sentri 1.1.2 → 2.1.0

package/dist/libs/token.d.ts

@@ -1,46 +0,0 @@
-import type { AccessTokenPayload, AuthConfig, AuthUser } from '../types/auth.js';
-/**
- * Sign a short-lived access token containing the user's identity, roles, and
- * the session ID that `protect()` uses to verify the session is still active.
- *
- * Uses the access-specific secret derived from config and the configured
- * `accessExpiresIn` duration and HMAC algorithm.
- *
- * @param payload - The {@link AccessTokenPayload} to embed (id, identifier, roles, sessionId).
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export declare function signAccessToken(payload: AuthUser | AccessTokenPayload, config: AuthConfig): string;
-/**
- * Sign a long-lived refresh token bound to a specific session ID.
- *
- * Uses the refresh-specific secret derived from config and the configured
- * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
- * so the token can be used to look up and rotate the session.
- *
- * @param sessionId - The database session ID to bind to this token.
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export declare function signRefreshToken(sessionId: string, config: AuthConfig): string;
-/**
- * Verify an access token and return its decoded {@link AuthUser} payload.
- *
- * @param token - Compact JWT access token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Decoded `AuthUser` payload (id, identifier, roles).
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export declare function verifyAccessToken(token: string, config: AuthConfig): AuthUser;
-/**
- * Verify a refresh token and return the embedded session ID.
- *
- * @param token - Compact JWT refresh token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export declare function verifyRefreshToken(token: string, config: AuthConfig): {
-    sessionId: string;
-};
-//# sourceMappingURL=token.d.ts.map

package/dist/libs/token.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAqEjF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,QAAQ,GAAG,kBAAkB,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAIlG;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI9E;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,CAI7E;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAI3F"}

package/dist/libs/token.js

@@ -1,118 +0,0 @@
-import jwt, {} from 'jsonwebtoken';
-import { SentriError } from '../errors/AuthError.js';
-import { resolveConfig } from './config.js';
-/**
- * Derive separate HMAC secrets for access and refresh tokens from a single
- * root secret by appending a domain suffix.
- *
- * Using distinct secrets prevents a refresh token from being accepted as an
- * access token and vice versa.
- */
-function deriveSecrets(secret) {
-    return {
-        access: `${secret}:access`,
-        refresh: `${secret}:refresh`,
-    };
-}
-/**
- * Sign a JWT payload with the given secret and options.
- *
- * @param payload - Claims to embed in the token.
- * @param secret - HMAC signing key.
- * @param expiresIn - Expiry duration string (e.g. `'15m'`) or seconds.
- * @param algorithm - HMAC algorithm variant.
- * @returns Compact JWT string.
- */
-function sign(payload, secret, expiresIn, algorithm) {
-    const options = {
-        expiresIn: expiresIn,
-        algorithm,
-    };
-    return jwt.sign(payload, secret, options);
-}
-/**
- * Verify and decode a JWT, mapping jsonwebtoken errors to typed {@link SentriError}s.
- *
- * @param token - Compact JWT string to verify.
- * @param secret - HMAC key used to sign the token.
- * @param algorithm - Expected signing algorithm.
- * @returns Decoded payload cast to `T`.
- * @throws {SentriError} With `TOKEN_EXPIRED` if the token's `exp` claim is in the past.
- * @throws {SentriError} With `TOKEN_INVALID` for any other verification failure.
- */
-function verify(token, secret, algorithm) {
-    try {
-        const decoded = jwt.verify(token, secret, { algorithms: [algorithm] });
-        if (typeof decoded === 'string' || decoded === null) {
-            throw new SentriError('TOKEN_INVALID', 'Token payload is not an object');
-        }
-        return decoded;
-    }
-    catch (err) {
-        if (err instanceof SentriError)
-            throw err;
-        if (err instanceof jwt.TokenExpiredError) {
-            throw new SentriError('TOKEN_EXPIRED', 'Token has expired');
-        }
-        throw new SentriError('TOKEN_INVALID', 'Token is invalid or malformed');
-    }
-}
-/**
- * Sign a short-lived access token containing the user's identity, roles, and
- * the session ID that `protect()` uses to verify the session is still active.
- *
- * Uses the access-specific secret derived from config and the configured
- * `accessExpiresIn` duration and HMAC algorithm.
- *
- * @param payload - The {@link AccessTokenPayload} to embed (id, identifier, roles, sessionId).
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export function signAccessToken(payload, config) {
-    const resolved = resolveConfig(config);
-    const { access } = deriveSecrets(resolved.secret);
-    return sign(payload, access, resolved.accessExpiresIn, resolved.algorithm);
-}
-/**
- * Sign a long-lived refresh token bound to a specific session ID.
- *
- * Uses the refresh-specific secret derived from config and the configured
- * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
- * so the token can be used to look up and rotate the session.
- *
- * @param sessionId - The database session ID to bind to this token.
- * @param config - Auth configuration used to derive the secret and options.
- * @returns Compact JWT string.
- */
-export function signRefreshToken(sessionId, config) {
-    const resolved = resolveConfig(config);
-    const { refresh } = deriveSecrets(resolved.secret);
-    return sign({ sessionId }, refresh, resolved.refreshExpiresIn, resolved.algorithm);
-}
-/**
- * Verify an access token and return its decoded {@link AuthUser} payload.
- *
- * @param token - Compact JWT access token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Decoded `AuthUser` payload (id, identifier, roles).
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export function verifyAccessToken(token, config) {
-    const resolved = resolveConfig(config);
-    const { access } = deriveSecrets(resolved.secret);
-    return verify(token, access, resolved.algorithm);
-}
-/**
- * Verify a refresh token and return the embedded session ID.
- *
- * @param token - Compact JWT refresh token string.
- * @param config - Auth configuration used to derive the secret and algorithm.
- * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
- * @throws {SentriError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
- */
-export function verifyRefreshToken(token, config) {
-    const resolved = resolveConfig(config);
-    const { refresh } = deriveSecrets(resolved.secret);
-    return verify(token, refresh, resolved.algorithm);
-}
-//# sourceMappingURL=token.js.map

