npm - sentri - Versions diffs - 2.0.0 → 2.1.0 - Mend

sentri 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +250 -574
package/dist/cli.js +112 -13
package/dist/index.d.ts +253 -754
package/dist/index.js +1 -1
package/package.json +7 -12
package/templates/drizzle/adapter.ts +0 -154
package/templates/drizzle/auth.ts +0 -125
package/templates/drizzle/schema.ts +0 -47
package/templates/prisma/adapter.ts +0 -122
package/templates/prisma/auth.ts +0 -128
package/templates/prisma/schema.prisma +0 -56

package/dist/index.js CHANGED Viewed

	@@ -1 +1 @@
1	- import W from'bcrypt';import K from'jsonwebtoken';import {Router}from'express';var Y=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500}),i=class extends Error{code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??Y[r]??500;}};async function D(e,r=12){return W.hash(e,r)}async function H(e,r){return W.compare(e,r)}var J=new WeakMap,Q=32,ee=10,re=31;function se(e){if(!e.secret\|\|e.secret.trim().length===0)throw new i("CONFIGURATION_ERROR","secret must not be empty");if(e.secret.length<Q)throw new i("CONFIGURATION_ERROR",`secret must be at least ${Q} characters to be cryptographically safe`);let r=e.saltRounds??12;if(!Number.isInteger(r)\|\|r<ee\|\|r>re)throw new i("CONFIGURATION_ERROR",`saltRounds must be an integer between ${ee} and ${re}`);if(!e.validRoles\|\|e.validRoles.length===0)throw new i("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.adapter)throw new i("CONFIGURATION_ERROR","adapter is required")}function h(e){let r=J.get(e);if(r)return r;let t={secret:e.secret,accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",algorithm:e.algorithm??"HS256",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),adapter:e.adapter,cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return J.set(e,t),t}var Re=/^(\d+)([smhdw])$/,ge={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},te=new Map;function T(e){if(typeof e=="number")return e1e3;let r=te.get(e);if(r!==void 0)return r;let t=Re.exec(e);if(!t?.[1]\|\|!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=ge[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let a=parseInt(t[1],10)s;return te.set(e,a),a}var oe=new Map,ne=new Map;function P(e){let r=oe.get(e);return r\|\|(r={access:`${e}:access`,refresh:`${e}:refresh`},oe.set(e,r)),r}function ie(e,r,t,s){let a=`${t}:${s}`,n=ne.get(a);return n\|\|(n={expiresIn:t,algorithm:s},ne.set(a,n)),K.sign(e,r,n)}function ae(e,r,t){try{let s=K.verify(e,r,{algorithms:[t]});if(typeof s=="string"\|\|s===null)throw new i("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof i?s:s instanceof K.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function x(e,r){let t=h(r),{access:s}=P(t.secret);return ie(e,s,t.accessExpiresIn,t.algorithm)}function v(e,r){let t=h(r),{refresh:s}=P(t.secret);return ie({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}function b(e,r){let t=h(r),{access:s}=P(t.secret);return ae(e,s,t.algorithm)}function N(e,r){let t=h(r),{refresh:s}=P(t.secret);return ae(e,s,t.algorithm)}function I(e){return h(e).cookieName}function E(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let a=e.indexOf(";",s),n=a===-1?e.length:a;if(e.startsWith(t,s))return e.slice(s+t.length,n);s=n+1;}}function O(e,r,t){let s=t.cookie??{},a=h(t),n=T(a.refreshExpiresIn);e.cookie(I(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:n});}function L(e,r){let t=r.cookie??{};e.clearCookie(I(r),{path:t.path??"/"});}function M(e){return h(e).accessCookieName}function S(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,a=h(t),n=T(a.accessExpiresIn);e.cookie(M(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:n});}function X(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(M(r),{path:t.path??"/"});}function _(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):E(e.headers.cookie,M(r))}async function Z(e,r){let t=h(r),s=e.roles??[],a=s.filter(u=>!t.validRolesSet.has(u));if(a.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let n=e.identifier.trim();if(await t.adapter.user.findByIdentifier(n))return {success:false,error:new i("USER_ALREADY_EXISTS","User already exists")};let f=await D(e.password,t.saltRounds);return {success:true,user:{id:(await t.adapter.user.create({identifier:n,passwordHash:f,roles:s})).id,identifier:n,roles:s}}}async function ue(e,r){let t=h(r),s=await t.adapter.user.findByIdentifier(e.identifier.trim());if(!s)return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};if(!await H(e.password,s.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let n=new Date(Date.now()+T(t.refreshExpiresIn)),c=await t.adapter.session.create({userId:s.id,expiresAt:n}),f={id:s.id,identifier:s.identifier,roles:s.roles},m=x({id:s.id,identifier:s.identifier,roles:s.roles,sessionId:c.id},r),o=v(c.id,r);return {success:true,accessToken:m,refreshToken:o,user:f}}async function j(e,r){let t=h(r),s;try{({sessionId:s}=N(e,r));}catch(u){return u instanceof i?{success:false,error:u}:{success:false,error:new i("TOKEN_INVALID","Invalid refresh token")}}let a=await t.adapter.session.findById(s);if(!a)return {success:false,error:new i("UNAUTHORIZED","Session not found or revoked")};if(a.expiresAt.getTime()<Date.now())return await t.adapter.session.delete(s),{success:false,error:new i("TOKEN_EXPIRED","Session has expired")};await t.adapter.session.delete(s);let n=new Date(Date.now()+T(t.refreshExpiresIn)),c=await t.adapter.session.create({userId:a.userId,expiresAt:n}),f={id:a.user.id,identifier:a.user.identifier,roles:a.user.roles},m=x({id:f.id,identifier:f.identifier,roles:f.roles,sessionId:c.id},r),o=v(c.id,r);return {success:true,accessToken:m,refreshToken:o,user:f}}async function ce(e,r){let t;try{({sessionId:t}=N(e,r));}catch{return}await h(r).adapter.session.delete(t);}async function de(e,r){await h(r).adapter.session.deleteAllForUser(e);}async function le(e,r,t){let s=h(t),a=r.filter(m=>!s.validRolesSet.has(m));if(a.