@gtcx/auth

Authorization middleware, policy enforcement, token management, and MFA for GTCX services.

Installation

pnpm add @gtcx/auth

API

createPolicyEnforcementPoint(rules)

Evaluates authorization requests against a set of policy rules and conditions.

import { createPolicyEnforcementPoint } from '@gtcx/auth';

const pep = createPolicyEnforcementPoint([
  { resource: 'asset:*', action: 'read', effect: 'allow', conditions: [] },
]);

const decision = pep.evaluate({
  identity: { did: 'did:gtcx:org_acme', roles: ['trader'] },
  resource: 'asset:gold-001',
  action: 'read',
});

createHmacTokenIssuer(secret) / createHmacTokenValidator(secret)

Issue and validate HMAC-signed bearer tokens.

import { createHmacTokenIssuer, createHmacTokenValidator } from '@gtcx/auth';

const issuer = createHmacTokenIssuer(secret);
const token = await issuer.issue({ sub: 'did:gtcx:org_acme', exp: ttl });

const validator = createHmacTokenValidator(secret);
const claims = await validator.validate(token);

createApiKeyManager(store)

Manages API key lifecycle -- creation, validation, rotation, and revocation.

createAccountLockoutManager(config)

Progressive account lockout after repeated authentication failures.

createAuthMiddleware(config)

Composable middleware combining token validation, API key checks, and policy enforcement.

InMemoryMfaProvider

Multi-factor authentication provider supporting TOTP-style challenge/response flows.

Testing

pnpm vitest run packages/auth/

License

BSL 1.1 -- converts to Apache 2.0 on January 1, 2030.