;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: string | null;
+}
+interface MFAVerify {
+    userId: string;
+    code: string;
+    trustDevice?: boolean;
+}
+interface TokenBlacklistEntry {
+    token: string;
+    userId: string;
+    expiresAt: Date;
+    reason: 'logout' | 'revoke' | 'security';
+}
+interface AuditEntry$1 {
+    action: string;
+    userId?: string;
+    email?: string;
+    ipAddress: string;
+    userAgent: string;
+    timestamp: Date;
+    details?: Record<string, any>;
+    success: boolean;
+    errorMessage?: string;
+}
+
+declare class AuthService {
+    private static instance;
+    private axiosInstance;
+    private state;
+    private listeners;
+    private baseURL;
+    private constructor();
+    static getInstance(apiUrl?: string): AuthService;
+    private makeRequest;
+    healthCheck(): Promise<boolean>;
+    healthCheckWithRetry(retries?: number): Promise<boolean>;
+    private loadInitialState;
+    private notifyListeners;
+    subscribe(listener: (state: AuthState) => void): () => void;
+    private updateState;
+    login(credentials: LoginCredentials): Promise<{
+        requiresMFA: boolean;
+        user?: User;
+    }>;
+    verifyMFA(code: string, trustDevice?: boolean): Promise<User>;
+    register(data: RegisterData): Promise<User>;
+    logout(reason?: 'logout' | 'revoke' | 'security'): Promise<void>;
+    refreshSession(): Promise<void>;
+    logoutAllDevices(): Promise<void>;
+    changePassword(currentPassword: string, newPassword: string): Promise<void>;
+    hasRole(role: string | string[]): boolean;
+    getAxiosInstance(): AxiosInstance;
+    getUser(): User | null;
+    getState(): AuthState;
+}
+
+declare class SecureTokenStorage {
+    private static instance;
+    private encryptionKey;
+    private memoryCache;
+    private readonly TOKEN_VERSION;
+    private readonly SUPPORTED_VERSIONS;
+    private constructor();
+    static getInstance(): SecureTokenStorage;
+    private getOrCreateEncryptionKey;
+    private generateEncryptionKey;
+    private encrypt;
+    private decrypt;
+    setTokens(tokens: AuthTokens): void;
+    getTokens(): AuthTokens | null;
+    private migrateTokenFormat;
+    shouldRefreshToken(): boolean;
+    getTokenAge(): number | null;
+    setUser(user: User): void;
+    getUser(): User | null;
+    clear(): void;
+    hardClear(): void;
+    getStorageInfo(): {
+        hasTokens: boolean;
+        hasUser: boolean;
+        tokenVersion: string | null;
+    };
+}
+
+declare class TokenManager {
+    private static instance;
+    private refreshPromise;
+    static getInstance(): TokenManager;
+    getAccessToken(): string | null;
+    isTokenExpired(): boolean;
+    refreshToken(refreshFn: () => Promise<AuthTokens>): Promise<string>;
+    private performRefresh;
+}
+
+declare class TokenBlacklist {
+    private static instance;
+    private blacklist;
+    private cleanupInterval;
+    private constructor();
+    static getInstance(): TokenBlacklist;
+    addToBlacklist(token: string, userId: string, reason: TokenBlacklistEntry['reason']): Promise<void>;
+    isBlacklisted(token: string): Promise<boolean>;
+    revokeAllUserTokens(userId: string): Promise<void>;
+    private hashToken;
+    private syncToBackend;
+    private revokeAllOnBackend;
+    private startCleanup;
+    stopCleanup(): void;
+}
+
+declare class MFAService {
+    private static instance;
+    static getInstance(): MFAService;
+    setupMFA(userId: string, email: string): Promise<{
+        secret: string;
+        qrCode: string;
+        backupCodes: string[];
+    }>;
+    verifyAndEnableMFA(userId: string, code: string): Promise<boolean>;
+    verifyMFA(userId: string, code: string): Promise<boolean>;
+    private generateBackupCodes;
+    private saveMFAConfig;
+    private getUserMFASecret;
+}
+
+declare class RateLimiter {
+    private static instance;
+    private attempts;
+    private readonly MAX_ATTEMPTS;
+    private readonly WINDOW_MS;
+    private readonly BLOCK_DURATION_MS;
+    static getInstance(): RateLimiter;
+    checkRateLimit(identifier: string): {
+        allowed: boolean;
+        waitTime?: number;
+    };
+    reset(identifier: string): void;
+}
+
+declare enum AuditAction {
+    LOGIN_SUCCESS = "LOGIN_SUCCESS",
+    LOGIN_FAILURE = "LOGIN_FAILURE",
+    LOGOUT = "LOGOUT",
+    REGISTER_SUCCESS = "REGISTER_SUCCESS",
+    PASSWORD_CHANGE = "PASSWORD_CHANGE",
+    TOKEN_REFRESH = "TOKEN_REFRESH",
+    SESSION_TERMINATED = "SESSION_TERMINATED",
