sentri 1.0.4 → 1.0.6

package/dist/libs/token.js

@@ -1,12 +1,28 @@
 import jwt, {} from 'jsonwebtoken';
 import { AuthError } from '../errors/AuthError.js';
 import { resolveConfig } from './config.js';
+/**
+ * Derive separate HMAC secrets for access and refresh tokens from a single
+ * root secret by appending a domain suffix.
+ *
+ * Using distinct secrets prevents a refresh token from being accepted as an
+ * access token and vice versa.
+ */
 function deriveSecrets(secret) {
     return {
         access: `${secret}:access`,
         refresh: `${secret}:refresh`,
     };
 }
+/**
+ * Sign a JWT payload with the given secret and options.
+ *
+ * @param payload - Claims to embed in the token.
+ * @param secret - HMAC signing key.
+ * @param expiresIn - Expiry duration string (e.g. `'15m'`) or seconds.
+ * @param algorithm - HMAC algorithm variant.
+ * @returns Compact JWT string.
+ */
 function sign(payload, secret, expiresIn, algorithm) {
     const options = {
         expiresIn: expiresIn,
@@ -14,6 +30,16 @@ function sign(payload, secret, expiresIn, algorithm) {
     };
     return jwt.sign(payload, secret, options);
 }
+/**
+ * Verify and decode a JWT, mapping jsonwebtoken errors to typed {@link AuthError}s.
+ *
+ * @param token - Compact JWT string to verify.
+ * @param secret - HMAC key used to sign the token.
+ * @param algorithm - Expected signing algorithm.
+ * @returns Decoded payload cast to `T`.
+ * @throws {AuthError} With `TOKEN_EXPIRED` if the token's `exp` claim is in the past.
+ * @throws {AuthError} With `TOKEN_INVALID` for any other verification failure.
+ */
 function verify(token, secret, algorithm) {
     try {
         const decoded = jwt.verify(token, secret, { algorithms: [algorithm] });
@@ -31,21 +57,58 @@ function verify(token, secret, algorithm) {
         throw new AuthError('TOKEN_INVALID', 'Token is invalid or malformed');
     }
 }
+/**
+ * Sign a short-lived access token containing the user's identity and roles.
+ *
+ * Uses the access-specific secret derived from config and the configured
+ * `accessExpiresIn` duration and HMAC algorithm.
+ *
+ * @param payload - The {@link AuthUser} payload to embed (id, identifier, roles).
+ * @param config - Auth configuration used to derive the secret and options.
+ * @returns Compact JWT string.
+ */
 export function signAccessToken(payload, config) {
     const resolved = resolveConfig(config);
     const { access } = deriveSecrets(resolved.secret);
     return sign(payload, access, resolved.accessExpiresIn, resolved.algorithm);
 }
+/**
+ * Sign a long-lived refresh token bound to a specific session ID.
+ *
+ * Uses the refresh-specific secret derived from config and the configured
+ * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
+ * so the token can be used to look up and rotate the session.
+ *
+ * @param sessionId - The database session ID to bind to this token.
+ * @param config - Auth configuration used to derive the secret and options.
+ * @returns Compact JWT string.
+ */
 export function signRefreshToken(sessionId, config) {
     const resolved = resolveConfig(config);
     const { refresh } = deriveSecrets(resolved.secret);
     return sign({ sessionId }, refresh, resolved.refreshExpiresIn, resolved.algorithm);
 }
+/**
+ * Verify an access token and return its decoded {@link AuthUser} payload.
+ *
+ * @param token - Compact JWT access token string.
+ * @param config - Auth configuration used to derive the secret and algorithm.
+ * @returns Decoded `AuthUser` payload (id, identifier, roles).
+ * @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+ */
 export function verifyAccessToken(token, config) {
     const resolved = resolveConfig(config);
     const { access } = deriveSecrets(resolved.secret);
     return verify(token, access, resolved.algorithm);
 }
+/**
+ * Verify a refresh token and return the embedded session ID.
+ *
+ * @param token - Compact JWT refresh token string.
+ * @param config - Auth configuration used to derive the secret and algorithm.
+ * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
+ * @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+ */
 export function verifyRefreshToken(token, config) {
     const resolved = resolveConfig(config);
     const { refresh } = deriveSecrets(resolved.secret);

