sentri 1.1.2 → 2.0.0

package/dist/errors/AuthError.js

@@ -1,97 +0,0 @@
-/**
- * Default HTTP status codes for built-in error codes.
- * Custom codes that are not in this map default to 500.
- *
- * @internal
- */
-export const AUTH_ERROR_STATUS = {
-    UNAUTHORIZED: 401,
-    TOKEN_EXPIRED: 401,
-    TOKEN_INVALID: 401,
-    INVALID_CREDENTIALS: 401,
-    FORBIDDEN: 403,
-    USER_NOT_FOUND: 404,
-    USER_ALREADY_EXISTS: 409,
-    INVALID_ROLE: 400,
-    VALIDATION_ERROR: 400,
-    CONFIGURATION_ERROR: 500,
-};
-/**
- * Base error class for all authentication and authorization failures in sentri.
- *
- * Every error thrown by sentri is an instance of `SentriError`. The `code`
- * property is a machine-readable string that lets you distinguish error
- * types without string-matching on the message. Built-in codes are listed
- * in {@link SentriErrorCode}; custom subclasses may use any string.
- *
- * The `statusCode` property holds the HTTP status that the built-in router
- * and `auth.errorHandler()` will use in the response. For built-in codes
- * it is derived automatically. Pass it explicitly when subclassing with a
- * custom code.
- *
- * ---
- *
- * **Extending SentriError**
- *
- * You can create application-specific error classes by extending `SentriError`.
- * Any subclass will be caught automatically by `auth.errorHandler()` because
- * `instanceof SentriError` is `true` for all subclasses.
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Domain error with a custom code and explicit HTTP status
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // Throw it anywhere in your routes — auth.errorHandler() catches it
- * router.post('/checkout', auth.protect(), async (req, res) => {
- *   const ok = await chargeCard(req.body.cardToken);
- *   if (!ok) throw new PaymentError('Card declined');
- *   res.json({ success: true });
- * });
- * ```
- *
- * ---
- *
- * **Error handling in custom routes**
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Mount after all routes — catches SentriError from sentri AND your subclasses
- * app.use(auth.errorHandler());
- * ```
- */
-export class SentriError extends Error {
-    /**
-     * Machine-readable error code.
-     * Built-in codes are defined by {@link SentriErrorCode}.
-     * Custom subclasses may use any string.
-     */
-    code;
-    /**
-     * HTTP status code associated with this error.
-     * Derived automatically for built-in codes; pass it explicitly when
-     * subclassing with a custom `code`.
-     */
-    statusCode;
-    /**
-     * @param code - Machine-readable error code. Use a built-in {@link SentriErrorCode}
-     *   or any string for custom subclasses.
-     * @param message - Human-readable description of the error.
-     * @param statusCode - HTTP status to use in the response. For built-in codes
-     *   this is derived automatically; for custom codes it defaults to `500`.
-     */
-    constructor(code, message, statusCode) {
-        super(message);
-        this.name = 'SentriError';
-        this.code = code;
-        this.statusCode = statusCode ?? AUTH_ERROR_STATUS[code] ?? 500;
-    }
-}
-//# sourceMappingURL=AuthError.js.map

package/dist/errors/AuthError.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA6BA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,YAAY,EAAE,GAAG;IACjB,aAAa,EAAE,GAAG;IAClB,aAAa,EAAE,GAAG;IAClB,mBAAmB,EAAE,GAAG;IACxB,SAAS,EAAE,GAAG;IACd,cAAc,EAAE,GAAG;IACnB,mBAAmB,EAAE,GAAG;IACxB,YAAY,EAAE,GAAG;IACjB,gBAAgB,EAAE,GAAG;IACrB,mBAAmB,EAAE,GAAG;CACzB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC;;;;OAIG;IACa,IAAI,CAAS;IAE7B;;;;OAIG;IACa,UAAU,CAAS;IAEnC;;;;;;OAMG;IACH,YACE,IAAqC,EACrC,OAAe,EACf,UAAmB;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;QAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;CACF"}

