UNPKG

auth-vir

Version:

Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.

github.com/electrovir/auth-vir

electrovir/auth-vir

95 lines (94 loc) 4.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
import { type PartialWithUndefined, type SelectFrom } from '@augment-vir/common'; import { type FullDate, type UtcTimezone } from 'date-vir'; import { type AuthCookie, type CookieParams } from './cookie.js'; import { type CsrfHeaderNameOption } from './csrf-token.js'; import { type ParseJwtParams } from './jwt/jwt.js'; import { type JwtUserData } from './jwt/user-jwt.js'; /** * All possible headers container types supported by {@link extractUserIdFromRequestHeaders}. * * @category Internal */ export type HeaderContainer = Record<string, string[] | undefined | string | number> | Headers; /** * Output from {@link extractUserIdFromRequestHeaders}. * * @category Internal */ export type UserIdResult<UserId extends string | number> = { userId: UserId; jwtExpiration: FullDate<UtcTimezone>; /** When the JWT was issued (`iat` claim). */ jwtIssuedAt: FullDate<UtcTimezone>; cookieName: AuthCookie; /** The CSRF token embedded in the JWT. */ csrfToken: string; /** * Unix timestamp (in milliseconds) when the session was originally started. Used to enforce max * session duration. */ sessionStartedAt: JwtUserData['sessionStartedAt']; }; /** * Extract the user id from a request by checking both the request cookie and CSRF token. This is * used by host (backend) code to help verify a request. After extracting the user id using this, * you should compare it to users stored in your database. * * @category Auth : Host * @returns The extracted user id or `undefined` if no valid auth headers exist. */ export declare function extractUserIdFromRequestHeaders<UserId extends string | number>({ headers, jwtParams, csrfHeaderNameOption, cookieName, cookieNameSuffix, }: Readonly<{ headers: HeaderContainer; jwtParams: Readonly<ParseJwtParams>; csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>; cookieName: AuthCookie; cookieNameSuffix?: string | undefined; }>): Promise<Readonly<UserIdResult<UserId>> | undefined>; /** * Extract a user id from just the cookie, without CSRF token validation. This is _less secure_ than * {@link extractUserIdFromRequestHeaders} as a result. This should only be used in rare * circumstances where you cannot rely on client-side JavaScript to insert the CSRF token. * * @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure. * @category Auth : Host */ export declare function insecureExtractUserIdFromCookieAlone<UserId extends string | number>({ headers, jwtParams, cookieName, cookieNameSuffix, }: Readonly<{ headers: HeaderContainer; jwtParams: Readonly<ParseJwtParams>; cookieName: AuthCookie; cookieNameSuffix?: string | undefined; }>): Promise<Readonly<UserIdResult<UserId>> | undefined>; /** * Used by host (backend) code to set headers on a response object. Sets both the auth JWT cookie * and the CSRF token cookie. The CSRF cookie is not `HttpOnly` so that frontend JavaScript can read * it and inject the value as a request header. * * @category Auth : Host */ export declare function generateSuccessfulLoginHeaders( /** The id from your database of the user you're authenticating. */ userId: string | number, cookieConfig: Readonly<CookieParams>, /** * The timestamp (in seconds) when the session originally started. If not provided, the current * time will be used (for new sessions). */ sessionStartedAt?: number | undefined): Promise<Record<string, string[]>>; /** * Used by host (backend) code to set headers on a response object when the user has logged out or * failed to authorize. * * @category Auth : Host */ export declare function generateLogoutHeaders(cookieConfig: Readonly<SelectFrom<CookieParams, { hostOrigin: true; isDev: true; }>> & PartialWithUndefined<{ cookieNameSuffix: string; }>, options?: Readonly<PartialWithUndefined<{ /** * When `true`, the CSRF cookie is preserved (not cleared). Use this when clearing only * one cookie type (e.g., the auth cookie) while keeping the other active session (e.g., * sign-up) that still needs its CSRF token. */ preserveCsrf: boolean; }>>): Record<string, string[]>;