feat(auth): add @bytelyst/auth package

- createJwtUtils() factory with configurable issuer and expiry (jose)
- extractAuth() middleware for Fastify request auth extraction
- requireRole() guard with multi-role support
- hashPassword() / verifyPassword() via bcryptjs
- getCurrentUser() helper for Next.js API routes (generic TUser)
- AuthPayload, TokenPayload, JwtUtils types
- NO dependency on @bytelyst/config (reads JWT_SECRET from process.env directly)
- Peer deps: jose >=5.0.0, bcryptjs >=2.4.0

packages/auth/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@bytelyst/auth",
+  "version": "0.1.0",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": ["dist"],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run"
+  },
+  "peerDependencies": {
+    "jose": ">=5.0.0",
+    "bcryptjs": ">=2.4.0"
+  }
+}

packages/auth/src/index.ts

@@ -0,0 +1,10 @@
+export { createJwtUtils } from "./jwt.js";
+export { extractAuth, requireRole } from "./middleware.js";
+export { hashPassword, verifyPassword } from "./password.js";
+export { getCurrentUser } from "./server-auth.js";
+export type {
+  TokenPayload,
+  AuthPayload,
+  JwtUtilsOptions,
+  JwtUtils,
+} from "./types.js";

packages/auth/src/jwt.ts

@@ -0,0 +1,70 @@
+/**
+ * JWT utilities — configurable issuer and expiry.
+ * Uses jose library for standards-compliant JWT handling.
+ */
+
+import { SignJWT, jwtVerify } from "jose";
+import type { JwtUtils, JwtUtilsOptions, TokenPayload } from "./types.js";
+
+function getSecret(): Uint8Array {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) throw new Error("JWT_SECRET must be set");
+  return new TextEncoder().encode(secret);
+}
+
+/**
+ * Create a JWT utility set with the given issuer and expiry configuration.
+ *
+ * @example
+ * ```ts
+ * const jwt = createJwtUtils({ issuer: "lysnrai", accessTokenExpiry: "1h" });
+ * const token = await jwt.createAccessToken({ sub: "u1", email: "a@b.com", role: "admin" });
+ * const payload = await jwt.verifyToken(token);
+ * ```
+ */
+export function createJwtUtils(options: JwtUtilsOptions): JwtUtils {
+  const {
+    issuer,
+    accessTokenExpiry = "1h",
+    refreshTokenExpiry = "30d",
+  } = options;
+
+  return {
+    async createAccessToken(payload) {
+      return new SignJWT({
+        ...payload,
+        productId: payload.productId || issuer,
+        type: "access",
+      })
+        .setProtectedHeader({ alg: "HS256" })
+        .setIssuedAt()
+        .setExpirationTime(accessTokenExpiry)
+        .setIssuer(issuer)
+        .sign(getSecret());
+    },
+
+    async createRefreshToken(payload) {
+      return new SignJWT({
+        sub: payload.sub,
+        productId: payload.productId || issuer,
+        type: "refresh",
+      })
+        .setProtectedHeader({ alg: "HS256" })
+        .setIssuedAt()
+        .setExpirationTime(refreshTokenExpiry)
+        .setIssuer(issuer)
+        .sign(getSecret());
+    },
+
+    async verifyToken(token: string) {
+      try {
+        const { payload } = await jwtVerify(token, getSecret(), {
+          issuer,
+        });
+        return payload as unknown as TokenPayload;
+      } catch {
+        return null;
+      }
+    },
+  };
+}

