@owujib/sabi-auth
v0.0.6
Published
Authentication package for the Sabi framework — JWT tokens, password hashing, and route guards
Readme
@owujib/sabi-auth
Authentication package for the Sabi framework — password hashing, JWT access/refresh tokens, and an Express route guard.
Install
npm install @owujib/sabi-authUsage
import { AuthServiceProvider, AUTH_SERVICE, AuthService } from '@owujib/sabi-auth';
const authProvider = new AuthServiceProvider(app, {
secret: process.env.APP_SECRET!, // required, min 32 characters
accessTokenExpiry: '15m', // default
refreshTokenExpiry: '7d', // default
saltRounds: 12, // default
});
authProvider.register();
const authService = app.make<AuthService>(AUTH_SERVICE);
const hash = await authService.hashPassword('secret');
const ok = await authService.verifyPassword('secret', hash);
const tokens = authService.generateTokens({ id: 1, email: '[email protected]' });Protect routes with the guard:
import { authenticate } from '@owujib/sabi-auth';
const guard = authenticate(authService);
Route.group('/users', [guard], () => {
Route.get('/', [UserController, 'index']);
});Config
| Option | Required | Default | Notes |
|-----------------------|----------|--------------------------------|------------------------------------------------------------|
| secret | yes | — | ≥ 32 characters. Used to sign access tokens. |
| refreshSecret | no | HMAC-SHA256 derivation of secret | Set explicitly for full key independence from secret. |
| accessTokenExpiry | no | '15m' | |
| refreshTokenExpiry | no | '7d' | |
| saltRounds | no | 12 | bcrypt cost factor. |
| issuer | no | — | JWT iss claim, set and verified if provided. |
| audience | no | — | JWT aud claim, set and verified if provided. |
| cache | no | disabled | See User caching below. |
User caching
By default, AuthService doesn't cache anything — you decide when to look a user up (e.g. re-fetching from
the DB on every authenticated request). Opting into a cache avoids doing that DB round-trip on every request:
import { AuthServiceProvider, RedisUserCache } from '@owujib/sabi-auth';
const authProvider = new AuthServiceProvider(app, {
secret: process.env.APP_SECRET!,
cache: {
store: new RedisUserCache(process.env.REDIS_URL!),
ttlSeconds: 7200, // default: 2 hours if omitted
},
});Use it in place of a direct DB lookup:
const user = await authService.getCachedUser(authUser.id, () => User.find(authUser.id));load() only runs on a cache miss. With no cache configured, getCachedUser just calls load() every
time — behavior is unchanged if you don't opt in.
Invalidate on any change that makes the cached entry stale — profile updates, password changes, account deletion, logout, etc.:
await authService.invalidateUser(userId);UserCache is an interface (get/set/invalidate), so RedisUserCache can be swapped for another
backing store without changing any calling code.
Notes / limitations
- Tokens are signed JWTs with no server-side revocation store — a leaked refresh token remains valid until it expires.
authenticate()is Express-specific (readsreq.headers.authorization, writesres.status().json()); it does not work with a non-ExpressHttpAdapter.- No password reset, email verification, MFA, or role/permission support is included — these are left to the consuming application.
