Auth Layer

Token-based authentication and authorization for secure API access.

Quick Start

``typescript
import { checkAccessToken, checkWriteAccessToken, checkAdminAccessToken } from "@schafevormfenster/auth";

// Protect a read endpoint
export async function GET(request: Request) {
const token = request.headers.get('Authorization')?.replace('Bearer ', '');
checkAccessToken(token); // Throws 401 if invalid

const data = await fetchData();
return Response.json(data);
}

// Protect a write endpoint
export async function POST(request: Request) {
const token = request.headers.get('Authorization')?.replace('Bearer ', '');
checkWriteAccessToken(token); // Requires write or admin token

const body = await request.json();
return Response.json(await createData(body), { status: 201 });
}
`

Environment Setup:
`bash


.env


READ_ACCESS_TOKENS=read-token-1,read-token-2
WRITE_ACCESS_TOKENS=write-token-1,write-token-2
ADMIN_ACCESS_TOKENS=admin-token-1
`

Installation

`bash
pnpm add @schafevormfenster/auth
`

$3

For faster development with Vite, use TypeScript sources directly:

`typescript
// vite.config.ts - Requires tsconfig "target": "ES2022"+
export default defineConfig({
resolve: { conditions: ['source', 'import', 'default'] }
});
`

Benefits: Faster HMR, direct debugging, better tree-shaking.

Use Cases

$3

Protect public API endpoints that allow authenticated users to read data:
- Event listings
- User profiles (public data)
- Search endpoints
- Report generation

$3

Secure endpoints that create, update, or delete resources:
- Blog post creation/editing
- User profile updates
- Image uploads
- Comment posting

$3

Restrict sensitive operations to admin users only:
- Schema migrations
- User role management
- System configuration
- Data deletion/purging

$3

Combine different permission levels in a single API:
- GET /api/posts - Read access (list all posts)
- POST /api/posts - Write access (create new post)
- DELETE /api/posts/:id - Admin access (delete any post)

Features

- Hierarchical Permissions: Admin → Write → Read
- Zero Configuration: Works with environment variables
- Type-Safe: Full TypeScript support
- Flexible: Multiple tokens per permission level
- Secure: Never exposes tokens in logs or responses
- Tested: Comprehensive test coverage

API Reference

$3

#### checkAccessToken(token?: string): void

Validates any valid token (read, write, or admin).

- Throws: ApiErrorConstructor(401) if token is missing or invalid

#### checkWriteAccessToken(token?: string): void

Validates write or admin tokens. Read-only tokens are rejected.

- Throws: ApiErrorConstructor(401) if token is invalid
- Throws: ApiErrorConstructor(403) if token lacks write permission

#### checkAdminAccessToken(token?: string): void

Validates admin tokens only. Write and read tokens are rejected.

- Throws: ApiErrorConstructor(401) if token is invalid
- Throws: ApiErrorConstructor(403) if token lacks admin permission

#### getTokenPermissions(token: string): TokenPermissions

Returns permission object for a token.

`typescript
interface TokenPermissions {
read: boolean;
write: boolean;
admin: boolean;
}
`

Domain

Authentication & Authorization.

Purpose

This directory contains logic for verifying access tokens and checking permissions.

Responsibilities

- Token Verification: Validating access tokens.
- Permission Checks: Checking if a token has the required permissions (e.g., admin, write).
- Access Control: Enforcing security policies for API access.

Boundaries

- Usage: Used by the API layer (middleware or route handlers) to secure endpoints.
- No Business Logic: Focuses solely on identity and access, not domain business rules.

Documentation

- CONTRIBUTING.md - Comprehensive guide for developers and AI assistants
- Example Implementation - See apps/web/app/api/auth-examples/` for working examples

License

MIT