chore: release packages (#387 )

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
feat(server): 添加可插拔认证系统 | add pluggable authentication system (#386 )
2025-12-29 16:12:03 +08:00 · 2025-12-29 16:10:09 +08:00
28 changed files with 4413 additions and 6 deletions
--- a/docs/astro.config.mjs
+++ b/docs/astro.config.mjs
@@ -267,6 +267,7 @@ export default defineConfig({
                { label: '概述', slug: 'modules/network', translations: { en: 'Overview' } },
                { label: '客户端', slug: 'modules/network/client', translations: { en: 'Client' } },
                { label: '服务器', slug: 'modules/network/server', translations: { en: 'Server' } },
+                { label: '认证系统', slug: 'modules/network/auth', translations: { en: 'Authentication' } },
                { label: '状态同步', slug: 'modules/network/sync', translations: { en: 'State Sync' } },
                { label: '客户端预测', slug: 'modules/network/prediction', translations: { en: 'Prediction' } },
                { label: 'AOI 兴趣区域', slug: 'modules/network/aoi', translations: { en: 'AOI' } },
--- a/docs/src/content/docs/en/modules/network/auth.md
+++ b/docs/src/content/docs/en/modules/network/auth.md
@@ -0,0 +1,506 @@
+---
+title: "Authentication"
+description: "Add authentication to your game server with JWT and Session providers"
+---
+
+The `@esengine/server` package includes a pluggable authentication system that supports JWT, session-based auth, and custom providers.
+
+## Installation
+
+Authentication is included in the server package:
+
+```bash
+npm install @esengine/server jsonwebtoken
+```
+
+> Note: `jsonwebtoken` is an optional peer dependency, required only for JWT authentication.
+
+## Quick Start
+
+### JWT Authentication
+
+```typescript
+import { createServer } from '@esengine/server'
+import { withAuth, createJwtAuthProvider, withRoomAuth, requireAuth } from '@esengine/server/auth'
+
+// Create JWT provider
+const jwtProvider = createJwtAuthProvider({
+    secret: process.env.JWT_SECRET!,
+    expiresIn: 3600, // 1 hour
+})
+
+// Wrap server with authentication
+const server = withAuth(await createServer({ port: 3000 }), {
+    provider: jwtProvider,
+    extractCredentials: (req) => {
+        const url = new URL(req.url ?? '', 'http://localhost')
+        return url.searchParams.get('token')
+    },
+})
+
+// Define authenticated room
+class GameRoom extends withRoomAuth(Room, { requireAuth: true }) {
+    onJoin(player) {
+        console.log(`${player.user?.name} joined!`)
+    }
+}
+
+server.define('game', GameRoom)
+await server.start()
+```
+
+## Auth Providers
+
+### JWT Provider
+
+Use JSON Web Tokens for stateless authentication:
+
+```typescript
+import { createJwtAuthProvider } from '@esengine/server/auth'
+
+const jwtProvider = createJwtAuthProvider({
+    // Required: secret key
+    secret: 'your-secret-key',
+
+    // Optional: algorithm (default: HS256)
+    algorithm: 'HS256',
+
+    // Optional: expiration in seconds (default: 3600)
+    expiresIn: 3600,
+
+    // Optional: issuer for validation
+    issuer: 'my-game-server',
+
+    // Optional: audience for validation
+    audience: 'my-game-client',
+
+    // Optional: custom user extraction
+    getUser: async (payload) => {
+        // Fetch user from database
+        return await db.users.findById(payload.sub)
+    },
+})
+
+// Sign a token (for login endpoints)
+const token = jwtProvider.sign({
+    sub: user.id,
+    name: user.name,
+    roles: ['player'],
+})
+
+// Decode without verification (for debugging)
+const payload = jwtProvider.decode(token)
+```
+
+### Session Provider
+
+Use server-side sessions for stateful authentication:
+
+```typescript
+import { createSessionAuthProvider, type ISessionStorage } from '@esengine/server/auth'
+
+// Custom storage implementation
+const storage: ISessionStorage = {
+    async get<T>(key: string): Promise<T | null> {
+        return await redis.get(key)
+    },
+    async set<T>(key: string, value: T): Promise<void> {
+        await redis.set(key, value)
+    },
+    async delete(key: string): Promise<boolean> {
+        return await redis.del(key) > 0
+    },
+}
+
+const sessionProvider = createSessionAuthProvider({
+    storage,
+    sessionTTL: 86400000, // 24 hours in ms
+
+    // Optional: validate user on each request
+    validateUser: (user) => !user.banned,
+})
+
+// Create session (for login endpoints)
+const sessionId = await sessionProvider.createSession(user, {
+    ipAddress: req.ip,
+    userAgent: req.headers['user-agent'],
+})
+
+// Revoke session (for logout)
+await sessionProvider.revoke(sessionId)
+```
+
+## Server Auth Mixin
+
+The `withAuth` function wraps your server to add authentication:
+
+```typescript
+import { withAuth } from '@esengine/server/auth'
+
+const server = withAuth(baseServer, {
+    // Required: auth provider
+    provider: jwtProvider,
+
+    // Required: extract credentials from request
+    extractCredentials: (req) => {
+        // From query string
+        return new URL(req.url, 'http://localhost').searchParams.get('token')
+
+        // Or from headers
+        // return req.headers['authorization']?.replace('Bearer ', '')
+    },
+
+    // Optional: handle auth failure
+    onAuthFailed: (conn, error) => {
+        console.log(`Auth failed: ${error}`)
+    },
+})
+```
+
+### Accessing Auth Context
+
+After authentication, the auth context is available on connections:
+
+```typescript
+import { getAuthContext } from '@esengine/server/auth'
+
+server.onConnect = (conn) => {
+    const auth = getAuthContext(conn)
+
+    if (auth.isAuthenticated) {
+        console.log(`User ${auth.userId} connected`)
+        console.log(`Roles: ${auth.roles}`)
+    }
+}
+```
+
+## Room Auth Mixin
+
+The `withRoomAuth` function adds authentication checks to rooms:
+
+```typescript
+import { withRoomAuth, type AuthPlayer } from '@esengine/server/auth'
+
+interface User {
+    id: string
+    name: string
+    roles: string[]
+}
+
+class GameRoom extends withRoomAuth<User>(Room, {
+    // Require authentication to join
+    requireAuth: true,
+
+    // Optional: require specific roles
+    allowedRoles: ['player', 'premium'],
+
+    // Optional: role check mode ('any' or 'all')
+    roleCheckMode: 'any',
+}) {
+    // player has .auth and .user properties
+    onJoin(player: AuthPlayer<User>) {
+        console.log(`${player.user?.name} joined`)
+        console.log(`Is premium: ${player.auth.hasRole('premium')}`)
+    }
+
+    // Optional: custom auth validation
+    async onAuth(player: AuthPlayer<User>): Promise<boolean> {
+        // Additional validation logic
+        if (player.auth.hasRole('banned')) {
+            return false
+        }
+        return true
+    }
+
+    @onMessage('Chat')
+    handleChat(data: { text: string }, player: AuthPlayer<User>) {
+        this.broadcast('Chat', {
+            from: player.user?.name ?? 'Guest',
+            text: data.text,
+        })
+    }
+}
+```
+
+### AuthPlayer Interface
+
+Players in auth rooms have additional properties:
+
+```typescript
+interface AuthPlayer<TUser> extends Player {
+    // Full auth context
+    readonly auth: IAuthContext<TUser>
+
+    // User info (shortcut for auth.user)
+    readonly user: TUser | null
+}
+```
+
+### Room Auth Helpers
+
+```typescript
+class GameRoom extends withRoomAuth<User>(Room) {
+    someMethod() {
+        // Get player by user ID
+        const player = this.getPlayerByUserId('user-123')
+
+        // Get all players with a role
+        const admins = this.getPlayersByRole('admin')
+
+        // Get player with auth info
+        const authPlayer = this.getAuthPlayer(playerId)
+    }
+}
+```
+
+## Auth Decorators
+
+### @requireAuth
+
+Mark message handlers as requiring authentication:
+
+```typescript
+import { requireAuth, requireRole, onMessage } from '@esengine/server/auth'
+
+class GameRoom extends withRoomAuth(Room) {
+    @requireAuth()
+    @onMessage('Trade')
+    handleTrade(data: TradeData, player: AuthPlayer) {
+        // Only authenticated players can trade
+    }
+
+    @requireAuth({ allowGuest: true })
+    @onMessage('Chat')
+    handleChat(data: ChatData, player: AuthPlayer) {
+        // Guests can also chat
+    }
+}
+```
+
+### @requireRole
+
+Require specific roles for message handlers:
+
+```typescript
+class AdminRoom extends withRoomAuth(Room) {
+    @requireRole('admin')
+    @onMessage('Ban')
+    handleBan(data: BanData, player: AuthPlayer) {
+        // Only admins can ban
+    }
+
+    @requireRole(['moderator', 'admin'])
+    @onMessage('Mute')
+    handleMute(data: MuteData, player: AuthPlayer) {
+        // Moderators OR admins can mute
+    }
+
+    @requireRole(['verified', 'premium'], { mode: 'all' })
+    @onMessage('SpecialFeature')
+    handleSpecial(data: any, player: AuthPlayer) {
+        // Requires BOTH verified AND premium roles
+    }
+}
+```
+
+## Auth Context API
