fix(fastify-auth): support getter functions for jwtSecret/jwksUrl

Allows dynamic config resolution (e.g. test mocks that change config between calls).
Options can now be string | (() => string) for both jwtSecret and jwksUrl.

packages/fastify-auth/src/auth.ts

@@ -14,8 +14,16 @@ export function createAuthMiddleware(opts: FastifyAuthOptions) {
   let jwks: ReturnType<typeof createRemoteJWKSet> | null = null;
   let cachedJwksUrl: string | undefined;
 
+  function resolveJwksUrl(): string | undefined {
+    return typeof opts.jwksUrl === 'function' ? opts.jwksUrl() : opts.jwksUrl;
+  }
+
+  function resolveJwtSecret(): string {
+    return typeof opts.jwtSecret === 'function' ? opts.jwtSecret() : opts.jwtSecret;
+  }
+
   function getJWKS(): ReturnType<typeof createRemoteJWKSet> | null {
-    const url = opts.jwksUrl;
+    const url = resolveJwksUrl();
     if (!url) return null;
     if (jwks && cachedJwksUrl === url) return jwks;
     jwks = createRemoteJWKSet(new URL(url));
@@ -24,7 +32,7 @@ export function createAuthMiddleware(opts: FastifyAuthOptions) {
   }
 
   function getHmacSecret(): Uint8Array {
-    return new TextEncoder().encode(opts.jwtSecret);
+    return new TextEncoder().encode(resolveJwtSecret());
   }
 
   /**

packages/fastify-auth/src/types.ts

@@ -24,10 +24,10 @@ export interface JwtPayload {
 
 /** Options for creating the auth middleware. */
 export interface FastifyAuthOptions {
-  /** HS256 symmetric secret for JWT verification. */
-  jwtSecret: string;
-  /** Optional RS256 JWKS endpoint URL (tried first, falls back to HS256). */
-  jwksUrl?: string;
+  /** HS256 symmetric secret for JWT verification. May be a getter for dynamic config. */
+  jwtSecret: string | (() => string);
+  /** Optional RS256 JWKS endpoint URL (tried first, falls back to HS256). May be a getter. */
+  jwksUrl?: string | (() => string | undefined);
 }
 
 /** Options for creating the request context helpers. */