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAGhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAExE,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAgCA,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/libs/config.d.ts

@@ -1,62 +0,0 @@
-import type { AuthAdapter, AuthConfig } from '../types/auth.js';
-/**
- * Fully-resolved configuration with all optional fields filled in by
- * their defaults. Produced by {@link resolveConfig} and used internally
- * wherever the library needs guaranteed values.
- */
-export interface ResolvedConfig {
-    secret: string;
-    accessExpiresIn: string | number;
-    refreshExpiresIn: string | number;
-    algorithm: 'HS256' | 'HS384' | 'HS512';
-    saltRounds: number;
-    validRoles: readonly string[];
-    adapter: AuthAdapter;
-}
-/**
- * Validate configuration at startup so misconfiguration is caught immediately,
- * not at the first login attempt.
- *
- * Throws {@link SentriError} with code `CONFIGURATION_ERROR` for any of:
- * - `secret` missing or shorter than 32 characters
- * - `saltRounds` outside the range 10–31
- * - `validRoles` is empty or missing
- * - `adapter` is missing
- *
- * @param config - The raw config passed to {@link createAuth}.
- * @throws {SentriError} With code `CONFIGURATION_ERROR` on any invalid field.
- */
-export declare function validateConfig(config: AuthConfig): void;
-/**
- * Merge a partial {@link AuthConfig} with library defaults and return a
- * fully-resolved configuration object.
- *
- * Does **not** validate the config — call {@link validateConfig} first.
- *
- * Defaults applied:
- * - `accessExpiresIn` → `'15m'`
- * - `refreshExpiresIn` → `'7d'`
- * - `algorithm` → `'HS256'`
- * - `saltRounds` → `12`
- *
- * @param partial - The raw config passed to {@link createAuth}.
- * @returns A {@link ResolvedConfig} with every field guaranteed to be present.
- */
-export declare function resolveConfig(partial: AuthConfig): ResolvedConfig;
-/**
- * Convert a duration string or a number of seconds into milliseconds.
- *
- * Supported unit suffixes: `s` (seconds), `m` (minutes), `h` (hours),
- * `d` (days), `w` (weeks). Numeric inputs are treated as seconds.
- *
- * @example
- * parseExpiry('15m')  // 900_000
- * parseExpiry('7d')   // 604_800_000
- * parseExpiry(60)     // 60_000
- *
- * @param expiresIn - A duration string (e.g. `'15m'`, `'7d'`) or a number of seconds.
- * @returns The equivalent duration in milliseconds.
- * @throws {Error} If the string format is unrecognised.
- */
-export declare function parseExpiry(expiresIn: string | number): number;
-//# sourceMappingURL=config.d.ts.map

package/dist/libs/config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEhE;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,SAAS,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,OAAO,EAAE,WAAW,CAAC;CACtB;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CA0BvD;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,cAAc,CAUjE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAkB9D"}

