sentri 1.0.0

package/dist/client.d.ts

@@ -0,0 +1,158 @@
+import type { PermitCheck, PermitOptions } from './middleware/permit.js';
+import type { AuthConfig, AuthResult, AuthUser, LoginInput, RefreshResult, SignupInput } from './types/auth.js';
+import type { RequestHandler, Router } from 'express';
+/**
+ * The bound auth client returned by {@link createAuth}.
+ *
+ * All methods are pre-configured with the options passed to `createAuth` —
+ * you never need to pass config around yourself.
+ *
+ * `TRole` is inferred from `validRoles` and narrows role strings to your
+ * application's exact union type everywhere (signup, authorize, req.user, etc.).
+ */
+export interface AuthClient<TRole extends string = string> {
+    /**
+     * Register a new user.
+     *
+     * Validates that every requested role is in `validRoles`, rejects duplicate
+     * emails, hashes the password, creates the user record, and returns a fresh
+     * access + refresh token pair.
+     */
+    signup(input: SignupInput<TRole>): Promise<AuthResult<TRole>>;
+    /**
+     * Authenticate an existing user by email and password.
+     *
+     * On success, creates a new session and returns an access + refresh token pair.
+     * Returns `{ success: false, error }` with code `INVALID_CREDENTIALS` on any
+     * mismatch (intentionally vague to prevent user enumeration).
+     */
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    /**
+     * Exchange a valid refresh token for a new access + refresh token pair.
+     *
+     * Verifies the JWT, looks up the session in the database, checks expiry,
+     * then **rotates** the session: the old session is deleted and a new one is
+     * created. Old refresh tokens are immediately invalidated.
+     */
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    /**
+     * Invalidate a single session identified by the refresh token.
+     *
+     * Safe to call even if the token is already expired — it will simply
+     * attempt a DB delete and resolve.
+     */
+    logout(refreshToken: string): Promise<void>;
+    /**
+     * Delete all sessions for a user, effectively logging them out of every device.
+     *
+     * @param userId - The user's primary key as stored in the database.
+     */
+    logoutAll(userId: string): Promise<void>;
+    /**
+     * Express middleware factory that enforces authentication.
+     *
+     * Reads the `Authorization: Bearer <token>` header, verifies the access token,
+     * and injects the decoded payload as `req.user`. Calls `next(AuthError)` on failure.
+     *
+     * @example
+     * router.get('/me', auth.protect(), (req, res) => {
+     *   res.json(req.user);
+     * });
+     */
+    protect(): RequestHandler;
+    /**
+     * Express middleware factory that enforces role-based access.
+     *
+     * Must be used **after** `protect()`. Passes if the authenticated user has
+     * at least one of the specified roles; otherwise calls `next(AuthError)` with
+     * code `FORBIDDEN`.
+     *
+     * @example
+     * router.delete('/posts/:id', auth.protect(), auth.authorize('admin'), handler);
+     */
+    authorize(...roles: TRole[]): RequestHandler;
+    /** Hash a plain-text password using the configured `saltRounds`. */
+    hashPassword(plain: string): Promise<string>;
+    /** Compare a plain-text password against a stored bcrypt hash. */
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    /** Sign an access token for the given user payload. */
+    signAccessToken(payload: AuthUser<TRole>): string;
+    /** Sign a refresh token bound to a session ID. */
+    signRefreshToken(sessionId: string): string;
+    /** Verify and decode an access token. Throws `AuthError` if invalid or expired. */
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    /** Verify and decode a refresh token. Throws `AuthError` if invalid or expired. */
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    /**
+     * Returns a pre-built Express Router with all standard auth endpoints mounted:
+     *
+     * - `POST /signup` — register, returns `{ accessToken, refreshToken, user }`
+     * - `POST /login` — authenticate, returns `{ accessToken, refreshToken, user }`
+     * - `POST /refresh` — rotate refresh token, returns `{ accessToken, refreshToken }`
+     * - `POST /logout` — invalidate current session
+     * - `POST /logout-all` — invalidate all sessions (requires valid access token)
+     *
+     * Requires `express.json()` to be applied before the router.
+     *
+     * @example
+     * app.use(express.json());
+     * app.use('/auth', auth.router());
+     */
+    router(): Router;
+    /**
+     * Express middleware factory for resource-level permission checks.
+     *
+     * Must be used **after** `protect()`. Evaluates a check function against the
+     * current request and calls `next(AuthError)` with `FORBIDDEN` if it returns `false`.
+     *
+     * Accepts either a bare check function or an options object with an optional
+     * `roles` list whose members bypass the check entirely.
+     *
+     * @example
+     * // User can only update their own profile
+     * router.put('/users/:id',
+     *   auth.protect(),
+     *   auth.permit((req) => req.user!.id === req.params['id']),
+     *   handler,
+     * );
+     *
+     * @example
+     * // Admins bypass the check; others must own the resource
+     * router.delete('/posts/:id',
+     *   auth.protect(),
+     *   auth.permit({
+     *     roles: ['admin'],
+     *     check: async (req) => {
+     *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
+     *       return post?.authorId === req.user!.id;
+     *     },
+     *   }),
+     *   handler,
+     * );
+     */
+    permit(check: PermitCheck): RequestHandler;
+    permit(options: PermitOptions<TRole>): RequestHandler;
+}
+/**
+ * Create a fully configured auth client for your application.
+ *
+ * Pass your config once here and use the returned client everywhere — it
+ * binds all library functions to your settings so you never need to pass
+ * config manually.
+ *
+ * The generic parameter `TRole` is inferred automatically from `validRoles`
+ * when you use `as const`:
+ *
+ * @example
+ * export const auth = createAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   validRoles: ['user', 'admin', 'moderator'] as const,
+ *   adapter: myAdapter,
+ * });
+ *
+ * // auth.authorize('admin') is type-safe — 'superuser' would be a compile error.
+ */
+export declare function createAuth<TRole extends string = string>(config: AuthConfig<TRole>): AuthClient<TRole>;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EACV,UAAU,EACV,UAAU,EACV,QAAQ,EACR,UAAU,EACV,aAAa,EACb,WAAW,EACZ,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;OAMG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAE9D;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAErD;;;;;;OAMG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D;;;;;OAKG;IACH,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5C;;;;OAIG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC;;;;;;;;;;OAUG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;OAcG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;CACvD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAqBnB"}