package/dist/libs/token.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAoB,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,SAAS;QAC1B,OAAO,EAAE,GAAG,MAAM,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,IAAI,CACX,OAAe,EACf,MAAc,EACd,SAA0B,EAC1B,SAAsC;IAEtC,MAAM,OAAO,GAAgB;QAC3B,SAAS,EAAE,SAAyD;QACpE,SAAS;KACV,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,MAAM,CACb,KAAa,EACb,MAAc,EACd,SAAsC;IAEtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW;YAAE,MAAM,GAAG,CAAC;QAC1C,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,OAAsC,EAAE,MAAkB;IACxF,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,MAAkB;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,MAAkB;IACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,CAAW,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAwB,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC3E,CAAC"}

package/dist/middleware/authorize.d.ts

@@ -1,18 +0,0 @@
-import type { RequestHandler } from 'express';
-/**
- * Express middleware factory for role-based access control (RBAC).
- *
- * Passes if the authenticated user (set by `protect()`) has **at least one**
- * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
- * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
- *
- * Must be used **after** `protect()`.
- *
- * @param allowedRoles - One or more role strings. The user needs at least one of them.
- * @returns An Express `RequestHandler` that enforces the role check.
- *
- * @example
- * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
- */
-export declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
-//# sourceMappingURL=authorize.d.ts.map

package/dist/middleware/authorize.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,SAAS,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,GAAG,cAAc,CAcxF"}

package/dist/middleware/authorize.js

@@ -1,30 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Express middleware factory for role-based access control (RBAC).
- *
- * Passes if the authenticated user (set by `protect()`) has **at least one**
- * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
- * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
- *
- * Must be used **after** `protect()`.
- *
- * @param allowedRoles - One or more role strings. The user needs at least one of them.
- * @returns An Express `RequestHandler` that enforces the role check.
- *
- * @example
- * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
- */
-export function authorize(...allowedRoles) {
-    return (request, _response, next) => {
-        if (!request.user) {
-            return next(new SentriError('UNAUTHORIZED', 'Not authenticated'));
-        }
-        const userRoles = request.user.roles;
-        const hasRole = allowedRoles.some((role) => userRoles.includes(role));
-        if (!hasRole) {
-            return next(new SentriError('FORBIDDEN', `Requires one of roles: ${allowedRoles.join(', ')}`));
-        }
-        next();
-    };
-}
-//# sourceMappingURL=authorize.js.map

package/dist/middleware/authorize.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/middleware/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAuB,GAAG,YAAqB;IACtE,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QACxD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CACT,IAAI,WAAW,CAAC,WAAW,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAClF,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/errorHandler.d.ts