+
+The auth context provides various methods for checking authentication state:
+
+```typescript
+interface IAuthContext<TUser> {
+    // Authentication state
+    readonly isAuthenticated: boolean
+    readonly user: TUser | null
+    readonly userId: string | null
+    readonly roles: ReadonlyArray<string>
+    readonly authenticatedAt: number | null
+    readonly expiresAt: number | null
+
+    // Role checking
+    hasRole(role: string): boolean
+    hasAnyRole(roles: string[]): boolean
+    hasAllRoles(roles: string[]): boolean
+}
+```
+
+The `AuthContext` class (implementation) also provides:
+
+```typescript
+class AuthContext<TUser> implements IAuthContext<TUser> {
+    // Set authentication from result
+    setAuthenticated(result: AuthResult<TUser>): void
+
+    // Clear authentication state
+    clear(): void
+}
+```
+
+## Testing
+
+Use the mock auth provider for unit tests:
+
+```typescript
+import { createMockAuthProvider } from '@esengine/server/auth/testing'
+
+// Create mock provider with preset users
+const mockProvider = createMockAuthProvider({
+    users: [
+        { id: '1', name: 'Alice', roles: ['player'] },
+        { id: '2', name: 'Bob', roles: ['admin', 'player'] },
+    ],
+    autoCreate: true, // Create users for unknown tokens
+})
+
+// Use in tests
+const server = withAuth(testServer, {
+    provider: mockProvider,
+    extractCredentials: (req) => req.headers['x-token'],
+})
+
+// Verify with user ID as token
+const result = await mockProvider.verify('1')
+// result.user = { id: '1', name: 'Alice', roles: ['player'] }
+
+// Add/remove users dynamically
+mockProvider.addUser({ id: '3', name: 'Charlie', roles: ['guest'] })
+mockProvider.removeUser('3')
+
+// Revoke tokens
+await mockProvider.revoke('1')
+
+// Reset to initial state
+mockProvider.clear()
+```
+
+## Error Handling
+
+Auth errors include error codes for programmatic handling:
+
+```typescript
+type AuthErrorCode =
+    | 'INVALID_CREDENTIALS'       // Invalid username/password
+    | 'INVALID_TOKEN'             // Token is malformed or invalid
+    | 'EXPIRED_TOKEN'             // Token has expired
+    | 'USER_NOT_FOUND'            // User lookup failed
+    | 'ACCOUNT_DISABLED'          // User account is disabled
+    | 'RATE_LIMITED'              // Too many requests
+    | 'INSUFFICIENT_PERMISSIONS'  // Insufficient permissions
+
+// In your auth failure handler
+const server = withAuth(baseServer, {
+    provider: jwtProvider,
+    extractCredentials,
+    onAuthFailed: (conn, error) => {
+        switch (error.errorCode) {
+            case 'EXPIRED_TOKEN':
+                conn.send('AuthError', { code: 'TOKEN_EXPIRED' })
+                break
+            case 'INVALID_TOKEN':
+                conn.send('AuthError', { code: 'INVALID_TOKEN' })
+                break
+            default:
+                conn.close()
+        }
+    },
+})
+```
+
+## Complete Example
+
+Here's a complete example with JWT authentication:
+
+```typescript
+// server.ts
+import { createServer } from '@esengine/server'
+import {
+    withAuth,
+    withRoomAuth,
+    createJwtAuthProvider,
+    requireAuth,
+    requireRole,
+    type AuthPlayer,
+} from '@esengine/server/auth'
+
+// Types
+interface User {
+    id: string
+    name: string
+    roles: string[]
+}
+
+// JWT Provider
+const jwtProvider = createJwtAuthProvider<User>({
+    secret: process.env.JWT_SECRET!,
+    expiresIn: 3600,
+    getUser: async (payload) => ({
+        id: payload.sub as string,
+        name: payload.name as string,
+        roles: (payload.roles as string[]) ?? [],
+    }),
+})
+
+// Create authenticated server
+const server = withAuth(
+    await createServer({ port: 3000 }),
+    {
+        provider: jwtProvider,
+        extractCredentials: (req) => {
+            return new URL(req.url ?? '', 'http://localhost')
+                .searchParams.get('token')
+        },
+    }
+)
+
+// Game Room with auth
+class GameRoom extends withRoomAuth<User>(Room, {
+    requireAuth: true,
+    allowedRoles: ['player'],
+}) {
+    onCreate() {
+        console.log('Game room created')
+    }
+
+    onJoin(player: AuthPlayer<User>) {
+        console.log(`${player.user?.name} joined!`)
+        this.broadcast('PlayerJoined', {
+            id: player.id,
+            name: player.user?.name,
+        })
+    }
+
+    @requireAuth()
+    @onMessage('Move')
+    handleMove(data: { x: number; y: number }, player: AuthPlayer<User>) {
+        // Handle movement
+    }
+
+    @requireRole('admin')
+    @onMessage('Kick')
+    handleKick(data: { playerId: string }, player: AuthPlayer<User>) {
+        const target = this.getPlayer(data.playerId)
+        if (target) {
+            this.kick(target, 'Kicked by admin')
+        }
+    }
+}
+
+server.define('game', GameRoom)
+await server.start()
+```
+
+## Best Practices
+
+1. **Secure your secrets**: Never hardcode JWT secrets. Use environment variables.
+
+2. **Set reasonable expiration**: Balance security and user experience when setting token TTL.
+
+3. **Validate on critical actions**: Use `@requireAuth` on sensitive message handlers.
+
+4. **Use role-based access**: Implement proper role hierarchy for admin functions.
+
+5. **Handle token refresh**: Implement token refresh logic for long sessions.
+
+6. **Log auth events**: Track login attempts and failures for security monitoring.
+
+7. **Test auth flows**: Use `MockAuthProvider` to test authentication scenarios.
--- a/docs/src/content/docs/modules/network/auth.md
+++ b/docs/src/content/docs/modules/network/auth.md
@@ -0,0 +1,506 @@
+---
+title: "认证系统"
+description: "使用 JWT 和 Session 提供者为游戏服务器添加认证功能"
+---
+
+`@esengine/server` 包内置了可插拔的认证系统，支持 JWT、会话认证和自定义提供者。
+
+## 安装
+
+认证功能已包含在 server 包中：
+
+```bash
+npm install @esengine/server jsonwebtoken
+```
+
+> 注意：`jsonwebtoken` 是可选的 peer dependency，仅在使用 JWT 认证时需要。
+
+## 快速开始
+
+### JWT 认证
+
+```typescript
+import { createServer } from '@esengine/server'
+import { withAuth, createJwtAuthProvider, withRoomAuth, requireAuth } from '@esengine/server/auth'
+
+// 创建 JWT 提供者
+const jwtProvider = createJwtAuthProvider({
+    secret: process.env.JWT_SECRET!,
+    expiresIn: 3600, // 1 小时
+})
+
+// 用认证包装服务器
+const server = withAuth(await createServer({ port: 3000 }), {
+    provider: jwtProvider,
+    extractCredentials: (req) => {
+        const url = new URL(req.url ?? '', 'http://localhost')
+        return url.searchParams.get('token')
+    },
+})
+
+// 定义需要认证的房间
+class GameRoom extends withRoomAuth(Room, { requireAuth: true }) {
+    onJoin(player) {
+        console.log(`${player.user?.name} 加入了游戏！`)
+    }
+}
+
+server.define('game', GameRoom)
+await server.start()
+```
+
+## 认证提供者
+
+### JWT 提供者
+
+使用 JSON Web Tokens 实现无状态认证：
+
+```typescript
+import { createJwtAuthProvider } from '@esengine/server/auth'
+
+const jwtProvider = createJwtAuthProvider({
+    // 必填：密钥
+    secret: 'your-secret-key',
+
+    // 可选：算法（默认：HS256）
+    algorithm: 'HS256',
+
+    // 可选：过期时间（秒，默认：3600）
+    expiresIn: 3600,
+
+    // 可选：签发者（用于验证）
+    issuer: 'my-game-server',
+
+    // 可选：受众（用于验证）
+    audience: 'my-game-client',
+
+    // 可选：自定义用户提取
+    getUser: async (payload) => {
+        // 从数据库获取用户
+        return await db.users.findById(payload.sub)
+    },
+})
+
+// 签发令牌（用于登录接口）
+const token = jwtProvider.sign({
+    sub: user.id,
+    name: user.name,
+    roles: ['player'],
+})
+
+// 解码但不验证（用于调试）
+const payload = jwtProvider.decode(token)
+```
+
+### Session 提供者
+
+使用服务端会话实现有状态认证：
+
+```typescript
+import { createSessionAuthProvider, type ISessionStorage } from '@esengine/server/auth'
+
+// 自定义存储实现
+const storage: ISessionStorage = {
+    async get<T>(key: string): Promise<T | null> {
+        return await redis.get(key)
+    },
+    async set<T>(key: string, value: T): Promise<void> {
+        await redis.set(key, value)
+    },
+    async delete(key: string): Promise<boolean> {
+        return await redis.del(key) > 0
+    },
+}
+
+const sessionProvider = createSessionAuthProvider({
+    storage,
+    sessionTTL: 86400000, // 24 小时（毫秒）
+
+    // 可选：每次请求时验证用户
+    validateUser: (user) => !user.banned,
+})
+
+// 创建会话（用于登录接口）
+const sessionId = await sessionProvider.createSession(user, {
+    ipAddress: req.ip,
+    userAgent: req.headers['user-agent'],
+})
+
+// 撤销会话（用于登出）
+await sessionProvider.revoke(sessionId)
+```
+
+## 服务器认证 Mixin
+
+`withAuth` 函数用于包装服务器添加认证功能：
+
+```typescript
+import { withAuth } from '@esengine/server/auth'
+
+const server = withAuth(baseServer, {
+    // 必填：认证提供者
+    provider: jwtProvider,
+
+    // 必填：从请求中提取凭证
+    extractCredentials: (req) => {
+        // 从查询字符串获取
+        return new URL(req.url, 'http://localhost').searchParams.get('token')
+
+        // 或从请求头获取
+        // return req.headers['authorization']?.replace('Bearer ', '')
+    },
+
+    // 可选：处理认证失败
+    onAuthFailed: (conn, error) => {
+        console.log(`认证失败: ${error}`)
