sentri 1.0.6 → 1.1.1

package/README.md

@@ -1,6 +1,6 @@
 # sentri
 
-Auth and authorization library for Express + PostgreSQL. Provides JWT-based authentication with refresh token rotation, role-based access control, fine-grained permission checks, and a pre-built Express router — all behind a single typed client.
+Auth and authorization library for Express + PostgreSQL. Provides JWT-based authentication with session-bound access tokens, refresh token rotation, role-based access control, fine-grained permission checks, and a pre-built Express router — all behind a single typed client.
 
 ---
 
@@ -99,7 +99,7 @@ npx sentri generate drizzle
 import { createAuth } from 'sentri';
 
 export const auth = createAuth({
-  secret: process.env.JWT_SECRET!,        // required — keep in env
+  secret: process.env.JWT_SECRET!,        // required — keep in env, min 32 chars
   validRoles: ['user', 'admin'] as const, // required — use `as const` for type safety
   adapter: myAdapter,                     // required — see Adapter Interface
 
@@ -109,6 +109,10 @@ export const auth = createAuth({
   algorithm: 'HS256',       // default: 'HS256' — also 'HS384' | 'HS512'
   saltRounds: 12,           // default: 12 (bcrypt rounds, min 10)
 
+  // Restrict POST /register to callers that supply X-Api-Key header.
+  // When set, only requests with this exact key can create new accounts.
+  apiKey: process.env.REGISTER_API_KEY,  // optional
+
   cookie: {                 // optional — enables httpOnly cookie for refresh token
     secure: process.env.NODE_ENV === 'production',
     // name: 'refresh_token',  // default: 'refresh_token'
@@ -119,7 +123,7 @@ export const auth = createAuth({
 
   // router: {             // optional — replace built-in service logic per route
   //   login: async (input) => { ... },
-  //   signup: async (input) => { ... },
+  //   register: async (input) => { ... },
   //   refresh: async (refreshToken) => { ... },
   //   logout: async (refreshToken) => { ... },
   //   logoutAll: async (userId) => { ... },
@@ -134,6 +138,50 @@ When `cookie` is configured, the refresh token is stored in an httpOnly cookie a
 
 ---
 
+## apiKey — Restricting Registration
+
+By default `POST /register` is open to the public. This can be a security risk when your application allows role selection at registration time — any caller could register themselves as `admin`.
+
+Set `apiKey` in your config to lock the endpoint:
+
+```typescript
+export const auth = createAuth({
+  // ...
+  apiKey: process.env.REGISTER_API_KEY!,
+});
+```
+
+Requests to `POST /register` must then include the header:
+
+```
+X-Api-Key: <value of REGISTER_API_KEY>
+```
+
+Requests without the header, or with the wrong value, receive HTTP 401 `UNAUTHORIZED`. Keep the API key in an environment variable and share it only with trusted services (your back-office panel, CI scripts, etc.).
+
+---
+
+## Session-Bound Access Tokens
+
+Since version 1.1.0, access tokens embed the `sessionId` of the session that was created at login. The `protect()` middleware validates this session against the database on every request.
+
+**What this means in practice:**
+
+- `POST /logout` deletes the session. Any access token issued during that login is immediately rejected — even if it has not expired yet.
+- `POST /logout-all` deletes **all** sessions for the user. Every access token across all devices is immediately rejected.
+- Tokens issued before 1.1.0 (without the `sessionId` claim) are still accepted but bypass session validation — plan a rolling upgrade if you need strict enforcement for existing tokens.
+
+```
+Login  →  session created  →  access token embeds sessionId
+Request → protect() verifies JWT → checks session exists → ✓ allowed
+Logout  → session deleted
+Request → protect() verifies JWT → session not found → ✗ 401 UNAUTHORIZED
+```
+
+> **Trade-off:** `protect()` now performs one additional database read per request. For most applications this is negligible. If you need to avoid any per-request DB access, keep `accessExpiresIn` short (e.g. `'5m'`) and rely on token expiry instead — but note that tokens will remain valid for up to `accessExpiresIn` after logout.
+
+---
+
 ## Custom Route Handlers
 
