Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

@kitiumai/auth

kitium-ai113MIT4.0.1TypeScript support: included

Enterprise-grade authentication solution with OAuth2, API keys, email verification, SAML2, SSO, WebAuthn, 2FA, RBAC, and subscription management

auth, authentication, authorization, identity, identity-management, identity-provider, iam, idp, oauth, oauth2, openid, oidc, openid-connect, saml, saml2, sso, single-sign-on, federated-identity, email-auth, email-verification, magic-link, passwordless, api-keys, api-authentication, api-security, sessions, session-management, token-management, webauthn, fido2, passkeys, biometric, 2fa, two-factor-auth, mfa, multi-factor-auth, totp, time-based-otp, otp, authenticator, rbac, role-based-access-control, abac, access-control, permissions, acl, authorization-server, resource-server, security, encryption, password-hashing, bcrypt, argon2, jwt, json-web-token, jwe, jws, refresh-token, access-token, token-rotation, subscription, subscription-management, billing, saas, saas-auth, enterprise, enterprise-auth, multitenancy, multi-tenant, organization, team-management, user-management, audit-log, compliance, gdpr, hipaa, soc2, zero-trust, rate-limiting, anomaly-detection, security-monitoring, typescript, nodejs, node, backend, server-side, middleware, express, fastify, nextjs, react, hooks, lazy-loading, tree-shakable, modular, plugin-system, kitium, kitiumai

readme

@kitiumai/auth

Complete authentication solution with OAuth, API keys, email, SAML, 2FA, WebAuthn, RBAC, and subscription management.

Features

  • 🔐 Multiple Authentication Methods: Email/password, OAuth, API keys, SAML, WebAuthn
  • 🔒 Two-Factor Authentication: TOTP and SMS support with backup codes
  • 🎫 WebAuthn/FIDO2: Passwordless authentication with security keys
  • 👥 Single Sign-On: OIDC and SAML 2.0 support
  • 🛡️ Role-Based Access Control: Complete RBAC with permissions
  • 🔍 Security Features: Anomaly detection, conditional access, device management
  • 📊 Access Reviews: Governance and certification workflows
  • 🎣 Hooks System: Event-driven extensibility
  • Lazy Loading: Performance-optimized on-demand loading
  • 🔌 Plugin System: Extensible plugin architecture
  • 🚦 Rate Limiting: Configurable rate limiting per user/IP/endpoint
  • 🎨 Framework Integrations: Express.js, Next.js, React
  • 📦 Pre-configured OAuth Providers: Google, GitHub, Microsoft, Facebook, Apple, Twitter, Discord, LinkedIn
  • 🛠️ TypeScript: Full TypeScript support with comprehensive types
  • 📋 RFC 7807: Problem Details for HTTP APIs error format
  • 🧭 Enterprise Readiness: JWKS-backed token governance, SIEM-ready audit events, SCIM/JIT provisioning, tenant isolation, and compliance presets

Installation

npm install @kitiumai/auth
# or
pnpm add @kitiumai/auth
# or
yarn add @kitiumai/auth

Quick Start

Basic Setup

import { AuthCore, defineConfig, MemoryStorageAdapter } from '@kitiumai/auth';

// Create configuration
const config = defineConfig({
  appName: 'My App',
  appUrl: 'https://myapp.com',
  providers: [
    {
      id: 'email',
      name: 'Email',
      type: 'email',
      enabled: true,
    },
  ],
  storage: {
    type: 'memory',
  },
});

// Initialize storage adapter
const storage = new MemoryStorageAdapter();

// Create AuthCore instance
const auth = new AuthCore(config, storage);

// Register a user
const user = await auth.registerUser({
  email: 'user@example.com',
  password: 'securePassword123!',
});

// Authenticate
const session = await auth.authenticate('user@example.com', 'securePassword123!');

Express.js Integration

import express from 'express';
import { getExpressAuth, getOAuthRoutes } from '@kitiumai/auth';

const app = express();