@@ -1,71 +0,0 @@
-import type { ErrorRequestHandler } from 'express';
-/**
- * Options for {@link createErrorHandler}.
- */
-export interface ErrorHandlerOptions {
-    /**
-     * Called for errors that are **not** a `SentriError` instance (or subclass).
-     *
-     * Use this to log unexpected server errors before the generic 500 response
-     * is sent. The error is passed as-is and may be any unknown value.
-     *
-     * @example
-     * app.use(auth.errorHandler({
-     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
-     * }));
-     */
-    onUnhandled?: (error: unknown) => void;
-}
-/**
- * Creates an Express error-handling middleware that formats every `SentriError`
- * (including subclasses) into the standard sentri response envelope:
- *
- * ```json
- * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
- * ```
- *
- * Prefer using `auth.errorHandler()` instead of calling this directly:
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Must come after all route/middleware registrations
- * app.use(auth.errorHandler());
- * ```
- *
- * ---
- *
- * **Works with built-in sentri errors and your own subclasses**
- *
- * Because `instanceof SentriError` matches any subclass, you can define
- * application-specific error types and have them automatically formatted
- * by this handler:
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Extend SentriError for domain-specific failures
- * export class NotFoundError extends SentriError {
- *   constructor(resource: string) {
- *     super('NOT_FOUND', `${resource} not found`, 404);
- *   }
- * }
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // All of the above are caught and formatted by one handler
- * app.use(auth.errorHandler({
- *   onUnhandled: (err) => console.error('Unexpected error:', err),
- * }));
- * ```
- *
- * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
- * @returns An Express `ErrorRequestHandler` (4-argument middleware).
- */
-export declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
-//# sourceMappingURL=errorHandler.d.ts.map

package/dist/middleware/errorHandler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"errorHandler.d.ts","sourceRoot":"","sources":["../../src/middleware/errorHandler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAGnD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;;;OAUG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACxC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAsBrF"}

package/dist/middleware/errorHandler.js

@@ -1,74 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Creates an Express error-handling middleware that formats every `SentriError`
- * (including subclasses) into the standard sentri response envelope:
- *
- * ```json
- * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
- * ```
- *
- * Prefer using `auth.errorHandler()` instead of calling this directly:
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Must come after all route/middleware registrations
- * app.use(auth.errorHandler());
- * ```
- *
- * ---
- *
- * **Works with built-in sentri errors and your own subclasses**
- *
- * Because `instanceof SentriError` matches any subclass, you can define
- * application-specific error types and have them automatically formatted
- * by this handler:
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Extend SentriError for domain-specific failures
- * export class NotFoundError extends SentriError {
- *   constructor(resource: string) {
- *     super('NOT_FOUND', `${resource} not found`, 404);
- *   }
- * }
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // All of the above are caught and formatted by one handler
- * app.use(auth.errorHandler({
- *   onUnhandled: (err) => console.error('Unexpected error:', err),
- * }));
- * ```
- *
- * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
- * @returns An Express `ErrorRequestHandler` (4-argument middleware).
- */
-export function createErrorHandler(options) {
-    return (err, _req, res, _next) => {
-        if (err instanceof SentriError) {
-            res.status(err.statusCode).json({
-                error: true,
-                statusCode: err.statusCode,
-                code: err.code,
-                message: err.message,
-                data: null,
-            });
-            return;
-        }
-        options?.onUnhandled?.(err);
-        res.status(500).json({
-            error: true,
-            statusCode: 500,
-            message: 'Internal server error',
-            data: null,
-        });
-    };
-}
-//# sourceMappingURL=errorHandler.js.map

package/dist/middleware/errorHandler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"errorHandler.js","sourceRoot":"","sources":["../../src/middleware/errorHandler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAoBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAA6B;IAC9D,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAC/B,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;gBAC9B,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;QAE5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,IAAI;YACX,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,uBAAuB;YAChC,IAAI,EAAE,IAAI;SACX,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/permit.d.ts

