UNPKG

auth-vir

Version:

Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.

github.com/electrovir/auth-vir

electrovir/auth-vir

136 lines (135 loc) 4.95 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
import { type PartialWithUndefined, type SelectFrom } from '@augment-vir/common'; import { type AnyDuration } from 'date-vir'; import { type Primitive } from 'type-fest'; import { type CreateJwtParams, type ParseJwtParams, type ParsedJwt } from './jwt/jwt.js'; import { type JwtUserData } from './jwt/user-jwt.js'; /** * Cookie header names supported by default. * * @category Internal */ export declare enum AuthCookie { /** Used for a full user login auth. */ Auth = "auth", /** Use for a temporary "just signed up" auth. */ SignUp = "sign-up", /** Used for storing the CSRF token. Not `HttpOnly` so that frontend JS can read it. */ Csrf = "auth-vir-csrf" } /** * Resolves a cookie name by appending a suffix when provided. When `cookieNameSuffix` is * `undefined`, the base name is returned unchanged. * * @category Internal */ export declare function resolveCookieName(baseCookieName: AuthCookie, cookieNameSuffix?: string | undefined): string; /** * Parameters for {@link generateAuthCookie}. * * @category Internal */ export type CookieParams = { /** * The origin of the host (backend) service that cookies will be included in all requests to. * This should be restricted to just your host (backend) origin for security purposes. * * @example 'https://www.example.com' */ hostOrigin: string; /** * The max duration of this cookie. Or, in other words, the max user session duration before * they're logged out. */ cookieDuration: AnyDuration; /** * All JWT parameters required for generating the encrypted JWT that will be embedded in the * Cookie. Note that all JWT keys contained herein should never shared with any frontend, * client, etc. */ jwtParams: Readonly<CreateJwtParams>; } & PartialWithUndefined<{ /** * Which auth cookie name to use. * * @default AuthCookie.Auth */ authCookie: AuthCookie; /** * Is set to `true` (which should only be done in development environments), the cookie will be * allowed in insecure requests (non HTTPS requests). * * @default false */ isDev: boolean; /** * Optional suffix appended to cookie names (e.g., `'staging'` produces `auth-staging`). When * `undefined`, cookie names are unchanged. Useful for running multiple environments on the same * domain without cookie collisions. */ cookieNameSuffix: string; }>; /** * Generate a secure cookie that stores the user JWT data. Used in host (backend) code. * * @category Internal */ export declare function generateAuthCookie(userJwtData: Readonly<JwtUserData>, cookieConfig: Readonly<CookieParams>): Promise<string>; /** * Generate a CSRF token cookie. This cookie is intentionally not `HttpOnly` so that frontend * JavaScript can read it and inject the value as a request header for double-submit verification. * * The CSRF cookie uses a fixed 400-day MAX-AGE rather than matching the auth cookie duration. 400 * days is the cross-browser safe maximum (Chrome caps cookie lifetimes at 400 days; other browsers * accept it as-is). The CSRF token is only meaningful when paired with a valid JWT, so it doesn't * need its own expiration management. It gets regenerated on every fresh login. * * @category Internal */ export declare function generateCsrfCookie(csrfToken: string, cookieConfig: Readonly<SelectFrom<CookieParams, { hostOrigin: true; isDev: true; }>> & PartialWithUndefined<{ cookieNameSuffix: string; }>): string; /** * Generate a cookie value that will clear the previous auth cookie. Use this when signing out. * * @category Internal */ export declare function clearAuthCookie(cookieConfig: Readonly<SelectFrom<CookieParams, { hostOrigin: true; isDev: true; }>> & PartialWithUndefined<{ authCookie: AuthCookie; cookieNameSuffix: string; }>): string; /** * Generate a cookie value that will clear the CSRF token cookie. Use this when signing out. * * @category Internal */ export declare function clearCsrfCookie(cookieConfig: Readonly<SelectFrom<CookieParams, { hostOrigin: true; isDev: true; }>> & PartialWithUndefined<{ cookieNameSuffix: string; }>): string; /** * Generate a cookie string from a raw set of parameters. * * @category Internal */ export declare function generateCookie(params: Readonly<Record<string, Exclude<Primitive, symbol>>>): string; /** * Extract an auth cookie from a cookie string. Used in host (backend) code. * * @category Internal * @returns The extracted auth Cookie JWT data or `undefined` if no valid auth JWT data was found. */ export declare function extractCookieJwt({ rawCookie, jwtParams, cookieName, cookieNameSuffix, }: { rawCookie: string; jwtParams: Readonly<ParseJwtParams>; cookieName: AuthCookie; } & PartialWithUndefined<{ cookieNameSuffix: string; }>): Promise<undefined | ParsedJwt<JwtUserData>>;