viyv-db-auth 0.1.0 → 0.2.0

package/dist/index.d.ts

@@ -1,5 +1,7 @@
 export { FileCredentialStore } from './credential-store.js';
 export { DeviceCodeAuth } from './device-code-auth.js';
+export { JwtAuthProvider } from './jwt-auth.js';
+export type { JwtAuthConfig } from './jwt-auth.js';
 export { getValidToken, isTokenExpired, refreshTokens } from './token-refresh.js';
 export type { ICredentialStore, StoredCredentials, TokenSet, UserInfo, DeviceCodeResponse, TokenResponse, UserInfoResponse, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,YAAY,EACX,gBAAgB,EAChB,iBAAiB,EACjB,QAAQ,EACR,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,gBAAgB,GAChB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,YAAY,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,YAAY,EACX,gBAAgB,EAChB,iBAAiB,EACjB,QAAQ,EACR,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,gBAAgB,GAChB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -1,4 +1,5 @@
 export { FileCredentialStore } from './credential-store.js';
 export { DeviceCodeAuth } from './device-code-auth.js';
+export { JwtAuthProvider } from './jwt-auth.js';
 export { getValidToken, isTokenExpired, refreshTokens } from './token-refresh.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/jwt-auth.d.ts

@@ -0,0 +1,33 @@
+/**
+ * JWT-based IAuthProvider implementation using jose library.
+ * Supports both JWKS URL (asymmetric, production) and symmetric secret (testing).
+ */
+import type { AuthContext, AuthCredentials, IAuthProvider } from 'viyv-db-core';
+export interface JwtAuthConfig {
+    /** JWKS endpoint URL for asymmetric key verification (RS256 etc.) */
+    jwksUrl?: string;
+    /** Symmetric secret for HS256 (testing / simple setups) */
+    secret?: string;
+    /** Expected issuer (iss claim) */
+    issuer?: string;
+    /** Expected audience (aud claim) */
+    audience?: string;
+    /** JWT claim → AuthContext field mapping */
+    claimsMapping?: {
+        userId?: string;
+        orgId?: string;
+        teamId?: string;
+        roles?: string;
+        accessLevel?: string;
+    };
+}
+export declare class JwtAuthProvider implements IAuthProvider {
+    private readonly config;
+    private readonly symmetricKey;
+    private readonly jwksGetKey;
+    private readonly mapping;
+    constructor(config: JwtAuthConfig);
+    private verify;
+    authenticate(credentials: AuthCredentials): Promise<AuthContext>;
+}
+//# sourceMappingURL=jwt-auth.d.ts.map

package/dist/jwt-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.d.ts","sourceRoot":"","sources":["../src/jwt-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAGhF,MAAM,WAAW,aAAa;IAC7B,qEAAqE;IACrE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,aAAa,CAAC,EAAE;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,WAAW,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACF;AAgBD,qBAAa,eAAgB,YAAW,aAAa;IAKxC,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyB;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAwD;gBAEnD,MAAM,EAAE,aAAa;YA0BpC,MAAM;IAcd,YAAY,CAAC,WAAW,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC;CAoCtE"}

