{"id":50962597,"url":"https://github.com/kroxt/kroxt","last_synced_at":"2026-06-18T16:00:50.083Z","repository":{"id":346026185,"uuid":"1177178131","full_name":"kroxt/kroxt","owner":"kroxt","description":"The The Most Simplified auth library","archived":false,"fork":false,"pushed_at":"2026-04-04T22:29:15.000Z","size":193,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-03T07:10:09.817Z","etag":null,"topics":["argon2","auth","authentication","expressjs","fastifyjs","framework-agnostic","honojs","library","nestjs","nextjs","security","token-rotation"],"latest_commit_sha":null,"homepage":"https://kroxt.vercel.app","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kroxt.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-09T19:18:07.000Z","updated_at":"2026-04-18T06:46:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kroxt/kroxt","commit_stats":null,"previous_names":["adepoju-oluwatobi/kroxt","kroxt/kroxt"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/kroxt/kroxt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kroxt%2Fkroxt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kroxt%2Fkroxt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kroxt%2Fkroxt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kroxt%2Fkroxt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kroxt","download_url":"https://codeload.github.com/kroxt/kroxt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kroxt%2Fkroxt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34497372,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-18T02:00:06.871Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argon2","auth","authentication","expressjs","fastifyjs","framework-agnostic","honojs","library","nestjs","nextjs","security","token-rotation"],"created_at":"2026-06-18T16:00:49.156Z","updated_at":"2026-06-18T16:00:50.077Z","avatar_url":"https://github.com/kroxt.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kroxt\n\n**The Most Simplified auth library**\n\nKroxt is a premium, framework-agnostic, and security-hardened authentication engine for modern TypeScript environments. Engineered for **Next.js (App Router)**, Express, and Fastifyβ€”with 100% schema control and \"Zero-Config\" onboarding.\n\n[![npm version](https://img.shields.io/npm/v/kroxt.svg)](https://www.npmjs.com/package/kroxt)\n[![Next.js Ready](https://img.shields.io/badge/Next.js-First--Class-black?logo=next.js)](https://nextjs.org)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\nThe recommended way to start is the **Kroxt CLI**. It detects your framework (Next.js, Express, Fastify) and scaffolds a professional auth structure automatically.\n\n```bash\nnpx kroxt init\n```\n\n---\n\n## πŸš€ Next.js First-Class Support\n\nKroxt is optimized for the Next.js App Router. Use standard **Route Handlers** for high performance and zero overhead.\n\n### 1. Configuration (`lib/kroxt/auth.ts`)\n```typescript\nimport { createAuth } from \"kroxt\";\nimport { createMongoAdapter } from \"kroxt/adapters/mongoose\";\nimport { User } from \"./models/user.model\";\n\nexport const auth = createAuth({\n adapter: createMongoAdapter(User),\n secret: process.env.JWT_SECRET,\n session: { enforceStrictRevocation: true } // Real-time security\n});\n```\n\n### 2. Login Route (`app/api/auth/login/route.ts`)\n```typescript\nimport { auth } from \"@/lib/kroxt/auth\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\nexport async function POST(req: NextRequest) {\n try {\n const { email, password } = await req.json();\n const result = await auth.loginWithPassword(email, password, req.ip);\n \n return NextResponse.json(result);\n } catch (error: any) {\n return NextResponse.json({ error: error.message }, { status: 401 });\n }\n}\n```\n\n## πŸ—οΈ Core Architecture\n\nKroxt is \"Headless.\" It provides the **Brain** (Logic, Hashing, JWTs, Security) while you provide the **Face** (UI/Routes). \n\n### 1. The Configuration Matrix\nEvery feature in Kroxt is modular. Toggle security layers with a single boolean.\n\n```typescript\nimport { createAuth } from \"kroxt\";\nimport { createMongoAdapter } from \"kroxt/adapters/mongoose\";\n\nexport const auth = createAuth({\n adapter: createMongoAdapter(UserModel),\n secret: process.env.JWT_SECRET,\n \n // Security Layer 1: Sessions\n session: {\n expires: \"15m\", // Access Token duration\n refreshExpires: \"7d\", // Refresh Token duration\n enforceStrictRevocation: true, // DB-lookup on EVERY request (Admin-mode)\n },\n\n // Security Layer 2: Defense\n rateLimit: {\n max: 100, // Requests per window\n windowMs: 60 * 1000 // 1 Minute window\n },\n\n // Security Layer 3: Brute Force\n ipBlocking: {\n maxStrikes: 5, // Ban after 5 failures\n blockDurationMs: 15 * 60 * 1000 // 15 Min ban\n },\n\n // Security Layer 4: Crypto\n passwordPolicy: {\n minLength: 8,\n requireUppercase: true,\n requireSpecialCharacter: true,\n usePepper: true // Requires JWT_PEPPER env variable\n }\n});\n```\n\n---\n\n## πŸ”Œ Universal Adapters\n\nBring your own schema. Kroxt adapts to you.