sentri 1.0.5 → 1.0.6
- package/README.md +87 -37
- package/dist/client.d.ts +34 -75
- package/dist/client.d.ts.map +1 -1
- package/dist/client.js +0 -7
- package/dist/client.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js.map +1 -1
- package/dist/libs/config.d.ts +45 -1
- package/dist/libs/config.d.ts.map +1 -1
- package/dist/libs/config.js +40 -2
- package/dist/libs/config.js.map +1 -1
- package/dist/libs/hash.d.ts +14 -0
- package/dist/libs/hash.d.ts.map +1 -1
- package/dist/libs/hash.js +14 -0
- package/dist/libs/hash.js.map +1 -1
- package/dist/libs/token.d.ts +37 -0
- package/dist/libs/token.d.ts.map +1 -1
- package/dist/libs/token.js +63 -0
- package/dist/libs/token.js.map +1 -1
- package/dist/middleware/authorize.d.ts +15 -0
- package/dist/middleware/authorize.d.ts.map +1 -1
- package/dist/middleware/authorize.js +15 -0
- package/dist/middleware/authorize.js.map +1 -1
- package/dist/middleware/protect.d.ts +17 -0
- package/dist/middleware/protect.d.ts.map +1 -1
- package/dist/middleware/protect.js +17 -0
- package/dist/middleware/protect.js.map +1 -1
- package/dist/middleware/router.d.ts +10 -6
- package/dist/middleware/router.d.ts.map +1 -1
- package/dist/middleware/router.js +24 -14
- package/dist/middleware/router.js.map +1 -1
- package/dist/services/auth.d.ts +75 -0
- package/dist/services/auth.d.ts.map +1 -1
- package/dist/services/auth.js +75 -0
- package/dist/services/auth.js.map +1 -1
- package/dist/types/auth.d.ts +144 -0
- package/dist/types/auth.d.ts.map +1 -1
- package/package.json +11 -3
- package/templates/drizzle/adapter.ts +3 -9
- package/templates/drizzle/auth.ts +20 -0
- package/templates/prisma/adapter.ts +3 -9
- package/templates/prisma/auth.ts +20 -0
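--- a/package/dist/libs/token.js
+++ b/package/dist/libs/token.js
@@ -1,12 +1,28 @@
 import jwt, {} from 'jsonwebtoken';
 import { AuthError } from '../errors/AuthError.js';
 import { resolveConfig } from './config.js';
+/**
+* Derive separate HMAC secrets for access and refresh tokens from a single
+* root secret by appending a domain suffix.
+*
+* Using distinct secrets prevents a refresh token from being accepted as an
+* access token and vice versa.
+*/
 function deriveSecrets(secret) {
 return {
 access: `${secret}:access`,
 refresh: `${secret}:refresh`,
 };
 }
+/**
+* Sign a JWT payload with the given secret and options.
+*
+* @param payload - Claims to embed in the token.
+* @param secret - HMAC signing key.
+* @param expiresIn - Expiry duration string (e.g. `'15m'`) or seconds.
+* @param algorithm - HMAC algorithm variant.
+* @returns Compact JWT string.
+*/
 function sign(payload, secret, expiresIn, algorithm) {
 const options = {
 expiresIn: expiresIn,
@@ -14,6 +30,16 @@ function sign(payload, secret, expiresIn, algorithm) {
 };
 return jwt.sign(payload, secret, options);
 }
+/**
+* Verify and decode a JWT, mapping jsonwebtoken errors to typed {@link AuthError}s.
+*
+* @param token - Compact JWT string to verify.
+* @param secret - HMAC key used to sign the token.
+* @param algorithm - Expected signing algorithm.
+* @returns Decoded payload cast to `T`.
+* @throws {AuthError} With `TOKEN_EXPIRED` if the token's `exp` claim is in the past.
+* @throws {AuthError} With `TOKEN_INVALID` for any other verification failure.
+*/
 function verify(token, secret, algorithm) {
 try {
 const decoded = jwt.verify(token, secret, { algorithms: [algorithm] });
@@ -31,21 +57,58 @@ function verify(token, secret, algorithm) {
 throw new AuthError('TOKEN_INVALID', 'Token is invalid or malformed');
 }
 }
+/**
+* Sign a short-lived access token containing the user's identity and roles.
+*
+* Uses the access-specific secret derived from config and the configured
+* `accessExpiresIn` duration and HMAC algorithm.
+*
+* @param payload - The {@link AuthUser} payload to embed (id, identifier, roles).
+* @param config - Auth configuration used to derive the secret and options.
+* @returns Compact JWT string.
+*/
 export function signAccessToken(payload, config) {
 const resolved = resolveConfig(config);
 const { access } = deriveSecrets(resolved.secret);
 return sign(payload, access, resolved.accessExpiresIn, resolved.algorithm);
 }
+/**
+* Sign a long-lived refresh token bound to a specific session ID.
+*
+* Uses the refresh-specific secret derived from config and the configured
+* `refreshExpiresIn` duration. The session ID is embedded as the sole claim
+* so the token can be used to look up and rotate the session.
+*
+* @param sessionId - The database session ID to bind to this token.
+* @param config - Auth configuration used to derive the secret and options.
+* @returns Compact JWT string.
+*/
 export function signRefreshToken(sessionId, config) {
 const resolved = resolveConfig(config);
 const { refresh } = deriveSecrets(resolved.secret);
 return sign({ sessionId }, refresh, resolved.refreshExpiresIn, resolved.algorithm);
 }
+/**
+* Verify an access token and return its decoded {@link AuthUser} payload.
+*
+* @param token - Compact JWT access token string.
+* @param config - Auth configuration used to derive the secret and algorithm.
+* @returns Decoded `AuthUser` payload (id, identifier, roles).
+* @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+*/
 export function verifyAccessToken(token, config) {
 const resolved = resolveConfig(config);
 const { access } = deriveSecrets(resolved.secret);
 return verify(token, access, resolved.algorithm);
 }
+/**
+* Verify a refresh token and return the embedded session ID.
+*
+* @param token - Compact JWT refresh token string.
+* @param config - Auth configuration used to derive the secret and algorithm.
+* @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
+* @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+*/
 export function verifyRefreshToken(token, config) {
 const resolved = resolveConfig(config);
 const { refresh } = deriveSecrets(resolved.secret);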
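Review bot: The new JSDoc on `deriveSecrets` calls the two values separate secrets, but both are the root secret with a fixed, public suffix, so they are only as strong as the root secret and disclosure of either one gives away the root and the other key. The comment should say so, for example `* Note: both keys are the root secret plus a fixed suffix; leaking either one reveals the root secret.` If independent keys are wanted, an HKDF over the root secret with distinct `info` labels would provide them, at the cost of invalidating tokens already issued. The docs on `sign` and `verify` also describe the key as HMAC, while the hunks only show `algorithms: [algorithm]` taken from config; whether config restricts `algorithm` to the HS family is not visible here and is worth stating on the `@param algorithm` lines.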
package/dist/libs/token.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAiB,EAAE,MAAkB;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAA
a,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}
|
|
1
|
+
{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB,EAAE,MAAkB;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH
,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}
|
|
@@ -1,3 +1,18 @@
|
|
|
1
1
|
import type { RequestHandler } from 'express';
|
|
2
|
+
/**
|
|
3
|
+
* Express middleware factory for role-based access control (RBAC).
|
|
4
|
+
*
|
|
5
|
+
* Passes if the authenticated user (set by `protect()`) has **at least one**
|
|
6
|
+
* of the specified `allowedRoles`. Calls `next(AuthError)` with code `FORBIDDEN`
|
|
7
|
+
* if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
|
|
8
|
+
*
|
|
9
|
+
* Must be used **after** `protect()`.
|
|
10
|
+
*
|
|
11
|
+
* @param allowedRoles - One or more role strings. The user needs at least one of them.
|
|
12
|
+
* @returns An Express `RequestHandler` that enforces the role check.
|
|
13
|
+
*
|
|
14
|
+
* @example
|
|
15
|
+
* router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
|
|
16
|
+
*/
|
|
2
17
|
export declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
|
|
3
18
|
//# sourceMappingURL=authorize.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}
|
|
1
|
+
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}
|
|
@@ -1,4 +1,19 @@
|
|
|
1
1
|
import { AuthError } from '../errors/AuthError.js';
|
|
2
|
+
/**
|
|
3
|
+
* Express middleware factory for role-based access control (RBAC).
|
|
4
|
+
*
|
|
5
|
+
* Passes if the authenticated user (set by `protect()`) has **at least one**
|
|
6
|
+
* of the specified `allowedRoles`. Calls `next(AuthError)` with code `FORBIDDEN`
|
|
7
|
+
* if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
|
|
8
|
+
*
|
|
9
|
+
* Must be used **after** `protect()`.
|
|
10
|
+
*
|
|
11
|
+
* @param allowedRoles - One or more role strings. The user needs at least one of them.
|
|
12
|
+
* @returns An Express `RequestHandler` that enforces the role check.
|
|
13
|
+
*
|
|
14
|
+
* @example
|
|
15
|
+
* router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
|
|
16
|
+
*/
|
|
2
17
|
export function authorize(...allowedRoles) {
|
|
3
18
|
return (request, _response, next) => {
|
|
4
19
|
if (!request.user) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QACxD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,SAAS,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QACxD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,SAAS,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}
|
|
@@ -1,4 +1,21 @@
|
|
|
1
1
|
import type { RequestHandler } from 'express';
|
|
2
2
|
import type { AuthConfig } from '../types/auth.js';
|
|
3
|
+
/**
|
|
4
|
+
* Express middleware factory that enforces JWT authentication.
|
|
5
|
+
*
|
|
6
|
+
* Reads the `Authorization: Bearer <token>` header, verifies the access token,
|
|
7
|
+
* and attaches the decoded payload to `req.user`. Calls `next(AuthError)` on
|
|
8
|
+
* any failure so your error handler can convert it to an HTTP response.
|
|
9
|
+
*
|
|
10
|
+
* Must be used **before** `authorize()` or `permit()`.
|
|
11
|
+
*
|
|
12
|
+
* @param config - Auth configuration used to verify the token.
|
|
13
|
+
* @returns An Express `RequestHandler` that populates `req.user` on success.
|
|
14
|
+
*
|
|
15
|
+
* @example
|
|
16
|
+
* router.get('/profile', protect(config), (req, res) => {
|
|
17
|
+
* res.json(req.user);
|
|
18
|
+
* });
|
|
19
|
+
*/
|
|
3
20
|
export declare function protect(config: AuthConfig): RequestHandler;
|
|
4
21
|
//# sourceMappingURL=protect.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAc1D"}
|
|
1
|
+
{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAc1D"}
|
|
@@ -1,5 +1,22 @@
|
|
|
1
1
|
import { AuthError } from '../errors/AuthError.js';
|
|
2
2
|
import { verifyAccessToken } from '../libs/token.js';
|
|
3
|
+
/**
|
|
4
|
+
* Express middleware factory that enforces JWT authentication.
|
|
5
|
+
*
|
|
6
|
+
* Reads the `Authorization: Bearer <token>` header, verifies the access token,
|
|
7
|
+
* and attaches the decoded payload to `req.user`. Calls `next(AuthError)` on
|
|
8
|
+
* any failure so your error handler can convert it to an HTTP response.
|
|
9
|
+
*
|
|
10
|
+
* Must be used **before** `authorize()` or `permit()`.
|
|
11
|
+
*
|
|
12
|
+
* @param config - Auth configuration used to verify the token.
|
|
13
|
+
* @returns An Express `RequestHandler` that populates `req.user` on success.
|
|
14
|
+
*
|
|
15
|
+
* @example
|
|
16
|
+
* router.get('/profile', protect(config), (req, res) => {
|
|
17
|
+
* res.json(req.user);
|
|
18
|
+
* });
|
|
19
|
+
*/
|
|
3
20
|
export function protect(config) {
|
|
4
21
|
return (request, _response, next) => {
|
|
5
22
|
const authHeader = request.headers['authorization'];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
|
@@ -6,12 +6,13 @@ import type { AuthConfig } from '../types/auth.js';
|
|
|
6
6
|
* Mount it once and all routes are ready:
|
|
7
7
|
*
|
|
8
8
|
* ```
|
|
9
|
-
* POST /signup
|
|
10
|
-
* POST /login
|
|
11
|
-
* POST /refresh
|
|
12
|
-
* POST /logout
|
|
13
|
-
* POST /logout-all
|
|
14
|
-
* GET /me
|
|
9
|
+
* POST /signup — register a new user
|
|
10
|
+
* POST /login — authenticate and get tokens
|
|
11
|
+
* POST /refresh — rotate refresh token
|
|
12
|
+
* POST /logout — invalidate current session
|
|
13
|
+
* POST /logout-all — invalidate all sessions for the authenticated user
|
|
14
|
+
* GET /me — return the currently authenticated user
|
|
15
|
+
* POST /users/:userId/roles — assign roles (admin only)
|
|
15
16
|
* ```
|
|
16
17
|
*
|
|
17
18
|
* Requires `express.json()` to be applied before the router.
|
|
@@ -19,6 +20,9 @@ import type { AuthConfig } from '../types/auth.js';
|
|
|
19
20
|
* When `cookie` is set in config, the refresh token is stored in an httpOnly
|
|
20
21
|
* cookie automatically — no `cookie-parser` needed.
|
|
21
22
|
*
|
|
23
|
+
* When `router` is set in config, individual service functions can be replaced
|
|
24
|
+
* while the router still handles validation and response formatting.
|
|
25
|
+
*
|
|
22
26
|
* @example
|
|
23
27
|
* app.use(express.json());
|
|
24
28
|
* app.use('/auth', auth.router());
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AAEjF,OAAO,KAAK,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AAEjF,OAAO,KAAK,EAAE,UAAU,EAA2B,MAAM,kBAAkB,CAAC;AAmE5E;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CA8KxF"}
|
|
@@ -62,12 +62,13 @@ function clearCookie(response, config) {
|
|
|
62
62
|
* Mount it once and all routes are ready:
|
|
63
63
|
*
|
|
64
64
|
* ```
|
|
65
|
-
* POST /signup
|
|
66
|
-
* POST /login
|
|
67
|
-
* POST /refresh
|
|
68
|
-
* POST /logout
|
|
69
|
-
* POST /logout-all
|
|
70
|
-
* GET /me
|
|
65
|
+
* POST /signup — register a new user
|
|
66
|
+
* POST /login — authenticate and get tokens
|
|
67
|
+
* POST /refresh — rotate refresh token
|
|
68
|
+
* POST /logout — invalidate current session
|
|
69
|
+
* POST /logout-all — invalidate all sessions for the authenticated user
|
|
70
|
+
* GET /me — return the currently authenticated user
|
|
71
|
+
* POST /users/:userId/roles — assign roles (admin only)
|
|
71
72
|
* ```
|
|
72
73
|
*
|
|
73
74
|
* Requires `express.json()` to be applied before the router.
|
|
@@ -75,12 +76,23 @@ function clearCookie(response, config) {
|
|
|
75
76
|
* When `cookie` is set in config, the refresh token is stored in an httpOnly
|
|
76
77
|
* cookie automatically — no `cookie-parser` needed.
|
|
77
78
|
*
|
|
79
|
+
* When `router` is set in config, individual service functions can be replaced
|
|
80
|
+
* while the router still handles validation and response formatting.
|
|
81
|
+
*
|
|
78
82
|
* @example
|
|
79
83
|
* app.use(express.json());
|
|
80
84
|
* app.use('/auth', auth.router());
|
|
81
85
|
*/
|
|
82
86
|
export function createAuthRouter(config) {
|
|
83
87
|
const router = Router();
|
|
88
|
+
// Resolve service functions — use custom override from config.router when provided, else fall back to the built-in service.
|
|
89
|
+
const baseConfig = config;
|
|
90
|
+
const signupFn = config.router?.signup ?? ((input) => signup(input, baseConfig));
|
|
91
|
+
const loginFn = config.router?.login ?? ((input) => login(input, baseConfig));
|
|
92
|
+
const refreshFn = config.router?.refresh ?? ((token) => refresh(token, baseConfig));
|
|
93
|
+
const logoutFn = config.router?.logout ?? ((token) => token !== undefined ? logout(token, baseConfig) : Promise.resolve());
|
|
94
|
+
const logoutAllFn = config.router?.logoutAll ?? ((userId) => logoutAll(userId, baseConfig));
|
|
95
|
+
const assignRolesFn = config.router?.assignRoles ?? ((userId, roles) => assignRoles(userId, roles, baseConfig));
|
|
84
96
|
router.post('/signup', async (request, response, next) => {
|
|
85
97
|
try {
|
|
86
98
|
const body = parseBody(request.body);
|
|
@@ -107,7 +119,7 @@ export function createAuthRouter(config) {
|
|
|
107
119
|
const input = rolesInput !== undefined
|
|
108
120
|
? { identifier: identifier.trim(), password, roles: rolesInput }
|
|
109
121
|
: { identifier: identifier.trim(), password };
|
|
110
|
-
const result = await
|
|
122
|
+
const result = await signupFn(input);
|
|
111
123
|
if (!result.success) {
|
|
112
124
|
fail(response, result.error);
|
|
113
125
|
return;
|
|
@@ -134,7 +146,7 @@ export function createAuthRouter(config) {
|
|
|
134
146
|
if (password.length > MAX_PASSWORD_LENGTH) {
|
|
135
147
|
throw badRequest(`password must not exceed ${MAX_PASSWORD_LENGTH} characters`);
|
|
136
148
|
}
|
|
137
|
-
const result = await
|
|
149
|
+
const result = await loginFn({ identifier: identifier.trim(), password });
|
|
138
150
|
if (!result.success) {
|
|
139
151
|
fail(response, result.error);
|
|
140
152
|
return;
|
|
@@ -152,7 +164,7 @@ export function createAuthRouter(config) {
|
|
|
152
164
|
if (!fromCookie) {
|
|
153
165
|
throw new AuthError('UNAUTHORIZED', 'Refresh token cookie is missing');
|
|
154
166
|
}
|
|
155
|
-
const result = await
|
|
167
|
+
const result = await refreshFn(fromCookie);
|
|
156
168
|
if (!result.success) {
|
|
157
169
|
clearCookie(response, config);
|
|
158
170
|
fail(response, result.error);
|
|
@@ -168,9 +180,7 @@ export function createAuthRouter(config) {
|
|
|
168
180
|
router.post('/logout', async (request, response, next) => {
|
|
169
181
|
try {
|
|
170
182
|
const fromCookie = readCookie(request.headers['cookie'], getCookieName(config));
|
|
171
|
-
|
|
172
|
-
await logout(fromCookie, config);
|
|
173
|
-
}
|
|
183
|
+
await logoutFn(fromCookie);
|
|
174
184
|
clearCookie(response, config);
|
|
175
185
|
ok(response, 200, 'Logged out', null);
|
|
176
186
|
}
|
|
@@ -180,7 +190,7 @@ export function createAuthRouter(config) {
|
|
|
180
190
|
});
|
|
181
191
|
router.post('/logout-all', protect(config), async (request, response, next) => {
|
|
182
192
|
try {
|
|
183
|
-
await
|
|
193
|
+
await logoutAllFn(request.user.id);
|
|
184
194
|
clearCookie(response, config);
|
|
185
195
|
ok(response, 200, 'All sessions revoked', null);
|
|
186
196
|
}
|
|
@@ -206,7 +216,7 @@ export function createAuthRouter(config) {
|
|
|
206
216
|
if (!roles.every((role) => typeof role === 'string')) {
|
|
207
217
|
throw badRequest('each role must be a string');
|
|
208
218
|
}
|
|
209
|
-
const result = await
|
|
219
|
+
const result = await assignRolesFn(userId, roles);
|
|
210
220
|
if (!result.success) {
|
|
211
221
|
fail(response, result.error);
|
|
212
222
|
return;
|
|
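Review bot: A custom `config.router.logout` is now called as `logoutFn(fromCookie)` even when the refresh cookie is absent, and only the built-in fallback guards `token !== undefined`; the removed lines 171–173 appear to have skipped the call in that case, so an override written for a string token can receive `undefined`. The resolving comment near the top of `createAuthRouter` should state that contract, e.g. `// Note: a custom logout override may be called with undefined when no refresh cookie is present.` It is also worth documenting there that an override replaces the whole service call, so session lookup, rotation and revocation become the override's responsibility while the router keeps trusting the returned `result.success` / `result.error` shape. The body of `createAuthRouter` continues outside these hunks, so the route guards applied around `assignRolesFn` are not visible here.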
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAGnD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,6EAA6E;AAC7E,6EAA6E;AAC7E,wCAAwC;AACxC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAElC,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,IAAI,SAAS,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,EAAE,CAAI,QAAkB,EAAE,UAAkB,EAAE,OAAe,EAAE,IAAO;IAC7E,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,IAAI,CAAC,QAAkB,EAAE,KAAgB;IAChD,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/C,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;AACpG,CAAC;AAED,SAAS,SAAS,CAAC,IAAa;IAC9B,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3F,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,6EAA6E,CAAC,CAAC;IACzH,CAAC;IACD,OAAO,IAA+B,CAAC;AACzC,CAAC;AAED,6EAA6E;AAC7E,SAAS,UAAU,CAAC,YAAgC,EAAE,IAAY;IAChE,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,IAAI,GAAG,YAAY;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;SAChC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,MAAkB;IACvC,OAAO,MAAM,CAAC,MAAM,EAAE,IAAI,IAAI,eAAe,CAAC;AAChD,CAAC;AAED,SAAS,SAAS,CAAC,QAAkB,EAAE,KAAa,EAAE,MAAkB;IACtE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ
,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACtD,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE;QAC5C,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,IAAI;QACvC,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,KAAK;QACpC,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,QAAQ;QAC3C,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,GAAG;QAC9B,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,QAAkB,EAAE,MAAkB;IACzD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IACzC,QAAQ,CAAC,WAAW,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;AAClF,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,gBAAgB,CAAuB,MAAyB;IAC9E,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,4HAA4H;IAC5H,MAAM,UAAU,GAAG,MAAoB,CAAC;IACxC,MAAM,QAAQ,GAAK,MAAM,CAAC,MAAM,EAAE,MAAM,IAAS,CAAC,CAAC,KAAkB,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACrG,MAAM,OAAO,GAAM,MAAM,CAAC,MAAM,EAAE,KAAK,IAAU,CAAC,CAAC,KAAiB,EAAG,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACpG,MAAM,SAAS,GAAI,MAAM,CAAC,MAAM,EAAE,OAAO,IAAQ,CAAC,CAAC,KAAa,EAAO,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACtG,MAAM,QAAQ,GAAK,MAAM,CAAC,MAAM,EAAE,MAAM,IAAS,CAAC,CAAC,KAAyB,EAAE,EAAE,CAC9E,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACvE,MAAM,WAAW,GAAK,MAAM,CAAC,MAAM,EAAE,SAAS,IAAM,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;IACxG,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,CAAC,MAAc,EAAE,KAAe,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IAElI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACvD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YAE7C,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,K
AAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1E,MAAM,UAAU,CAAC,6CAA6C,mBAAmB,aAAa,CAAC,CAAC;YAClG,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YACD,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,MAAM,UAAU,CAAC,iDAAiD,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBAC7E,MAAM,UAAU,CAAC,4BAA4B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,KAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YACzE,MAAM,KAAK,GAAG,UAAU,KAAK,SAAS;gBACpC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE;gBAChE,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YAErC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,8BAA8B,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACtD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1D,MAAM,UAAU,CAAC,sBAAsB,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC
,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACjD,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAChG,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACxD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAChF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,iCAAiC,CAAC,CAAC;YACzE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;YAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC9B,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACjD,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,iBAAiB,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAChF,MAAM,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3B,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QAC5E,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,OAAO,CAAC,IAAK,CAAC,EAAE,CAAC,CAAC;YACpC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;QACvD,EAAE,CAAC,QAAQ,EAAE,GAA
G,EAAE,IAAI,EAAE,OAAO,CAAC,IAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACzG,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YACvB,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAErE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,UAAU,CAAC,oBAAoB,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,MAAM,UAAU,CAAC,4CAA4C,CAAC,CAAC;YACjE,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBACrD,MAAM,UAAU,CAAC,4BAA4B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAiB,CAAC,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,6BAA6B,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gFAAgF;IAChF,8EAA8E;IAC9E,MAAM,CAAC,GAAG,CAAC,CAAC,KAAc,EAAE,QAAiB,EAAE,QAAkB,EAAE,KAAmB,EAAE,EAAE;QACxF,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
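--- a/package/dist/services/auth.d.ts
+++ b/package/dist/services/auth.d.ts
@@ -1,8 +1,83 @@
 import type { AssignRolesResult, AuthConfig, AuthResult, LoginInput, RefreshResult, SignupInput, SignupResult } from '../types/auth.js';
+/**
+* Register a new user.
+*
+* Validates that every requested role is in `validRoles`, rejects duplicate
+* identifiers, hashes the password with bcrypt, creates the user record via
+* the adapter, and returns the created user.
+*
+* No tokens are issued — the caller should invoke `login` after signup if
+* immediate authentication is desired.
+*
+* @param input - Signup data: identifier, plain-text password, and optional roles.
+* @param config - Auth configuration containing the adapter and role definitions.
+* @returns `{ success: true, user }` on success, or `{ success: false, error }` with
+* code `INVALID_ROLE` or `USER_ALREADY_EXISTS` on failure.
+*/
 export declare function signup(input: SignupInput, config: AuthConfig): Promise<SignupResult>;
+/**
+* Authenticate an existing user by identifier and plain-text password.
+*
+* Looks up the user, verifies the password with bcrypt, creates a new session,
+* and issues a JWT access token + refresh token pair.
+*
+* The failure response always uses code `INVALID_CREDENTIALS` regardless of
+* whether the identifier or the password was wrong, preventing user enumeration.
+*
+* @param input - Login data: identifier and plain-text password.
+* @param config - Auth configuration containing the adapter and JWT settings.
+* @returns `{ success: true, accessToken, refreshToken, user }` on success, or
+* `{ success: false, error }` with code `INVALID_CREDENTIALS` on failure.
+*/
 export declare function login(input: LoginInput, config: AuthConfig): Promise<AuthResult>;
+/**
+* Exchange a valid refresh token for a new access + refresh token pair.
+*
+* Implements **session rotation**: the old session is deleted and a fresh
+* session is created, so each refresh token is single-use. An attacker
+* replaying a stolen refresh token after it has already been rotated will
+* find the session gone.
+*
+* @param refreshToken - The JWT refresh token (typically from an httpOnly cookie).
+* @param config - Auth configuration containing the adapter and JWT settings.
+* @returns `{ success: true, accessToken, refreshToken, user }` on success, or
+* `{ success: false, error }` with code `UNAUTHORIZED`, `TOKEN_EXPIRED`, or
+* `TOKEN_INVALID` on failure.
+*/
 export declare function refresh(refreshToken: string, config: AuthConfig): Promise<RefreshResult>;
+/**
+* Invalidate a single session identified by a refresh token.
+*
+* Safe to call even when the token is already expired or invalid — the JWT
+* parse failure is silently swallowed and the function resolves normally.
+* This makes logout idempotent from the client's perspective.
+*
+* @param refreshToken - The JWT refresh token bound to the session to revoke.
+* @param config - Auth configuration containing the adapter and JWT settings.
+*/
 export declare function logout(refreshToken: string, config: AuthConfig): Promise<void>;
+/**
+* Delete all sessions for a user, effectively logging them out of every device.
+*
+* Delegates to `adapter.session.deleteAllForUser`. No token is required — the
+* router route that calls this function is already guarded by `protect()`.
+*
+* @param userId - The user's primary key as stored in the database.
+* @param config - Auth configuration containing the adapter.
+*/
 export declare function logoutAll(userId: string, config: AuthConfig): Promise<void>;
+/**
+* Add roles to a user account, merging them with any existing roles.
+*
+* Validates that every role in `rolesToAdd` is listed in `config.validRoles`.
+* The resulting role set is deduplicated before being persisted via
+* `adapter.user.updateRoles`.
+*
+* @param userId - The primary key of the user to update.
+* @param rolesToAdd - Role names to assign. Must all be present in `validRoles`.
+* @param config - Auth configuration containing the adapter and role definitions.
+* @returns `{ success: true, user }` on success, or `{ success: false, error }` with
+* code `INVALID_ROLE` or `USER_NOT_FOUND` on failure.
+*/
 export declare function assignRoles(userId: string, rolesToAdd: string[], config: AuthConfig): Promise<AssignRolesResult>;
 //# sourceMappingURL=auth.d.ts.map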
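Review bot: The `login` comment claims more than the documented behaviour delivers: a single `INVALID_CREDENTIALS` code hides which field was wrong, but the `signup` comment in this same file documents a distinct `USER_ALREADY_EXISTS` code, which tells a caller whether an identifier is registered. Equal codes also say nothing about response time, and the lookup-and-verify path of `login` is not shown in this declaration file, so whether bcrypt still runs for an unknown identifier cannot be confirmed here. I would narrow the sentence to `* Both an unknown identifier and a wrong password return INVALID_CREDENTIALS; signup still reports USER_ALREADY_EXISTS, so throttle both routes.` The same comment is repeated in the `dist/services/auth.js` section.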
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAExI,wBAAsB,MAAM,CAC1B,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CAoBvB;AAED,wBAAsB,KAAK,CACzB,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED,wBAAsB,OAAO,CAC3B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED,wBAAsB,MAAM,CAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,iBAAiB,CAAC,CAiB5B"}
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAExI;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CAoBvB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,KAAK,CACzB,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,OAAO,CAC3B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,MAAM,CAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,iBAAiB,CAAC,CAiB5B"}
|
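--- a/package/dist/services/auth.js
+++ b/package/dist/services/auth.js
@@ -2,6 +2,21 @@ import { AuthError } from '../errors/AuthError.js';
 import { hashPassword, verifyPassword } from '../libs/hash.js';
 import { signAccessToken, signRefreshToken, verifyRefreshToken } from '../libs/token.js';
 import { resolveConfig, parseExpiry } from '../libs/config.js';
+/**
+* Register a new user.
+*
+* Validates that every requested role is in `validRoles`, rejects duplicate
+* identifiers, hashes the password with bcrypt, creates the user record via
+* the adapter, and returns the created user.
+*
+* No tokens are issued — the caller should invoke `login` after signup if
+* immediate authentication is desired.
+*
+* @param input - Signup data: identifier, plain-text password, and optional roles.
+* @param config - Auth configuration containing the adapter and role definitions.
+* @returns `{ success: true, user }` on success, or `{ success: false, error }` with
+* code `INVALID_ROLE` or `USER_ALREADY_EXISTS` on failure.
+*/
 export async function signup(input, config) {
 const resolved = resolveConfig(config);
 const requestedRoles = input.roles ?? [];
@@ -19,6 +34,20 @@ export async function signup(input, config) {
 const user = { id: created.id, identifier, roles: requestedRoles };
 return { success: true, user };
 }
+/**
+* Authenticate an existing user by identifier and plain-text password.
+*
+* Looks up the user, verifies the password with bcrypt, creates a new session,
+* and issues a JWT access token + refresh token pair.
+*
+* The failure response always uses code `INVALID_CREDENTIALS` regardless of
+* whether the identifier or the password was wrong, preventing user enumeration.
+*
+* @param input - Login data: identifier and plain-text password.
+* @param config - Auth configuration containing the adapter and JWT settings.
+* @returns `{ success: true, accessToken, refreshToken, user }` on success, or
+* `{ success: false, error }` with code `INVALID_CREDENTIALS` on failure.
+*/
 export async function login(input, config) {
 const resolved = resolveConfig(config);
 const found = await resolved.adapter.user.findByIdentifier(input.identifier.trim());
@@ -36,6 +65,20 @@ export async function login(input, config) {
 const refreshToken = signRefreshToken(session.id, config);
 return { success: true, accessToken, refreshToken, user };
 }
+/**
+* Exchange a valid refresh token for a new access + refresh token pair.
+*
+* Implements **session rotation**: the old session is deleted and a fresh
+* session is created, so each refresh token is single-use. An attacker
+* replaying a stolen refresh token after it has already been rotated will
+* find the session gone.
+*
+* @param refreshToken - The JWT refresh token (typically from an httpOnly cookie).
+* @param config - Auth configuration containing the adapter and JWT settings.
+* @returns `{ success: true, accessToken, refreshToken, user }` on success, or
+* `{ success: false, error }` with code `UNAUTHORIZED`, `TOKEN_EXPIRED`, or
+* `TOKEN_INVALID` on failure.
+*/
 export async function refresh(refreshToken, config) {
 const resolved = resolveConfig(config);
 let sessionId;
@@ -64,6 +107,16 @@ export async function refresh(refreshToken, config) {
 const newRefreshToken = signRefreshToken(newSession.id, config);
 return { success: true, accessToken: newAccessToken, refreshToken: newRefreshToken, user };
 }
+/**
+* Invalidate a single session identified by a refresh token.
+*
+* Safe to call even when the token is already expired or invalid — the JWT
+* parse failure is silently swallowed and the function resolves normally.
+* This makes logout idempotent from the client's perspective.
+*
+* @param refreshToken - The JWT refresh token bound to the session to revoke.
+* @param config - Auth configuration containing the adapter and JWT settings.
+*/
 export async function logout(refreshToken, config) {
 let sessionId;
 try {
@@ -74,9 +127,31 @@ export async function logout(refreshToken, config) {
 }
 await resolveConfig(config).adapter.session.delete(sessionId);
 }
+/**
+* Delete all sessions for a user, effectively logging them out of every device.
+*
+* Delegates to `adapter.session.deleteAllForUser`. No token is required — the
+* router route that calls this function is already guarded by `protect()`.
+*
+* @param userId - The user's primary key as stored in the database.
+* @param config - Auth configuration containing the adapter.
+*/
 export async function logoutAll(userId, config) {
 await resolveConfig(config).adapter.session.deleteAllForUser(userId);
 }
+/**
+* Add roles to a user account, merging them with any existing roles.
+*
+* Validates that every role in `rolesToAdd` is listed in `config.validRoles`.
+* The resulting role set is deduplicated before being persisted via
+* `adapter.user.updateRoles`.
+*
+* @param userId - The primary key of the user to update.
+* @param rolesToAdd - Role names to assign. Must all be present in `validRoles`.
+* @param config - Auth configuration containing the adapter and role definitions.
+* @returns `{ success: true, user }` on success, or `{ success: false, error }` with
+* code `INVALID_ROLE` or `USER_NOT_FOUND` on failure.
+*/
 export async function assignRoles(userId, rolesToAdd, config) {
 const resolved = resolveConfig(config);
 const invalidRoles = rolesToAdd.filter((role) => !resolved.validRoles.includes(role));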
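Review bot: The new `signup` comment documents membership in `validRoles` as the only check on requested roles, and the context lines `const requestedRoles = input.roles ?? [];` and `roles: requestedRoles` show those roles coming straight from the caller's input. If a public signup route forwards a request-body `roles` field — the router is not part of this section, so this is to be confirmed — a new account could be created with any configured role, including privileged ones. The comment should say so, for example `* Security: roles are caller-supplied; only pass them from a trusted (admin-only) code path, never directly from an unauthenticated request body.` Lines 23–33 of `signup` lie between the hunks and are not visible.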
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAG/D,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,KAAkB,EAClB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;IACzC,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IAC/G,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC1E,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAExG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACnE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,KAAK,CACzB,KAAiB,EACjB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACpF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IACvE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC
,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvF,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAChF,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,YAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,uBAAuB,CAAC,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,8BAA8B,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAC1F,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEhG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACrG,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,gBAAgB,CAAC,UAAU,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EA
AE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;AAC7F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,YAAoB,EACpB,MAAkB;IAElB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,qCAAqC;IAC/C,CAAC;IACD,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,UAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACtF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IAC/G,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,CAAC;IACtF,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAE7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC;AACrG,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAG/D;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,KAAkB,EAClB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;IACzC,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IAC/G,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC1E,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAExG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACnE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK,CACzB,KAAiB,EACjB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACpF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IACvE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;
IAChG,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvF,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAChF,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,YAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,uBAAuB,CAAC,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,8BAA8B,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAC1F,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEhG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACrG,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,gBAAgB,CAAC,U
AAU,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;AAC7F,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,YAAoB,EACpB,MAAkB;IAElB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,qCAAqC;IAC/C,CAAC;IACD,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,UAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACtF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IAC/G,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,CAAC;IACtF,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAE7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC;AACrG,CAAC"}
|