+    MFA_ENABLED = "MFA_ENABLED",
+    MFA_DISABLED = "MFA_DISABLED",
+    MFA_VERIFIED = "MFA_VERIFIED"
+}
+interface AuditEntry {
+    action: AuditAction;
+    userId?: string;
+    email?: string;
+    ipAddress: string;
+    userAgent: string;
+    timestamp: Date;
+    details?: Record<string, any>;
+    success: boolean;
+    errorMessage?: string;
+}
+declare class AuditLogger {
+    private static instance;
+    private logQueue;
+    private isFlushing;
+    static getInstance(): AuditLogger;
+    log(entry: Omit<AuditEntry, 'timestamp' | 'ipAddress' | 'userAgent'>): Promise<void>;
+    private scheduleFlush;
+    private flush;
+    private getClientIP;
+}
+
+declare class SessionManager {
+    private static instance;
+    private activeSessions;
+    static getInstance(): SessionManager;
+    registerSession(userId: string): Promise<string>;
+    validateSession(userId: string, deviceId: string): Promise<boolean>;
+    terminateSession(userId: string): Promise<void>;
+    terminateAllOtherSessions(userId: string, currentDeviceId: string): Promise<void>;
+    getActiveSessionsCount(userId: string): number;
+}
+
+declare class DeviceFingerprint {
+    static generate(): Promise<string>;
+    private static hashObject;
+}
+
+declare function useAuth(apiUrl?: string): {
+    login: (credentials: LoginCredentials) => Promise<{
+        requiresMFA: boolean;
+        user?: User;
+    }>;
+    verifyMFA: (code: string, trustDevice?: boolean) => Promise<User>;
+    register: (data: RegisterData) => Promise<User>;
+    logout: () => Promise<void>;
+    refreshSession: () => Promise<void>;
+    hasRole: (role: string | string[]) => boolean;
+    user: User | null;
+    tokens: AuthTokens | null;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: string | null;
+};
+
+declare function useProtectedRoute(redirectTo?: string, requiredRole?: string | string[]): {
+    isAuthenticated: boolean;
+    isLoading: boolean;
+};
+
+interface AuthProviderProps {
+    children: React$1.ReactNode;
+    apiUrl?: string;
+}
+declare function AuthProvider({ children, apiUrl }: AuthProviderProps): react_jsx_runtime.JSX.Element;
+
+interface ProtectedRouteProps {
+    children: React.ReactNode;
+    requiredRole?: string | string[];
+    fallback?: React.ReactNode;
+}
+declare function ProtectedRoute({ children, requiredRole, fallback }: ProtectedRouteProps): react_jsx_runtime.JSX.Element | null;
+
+interface MFASetupProps {
+    userId: string;
+    email: string;
+    onComplete: () => void;
+    onCancel: () => void;
+}
+declare function MFASetup({ userId, email, onComplete, onCancel }: MFASetupProps): react_jsx_runtime.JSX.Element;
+
+interface MFAVerificationProps {
+    onSubmit: (code: string, trustDevice: boolean) => Promise<void>;
+    onBack?: () => void;
+}
+declare function MFAVerification({ onSubmit, onBack }: MFAVerificationProps): react_jsx_runtime.JSX.Element;
+
+declare function SessionWarning({ warningMinutes }: {
+    warningMinutes?: number;
+}): react_jsx_runtime.JSX.Element | null;
+
+declare function setupAuthInterceptors(axiosInstance: AxiosInstance, baseURL: string): void;
+
+declare function cn(...classes: (string | undefined | false)[]): string;
+declare function getErrorMessage(error: unknown): string;
+declare function isValidEmail(email: string): boolean;
+
+declare const AUTH_CONFIG: {
+    tokenRefreshThreshold: number;
+    maxLoginAttempts: number;
+    lockoutDuration: number;
+    sessionTimeout: number;
+    mfaCodeLength: number;
+    backupCodesCount: number;
+    trustDeviceDuration: number;
+};
+declare const STORAGE_KEYS: {
+    tokens: string;
+    user: string;
+    encryptionKey: string;
+    deviceId: string;
+    trustedDevices: string;
+};
+declare const API_ENDPOINTS: {
+    login: string;
+    logout: string;
+    register: string;
+    refresh: string;
+    mfaSetup: string;
+    mfaVerify: string;
+    mfaDisable: string;
+    changePassword: string;
+    audit: string;
+};
+
+export { API_ENDPOINTS, AUTH_CONFIG, AuditAction, type AuditEntry$1 as AuditEntry, AuditLogger, AuthProvider, AuthService, type AuthState, type AuthTokens, DeviceFingerprint, type LoginCredentials, MFAService, MFASetup, MFAVerification, type MFAVerify, ProtectedRoute, RateLimiter, type RegisterData, STORAGE_KEYS, SessionManager, SessionWarning, TokenBlacklist, type TokenBlacklistEntry, TokenManager, SecureTokenStorage as TokenStorage, type User, cn, getErrorMessage, isValidEmail, setupAuthInterceptors, useAuth, useProtectedRoute };