 The `router` field in config lets you replace the built-in service logic for individual routes while the router still handles request parsing, input validation, and response formatting.
@@ -159,9 +207,9 @@ export const auth = createAuth({
       return defaultLogin(input);
     },
 
-    // Send a welcome email after signup
-    signup: async (input) => {
-      const result = await defaultSignup(input);
+    // Send a welcome email after registration
+    register: async (input) => {
+      const result = await defaultRegister(input);
       if (result.success) {
         await emailService.sendWelcome(input.identifier);
       }
@@ -184,7 +232,7 @@ export const auth = createAuth({
 
 | Key | Signature | Must return |
 |---|---|---|
-| `signup` | `(input: SignupInput) => Promise<SignupResult>` | `SignupResult` |
+| `register` | `(input: SignupInput) => Promise<SignupResult>` | `SignupResult` |
 | `login` | `(input: LoginInput) => Promise<AuthResult>` | `AuthResult` |
 | `refresh` | `(refreshToken: string) => Promise<RefreshResult>` | `RefreshResult` |
 | `logout` | `(refreshToken: string \| undefined) => Promise<void>` | `void` |
@@ -258,11 +306,12 @@ export const adapter = createAdapter(db);
 
 ### Endpoints
 
-#### `POST /signup`
+#### `POST /register`
 
-Register a new user. Does **not** issue tokens — call `/login` after signup.
+Register a new user. Does **not** issue tokens — call `/login` after registration.
 
 ```
+Headers: X-Api-Key: <key>   (required when config.apiKey is set)
 Body:    { identifier, password, roles?: string[] }
 Returns: { user: { id, identifier, roles } }
 Status:  201
@@ -310,7 +359,7 @@ Returns: null
 Status:  200
 ```
 
-Safe to call even if the cookie is missing or the token is already expired.
+After logout, any access token bound to this session is immediately rejected by `protect()`. Safe to call even if the cookie is missing or the token is already expired.
 
 ---
 
@@ -324,6 +373,8 @@ Returns: null
 Status:  200
 ```
 
+All access tokens across all devices are immediately rejected by `protect()` after this call.
+
 ---
 
 #### `GET /me`
@@ -355,7 +406,7 @@ Status:  200
 
 ### `auth.protect()`
 
-Verifies the `Authorization: Bearer <token>` header and injects `request.user` into the request.
+Verifies the `Authorization: Bearer <token>` header, confirms the session is still active in the database, and injects `request.user` into the request.
 
 ```typescript
 router.get('/dashboard', auth.protect(), (request, response) => {
@@ -363,6 +414,11 @@ router.get('/dashboard', auth.protect(), (request, response) => {
 });
 ```
 
+Returns HTTP 401 if:
+- The `Authorization` header is missing or malformed
+- The token signature is invalid or the token is expired
+- The session embedded in the token has been revoked (logout)
+
 ---
 
 ### `auth.authorize(...roles)`
@@ -467,11 +523,11 @@ All errors thrown by the library are instances of `AuthError` with a machine-rea
 | Code | HTTP | Meaning |
 |---|---|---|
 | `INVALID_CREDENTIALS` | 401 | Wrong identifier or password |
-| `USER_ALREADY_EXISTS` | 409 | Signup with duplicate identifier |
+| `USER_ALREADY_EXISTS` | 409 | Registration with duplicate identifier |
 | `USER_NOT_FOUND` | 404 | Operation on a non-existent user |
 | `TOKEN_EXPIRED` | 401 | JWT `exp` claim is in the past |
 | `TOKEN_INVALID` | 401 | JWT signature invalid or malformed |
-| `UNAUTHORIZED` | 401 | No valid access token on the request |
+| `UNAUTHORIZED` | 401 | No valid access token, revoked session, or invalid API key |
 | `FORBIDDEN` | 403 | Authenticated but missing required role |
 | `INVALID_ROLE` | 400 | Role name not in `validRoles` |
 | `VALIDATION_ERROR` | 400 | Missing or invalid input field |
@@ -482,17 +538,47 @@ The built-in router converts all `AuthError` instances to the standard envelope
 ```typescript
 import { AuthError } from 'sentri';
 