+    },
+})
+```
+
+### 访问认证上下文
+
+认证后，可以从连接获取认证上下文：
+
+```typescript
+import { getAuthContext } from '@esengine/server/auth'
+
+server.onConnect = (conn) => {
+    const auth = getAuthContext(conn)
+
+    if (auth.isAuthenticated) {
+        console.log(`用户 ${auth.userId} 已连接`)
+        console.log(`角色: ${auth.roles}`)
+    }
+}
+```
+
+## 房间认证 Mixin
+
+`withRoomAuth` 函数为房间添加认证检查：
+
+```typescript
+import { withRoomAuth, type AuthPlayer } from '@esengine/server/auth'
+
+interface User {
+    id: string
+    name: string
+    roles: string[]
+}
+
+class GameRoom extends withRoomAuth<User>(Room, {
+    // 要求认证才能加入
+    requireAuth: true,
+
+    // 可选：要求特定角色
+    allowedRoles: ['player', 'premium'],
+
+    // 可选：角色检查模式（'any' 或 'all'）
+    roleCheckMode: 'any',
+}) {
+    // player 拥有 .auth 和 .user 属性
+    onJoin(player: AuthPlayer<User>) {
+        console.log(`${player.user?.name} 加入了`)
+        console.log(`是否高级会员: ${player.auth.hasRole('premium')}`)
+    }
+
+    // 可选：自定义认证验证
+    async onAuth(player: AuthPlayer<User>): Promise<boolean> {
+        // 额外的验证逻辑
+        if (player.auth.hasRole('banned')) {
+            return false
+        }
+        return true
+    }
+
+    @onMessage('Chat')
+    handleChat(data: { text: string }, player: AuthPlayer<User>) {
+        this.broadcast('Chat', {
+            from: player.user?.name ?? '访客',
+            text: data.text,
+        })
+    }
+}
+```
+
+### AuthPlayer 接口
+
+认证房间中的玩家拥有额外属性：
+
+```typescript
+interface AuthPlayer<TUser> extends Player {
+    // 完整认证上下文
+    readonly auth: IAuthContext<TUser>
+
+    // 用户信息（auth.user 的快捷方式）
+    readonly user: TUser | null
+}
+```
+
+### 房间认证辅助方法
+
+```typescript
+class GameRoom extends withRoomAuth<User>(Room) {
+    someMethod() {
+        // 通过用户 ID 获取玩家
+        const player = this.getPlayerByUserId('user-123')
+
+        // 获取拥有特定角色的所有玩家
+        const admins = this.getPlayersByRole('admin')
+
+        // 获取带认证信息的玩家
+        const authPlayer = this.getAuthPlayer(playerId)
+    }
+}
+```
+
+## 认证装饰器
+
+### @requireAuth
+
+标记消息处理器需要认证：
+
+```typescript
+import { requireAuth, requireRole, onMessage } from '@esengine/server/auth'
+
+class GameRoom extends withRoomAuth(Room) {
+    @requireAuth()
+    @onMessage('Trade')
+    handleTrade(data: TradeData, player: AuthPlayer) {
+        // 只有已认证玩家才能交易
+    }
+
+    @requireAuth({ allowGuest: true })
+    @onMessage('Chat')
+    handleChat(data: ChatData, player: AuthPlayer) {
+        // 访客也可以聊天
+    }
+}
+```
+
+### @requireRole
+
+要求特定角色才能访问消息处理器：
+
+```typescript
+class AdminRoom extends withRoomAuth(Room) {
+    @requireRole('admin')
+    @onMessage('Ban')
+    handleBan(data: BanData, player: AuthPlayer) {
+        // 只有管理员才能封禁
+    }
+
+    @requireRole(['moderator', 'admin'])
+    @onMessage('Mute')
+    handleMute(data: MuteData, player: AuthPlayer) {
+        // 版主或管理员可以禁言
+    }
+
+    @requireRole(['verified', 'premium'], { mode: 'all' })
+    @onMessage('SpecialFeature')
+    handleSpecial(data: any, player: AuthPlayer) {
+        // 需要同时拥有 verified 和 premium 角色
+    }
+}
+```
+
+## 认证上下文 API
+
+认证上下文提供多种检查认证状态的方法：
+
+```typescript
+interface IAuthContext<TUser> {
+    // 认证状态
+    readonly isAuthenticated: boolean
+    readonly user: TUser | null
+    readonly userId: string | null
+    readonly roles: ReadonlyArray<string>
+    readonly authenticatedAt: number | null
+    readonly expiresAt: number | null
+
+    // 角色检查
+    hasRole(role: string): boolean
+    hasAnyRole(roles: string[]): boolean
+    hasAllRoles(roles: string[]): boolean
+}
+```
+
+`AuthContext` 类（实现类）还提供：
+
+```typescript
+class AuthContext<TUser> implements IAuthContext<TUser> {
+    // 从认证结果设置认证状态
+    setAuthenticated(result: AuthResult<TUser>): void
+
+    // 清除认证状态
+    clear(): void
+}
+```
+
+## 测试
+
+使用模拟认证提供者进行单元测试：
+
+```typescript
+import { createMockAuthProvider } from '@esengine/server/auth/testing'
+
+// 创建带预设用户的模拟提供者
+const mockProvider = createMockAuthProvider({
+    users: [
+        { id: '1', name: 'Alice', roles: ['player'] },
+        { id: '2', name: 'Bob', roles: ['admin', 'player'] },
+    ],
+    autoCreate: true, // 为未知令牌创建用户
+})
+
+// 在测试中使用
+const server = withAuth(testServer, {
+    provider: mockProvider,
+    extractCredentials: (req) => req.headers['x-token'],
+})
+
+// 使用用户 ID 作为令牌进行验证
+const result = await mockProvider.verify('1')
+// result.user = { id: '1', name: 'Alice', roles: ['player'] }
+
+// 动态添加/移除用户
+mockProvider.addUser({ id: '3', name: 'Charlie', roles: ['guest'] })
+mockProvider.removeUser('3')
+
+// 撤销令牌
+await mockProvider.revoke('1')
+
+// 重置到初始状态
+mockProvider.clear()
+```
+
+## 错误处理
+
+认证错误包含错误码用于程序化处理：
+
+```typescript
+type AuthErrorCode =
+    | 'INVALID_CREDENTIALS'       // 用户名/密码无效
+    | 'INVALID_TOKEN'             // 令牌格式错误或无效
+    | 'EXPIRED_TOKEN'             // 令牌已过期
+    | 'USER_NOT_FOUND'            // 用户查找失败
+    | 'ACCOUNT_DISABLED'          // 用户账号已禁用
+    | 'RATE_LIMITED'              // 请求过于频繁
+    | 'INSUFFICIENT_PERMISSIONS'  // 权限不足
+
+// 在认证失败处理器中
+const server = withAuth(baseServer, {
+    provider: jwtProvider,
+    extractCredentials,
+    onAuthFailed: (conn, error) => {
+        switch (error.errorCode) {
+            case 'EXPIRED_TOKEN':
+                conn.send('AuthError', { code: 'TOKEN_EXPIRED' })
+                break
+            case 'INVALID_TOKEN':
+                conn.send('AuthError', { code: 'INVALID_TOKEN' })
+                break
+            default:
+                conn.close()
+        }
+    },
+})
+```
+
+## 完整示例
+
+以下是使用 JWT 认证的完整示例：
+
+```typescript
+// server.ts
+import { createServer } from '@esengine/server'
+import {
+    withAuth,
+    withRoomAuth,
+    createJwtAuthProvider,
+    requireAuth,
+    requireRole,
+    type AuthPlayer,
+} from '@esengine/server/auth'
+
+// 类型定义
+interface User {
+    id: string
+    name: string
+    roles: string[]
+}
+
+// JWT 提供者
+const jwtProvider = createJwtAuthProvider<User>({
+    secret: process.env.JWT_SECRET!,
+    expiresIn: 3600,
+    getUser: async (payload) => ({
+        id: payload.sub as string,
+        name: payload.name as string,
+        roles: (payload.roles as string[]) ?? [],
+    }),
+})
+
+// 创建带认证的服务器
+const server = withAuth(
+    await createServer({ port: 3000 }),
+    {
+        provider: jwtProvider,
+        extractCredentials: (req) => {
+            return new URL(req.url ?? '', 'http://localhost')
+                .searchParams.get('token')
+        },
+    }
+)
+
+// 带认证的游戏房间
+class GameRoom extends withRoomAuth<User>(Room, {
+    requireAuth: true,
+    allowedRoles: ['player'],
+}) {
+    onCreate() {
+        console.log('游戏房间已创建')
+    }
+
+    onJoin(player: AuthPlayer<User>) {
+        console.log(`${player.user?.name} 加入了！`)
+        this.broadcast('PlayerJoined', {
+            id: player.id,
+            name: player.user?.name,
+        })
+    }
+
+    @requireAuth()
+    @onMessage('Move')
+    handleMove(data: { x: number; y: number }, player: AuthPlayer<User>) {
+        // 处理移动
+    }
+
+    @requireRole('admin')
+    @onMessage('Kick')
+    handleKick(data: { playerId: string }, player: AuthPlayer<User>) {
+        const target = this.getPlayer(data.playerId)
+        if (target) {
+            this.kick(target, '被管理员踢出')
+        }
+    }
+}
+
+server.define('game', GameRoom)
+await server.start()
+```
+
+## 最佳实践
+
+1. **保护密钥安全**：永远不要硬编码 JWT 密钥，使用环境变量。
+
+2. **设置合理的过期时间**：在安全性和用户体验之间平衡令牌 TTL。
+
+3. **在关键操作上验证**：在敏感消息处理器上使用 `@requireAuth`。
+
+4. **使用基于角色的访问控制**：为管理功能实现适当的角色层级。
+
+5. **处理令牌刷新**：为长会话实现令牌刷新逻辑。
+
+6. **记录认证事件**：跟踪登录尝试和失败以进行安全监控。
+
+7. **测试认证流程**：使用 `MockAuthProvider` 测试认证场景。
--- a/packages/framework/server/CHANGELOG.md
+++ b/packages/framework/server/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @esengine/server

+## 1.2.0
+
+### Minor Changes
+
+- [#386](https://github.com/esengine/esengine/pull/386) [`61a13ba`](https://github.com/esengine/esengine/commit/61a13baca2e1e8fba14e23d439521ec0e6b7ca6e) Thanks [@esengine](https://github.com/esengine)! - feat(server): 添加可插拔认证系统 | add pluggable authentication system
+    - 新增 JWT 认证提供者 (`createJwtAuthProvider`)
+    - 新增 Session 认证提供者 (`createSessionAuthProvider`)
+    - 新增服务器认证 mixin (`withAuth`)
+    - 新增房间认证 mixin (`withRoomAuth`)
+    - 新增认证装饰器 (`@requireAuth`, `@requireRole`)
+    - 新增测试工具 (`MockAuthProvider`)
+    - 导出路径: `@esengine/server/auth`, `@esengine/server/auth/testing`
+
 ## 1.1.4

 ### Patch Changes
--- a/packages/framework/server/package.json
+++ b/packages/framework/server/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@esengine/server",
-  "version": "1.1.4",
+  "version": "1.2.0",
  "description": "Game server framework for ESEngine with file-based routing",
  "type": "module",
  "main": "./dist/index.js",
@@ -11,6 +11,14 @@
      "import": "./dist/index.js",
      "types": "./dist/index.d.ts"
    },
+    "./auth": {
