npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@1moby/just-auth

v0.1.2

Published

Lightweight zero-dependency edge-native auth library for React

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

mynameisanumynameisanu

Keywords

authauthenticationoauthreactsessionedgecloudflareworkersd1sqlitepostgresmysqlrbaczero-dependency

Readme

@1moby/just-auth

Lightweight, zero-dependency, edge-native auth library for React.

OAuth 2.0 + PKCE, email/password, session management, RBAC, route-level middleware — all built on Web Crypto API and raw SQL. Works with Cloudflare Workers, Bun, Deno, Next.js, and any runtime that supports standard Request/Response.

Features

  • Zero dependencies — only React as a peer dep
  • OAuth 2.0 + PKCE — built-in providers for Google, GitHub, LINE
  • Email/password auth — PBKDF2-SHA256 (600k iterations), timing-safe comparison
  • Account linking — multiple providers share one user account via email matching
  • Session management — sliding window (30-day sessions, auto-extend at 15 days), SHA-256 hashed tokens
  • RBAC — optional role-based access control with code-defined permissions
  • Email/domain restrictionallowedEmails config to restrict by domain or custom function
  • Route permission middlewarecreateAuthMiddleware for path-based permission gating
  • Database adapters — D1, bun:sqlite, pg, mysql2, Bun.sql — bring your own driver
  • Table prefixtablePrefix: "myapp_" for shared databases
  • Non-destructive migrations — validates existing schema, never ALTER or DROP
  • Security hardened — open redirect protection, password length limits, POST-only logout
  • Edge-native — standard Request/Response, no Node.js-specific APIs

Install

bun add @1moby/just-auth
# or
npm install @1moby/just-auth

Quick Start

1. Choose a Database Adapter

// Cloudflare D1
import { createD1Adapter } from "@1moby/just-auth/adapters/d1";
const db = createD1Adapter(env.DB);

// bun:sqlite
import { createBunSQLiteAdapter } from "@1moby/just-auth/adapters/bun-sqlite";
const db = createBunSQLiteAdapter(new Database("auth.db"));

// PostgreSQL (pg)
import { createPgAdapter } from "@1moby/just-auth/adapters/pg";
const db = createPgAdapter(new Pool({ connectionString: env.DATABASE_URL }));

// MySQL (mysql2)
import { createMySQLAdapter } from "@1moby/just-auth/adapters/mysql";
const db = createMySQLAdapter(pool);

// Bun.sql (Postgres or MySQL)
import { createBunSQLAdapter } from "@1moby/just-auth/adapters/bun-sql";
const db = createBunSQLAdapter(Bun.sql);
const db = createBunSQLAdapter(Bun.sql, { dialect: "mysql" });

Only the adapter you import gets bundled. Drivers are peer dependencies — install what you need.

2. Run Migrations

import { migrate } from "@1moby/just-auth";

await migrate(db);
// With table prefix:
await migrate(db, { tablePrefix: "myapp_" });

Migrations are non-destructive: creates tables if missing, validates existing schema, never alters or drops existing tables.

3. Server Setup

import {
  createReactAuth,
  createGoogleProvider,
  createGitHubProvider,
} from "@1moby/just-auth";

const auth = createReactAuth({
  providers: [
    createGoogleProvider({
      clientId: env.GOOGLE_CLIENT_ID,
      clientSecret: env.GOOGLE_CLIENT_SECRET,
      redirectURI: "https://example.com/api/auth/callback/google",
    }),
    createGitHubProvider({
      clientId: env.GITHUB_CLIENT_ID,
      clientSecret: env.GITHUB_CLIENT_SECRET,
      redirectURI: "https://example.com/api/auth/callback/github",
    }),
  ],
  database: db,
  credentials: true,
  oauthAutoCreateAccount: true,
  allowDangerousEmailAccountLinking: true,
});

// Handle auth routes
const response = await auth.handleRequest(request);
if (response) return response;