+const AUTH_ERROR_STATUS: Record<string, number> = {
+  UNAUTHORIZED: 401,
+  TOKEN_EXPIRED: 401,
+  TOKEN_INVALID: 401,
+  INVALID_CREDENTIALS: 401,
+  FORBIDDEN: 403,
+  USER_NOT_FOUND: 404,
+  USER_ALREADY_EXISTS: 409,
+  INVALID_ROLE: 400,
+  VALIDATION_ERROR: 400,
+  CONFIGURATION_ERROR: 500,
+};
+
 app.use((error, _request, response, next) => {
   if (error instanceof AuthError) {
-    const status =
-      error.code === 'UNAUTHORIZED' || error.code === 'TOKEN_EXPIRED' || error.code === 'TOKEN_INVALID' || error.code === 'INVALID_CREDENTIALS' ? 401
-      : error.code === 'FORBIDDEN' ? 403
-      : error.code === 'USER_NOT_FOUND' ? 404
-      : error.code === 'USER_ALREADY_EXISTS' ? 409
-      : 400;
-
-    return response.status(status).json({ error: true, statusCode: status, message: error.message, data: null });
+    const statusCode = AUTH_ERROR_STATUS[error.code] ?? 500;
+    return response.status(statusCode).json({
+      error: true,
+      statusCode,
+      code: error.code,
+      message: error.message,
+      data: null,
+    });
   }
   next(error);
 });
 ```
+
+---
+
+## Migration from 1.0.x
+
+### Breaking changes
+
+| What changed | Action required |
+|---|---|
+| `POST /signup` renamed to `POST /register` | Update all client-side calls |
+| `RouterHandlers.signup` renamed to `RouterHandlers.register` | Update config if you used a custom signup handler |
+| `protect()` now performs one DB read per request | Ensure your adapter's `session.findById` is indexed on session ID |
+
+### New features
+
+- **Session-bound tokens** — access tokens are immediately invalidated after logout without waiting for expiry.
+- **`apiKey` config** — lock `POST /register` to trusted callers via `X-Api-Key` header.

package/dist/client.d.ts

@@ -1,6 +1,7 @@
 import type { PermitCheck, PermitOptions } from './middleware/permit.js';
+import type { ErrorHandlerOptions } from './middleware/errorHandler.js';
 import type { AuthConfig, AuthUser } from './types/auth.js';
-import type { RequestHandler, Router } from 'express';
+import type { ErrorRequestHandler, RequestHandler, Router } from 'express';
 /**
  * The bound auth client returned by {@link createAuth}.
  *
@@ -15,11 +16,12 @@ export interface AuthClient<TRole extends string = string> {
      * Express middleware factory that enforces authentication.
      *
      * Reads the `Authorization: Bearer <token>` header, verifies the access token,
-     * and injects the decoded payload as `req.user`. Calls `next(AuthError)` on failure.
+     * confirms the session is still active in the database, and injects the decoded
+     * payload as `request.user`. Calls `next(AuthError)` on any failure.
      *
      * @example
-     * router.get('/me', auth.protect(), (req, res) => {
-     *   res.json(req.user);
+     * router.get('/me', auth.protect(), (request, response) => {
+     *   response.json(request.user);
      * });
      */
     protect(): RequestHandler;
@@ -47,7 +49,7 @@ export interface AuthClient<TRole extends string = string> {
      * // User can only update their own profile
      * router.put('/users/:id',
      *   auth.protect(),
-     *   auth.permit((req) => req.user!.id === req.params['id']),
+     *   auth.permit((request) => request.user!.id === request.params['id']),
      *   handler,
      * );
      *
@@ -57,9 +59,9 @@ export interface AuthClient<TRole extends string = string> {
      *   auth.protect(),
      *   auth.permit({
      *     roles: ['admin'],
-     *     check: async (req) => {
-     *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
-     *       return post?.authorId === req.user!.id;
+     *     check: async (request) => {
+     *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
+     *       return post?.authorId === request.user!.id;
      *     },
      *   }),
      *   handler,
@@ -82,23 +84,58 @@ export interface AuthClient<TRole extends string = string> {
         sessionId: string;