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let n=await s.adapter.user.findById(e);if(!n)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let c=new Set(n.roles);for(let m of r)c.add(m);let f=Array.from(c);return await s.adapter.user.updateRoles(e,f),{success:true,user:{id:n.id,identifier:n.identifier,roles:f}}}function k(e){return async(r,t,s)=>{let a=_(r,e);if(!a)return s(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let n=b(a,e);if(e.isTokenRevoked&&await e.isTokenRevoked(n.sessionId))return s(new i("UNAUTHORIZED","Token has been revoked"));r.user={id:n.id,identifier:n.identifier,roles:n.roles},s();}catch(n){if(n instanceof i&&n.code==="TOKEN_EXPIRED"){let c=E(r.headers.cookie,I(e));if(!c)return s(new i("UNAUTHORIZED","Token expired. Please login again."));try{let f=await j(c,e);if(!f.success)return s(new i("UNAUTHORIZED","Session expired. Please login again."));O(t,f.refreshToken,e),S(t,f.accessToken,e),t.setHeader("X-New-Access-Token",f.accessToken),r.user=f.user,s();}catch{s(new i("UNAUTHORIZED","Session expired. Please login again."));}}else s(n);}}}function F(...e){let r=`Requires one of roles: ${e.join(", ")}`;return (t,s,a)=>{if(!t.user)return a(new i("UNAUTHORIZED","Not authenticated"));let n=t.user.roles;if(!e.some(c=>n.includes(c)))return a(new i("FORBIDDEN",r));a();}}var Ae=new i("FORBIDDEN","You do not have permission to perform this action");function fe(e){let r=typeof e=="function"?{check:e}:e;return async(t,s,a)=>{if(!t.user)return a(new i("UNAUTHORIZED","Not authenticated"));if(r.roles&&r.roles.length>0){let n=t.user.roles;if(r.roles.some(c=>n.includes(c)))return a()}try{let n=r.check(t);(n instanceof Promise?await n:n)?a():a(Ae);}catch(n){a(n);}}}var pe=8,q=72,$=255;function y(e){return new i("VALIDATION_ERROR",e)}function C(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}function U(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}function z(e){if(e==null\|\|typeof e!="object"\|\|Array.isArray(e))throw new i("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}function Ie(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"\|\|t!==r.apiKey)throw new i("UNAUTHORIZED","Invalid or missing API key")}function B(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}function he(e){let r=Router(),t=e,s=e.router?.register??(o=>Z(o,t)),a=e.router?.login??(o=>ue(o,t)),n=e.router?.refresh??(o=>j(o,t)),c=e.router?.logout??(o=>o!==void 0?ce(o,t):Promise.resolve()),f=e.router?.logoutAll??(o=>de(o,t)),m=e.router?.assignRoles??((o,u)=>le(o,u,t));return r.post("/register",async(o,u,p)=>{try{Ie(o,e);let d=z(o.body),{identifier:l,password:g,roles:A}=d;if(typeof l!="string"\|\|l.trim().length===0)throw y("identifier is required and must be a non-empty string");if(l.length>$)throw y(`identifier must not exceed ${$} characters`);if(typeof g!="string"\|\|g.length<pe)throw y(`password is required and must be at least ${pe} characters`);if(g.length>q)throw y(`password must not exceed ${q} characters`);if(A!==void 0&&!Array.isArray(A))throw y("roles must be an array of strings when provided");if(Array.isArray(A)&&!A.every(me=>typeof me=="string"))throw y("each role must be a string");let R=Array.isArray(A)?A:void 0,w=R!==void 0?{identifier:l.trim(),password:g,roles:R}:{identifier:l.trim(),password:g},V=await s(w);if(!V.success){U(u,V.error);return}C(u,201,"User registered successfully",{user:V.user});}catch(d){p(d);}}),r.post("/login",async(o,u,p)=>{try{let d=z(o.body),{identifier:l,password:g}=d;if(typeof l!="string"\|\|l.trim().length===0)throw y("identifier is required and must be a non-empty string");if(l.length>$)throw y(`identifier must not exceed ${$} characters`);if(typeof g!="string"\|\|g.length===0)throw y("password is required");if(g.length>q)throw y(`password must not exceed ${q} characters`);let A=l.trim(),R=await a({identifier:A,password:g});if(!R.success){B(()=>e.hooks?.onFailedLogin?.(A,R.error)),U(u,R.error);return}B(()=>e.hooks?.onLogin?.(R.user)),O(u,R.refreshToken,e),S(u,R.accessToken,e),C(u,200,"Login successful",{accessToken:R.accessToken,user:R.user});}catch(d){p(d);}}),r.post("/refresh",async(o,u,p)=>{try{let d=E(o.headers.cookie,I(e));if(!d)throw new i("UNAUTHORIZED","Refresh token cookie is missing");let l=await n(d);if(!l.success){L(u,e),U(u,l.error);return}O(u,l.refreshToken,e),S(u,l.accessToken,e),C(u,200,"Token refreshed",{accessToken:l.accessToken});}catch(d){p(d);}}),r.post("/logout",async(o,u,p)=>{try{let d=E(o.headers.cookie,I(e));await c(d),L(u,e),X(u,e),C(u,200,"Logged out",null);}catch(d){p(d);}}),r.post("/logout-all",k(e),async(o,u,p)=>{try{let d=o.user.id;await f(d),B(()=>e.hooks?.onLogout?.(d)),L(u,e),X(u,e),C(u,200,"All sessions revoked",null);}catch(d){p(d);}}),r.get("/me",k(e),(o,u)=>{C(u,200,"OK",o.user);}),r.post("/users/:userId/roles",k(e),F("admin"),async(o,u,p)=>{try{let d=z(o.body),{roles:l}=d,g=o.params.userId,A=typeof g=="string"?g:void 0;if(!A)throw y("userId is required");if(!Array.isArray(l)\|\|l.length===0)throw y("roles must be a non-empty array of strings");if(!l.every(w=>typeof w=="string"))throw y("each role must be a string");let R=await m(A,l);if(!R.success){U(u,R.error);return}C(u,200,"Roles assigned successfully",{user:R.user});}catch(d){p(d);}}),r.use((o,u,p,d)=>{o instanceof i?U(p,o):p.