@@ -1,62 +0,0 @@
-import type { Request, RequestHandler } from 'express';
-/** A function that determines whether the current request is permitted. */
-export type PermitCheck = (request: Request) => boolean | Promise<boolean>;
-/**
- * Options for {@link permit} when you need role-bypass alongside a resource check.
- *
- * @example
- * // Admins can edit any post; others only their own
- * auth.permit({
- *   roles: ['admin'],
- *   check: async (request) => {
- *     const post = await db.findPost(request.params['id']);
- *     return post?.authorId === request.user!.id;
- *   },
- * })
- */
-export interface PermitOptions<TRole extends string> {
-    /**
-     * Roles whose members are granted access without running `check`.
-     * Use for privileged roles like `'admin'` that should bypass ownership checks.
-     */
-    roles?: TRole[];
-    /**
-     * Permission check executed when the user has none of the bypass `roles`.
-     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
-     * May be async — useful for database-backed ownership checks.
-     */
-    check: PermitCheck;
-}
-/**
- * Express middleware factory for resource-level permission checks.
- *
- * Must be used **after** `protect()`. Evaluates a check function against the
- * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
- *
- * Accepts either a bare check function or an options object with an optional
- * `roles` list whose members bypass the check entirely.
- *
- * @example
- * // Simple ownership check
- * router.put('/users/:id',
- *   auth.protect(),
- *   auth.permit((request) => request.user!.id === request.params['id']),
- *   updateUserHandler,
- * );
- *
- * @example
- * // Admins bypass the check; others must own the post
- * router.delete('/posts/:id',
- *   auth.protect(),
- *   auth.permit({
- *     roles: ['admin'],
- *     check: async (request) => {
- *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
- *       return post?.authorId === request.user!.id;
- *     },
- *   }),
- *   deletePostHandler,
- * );
- */
-export declare function permit<TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck): RequestHandler;
-//# sourceMappingURL=permit.d.ts.map

package/dist/middleware/permit.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit.d.ts","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGvD,2EAA2E;AAC3E,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE3E;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM;IACjD;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;IAChB;;;;OAIG;IACH,KAAK,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,MAAM,CAAC,KAAK,SAAS,MAAM,EACzC,cAAc,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,WAAW,GACjD,cAAc,CA4BhB"}

package/dist/middleware/permit.js

@@ -1,61 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Express middleware factory for resource-level permission checks.
- *
- * Must be used **after** `protect()`. Evaluates a check function against the
- * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
- *
- * Accepts either a bare check function or an options object with an optional
- * `roles` list whose members bypass the check entirely.
- *
- * @example
- * // Simple ownership check
- * router.put('/users/:id',
- *   auth.protect(),
- *   auth.permit((request) => request.user!.id === request.params['id']),
- *   updateUserHandler,
- * );
- *
- * @example
- * // Admins bypass the check; others must own the post
- * router.delete('/posts/:id',
- *   auth.protect(),
- *   auth.permit({
- *     roles: ['admin'],
- *     check: async (request) => {
- *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
- *       return post?.authorId === request.user!.id;
- *     },
- *   }),
- *   deletePostHandler,
- * );
- */
-export function permit(optionsOrCheck) {
-    const options = typeof optionsOrCheck === 'function'
-        ? { check: optionsOrCheck }
-        : optionsOrCheck;
-    return async (request, _response, next) => {
-        if (!request.user) {
-            return next(new SentriError('UNAUTHORIZED', 'Not authenticated'));
-        }
-        if (options.roles && options.roles.length > 0) {
-            const userRoles = request.user.roles;
-            const hasBypassRole = options.roles.some((role) => userRoles.includes(role));
-            if (hasBypassRole)
-                return next();
-        }
-        try {
-            const allowed = await options.check(request);
-            if (allowed) {
-                next();
-            }
-            else {
-                next(new SentriError('FORBIDDEN', 'You do not have permission to perform this action'));
-            }
-        }
-        catch (error) {
-            next(error);
-        }
-    };
-}
-//# sourceMappingURL=permit.js.map

package/dist/middleware/permit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit.js","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAgCrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,MAAM,CACpB,cAAkD;IAElD,MAAM,OAAO,GACX,OAAO,cAAc,KAAK,UAAU;QAClC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3B,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QACxC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;YACxD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7E,IAAI,aAAa;gBAAE,OAAO,IAAI,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,WAAW,CAAC,WAAW,EAAE,mDAAmD,CAAC,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/protect.d.ts

@@ -1,31 +0,0 @@
-import type { RequestHandler } from 'express';
-import type { AuthConfig } from '../types/auth.js';
-/**
- * Express middleware factory that enforces JWT authentication and session validity.
- *
- * Reads the `Authorization: Bearer <token>` header, verifies the access token,
- * and attaches the decoded payload to `req.user`. Calls `next(SentriError)` on
- * any failure so your error handler can convert it to an HTTP response.
- *
- * Since sentri 1.1.0 access tokens embed a `sessionId` claim. When this claim
- * is present, `protect()` performs a lightweight database lookup
- * (`adapter.session.findById`) to confirm the session is still active. This
- * means a user who has logged out (or been logged out from all devices) cannot
- * use an access token that was issued before the logout — even if the token has
- * not yet expired.
- *
- * Tokens issued before 1.1.0 (without the `sessionId` claim) are still accepted
- * but bypass the session check.
- *
- * Must be used **before** `authorize()` or `permit()`.
- *
- * @param config - Auth configuration (secret, algorithm, adapter).
- * @returns An Express `RequestHandler` that populates `req.user` on success.
- *
- * @example
- * router.get('/profile', protect(config), (request, response) => {
- *   response.json(request.user);
- * });
- */
-export declare function protect(config: AuthConfig): RequestHandler;
-//# sourceMappingURL=protect.d.ts.map