4. Protect Server Routes

const session = await auth.auth(request);
if (!session) {
  return new Response("Unauthorized", { status: 401 });
}
// session.user = { id, email, name, avatarUrl, role }

5. React Client

import { SessionProvider, useSession, signIn, signOut } from "@1moby/just-auth/client";

function App() {
  return (
    <SessionProvider>
      <Profile />
    </SessionProvider>
  );
}

function Profile() {
  const { data, status } = useSession();

  if (status === "loading") return <p>Loading...</p>;
  if (status === "unauthenticated") return <button onClick={() => signIn("google")}>Sign In</button>;

  return (
    <div>
      <p>Hello, {data.user.name}</p>
      <button onClick={() => signOut()}>Sign Out</button>
    </div>
  );
}

6. Email/Password

import { signIn, signUp } from "@1moby/just-auth/client";

// Register
const res = await signUp({ email: "[email protected]", password: "secret123" });

// Login
const res = await signIn("credentials", { email: "[email protected]", password: "secret123" });

Configuration

createReactAuth({
  providers: [...],
  database: db,

  // Auth options
  basePath: "/api/auth",               // default: "/api/auth"
  credentials: true,                   // enable email/password auth
  allowRegistration: true,             // allow self-registration (default: true when credentials enabled)
  oauthAutoCreateAccount: true,        // auto-create users on OAuth login (default: false)
  allowDangerousEmailAccountLinking: true,  // link accounts by email match
  passwordMinLength: 8,               // default: 8, max: 128

  // Email restriction
  allowedEmails: ["@1moby.com"],       // domain allowlist
  // or: allowedEmails: (email) => email.endsWith("@1moby.com"),

  // Table prefix for shared databases
  tablePrefix: "myapp_",              // → myapp_users, myapp_accounts, myapp_sessions

  // Cookie options
  cookie: {
    name: "auth_session",             // default: "auth_session"
    secure: true,                     // default: true
    sameSite: "lax",                  // default: "lax"
    domain: ".example.com",           // for subdomain sharing
    path: "/",                        // default: "/"
  },

  // Session options
  session: {
    maxAge: 30 * 86400,               // 30 days (seconds)
    refreshThreshold: 15 * 86400,     // extend when < 15 days remaining
  },

  // RBAC (see full RBAC section below)
  rbac: {
    statements: {
      post: ["create", "read", "update", "delete"],
      user: ["list", "ban", "set-role"],
    },
    roles: {
      user: { post: ["read"] },
      admin: "*",  // wildcard = all permissions
    },
    defaultRole: "user",
  },
});

RBAC

Supports multi-role per user, role inheritance, and deny rules — all backward-compatible with single-role setups.

Basic (single role)

rbac: {
  statements: {
    post: ["create", "read", "update", "delete"],
    user: ["list", "ban", "set-role"],
  },
  roles: {
    viewer: { post: ["read"] },
    admin: "*",  // all permissions
  },
  defaultRole: "viewer",
}

Multi-role

Multiple roles stored as comma-separated string in the same role column ("user,editor"):

// Assign multiple roles
POST /api/auth/role
{ userId: "u1", roles: ["user", "editor"] }

// Add a role incrementally
{ userId: "u1", addRole: "editor" }

// Remove a role
{ userId: "u1", removeRole: "admin" }

Role Inheritance

roles: {
  viewer: { post: ["read"] },
  editor: {
    allow: { post: ["create", "read", "update"] },
    inherits: ["viewer"],  // gets all viewer permissions
  },
  moderator: {
    allow: { user: ["list", "ban"] },
    inherits: ["editor"],  // editor → viewer chain
  },
}

Deny Rules (deny always wins)

roles: {
  moderator: {
    allow: { user: ["list", "ban", "set-role"] },
    deny: { user: ["set-role"] },  // can ban but can't change roles
  },
  admin: {
    allow: "*",
    deny: { billing: ["manage"] },  // can view but not manage billing
  },
  superadmin: "*",  // unrestricted
}