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}),r}function G(e){return (r,t,s,a)=>{if(r instanceof i){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,message:"Internal server error",data:null});}}function Ce(e){se(e);let r=h(e);return {protect:()=>k(e),authorize:(...t)=>F(...t),permit:t=>fe(t),hashPassword:t=>D(t,r.saltRounds),verifyPassword:(t,s)=>H(t,s),signAccessToken:t=>x(t,e),signRefreshToken:t=>v(t,e),verifyAccessToken:t=>b(t,e),verifyRefreshToken:t=>N(t,e),getCurrentAccessToken:t=>_(t,e),router:()=>he(e),errorHandler:t=>G(t)}}function we(e){let r=e?.ttl??3e5,t=Math.max(r,5e3),s=(e?.header??"X-Idempotency-Key").toLowerCase(),a=new Set((e?.methods??["POST","PUT","PATCH"]).map(m=>m.toUpperCase())),n=e?.maxSize??1e4,c=new Map,f=setInterval(()=>{let m=Date.now();for(let[o,u]of c)u.expiresAt<=m&&c.delete(o);},t);return typeof f=="object"&&f!==null&&"unref"in f&&f.unref(),(m,o,u)=>{let p=m.headers[s];if(!p\|\|typeof p!="string"\|\|!a.has(m.method))return u();m.requestId=p,o.setHeader("X-Request-Id",p);let d=Date.now(),l=c.get(p);if(l&&l.expiresAt>d)return o.setHeader("X-Idempotent-Replayed","true"),o.status(l.statusCode).json(l.body);let g=o.json.bind(o);o.json=function(R){if(o.statusCode>=200&&o.statusCode<300){if(c.size>=n){let w=c.keys().next().value;w!==void 0&&c.delete(w);}c.set(p,{statusCode:o.statusCode,body:R,expiresAt:Date.now()+r});}return g(R)},u();}}export{Y as AUTH_ERROR_STATUS,i as SentriError,Ce as createAuth,G as createErrorHandler,we as createIdempotencyMiddleware,_ as getCurrentAccessToken,Z as register};
1	+ import Re from'bcrypt';import H from'jsonwebtoken';import {generateKeyPairSync,randomUUID,createPublicKey,createPrivateKey}from'crypto';import {Kysely,sql,PostgresDialect}from'kysely';import {Router}from'express';import {Redis}from'ioredis';import {Pool}from'pg';var pe=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500}),i=class extends Error{code;statusCode;constructor(r,s,t){super(s),this.name="SentriError",this.code=r,this.statusCode=t??pe[r]??500;}};async function D(e,r=12){return Re.hash(e,r)}async function K(e,r){return Re.compare(e,r)}var ye=new Map,we=new Map,nr=36001e3;function Ce(e){let r=ye.get(e);if(!r){let s=createPrivateKey(e),t=createPublicKey(s),n=t.export({format:"jwk"}),o=Buffer.from(e).slice(0,8).toString("base64url"),c={...n,use:"sig",kid:o};r={kid:o,publicKey:t,jwk:c},ye.set(e,r);}return r}function ke(e){let{jwk:r}=Ce(e);return {keys:[r]}}function Ie(e){return Ce(e).publicKey}async function Se(e){let r=Date.now(),s=we.get(e);if(s&&r-s.fetchedAt<nr)return s.publicKey;let t=await fetch(e);if(!t.ok)throw new i("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${t.status}`);let n=await t.json();if(!n.keys\|\|n.keys.length===0)throw new i("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=n.keys[0],c=createPublicKey({key:o,format:"jwk"});return we.set(e,{publicKey:c,fetchedAt:r}),c}var Te=new WeakMap,ve=32,Ee=10,xe=31;function _e(e){if(e.mode==="client"){if(!e.keyUri\|\|e.keyUri.trim().length===0)throw new i("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret\|\|e.secret.trim().length===0)throw new i("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<ve)throw new i("CONFIGURATION_ERROR",`secret must be at least ${ve} characters for HMAC algorithms`);let t=e.saltRounds??12;if(!Number.isInteger(t)\|\|t<Ee\|\|t>xe)throw new i("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Ee} and ${xe}`);if(!e.validRoles\|\|e.validRoles.length===0)throw new i("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new i("CONFIGURATION_ERROR","dialect is required in server mode")}function p(e){let r=Te.get(e);if(r)return r;let s={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Te.set(e,s),s}var or=/^(\d+)([smhdw])$/,ir={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},be=new Map;function x(e){if(typeof e=="number")return e1e3;let r=be.get(e);if(r!==void 0)return r;let s=or.exec(e);if(!s?.[1]\|\|!s?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let t=ir[s[2]];if(t===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let n=parseInt(s[1],10)*t;return be.set(e,n),n}var Pe=new Map,Oe=new Map,Ne=new Map;function Ue(e){return e.startsWith("RS")\|\|e.startsWith("PS")}function De(e){let r=Pe.get(e);return r\|\|(r={access:`${e}:access`,refresh:`${e}:refresh`},Pe.set(e,r)),r}function cr(e){let r=Oe.get(e);return r\|\|(r=createPrivateKey(e),Oe.set(e,r)),r}function Ke(e){let r=p(e);if(Ue(r.algorithm)){let n=cr(e.secret);return {accessKey:n,refreshKey:n}}let{access:s,refresh:t}=De(e.secret);return {accessKey:s,refreshKey:t}}function He(e,r){let s=p(e);if(Ue(s.algorithm))return Ie(e.secret);let{access:t,refresh:n}=De(e.secret);return r==="access"?t:n}function je(e,r,s,t){let n=`${s}:${t}`,o=Ne.get(n);return o\|\|(o={expiresIn:s,algorithm:t},Ne.set(n,o)),H.sign(e,r,o)}function Le(e,r,s){try{let t=H.verify(e,r,{algorithms:[s]});if(typeof t=="string"\|\|t===null)throw new i("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof i?t:t instanceof H.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function j(e,r){let s=p(r),{accessKey:t}=Ke(r);return je(e,t,s.accessExpiresIn,s.algorithm)}function L(e,r){let s=p(r),{refreshKey:t}=Ke(r);return je({sessionId:e},t,s.refreshExpiresIn,s.algorithm)}function z(e,r){let s=p(r),t=He(r,"access");return Le(e,t,s.algorithm)}function F(e,r){let s=p(r),t=He(r,"refresh");return Le(e,t,s.algorithm)}function Fe(e,r){try{let s=H.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof s=="string"\|\|s===null)throw new i("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof i?s:s instanceof H.