package/dist/libs/config.js

@@ -1,97 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-const MIN_SECRET_LENGTH = 32;
-const MIN_SALT_ROUNDS = 10;
-const MAX_SALT_ROUNDS = 31;
-/**
- * Validate configuration at startup so misconfiguration is caught immediately,
- * not at the first login attempt.
- *
- * Throws {@link SentriError} with code `CONFIGURATION_ERROR` for any of:
- * - `secret` missing or shorter than 32 characters
- * - `saltRounds` outside the range 10–31
- * - `validRoles` is empty or missing
- * - `adapter` is missing
- *
- * @param config - The raw config passed to {@link createAuth}.
- * @throws {SentriError} With code `CONFIGURATION_ERROR` on any invalid field.
- */
-export function validateConfig(config) {
-    if (!config.secret || config.secret.trim().length === 0) {
-        throw new SentriError('CONFIGURATION_ERROR', 'secret must not be empty');
-    }
-    if (config.secret.length < MIN_SECRET_LENGTH) {
-        throw new SentriError('CONFIGURATION_ERROR', `secret must be at least ${MIN_SECRET_LENGTH} characters to be cryptographically safe`);
-    }
-    const saltRounds = config.saltRounds ?? 12;
-    if (!Number.isInteger(saltRounds) || saltRounds < MIN_SALT_ROUNDS || saltRounds > MAX_SALT_ROUNDS) {
-        throw new SentriError('CONFIGURATION_ERROR', `saltRounds must be an integer between ${MIN_SALT_ROUNDS} and ${MAX_SALT_ROUNDS}`);
-    }
-    if (!config.validRoles || config.validRoles.length === 0) {
-        throw new SentriError('CONFIGURATION_ERROR', 'validRoles must contain at least one role');
-    }
-    if (!config.adapter) {
-        throw new SentriError('CONFIGURATION_ERROR', 'adapter is required');
-    }
-}
-/**
- * Merge a partial {@link AuthConfig} with library defaults and return a
- * fully-resolved configuration object.
- *
- * Does **not** validate the config — call {@link validateConfig} first.
- *
- * Defaults applied:
- * - `accessExpiresIn` → `'15m'`
- * - `refreshExpiresIn` → `'7d'`
- * - `algorithm` → `'HS256'`
- * - `saltRounds` → `12`
- *
- * @param partial - The raw config passed to {@link createAuth}.
- * @returns A {@link ResolvedConfig} with every field guaranteed to be present.
- */
-export function resolveConfig(partial) {
-    return {
-        secret: partial.secret,
-        accessExpiresIn: partial.accessExpiresIn ?? '15m',
-        refreshExpiresIn: partial.refreshExpiresIn ?? '7d',
-        algorithm: partial.algorithm ?? 'HS256',
-        saltRounds: partial.saltRounds ?? 12,
-        validRoles: partial.validRoles,
-        adapter: partial.adapter,
-    };
-}
-/**
- * Convert a duration string or a number of seconds into milliseconds.
- *
- * Supported unit suffixes: `s` (seconds), `m` (minutes), `h` (hours),
- * `d` (days), `w` (weeks). Numeric inputs are treated as seconds.
- *
- * @example
- * parseExpiry('15m')  // 900_000
- * parseExpiry('7d')   // 604_800_000
- * parseExpiry(60)     // 60_000
- *
- * @param expiresIn - A duration string (e.g. `'15m'`, `'7d'`) or a number of seconds.
- * @returns The equivalent duration in milliseconds.
- * @throws {Error} If the string format is unrecognised.
- */
-export function parseExpiry(expiresIn) {
-    if (typeof expiresIn === 'number')
-        return expiresIn * 1000;
-    const multipliers = {
-        s: 1_000,
-        m: 60_000,
-        h: 3_600_000,
-        d: 86_400_000,
-        w: 604_800_000,
-    };
-    const match = /^(\d+)([smhdw])$/.exec(expiresIn);
-    if (!match?.[1] || !match?.[2]) {
-        throw new Error(`Invalid expiresIn: "${expiresIn}". Use e.g. "15m", "7d", "1h".`);
-    }
-    const unit = multipliers[match[2]];
-    if (unit === undefined) {
-        throw new Error(`Invalid expiresIn: "${expiresIn}". Use e.g. "15m", "7d", "1h".`);
-    }
-    return parseInt(match[1], 10) * unit;
-}
-//# sourceMappingURL=config.js.map

package/dist/libs/config.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAkBrD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,WAAW,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAC7C,MAAM,IAAI,WAAW,CACnB,qBAAqB,EACrB,2BAA2B,iBAAiB,0CAA0C,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,eAAe,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;QAClG,MAAM,IAAI,WAAW,CACnB,qBAAqB,EACrB,yCAAyC,eAAe,QAAQ,eAAe,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,WAAW,CAAC,qBAAqB,EAAE,2CAA2C,CAAC,CAAC;IAC5F,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,WAAW,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,aAAa,CAAC,OAAmB;IAC/C,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,KAAK;QACjD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,IAAI;QAClD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,EAAE;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,SAA0B;IACpD,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,OAAO,SAAS,GAAG,IAAI,CAAC;IAC3D,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,SAAS;QACZ,CAAC,EAAE,UAAU;QACb,CAAC,EAAE,WAAW;KACf,CAAC;IACF,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;AACvC,CAAC"}