// Get Express auth middleware (lazy loaded)
const authMiddleware = await getExpressAuth();
app.use('/api', authMiddleware(auth));

// Get OAuth routes (lazy loaded)
const createOAuthRoutes = await getOAuthRoutes();
app.use('/auth/oauth', createOAuthRoutes(auth));

OAuth with Pre-configured Providers

import {
  AuthCore,
  defineConfig,
  createOAuthProviderFromPreset,
  GOOGLE_PROVIDER,
} from '@kitiumai/auth';

const config = defineConfig({
  appName: 'My App',
  appUrl: 'https://myapp.com',
  providers: [
    createOAuthProviderFromPreset(GOOGLE_PROVIDER, {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      redirectUri: 'https://myapp.com/auth/oauth/google/callback',
    }),
  ],
  storage: {
    type: 'memory',
  },
});

const auth = new AuthCore(config, storage);

// Initiate OAuth flow
const authUrl = await auth.getOAuthAuthorizationUrl('google', {
  redirectUri: 'https://myapp.com/auth/oauth/google/callback',
  state: 'random-state-string',
});

// Handle OAuth callback
const result = await auth.handleOAuthCallback('google', {
  code: 'authorization-code',
  state: 'random-state-string',
});

Enterprise controls

Signed tokens with JWKS rotation

import { createTokenGovernance } from '@kitiumai/auth';

const tokenGovernance = createTokenGovernance({
  format: {
    audience: 'my-app',
    issuer: 'https://auth.my-app.com',
    expirationSeconds: 3600,
    cookieFlags: { httpOnly: true, sameSite: 'lax', secure: true },
  },
  rotation: { rotationDays: 30, overlapSeconds: 60, enforceKid: true },
});

const { token, kid } = tokenGovernance.issueToken('user-123', { roles: ['admin'] });
tokenGovernance.verifyToken(token);

Audit pipeline with SIEM export and metrics hooks

import { AuditService, ConsoleAuditExporter } from '@kitiumai/auth';

const audit = new AuditService([new ConsoleAuditExporter()], { redactionFields: ['password'] }, {
  record: async (metric, value, tags) => console.log(metric, value, tags),
});

await audit.record({
  id: 'evt-1',
  category: 'auth',
  actor: 'user-123',
  action: 'login',
  severity: 'info',
  timestamp: new Date(),
  metadata: { ip: '192.168.1.1' },
});

SCIM and JIT provisioning

import { ProvisioningService } from '@kitiumai/auth';

const provisioning = new ProvisioningService();
await provisioning.upsertScimUser({
  userName: 'jane.doe',
  active: true,
  emails: [{ value: 'jane@example.com', primary: true }],
});

await provisioning.jitProvision({ email: 'saml-user@example.com', provider: 'saml' });

Tenant isolation and residency

import { TenantRegistry } from '@kitiumai/auth';

const tenants = new TenantRegistry();
const tenant = tenants.createTenant('Acme', { region: 'eu-west-1', residencyRequired: true, encryptionKeyId: 'kms-eu' });
tenants.setFeatureFlag(tenant.id, 'adaptive-mfa', true);

Compliance and credential policy enforcement

import { defaultComplianceProfile, validatePasswordAgainstPolicy } from '@kitiumai/auth';

const compliance = defaultComplianceProfile();
const violations = validatePasswordAgainstPolicy('weak', compliance.password);
if (violations.length) {
  throw new Error(`Password rejected: ${violations.join(', ')}`);
}

Two-Factor Authentication

import { getTwoFactorAuthService } from '@kitiumai/auth';

const twoFAService = await getTwoFactorAuthService();
await twoFAService.initialize(storage, { enabled: true });

// Enroll TOTP device
const device = await twoFAService.enrollTOTPDevice(userId, 'My Phone');
// device.secret contains the TOTP secret
// Generate QR code using device.secret

// Verify TOTP enrollment
const backupCodes = await twoFAService.verifyTOTPEnrollment(
  userId,
  device.id,
  '123456' // TOTP code
);