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function E(e){return p(e).cookieName}function b(e,r){if(!e)return;let s=`${r}=`,t=0;for(;t<e.length;){for(;t<e.length&&e[t]===" ";)t++;let n=e.indexOf(";",t),o=n===-1?e.length:n;if(e.startsWith(s,t))return e.slice(t+s.length,o);t=o+1;}}function q(e,r,s){let t=s.cookie??{},n=p(s),o=x(n.refreshExpiresIn);e.cookie(E(s),r,{httpOnly:t.httpOnly??true,secure:t.secure??false,sameSite:t.sameSite??"strict",path:t.path??"/",maxAge:o});}function W(e,r){let s=r.cookie??{};e.clearCookie(E(r),{path:s.path??"/"});}function ce(e){return p(e).accessCookieName}function M(e,r,s){if(!s.accessCookie)return;let t=s.accessCookie,n=p(s),o=x(n.accessExpiresIn);e.cookie(ce(s),r,{httpOnly:false,secure:t.secure??false,sameSite:t.sameSite??"strict",path:t.path??"/",maxAge:o});}function ue(e,r){if(!r.accessCookie)return;let s=r.accessCookie;e.clearCookie(ce(r),{path:s.path??"/"});}function $(e,r){let s=e.headers.authorization;return s?.startsWith("Bearer ")?s.slice(7):b(e.headers.cookie,ce(r))}var qe=new Map;function k(e){let r=qe.get(e);return r\|\|(r=new Kysely({dialect:e}),qe.set(e,r)),r}function de(e){try{return JSON.parse(e)}catch{return []}}function $e(e){return JSON.stringify(e)}async function Z(e,r){let s=await e.selectFrom("sentri_users").selectAll().where("identifier","=",r).executeTakeFirst();return s?{id:s.id,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}:null}async function J(e,r){let s=await e.selectFrom("sentri_users").selectAll().where("id","=",r).executeTakeFirst();return s?{id:s.id,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}:null}async function Je(e,r){let s=randomUUID();return await e.insertInto("sentri_users").values({id:s,identifier:r.identifier,password_hash:r.passwordHash,roles:$e(r.roles)}).execute(),{id:s}}async function Ge(e,r,s){await e.updateTable("sentri_users").set({identifier:s}).where("id","=",r).execute();}async function Xe(e,r,s){await e.updateTable("sentri_users").set({password_hash:s}).where("id","=",r).execute();}async function Ve(e,r,s){await e.updateTable("sentri_users").set({roles:$e(s)}).where("id","=",r).execute();}async function le(e,r){let s=randomUUID();return await e.insertInto("sentri_sessions").values({id:s,user_id:r.userId,expires_at:r.expiresAt}).execute(),{id:s}}async function Be(e,r){let s=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.created_at as session_created_at","u.id as user_id_col","u.identifier","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return s?{id:s.session_id,userId:s.user_id,expiresAt:new Date(s.expires_at),createdAt:new Date(s.session_created_at),user:{id:s.user_id_col,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}}:null}async function Y(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}async function fe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}async function G(e,r){let s=p(r),t=k(r.dialect),n=e.roles??[],o=n.filter(w=>!s.validRolesSet.has(w));if(o.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=e.identifier.trim();if(await Z(t,c))return {success:false,error:new i("USER_ALREADY_EXISTS","User already exists")};let g=await D(e.password,s.saltRounds);return {success:true,user:{id:(await Je(t,{identifier:c,passwordHash:g,roles:n})).id,identifier:c,roles:n}}}async function Q(e,r){let s=p(r),t=k(r.dialect),n=await Z(t,e.identifier.trim());if(!n)return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};if(!await K(e.password,n.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let c=new Date(Date.now()+x(s.refreshExpiresIn)),d=await le(t,{userId:n.id,expiresAt:c}),g={id:n.id,identifier:n.identifier,roles:n.roles},m=j({id:n.id,identifier:n.identifier,roles:n.roles,sessionId:d.id},r),w=L(d.id,r);return {success:true,accessToken:m,refreshToken:w,user:g}}async function _(e,r){let s=p(r),t=k(r.dialect),n;try{({sessionId:n}=F(e,r));}catch(v){return v instanceof i?{success:false,error:v}:{success:false,error:new i("TOKEN_INVALID","Invalid refresh token")}}let o=await Be(t,n);if(!o)return {success:false,error:new i("UNAUTHORIZED","Session not found or revoked")};if(o.expiresAt.getTime()<Date.now())return await Y(t,n),{success:false,error:new i("TOKEN_EXPIRED","Session has expired")};await Y(t,n);let c=new Date(Date.now()+x(s.refreshExpiresIn)),d=await le(t,{userId:o.userId,expiresAt:c}),g={id:o.user.id,identifier:o.user.identifier,roles:o.user.roles},m=j({id:g.id,identifier:g.identifier,roles:g.roles,sessionId:d.id},r),w=L(d.id,r);return {success:true,accessToken:m,refreshToken:w,user:g}}async function ee(e,r){let s=k(r.dialect),t;try{({sessionId:t}=F(e,r));}catch{return}await Y(s,t);}async function re(e,r){let s=k(r.dialect);await fe(s,e);}async function ze(e,r){let s=k(r.dialect),t=await J(s,e);return t?{success:true,user:{id:t.id,identifier:t.identifier,roles:t.roles}}:{success:false,error:new i("USER_NOT_FOUND","User not found")}}async function te(e,r,s){let t=k(s.dialect),n=await J(t,e);if(!n)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let o=r.trim();return await Z(t,o)?{success:false,error:new i("USER_ALREADY_EXISTS","Identifier already taken")}:(await Ge(t,e,o),{success:true,user:{id:n.id,identifier:o,roles:n.roles}})}async function se(e,r,s,t){let n=p(t),o=k(t.dialect),c=await J(o,e);if(!c)return {success:false,error:new i("USER_NOT_FOUND","User not found")};if(!await K(r,c.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let g=await D(s,n.saltRounds);return await Xe(o,e,g),await fe(o,e),{success:true}}async function ne(e,r,s){let t=p(s),n=k(s.dialect),o=r.filter(m=>!t.validRolesSet.has(m));if(o.