package/dist/client.js

@@ -0,0 +1,49 @@
+import { hashPassword, verifyPassword } from './libs/hash.js';
+import { signAccessToken, signRefreshToken, verifyAccessToken, verifyRefreshToken } from './libs/token.js';
+import { resolveConfig, validateConfig } from './libs/config.js';
+import { signup, login, refresh, logout, logoutAll } from './services/auth.js';
+import { protect } from './middleware/protect.js';
+import { authorize } from './middleware/authorize.js';
+import { permit } from './middleware/permit.js';
+import { createAuthRouter } from './middleware/router.js';
+/**
+ * Create a fully configured auth client for your application.
+ *
+ * Pass your config once here and use the returned client everywhere — it
+ * binds all library functions to your settings so you never need to pass
+ * config manually.
+ *
+ * The generic parameter `TRole` is inferred automatically from `validRoles`
+ * when you use `as const`:
+ *
+ * @example
+ * export const auth = createAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   validRoles: ['user', 'admin', 'moderator'] as const,
+ *   adapter: myAdapter,
+ * });
+ *
+ * // auth.authorize('admin') is type-safe — 'superuser' would be a compile error.
+ */
+export function createAuth(config) {
+    validateConfig(config);
+    const resolved = resolveConfig(config);
+    return {
+        signup: (input) => signup(input, config),
+        login: (input) => login(input, config),
+        refresh: (refreshToken) => refresh(refreshToken, config),
+        logout: (refreshToken) => logout(refreshToken, config),
+        logoutAll: (userId) => logoutAll(userId, config),
+        protect: () => protect(config),
+        authorize: (...roles) => authorize(...roles),
+        hashPassword: (plain) => hashPassword(plain, resolved.saltRounds),
+        verifyPassword: (plain, hash) => verifyPassword(plain, hash),
+        signAccessToken: (payload) => signAccessToken(payload, config),
+        signRefreshToken: (sessionId) => signRefreshToken(sessionId, config),
+        verifyAccessToken: (token) => verifyAccessToken(token, config),
+        verifyRefreshToken: (token) => verifyRefreshToken(token, config),
+        router: () => createAuthRouter(config),
+        permit: (optionsOrCheck) => permit(optionsOrCheck),
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AA+J1D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAoB,EAAE,MAAoB,CAA+B;QACnG,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,MAAoB,CAA+B;QAClF,OAAO,EAAE,CAAC,YAAY,EAAE,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,MAAoB,CAAkC;QACvG,MAAM,EAAE,CAAC,YAAY,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,MAAoB,CAAC;QACpE,SAAS,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAoB,CAAC;QAC9D,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;KACvF,CAAC;AACJ,CAAC"}

