UNPKG

@waelhabbaldev/next-jwt-auth

Version:

A secure, lightweight JWT authentication solution for Next.js, providing access and refresh token handling, middleware support, and easy React integration.

github.com/waelhabbalDev/next-jwt-auth

waelhabbalDev/next-jwt-auth

149 lines (146 loc) 4.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
interface UserIdentity { identifier: string; roles: string[]; version: number; isForbidden: boolean; hasMFA?: boolean; } type PublicUserIdentity<T extends UserIdentity> = Omit<T, "version" | "isForbidden">; type AuthSession<T extends UserIdentity> = { identity: PublicUserIdentity<T>; } | null; /** * Represents the secret used for signing and verifying JWTs. * Removed `KeyObject` from the public type to ensure Edge Runtime compatibility. * Users should pass PEM-encoded strings for asymmetric keys. */ type JWTSecret = string | { key: string; kid?: string; } | { key: string; kid?: string; }[]; type RefreshTokenPayload = { identifier: string; version: number; jti: string; iat?: number; }; interface TokenPair { accessToken: string; refreshToken: string; } interface UserIdentityDAL<T extends UserIdentity> { fetchIdentityByCredentials: (signInIdentifier: string, secret: string) => Promise<T | null>; fetchIdentityForSession: (identifier: string) => Promise<T | null>; invalidateAllSessionsForIdentity: (identifier: string) => Promise<void>; isTokenJtiUsed: (jti: string) => Promise<boolean>; markTokenJtiAsUsed: (jti: string, expirationInSeconds: number) => Promise<void>; verifyMFA?: (identifier: string, code: string) => Promise<boolean>; } interface CookieOptions { name: string; value: string; maxAge?: number; expires?: Date; httpOnly?: boolean; secure?: boolean; domain?: string; path?: string; sameSite?: "strict" | "lax" | "none"; } interface AuthCookieConfig extends Partial<CookieOptions> { name: string; value: string; maxAge?: number; } interface AuthConfig<T extends UserIdentity> { dal: UserIdentityDAL<T>; secrets: { accessTokenSecret: JWTSecret; refreshTokenSecret: JWTSecret; }; cookies: { access: { name: string; maxAge: number; }; refresh: { name: string; maxAge: number; }; }; baseUrl: string; redirects: { unauthenticated: string; unauthorized: string; forbidden: string; }; jwt?: { issuer?: string; audience?: string; alg?: "HS256" | "RS256"; }; debug?: boolean; refreshTokenRotationIntervalSeconds?: number; rateLimit?: (signInIdentifier: string) => Promise<boolean>; logger?: (level: "info" | "warn" | "error", message: string, ...args: any[]) => void; errorMessages?: Partial<Record<"InvalidCredentialsError" | "IdentityForbiddenError" | "NotAuthenticatedError" | "ForbiddenError" | "RateLimitError" | "CsrfError", string>>; providers?: Record<string, (authCode: string) => Promise<{ signInIdentifier: string; secret?: string; }>>; csrfEnabled?: boolean; } /** * Protection options are now context-aware for advanced authorization. * The `authorize` function now receives a single object with both `identity` and `context`. */ interface ProtectionOptions<T extends UserIdentity, C = unknown> { unauthenticatedRedirect?: string; unauthorizedRedirect?: string; forbiddenRedirect?: string; redirectParams?: Record<string, string>; authorize?: (params: { identity: PublicUserIdentity<T>; context: C; }) => Promise<boolean> | boolean; context: C; } /** * Action protection options are also now context-aware. */ interface ActionProtectionOptions<T extends UserIdentity, C = unknown> { authorize?: (params: { identity: PublicUserIdentity<T>; context: C; }) => Promise<boolean> | boolean; context: C; } /** * @module @waelhabbaldev/next-jwt-auth/errors * This module exports custom error classes used throughout the authentication package. */ declare class AuthError extends Error { constructor(message: string); } declare class InvalidCredentialsError extends AuthError { constructor(message?: string); } declare class IdentityForbiddenError extends AuthError { constructor(message?: string); } declare class NotAuthenticatedError extends AuthError { constructor(message?: string); } declare class ForbiddenError extends AuthError { constructor(message?: string); } declare class RateLimitError extends AuthError { constructor(message?: string); } declare class CsrfError extends AuthError { constructor(message?: string); } export { type AuthConfig as A, type CookieOptions as C, ForbiddenError as F, InvalidCredentialsError as I, type JWTSecret as J, NotAuthenticatedError as N, type PublicUserIdentity as P, type RefreshTokenPayload as R, type TokenPair as T, type UserIdentity as U, type AuthSession as a, type ProtectionOptions as b, type ActionProtectionOptions as c, type UserIdentityDAL as d, type AuthCookieConfig as e, AuthError as f, IdentityForbiddenError as g, RateLimitError as h, CsrfError as i };