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=await J(n,e);if(!c)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let d=new Set(c.roles);for(let m of r)d.add(m);let g=Array.from(d);return await Ve(n,e,g),{success:true,user:{id:c.id,identifier:c.identifier,roles:g}}}function S(e){return e.mode==="client"?dr(e.keyUri):lr(e)}function dr(e){return async(r,s,t)=>{let n=r.headers.authorization,o=n?.startsWith("Bearer ")?n.slice(7):void 0;if(!o)return t(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let c=await Se(e),d=Fe(o,c);r.user={id:d.id,identifier:d.identifier,roles:d.roles},t();}catch(c){t(c);}}}function lr(e){return async(r,s,t)=>{let n=$(r,e);if(!n)return t(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let o=z(n,e);if(e.isTokenRevoked&&await e.isTokenRevoked(o.sessionId))return t(new i("UNAUTHORIZED","Token has been revoked"));r.user={id:o.id,identifier:o.identifier,roles:o.roles},t();}catch(o){if(o instanceof i&&o.code==="TOKEN_EXPIRED"){let c=b(r.headers.cookie,E(e));if(!c)return t(new i("UNAUTHORIZED","Token expired. Please login again."));try{let d=await _(c,e);if(!d.success)return t(new i("UNAUTHORIZED","Session expired. Please login again."));q(s,d.refreshToken,e),M(s,d.accessToken,e),s.setHeader("X-New-Access-Token",d.accessToken),r.user=d.user,t();}catch{t(new i("UNAUTHORIZED","Session expired. Please login again."));}}else t(o);}}}function X(...e){let r=`Requires one of roles: ${e.join(", ")}`;return (s,t,n)=>{if(!s.user)return n(new i("UNAUTHORIZED","Not authenticated"));let o=s.user.roles;if(!e.some(c=>o.includes(c)))return n(new i("FORBIDDEN",r));n();}}var fr=new i("FORBIDDEN","You do not have permission to perform this action");function V(e){let r=typeof e=="function"?{check:e}:e;return async(s,t,n)=>{if(!s.user)return n(new i("UNAUTHORIZED","Not authenticated"));if(r.roles&&r.roles.length>0){let o=s.user.roles;if(r.roles.some(c=>o.includes(c)))return n()}try{let o=r.check(s);(o instanceof Promise?await o:o)?n():n(fr);}catch(o){n(o);}}}function P(e){return (r,s,t,n)=>{if(r instanceof i){t.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),t.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}var oe=8,O=72,N=255;function y(e){return new i("VALIDATION_ERROR",e)}function T(e,r,s,t){e.status(r).json({error:false,statusCode:r,message:s,data:t});}function U(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}function B(e){if(e==null\|\|typeof e!="object"\|\|Array.isArray(e))throw new i("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}function hr(e,r){if(!r.apiKey)return;let s=e.headers["x-api-key"];if(typeof s!="string"\|\|s!==r.apiKey)throw new i("UNAUTHORIZED","Invalid or missing API key")}function ge(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}function mr(e){return e.startsWith("RS")\|\|e.startsWith("PS")}function We(e){let r=Router(),s=e,t=p(s),n=e.router?.register??(a=>G(a,s)),o=e.router?.login??(a=>Q(a,s)),c=e.router?.refresh??(a=>_(a,s)),d=e.router?.logout??(a=>a!==void 0?ee(a,s):Promise.resolve()),g=e.router?.logoutAll??(a=>re(a,s)),m=e.router?.assignRoles??((a,u)=>ne(a,u,s)),w=e.router?.changeIdentifier??((a,u)=>te(a,u,s)),v=e.router?.changePassword??((a,u,R)=>se(a,u,R,s));mr(t.algorithm)&&r.get("/keys",(a,u)=>{u.setHeader("Cache-Control","public, max-age=3600"),u.json(ke(e.secret));}),r.post("/register",async(a,u,R)=>{try{hr(a,e);let l=B(a.body),{identifier:f,password:h,roles:A}=l;if(typeof f!="string"\|\|f.trim().length===0)throw y("identifier is required and must be a non-empty string");if(f.length>N)throw y(`identifier must not exceed ${N} characters`);if(typeof h!="string"\|\|h.length<oe)throw y(`password is required and must be at least ${oe} characters`);if(h.length>O)throw y(`password must not exceed ${O} characters`);if(A!==void 0&&!Array.isArray(A))throw y("roles must be an array of strings when provided");if(Array.isArray(A)&&!A.every(tr=>typeof tr=="string"))throw y("each role must be a string");let C=Array.isArray(A)?A:void 0,ie=C!==void 0?{identifier:f.trim(),password:h,roles:C}:{identifier:f.trim(),password:h},ae=await n(ie);if(!ae.success){U(u,ae.error);return}T(u,201,"User registered successfully",{user:ae.user});}catch(l){R(l);}}),r.post("/login",async(a,u,R)=>{try{let l=B(a.body),{identifier:f,password:h}=l;if(typeof f!="string"\|\|f.trim().length===0)throw y("identifier is required and must be a non-empty string");if(f.length>N)throw y(`identifier must not exceed ${N} characters`);if(typeof h!="string"\|\|h.length===0)throw y("password is required");if(h.length>O)throw y(`password must not exceed ${O} characters`);let A=f.trim(),C=await o({identifier:A,password:h});if(!C.success){ge(()=>e.hooks?.onFailedLogin?.(A,C.error)),U(u,C.error);return}ge(()=>e.hooks?.onLogin?.(C.user)),q(u,C.refreshToken,e),M(u,C.accessToken,e),T(u,200,"Login successful",{accessToken:C.accessToken,user:C.user});}catch(l){R(l);}}),r.post("/refresh",async(a,u,R)=>{try{let l=b(a.headers.cookie,E(e));if(!l)throw new i("UNAUTHORIZED","Refresh token cookie is missing");let f=await c(l);if(!f.success){W(u,e),U(u,f.error);return}q(u,f.refreshToken,e),M(u,f.accessToken,e),T(u,200,"Token refreshed",{accessToken:f.accessToken});}catch(l){R(l);}}),r.post("/logout",async(a,u,R)=>{try{let l=b(a.headers.cookie,E(e));await d(l),W(u,e),ue(u,e),T(u,200,"Logged out",null);}catch(l){R(l);}}),r.post("/logout-all",S(e),async(a,u,R)=>{try{let l=a.user.id;await g(l),ge(()=>e.hooks?.onLogout?.(l)),W(u,e),ue(u,e),T(u,200,"All sessions revoked",null);}catch(l){R(l);}}),r.get("/me",S(e),(a,u)=>{T(u,200,"OK",a.user);});let I=V(a=>!!a.user);return r.patch("/me/identifier",S(e),I,async(a,u,R)=>{try{let l=B(a.body),{newIdentifier:f}=l;if(typeof f!