Server API

const canEdit = await auth.hasPermission(request, "post:update");
const isAdmin = await auth.hasRole(request, "admin");     // multi-role aware
const roles = await auth.getRoles(request);                // ["user", "editor"]

Client API

import { usePermission, useRole } from "@1moby/just-auth/client";

const canEdit = usePermission("post:update");
const isAdmin = useRole("admin");  // works with "user,admin" multi-role

Route Permission Middleware

import { createAuthMiddleware } from "@1moby/just-auth/middleware";

const { handle } = createAuthMiddleware(auth, {
  publicPaths: ["/login", "/public/*"],
  loginRedirect: "/login",
  routePermissions: {
    "/admin/*": "admin:access",
    "/api/admin/*": "admin:access",
  },
  onForbidden: (req) => new Response("Forbidden", { status: 403 }),
});

// In your server:
const blocked = await handle(request);
if (blocked) return blocked;
// ...proceed with normal routing

Auto-skips static files (.js, .css, .png, etc.). Supports exact paths and glob patterns.

Auth Routes

Default basePath: "/api/auth":

| Route | Method | Description | |-------|--------|-------------| | /api/auth/login/:provider | GET | Redirect to OAuth provider | | /api/auth/callback/:provider | GET | Handle OAuth callback, create session | | /api/auth/register | POST | Register with email/password | | /api/auth/callback/credentials | POST | Login with email/password | | /api/auth/session | GET | Return session JSON + linked accounts + permissions | | /api/auth/role | POST | Set user role (requires user:set-role permission) | | /api/auth/logout | POST | Invalidate session, return { ok: true } |

Database Adapters

Bring your own driver — only the adapter you import gets bundled:

import { createD1Adapter } from "@1moby/just-auth/adapters/d1";
import { createBunSQLiteAdapter } from "@1moby/just-auth/adapters/bun-sqlite";
import { createPgAdapter } from "@1moby/just-auth/adapters/pg";
import { createMySQLAdapter } from "@1moby/just-auth/adapters/mysql";
import { createBunSQLAdapter } from "@1moby/just-auth/adapters/bun-sql";

The Pg and Bun.sql adapters auto-translate ? placeholders to $1, $2, .... Schema uses portable types (VARCHAR(255), BIGINT, TEXT) that work across SQLite, Postgres, and MySQL.

You can also implement the DatabaseAdapter interface directly for any custom driver.

Exports

// Main
import { createReactAuth, migrate } from "@1moby/just-auth";
import { createGoogleProvider, createGitHubProvider, createLineProvider } from "@1moby/just-auth";
import { hashPassword, verifyPassword, resolvePermissions, parseRoles } from "@1moby/just-auth";
import { createQueries, resolveTableNames } from "@1moby/just-auth";

// Client
import { SessionProvider, useSession, signIn, signUp, signOut } from "@1moby/just-auth/client";
import { usePermission, useRole } from "@1moby/just-auth/client";

// Middleware
import { createAuthMiddleware } from "@1moby/just-auth/middleware";

// Database Adapters
import { createD1Adapter } from "@1moby/just-auth/adapters/d1";
import { createBunSQLiteAdapter } from "@1moby/just-auth/adapters/bun-sqlite";
import { createPgAdapter } from "@1moby/just-auth/adapters/pg";
import { createMySQLAdapter } from "@1moby/just-auth/adapters/mysql";
import { createBunSQLAdapter } from "@1moby/just-auth/adapters/bun-sql";

// Types
import type {
  AuthConfig, AuthInstance, User, Session, Account,
  DatabaseAdapter, OAuthProvider, SessionManager,
  RbacConfig, RoleDefinition, SessionContextValue, SessionStatus,
  Queries, TableNames, MigrateOptions,
} from "@1moby/just-auth";

Testing

bun test  # 285 tests across 17 files

License

MIT