package/dist/errors/AuthError.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Discriminant codes for {@link AuthError}.
+ *
+ * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
+ * - `USER_NOT_FOUND` — an operation required a user that does not exist
+ * - `USER_ALREADY_EXISTS` — signup was attempted with an identifier already in the database
+ * - `TOKEN_EXPIRED` — the JWT was valid but its `exp` claim is in the past
+ * - `TOKEN_INVALID` — the JWT could not be verified (bad signature, malformed, wrong type)
+ * - `FORBIDDEN` — the user is authenticated but lacks the required role
+ * - `UNAUTHORIZED` — no valid access token was present on the request
+ * - `INVALID_ROLE` — a role name was used that is not in `validRoles`
+ * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
+ * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
+ */
+export type AuthErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
+/**
+ * Error class thrown by the library for all authentication and authorization failures.
+ *
+ * Carries a machine-readable `code` that lets you distinguish error types without
+ * string-matching on the message:
+ *
+ * @example
+ * import { AuthError } from 'rizzzdev-auth';
+ *
+ * app.use((err, req, res, next) => {
+ *   if (err instanceof AuthError) {
+ *     const status = err.code === 'UNAUTHORIZED' ? 401
+ *       : err.code === 'FORBIDDEN' ? 403
+ *       : 400;
+ *     res.status(status).json({ error: err.code, message: err.message });
+ *   } else {
+ *     next(err);
+ *   }
+ * });
+ */
+export declare class AuthError extends Error {
+    readonly code: AuthErrorCode;
+    constructor(code: AuthErrorCode, message: string);
+}
+//# sourceMappingURL=AuthError.d.ts.map

package/dist/errors/AuthError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAgB,IAAI,EAAE,aAAa,CAAC;gBAExB,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CAKjD"}

package/dist/errors/AuthError.js

@@ -0,0 +1,29 @@
+/**
+ * Error class thrown by the library for all authentication and authorization failures.
+ *
+ * Carries a machine-readable `code` that lets you distinguish error types without
+ * string-matching on the message:
+ *
+ * @example
+ * import { AuthError } from 'rizzzdev-auth';
+ *
+ * app.use((err, req, res, next) => {
+ *   if (err instanceof AuthError) {
+ *     const status = err.code === 'UNAUTHORIZED' ? 401
+ *       : err.code === 'FORBIDDEN' ? 403
+ *       : 400;
+ *     res.status(status).json({ error: err.code, message: err.message });
+ *   } else {
+ *     next(err);
+ *   }
+ * });
+ */
+export class AuthError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = 'AuthError';
+        this.code = code;
+    }
+}
+//# sourceMappingURL=AuthError.js.map

