From ea2cb4c0e69f541309ed04b7599de4bebce355c2 Mon Sep 17 00:00:00 2001
From: saravanakumardb1 <saravanakumardb1@users.noreply.github.com>
Date: Fri, 20 Mar 2026 07:38:26 -0700
Subject: [PATCH] fix(fastify-auth): support getter functions for
 jwtSecret/jwksUrl

Allows dynamic config resolution (e.g. test mocks that change config between calls).
Options can now be string | (() => string) for both jwtSecret and jwksUrl.
---
 packages/fastify-auth/src/auth.ts  | 12 ++++++++++--
 packages/fastify-auth/src/types.ts |  8 ++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/packages/fastify-auth/src/auth.ts b/packages/fastify-auth/src/auth.ts
index a41db7b8..98289314 100644
--- a/packages/fastify-auth/src/auth.ts
+++ b/packages/fastify-auth/src/auth.ts
@@ -14,8 +14,16 @@ export function createAuthMiddleware(opts: FastifyAuthOptions) {
   let jwks: ReturnType<typeof createRemoteJWKSet> | null = null;
   let cachedJwksUrl: string | undefined;
 
+  function resolveJwksUrl(): string | undefined {
+    return typeof opts.jwksUrl === 'function' ? opts.jwksUrl() : opts.jwksUrl;
+  }
+
+  function resolveJwtSecret(): string {
+    return typeof opts.jwtSecret === 'function' ? opts.jwtSecret() : opts.jwtSecret;
+  }
+
   function getJWKS(): ReturnType<typeof createRemoteJWKSet> | null {
-    const url = opts.jwksUrl;
+    const url = resolveJwksUrl();
     if (!url) return null;
     if (jwks && cachedJwksUrl === url) return jwks;
     jwks = createRemoteJWKSet(new URL(url));
@@ -24,7 +32,7 @@ export function createAuthMiddleware(opts: FastifyAuthOptions) {
   }
 
   function getHmacSecret(): Uint8Array {
-    return new TextEncoder().encode(opts.jwtSecret);
+    return new TextEncoder().encode(resolveJwtSecret());
   }
 
   /**
diff --git a/packages/fastify-auth/src/types.ts b/packages/fastify-auth/src/types.ts
index 322870e0..32dd9737 100644
--- a/packages/fastify-auth/src/types.ts
+++ b/packages/fastify-auth/src/types.ts
@@ -24,10 +24,10 @@ export interface JwtPayload {
 
 /** Options for creating the auth middleware. */
 export interface FastifyAuthOptions {
-  /** HS256 symmetric secret for JWT verification. */
-  jwtSecret: string;
-  /** Optional RS256 JWKS endpoint URL (tried first, falls back to HS256). */
-  jwksUrl?: string;
+  /** HS256 symmetric secret for JWT verification. May be a getter for dynamic config. */
+  jwtSecret: string | (() => string);
+  /** Optional RS256 JWKS endpoint URL (tried first, falls back to HS256). May be a getter. */
+  jwksUrl?: string | (() => string | undefined);
 }
 
 /** Options for creating the request context helpers. */