     };
     /**
-     * Returns a pre-built Express Router with all standard auth endpoints mounted:
+     * Returns a pre-built Express Router with all standard auth endpoints mounted.
      *
-     * - `POST /signup` — register a user, returns `{ user }`
+     * Endpoints:
+     * - `POST /register` — register a new user. Requires `X-Api-Key` header when `config.apiKey` is set.
      * - `POST /login` — authenticate, sets refresh token cookie, returns `{ accessToken, user }`
-     * - `POST /refresh` — reads refresh token from cookie, returns `{ accessToken }`
-     * - `POST /logout` — invalidate current session
-     * - `POST /logout-all` — invalidate all sessions (requires valid access token)
+     * - `POST /refresh` — rotate refresh token, returns new `{ accessToken }`
+     * - `POST /logout` — delete the current session; the bound access token is immediately rejected by `protect()`
+     * - `POST /logout-all` — delete all sessions for the user (requires valid access token)
      * - `GET  /me` — return the authenticated user
      * - `POST /users/:userId/roles` — assign roles (requires admin)
      *
-     * Requires `express.json()` to be applied before the router.
+     * Requires `express.json()` before the router.
      *
      * @example
      * app.use(express.json());
      * app.use('/auth', auth.router());
      */
     router(): Router;
+    /**
+     * Returns an Express error-handling middleware that formats every `AuthError`
+     * (and any subclass) into the standard sentri response envelope:
+     *
+     * ```json
+     * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
+     * ```
+     *
+     * Mount it **after all your routes** so it acts as the global catch-all for
+     * both sentri errors and your own `AuthError` subclasses.
+     *
+     * @example
+     * import { AuthError } from 'sentri';
+     *
+     * // Define app-specific errors by extending AuthError
+     * class NotFoundError extends AuthError {
+     *   constructor(resource: string) {
+     *     super('NOT_FOUND', `${resource} not found`, 404);
+     *   }
+     * }
+     *
+     * app.use('/auth', auth.router());
+     * app.use('/api', apiRouter);
+     *
+     * // Catches errors from sentri AND your own subclasses
+     * app.use(auth.errorHandler());
+     *
+     * @example
+     * // With optional unhandled-error logger
+     * app.use(auth.errorHandler({
+     *   onUnhandled: (err) => logger.error('Unexpected error', { err }),
+     * }));
+     */
+    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
 }
 /**
  * Create a fully configured auth client for your application.

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;OAUG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,IAAI,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAgBnB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAE3E;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;;OAWG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,YAAY,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAAC;CAClE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAiBnB"}

package/dist/client.js

@@ -5,6 +5,7 @@ import { protect } from './middleware/protect.js';
 import { authorize } from './middleware/authorize.js';
 import { permit } from './middleware/permit.js';
 import { createAuthRouter } from './middleware/router.js';
+import { createErrorHandler } from './middleware/errorHandler.js';
 /**
  * Create a fully configured auth client for your application.
  *
@@ -30,6 +31,7 @@ export function createAuth(config) {
     return {
         protect: () => protect(config),
         authorize: (...roles) => authorize(...roles),
+        permit: (optionsOrCheck) => permit(optionsOrCheck),
         hashPassword: (plain) => hashPassword(plain, resolved.saltRounds),
         verifyPassword: (plain, hash) => verifyPassword(plain, hash),
         signAccessToken: (payload) => signAccessToken(payload, config),