package/dist/libs/hash.d.ts

@@ -1,17 +0,0 @@
-/**
- * Hash a plain-text password using bcrypt.
- *
- * @param plain - The raw password string supplied by the user.
- * @param saltRounds - bcrypt cost factor; higher values increase security at the cost of speed.
- * @returns The bcrypt hash string to persist in the database.
- */
-export declare function hashPassword(plain: string, saltRounds?: number): Promise<string>;
-/**
- * Compare a plain-text password against a stored bcrypt hash.
- *
- * @param plain - The raw password string to verify.
- * @param hash - The stored bcrypt hash from the database.
- * @returns `true` if the password matches the hash, `false` otherwise.
- */
-export declare function verifyPassword(plain: string, hash: string): Promise<boolean>;
-//# sourceMappingURL=hash.d.ts.map

package/dist/libs/hash.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAElF;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAElF"}

package/dist/libs/hash.js

@@ -1,22 +0,0 @@
-import bcrypt from 'bcrypt';
-/**
- * Hash a plain-text password using bcrypt.
- *
- * @param plain - The raw password string supplied by the user.
- * @param saltRounds - bcrypt cost factor; higher values increase security at the cost of speed.
- * @returns The bcrypt hash string to persist in the database.
- */
-export async function hashPassword(plain, saltRounds = 12) {
-    return bcrypt.hash(plain, saltRounds);
-}
-/**
- * Compare a plain-text password against a stored bcrypt hash.
- *
- * @param plain - The raw password string to verify.
- * @param hash - The stored bcrypt hash from the database.
- * @returns `true` if the password matches the hash, `false` otherwise.
- */
-export async function verifyPassword(plain, hash) {
-    return bcrypt.compare(plain, hash);
-}
-//# sourceMappingURL=hash.js.map

package/dist/libs/hash.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,UAAU,GAAG,EAAE;IAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,IAAY;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC"}

package/dist/libs/token.d.ts

@@ -1,46 +0,0 @@
-import type { AccessTokenPayload, AuthConfig, AuthUser } from '../types/auth.js';
-/**
- * Sign a short-lived access token containing the user's identity, roles, and
- * the session ID that `protect()` uses to verify the session is still active.
- *
- * Uses the access-specific secret derived from config and the configured
- * `accessExpiresIn` duration and HMAC algorithm.
- *
- * @param payload - The {@link AccessTokenPayload} to embed (id, identifier, roles, sessionId).
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export declare function signAccessToken(payload: AuthUser | AccessTokenPayload, config: AuthConfig): string;
-/**
- * Sign a long-lived refresh token bound to a specific session ID.
- *
- * Uses the refresh-specific secret derived from config and the configured
- * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
- * so the token can be used to look up and rotate the session.
- *
- * @param sessionId - The database session ID to bind to this token.
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export declare function signRefreshToken(sessionId: string, config: AuthConfig): string;
-/**
- * Verify an access token and return its decoded {@link AuthUser} payload.
- *
- * @param token - Compact JWT access token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Decoded `AuthUser` payload (id, identifier, roles).
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export declare function verifyAccessToken(token: string, config: AuthConfig): AuthUser;
-/**
- * Verify a refresh token and return the embedded session ID.
- *
- * @param token - Compact JWT refresh token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export declare function verifyRefreshToken(token: string, config: AuthConfig): {
-    sessionId: string;
-};
-//# sourceMappingURL=token.d.ts.map

package/dist/libs/token.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAqEjF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,QAAQ,GAAG,kBAAkB,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAIlG;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI9E;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,CAI7E;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAI3F"}