+      "import": "./dist/auth/index.js",
+      "types": "./dist/auth/index.d.ts"
+    },
+    "./auth/testing": {
+      "import": "./dist/auth/testing/index.js",
+      "types": "./dist/auth/testing/index.d.ts"
+    },
    "./testing": {
      "import": "./dist/testing/index.js",
      "types": "./dist/testing/index.d.ts"
@@ -33,11 +41,19 @@
    "@esengine/rpc": "workspace:*"
  },
  "peerDependencies": {
-    "ws": ">=8.0.0"
+    "ws": ">=8.0.0",
+    "jsonwebtoken": ">=9.0.0"
+  },
+  "peerDependenciesMeta": {
+    "jsonwebtoken": {
+      "optional": true
+    }
  },
  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.0",
    "@types/node": "^20.0.0",
    "@types/ws": "^8.5.13",
+    "jsonwebtoken": "^9.0.0",
    "rimraf": "^5.0.0",
    "tsup": "^8.0.0",
    "typescript": "^5.7.0",
--- a/packages/framework/server/src/auth/tests/MockAuthProvider.test.ts
+++ b/packages/framework/server/src/auth/tests/MockAuthProvider.test.ts
@@ -0,0 +1,214 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { MockAuthProvider, createMockAuthProvider, type MockUser } from '../testing/MockAuthProvider';
+
+describe('MockAuthProvider', () => {
+    const testUsers: MockUser[] = [
+        { id: '1', name: 'Alice', roles: ['player'] },
+        { id: '2', name: 'Bob', roles: ['admin', 'player'] },
+        { id: '3', name: 'Charlie', roles: ['guest'] }
+    ];
+
+    let provider: MockAuthProvider;
+
+    beforeEach(() => {
+        provider = createMockAuthProvider({
+            users: testUsers
+        });
+    });
+
+    describe('basic properties', () => {
+        it('should have name "mock"', () => {
+            expect(provider.name).toBe('mock');
+        });
+    });
+
+    describe('verify', () => {
+        it('should verify existing user by id (token)', async () => {
+            const result = await provider.verify('1');
+            expect(result.success).toBe(true);
+            expect(result.user?.id).toBe('1');
+            expect(result.user?.name).toBe('Alice');
+        });
+
+        it('should return user roles', async () => {
+            const result = await provider.verify('2');
+            expect(result.success).toBe(true);
+            expect(result.user?.roles).toEqual(['admin', 'player']);
+        });
+
+        it('should fail for unknown user', async () => {
+            const result = await provider.verify('unknown');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('USER_NOT_FOUND');
+        });
+
+        it('should fail for empty token', async () => {
+            const result = await provider.verify('');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('INVALID_TOKEN');
+        });
+
+        it('should return expiresAt', async () => {
+            const result = await provider.verify('1');
+            expect(result.expiresAt).toBeTypeOf('number');
+            expect(result.expiresAt).toBeGreaterThan(Date.now());
+        });
+    });
+
+    describe('with defaultUser', () => {
+        it('should return default user for empty token', async () => {
+            const providerWithDefault = createMockAuthProvider({
+                defaultUser: { id: 'default', name: 'Guest' }
+            });
+
+            const result = await providerWithDefault.verify('');
+            expect(result.success).toBe(true);
+            expect(result.user?.id).toBe('default');
+        });
+    });
+
+    describe('with autoCreate', () => {
+        it('should auto create user for unknown token', async () => {
+            const autoProvider = createMockAuthProvider({
+                autoCreate: true
+            });
+
+            const result = await autoProvider.verify('new-user-123');
+            expect(result.success).toBe(true);
+            expect(result.user?.id).toBe('new-user-123');
+            expect(result.user?.name).toBe('User_new-user-123');
+            expect(result.user?.roles).toEqual(['guest']);
+        });
+
+        it('should persist auto-created users', async () => {
+            const autoProvider = createMockAuthProvider({
+                autoCreate: true
+            });
+
+            await autoProvider.verify('auto-1');
+            const user = autoProvider.getUser('auto-1');
+            expect(user).toBeDefined();
+            expect(user?.id).toBe('auto-1');
+        });
+    });
+
+    describe('with validateToken', () => {
+        it('should validate token format', async () => {
+            const validatingProvider = createMockAuthProvider({
+                users: testUsers,
+                validateToken: (token) => token.length >= 1 && !token.includes('invalid')
+            });
+
+            const validResult = await validatingProvider.verify('1');
+            expect(validResult.success).toBe(true);
+
+            const invalidResult = await validatingProvider.verify('invalid-token');
+            expect(invalidResult.success).toBe(false);
+            expect(invalidResult.errorCode).toBe('INVALID_TOKEN');
+        });
+    });
+
+    describe('with delay', () => {
+        it('should add artificial delay', async () => {
+            const delayProvider = createMockAuthProvider({
+                users: testUsers,
+                delay: 50
+            });
+
+            const start = Date.now();
+            await delayProvider.verify('1');
+            const elapsed = Date.now() - start;
+
+            expect(elapsed).toBeGreaterThanOrEqual(45);
+        });
+    });
+
+    describe('refresh', () => {
+        it('should refresh token (returns same result as verify)', async () => {
+            const result = await provider.refresh('1');
+            expect(result.success).toBe(true);
+            expect(result.user?.id).toBe('1');
+        });
+    });
+
+    describe('revoke', () => {
+        it('should revoke token', async () => {
+            const result1 = await provider.verify('1');
+            expect(result1.success).toBe(true);
+
+            const revoked = await provider.revoke('1');
+            expect(revoked).toBe(true);
+
+            const result2 = await provider.verify('1');
+            expect(result2.success).toBe(false);
+            expect(result2.errorCode).toBe('INVALID_TOKEN');
+        });
+    });
+
+    describe('user management', () => {
+        it('should add user', () => {
+            provider.addUser({ id: '4', name: 'Dave', roles: ['tester'] });
+            const user = provider.getUser('4');
+            expect(user?.name).toBe('Dave');
+        });
+
+        it('should remove user', () => {
+            const removed = provider.removeUser('1');
+            expect(removed).toBe(true);
+
+            const user = provider.getUser('1');
+            expect(user).toBeUndefined();
+        });
+
+        it('should return false when removing non-existent user', () => {
+            const removed = provider.removeUser('non-existent');
+            expect(removed).toBe(false);
+        });
+
+        it('should get all users', () => {
+            const users = provider.getUsers();
+            expect(users).toHaveLength(3);
+            expect(users.map(u => u.id)).toContain('1');
+            expect(users.map(u => u.id)).toContain('2');
+            expect(users.map(u => u.id)).toContain('3');
+        });
+    });
+
+    describe('clear', () => {
+        it('should reset to initial state', async () => {
+            provider.addUser({ id: '4', name: 'Dave' });
+            await provider.revoke('1');
+
+            provider.clear();
+
+            const users = provider.getUsers();
+            expect(users).toHaveLength(3);
+
+            const result = await provider.verify('1');
+            expect(result.success).toBe(true);
+        });
+    });
+
+    describe('generateToken', () => {
+        it('should return user id as token', () => {
+            const token = provider.generateToken('user-123');
+            expect(token).toBe('user-123');
+        });
+    });
+});
+
+describe('createMockAuthProvider', () => {
+    it('should create provider with empty config', () => {
+        const provider = createMockAuthProvider();
+        expect(provider.name).toBe('mock');
+    });
+
+    it('should create provider with custom users', () => {
+        const provider = createMockAuthProvider({
+            users: [{ id: 'test', name: 'Test User' }]
+        });
+
+        const user = provider.getUser('test');
+        expect(user?.name).toBe('Test User');
+    });
+});
--- a/packages/framework/server/src/auth/tests/context.test.ts
+++ b/packages/framework/server/src/auth/tests/context.test.ts
@@ -0,0 +1,242 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { AuthContext, createGuestContext, createAuthContext, defaultUserExtractor } from '../context';
+import type { AuthResult } from '../types';
+
+describe('AuthContext', () => {
+    let context: AuthContext<{ id: string; name: string; roles: string[] }>;
+
+    beforeEach(() => {