// Verify 2FA during login
const isValid = await twoFAService.verifyTwoFactor(userId, device.id, '123456');

WebAuthn (Passwordless)

import { getWebAuthnService } from '@kitiumai/auth';

const webauthnService = await getWebAuthnService();
await webauthnService.initialize(storage, {
  enabled: true,
  rpId: 'myapp.com',
  rpName: 'My App',
});

// Register credential
const registrationOptions = await webauthnService.getRegistrationOptions(userId);
// Send to client for credential creation

// Authenticate with credential
const authOptions = await webauthnService.getAuthenticationOptions(userId);
// Send to client for credential assertion

RBAC (Role-Based Access Control)

import { getRBACService } from '@kitiumai/auth';

const rbacService = await getRBACService();
await rbacService.initialize(storage, { enabled: true });

// Create role
const role = await rbacService.createRole(orgId, 'Admin', [
  { id: 'perm_1', name: 'Full Access', resource: '*', action: '*' },
]);

// Assign role to user
await rbacService.assignRoleToUser(userId, role.id, orgId);

// Check permission
const hasPermission = await rbacService.hasPermission(userId, {
  resource: 'users',
  action: 'delete',
  orgId,
});

Express.js RBAC Middleware

import { getRBACMiddleware } from '@kitiumai/auth';
import express from 'express';

const app = express();
const { requireRole, requirePermission } = await getRBACMiddleware();

// Require specific role
app.get('/admin', requireRole(['admin'], { rbacService }), (req, res) => {
  res.json({ message: 'Admin access granted' });
});

// Require specific permission
app.delete('/users/:id', requirePermission('users', 'delete', { rbacService }), (req, res) => {
  res.json({ message: 'User deleted' });
});

Rate Limiting

import { getRateLimitMiddleware } from '@kitiumai/auth';
import express from 'express';

const app = express();
const { createRateLimitMiddleware } = await getRateLimitMiddleware();

// Apply rate limiting
app.use(
  createRateLimitMiddleware({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100, // 100 requests per window
  })
);

Error Handling

import { getErrorHandler, setupErrorHandling } from '@kitiumai/auth';
import express from 'express';

const app = express();

// Setup error handling (includes 404 handler)
setupErrorHandling(app);

// Or use error handler directly
const errorHandler = await getErrorHandler();
app.use(errorHandler);

Hooks/Events

import { createHookManager } from '@kitiumai/auth';

const hookManager = createHookManager();

// Register hook
hookManager.on('user.created', async (data) => {
  console.log('User created:', data.user.email);
  // Send welcome email, create default resources, etc.
});

// Trigger hook
await hookManager.trigger('user.created', {
  user: { id: 'user_1', email: 'user@example.com' },
});

Anomaly Detection

import { getAnomalyDetectionService } from '@kitiumai/auth';

const anomalyService = await getAnomalyDetectionService();
await anomalyService.initialize(storage, {
  enabled: true,
  bruteForceThreshold: 5,
  bruteForceWindow: 300, // 5 minutes
});

// Record authentication attempt
await anomalyService.recordAttempt({
  email: 'user@example.com',
  ipAddress: '192.168.1.1',
  success: false,
});

// Check for brute force
const isBruteForce = await anomalyService.isBruteForceAttempt('user@example.com');

// Get risk score
const riskScore = await anomalyService.calculateRiskScore({
  email: 'user@example.com',
  ipAddress: '192.168.1.1',
  newDevice: true,
  newLocation: true,
});

Conditional Access

import { getConditionalAccessService } from '@kitiumai/auth';

const conditionalAccess = await getConditionalAccessService();
await conditionalAccess.initialize(storage, { enabled: true });

// Create location policy
const policy = await conditionalAccess.createPolicy({
  name: 'Block High-Risk Countries',
  type: 'location',
  blockedCountries: ['XX', 'YY'],
});

// Evaluate policy
const result = await conditionalAccess.evaluatePolicy(policy.id, {
  userId: 'user_1',
  ipAddress: '192.168.1.1',
  country: 'US',
  deviceId: 'device_1',
});