="string"\|\|f.trim().length===0)throw y("newIdentifier is required and must be a non-empty string");if(f.length>N)throw y(`newIdentifier must not exceed ${N} characters`);let h=await w(a.user.id,f);if(!h.success){U(u,h.error);return}T(u,200,"Identifier updated successfully",{user:h.user});}catch(l){R(l);}}),r.patch("/me/password",S(e),I,async(a,u,R)=>{try{let l=B(a.body),{currentPassword:f,newPassword:h}=l;if(typeof f!="string"\|\|f.length===0)throw y("currentPassword is required");if(typeof h!="string"\|\|h.length<oe)throw y(`newPassword must be at least ${oe} characters`);if(h.length>O)throw y(`newPassword must not exceed ${O} characters`);if(f===h)throw y("newPassword must be different from currentPassword");let A=await v(a.user.id,f,h);if(!A.success){U(u,A.error);return}T(u,200,"Password updated successfully. All sessions have been revoked.",null);}catch(l){R(l);}}),r.post("/users/:userId/roles",S(e),X("admin"),async(a,u,R)=>{try{let l=B(a.body),{roles:f}=l,h=a.params.userId,A=typeof h=="string"?h:void 0;if(!A)throw y("userId is required");if(!Array.isArray(f)\|\|f.length===0)throw y("roles must be a non-empty array of strings");if(!f.every(ie=>typeof ie=="string"))throw y("each role must be a string");let C=await m(A,f);if(!C.success){U(u,C.error);return}T(u,200,"Roles assigned successfully",{user:C.user});}catch(l){R(l);}}),r.use(P()),r}var Ze=new Map;function Ye(e){let r=Ze.get(e);return r\|\|(r=new Redis(e,{lazyConnect:false,enableOfflineQueue:false}),Ze.set(e,r)),r}function he(e){let r=e?.ttl??3e5,s=(e?.header??"X-Idempotency-Key").toLowerCase(),t=new Set((e?.methods??["POST","PUT","PATCH"]).map(o=>o.toUpperCase())),n=e?.redisUrl;return n?Rr(n,r,s,t):yr(r,s,t,e?.maxSize??1e4)}function Rr(e,r,s,t){let n=Ye(e),o="sentri:idempotency:";return async(c,d,g)=>{let m=c.headers[s];if(!m\|\|typeof m!="string"\|\|!t.has(c.method))return g();c.requestId=m,d.setHeader("X-Request-Id",m);let w=await n.get(`${o}${m}`);if(w){let I=JSON.parse(w);return d.setHeader("X-Idempotent-Replayed","true"),d.status(I.statusCode).json(I.body)}let v=d.json.bind(d);d.json=function(a){if(d.statusCode>=200&&d.statusCode<300){let u={statusCode:d.statusCode,body:a,expiresAt:Date.now()+r};n.set(`${o}${m}`,JSON.stringify(u),"PX",r).catch(()=>{});}return v(a)},g();}}function yr(e,r,s,t){let n=Math.max(e,5e3),o=new Map,c=setInterval(()=>{let d=Date.now();for(let[g,m]of o)m.expiresAt<=d&&o.delete(g);},n);return typeof c=="object"&&c!==null&&"unref"in c&&c.unref(),(d,g,m)=>{let w=d.headers[r];if(!w\|\|typeof w!="string"\|\|!s.has(d.method))return m();d.requestId=w,g.setHeader("X-Request-Id",w);let v=Date.now(),I=o.get(w);if(I&&I.expiresAt>v)return g.setHeader("X-Idempotent-Replayed","true"),g.status(I.statusCode).json(I.body);let a=g.json.bind(g);g.json=function(R){if(g.statusCode>=200&&g.statusCode<300){if(o.size>=t){let l=o.keys().next().value;l!==void 0&&o.delete(l);}o.set(w,{statusCode:g.statusCode,body:R,expiresAt:Date.now()+e});}return a(R)},m();}}async function er(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("identifier","varchar(255)",r=>r.notNull().unique()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute();}function me(e){if(_e(e),e.mode==="client")return {protect:()=>S(e),authorize:(...t)=>X(...t),permit:t=>V(t),errorHandler:t=>P(t)};let r=e,s=p(r);return {protect:()=>S(r),authorize:(...t)=>X(...t),permit:t=>V(t),hashPassword:t=>D(t,s.saltRounds),verifyPassword:(t,n)=>K(t,n),signAccessToken:t=>j(t,r),signRefreshToken:t=>L(t,r),verifyAccessToken:t=>z(t,r),verifyRefreshToken:t=>F(t,r),getCurrentAccessToken:t=>$(t,r),router:()=>We(r),migrate:()=>er(k(r.dialect)),errorHandler:t=>P(t),idempotencyMiddleware:t=>he({...t,...r.redisUrl!==void 0&&{redisUrl:r.redisUrl}}),register:t=>G(t,r),login:t=>Q(t,r),refresh:t=>_(t,r),logout:t=>ee(t,r),logoutAll:t=>re(t,r),getUser:t=>ze(t,r),changeIdentifier:(t,n)=>te(t,n,r),changePassword:(t,n,o)=>se(t,n,o,r),assignRoles:(t,n)=>ne(t,n,r)}}function rr(e){return new PostgresDialect({pool:new Pool(e)})}function kr(e){let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),s={mode:"server",dialect:rr(e.db),secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl}};return me(s)}export{pe as SENTRI_ERROR_STATUS,i as SentriError,me as createAuth,kr as createAuthServer,P as createErrorHandler,he as createIdempotencyMiddleware,$ as getCurrentAccessToken,G as register};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sentri",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Personal auth/authorization library for Express + Postgres",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -16,8 +16,7 @@
   },
   "files": [
     "dist",
-    "bin",
-    "templates"
+    "bin"
   ],
   "scripts": {
     "build": "tsup",
@@ -41,6 +40,7 @@
     "@types/express": "^5.0.6",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^22.20.0",
+    "@types/pg": "^8.11.10",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.9",
     "express": "^5.2.1",
@@ -52,17 +52,12 @@
   },
   "dependencies": {
     "bcrypt": "^6.0.0",
-    "jsonwebtoken": "^9.0.3"
+    "ioredis": "^5.11.1",
+    "jsonwebtoken": "^9.0.3",
+    "kysely": "^0.27.4",
+    "pg": "^8.13.1"
   },
   "peerDependencies": {
     "express": ">=4.0.0"
-  },
-  "peerDependenciesMeta": {
-    "@prisma/client": {
-      "optional": true
-    },
-    "drizzle-orm": {
-      "optional": true
-    }
   }
 }

package/templates/drizzle/adapter.ts DELETED Viewed

@@ -1,154 +0,0 @@
-// sentri — Drizzle adapter template
-// Generated by: npx sentri generate drizzle
-//
-// Adjust the import paths to match your project structure.
-// This template assumes tables: users, roles, userRoles, sessions.
-// Column names follow the sentri Drizzle schema convention.
