Express routes and middleware for UniAuth.
This package is a transport adapter.
This package does not create a UniAuth service, access a database, or implement authentication
rules. Applications pass a service with auth.public, auth.account, and auth.admin facades into
the adapter.
Configure the GitHub Packages registry for the package scope before installing:
@alyldas:registry=https://npm.pkg.github.comGitHub Packages can require authentication for package reads. Use a token with read:packages in local npm config or CI secrets; do not commit tokens.
npm install @alyldas/uniauth-express @alyldas/uniauth-core expressimport express from "express";
import { createUniAuthExpressRouter } from "@alyldas/uniauth-express";
const app = express();
app.use(express.json());
app.use(
"/auth",
createUniAuthExpressRouter({
auth,
adminGuard: requireAdmin,
session: {
cookie: {
name: "session",
options: {
httpOnly: true,
sameSite: "lax",
secure: true,
path: "/",
},
},
},
}),
);Session transport reads Authorization: Bearer <token> first and then a session cookie. Public
sign-in routes can write the returned session token to a cookie when cookie transport is enabled.
Public routes:
POST /provider/sign-inPOST /password/sign-inPOST /otp/startPOST /otp/resendPOST /otp/sign-inPOST /magic-link/startPOST /magic-link/resendPOST /magic-link/finishPOST /password-recovery/startPOST /password-recovery/resend
Account routes require a bearer token or configured session cookie:
GET /account/sessionPOST /account/session/refreshGET /account/securityGET /account/inspectionPOST /account/inspection/auditGET /account/closure-exportPATCH /account/profilePOST /account/contact/startPOST /account/contact/resendPOST /account/contact/cancelPOST /account/contact/finishPOST /account/password/setPOST /account/password/confirmPOST /account/password/changePOST /account/re-auth/statusPOST /account/re-auth/assertPOST /account/re-auth/otp/startPOST /account/re-auth/otp/resendPOST /account/re-auth/otp/cancelPOST /account/re-auth/otp/finishPOST /account/re-auth/password/confirmPOST /account/sessions/revoke-currentPOST /account/sessions/revoke-ownedPOST /account/sessions/revoke-otherPOST /account/identities/linkPOST /account/identities/unlinkPOST /account/closure/close
Admin routes are mounted under /admin and require the supplied adminGuard middleware. The
adapter returns 403 when admin routes are used without a guard.
- Configure secure, HTTP-only cookies when using cookie session transport.
- Keep CSRF protection application-owned and pass middleware into the adapter where needed.
- Do not pass database handles or persistence adapters into this package.
npm run check