package/dist/errors/AuthError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA0BA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClB,IAAI,CAAgB;IAEpC,YAAY,IAAmB,EAAE,OAAe;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+import type { AuthUser } from './types/auth.js';
+declare global {
+    namespace Express {
+        interface Request {
+            user?: AuthUser;
+        }
+    }
+}
+export type { AuthConfig, CookieConfig, AuthUser, AuthResult, RefreshResult, SignupInput, LoginInput, AuthAdapter, UserRecord, SessionRecord, CreateUserData, } from './types/auth.js';
+export type { AuthErrorCode } from './errors/AuthError.js';
+export type { AuthClient } from './client.js';
+export { AuthError } from './errors/AuthError.js';
+export { createAuth } from './client.js';
+export type { PermitCheck, PermitOptions } from './middleware/permit.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,aAAa,EACb,WAAW,EACX,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,GACf,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export { AuthError } from './errors/AuthError.js';
+export { createAuth } from './client.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AA4BA,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC"}

package/dist/libs/config.d.ts

@@ -0,0 +1,18 @@
+import type { AuthAdapter, AuthConfig } from '../types/auth.js';
+export interface ResolvedConfig {
+    secret: string;
+    accessExpiresIn: string | number;
+    refreshExpiresIn: string | number;
+    algorithm: 'HS256' | 'HS384' | 'HS512';
+    saltRounds: number;
+    validRoles: readonly string[];
+    adapter: AuthAdapter;
+}
+/**
+ * Validates config at startup so misconfiguration is caught immediately,
+ * not at the first login attempt.
+ */
+export declare function validateConfig(config: AuthConfig): void;
+export declare function resolveConfig(partial: AuthConfig): ResolvedConfig;
+export declare function parseExpiry(expiresIn: string | number): number;
+//# sourceMappingURL=config.d.ts.map

package/dist/libs/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,SAAS,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,OAAO,EAAE,WAAW,CAAC;CACtB;AAMD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CA0BvD;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,cAAc,CAUjE;AAGD,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAkB9D"}

package/dist/libs/config.js

@@ -0,0 +1,59 @@
+import { AuthError } from '../errors/AuthError.js';
+const MIN_SECRET_LENGTH = 32;
+const MIN_SALT_ROUNDS = 10;
+const MAX_SALT_ROUNDS = 31;
+/**
+ * Validates config at startup so misconfiguration is caught immediately,
+ * not at the first login attempt.
+ */
+export function validateConfig(config) {
+    if (!config.secret || config.secret.trim().length === 0) {
+        throw new AuthError('CONFIGURATION_ERROR', 'secret must not be empty');
+    }
+    if (config.secret.length < MIN_SECRET_LENGTH) {
+        throw new AuthError('CONFIGURATION_ERROR', `secret must be at least ${MIN_SECRET_LENGTH} characters to be cryptographically safe`);
+    }
+    const saltRounds = config.saltRounds ?? 12;
+    if (!Number.isInteger(saltRounds) || saltRounds < MIN_SALT_ROUNDS || saltRounds > MAX_SALT_ROUNDS) {
+        throw new AuthError('CONFIGURATION_ERROR', `saltRounds must be an integer between ${MIN_SALT_ROUNDS} and ${MAX_SALT_ROUNDS}`);
+    }
+    if (!config.validRoles || config.validRoles.length === 0) {
+        throw new AuthError('CONFIGURATION_ERROR', 'validRoles must contain at least one role');
+    }
+    if (!config.adapter) {
+        throw new AuthError('CONFIGURATION_ERROR', 'adapter is required');
+    }
+}
+export function resolveConfig(partial) {
+    return {
+        secret: partial.secret,
+        accessExpiresIn: partial.accessExpiresIn ?? '15m',
+        refreshExpiresIn: partial.refreshExpiresIn ?? '7d',
+        algorithm: partial.algorithm ?? 'HS256',
+        saltRounds: partial.saltRounds ?? 12,
+        validRoles: partial.validRoles,
+        adapter: partial.adapter,
+    };
+}
+// Parses '15m', '7d', '1h', '30s', '2w' → milliseconds
+export function parseExpiry(expiresIn) {
+    if (typeof expiresIn === 'number')
+        return expiresIn * 1000;
+    const multipliers = {
+        s: 1_000,
+        m: 60_000,
+        h: 3_600_000,
+        d: 86_400_000,
+        w: 604_800_000,
+    };
+    const match = /^(\d+)([smhdw])$/.exec(expiresIn);
+    if (!match?.[1] || !match?.[2]) {
+        throw new Error(`Invalid expiresIn: "${expiresIn}". Use e.g. "15m", "7d", "1h".`);
+    }
+    const unit = multipliers[match[2]];
+    if (unit === undefined) {
+        throw new Error(`Invalid expiresIn: "${expiresIn}". Use e.g. "15m", "7d", "1h".`);
+    }
+    return parseInt(match[1], 10) * unit;
+}
+//# sourceMappingURL=config.js.map