@@ -37,7 +39,7 @@ export function createAuth(config) {
         verifyAccessToken: (token) => verifyAccessToken(token, config),
         verifyRefreshToken: (token) => verifyRefreshToken(token, config),
         router: () => createAuthRouter(config),
-        permit: (optionsOrCheck) => permit(optionsOrCheck),
+        errorHandler: (options) => createErrorHandler(options),
     };
 }
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAgH1D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;KACvF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAsJlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;QACtF,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC;KACvD,CAAC;AACJ,CAAC"}

package/dist/errors/AuthError.d.ts

@@ -1,40 +1,101 @@
 /**
- * Discriminant codes for {@link AuthError}.
+ * Discriminant codes for built-in {@link AuthError} instances.
  *
  * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
  * - `USER_NOT_FOUND` — an operation required a user that does not exist
- * - `USER_ALREADY_EXISTS` — signup was attempted with an identifier already in the database
+ * - `USER_ALREADY_EXISTS` — registration was attempted with an identifier already in the database
  * - `TOKEN_EXPIRED` — the JWT was valid but its `exp` claim is in the past
  * - `TOKEN_INVALID` — the JWT could not be verified (bad signature, malformed, wrong type)
  * - `FORBIDDEN` — the user is authenticated but lacks the required role
- * - `UNAUTHORIZED` — no valid access token was present on the request
+ * - `UNAUTHORIZED` — no valid access token was present on the request, or the session was revoked
  * - `INVALID_ROLE` — a role name was used that is not in `validRoles`
  * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
  * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
+ *
+ * When you extend {@link AuthError} for your own error types you can use any
+ * string as `code` — it does not need to be one of these built-in values.
  */
 export type AuthErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
 /**
- * Error class thrown by the library for all authentication and authorization failures.
- *
- * Carries a machine-readable `code` that lets you distinguish error types without
- * string-matching on the message:
- *
- * @example
- * import { AuthError } from 'rizzzdev-auth';
- *
- * app.use((err, req, res, next) => {
- *   if (err instanceof AuthError) {
- *     const status = err.code === 'UNAUTHORIZED' ? 401
- *       : err.code === 'FORBIDDEN' ? 403
- *       : 400;
- *     res.status(status).json({ error: err.code, message: err.message });
- *   } else {
- *     next(err);
+ * Default HTTP status codes for built-in error codes.
+ * Custom codes that are not in this map default to 500.
+ *
+ * @internal
+ */
+export declare const AUTH_ERROR_STATUS: Record<string, number>;
+/**
+ * Base error class for all authentication and authorization failures.
+ *
+ * Every error thrown by sentri is an instance of `AuthError`. The `code`
+ * property is a machine-readable string that lets you distinguish error
+ * types without string-matching on the message. Built-in codes are listed
+ * in {@link AuthErrorCode}; custom subclasses may use any string.
+ *
+ * The `statusCode` property holds the HTTP status that the built-in router
+ * and `createErrorHandler()` will use in the response. For built-in codes
+ * it is derived automatically. Pass it explicitly when subclassing with a
+ * custom code.
+ *
+ * ---
+ *
+ * **Extending AuthError**
+ *
+ * You can create application-specific error classes by extending `AuthError`.
+ * Any subclass will be caught automatically by `createErrorHandler()` because
+ * `instanceof AuthError` is `true` for all subclasses.
+ *
+ * ```typescript
+ * import { AuthError } from 'sentri';
+ *
+ * // Domain error with a custom code and explicit HTTP status
+ * export class PaymentError extends AuthError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