+        context = new AuthContext();
+    });
+
+    describe('initial state', () => {
+        it('should not be authenticated initially', () => {
+            expect(context.isAuthenticated).toBe(false);
+        });
+
+        it('should have null user initially', () => {
+            expect(context.user).toBeNull();
+        });
+
+        it('should have null userId initially', () => {
+            expect(context.userId).toBeNull();
+        });
+
+        it('should have empty roles initially', () => {
+            expect(context.roles).toEqual([]);
+        });
+
+        it('should have null authenticatedAt initially', () => {
+            expect(context.authenticatedAt).toBeNull();
+        });
+
+        it('should have null expiresAt initially', () => {
+            expect(context.expiresAt).toBeNull();
+        });
+    });
+
+    describe('setAuthenticated', () => {
+        it('should set authenticated state on success', () => {
+            const result: AuthResult<{ id: string; name: string; roles: string[] }> = {
+                success: true,
+                user: { id: '123', name: 'Alice', roles: ['player'] }
+            };
+
+            context.setAuthenticated(result);
+
+            expect(context.isAuthenticated).toBe(true);
+            expect(context.user).toEqual({ id: '123', name: 'Alice', roles: ['player'] });
+            expect(context.userId).toBe('123');
+            expect(context.roles).toEqual(['player']);
+            expect(context.authenticatedAt).toBeTypeOf('number');
+        });
+
+        it('should set expiresAt when provided', () => {
+            const expiresAt = Date.now() + 3600000;
+            const result: AuthResult<{ id: string; name: string; roles: string[] }> = {
+                success: true,
+                user: { id: '123', name: 'Alice', roles: [] },
+                expiresAt
+            };
+
+            context.setAuthenticated(result);
+
+            expect(context.expiresAt).toBe(expiresAt);
+        });
+
+        it('should clear state on failed result', () => {
+            context.setAuthenticated({
+                success: true,
+                user: { id: '123', name: 'Alice', roles: ['player'] }
+            });
+
+            context.setAuthenticated({
+                success: false,
+                error: 'Token expired'
+            });
+
+            expect(context.isAuthenticated).toBe(false);
+            expect(context.user).toBeNull();
+        });
+
+        it('should clear state when success but no user', () => {
+            context.setAuthenticated({
+                success: true
+            });
+
+            expect(context.isAuthenticated).toBe(false);
+        });
+    });
+
+    describe('isAuthenticated with expiry', () => {
+        it('should return false when token is expired', () => {
+            context.setAuthenticated({
+                success: true,
+                user: { id: '123', name: 'Alice', roles: [] },
+                expiresAt: Date.now() - 1000
+            });
+
+            expect(context.isAuthenticated).toBe(false);
+        });
+
+        it('should return true when token is not expired', () => {
+            context.setAuthenticated({
+                success: true,
+                user: { id: '123', name: 'Alice', roles: [] },
+                expiresAt: Date.now() + 3600000
+            });
+
+            expect(context.isAuthenticated).toBe(true);
+        });
+    });
+
+    describe('role checking', () => {
+        beforeEach(() => {
+            context.setAuthenticated({
+                success: true,
+                user: { id: '123', name: 'Alice', roles: ['player', 'premium'] }
+            });
+        });
+
+        it('hasRole should return true for existing role', () => {
+            expect(context.hasRole('player')).toBe(true);
+            expect(context.hasRole('premium')).toBe(true);
+        });
+
+        it('hasRole should return false for non-existing role', () => {
+            expect(context.hasRole('admin')).toBe(false);
+        });
+
+        it('hasAnyRole should return true if any role matches', () => {
+            expect(context.hasAnyRole(['admin', 'player'])).toBe(true);
+            expect(context.hasAnyRole(['guest', 'premium'])).toBe(true);
+        });
+
+        it('hasAnyRole should return false if no role matches', () => {
+            expect(context.hasAnyRole(['admin', 'moderator'])).toBe(false);
+        });
+
+        it('hasAllRoles should return true if all roles match', () => {
+            expect(context.hasAllRoles(['player', 'premium'])).toBe(true);
+        });
+
+        it('hasAllRoles should return false if any role is missing', () => {
+            expect(context.hasAllRoles(['player', 'admin'])).toBe(false);
+        });
+    });
+
+    describe('clear', () => {
+        it('should reset all state', () => {
+            context.setAuthenticated({
+                success: true,
+                user: { id: '123', name: 'Alice', roles: ['player'] },
+                expiresAt: Date.now() + 3600000
+            });
+
+            context.clear();
+
+            expect(context.isAuthenticated).toBe(false);
+            expect(context.user).toBeNull();
+            expect(context.userId).toBeNull();
+            expect(context.roles).toEqual([]);
+            expect(context.authenticatedAt).toBeNull();
+            expect(context.expiresAt).toBeNull();
+        });
+    });
+});
+
+describe('defaultUserExtractor', () => {
+    describe('getId', () => {
+        it('should extract id from user object', () => {
+            expect(defaultUserExtractor.getId({ id: '123' })).toBe('123');
+        });
+
+        it('should extract numeric id as string', () => {
+            expect(defaultUserExtractor.getId({ id: 456 })).toBe('456');
+        });
+
+        it('should extract userId', () => {
+            expect(defaultUserExtractor.getId({ userId: 'abc' })).toBe('abc');
+        });
+
+        it('should extract sub (JWT standard)', () => {
+            expect(defaultUserExtractor.getId({ sub: 'jwt-sub' })).toBe('jwt-sub');
+        });
+
+        it('should return empty string for invalid user', () => {
+            expect(defaultUserExtractor.getId(null)).toBe('');
+            expect(defaultUserExtractor.getId(undefined)).toBe('');
+            expect(defaultUserExtractor.getId({})).toBe('');
+        });
+    });
+
+    describe('getRoles', () => {
+        it('should extract roles array', () => {
+            expect(defaultUserExtractor.getRoles({ roles: ['a', 'b'] })).toEqual(['a', 'b']);
+        });
+
+        it('should extract single role', () => {
+            expect(defaultUserExtractor.getRoles({ role: 'admin' })).toEqual(['admin']);
+        });
+
+        it('should filter non-string roles', () => {
+            expect(defaultUserExtractor.getRoles({ roles: ['a', 123, 'b'] })).toEqual(['a', 'b']);
+        });
+
+        it('should return empty array for invalid user', () => {
+            expect(defaultUserExtractor.getRoles(null)).toEqual([]);
+            expect(defaultUserExtractor.getRoles({})).toEqual([]);
+        });
+    });
+});
+
+describe('createGuestContext', () => {
+    it('should create unauthenticated context', () => {
+        const guest = createGuestContext();
+        expect(guest.isAuthenticated).toBe(false);
+        expect(guest.user).toBeNull();
+    });
+});
+
+describe('createAuthContext', () => {
+    it('should create authenticated context from result', () => {
+        const result: AuthResult<{ id: string }> = {
+            success: true,
+            user: { id: '123' }
+        };
+
+        const ctx = createAuthContext(result);
+        expect(ctx.isAuthenticated).toBe(true);
+        expect(ctx.userId).toBe('123');
+    });
+
+    it('should create unauthenticated context from failed result', () => {
+        const result: AuthResult<{ id: string }> = {
+            success: false,
+            error: 'Failed'
+        };
+
+        const ctx = createAuthContext(result);
+        expect(ctx.isAuthenticated).toBe(false);
+    });
+});
--- a/packages/framework/server/src/auth/tests/decorators.test.ts
+++ b/packages/framework/server/src/auth/tests/decorators.test.ts
@@ -0,0 +1,165 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { requireAuth, AUTH_METADATA_KEY, getAuthMetadata, type AuthMetadata } from '../decorators/requireAuth';
+import { requireRole } from '../decorators/requireRole';
+
+describe('requireAuth decorator', () => {
+    class TestClass {
+        @requireAuth()
+        basicMethod() {
+            return 'basic';
+        }
+
+        @requireAuth({ allowGuest: true })
+        guestAllowedMethod() {
+            return 'guest';
+        }
+
+        @requireAuth({ errorMessage: 'Custom error' })
+        customErrorMethod() {
+            return 'custom';
+        }
+
+        undecorated() {