API Reference

Core Classes

AuthCore

Main authentication engine.

class AuthCore {
  constructor(config: AuthConfig, storage: StorageAdapter);

  // User management
  registerUser(input: CreateUserInput): Promise<User>;
  updateUser(userId: string, input: UpdateUserInput): Promise<User>;
  deleteUser(userId: string): Promise<void>;
  getUser(userId: string): Promise<User | null>;

  // Authentication
  authenticate(email: string, password: string): Promise<Session>;
  verifySession(sessionId: string): Promise<Session>;
  revokeSession(sessionId: string): Promise<void>;

  // API Keys
  issueApiKey(userId: string, input: IssueApiKeyInput): Promise<IssueApiKeyResult>;
  verifyApiKey(apiKey: string): Promise<VerifyApiKeyResult>;
  revokeApiKey(keyId: string): Promise<void>;

  // OAuth
  getOAuthAuthorizationUrl(providerId: string, options: OAuthOptions): Promise<string>;
  handleOAuthCallback(
    providerId: string,
    params: OAuthCallbackParams
  ): Promise<OAuthCallbackResult>;
}

TwoFactorAuthService

Two-factor authentication service.

class TwoFactorAuthService {
  // TOTP
  enrollTOTPDevice(userId: string, name?: string): Promise<TwoFactorDevice>;
  verifyTOTPEnrollment(userId: string, deviceId: string, code: string): Promise<BackupCode[]>;

  // SMS
  enrollSMSDevice(userId: string, phoneNumber: string, name?: string): Promise<TwoFactorDevice>;
  sendSMSCode(deviceId: string): Promise<void>;
  verifySMSCode(userId: string, deviceId: string, code: string): Promise<void>;

  // Verification
  verifyTwoFactor(userId: string, deviceId: string, code: string): Promise<boolean>;

  // Management
  listDevices(userId: string): Promise<TwoFactorDevice[]>;
  deleteDevice(deviceId: string): Promise<void>;
  getTwoFactorStatus(userId: string): Promise<TwoFactorStatus>;
}

WebAuthnService

WebAuthn/FIDO2 passwordless authentication.

class WebAuthnService {
  getRegistrationOptions(userId: string): Promise<WebAuthnRegistrationOptions>;
  registerCredential(
    userId: string,
    credential: WebAuthnCredentialCreation
  ): Promise<WebAuthnDevice>;

  getAuthenticationOptions(userId: string): Promise<WebAuthnAuthenticationOptions>;
  authenticateCredential(userId: string, assertion: WebAuthnCredentialAssertion): Promise<boolean>;

  listDevices(userId: string): Promise<WebAuthnDevice[]>;
  deleteDevice(deviceId: string): Promise<void>;
}

RBACService

Role-based access control service.

class RBACService {
  // Roles
  createRole(orgId: string, name: string, permissions: Permission[]): Promise<Role>;
  updateRole(roleId: string, updates: Partial<Role>): Promise<Role>;
  deleteRole(roleId: string): Promise<void>;
  getRole(roleId: string): Promise<Role | null>;
  listRoles(orgId: string): Promise<Role[]>;

  // Assignments
  assignRoleToUser(userId: string, roleId: string, orgId: string): Promise<void>;
  revokeRoleFromUser(userId: string, roleId: string, orgId: string): Promise<void>;
  getUserRoles(userId: string, orgId: string): Promise<Role[]>;

  // Permissions
  hasPermission(userId: string, check: PermissionCheck): Promise<boolean>;
  hasAnyPermission(userId: string, checks: PermissionCheck[]): Promise<boolean>;
  hasAllPermissions(userId: string, checks: PermissionCheck[]): Promise<boolean>;
  getUserPermissions(userId: string, orgId: string): Promise<Permission[]>;
}

SSOService

Single sign-on service.