package/dist/libs/token.js

@@ -1,118 +0,0 @@
-import jwt, {} from 'jsonwebtoken';
-import { SentriError } from '../errors/AuthError.js';
-import { resolveConfig } from './config.js';
-/**
- * Derive separate HMAC secrets for access and refresh tokens from a single
- * root secret by appending a domain suffix.
- *
- * Using distinct secrets prevents a refresh token from being accepted as an
- * access token and vice versa.
- */
-function deriveSecrets(secret) {
-    return {
-        access: `${secret}:access`,
-        refresh: `${secret}:refresh`,
-    };
-}
-/**
- * Sign a JWT payload with the given secret and options.
- *
- * @param payload - Claims to embed in the token.
- * @param secret - HMAC signing key.
- * @param expiresIn - Expiry duration string (e.g. `'15m'`) or seconds.
- * @param algorithm - HMAC algorithm variant.
- * @returns Compact JWT string.
- */
-function sign(payload, secret, expiresIn, algorithm) {
-    const options = {
-        expiresIn: expiresIn,
-        algorithm,
-    };
-    return jwt.sign(payload, secret, options);
-}
-/**
- * Verify and decode a JWT, mapping jsonwebtoken errors to typed {@link SentriError}s.
- *
- * @param token - Compact JWT string to verify.
- * @param secret - HMAC key used to sign the token.
- * @param algorithm - Expected signing algorithm.
- * @returns Decoded payload cast to `T`.
- * @throws {SentriError} With `TOKEN_EXPIRED` if the token's `exp` claim is in the past.
- * @throws {SentriError} With `TOKEN_INVALID` for any other verification failure.
- */
-function verify(token, secret, algorithm) {
-    try {
-        const decoded = jwt.verify(token, secret, { algorithms: [algorithm] });
-        if (typeof decoded === 'string' || decoded === null) {
-            throw new SentriError('TOKEN_INVALID', 'Token payload is not an object');
-        }
-        return decoded;
-    }
-    catch (err) {
-        if (err instanceof SentriError)
-            throw err;
-        if (err instanceof jwt.TokenExpiredError) {
-            throw new SentriError('TOKEN_EXPIRED', 'Token has expired');
-        }
-        throw new SentriError('TOKEN_INVALID', 'Token is invalid or malformed');
-    }
-}
-/**
- * Sign a short-lived access token containing the user's identity, roles, and
- * the session ID that `protect()` uses to verify the session is still active.
- *
- * Uses the access-specific secret derived from config and the configured
- * `accessExpiresIn` duration and HMAC algorithm.
- *
- * @param payload - The {@link AccessTokenPayload} to embed (id, identifier, roles, sessionId).
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export function signAccessToken(payload, config) {
-    const resolved = resolveConfig(config);
-    const { access } = deriveSecrets(resolved.secret);
-    return sign(payload, access, resolved.accessExpiresIn, resolved.algorithm);
-}
-/**
- * Sign a long-lived refresh token bound to a specific session ID.
- *
- * Uses the refresh-specific secret derived from config and the configured
- * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
- * so the token can be used to look up and rotate the session.
- *
- * @param sessionId - The database session ID to bind to this token.
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export function signRefreshToken(sessionId, config) {
-    const resolved = resolveConfig(config);
-    const { refresh } = deriveSecrets(resolved.secret);
-    return sign({ sessionId }, refresh, resolved.refreshExpiresIn, resolved.algorithm);
-}
-/**
- * Verify an access token and return its decoded {@link AuthUser} payload.
- *
- * @param token - Compact JWT access token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Decoded `AuthUser` payload (id, identifier, roles).
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export function verifyAccessToken(token, config) {
-    const resolved = resolveConfig(config);
-    const { access } = deriveSecrets(resolved.secret);
-    return verify(token, access, resolved.algorithm);
-}
-/**
- * Verify a refresh token and return the embedded session ID.
- *
- * @param token - Compact JWT refresh token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export function verifyRefreshToken(token, config) {
-    const resolved = resolveConfig(config);
-    const { refresh } = deriveSecrets(resolved.secret);
-    return verify(token, refresh, resolved.algorithm);
-}
-//# sourceMappingURL=token.js.map