+            return 'undecorated';
+        }
+    }
+
+    let instance: TestClass;
+
+    beforeEach(() => {
+        instance = new TestClass();
+    });
+
+    describe('metadata storage', () => {
+        it('should store auth metadata on target', () => {
+            const metadata = getAuthMetadata(TestClass.prototype, 'basicMethod');
+            expect(metadata).toBeDefined();
+            expect(metadata?.requireAuth).toBe(true);
+        });
+
+        it('should store options in metadata', () => {
+            const metadata = getAuthMetadata(TestClass.prototype, 'guestAllowedMethod');
+            expect(metadata?.options?.allowGuest).toBe(true);
+        });
+
+        it('should store custom error message', () => {
+            const metadata = getAuthMetadata(TestClass.prototype, 'customErrorMethod');
+            expect(metadata?.options?.errorMessage).toBe('Custom error');
+        });
+
+        it('should return undefined for undecorated methods', () => {
+            const metadata = getAuthMetadata(TestClass.prototype, 'undecorated');
+            expect(metadata).toBeUndefined();
+        });
+
+        it('should return undefined for non-existent methods', () => {
+            const metadata = getAuthMetadata(TestClass.prototype, 'nonExistent');
+            expect(metadata).toBeUndefined();
+        });
+    });
+
+    describe('method behavior', () => {
+        it('should not alter method behavior', () => {
+            expect(instance.basicMethod()).toBe('basic');
+            expect(instance.guestAllowedMethod()).toBe('guest');
+            expect(instance.customErrorMethod()).toBe('custom');
+        });
+    });
+
+    describe('metadata key', () => {
+        it('should use symbol for metadata storage', () => {
+            expect(typeof AUTH_METADATA_KEY).toBe('symbol');
+        });
+
+        it('should store metadata in a Map', () => {
+            const metadataMap = (TestClass.prototype as any)[AUTH_METADATA_KEY];
+            expect(metadataMap).toBeInstanceOf(Map);
+        });
+    });
+});
+
+describe('requireRole decorator', () => {
+    class RoleTestClass {
+        @requireRole('admin')
+        adminOnly() {
+            return 'admin';
+        }
+
+        @requireRole(['moderator', 'admin'])
+        modOrAdmin() {
+            return 'mod';
+        }
+
+        @requireRole(['verified', 'premium'], { mode: 'all' })
+        verifiedPremium() {
+            return 'vip';
+        }
+
+        @requireRole('player', { mode: 'any' })
+        playerExplicit() {
+            return 'player';
+        }
+    }
+
+    describe('single role', () => {
+        it('should store single role as array', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'adminOnly');
+            expect(metadata?.roles).toEqual(['admin']);
+        });
+
+        it('should set requireAuth to true', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'adminOnly');
+            expect(metadata?.requireAuth).toBe(true);
+        });
+
+        it('should default to any mode', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'adminOnly');
+            expect(metadata?.roleMode).toBe('any');
+        });
+    });
+
+    describe('multiple roles', () => {
+        it('should store multiple roles', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'modOrAdmin');
+            expect(metadata?.roles).toEqual(['moderator', 'admin']);
+        });
+    });
+
+    describe('role mode', () => {
+        it('should support all mode', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'verifiedPremium');
+            expect(metadata?.roleMode).toBe('all');
+            expect(metadata?.roles).toEqual(['verified', 'premium']);
+        });
+
+        it('should support explicit any mode', () => {
+            const metadata = getAuthMetadata(RoleTestClass.prototype, 'playerExplicit');
+            expect(metadata?.roleMode).toBe('any');
+        });
+    });
+
+    describe('method behavior', () => {
+        it('should not alter method behavior', () => {
+            const instance = new RoleTestClass();
+            expect(instance.adminOnly()).toBe('admin');
+            expect(instance.modOrAdmin()).toBe('mod');
+            expect(instance.verifiedPremium()).toBe('vip');
+        });
+    });
+});
+
+describe('combined decorators', () => {
+    class CombinedTestClass {
+        @requireAuth({ allowGuest: false })
+        @requireRole('admin')
+        combinedMethod() {
+            return 'combined';
+        }
+    }
+
+    it('should merge metadata from both decorators', () => {
+        const metadata = getAuthMetadata(CombinedTestClass.prototype, 'combinedMethod');
+        expect(metadata?.requireAuth).toBe(true);
+        expect(metadata?.roles).toEqual(['admin']);
+    });
+});
--- a/packages/framework/server/src/auth/tests/providers.test.ts
+++ b/packages/framework/server/src/auth/tests/providers.test.ts
@@ -0,0 +1,330 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { JwtAuthProvider, createJwtAuthProvider } from '../providers/JwtAuthProvider';
+import { SessionAuthProvider, createSessionAuthProvider, type ISessionStorage } from '../providers/SessionAuthProvider';
+
+describe('JwtAuthProvider', () => {
+    const secret = 'test-secret-key-for-testing';
+    let provider: JwtAuthProvider<{ id: string; name: string; roles: string[] }>;
+
+    beforeEach(() => {
+        provider = createJwtAuthProvider({
+            secret,
+            expiresIn: 3600
+        });
+    });
+
+    describe('sign and verify', () => {
+        it('should sign and verify a token', async () => {
+            const payload = { sub: '123', name: 'Alice', roles: ['player'] };
+            const token = provider.sign(payload);
+
+            expect(token).toBeTypeOf('string');
+            expect(token.split('.')).toHaveLength(3);
+
+            const result = await provider.verify(token);
+            expect(result.success).toBe(true);
+            expect(result.user).toBeDefined();
+        });
+
+        it('should extract user from payload', async () => {
+            const payload = { sub: '123', name: 'Alice' };
+            const token = provider.sign(payload);
+
+            const result = await provider.verify(token);
+            expect(result.success).toBe(true);
+            expect((result.user as any).sub).toBe('123');
+            expect((result.user as any).name).toBe('Alice');
+        });
+
+        it('should return expiration time', async () => {
+            const token = provider.sign({ sub: '123' });
+            const result = await provider.verify(token);
+
+            expect(result.expiresAt).toBeTypeOf('number');
+            expect(result.expiresAt).toBeGreaterThan(Date.now());
+        });
+    });
+
+    describe('verify errors', () => {
+        it('should fail for empty token', async () => {
+            const result = await provider.verify('');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('INVALID_TOKEN');
+        });
+
+        it('should fail for invalid token', async () => {
+            const result = await provider.verify('invalid.token.here');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('INVALID_TOKEN');
+        });
+
+        it('should fail for expired token', async () => {
+            const shortLivedProvider = createJwtAuthProvider({
+                secret,
+                expiresIn: -1
+            });
+
+            const token = shortLivedProvider.sign({ sub: '123' });
+            const result = await shortLivedProvider.verify(token);
+
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('EXPIRED_TOKEN');
+        });
+
+        it('should fail for wrong secret', async () => {
+            const token = provider.sign({ sub: '123' });
+
+            const wrongSecretProvider = createJwtAuthProvider({
+                secret: 'wrong-secret'
+            });
+
+            const result = await wrongSecretProvider.verify(token);
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('INVALID_TOKEN');
+        });
+    });
+
+    describe('with getUser callback', () => {
+        it('should use getUser to transform payload', async () => {
+            const customProvider = createJwtAuthProvider({
+                secret,
+                getUser: async (payload) => ({
+                    id: payload.sub as string,
+                    name: payload.name as string,
+                    roles: (payload.roles as string[]) || []
+                })
+            });
+
+            const token = customProvider.sign({ sub: '123', name: 'Bob', roles: ['admin'] });
+            const result = await customProvider.verify(token);
+
+            expect(result.success).toBe(true);
+            expect(result.user).toEqual({
+                id: '123',
+                name: 'Bob',
+                roles: ['admin']
+            });
+        });
+