class SSOService {
  // OIDC
  registerOIDCProvider(config: OIDCProviderConfig): Promise<OIDCProvider>;
  getOIDCAuthorizationUrl(providerId: string, options: OIDCOptions): Promise<string>;
  handleOIDCCallback(providerId: string, params: OIDCCallbackParams): Promise<OIDCCallbackResult>;

  // SAML
  registerSAMLProvider(config: SAMLProviderConfig): Promise<SAMLProvider>;
  getSAMLAuthRequest(providerId: string, options: SAMLOptions): Promise<string>;
  handleSAMLResponse(providerId: string, samlResponse: string): Promise<SAMLCallbackResult>;

  // Links
  linkSSOProvider(userId: string, providerId: string, subject: string): Promise<SSOLink>;
  getUserSSOLinks(userId: string): Promise<SSOLink[]>;
  deleteSSOLink(linkId: string): Promise<void>;
}

Configuration

defineConfig

Create authentication configuration.

function defineConfig(config: AuthConfig): AuthConfig;

interface AuthConfig {
  appName: string;
  appUrl: string;
  providers: AuthProvider[];
  storage: StorageConfig;
  billing?: BillingConfig;
  apiKeys?: ApiKeyConfig;
  sessions?: SessionConfig;
  organizations?: OrganizationConfig;
  events?: EventConfig;
}

Pre-configured OAuth Providers

import {
  GOOGLE_PROVIDER,
  GITHUB_PROVIDER,
  MICROSOFT_PROVIDER,
  FACEBOOK_PROVIDER,
  APPLE_PROVIDER,
  TWITTER_PROVIDER,
  DISCORD_PROVIDER,
  LINKEDIN_PROVIDER,
  createOAuthProviderFromPreset,
} from '@kitiumai/auth';

const provider = createOAuthProviderFromPreset(GOOGLE_PROVIDER, {
  clientId: 'your-client-id',
  clientSecret: 'your-client-secret',
  redirectUri: 'https://yourapp.com/callback',
});

Error Handling

All errors use the @kitiumai/error API with RFC 7807 Problem Details format.

import {
  ValidationError,
  AuthenticationError,
  AuthorizationError,
  NotFoundError,
  RateLimitError,
} from '@kitiumai/auth';

// Error format
throw new ValidationError({
  code: 'auth/invalid_email',
  message: 'Invalid email address',
  severity: 'error',
  retryable: false,
  context: { email: 'invalid-email' },
});

Framework Integrations

Express.js

import { getExpressAuth, getRBACMiddleware, getErrorHandler } from '@kitiumai/auth';

// Authentication middleware
const authMiddleware = await getExpressAuth();
app.use('/api', authMiddleware(auth));

// RBAC middleware
const { requireRole, requirePermission } = await getRBACMiddleware();
app.get('/admin', requireRole(['admin'], { rbacService }), handler);

// Error handling
const errorHandler = await getErrorHandler();
app.use(errorHandler);

Next.js

import { getNextAuth } from '@kitiumai/auth';

// Server-side auth helper
const withAuth = await getNextAuth();
export default withAuth(async (req, res) => {
  // req.user is available
  res.json({ user: req.user });
});

React

import { getReactAuth } from '@kitiumai/auth';

function MyComponent() {
  const { user, isLoading, signOut } = await getReactAuth();

  if (isLoading) return <div>Loading...</div>;
  if (!user) return <div>Not authenticated</div>;

  return (
    <div>
      <p>Welcome, {user.email}</p>
      <button onClick={signOut}>Sign Out</button>
    </div>
  );
}

TypeScript Support

Full TypeScript support with comprehensive type definitions:

import type {
  User,
  Session,
  AuthConfig,
  AuthProvider,
  StorageAdapter,
  TwoFactorDevice,
  WebAuthnDevice,
  Role,
  Permission,
  SSOProvider,
} from '@kitiumai/auth';

Security Best Practices

  1. Use Strong Passwords: Enable password strength validation
  2. Enable 2FA: Require 2FA for sensitive operations
  3. Use HTTPS: Always use HTTPS in production
  4. Rate Limiting: Enable rate limiting to prevent brute force attacks
  5. Anomaly Detection: Monitor and detect suspicious activity
  6. Conditional Access: Implement location and device-based policies
  7. Regular Access Reviews: Review and certify user access regularly
  8. Secure API Keys: Rotate API keys regularly
  9. Session Management: Use secure, httpOnly cookies for sessions
  10. Error Handling: Don't expose sensitive information in error messages

Contributing

Contributions are welcome! Please read our contributing guidelines first.