package/dist/libs/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAanD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,2BAA2B,iBAAiB,0CAA0C,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,eAAe,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;QAClG,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,yCAAyC,eAAe,QAAQ,eAAe,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,2CAA2C,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAmB;IAC/C,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,KAAK;QACjD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,IAAI;QAClD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,EAAE;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,SAA0B;IACpD,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,OAAO,SAAS,GAAG,IAAI,CAAC;IAC3D,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,SAAS;QACZ,CAAC,EAAE,UAAU;QACb,CAAC,EAAE,WAAW;KACf,CAAC;IACF,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;AACvC,CAAC"}

package/dist/libs/hash.d.ts

@@ -0,0 +1,3 @@
+export declare function hashPassword(plain: string, saltRounds?: number): Promise<string>;
+export declare function verifyPassword(plain: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=hash.d.ts.map

package/dist/libs/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAEA,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAElF;AAED,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAElF"}

package/dist/libs/hash.js

@@ -0,0 +1,8 @@
+import bcrypt from 'bcrypt';
+export async function hashPassword(plain, saltRounds = 12) {
+    return bcrypt.hash(plain, saltRounds);
+}
+export async function verifyPassword(plain, hash) {
+    return bcrypt.compare(plain, hash);
+}
+//# sourceMappingURL=hash.js.map

package/dist/libs/hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,UAAU,GAAG,EAAE;IAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,IAAY;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC"}

package/dist/libs/token.d.ts

@@ -0,0 +1,8 @@
+import type { AuthConfig, AuthUser } from '../types/auth.js';
+export declare function signAccessToken(payload: AuthUser, config: AuthConfig): string;
+export declare function signRefreshToken(sessionId: string, config: AuthConfig): string;
+export declare function verifyAccessToken(token: string, config: AuthConfig): AuthUser;
+export declare function verifyRefreshToken(token: string, config: AuthConfig): {
+    sessionId: string;
+};
+//# sourceMappingURL=token.d.ts.map

package/dist/libs/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AA2C7D,wBAAgB,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI7E;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI9E;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,CAI7E;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAI3F"}

package/dist/libs/token.js

@@ -0,0 +1,54 @@
+import jwt, {} from 'jsonwebtoken';
+import { AuthError } from '../errors/AuthError.js';
+import { resolveConfig } from './config.js';
+function deriveSecrets(secret) {
+    return {
+        access: `${secret}:access`,
+        refresh: `${secret}:refresh`,
+    };
+}
+function sign(payload, secret, expiresIn, algorithm) {
+    const options = {
+        expiresIn: expiresIn,
+        algorithm,
+    };
+    return jwt.sign(payload, secret, options);
+}
+function verify(token, secret, algorithm) {
+    try {
+        const decoded = jwt.verify(token, secret, { algorithms: [algorithm] });
+        if (typeof decoded === 'string' || decoded === null) {
+            throw new AuthError('TOKEN_INVALID', 'Token payload is not an object');
+        }
+        return decoded;
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        if (err instanceof jwt.TokenExpiredError) {
+            throw new AuthError('TOKEN_EXPIRED', 'Token has expired');
+        }
+        throw new AuthError('TOKEN_INVALID', 'Token is invalid or malformed');
+    }
+}
+export function signAccessToken(payload, config) {
+    const resolved = resolveConfig(config);
+    const { access } = deriveSecrets(resolved.secret);
+    return sign(payload, access, resolved.accessExpiresIn, resolved.algorithm);
+}
+export function signRefreshToken(sessionId, config) {
+    const resolved = resolveConfig(config);
+    const { refresh } = deriveSecrets(resolved.secret);
+    return sign({ sessionId }, refresh, resolved.refreshExpiresIn, resolved.algorithm);
+}
+export function verifyAccessToken(token, config) {
+    const resolved = resolveConfig(config);
+    const { access } = deriveSecrets(resolved.secret);
+    return verify(token, access, resolved.algorithm);
+}
+export function verifyRefreshToken(token, config) {
+    const resolved = resolveConfig(config);
+    const { refresh } = deriveSecrets(resolved.secret);
+    return verify(token, refresh, resolved.algorithm);
+}
+//# sourceMappingURL=token.js.map