+        it('should fail when getUser returns null', async () => {
+            const customProvider = createJwtAuthProvider({
+                secret,
+                getUser: async () => null
+            });
+
+            const token = customProvider.sign({ sub: '123' });
+            const result = await customProvider.verify(token);
+
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('USER_NOT_FOUND');
+        });
+    });
+
+    describe('refresh', () => {
+        it('should refresh a valid token', async () => {
+            const token = provider.sign({ sub: '123', name: 'Alice' });
+
+            // Wait a bit so iat changes
+            await new Promise(resolve => setTimeout(resolve, 1100));
+
+            const result = await provider.refresh(token);
+
+            expect(result.success).toBe(true);
+            expect(result.token).toBeDefined();
+            expect(result.token).not.toBe(token);
+        });
+
+        it('should return new expiration time', async () => {
+            const token = provider.sign({ sub: '123' });
+            const result = await provider.refresh(token);
+
+            expect(result.success).toBe(true);
+            expect(result.expiresAt).toBeTypeOf('number');
+            expect(result.expiresAt).toBeGreaterThan(Date.now());
+        });
+
+        it('should fail to refresh invalid token', async () => {
+            const result = await provider.refresh('invalid');
+
+            expect(result.success).toBe(false);
+        });
+    });
+
+    describe('decode', () => {
+        it('should decode token without verification', () => {
+            const token = provider.sign({ sub: '123', name: 'Alice' });
+            const payload = provider.decode(token);
+
+            expect(payload).toBeDefined();
+            expect(payload?.sub).toBe('123');
+            expect(payload?.name).toBe('Alice');
+        });
+
+        it('should return null for invalid token', () => {
+            const payload = provider.decode('not-a-token');
+            expect(payload).toBeNull();
+        });
+    });
+});
+
+describe('SessionAuthProvider', () => {
+    let storage: ISessionStorage;
+    let provider: SessionAuthProvider<{ id: string; name: string }>;
+    let storageData: Map<string, unknown>;
+
+    beforeEach(() => {
+        storageData = new Map();
+
+        storage = {
+            async get<T>(key: string): Promise<T | null> {
+                return (storageData.get(key) as T) ?? null;
+            },
+            async set<T>(key: string, value: T): Promise<void> {
+                storageData.set(key, value);
+            },
+            async delete(key: string): Promise<boolean> {
+                return storageData.delete(key);
+            }
+        };
+
+        provider = createSessionAuthProvider({
+            storage,
+            sessionTTL: 3600000
+        });
+    });
+
+    describe('createSession and verify', () => {
+        it('should create and verify a session', async () => {
+            const user = { id: '123', name: 'Alice' };
+            const sessionId = await provider.createSession(user);
+
+            expect(sessionId).toBeTypeOf('string');
+            expect(sessionId.length).toBeGreaterThan(10);
+
+            const result = await provider.verify(sessionId);
+
+            expect(result.success).toBe(true);
+            expect(result.user).toEqual(user);
+        });
+
+        it('should store session data', async () => {
+            const user = { id: '123', name: 'Alice' };
+            const sessionId = await provider.createSession(user, { customField: 'value' });
+
+            const session = await provider.getSession(sessionId);
+
+            expect(session).toBeDefined();
+            expect(session?.user).toEqual(user);
+            expect(session?.data?.customField).toBe('value');
+            expect(session?.createdAt).toBeTypeOf('number');
+            expect(session?.lastActiveAt).toBeTypeOf('number');
+        });
+    });
+
+    describe('verify errors', () => {
+        it('should fail for empty session id', async () => {
+            const result = await provider.verify('');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('INVALID_TOKEN');
+        });
+
+        it('should fail for non-existent session', async () => {
+            const result = await provider.verify('non-existent-session');
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('EXPIRED_TOKEN');
+        });
+    });
+
+    describe('with validateUser', () => {
+        it('should validate user on verify', async () => {
+            const validatingProvider = createSessionAuthProvider({
+                storage,
+                validateUser: (user) => user.id !== 'banned'
+            });
+
+            const sessionId = await validatingProvider.createSession({ id: 'banned', name: 'Bad User' });
+            const result = await validatingProvider.verify(sessionId);
+
+            expect(result.success).toBe(false);
+            expect(result.errorCode).toBe('ACCOUNT_DISABLED');
+        });
+
+        it('should pass validation for valid user', async () => {
+            const validatingProvider = createSessionAuthProvider({
+                storage,
+                validateUser: (user) => user.id !== 'banned'
+            });
+
+            const sessionId = await validatingProvider.createSession({ id: '123', name: 'Good User' });
+            const result = await validatingProvider.verify(sessionId);
+
+            expect(result.success).toBe(true);
+        });
+    });
+
+    describe('refresh', () => {
+        it('should refresh session and update lastActiveAt', async () => {
+            const sessionId = await provider.createSession({ id: '123', name: 'Alice' });
+
+            const session1 = await provider.getSession(sessionId);
+            const lastActive1 = session1?.lastActiveAt;
+
+            await new Promise(resolve => setTimeout(resolve, 10));
+
+            const result = await provider.refresh(sessionId);
+            expect(result.success).toBe(true);
+
+            const session2 = await provider.getSession(sessionId);
+            expect(session2?.lastActiveAt).toBeGreaterThanOrEqual(lastActive1!);
+        });
+    });
+
+    describe('revoke', () => {
+        it('should revoke session', async () => {
+            const sessionId = await provider.createSession({ id: '123', name: 'Alice' });
+
+            const revoked = await provider.revoke(sessionId);
+            expect(revoked).toBe(true);
+
+            const result = await provider.verify(sessionId);
+            expect(result.success).toBe(false);
+        });
+    });
+
+    describe('updateSession', () => {
+        it('should update session data', async () => {
+            const sessionId = await provider.createSession({ id: '123', name: 'Alice' });
+
+            const updated = await provider.updateSession(sessionId, { newField: 'newValue' });
+            expect(updated).toBe(true);
+
+            const session = await provider.getSession(sessionId);
+            expect(session?.data?.newField).toBe('newValue');
+        });
+
+        it('should return false for non-existent session', async () => {
+            const updated = await provider.updateSession('non-existent', { field: 'value' });
+            expect(updated).toBe(false);
+        });
+    });
+});
+
+describe('createJwtAuthProvider', () => {
+    it('should create provider with default options', () => {
+        const provider = createJwtAuthProvider({ secret: 'test' });
+        expect(provider.name).toBe('jwt');
+    });
+});
+
+describe('createSessionAuthProvider', () => {
+    it('should create provider with default options', () => {
+        const storage: ISessionStorage = {
+            get: async () => null,
+            set: async () => {},
+            delete: async () => true
+        };
+
+        const provider = createSessionAuthProvider({ storage });
+        expect(provider.name).toBe('session');
+    });
+});
--- a/packages/framework/server/src/auth/context.ts
+++ b/packages/framework/server/src/auth/context.ts
@@ -0,0 +1,202 @@
+/**
+ * @zh 认证上下文实现
+ * @en Authentication context implementation
+ */
+
+import type { IAuthContext, AuthResult } from './types.js';
+
+/**
+ * @zh 用户信息提取器
+ * @en User info extractor
+ */
+export interface UserInfoExtractor<TUser> {
+    /**
+     * @zh 提取用户 ID
+     * @en Extract user ID
+     */
+    getId(user: TUser): string;
+
+    /**
+     * @zh 提取用户角色
+     * @en Extract user roles
+     */
+    getRoles(user: TUser): string[];
+}
+
+/**
+ * @zh 默认用户信息提取器
+ * @en Default user info extractor
+ */
+export const defaultUserExtractor: UserInfoExtractor<unknown> = {
+    getId(user: unknown): string {
+        if (user && typeof user === 'object') {
+            const u = user as Record<string, unknown>;
+            if (typeof u.id === 'string') return u.id;