packages/auth/src/middleware.ts

@@ -0,0 +1,57 @@
+/**
+ * Fastify auth middleware — validates JWT tokens from Authorization headers.
+ */
+
+import { jwtVerify } from "jose";
+import type { AuthPayload } from "./types.js";
+
+function getSecret(): Uint8Array {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) throw new Error("JWT_SECRET must be set");
+  return new TextEncoder().encode(secret);
+}
+
+/**
+ * Extract and verify auth payload from an Authorization header.
+ * Works with any request-like object that has headers.authorization.
+ *
+ * @throws Error with message "Unauthorized" if no valid Bearer token
+ * @throws Error with message "Invalid or expired token" if verification fails
+ */
+export async function extractAuth(req: {
+  headers: { authorization?: string };
+}): Promise<AuthPayload> {
+  const auth = req.headers.authorization;
+  if (!auth?.startsWith("Bearer ")) {
+    throw Object.assign(new Error("Unauthorized"), { statusCode: 401 });
+  }
+  const token = auth.slice(7);
+  try {
+    const { payload } = await jwtVerify(token, getSecret());
+    const p = payload as unknown as AuthPayload;
+    if (p.type !== "access") throw new Error("Not an access token");
+    return p;
+  } catch {
+    throw Object.assign(new Error("Invalid or expired token"), {
+      statusCode: 401,
+    });
+  }
+}
+
+/**
+ * Require specific roles. Extracts auth first, then checks role.
+ *
+ * @throws Error with statusCode 403 if role doesn't match
+ */
+export async function requireRole(
+  req: { headers: { authorization?: string } },
+  ...roles: string[]
+): Promise<AuthPayload> {
+  const payload = await extractAuth(req);
+  if (roles.length > 0 && (!payload.role || !roles.includes(payload.role))) {
+    throw Object.assign(new Error("Insufficient permissions"), {
+      statusCode: 403,
+    });
+  }
+  return payload;
+}

packages/auth/src/password.ts

@@ -0,0 +1,18 @@
+/**
+ * Password hashing utilities using bcryptjs.
+ */
+
+import bcrypt from "bcryptjs";
+
+const SALT_ROUNDS = 12;
+
+export async function hashPassword(plain: string): Promise<string> {
+  return bcrypt.hash(plain, SALT_ROUNDS);
+}
+
+export async function verifyPassword(
+  plain: string,
+  hash: string,
+): Promise<boolean> {
+  return bcrypt.compare(plain, hash);
+}

packages/auth/src/server-auth.ts

@@ -0,0 +1,26 @@
+/**
+ * Server-side auth helpers for Next.js API routes.
+ */
+
+import type { TokenPayload } from "./types.js";
+
+/**
+ * Get the current user from an Authorization header value.
+ * Pairs with a verifyToken function and a getUserById function.
+ *
+ * @param authHeader - The Authorization header value (e.g., "Bearer xxx")
+ * @param verifyToken - Function to verify the JWT and return a payload
+ * @param getUserById - Function to look up the user by their ID
+ * @returns The user object or null if auth fails
+ */
+export async function getCurrentUser<TUser>(
+  authHeader: string | null,
+  verifyToken: (token: string) => Promise<TokenPayload | null>,
+  getUserById: (id: string) => Promise<TUser | null>,
+): Promise<TUser | null> {
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token);
+  if (!payload || payload.type !== "access") return null;
+  return getUserById(payload.sub);
+}

packages/auth/src/types.ts

@@ -0,0 +1,33 @@
+export interface TokenPayload {
+  sub: string;
+  email?: string;
+  role?: string;
+  productId?: string;
+  type?: "access" | "refresh";
+  [key: string]: unknown;
+}
+
+export interface AuthPayload {
+  sub: string;
+  email?: string;
+  role?: string;
+  productId?: string;
+  type?: string;
+}
+
+export interface JwtUtilsOptions {
+  issuer: string;
+  accessTokenExpiry?: string;
+  refreshTokenExpiry?: string;
+}
+
+export interface JwtUtils {
+  createAccessToken(payload: {
+    sub: string;
+    email: string;
+    role: string;
+    productId?: string;
+  }): Promise<string>;
+  createRefreshToken(payload: { sub: string; productId?: string }): Promise<string>;
+  verifyToken(token: string): Promise<TokenPayload | null>;
+}

packages/auth/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"],
+  "exclude": ["src/**/*.test.ts"]
+}