@nwire/auth

Identity + authorization contract — User, IdpAdapter, canonical sign-in/out resolvers.

What it does

Defines the User type (with declaration merging for app-specific fields), the IdpAdapter interface every authentication backend implements, the identityPlugin that wires an adapter into the container, and canonical resolvers (SignIn, SignOut, Refresh, Register, Me) so apps don't reinvent the boring parts. The authzMiddleware reads action.policy and a per-request Authorizer to enforce access.

Install

pnpm add @nwire/auth

Quick start

import { defineApp } from "@nwire/forge";
import { identityPlugin, authPlugin } from "@nwire/auth";
import { betterAuthAdapter } from "@nwire/auth-better-auth";

defineApp("my-app", {
  plugins: [
    identityPlugin({ adapter: betterAuthAdapter({ auth }) }),
    authPlugin({
      authorizer: {
        authorize: async ({ action, ctx }) => {
          if (action.policy === "admin" && !ctx.envelope.user?.roles?.includes("admin")) {
            throw new ForbiddenError("admin only");
          }
        },
      },
    }),
  ],
});

API surface

• User — declaration-mergeable identity shape.
• IdpAdapter — interface every auth backend (Logto, better-auth, custom) implements.
• identityPlugin({ adapter }) — registers the adapter; wires HTTP middleware to verify tokens.
• authPlugin({ authorizer }) / authzMiddleware({ authorizer }) — enforces action.policy.
• Canonical resolvers: SignIn, SignOut, Refresh, Register, Me.
• Error types: UnauthorizedError, ForbiddenError.

When to use

Whenever you need real users, sessions, or tenant-scoped authorization.

Within nwire-app

For developers using this package as part of the Nwire stack — register it via app.use(...) or it auto-wires when you compose createApp({ modules }).

import { createApp } from "@nwire/forge";

const app = createApp({
  /* ...config... */
});
// Adapter/plugin wiring happens here when applicable.