@justscale/auth

v0.1.2

Authentication and authorization utilities for JustScale

User + Session models, password hashing, email verification, 2FA (TOTP), password reset, plus ready-made HTTP endpoints for all of it. Ships as two features so you can take the services without the endpoints if you're building your own surface.

Storage-agnostic: the feature declares ModelRepository.of(User) / ModelRepository.of(Session) requirements and the app binds them to whatever adapter it uses (Postgres, in-memory for tests, etc.).

Install

pnpm add @justscale/auth

Peers: @justscale/core, @justscale/http, zod.

Usage

import JustScale, { bindService, bindRepository } from '@justscale/core';
import { ModelRepository } from '@justscale/core/models';
import { PostgresClientService, createPgModel, createPgRepository } from '@justscale/postgres';
import {
  AuthFeature,
  AuthEndpointsFeature,
  User,
  Session,
  AbstractEmailSender,
  ConsoleEmailSender,
} from '@justscale/auth';

const PgUser = createPgModel(User, { table: 'users' });
const PgSession = createPgModel(Session, { table: 'sessions' });
const UserRepository = createPgRepository(PgUser);
const SessionRepository = createPgRepository(PgSession);

const app = JustScale()
  .add(PostgresClientService)
  .add(UserRepository)
  .add(SessionRepository)
  .add(bindRepository(ModelRepository.of(User), UserRepository))
  .add(bindRepository(ModelRepository.of(Session), SessionRepository))
  .add(bindService(AbstractEmailSender, ConsoleEmailSender))
  .add(AuthFeature)
  .add(AuthEndpointsFeature)
  .build();

AuthFeature provides the services. AuthEndpointsFeature adds the REST controllers. Use both if you want the framework's default surface; use only AuthFeature if you're wiring your own controllers around the services.

Endpoints

AuthEndpointsFeature mounts three controllers:

  • AuthController: POST /auth/register, POST /auth/login, POST /auth/logout, GET /auth/me, POST /auth/change-password
  • TwoFactorController: GET /auth/2fa/status, POST /auth/2fa/setup, POST /auth/2fa/verify, DELETE /auth/2fa
  • PasswordController: POST /auth/forgot-password, POST /auth/reset-password

Request and response shapes are exported as zod schemas (RegisterBody, LoginBody, AuthResponse, etc.) — use them to type your client or to drive OpenAPI / RPC generation.

Services (when you skip the endpoints)

  • UserService — register, authenticate, findByEmail, changePassword. Throws UserExistsError / InvalidCredentialsError.
  • SessionService — create/revoke sessions; the auth middleware reads and refreshes them.
  • PasswordService — hash / verify; uses a modern KDF under the hood.
  • TwoFactorService — TOTP setup, verification, disable.
  • NotificationService — wraps AbstractEmailSender for verification + reset emails.
  • AuthSignals — the signal set used by signup / 2FA / password-reset durable processes.

Middleware + guards

import { auth, requireAuth, requireVerifiedEmail } from '@justscale/auth';

Get('/profile')
  .use(auth)                  // attaches `ctx.user` if a session cookie is present
  .guard(requireAuth)         // rejects anonymous requests
  .guard(requireVerifiedEmail)
  .handle(ctx => ctx.res.json({ user: ctx.user }));

auth is lenient: it populates ctx.user when it can. optionalAuth is an alias for it. The guards are the enforcement layer. requireSelf compares a route param reference to ctx.user and rejects mismatches.
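The split between the lenient auth middleware and the enforcing guards, as an added example (a self-contained stand-in model, not @justscale/auth's code). The session map, the 401/403 status values, the id comparison in requireSelf and the route() runner are assumptions made for illustration.

```javascript
// Stand-in model of the pattern described above; NOT the library's implementation.
// Constructed sample sessions: Alice is verified, Bob is not.
const sessions = new Map([
  ['tok-alice', { id: 'u1', email: 'alice@example.test', emailVerifiedAt: new Date('2026-01-01') }],
  ['tok-bob', { id: 'u2', email: 'bob@example.test', emailVerifiedAt: null }],
]);

// Lenient middleware: attaches ctx.user when the cookie maps to a session, never rejects.
const auth = (ctx) => { ctx.user = sessions.get(ctx.cookies.session); };

// Guards return a status code to reject (assumed values), or undefined to allow.
const requireAuth = (ctx) => (ctx.user ? undefined : 401);
const requireVerifiedEmail = (ctx) => (ctx.user?.emailVerifiedAt ? undefined : 403);
const requireSelf = (param) => (ctx) => (ctx.user?.id === ctx.params[param] ? undefined : 403);

// Hypothetical route runner: middleware first, then guards in order, then the handler.
function route({ use = [], guards = [], handle }) {
  return (req) => {
    const ctx = { cookies: {}, params: {}, ...req };
    use.forEach((mw) => mw(ctx));
    for (const guard of guards) {
      const status = guard(ctx);
      if (status) return { status };
    }
    return { status: 200, body: handle(ctx) };
  };
}

const profileOf = (ctx) => ({ profile: ctx.params.id, viewer: ctx.user?.email ?? null });

// Weak: auth alone only populates ctx.user, so anonymous callers reach the handler.
const lenientOnly = route({ use: [auth], handle: profileOf });
// Enforced: guards reject anonymous, unverified and cross-user requests.
const guarded = route({
  use: [auth],
  guards: [requireAuth, requireVerifiedEmail, requireSelf('id')],
  handle: profileOf,
});

// Constructed requests covering each case.
const anonymous = { params: { id: 'u1' } };
const alice = { cookies: { session: 'tok-alice' }, params: { id: 'u1' } };
const aliceReadsBob = { cookies: { session: 'tok-alice' }, params: { id: 'u2' } };
const bobUnverified = { cookies: { session: 'tok-bob' }, params: { id: 'u2' } };

console.log([anonymous, alice, aliceReadsBob, bobUnverified].map((r) => guarded(r).status));
```

A route that calls only `.use(auth)` behaves like `lenientOnly` here, so a review of route definitions should confirm that every non-public route also carries a guard.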

Email sending

AbstractEmailSender is an abstract DI token. Bind a concrete sender (your SMTP wrapper, Postmark, SES client). ConsoleEmailSender is shipped for local development — it prints emails to stdout instead of sending them.

Models

  • User — email + password hash + optional name + emailVerifiedAt + TOTP fields. Register with createPgModel(User, { table: 'users' }) or any other repository binding.
  • Session — rotating session tokens; keyed by the user reference.

Both are defineModel classes, so they integrate with the rest of the JustScale model layer (queries, repositories, references).

Durable processes

Signup (with email verification), password reset, and 2FA setup / verification are implemented as durable processes via @justscale/core/process. They survive restarts — if a user confirms their email an hour after signup, the verification process resumes and completes the signup. The app must provide AbstractProcessExecutor (e.g. via PostgresProcessFeature).

CLI

Installing this package contributes subcommands to just via justscale.modes.cli in package.json. The just binary's assembleCliApp() walks the project's dependencies/devDependencies, imports each dependency's CLI module, and registers any discovered controllers against the user's DI container, so these commands share services and repositories with the rest of the app:

just user add --email [email protected]     # create a user (prompts for password)
just user list                              # list registered users
just session list                           # list active sessions
just session revoke --email [email protected]

See src/cli.ts for the command definitions.
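Because every direct dependency that declares justscale.modes.cli has its CLI module imported and registered against the app's container, it helps to know which installed packages do so. An added audit sketch (not part of this package or the just binary) that lists them; treating the field's value as opaque, the allowlist parameter, and the sample manifests are assumptions.

```javascript
// Added audit sketch. Assumption: a package opts in through a `justscale.modes.cli`
// field in its package.json, as described above; the value is reported, not interpreted.
function auditCliContributors(rootManifest, readManifest, allowlist = []) {
  const prod = rootManifest.dependencies || {};
  const direct = { ...prod, ...(rootManifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(direct).sort()) {
    let manifest;
    try {
      manifest = readManifest(name);
    } catch (err) {
      // A declared dependency we cannot inspect is itself worth reporting.
      findings.push({ name, status: 'unreadable', reason: err.message });
      continue;
    }
    const cli = manifest?.justscale?.modes?.cli;
    if (cli === undefined) continue; // contributes nothing to the CLI
    findings.push({
      name,
      version: manifest.version,
      cli,
      dev: !(name in prod),
      status: allowlist.includes(name) ? 'expected' : 'unreviewed',
    });
  }
  return findings;
}

// Reader for a real project: node_modules/<name>/package.json under projectDir.
const diskReader = (projectDir) => (name) =>
  JSON.parse(require('node:fs').readFileSync(
    require('node:path').join(projectDir, 'node_modules', name, 'package.json'), 'utf8'));

// Constructed sample manifests; names other than @justscale/auth and zod are made up,
// and the versions and cli paths are illustrative values.
const sampleRoot = {
  dependencies: { '@justscale/auth': '^0.1.2', zod: '^3.0.0' },
  devDependencies: { 'example-dev-helper': '^1.0.0', 'missing-pkg': '^1.0.0' },
};
const sampleInstalled = {
  '@justscale/auth': { version: '0.1.2', justscale: { modes: { cli: './dist/cli.js' } } },
  zod: { version: '3.0.0' },
  'example-dev-helper': { version: '1.0.0', justscale: { modes: { cli: './cli.js' } } },
};
const sampleReader = (name) => {
  if (!(name in sampleInstalled)) throw new Error('not installed');
  return sampleInstalled[name];
};
```

Against a checkout, call `auditCliContributors(require('./package.json'), diskReader(process.cwd()), ['@justscale/auth'])` and review anything reported as `unreviewed`.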

Testing

@justscale/auth/testing exports helpers for test apps — mock principals, password hashing without the full KDF cost, and a factory for creating sessions in isolation.

Docs

https://justscale.sh/docs/features/auth