package/dist/libs/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAiB,EAAE,MAAkB;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB,EAAE,MAAkB;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}

package/dist/middleware/authorize.d.ts

@@ -1,3 +1,18 @@
 import type { RequestHandler } from 'express';
+/**
+ * Express middleware factory for role-based access control (RBAC).
+ *
+ * Passes if the authenticated user (set by `protect()`) has **at least one**
+ * of the specified `allowedRoles`. Calls `next(AuthError)` with code `FORBIDDEN`
+ * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
+ *
+ * Must be used **after** `protect()`.
+ *
+ * @param allowedRoles - One or more role strings. The user needs at least one of them.
+ * @returns An Express `RequestHandler` that enforces the role check.
+ *
+ * @example
+ * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
+ */
 export declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
 //# sourceMappingURL=authorize.d.ts.map

package/dist/middleware/authorize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}

package/dist/middleware/authorize.js

@@ -1,10 +1,25 @@
 import { AuthError } from '../errors/AuthError.js';
+/**
+ * Express middleware factory for role-based access control (RBAC).
+ *
+ * Passes if the authenticated user (set by `protect()`) has **at least one**
+ * of the specified `allowedRoles`. Calls `next(AuthError)` with code `FORBIDDEN`
+ * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
+ *
+ * Must be used **after** `protect()`.
+ *
+ * @param allowedRoles - One or more role strings. The user needs at least one of them.
+ * @returns An Express `RequestHandler` that enforces the role check.
+ *
+ * @example
+ * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
+ */
 export function authorize(...allowedRoles) {
-    return (req, _res, next) => {
-        if (!req.user) {
+    return (request, _response, next) => {
+        if (!request.user) {
             return next(new AuthError('UNAUTHORIZED', 'Not authenticated'));
         }
-        const userRoles = req.user.roles;
+        const userRoles = request.user.roles;
         const hasRole = allowedRoles.some((role) => userRoles.includes(role));
         if (!hasRole) {
             return next(new AuthError('FORBIDDEN', `Requires one of roles: ${allowedRoles.join(', ')}`));

package/dist/middleware/authorize.js.map

@@ -1 +1 @@
-{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACzB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,SAAS,GAAsB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;QACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,SAAS,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QACxD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,SAAS,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/permit.d.ts

@@ -1,6 +1,6 @@
 import type { Request, RequestHandler } from 'express';
 /** A function that determines whether the current request is permitted. */
-export type PermitCheck = (req: Request) => boolean | Promise<boolean>;
+export type PermitCheck = (request: Request) => boolean | Promise<boolean>;
 /**
  * Options for {@link permit} when you need role-bypass alongside a resource check.
  *
@@ -8,9 +8,9 @@ export type PermitCheck = (req: Request) => boolean | Promise<boolean>;
  * // Admins can edit any post; others only their own
  * auth.permit({
  *   roles: ['admin'],
- *   check: async (req) => {
- *     const post = await db.findPost(req.params['id']);
- *     return post?.authorId === req.user!.id;
+ *   check: async (request) => {
+ *     const post = await db.findPost(request.params['id']);
+ *     return post?.authorId === request.user!.id;
  *   },
  * })
  */
@@ -40,7 +40,7 @@ export interface PermitOptions<TRole extends string> {
  * // Simple ownership check
  * router.put('/users/:id',
  *   auth.protect(),
- *   auth.permit((req) => req.user!.id === req.params['id']),
+ *   auth.permit((request) => request.user!.id === request.params['id']),
  *   updateUserHandler,
  * );
  *
@@ -50,9 +50,9 @@ export interface PermitOptions<TRole extends string> {
  *   auth.protect(),
  *   auth.permit({
  *     roles: ['admin'],
- *     check: async (req) => {
- *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
- *       return post?.authorId === req.user!.id;
+ *     check: async (request) => {
+ *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
+ *       return post?.authorId === request.user!.id;
  *     },
  *   }),
  *   deletePostHandler,