-//
-// Replace NodePgDatabase with the type that matches your Drizzle driver:
-//   import { type NodePgDatabase } from 'drizzle-orm/node-postgres';  (default)
-//   import { type LibSQLDatabase }  from 'drizzle-orm/libsql';
-//   import { type MySql2Database }  from 'drizzle-orm/mysql2';
-import { eq } from 'drizzle-orm';
-import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
-import { AuthError, type AuthAdapter } from 'sentri';
-import { users, roles, userRoles, sessions } from './schema.js';
-export function createAdapter(db: NodePgDatabase): AuthAdapter {
-  if (!db) {
-    throw new AuthError(
-      'CONFIGURATION_ERROR',
-      'createAdapter requires a Drizzle db instance. Did you forget to pass it?\n' +
-      'Example: createAdapter(db)',
-    );
-  }
-  return {
-    user: {
-      async findByIdentifier(identifier) {
-        const rows = await db
-          .select({
-            id: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(users)
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(users.identifier, identifier));
-        if (rows.length === 0) return null;
-        return {
-          id: rows[0]!.id,
-          identifier: rows[0]!.identifier,
-          passwordHash: rows[0]!.passwordHash,
-          roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-        };
-      },
-      async findById(id) {
-        const rows = await db
-          .select({
-            id: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(users)
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(users.id, id));
-        if (rows.length === 0) return null;
-        return {
-          id: rows[0]!.id,
-          identifier: rows[0]!.identifier,
-          passwordHash: rows[0]!.passwordHash,
-          roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-        };
-      },
-      async create({ identifier, passwordHash, roles: roleNames }) {
-        const [user] = await db
-          .insert(users)
-          .values({ identifier, passwordHash })
-          .returning({ id: users.id });
-        if (roleNames.length > 0) {
-          await Promise.all(
-            roleNames.map(async (name) => {
-              const existing = await db.select().from(roles).where(eq(roles.name, name));
-              const role = existing[0] ?? (await db.insert(roles).values({ name }).returning())[0];
-              await db.insert(userRoles).values({ userId: user!.id, roleId: role!.id });
-            }),
-          );
-        }
-        return { id: user!.id };
-      },
-      async updateRoles(userId, roleNames) {
-        await db.delete(userRoles).where(eq(userRoles.userId, userId));
-        await Promise.all(
-          roleNames.map(async (name) => {
-            const existing = await db.select().from(roles).where(eq(roles.name, name));
-            const role = existing[0] ?? (await db.insert(roles).values({ name }).returning())[0];
-            await db.insert(userRoles).values({ userId, roleId: role!.id });
-          }),
-        );
-      },
-    },
-    session: {
-      async create({ userId, expiresAt }) {
-        const [session] = await db
-          .insert(sessions)
-          .values({ userId, expiresAt })
-          .returning({ id: sessions.id });
-        return { id: session!.id };
-      },
-      async findById(sessionId) {
-        const rows = await db
-          .select({
-            sessionId: sessions.id,
-            sessionUserId: sessions.userId,
-            sessionExpiresAt: sessions.expiresAt,
-            sessionCreatedAt: sessions.createdAt,
-            userId: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(sessions)
-          .innerJoin(users, eq(sessions.userId, users.id))
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(sessions.id, sessionId));
-        if (rows.length === 0) return null;
-        const first = rows[0]!;
-        return {
-          id: first.sessionId,
-          userId: first.sessionUserId,
-          expiresAt: first.sessionExpiresAt,
-          createdAt: first.sessionCreatedAt,
-          user: {
-            id: first.userId,
-            identifier: first.identifier,
-            passwordHash: first.passwordHash,
-            roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-          },
-        };
-      },
-      async delete(sessionId) {
-        await db.delete(sessions).where(eq(sessions.id, sessionId));
-      },
-      async deleteAllForUser(userId) {
-        await db.delete(sessions).where(eq(sessions.userId, userId));
-      },
-    },
-  };
-}

package/templates/drizzle/auth.ts DELETED Viewed

@@ -1,125 +0,0 @@
-// sentri — auth config template (Drizzle)
-// Generated by: npx sentri generate drizzle
-//
-// Update validRoles to match the roles your application uses.
-// Add JWT_SECRET to your .env file.
-// If you already have a db instance defined elsewhere, import it instead.
-import { createAuth } from 'sentri';
-import { db } from '../db.js'; // adjust path to your db instance
-import { createAdapter } from './adapter.js';
-export const auth = createAuth({
-  secret: process.env.JWT_SECRET!,
-  validRoles: ['user', 'admin'] as const,
-  adapter: createAdapter(db),
-  accessExpiresIn: '5m',  // short-lived; silent refresh happens automatically in protect()
-  // refreshExpiresIn: '7d',
-  // algorithm: 'HS256',
-  // saltRounds: 12,
-  // apiKey: process.env.REGISTER_API_KEY, // when set, POST /register requires X-Api-Key header
-  // Access token stored in a non-httpOnly cookie — browser JS can read it via
-  // document.cookie or getCurrentAccessToken(req). protect() reads from this
-  // cookie automatically when no Authorization header is present.
-  accessCookie: {
-    secure: process.env.NODE_ENV === 'production',
-    // name: 'access_token',
-    // sameSite: 'strict',
-    // path: '/',
-  },
-  // Refresh token stored in an httpOnly cookie — not readable by JS.
-  cookie: {
-    secure: process.env.NODE_ENV === 'production',
-    // name: 'refresh_token',
-    // httpOnly: true,
-    // sameSite: 'strict',
-    // path: '/',
-  },
-  // hooks: {
-  //   // Fired after every successful login — good for audit logs, notifications.
-  //   onLogin: async (user) => {
-  //     await auditLog.record('login', user.id);
-  //   },
-  //   // Fired after every failed login — good for rate limiting, alerting.
-  //   onFailedLogin: (identifier, error) => {
-  //     rateLimiter.hit(`login:${identifier}`);
-  //   },
-  //   // Fired after logout (single session or all sessions).
-  //   onLogout: async (userId) => {
-  //     await cache.invalidate(userId);
-  //   },
-  // },
-  // isTokenRevoked: async (sessionId) => {
-  //   // Optional: immediate revocation via Redis (called on every protected request).
-  //   // Keep this fast — a slow check negates the performance benefit of stateless JWTs.
-  //   return await redis.sismember('revoked_sessions', sessionId);
-  // },
-  // router: {
-  //   register: async (input) => {
-  //     // custom register logic — must return RegisterResult
-  //   },
-  //   login: async (input) => {
-  //     // custom login logic — must return AuthResult
-  //   },
-  //   refresh: async (refreshToken) => {
-  //     // custom refresh logic — must return RefreshResult
-  //   },
-  //   logout: async (refreshToken) => {
-  //     // custom logout logic
-  //   },
-  //   logoutAll: async (userId) => {
-  //     // custom logout-all logic
-  //   },
-  //   assignRoles: async (userId, roles) => {
-  //     // custom assignRoles logic — must return AssignRolesResult
-  //   },
-  // },
-});
-// --- Express app setup ---
-//
-// import express from 'express';
-// import { SentriError, createIdempotencyMiddleware, getCurrentAccessToken } from 'sentri';
-//
-// const app = express();
-// app.use(express.json());
-//
-// // Optional: make create/update operations idempotent via X-Idempotency-Key header
-// app.use(createIdempotencyMiddleware());
-//
-// // Mount the auth router (POST /auth/register, /auth/login, etc.)