License

MIT

Support

changelog

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[v4.0.1] - 2025-12-02

Added

bumped patch version for kitiumai packages

[v4.0.0] - 2025-11-30

Added

  • Token governance utilities with JWKS rotation, strict cookie guidance, and verification helpers for enterprise session hardening.
  • Audit pipeline building blocks that support SIEM export, metrics hooks, and redaction defaults.
  • SCIM/JIT provisioning, tenant registry with residency flags, compliance profiles, and operational runbooks to align with enterprise readiness recommendations.

[3.0.0] - 2025-11-26

Added

Core Authentication Features

  • AuthCore: Main authentication engine orchestrating all auth operations
    • Email/password authentication with secure password hashing (argon2)
    • API key authentication with secure key generation and verification
    • Session management with configurable expiration
    • User management (create, update, delete users)
    • Multi-tenant organization support
    • Subscription and billing integration hooks

OAuth Authentication

  • OAuth Manager: Complete OAuth 2.0 implementation
    • Authorization code flow with PKCE support
    • Token management and refresh
    • State management for security
    • Pre-configured providers: Google, GitHub, Microsoft, Facebook, Apple, Twitter, Discord, LinkedIn
    • Custom OAuth provider support
    • OAuth profile mapping and user linking

Email Authentication

  • Email Auth Service: Email-based authentication
    • User registration with email verification
    • Password reset flow
    • Magic link authentication
    • Email verification management
    • Multiple email provider support (SMTP, SendGrid, Mailgun, Resend)
    • Customizable email templates

Two-Factor Authentication (2FA)

  • TwoFactorAuthService: Comprehensive 2FA implementation
    • TOTP (Time-based One-Time Password) support
    • SMS-based 2FA with multiple providers (Twilio, AWS SNS, Console)
    • Backup codes generation and management
    • Device management for 2FA
    • Session-based 2FA verification
    • Express.js middleware for 2FA enforcement

WebAuthn/FIDO2

  • WebAuthnService: Passwordless authentication
    • FIDO2/WebAuthn credential registration
    • Passwordless authentication flow
    • Device credential management
    • Challenge-based security
    • Cross-platform support (desktop, mobile, security keys)

Single Sign-On (SSO)

  • SSOService: Enterprise SSO support
    • OIDC (OpenID Connect) provider management
    • SAML 2.0 provider support
    • SSO link management (multiple providers per user)
    • SSO session management
    • Auto-provisioning and user data sync
    • Metadata URL support for OIDC discovery

Role-Based Access Control (RBAC)

  • RBACService: Complete RBAC implementation
    • Role creation and management
    • Permission-based access control
    • Role assignment to users
    • Organization-scoped roles
    • System roles protection
    • Permission checking (single, any, all)
    • Express.js middleware for RBAC enforcement

Security Features

  • AnomalyDetectionService: Security monitoring

    • Brute force detection
    • Risk scoring based on multiple factors
    • Suspicious IP detection
    • Bot detection capabilities
    • Authentication attempt tracking
    • Configurable thresholds and time windows

  • ConditionalAccessService: Policy-based access control

    • Location-based policies (country/region blocking)
    • Device-based policies (trusted devices, device registration)
    • Time-based policies (business hours, day restrictions)
    • IP range policies (allow/block IP ranges)
    • MFA requirement policies
    • Risk-level based policies
    • Policy evaluation and enforcement

  • DeviceManagementService: Device trust management

    • Device registration and fingerprinting
    • Device trust levels (trusted, untrusted, unknown)
    • Device verification workflows
    • Device deletion and management
    • Device metadata tracking