package/dist/middleware/permit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit.d.ts","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGvD,2EAA2E;AAC3E,MAAM,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvE;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM;IACjD;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;IAChB;;;;OAIG;IACH,KAAK,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,MAAM,CAAC,KAAK,SAAS,MAAM,EACzC,cAAc,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,WAAW,GACjD,cAAc,CA4BhB"}
+{"version":3,"file":"permit.d.ts","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGvD,2EAA2E;AAC3E,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE3E;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM;IACjD;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;IAChB;;;;OAIG;IACH,KAAK,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,MAAM,CAAC,KAAK,SAAS,MAAM,EACzC,cAAc,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,WAAW,GACjD,cAAc,CA4BhB"}

package/dist/middleware/permit.js

@@ -12,7 +12,7 @@ import { AuthError } from '../errors/AuthError.js';
  * // Simple ownership check
  * router.put('/users/:id',
  *   auth.protect(),
- *   auth.permit((req) => req.user!.id === req.params['id']),
+ *   auth.permit((request) => request.user!.id === request.params['id']),
  *   updateUserHandler,
  * );
  *
@@ -22,9 +22,9 @@ import { AuthError } from '../errors/AuthError.js';
  *   auth.protect(),
  *   auth.permit({
  *     roles: ['admin'],
- *     check: async (req) => {
- *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
- *       return post?.authorId === req.user!.id;
+ *     check: async (request) => {
+ *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
+ *       return post?.authorId === request.user!.id;
  *     },
  *   }),
  *   deletePostHandler,
@@ -34,18 +34,18 @@ export function permit(optionsOrCheck) {
     const options = typeof optionsOrCheck === 'function'
         ? { check: optionsOrCheck }
         : optionsOrCheck;
-    return async (req, _res, next) => {
-        if (!req.user) {
+    return async (request, _response, next) => {
+        if (!request.user) {
             return next(new AuthError('UNAUTHORIZED', 'Not authenticated'));
         }
         if (options.roles && options.roles.length > 0) {
-            const userRoles = req.user.roles;
+            const userRoles = request.user.roles;
             const hasBypassRole = options.roles.some((role) => userRoles.includes(role));
             if (hasBypassRole)
                 return next();
         }
         try {
-            const allowed = await options.check(req);
+            const allowed = await options.check(request);
             if (allowed) {
                 next();
             }
@@ -53,8 +53,8 @@ export function permit(optionsOrCheck) {
                 next(new AuthError('FORBIDDEN', 'You do not have permission to perform this action'));
             }
         }
-        catch (err) {
-            next(err);
+        catch (error) {
+            next(error);
         }
     };
 }

package/dist/middleware/permit.js.map

@@ -1 +1 @@
-{"version":3,"file":"permit.js","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAgCnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,MAAM,CACpB,cAAkD;IAElD,MAAM,OAAO,GACX,OAAO,cAAc,KAAK,UAAU;QAClC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3B,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC/B,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAsB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;YACpD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7E,IAAI,aAAa;gBAAE,OAAO,IAAI,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,mDAAmD,CAAC,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"permit.js","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAgCnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,MAAM,CACpB,cAAkD;IAElD,MAAM,OAAO,GACX,OAAO,cAAc,KAAK,UAAU;QAClC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3B,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QACxC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;YACxD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7E,IAAI,aAAa;gBAAE,OAAO,IAAI,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,mDAAmD,CAAC,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/protect.d.ts