\n\n### Mongoose (MongoDB)\n```typescript\nimport { createMongoAdapter } from \"kroxt/adapters/mongoose\";\nconst adapter = createMongoAdapter(User); \n```\n\n### Prisma (SQL)\n```typescript\nimport { createPrismaAdapter } from \"kroxt/adapters/prisma\";\nconst adapter = createPrismaAdapter(prisma.user);\n```\n\n### Drizzle (SQL)\n```typescript\nimport { createDrizzleAdapter } from \"kroxt/adapters/drizzle\";\nimport { eq } from \"drizzle-orm\";\nconst adapter = createDrizzleAdapter(db, users, eq);\n```\n\n### Memory (Testing)\n```typescript\nimport { createMemoryAdapter } from \"kroxt\";\nconst adapter = createMemoryAdapter();\n```\n\n---\n\n## 🧠 API Reference\n\n### `auth.signup(userData, password)`\nRegisters a new user. User data is strictly typed to your schema.\n```typescript\nconst { user, accessToken, refreshToken } = await auth.signup({ \n email: \"dev@kroxt.io\",\n role: \"admin\" \n}, \"secure_password\");\n```\n\n### `auth.loginWithPassword(email, password, clientIp?)`\nAuthenticates a user and generates tokens. Pass `clientIp` to enable IP-Blocking.\n```typescript\nconst result = await auth.loginWithPassword(email, password, req.ip);\n```\n\n### `auth.refreshSession(refreshToken, clientIp?)`\nRotates the session. If `enforceStrictRevocation` is on, it validates the token against the user's current password hash.\n```typescript\nconst { user, accessToken, refreshToken: newRefresh } = await auth.refreshSession(token);\n```\n\n### `auth.logout(userId)`\nTerminates all active sessions for a user globally. This increments the `sessionVersion` in the database, invalidating all current tokens instantly.\n```typescript\nawait auth.logout(payload.sub);\n```\n\n### `auth.changePassword(userId, newPassword)`\nUpdates password and **instantly invalidates all other active sessions** globally via Hash-Linked revocation.\n```typescript\nawait auth.changePassword(payload.sub, \"new_secure_pass\");\n```\n\n---\n\n## 🧩 Middleware Implementation\n\n### Express / Fastify\n```typescript\nconst protect = async (req, res, next) =\u003e {\n const token = req.headers.authorization?.split(\" \")[1];\n try {\n const session = await auth.verifyAccessToken(token);\n req.user = session.user;\n next();\n } catch (err) {\n res.status(401).json({ error: \"Unauthorized\" });\n }\n};\n```\n\n---\n\n## πŸš€ Advanced Deployment\n\n### Custom JWT Payloads\nInject metadata into your tokens safely.\n```typescript\njwt: {\n payload: (user, type) =\u003e {\n return type === \"access\" ? { role: user.role } : {};\n }\n}\n```\n\n### Password Peppering\nKroxt supports server-side peppering to protect against rainbow table attacks even if your database is leaked.\n1. Set `usePepper: true` in config.\n2. Add `JWT_PEPPER` to your `.env`.\n\n---\n\n## 🧠 API Reference (Exhaustive)\n\n### `auth.signup()`\n| Argument | Type | Description |\n| --- | --- | --- |\n| `userData` | `Omit\u003cUser, \"id\"\u003e` | Your user object without the ID (ID is auto-generated) |\n| `password` | `string` (Optional) | Plain text password. Will be hashed using Argon2 |\n\n### `auth.loginWithPassword()`\n| Argument | Type | Description |\n| --- | --- | --- |\n| `email` | `string` | User email |\n| `password` | `string` | User password |\n| `clientIp` | `string` (Optional) | Required for IP-Blocking defense |\n\n### `auth.logout()`\n| Argument | Type | Description |\n| --- | --- | --- |\n| `userId` | `string` | The ID of the user whose sessions will be revoked |\n\n\u003e [!IMPORTANT]\n\u003e **Global Session Revocation**: Kroxt uses a `sessionVersion` counter. When `logout` is called, this counter increments in the database. Any token presented with an older version will be rejected during verification if `enforceStrictRevocation` is enabled or during session refreshes.\n\n### `auth.changePassword()`\n| Argument | Type | Description |\n| --- | --- | --- |\n| `userId` | `string` | The ID of the user to update |\n| `newPassword` | `string` | The new plain text password |\n\n\u003e [!TIP]\n\u003e **Hash-Linked Revocation**: When you call `changePassword`, all existing refresh tokens for that user are immediately invalidated because they contain a fragment of the old password hash (`pw_frag`).\n\n---\n\n## 🚦 Error Handling\n\nKroxt throws descriptive errors that you can catch in your controller.\n\n```typescript\ntry {\n await auth.loginWithPassword(email, password, req.ip);\n} catch (err) {\n if (err.message === \"IP is temporarily blocked.\") {\n return res.status(403).send(\"Banned.\");\n }\n if (err.message === \"Too many requests, please try again later.\") {\n return res.status(429).send(\"Slow down.\");\n }\n return res.status(401).send(\"Invalid Credentials\");\n}\n```\n\n---\n\n## πŸ”’ Security Best Practices\n\n1. **Environmental Pepper**: Always use `JWT_PEPPER`. This adds a server-side secret to every password hash. If your database is stolen, your user passwords are still protected by this environment variable.\n2. **Strict Revocation**: Set `enforceStrictRevocation: true` for high-security areas (like admin panels). This forces a database lookup on every single request to ensure the user hasn't been banned or changed their password in the last few seconds.\n3. **Dual Tokens**: Always use the provided `accessToken` for short-term API access and the `refreshToken` (stored in an `HttpOnly` cookie) for session persistence.\n\n---\n\n## πŸ”— Ecosystem\n- [Kroxt Examples Repository](https://github.com/adepoju-oluwatobi/kroxt-examples)\n\n## πŸ“„ License\nMIT Β© [Adepoju Oluwatobi](https://github.com/adepoju-oluwatobi)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkroxt%2Fkroxt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkroxt%2Fkroxt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkroxt%2Fkroxt/lists"}