package/dist/jwt-auth.js

@@ -0,0 +1,95 @@
+/**
+ * JWT-based IAuthProvider implementation using jose library.
+ * Supports both JWKS URL (asymmetric, production) and symmetric secret (testing).
+ */
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import { AuthenticationError } from 'viyv-db-core';
+const VALID_ACCESS_LEVELS = new Set(['read', 'data', 'schema']);
+function isValidAccessLevel(value) {
+    return typeof value === 'string' && VALID_ACCESS_LEVELS.has(value);
+}
+const DEFAULT_MAPPING = {
+    userId: 'sub',
+    orgId: 'org_id',
+    teamId: 'team_id',
+    roles: 'roles',
+    accessLevel: 'access_level',
+};
+export class JwtAuthProvider {
+    config;
+    symmetricKey;
+    jwksGetKey;
+    mapping;
+    constructor(config) {
+        this.config = config;
+        if (config.jwksUrl && config.secret) {
+            throw new Error('JwtAuthConfig: jwksUrl and secret are mutually exclusive');
+        }
+        if (!config.jwksUrl && !config.secret) {
+            throw new Error('JwtAuthConfig: either jwksUrl or secret is required');
+        }
+        if (config.jwksUrl) {
+            this.symmetricKey = null;
+            this.jwksGetKey = createRemoteJWKSet(new URL(config.jwksUrl));
+        }
+        else {
+            // config.secret is guaranteed non-null by the validation above
+            this.symmetricKey = new TextEncoder().encode(config.secret);
+            this.jwksGetKey = null;
+        }
+        this.mapping = {
+            userId: config.claimsMapping?.userId ?? DEFAULT_MAPPING.userId,
+            orgId: config.claimsMapping?.orgId ?? DEFAULT_MAPPING.orgId,
+            teamId: config.claimsMapping?.teamId ?? DEFAULT_MAPPING.teamId,
+            roles: config.claimsMapping?.roles ?? DEFAULT_MAPPING.roles,
+            accessLevel: config.claimsMapping?.accessLevel ?? DEFAULT_MAPPING.accessLevel,
+        };
+    }
+    async verify(token) {
+        const opts = {
+            issuer: this.config.issuer,
+            audience: this.config.audience,
+        };
+        if (this.symmetricKey) {
+            const { payload } = await jwtVerify(token, this.symmetricKey, opts);
+            return payload;
+        }
+        // jwksGetKey is guaranteed non-null when symmetricKey is null
+        const { payload } = await jwtVerify(token, this.jwksGetKey, opts);
+        return payload;
+    }
+    async authenticate(credentials) {
+        if (credentials.type !== 'bearer') {
+            throw new AuthenticationError(`Bearer token required, got '${credentials.type}'`);
+        }
+        try {
+            const payload = await this.verify(credentials.token);
+            const userId = payload[this.mapping.userId];
+            if (typeof userId !== 'string' || !userId) {
+                throw new AuthenticationError(`Missing or invalid '${this.mapping.userId}' claim in JWT`);
+            }
+            return {
+                userId,
+                orgId: typeof payload[this.mapping.orgId] === 'string'
+                    ? payload[this.mapping.orgId]
+                    : undefined,
+                teamId: typeof payload[this.mapping.teamId] === 'string'
+                    ? payload[this.mapping.teamId]
+                    : undefined,
+                roles: Array.isArray(payload[this.mapping.roles])
+                    ? payload[this.mapping.roles]
+                    : [],
+                accessLevel: isValidAccessLevel(payload[this.mapping.accessLevel])
+                    ? payload[this.mapping.accessLevel]
+                    : undefined,
+                claims: payload,
+            };
+        }
+        catch (error) {
+            if (error instanceof AuthenticationError)
+                throw error;
+            throw new AuthenticationError(`JWT verification failed: ${error.message}`);
+        }
+    }
+}
+//# sourceMappingURL=jwt-auth.js.map