Governance

  • AccessReviewService: Access certification workflows
    • Access review campaign creation
    • Review assignment and tracking
    • Review status management (pending, approved, rejected, expired)
    • Campaign lifecycle management
    • Review expiration handling

Hooks/Events System

  • HookManager: Event-driven extensibility
    • User lifecycle hooks (created, updated, deleted)
    • Session hooks (created, expired, revoked)
    • API key hooks (created, revoked)
    • Organization hooks (created, updated, deleted)
    • Authentication hooks (login, logout, failed)
    • Custom hook registration
    • Async hook execution

Error Handling

  • Integrated @kitiumai/error: Enterprise-grade error handling
    • RFC 7807 Problem Details support
    • Structured error codes with auth/ prefix
    • Error context and metadata
    • Error metrics and fingerprinting
    • Retry strategy metadata
    • Comprehensive error types (ValidationError, AuthenticationError, AuthorizationError, etc.)
    • Express.js error handler middleware

Rate Limiting

  • RateLimiter: Configurable rate limiting
    • Per-user rate limiting
    • Per-IP rate limiting
    • Per-endpoint rate limiting
    • Public rate limiting
    • Configurable windows and limits
    • Rate limit headers (X-RateLimit-*)
    • Express.js middleware integration

Framework Integrations

  • Express.js: Complete Express integration

    • Authentication middleware
    • RBAC middleware
    • 2FA middleware
    • Rate limiting middleware
    • Error handling middleware
    • OAuth routes
    • Email auth routes

  • Next.js: Next.js integration

    • Server-side authentication helpers
    • API route protection
    • Email authentication routes
    • OAuth callback handling

  • React: React hooks and components

    • useAuth hook
    • SignIn component
    • UserMenu component
    • BillingPortal component

Configuration System

  • Flexible Configuration: Environment-aware configuration
    • Provider configuration (OAuth, email, SAML)
    • Storage adapter configuration
    • Billing configuration
    • API key configuration
    • Session configuration
    • Organization configuration
    • Event configuration
    • Environment variable helpers
    • Configuration validation

Plugin System

  • KitiumPluginManager: Extensible plugin architecture
    • Plugin registration and lifecycle
    • Plugin context and dependencies
    • Plugin hooks integration
    • Lazy plugin loading

Lazy Loading

  • Lazy Loading System: Performance optimization
    • On-demand module loading
    • Code splitting support
    • Conditional loading
    • Lazy import utilities

Utilities

  • Password Utilities: Secure password handling

    • Argon2 password hashing
    • Password strength validation
    • Password reset token generation
    • Email validation and normalization

  • API Key Utilities: Secure API key management

    • Cryptographically secure key generation
    • Key hashing and verification
    • Key format validation

Storage Adapters

  • Memory Adapter: In-memory storage for development/testing
    • Full CRUD operations
    • Transaction support
    • Query capabilities

TypeScript Support

  • Full TypeScript Coverage: Complete type definitions
    • All APIs fully typed
    • Type-safe configuration
    • Type-safe error handling
    • Comprehensive type exports

Changed

Error Handling Migration

  • Migrated from custom error classes to @kitiumai/error API
  • All error instantiations now use object-based format with error codes
  • Added severity and retryable fields to all errors
  • Enhanced error context with correlation IDs and metadata
  • RFC 7807 Problem Details format support

Security

  • Password Security: Argon2 hashing with configurable parameters
  • API Key Security: Cryptographically secure key generation and hashing
  • Session Security: Secure session management with expiration
  • OAuth Security: PKCE support, state validation, secure token handling
  • 2FA Security: TOTP with secure secret generation, SMS with rate limiting
  • WebAuthn Security: Challenge-based authentication, credential verification
  • Rate Limiting: Protection against brute force and abuse
  • Anomaly Detection: Proactive threat detection and risk scoring

Documentation

  • Comprehensive API documentation
  • Usage examples for all features
  • Framework integration guides
  • Security best practices
  • Configuration reference
  • Error code reference