  *   }
+ * }
+ *
+ * // Throw it anywhere in your routes — createErrorHandler() catches it
+ * router.post('/checkout', auth.protect(), async (req, res) => {
+ *   const ok = await chargeCard(req.body.cardToken);
+ *   if (!ok) throw new PaymentError('Card declined');
+ *   res.json({ success: true });
  * });
+ * ```
+ *
+ * ---
+ *
+ * **Error handling in custom routes**
+ *
+ * ```typescript
+ * import { AuthError, createErrorHandler } from 'sentri';
+ *
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Mount after all routes — catches AuthError from sentri AND your subclasses
+ * app.use(createErrorHandler());
+ * ```
  */
 export declare class AuthError extends Error {
-    readonly code: AuthErrorCode;
-    constructor(code: AuthErrorCode, message: string);
+    /**
+     * Machine-readable error code.
+     * Built-in codes are defined by {@link AuthErrorCode}.
+     * Custom subclasses may use any string.
+     */
+    readonly code: string;
+    /**
+     * HTTP status code associated with this error.
+     * Derived automatically for built-in codes; pass it explicitly when
+     * subclassing with a custom `code`.
+     */
+    readonly statusCode: number;
+    /**
+     * @param code - Machine-readable error code. Use a built-in {@link AuthErrorCode}
+     *   or any string for custom subclasses.
+     * @param message - Human-readable description of the error.
+     * @param statusCode - HTTP status to use in the response. For built-in codes
+     *   this is derived automatically; for custom codes it defaults to `500`.
+     */
+    constructor(code: AuthErrorCode | (string & {}), message: string, statusCode?: number);
 }
 //# sourceMappingURL=AuthError.d.ts.map

package/dist/errors/AuthError.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAgB,IAAI,EAAE,aAAa,CAAC;gBAExB,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CAKjD"}
+{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAWpD,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC;;;;OAIG;IACH,SAAgB,IAAI,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,SAAgB,UAAU,EAAE,MAAM,CAAC;IAEnC;;;;;;OAMG;gBAED,IAAI,EAAE,aAAa,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,EACnC,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM;CAOtB"}

package/dist/errors/AuthError.js

@@ -1,29 +1,99 @@
 /**
- * Error class thrown by the library for all authentication and authorization failures.
- *
- * Carries a machine-readable `code` that lets you distinguish error types without
- * string-matching on the message:
- *
- * @example
- * import { AuthError } from 'rizzzdev-auth';
- *
- * app.use((err, req, res, next) => {
- *   if (err instanceof AuthError) {
- *     const status = err.code === 'UNAUTHORIZED' ? 401
- *       : err.code === 'FORBIDDEN' ? 403
- *       : 400;
- *     res.status(status).json({ error: err.code, message: err.message });
- *   } else {
- *     next(err);
+ * Default HTTP status codes for built-in error codes.
+ * Custom codes that are not in this map default to 500.
+ *
+ * @internal
+ */
+export const AUTH_ERROR_STATUS = {
+    UNAUTHORIZED: 401,
+    TOKEN_EXPIRED: 401,
+    TOKEN_INVALID: 401,
+    INVALID_CREDENTIALS: 401,
+    FORBIDDEN: 403,
+    USER_NOT_FOUND: 404,
+    USER_ALREADY_EXISTS: 409,
+    INVALID_ROLE: 400,
+    VALIDATION_ERROR: 400,
+    CONFIGURATION_ERROR: 500,
+};
+/**
+ * Base error class for all authentication and authorization failures.
+ *
+ * Every error thrown by sentri is an instance of `AuthError`. The `code`
+ * property is a machine-readable string that lets you distinguish error
+ * types without string-matching on the message. Built-in codes are listed
+ * in {@link AuthErrorCode}; custom subclasses may use any string.
+ *
+ * The `statusCode` property holds the HTTP status that the built-in router
+ * and `createErrorHandler()` will use in the response. For built-in codes
+ * it is derived automatically. Pass it explicitly when subclassing with a