package/dist/libs/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAiB,EAAE,MAAkB;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}

package/dist/middleware/authorize.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+export declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/middleware/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}

package/dist/middleware/authorize.js

@@ -0,0 +1,15 @@
+import { AuthError } from '../errors/AuthError.js';
+export function authorize(...allowedRoles) {
+    return (req, _res, next) => {
+        if (!req.user) {
+            return next(new AuthError('UNAUTHORIZED', 'Not authenticated'));
+        }
+        const userRoles = req.user.roles;
+        const hasRole = allowedRoles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+            return next(new AuthError('FORBIDDEN', `Requires one of roles: ${allowedRoles.join(', ')}`));
+        }
+        next();
+    };
+}
+//# sourceMappingURL=authorize.js.map

package/dist/middleware/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACzB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,SAAS,GAAsB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;QACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,SAAS,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/permit.d.ts

@@ -0,0 +1,62 @@
+import type { Request, RequestHandler } from 'express';
+/** A function that determines whether the current request is permitted. */
+export type PermitCheck = (req: Request) => boolean | Promise<boolean>;
+/**
+ * Options for {@link permit} when you need role-bypass alongside a resource check.
+ *
+ * @example
+ * // Admins can edit any post; others only their own
+ * auth.permit({
+ *   roles: ['admin'],
+ *   check: async (req) => {
+ *     const post = await db.findPost(req.params['id']);
+ *     return post?.authorId === req.user!.id;
+ *   },
+ * })
+ */
+export interface PermitOptions<TRole extends string> {
+    /**
+     * Roles whose members are granted access without running `check`.
+     * Use for privileged roles like `'admin'` that should bypass ownership checks.
+     */
+    roles?: TRole[];
+    /**
+     * Permission check executed when the user has none of the bypass `roles`.
+     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
+     * May be async — useful for database-backed ownership checks.
+     */
+    check: PermitCheck;
+}
+/**
+ * Express middleware factory for resource-level permission checks.
+ *
+ * Must be used **after** `protect()`. Evaluates a check function against the
+ * current request; calls `next(AuthError)` with code `FORBIDDEN` if it returns `false`.
+ *
+ * Accepts either a bare check function or an options object with an optional
+ * `roles` list whose members bypass the check entirely.
+ *
+ * @example
+ * // Simple ownership check
+ * router.put('/users/:id',
+ *   auth.protect(),
+ *   auth.permit((req) => req.user!.id === req.params['id']),
+ *   updateUserHandler,
+ * );
+ *
+ * @example
+ * // Admins bypass the check; others must own the post
+ * router.delete('/posts/:id',
+ *   auth.protect(),
+ *   auth.permit({
+ *     roles: ['admin'],
+ *     check: async (req) => {
+ *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
+ *       return post?.authorId === req.user!.id;
+ *     },
+ *   }),
+ *   deletePostHandler,
+ * );
+ */
+export declare function permit<TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck): RequestHandler;
+//# sourceMappingURL=permit.d.ts.map

package/dist/middleware/permit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permit.d.ts","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGvD,2EAA2E;AAC3E,MAAM,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvE;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM;IACjD;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;IAChB;;;;OAIG;IACH,KAAK,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,MAAM,CAAC,KAAK,SAAS,MAAM,EACzC,cAAc,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,WAAW,GACjD,cAAc,CA4BhB"}