npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@davydko-mtas/express

v0.1.0

Published

Express BFF SDK for MTAS — login, callback, session, requireAuth.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

davydkodavydko

Keywords

mtasauthauthenticationoauth2expressbffjwtsdk

Readme

@davydko-mtas/express

Express BFF SDK for MTAS — drop-in OAuth2-inspired authentication for tenant backends. Handles the full server-side login flow: state-CSRF protection, encrypted-cookie sessions, JWKS-based JWT verification, refresh token rotation, and logout token revocation.

Mounts /login, /callback, /logout, /me, /users on your router. Exposes a requireAuth-style middleware for protecting your own routes.

Install

npm install @davydko-mtas/express cookie-parser

cookie-parser is required at runtime (the SDK reads req.cookies). express ≥ 4 must already be installed.

Quick start

const express = require('express');
const cookieParser = require('cookie-parser');
const { createMtasAuth } = require('@davydko-mtas/express');

const app = express();
app.use(cookieParser());
app.use(express.json());

const { mtasRouter, authMiddleware } = createMtasAuth({
  mtasApiUrl: process.env.MTAS_URL,
  mtasUiUrl: process.env.MTAS_FE_URL,
  mtasAppId: process.env.MTAS_APP_ID,
  mtasSecret: process.env.MTAS_SECRET,
  redirectUri: process.env.MTAS_REDIRECT_URI,
  encryptionPassword: process.env.ENCRYPTION_PASSWORD,
  frontendUrl: process.env.APP_FE_URL,
  secureCookies: process.env.NODE_ENV === 'production',
  routerBasePath: '/auth',
});

app.use('/auth', mtasRouter);

// Your protected routes
app.get('/protected', authMiddleware, (req, res) => {
  res.json(req.user);
});

app.listen(3000);

Routes mounted by mtasRouter

| Method | Path | Protected | Description | | ------ | ----------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- | | GET | /login | no | Sets state CSRF cookie, redirects user to MTAS login page. | | GET | /callback | no | Validates state, exchanges auth code for tokens (server-to-server), seals tokens into encrypted session cookie, redirects to frontendUrl. | | POST | /logout | yes | Revokes refresh token at MTAS, clears session cookie. | | GET | /me | yes | Proxies to MTAS /user-auth/authenticated-user. | | GET | /users | yes | Proxies to MTAS /users (tenant's user list). |

authMiddleware

Attaches authenticated user data to the request:

req.user; // { id, aud, type }  — see MtasUser
req.accessToken; // raw JWT (for forwarding to MTAS)
req.refreshToken; // refresh token (rotates per refresh)

Behavior:

  • Verifies the access token locally using MTAS's JWKS (cached in-process, 10 min TTL).
  • On verify failure (typical: token expired), automatically calls MTAS to refresh — concurrent requests for the same refresh token are deduplicated so MTAS is hit once.
  • On any auth failure throws an HTTP error with .status = 401 (your global error handler should respond accordingly).

How the BFF flow works

  1. Browser → your /auth/login → SDK sets state CSRF cookie, redirects to MTAS UI.
  2. User authenticates on MTAS UI → MTAS redirects to your /auth/callback?auth_code=...&state=....
  3. SDK validates state, exchanges code for tokens server-to-server (HTTP Basic, using your mtasSecret). Tokens never reach the browser.
  4. SDK seals { access_token, refresh_token } into an encrypted cookie (iron-session, AES-256-GCM).
  5. Subsequent requests → authMiddleware unseals the cookie, verifies the JWT locally via cached JWKS, attaches req.user.

Config reference

All fields required. Hover the Config type in your IDE to see per-field descriptions.

| Field | Description | | -------------------- | -------------------------------------------------------------------------------- | | mtasApiUrl | MTAS API base URL. JWKS is derived as ${mtasApiUrl}/.well-known/jwks.json. | | mtasUiUrl | MTAS UI base URL (login page). | | mtasAppId | Your tenant's MTAS App ID. | | mtasSecret | Your tenant's MTAS App secret. Server-side only. | | redirectUri | URL MTAS redirects to after user login. Must be registered in MTAS for your app. | | encryptionPassword | Cookie encryption password. Minimum 32 characters. | | frontendUrl | Where to send the user after successful login. | | secureCookies | true in production; false for local HTTP dev only. | | routerBasePath | Path you'll mount the router at (e.g. '/auth'). Used for login-fail redirects. |

Types

import type { Config, MtasUser } from '@davydko-mtas/express';

Importing the package also augments Express's Request with user, accessToken, and refreshToken (no extra import needed).

Requirements

  • Node.js ≥ 18
  • Express ≥ 4 (peer dependency)
  • cookie-parser mounted before the SDK router

Notes

  • routerBasePath must match the path you mount the SDK at via app.use(...). The SDK uses it to build the login-fail redirect URL.
  • All cookies issued by the SDK are httpOnly + sameSite=lax. The Secure flag follows your secureCookies config.
  • Errors thrown by the SDK have .status (number) and .message (string). Catch them in your global error handler and respond accordingly.

License

MIT