UNPKG

@voilajsx/appkit

Version:

Minimal and framework agnostic Node.js toolkit designed for AI agentic backend development

github.com/voilajsx/appkit

voilajsx/appkit

182 lines 8.47 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
/** * Core authentication class with role-level-permission system * @module @voilajsx/appkit/auth * @file src/auth/authentication.ts * * @llm-rule WHEN: Building apps that need JWT operations, password hashing, and role-based middleware * @llm-rule AVOID: Using directly - always get instance via auth.get() * @llm-rule NOTE: Use requireUserRoles() for hierarchy-based access, requireUserPermissions() for action-specific access * @llm-rule NOTE: Uses role.level format (user.basic, admin.tenant) with automatic inheritance */ import { type AuthConfig } from './defaults.js'; export interface JwtPayload { userId?: string | number; keyId?: string; type: 'login' | 'api_key'; role: string; level: string; permissions?: string[]; [key: string]: any; iat?: number; exp?: number; iss?: string; aud?: string; } export interface LoginTokenPayload { userId: string | number; type: 'login'; role: string; level: string; permissions?: string[]; [key: string]: any; } export interface ApiTokenPayload { keyId: string; type: 'api_key'; role: string; level: string; permissions?: string[]; [key: string]: any; } export interface ExpressRequest { headers: { [key: string]: string | string[] | undefined; }; cookies?: { [key: string]: string; }; query?: { [key: string]: any; }; user?: JwtPayload; token?: JwtPayload; [key: string]: any; } export interface ExpressResponse { status: (code: number) => { json: (data: any) => void; }; json: (data: any) => void; } export interface MiddlewareOptions { getToken?: (request: ExpressRequest) => string | null; } export type ExpressMiddleware = (req: ExpressRequest, res: ExpressResponse, next: () => void) => void; /** * Authentication class with JWT, password, and role-level-permission system */ export declare class AuthenticationClass { config: AuthConfig; constructor(config: AuthConfig); /** * Generates a login JWT token for user authentication * @llm-rule WHEN: User successfully logs in to your app (mobile/web) * @llm-rule AVOID: Using for API access - use generateApiToken instead * @llm-rule NOTE: Creates JWT with userId and type: 'login' */ generateLoginToken(payload: Omit<LoginTokenPayload, 'type' | 'iat' | 'exp' | 'iss' | 'aud'>, expiresIn?: string): string; /** * Generates an API JWT token for external access * @llm-rule WHEN: Creating API keys for third-party integrations * @llm-rule AVOID: Using for user authentication - use generateLoginToken instead * @llm-rule NOTE: Creates JWT with keyId and type: 'api_key' */ generateApiToken(payload: Omit<ApiTokenPayload, 'type' | 'iat' | 'exp' | 'iss' | 'aud'>, expiresIn?: string): string; /** * Internal method to create and sign JWT tokens * @private */ private signToken; /** * Verifies and decodes a JWT token (both login and API tokens) * @llm-rule WHEN: Validating incoming tokens from requests * @llm-rule AVOID: Using jwt.verify directly - this handles errors and validates structure * @llm-rule NOTE: Handles both login tokens (userId) and API tokens (keyId) */ verifyToken(token: string): JwtPayload; /** * Hashes a password using bcrypt * @llm-rule WHEN: Storing user passwords - always hash before saving to database * @llm-rule AVOID: Storing plain text passwords - major security vulnerability * @llm-rule NOTE: Takes ~100ms with default 10 rounds - don't call in tight loops */ hashPassword(password: string, rounds?: number): Promise<string>; /** * Compares a password with its hash * @llm-rule WHEN: Validating user login credentials * @llm-rule AVOID: Manual string comparison - timing attacks possible * @llm-rule NOTE: Always returns boolean, never throws on comparison failure */ comparePassword(password: string, hash: string): Promise<boolean>; /** * Safely extracts user from request - never crashes * @llm-rule WHEN: Need to