package/dist/jwt-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.js","sourceRoot":"","sources":["../src/jwt-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAGrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAqBnD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEhE,SAAS,kBAAkB,CAAC,KAAc;IACzC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,eAAe,GAAG;IACvB,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,SAAS;IACjB,KAAK,EAAE,OAAO;IACd,WAAW,EAAE,cAAc;CAClB,CAAC;AAEX,MAAM,OAAO,eAAe;IAKE;IAJZ,YAAY,CAAoB;IAChC,UAAU,CAAyB;IACnC,OAAO,CAAwD;IAEhF,YAA6B,MAAqB;QAArB,WAAM,GAAN,MAAM,CAAe;QACjD,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YACzB,IAAI,CAAC,UAAU,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACP,+DAA+D;YAC/D,IAAI,CAAC,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,MAAgB,CAAC,CAAC;YACtE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG;YACd,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,eAAe,CAAC,MAAM;YAC9D,KAAK,EAAE,MAAM,CAAC,aAAa,EAAE,KAAK,IAAI,eAAe,CAAC,KAAK;YAC3D,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,eAAe,CAAC,MAAM;YAC9D,KAAK,EAAE,MAAM,CAAC,aAAa,EAAE,KAAK,IAAI,eAAe,CAAC,KAAK;YAC3D,WAAW,EAAE,MAAM,CAAC,aAAa,EAAE,WAAW,IAAI,eAAe,CAAC,WAAW;SAC7E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,KAAa;QACjC,MAAM,IAAI,GAAG;YACZ,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAC;QACF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACpE,OAAO,OAAO,CAAC;QAChB,CAAC;QACD,8DAA8D;QAC9D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,UAA6B,EAAE,IAAI,CAAC,CAAC;QACrF,OAAO,OAAO,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA4B;QAC9C,IAAI,WAAW,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,IAAI,mBAAmB,CAAC,+BAA+B,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAErD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC3C,MAAM,IAAI,mBAAmB,CAAC,uBAAuB,IAAI,CAAC,OAAO,CAAC,MAAM,gBAAgB,CAAC,CAAC;YAC3F,CAAC;YAED,OAAO;gBACN,MAAM;gBACN,KAAK,EACJ,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;oBAC9C,CAAC,CAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAY;oBACzC,CAAC,CAAC,SAAS;gBACb,MAAM,EACL,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;oBAC/C,CAAC,CAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAY;oBAC1C,CAAC,CAAC,SAAS;gBACb,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;oBAChD,CAAC,CAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAc;oBAC3C,CAAC,CAAC,EAAE;gBACL,WAAW,EAAE,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;oBACjE,CAAC,CAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAgC;oBACnE,CAAC,CAAC,SAAS;gBACZ,MAAM,EAAE,OAAkC;aAC1C,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,mBAAmB;gBAAE,MAAM,KAAK,CAAC;YACtD,MAAM,IAAI,mBAAmB,CAAC,4BAA6B,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;CACD"}

package/package.json

@@ -1,36 +1,40 @@
 {
-  "name": "viyv-db-auth",
-  "version": "0.1.0",
-  "type": "module",
-  "description": "Authentication implementation for viyv-db",
-  "license": "MIT",
-  "author": "viyv",
-  "engines": {
-    "node": ">=20"
-  },
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "default": "./dist/index.js"
-    }
-  },
-  "files": [
-    "dist",
-    "!dist/__tests__"
-  ],
-  "dependencies": {
-    "viyv-db-core": "0.1.0"
-  },
-  "devDependencies": {
-    "typescript": "^5.7.0",
-    "vitest": "^2.1.0"
-  },
-  "scripts": {
-    "build": "tsc",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
-    "clean": "rm -rf dist"
-  }
-}
+	"name": "viyv-db-auth",
+	"version": "0.2.0",
+	"type": "module",
+	"description": "Authentication implementation for viyv-db",
+	"license": "MIT",
+	"author": "viyv",
+	"engines": { "node": ">=20" },
+	"main": "dist/index.js",
+	"types": "dist/index.d.ts",
+	"exports": {
+		".": {
+			"development": "./src/index.ts",
+			"default": "./dist/index.js"
+		}
+	},
+	"publishConfig": {
+		"exports": {
+			".": {
+				"types": "./dist/index.d.ts",
+				"default": "./dist/index.js"
+			}
+		}
+	},
+	"files": ["dist", "!dist/__tests__"],
+	"scripts": {
+		"build": "tsc",
+		"typecheck": "tsc --noEmit",
+		"test": "vitest run",
+		"clean": "rm -rf dist"
+	},
+	"dependencies": {
+		"jose": "^6.0.0",
+		"viyv-db-core": "workspace:*"
+	},
+	"devDependencies": {
+		"typescript": "^5.7.0",
+		"vitest": "^2.1.0"
+	}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2025 viyv
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.