naystack/dist/auth/email/index.esm.js

A stack built with tight Next + Drizzle + GraphQL

// src/auth/email/utils.ts
import { verify as verify2 } from "jsonwebtoken";

// src/auth/email/token.ts
import { compare } from "bcryptjs";
import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
import { NextResponse } from "next/server";
function generateAccessToken(id, signingKey) {
  return sign({ id }, signingKey, {
    expiresIn: "2h"
  });
}
function generateRefreshToken(id, refreshKey) {
  return sign({ id }, refreshKey);
}
function getTokenizedResponse(accessToken, refreshToken) {
  const body = { accessToken, refreshToken };
  const response = NextResponse.json(body, {
    status: 200
  });
  if (!accessToken) {
    response.cookies.set("refresh", "", {
      secure: false,
      httpOnly: true,
      expires: 0
    });
  }
  if (refreshToken !== void 0) {
    response.cookies.set("refresh", refreshToken, {
      secure: false,
      httpOnly: true,
      expires: refreshToken === "" ? 0 : new Date(Date.now() + 60 * 60 * 24 * 365 * 1e3)
    });
  }
  return response;
}
function getUserIdFromRefreshToken(refreshKey, refreshToken) {
  if (refreshToken)
    try {
      const decoded = verify(refreshToken, refreshKey);
      if (typeof decoded !== "string" && typeof decoded.id === "number")
        return decoded.id;
    } catch (e) {
      if (!(e instanceof JsonWebTokenError)) console.error(e, "errors");
      return null;
    }
  return null;
}
function verifyUser(user, password) {
  if (!user.password) return false;
  return compare(password, user.password);
}

// src/auth/utils/errors.ts
import { NextResponse as NextResponse2 } from "next/server";
function handleError(status, message, onError) {
  const res = onError?.({ status, message });
  if (res) return res;
  return new NextResponse2(message, { status });
}

// src/auth/email/utils.ts
async function massageRequest(req, options) {
  const data = await req.json();
  if (!data.email || !data.password)
    return {
      error: handleError(400, "Missing email or password", options.onError)
    };
  if (options.turnstileKey) {
    if (!data.captchaToken)
      return { error: handleError(400, "Missing captcha", options.onError) };
    if (!await verifyCaptcha(data.captchaToken, options.turnstileKey))
      return {
        error: handleError(400, "Invalid captcha", options.onError)
      };
  }
  return {
    data: {
      email: data.email,
      password: data.password,
      ...data
    }
  };
}
async function verifyCaptcha(token, secret) {
  const res = await fetch(
    "https://challenges.cloudflare.com/turnstile/v0/siteverify",
    {
      method: "POST",
      headers: {
        "Content-Type": "application/json"
      },
      body: JSON.stringify({
        secret,
        response: token
      })
    }
  );
  if (res.ok) {
    const data = await res.json();
    return data.success;
  }
  return false;
}
var getUserContext = (refreshKey, signingKey, req) => {
  const bearer = req.headers.get("authorization");
  if (!bearer) {
    const refresh = req.cookies.get("refresh")?.value;
    const userId = getUserIdFromRefreshToken(refreshKey, refresh);
    if (userId) return { refreshUserID: userId };
    return null;
  }
  const token = bearer.slice(7);
  try {
    const res = verify2(token, signingKey);
    if (typeof res === "string") {
      return null;
    }
    return {
      accessUserId: res.id
    };
  } catch {
  }
  return null;
};

// src/auth/email/routes/delete.ts
var getDeleteRoute = () => () => getTokenizedResponse(void 0, "");

// src/auth/email/routes/get.ts
var getGetRoute = (options) => (req) => {
  const refresh = req.cookies.get("refresh")?.value;
  const userID = getUserIdFromRefreshToken(options.refreshKey, refresh);
  if (userID)
    return getTokenizedResponse(
      generateAccessToken(userID, options.signingKey)
    );
  return getTokenizedResponse();
};

// src/auth/email/routes/post.ts
import { hash } from "bcryptjs";
var getPostRoute = (options) => async (req) => {
  const { data, error } = await massageRequest(req, options);
  if (error || !data) return error;
  const existingUser = await options.getUser(data.email);
  if (existingUser) {
    if (await verifyUser(existingUser, data.password)) {
      return getTokenizedResponse(
        generateAccessToken(existingUser.id, options.signingKey),
        generateRefreshToken(existingUser.id, options.refreshKey)
      );
    }
    return handleError(400, "A user already exists", options.onError);
  }
  const encryptedPassword = await hash(data.password, 10);
  const newUser = await options.createUser({
    ...data,
    password: encryptedPassword
  });
  if (newUser) {
    options.onSignUp?.(newUser);
    return getTokenizedResponse(
      generateAccessToken(newUser.id, options.signingKey),
      generateRefreshToken(newUser.id, options.refreshKey)
    );
  }
  return getTokenizedResponse();
};

// src/auth/email/routes/put.ts
var getPutRoute = (options) => async (req) => {
  const { data, error } = await massageRequest(req, options);
  if (error || !data) return error;
  const user = await options.getUser(data.email);
  if (!user)
    return handleError(400, "A user does not exist", options.onError);
  if (await verifyUser(user, data.password)) {
    return getTokenizedResponse(
      generateAccessToken(user.id, options.signingKey),
      generateRefreshToken(user.id, options.refreshKey)
    );
  }
  return handleError(403, "Invalid password", options.onError);
};

// src/auth/email/index.ts
function getEmailAuthRoutes(options) {
  return {
    GET: getGetRoute(options),
    POST: getPostRoute(options),
    PUT: getPutRoute(options),
    DELETE: getDeleteRoute(),
    getUserIdFromRequest: (req) => getUserContext(options.refreshKey, options.signingKey, req)
  };
}
export {
  getEmailAuthRoutes
};