package/dist/middleware/protect.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAsB,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEvE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAwB1D"}

package/dist/middleware/protect.js

@@ -1,54 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-import { verifyAccessToken } from '../libs/token.js';
-/**
- * Express middleware factory that enforces JWT authentication and session validity.
- *
- * Reads the `Authorization: Bearer <token>` header, verifies the access token,
- * and attaches the decoded payload to `req.user`. Calls `next(SentriError)` on
- * any failure so your error handler can convert it to an HTTP response.
- *
- * Since sentri 1.1.0 access tokens embed a `sessionId` claim. When this claim
- * is present, `protect()` performs a lightweight database lookup
- * (`adapter.session.findById`) to confirm the session is still active. This
- * means a user who has logged out (or been logged out from all devices) cannot
- * use an access token that was issued before the logout — even if the token has
- * not yet expired.
- *
- * Tokens issued before 1.1.0 (without the `sessionId` claim) are still accepted
- * but bypass the session check.
- *
- * Must be used **before** `authorize()` or `permit()`.
- *
- * @param config - Auth configuration (secret, algorithm, adapter).
- * @returns An Express `RequestHandler` that populates `req.user` on success.
- *
- * @example
- * router.get('/profile', protect(config), (request, response) => {
- *   response.json(request.user);
- * });
- */
-export function protect(config) {
-    return async (request, _response, next) => {
-        const authHeader = request.headers['authorization'];
-        if (!authHeader?.startsWith('Bearer ')) {
-            return next(new SentriError('UNAUTHORIZED', 'Missing or malformed Authorization header'));
-        }
-        const token = authHeader.slice(7);
-        try {
-            const payload = verifyAccessToken(token, config);
-            request.user = { id: payload.id, identifier: payload.identifier, roles: payload.roles };
-            // Session-bound validation: reject the request if the session was revoked (logout).
-            if (payload.sessionId) {
-                const session = await config.adapter.session.findById(payload.sessionId);
-                if (!session) {
-                    return next(new SentriError('UNAUTHORIZED', 'Session has been revoked'));
-                }
-            }
-            next();
-        }
-        catch (error) {
-            next(error);
-        }
-    };
-}
-//# sourceMappingURL=protect.js.map

package/dist/middleware/protect.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC5F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAuB,CAAC;YACvE,OAAO,CAAC,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;YAExF,oFAAoF;YACpF,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzE,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC,CAAC;gBAC3E,CAAC;YACH,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/router.d.ts

@@ -1,34 +0,0 @@
-import { Router } from 'express';
-import type { AuthConfig } from '../types/auth.js';
-/**
- * Creates a pre-built Express Router with all standard auth endpoints.
- *
- * Mount it once and all routes are ready:
- *
- * ```
- * POST /register            — register a new user (protected by X-Api-Key when config.apiKey is set)
- * POST /login               — authenticate and get tokens
- * POST /refresh             — rotate refresh token
- * POST /logout              — invalidate current session; access tokens issued before logout become invalid
- * POST /logout-all          — invalidate all sessions for the authenticated user
- * GET  /me                  — return the currently authenticated user
- * POST /users/:userId/roles — assign roles (admin only)
- * ```
- *
- * Requires `express.json()` to be applied before the router.
- *
- * When `cookie` is set in config, the refresh token is stored in an httpOnly
- * cookie automatically — no `cookie-parser` needed.
- *
- * When `apiKey` is set in config, `POST /register` requires the caller to send
- * an `X-Api-Key: <key>` header matching the configured value.
- *
- * When `router` is set in config, individual service functions can be replaced
- * while the router still handles validation and response formatting.
- *
- * @example
- * app.use(express.json());
- * app.use('/auth', auth.router());
- */
-export declare function createAuthRouter<TRole extends string>(config: AuthConfig<TRole>): Router;
-//# sourceMappingURL=router.d.ts.map

package/dist/middleware/router.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AAEjF,OAAO,KAAK,EAAE,UAAU,EAA6B,MAAM,kBAAkB,CAAC;AA4E9E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CAwLxF"}