+ * custom code.
+ *
+ * ---
+ *
+ * **Extending AuthError**
+ *
+ * You can create application-specific error classes by extending `AuthError`.
+ * Any subclass will be caught automatically by `createErrorHandler()` because
+ * `instanceof AuthError` is `true` for all subclasses.
+ *
+ * ```typescript
+ * import { AuthError } from 'sentri';
+ *
+ * // Domain error with a custom code and explicit HTTP status
+ * export class PaymentError extends AuthError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
  *   }
+ * }
+ *
+ * // Throw it anywhere in your routes — createErrorHandler() catches it
+ * router.post('/checkout', auth.protect(), async (req, res) => {
+ *   const ok = await chargeCard(req.body.cardToken);
+ *   if (!ok) throw new PaymentError('Card declined');
+ *   res.json({ success: true });
  * });
+ * ```
+ *
+ * ---
+ *
+ * **Error handling in custom routes**
+ *
+ * ```typescript
+ * import { AuthError, createErrorHandler } from 'sentri';
+ *
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Mount after all routes — catches AuthError from sentri AND your subclasses
+ * app.use(createErrorHandler());
+ * ```
  */
 export class AuthError extends Error {
+    /**
+     * Machine-readable error code.
+     * Built-in codes are defined by {@link AuthErrorCode}.
+     * Custom subclasses may use any string.
+     */
     code;
-    constructor(code, message) {
+    /**
+     * HTTP status code associated with this error.
+     * Derived automatically for built-in codes; pass it explicitly when
+     * subclassing with a custom `code`.
+     */
+    statusCode;
+    /**
+     * @param code - Machine-readable error code. Use a built-in {@link AuthErrorCode}
+     *   or any string for custom subclasses.
+     * @param message - Human-readable description of the error.
+     * @param statusCode - HTTP status to use in the response. For built-in codes
+     *   this is derived automatically; for custom codes it defaults to `500`.
+     */
+    constructor(code, message, statusCode) {
         super(message);
         this.name = 'AuthError';
         this.code = code;
+        this.statusCode = statusCode ?? AUTH_ERROR_STATUS[code] ?? 500;
     }
 }
 //# sourceMappingURL=AuthError.js.map

package/dist/errors/AuthError.js.map

@@ -1 +1 @@
-{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA0BA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClB,IAAI,CAAgB;IAEpC,YAAY,IAAmB,EAAE,OAAe;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF"}
+{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA6BA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,YAAY,EAAE,GAAG;IACjB,aAAa,EAAE,GAAG;IAClB,aAAa,EAAE,GAAG;IAClB,mBAAmB,EAAE,GAAG;IACxB,SAAS,EAAE,GAAG;IACd,cAAc,EAAE,GAAG;IACnB,mBAAmB,EAAE,GAAG;IACxB,YAAY,EAAE,GAAG;IACjB,gBAAgB,EAAE,GAAG;IACrB,mBAAmB,EAAE,GAAG;CACzB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC;;;;OAIG;IACa,IAAI,CAAS;IAE7B;;;;OAIG;IACa,UAAU,CAAS;IAEnC;;;;;;OAMG;IACH,YACE,IAAmC,EACnC,OAAe,EACf,UAAmB;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;CACF"}

package/dist/index.d.ts

@@ -9,7 +9,9 @@ declare global {
 export type { AuthConfig, CookieConfig, AuthUser, ApiResponse, AuthAdapter, UserRecord, SessionRecord, CreateUserData, RouterHandlers, SignupInput, LoginInput, SignupResult, AuthResult, RefreshResult, AssignRolesResult, } from './types/auth.js';
 export type { AuthErrorCode } from './errors/AuthError.js';
 export type { AuthClient } from './client.js';
-export { AuthError } from './errors/AuthError.js';
+export type { ErrorHandlerOptions } from './middleware/errorHandler.js';
+export { AuthError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
 export { createAuth } from './client.js';
+export { createErrorHandler } from './middleware/errorHandler.js';
 export type { PermitCheck, PermitOptions } from './middleware/permit.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAExE,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}