@authdog/fastify
v0.3.1
Published
Authdog Fastify SDK
Downloads
295
Readme
@authdog/fastify
Authdog SDK for Fastify.
A tiny, high-performance plugin that validates Authdog sessions on every
request and gives you an idiomatic request.authdog context plus a
requireAuth guard — built on @authdog/node-commons.
- 🔌 Drop-in plugin —
app.register(authdogPlugin, { publicKey }). - 🔐 Secure by default — public key (and its identity host) validated once at registration; tokens only trusted after the identity host confirms them.
- 🧱 No assumptions — parses cookies itself;
@fastify/cookienot required. - 🟦 Typed —
request.authdogandapp.authdogare fully typed via module augmentation.
Install
bun add @authdog/fastify fastifySet your Authdog public key (safe to expose):
AUTHDOG_PK=pk_xxxxxxxxxxxxxxxxUsage
import Fastify from "fastify";
import { authdogPlugin } from "@authdog/fastify";
const app = Fastify();
await app.register(authdogPlugin, {
publicKey: process.env.AUTHDOG_PK!,
});
// Every request now carries `request.authdog` ({ token, user, isAuthenticated }).
app.get("/", async (request) => {
return request.authdog?.isAuthenticated
? `Hello ${JSON.stringify(request.authdog.user)}`
: "Not signed in";
});
// Protect a route with the built-in guard (the real enforcement point).
app.get(
"/me",
{ preHandler: app.authdog.requireAuth },
async (request) => request.authdog!.user,
);
// Logout: clears the session cookie and redirects to a sanitized ?redirect_uri.
app.get("/logout", (request, reply) => app.authdog.logout(request, reply));
await app.listen({ port: 3000 });Token resolution
On each request the plugin looks for a token in this order:
- The
authdog-sessioncookie. - An
Authorization: Bearer <token>header.
If a token is found it is verified against the identity host's userinfo
endpoint and, on success, request.authdog.isAuthenticated becomes true and
request.authdog.user is populated. A missing or invalid token never throws —
it simply yields an unauthenticated context.
Options
| Option | Type | Default | Description |
| --------------- | --------- | ------- | --------------------------------------------------------------------------- |
| publicKey | string | — | Authdog public key (pk_…). Required. |
| secretKey | string | — | Reserved for future server-side session revocation. Currently unused. |
| fetchUserInfo | boolean | true | When false, skips the per-request userinfo call (token is not verified). |
⚠️
request.authdogis informational. Always gate protected routes withapp.authdog.requireAuth(or your own check onisAuthenticated).
License
MIT