package/dist/libs/token.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW;YAAE,MAAM,GAAG,CAAC;QAC1C,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,OAAsC,EAAE,MAAkB;IACxF,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}

package/dist/middleware/authorize.d.ts

@@ -1,18 +0,0 @@
-import type { RequestHandler } from 'express';
-/**
- * Express middleware factory for role-based access control (RBAC).
- *
- * Passes if the authenticated user (set by `protect()`) has **at least one**
- * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
- * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
- *
- * Must be used **after** `protect()`.
- *
- * @param allowedRoles - One or more role strings. The user needs at least one of them.
- * @returns An Express `RequestHandler` that enforces the role check.
- *
- * @example
- * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
- */
-export declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
-//# sourceMappingURL=authorize.d.ts.map

package/dist/middleware/authorize.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}

package/dist/middleware/authorize.js

@@ -1,30 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Express middleware factory for role-based access control (RBAC).
- *
- * Passes if the authenticated user (set by `protect()`) has **at least one**
- * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
- * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
- *
- * Must be used **after** `protect()`.
- *
- * @param allowedRoles - One or more role strings. The user needs at least one of them.
- * @returns An Express `RequestHandler` that enforces the role check.
- *
- * @example
- * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
- */
-export function authorize(...allowedRoles) {
-    return (request, _response, next) => {
-        if (!request.user) {
-            return next(new SentriError('UNAUTHORIZED', 'Not authenticated'));
-        }
-        const userRoles = request.user.roles;
-        const hasRole = allowedRoles.some((role) => userRoles.includes(role));
-        if (!hasRole) {
-            return next(new SentriError('FORBIDDEN', `Requires one of roles: ${allowedRoles.join(', ')}`));
-        }
-        next();
-    };
-}
-//# sourceMappingURL=authorize.js.map

package/dist/middleware/authorize.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QACxD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,WAAW,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAClF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/errorHandler.d.ts

@@ -1,71 +0,0 @@
-import type { ErrorRequestHandler } from 'express';
-/**
- * Options for {@link createErrorHandler}.
- */
-export interface ErrorHandlerOptions {
-    /**
-     * Called for errors that are **not** a `SentriError` instance (or subclass).
-     *
-     * Use this to log unexpected server errors before the generic 500 response
-     * is sent. The error is passed as-is and may be any unknown value.
-     *
-     * @example
-     * app.use(auth.errorHandler({
-     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
-     * }));
-     */
-    onUnhandled?: (error: unknown) => void;
-}
-/**
- * Creates an Express error-handling middleware that formats every `SentriError`
- * (including subclasses) into the standard sentri response envelope:
- *
- * ```json
- * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
- * ```
- *
- * Prefer using `auth.errorHandler()` instead of calling this directly:
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Must come after all route/middleware registrations
- * app.use(auth.errorHandler());
- * ```
- *
- * ---
- *
- * **Works with built-in sentri errors and your own subclasses**
- *
- * Because `instanceof SentriError` matches any subclass, you can define
- * application-specific error types and have them automatically formatted
- * by this handler:
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Extend SentriError for domain-specific failures
- * export class NotFoundError extends SentriError {
- *   constructor(resource: string) {
- *     super('NOT_FOUND', `${resource} not found`, 404);
- *   }
- * }
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // All of the above are caught and formatted by one handler
- * app.use(auth.errorHandler({
- *   onUnhandled: (err) => console.error('Unexpected error:', err),
- * }));
- * ```
- *
- * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
- * @returns An Express `ErrorRequestHandler` (4-argument middleware).
- */
-export declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
-//# sourceMappingURL=errorHandler.d.ts.map

package/dist/middleware/errorHandler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"errorHandler.d.ts","sourceRoot":"","sources":["../../src/middleware/errorHandler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAGnD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;;;OAUG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACxC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAsBrF"}