-// app.use('/auth', auth.router());
-//
-// // Your own routes — protect() reads token from Authorization header OR access_token cookie
-// app.get('/protected', auth.protect(), (req, res) => {
-//   res.json(req.user);
-// });
-//
-// // Read the raw access token if needed (header → cookie fallback)
-// app.get('/debug', (req, res) => {
-//   const token = auth.getCurrentAccessToken(req); // or: getCurrentAccessToken(req, config)
-//   res.json({ hasToken: !!token });
-// });
-//
-// // Domain-specific error by extending SentriError
-// class NotFoundError extends SentriError {
-//   constructor(resource: string) {
-//     super('NOT_FOUND', `${resource} not found`, 404);
-//   }
-// }
-//
-// app.get('/items/:id', auth.protect(), async (req, res) => {
-//   const item = await db.query.items.findFirst({ where: (t, { eq }) => eq(t.id, req.params['id']) });
-//   if (!item) throw new NotFoundError('Item');
-//   res.json(item);
-// });
-//
-// // Mount AFTER all routes — catches SentriError from sentri AND your subclasses
-// app.use(auth.errorHandler());
-//
-// app.listen(3000);

package/templates/drizzle/schema.ts DELETED Viewed

@@ -1,47 +0,0 @@
-// sentri — Drizzle schema template (PostgreSQL / node-postgres)
-// Generated by: npx sentri generate drizzle
-//
-// Field mapping: library uses `identifier` internally, but your DB column
-// can be named anything — adjust the first argument of text() on the
-// identifier column to match your existing schema, or leave it as-is.
-//
-//   text('email')    — login via email
-//   text('username') — login via username
-//   text('phone')    — login via phone number
-import { pgTable, primaryKey, text, timestamp } from 'drizzle-orm/pg-core';
-export const users = pgTable('users', {
-  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
-  identifier: text('email').notNull().unique(),
-  passwordHash: text('password_hash').notNull(),
-  createdAt: timestamp('created_at').notNull().defaultNow(),
-  updatedAt: timestamp('updated_at').notNull().$onUpdateFn(() => new Date()),
-});
-export const roles = pgTable('roles', {
-  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
-  name: text('name').notNull().unique(),
-});
-export const userRoles = pgTable(
-  'user_roles',
-  {
-    userId: text('user_id')
-      .notNull()
-      .references(() => users.id, { onDelete: 'cascade' }),
-    roleId: text('role_id')
-      .notNull()
-      .references(() => roles.id, { onDelete: 'cascade' }),
-  },
-  (table) => [primaryKey({ columns: [table.userId, table.roleId] })],
-);
-export const sessions = pgTable('sessions', {
-  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
-  userId: text('user_id')
-    .notNull()
-    .references(() => users.id, { onDelete: 'cascade' }),
-  expiresAt: timestamp('expires_at').notNull(),
-  createdAt: timestamp('created_at').notNull().defaultNow(),
-});

package/templates/prisma/adapter.ts DELETED Viewed

@@ -1,122 +0,0 @@
-// sentri — Prisma adapter template
-// Generated by: npx sentri generate prisma
-//
-// Adjust the Prisma model/field names below if your schema differs from the
-// template produced by `npx sentri init`.
-import type { PrismaClient } from '@prisma/client';
-import { AuthError, type AuthAdapter } from 'sentri';
-export function createAdapter(prisma: PrismaClient): AuthAdapter {
-  if (!prisma) {
-    throw new AuthError(
-      'CONFIGURATION_ERROR',
-      'createAdapter requires a PrismaClient instance. Did you forget to pass it?\n' +
-      'Example: createAdapter(prisma)',
-    );
-  }
-  return {
-    user: {
-      async findByIdentifier(identifier) {
-        const user = await prisma.user.findUnique({
-          where: { identifier },
-          include: { userRoles: { include: { role: true } } },
-        });
-        if (!user) return null;
-        return {
-          id: user.id,
-          identifier: user.identifier,
-          passwordHash: user.passwordHash,
-          roles: user.userRoles.map((userRole) => userRole.role.name),
-        };
-      },
-      async findById(id) {
-        const user = await prisma.user.findUnique({
-          where: { id },
-          include: { userRoles: { include: { role: true } } },
-        });
-        if (!user) return null;
-        return {
-          id: user.id,
-          identifier: user.identifier,
-          passwordHash: user.passwordHash,
-          roles: user.userRoles.map((userRole) => userRole.role.name),
-        };
-      },
-      async create({ identifier, passwordHash, roles }) {
-        const user = await prisma.user.create({
-          data: {
-            identifier,
-            passwordHash,
-            userRoles: {
-              create: await Promise.all(
-                roles.map(async (name) => {
-                  const role = await prisma.role.upsert({
-                    where: { name },
-                    update: {},
-                    create: { name },
-                  });
-                  return { roleId: role.id };
-                }),
-              ),
-            },
-          },
-        });
-        return { id: user.id };
-      },
-      async updateRoles(userId, roles) {
-        await prisma.userRole.deleteMany({ where: { userId } });
-        await Promise.all(
-          roles.map(async (name) => {
-            const role = await prisma.role.upsert({
-              where: { name },
-              update: {},
-              create: { name },
-            });
-            await prisma.userRole.create({ data: { userId, roleId: role.id } });
-          }),
-        );
-      },
-    },
-    session: {
-      async create({ userId, expiresAt }) {
-        const session = await prisma.session.create({ data: { userId, expiresAt } });
-        return { id: session.id };
-      },
-      async findById(sessionId) {
-        const session = await prisma.session.findUnique({
-          where: { id: sessionId },
-          include: {
-            user: { include: { userRoles: { include: { role: true } } } },
-          },
-        });
-        if (!session) return null;
-        return {
-          id: session.id,
-          userId: session.userId,
-          expiresAt: session.expiresAt,
-          createdAt: session.createdAt,
-          user: {
-            id: session.user.id,
-            identifier: session.user.identifier,
-            passwordHash: session.user.passwordHash,
-            roles: session.user.userRoles.map((userRole) => userRole.role.name),
-          },
-        };
-      },
-      async delete(sessionId) {
-        await prisma.session.delete({ where: { id: sessionId } }).catch(() => {});
-      },
-      async deleteAllForUser(userId) {
-        await prisma.session.deleteMany({ where: { userId } });
-      },
-    },
-  };
-}