@@ -1,4 +1,21 @@
 import type { RequestHandler } from 'express';
 import type { AuthConfig } from '../types/auth.js';
+/**
+ * Express middleware factory that enforces JWT authentication.
+ *
+ * Reads the `Authorization: Bearer <token>` header, verifies the access token,
+ * and attaches the decoded payload to `req.user`. Calls `next(AuthError)` on
+ * any failure so your error handler can convert it to an HTTP response.
+ *
+ * Must be used **before** `authorize()` or `permit()`.
+ *
+ * @param config - Auth configuration used to verify the token.
+ * @returns An Express `RequestHandler` that populates `req.user` on success.
+ *
+ * @example
+ * router.get('/profile', protect(config), (req, res) => {
+ *   res.json(req.user);
+ * });
+ */
 export declare function protect(config: AuthConfig): RequestHandler;
 //# sourceMappingURL=protect.d.ts.map

package/dist/middleware/protect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAc1D"}
+{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAc1D"}

package/dist/middleware/protect.js

@@ -1,18 +1,35 @@
 import { AuthError } from '../errors/AuthError.js';
 import { verifyAccessToken } from '../libs/token.js';
+/**
+ * Express middleware factory that enforces JWT authentication.
+ *
+ * Reads the `Authorization: Bearer <token>` header, verifies the access token,
+ * and attaches the decoded payload to `req.user`. Calls `next(AuthError)` on
+ * any failure so your error handler can convert it to an HTTP response.
+ *
+ * Must be used **before** `authorize()` or `permit()`.
+ *
+ * @param config - Auth configuration used to verify the token.
+ * @returns An Express `RequestHandler` that populates `req.user` on success.
+ *
+ * @example
+ * router.get('/profile', protect(config), (req, res) => {
+ *   res.json(req.user);
+ * });
+ */
 export function protect(config) {
-    return (req, _res, next) => {
-        const authHeader = req.headers['authorization'];
+    return (request, _response, next) => {
+        const authHeader = request.headers['authorization'];
         if (!authHeader?.startsWith('Bearer ')) {
             return next(new AuthError('UNAUTHORIZED', 'Missing or malformed Authorization header'));
         }
         const token = authHeader.slice(7);
         try {
-            req.user = verifyAccessToken(token, config);
+            request.user = verifyAccessToken(token, config);
             next();
         }
-        catch (err) {
-            next(err);
+        catch (error) {
+            next(error);
         }
     };
 }

package/dist/middleware/protect.js.map

@@ -1 +1 @@
-{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC5C,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/router.d.ts

@@ -6,12 +6,13 @@ import type { AuthConfig } from '../types/auth.js';
  * Mount it once and all routes are ready:
  *
  * ```
- * POST /signup       — register a new user
- * POST /login        — authenticate and get tokens
- * POST /refresh      — rotate refresh token
- * POST /logout       — invalidate current session
- * POST /logout-all   — invalidate all sessions for the authenticated user
- * GET  /me           — return the currently authenticated user
+ * POST /signup              — register a new user
+ * POST /login               — authenticate and get tokens
+ * POST /refresh             — rotate refresh token
+ * POST /logout              — invalidate current session
+ * POST /logout-all          — invalidate all sessions for the authenticated user
+ * GET  /me                  — return the currently authenticated user
+ * POST /users/:userId/roles — assign roles (admin only)
  * ```
  *
  * Requires `express.json()` to be applied before the router.
@@ -19,6 +20,9 @@ import type { AuthConfig } from '../types/auth.js';
  * When `cookie` is set in config, the refresh token is stored in an httpOnly
  * cookie automatically — no `cookie-parser` needed.
  *
+ * When `router` is set in config, individual service functions can be replaced
+ * while the router still handles validation and response formatting.
+ *
  * @example
  * app.use(express.json());
  * app.use('/auth', auth.router());

package/dist/middleware/router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,SAAS,CAAC;AAEhD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAmDnD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CA2LxF"}
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AAEjF,OAAO,KAAK,EAAE,UAAU,EAA2B,MAAM,kBAAkB,CAAC;AAmE5E;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CA8KxF"}