access user data from authenticated requests * @llm-rule AVOID: Accessing req.user directly - may be undefined and cause crashes * @llm-rule NOTE: Always returns null for unauthenticated requests - safe to use * @llm-rule NOTE: Works with both login authentication (req.user) and API tokens (req.token) */ user(request: ExpressRequest): JwtPayload | null; /** * Checks if user has specified role with automatic inheritance * @llm-rule WHEN: Checking if user can access role-protected resources * @llm-rule AVOID: Manual role comparisons - this handles inheritance automatically * @llm-rule NOTE: Higher levels inherit lower (admin.org has admin.tenant access) * @llm-rule NOTE: INHERITANCE EXAMPLES: * @llm-rule NOTE: auth.hasRole('admin.org', 'admin.tenant') → TRUE (org > tenant) * @llm-rule NOTE: auth.hasRole('admin.system', 'user.basic') → TRUE (system > basic) * @llm-rule NOTE: auth.hasRole('user.basic', 'admin.tenant') → FALSE (basic < tenant) * @llm-rule NOTE: Role hierarchy: admin.system > admin.org > admin.tenant > user.max > user.pro > user.basic */ hasRole(userRoleLevel: string, requiredRoleLevel: string): boolean; /** * Checks if user has specific permission with automatic action inheritance * @llm-rule WHEN: Checking fine-grained permissions for specific actions * @llm-rule AVOID: Hardcoding permission checks - this handles action inheritance * @llm-rule NOTE: 'manage:scope' includes ALL other actions for that scope * @llm-rule NOTE: PERMISSION INHERITANCE EXAMPLES: * @llm-rule NOTE: If user has 'manage:tenant' → can('edit:tenant') returns TRUE * @llm-rule NOTE: If user has 'manage:tenant' → can('view:tenant') returns TRUE * @llm-rule NOTE: If user has 'edit:tenant' → can('manage:tenant') returns FALSE * @llm-rule NOTE: Actions hierarchy: manage > delete > edit > create > view */ can(user: JwtPayload, permission: string): boolean; /** * Creates Express authentication middleware for login tokens * @llm-rule WHEN: Protecting routes that need authenticated users * @llm-rule AVOID: Using for API routes - use requireApiToken instead * @llm-rule NOTE: Validates login tokens (type: 'login') and sets req.user */ requireLoginToken(options?: MiddlewareOptions): ExpressMiddleware; /** * Creates Express role-based authorization middleware for authenticated users * @llm-rule WHEN: Protecting routes that require specific user roles * @llm-rule AVOID: Using without requireLoginToken - this assumes user is already authenticated * @llm-rule AVOID: Using with API tokens - API tokens don't have user roles * @llm-rule NOTE: User needs ANY role from the array (OR logic) * @llm-rule NOTE: Role inheritance applies - admin.org can access admin.tenant routes */ requireUserRoles(requiredRoles: string[]): ExpressMiddleware; /** * Creates Express permission-based authorization middleware for authenticated users * @llm-rule WHEN: Protecting routes that require specific user permissions * @llm-rule AVOID: Using without requireLoginToken - this assumes user is already authenticated * @llm-rule AVOID: Using with API tokens - API tokens don't have user permissions * @llm-rule NOTE: User needs ALL permissions from the array (AND logic) * @llm-rule NOTE: Permission inheritance applies - manage:tenant can access edit:tenant routes */ requireUserPermissions(requiredPermissions: string[]): ExpressMiddleware; /** * Creates Express API token authentication middleware for external access * @llm-rule WHEN: Protecting API routes for third-party integrations * @llm-rule AVOID: Using for user routes - use requireLoginToken instead * @llm-rule NOTE: Validates API tokens (type: 'api_key') and sets req.token */ requireApiToken(options?: MiddlewareOptions): ExpressMiddleware; /** * Gets default token extractor that checks headers, cookies, and query params * @llm-rule WHEN: Need custom token extraction logic * @llm-rule AVOID: Modifying directly - pass custom getToken to middleware options */ private getDefaultTokenExtractor; } //# sourceMappingURL=auth.d.ts.map