+            if (typeof u.id === 'number') return String(u.id);
+            if (typeof u.userId === 'string') return u.userId;
+            if (typeof u.userId === 'number') return String(u.userId);
+            if (typeof u.sub === 'string') return u.sub;
+        }
+        return '';
+    },
+
+    getRoles(user: unknown): string[] {
+        if (user && typeof user === 'object') {
+            const u = user as Record<string, unknown>;
+            if (Array.isArray(u.roles)) {
+                return u.roles.filter((r): r is string => typeof r === 'string');
+            }
+            if (typeof u.role === 'string') {
+                return [u.role];
+            }
+        }
+        return [];
+    }
+};
+
+/**
+ * @zh 认证上下文
+ * @en Authentication context
+ *
+ * @zh 存储连接的认证状态
+ * @en Stores authentication state for a connection
+ */
+export class AuthContext<TUser = unknown> implements IAuthContext<TUser> {
+    private _isAuthenticated: boolean = false;
+    private _user: TUser | null = null;
+    private _userId: string | null = null;
+    private _roles: string[] = [];
+    private _authenticatedAt: number | null = null;
+    private _expiresAt: number | null = null;
+    private _extractor: UserInfoExtractor<TUser>;
+
+    constructor(extractor?: UserInfoExtractor<TUser>) {
+        this._extractor = (extractor ?? defaultUserExtractor) as UserInfoExtractor<TUser>;
+    }
+
+    /**
+     * @zh 是否已认证
+     * @en Whether authenticated
+     */
+    get isAuthenticated(): boolean {
+        if (this._expiresAt && Date.now() > this._expiresAt) {
+            return false;
+        }
+        return this._isAuthenticated;
+    }
+
+    /**
+     * @zh 用户信息
+     * @en User information
+     */
+    get user(): TUser | null {
+        return this._user;
+    }
+
+    /**
+     * @zh 用户 ID
+     * @en User ID
+     */
+    get userId(): string | null {
+        return this._userId;
+    }
+
+    /**
+     * @zh 用户角色
+     * @en User roles
+     */
+    get roles(): ReadonlyArray<string> {
+        return this._roles;
+    }
+
+    /**
+     * @zh 认证时间
+     * @en Authentication timestamp
+     */
+    get authenticatedAt(): number | null {
+        return this._authenticatedAt;
+    }
+
+    /**
+     * @zh 令牌过期时间
+     * @en Token expiration time
+     */
+    get expiresAt(): number | null {
+        return this._expiresAt;
+    }
+
+    /**
+     * @zh 检查是否有指定角色
+     * @en Check if has specified role
+     */
+    hasRole(role: string): boolean {
+        return this._roles.includes(role);
+    }
+
+    /**
+     * @zh 检查是否有任一指定角色
+     * @en Check if has any of specified roles
+     */
+    hasAnyRole(roles: string[]): boolean {
+        return roles.some(role => this._roles.includes(role));
+    }
+
+    /**
+     * @zh 检查是否有所有指定角色
+     * @en Check if has all specified roles
+     */
+    hasAllRoles(roles: string[]): boolean {
+        return roles.every(role => this._roles.includes(role));
+    }
+
+    /**
+     * @zh 设置认证结果
+     * @en Set authentication result
+     */
+    setAuthenticated(result: AuthResult<TUser>): void {
+        if (result.success && result.user) {
+            this._isAuthenticated = true;
+            this._user = result.user;
+            this._userId = this._extractor.getId(result.user);
+            this._roles = this._extractor.getRoles(result.user);
+            this._authenticatedAt = Date.now();
+            this._expiresAt = result.expiresAt ?? null;
+        } else {
+            this.clear();
+        }
+    }
+
+    /**
+     * @zh 清除认证状态
+     * @en Clear authentication state
+     */
+    clear(): void {
+        this._isAuthenticated = false;
+        this._user = null;
+        this._userId = null;
+        this._roles = [];
+        this._authenticatedAt = null;
+        this._expiresAt = null;
+    }
+}
+
+/**
+ * @zh 创建访客认证上下文
+ * @en Create guest auth context
+ */
+export function createGuestContext<TUser = unknown>(): IAuthContext<TUser> {
+    return new AuthContext<TUser>();
+}
+
+/**
+ * @zh 从认证结果创建认证上下文
+ * @en Create auth context from auth result
+ */
+export function createAuthContext<TUser = unknown>(
+    result: AuthResult<TUser>,
+    extractor?: UserInfoExtractor<TUser>
+): AuthContext<TUser> {
+    const context = new AuthContext<TUser>(extractor);
+    context.setAuthenticated(result);
+    return context;
+}
--- a/packages/framework/server/src/auth/decorators/index.ts
+++ b/packages/framework/server/src/auth/decorators/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @zh 认证装饰器
+ * @en Authentication decorators
+ */
+
+export {
+    requireAuth,
+    getAuthMetadata,
+    AUTH_METADATA_KEY,
+    type AuthMetadata
+} from './requireAuth.js';
+
+export { requireRole } from './requireRole.js';
--- a/packages/framework/server/src/auth/decorators/requireAuth.ts
+++ b/packages/framework/server/src/auth/decorators/requireAuth.ts
@@ -0,0 +1,86 @@
+/**
+ * @zh requireAuth 装饰器
+ * @en requireAuth decorator
+ */
+
+import type { RequireAuthOptions } from '../types.js';
+
+/**
+ * @zh 认证元数据键
+ * @en Auth metadata key
+ */
+export const AUTH_METADATA_KEY = Symbol('authMetadata');
+
+/**
+ * @zh 认证元数据
+ * @en Auth metadata
+ */
+export interface AuthMetadata {
+    requireAuth: boolean;
+    options?: RequireAuthOptions;
+    roles?: string[];
+    roleMode?: 'any' | 'all';
+}
+
+/**
+ * @zh 获取方法的认证元数据
+ * @en Get auth metadata for method
+ */
+export function getAuthMetadata(target: any, propertyKey: string): AuthMetadata | undefined {
+    const metadata = target[AUTH_METADATA_KEY] as Map<string, AuthMetadata> | undefined;
+    return metadata?.get(propertyKey);
+}
+
+/**
+ * @zh 设置方法的认证元数据
+ * @en Set auth metadata for method
+ */
+function setAuthMetadata(target: any, propertyKey: string, metadata: AuthMetadata): void {
+    if (!target[AUTH_METADATA_KEY]) {
+        target[AUTH_METADATA_KEY] = new Map<string, AuthMetadata>();
+    }
+    (target[AUTH_METADATA_KEY] as Map<string, AuthMetadata>).set(propertyKey, metadata);
+}
+
+/**
+ * @zh 要求认证装饰器
+ * @en Require authentication decorator
+ *
+ * @zh 标记方法需要认证才能访问，用于消息处理器
+ * @en Marks method as requiring authentication, used for message handlers
+ *
+ * @example
+ * ```typescript
+ * class GameRoom extends withRoomAuth(Room) {
+ *     @requireAuth()
+ *     @onMessage('Trade')
+ *     handleTrade(data: TradeData, player: AuthPlayer) {
+ *         // Only authenticated players can trade
+ *     }
+ *
+ *     @requireAuth({ allowGuest: true })
+ *     @onMessage('Chat')
+ *     handleChat(data: ChatData, player: AuthPlayer) {
+ *         // Guests can also chat
+ *     }
+ * }
+ * ```
+ */
+export function requireAuth(options?: RequireAuthOptions): MethodDecorator {
+    return function (
+        target: any,
+        propertyKey: string | symbol,
+        descriptor: PropertyDescriptor
+    ) {
+        const key = String(propertyKey);
+        const existing = getAuthMetadata(target, key);
+
+        setAuthMetadata(target, key, {
+            ...existing,
+            requireAuth: true,
+            options
+        });
+
+        return descriptor;
+    };
+}
--- a/packages/framework/server/src/auth/decorators/requireRole.ts
+++ b/packages/framework/server/src/auth/decorators/requireRole.ts
@@ -0,0 +1,73 @@
+/**
+ * @zh requireRole 装饰器
+ * @en requireRole decorator
+ */
+
+import type { RequireRoleOptions } from '../types.js';
+import { AUTH_METADATA_KEY, getAuthMetadata, type AuthMetadata } from './requireAuth.js';
+
+/**
+ * @zh 设置方法的认证元数据
+ * @en Set auth metadata for method
+ */
+function setAuthMetadata(target: any, propertyKey: string, metadata: AuthMetadata): void {
+    if (!target[AUTH_METADATA_KEY]) {
+        target[AUTH_METADATA_KEY] = new Map<string, AuthMetadata>();
+    }
+    (target[AUTH_METADATA_KEY] as Map<string, AuthMetadata>).set(propertyKey, metadata);
+}
+
+/**
+ * @zh 要求角色装饰器
+ * @en Require role decorator
+ *
+ * @zh 标记方法需要特定角色才能访问
+ * @en Marks method as requiring specific role(s)
+ *
+ * @example
+ * ```typescript
+ * class AdminRoom extends withRoomAuth(Room) {
+ *     @requireRole('admin')
+ *     @onMessage('Ban')
+ *     handleBan(data: BanData, player: AuthPlayer) {
+ *         // Only admins can ban
+ *     }
+ *
+ *     @requireRole(['moderator', 'admin'])
+ *     @onMessage('Mute')
+ *     handleMute(data: MuteData, player: AuthPlayer) {
+ *         // Moderators or admins can mute
+ *     }
+ *
+ *     @requireRole(['verified', 'premium'], { mode: 'all' })
+ *     @onMessage('SpecialFeature')
+ *     handleSpecial(data: any, player: AuthPlayer) {
+ *         // Requires both verified AND premium roles
+ *     }
+ * }
+ * ```
+ */
+export function requireRole(
+    roles: string | string[],
+    options?: RequireRoleOptions
+): MethodDecorator {
+    return function (
+        target: any,
+        propertyKey: string | symbol,
+        descriptor: PropertyDescriptor
+    ) {
+        const key = String(propertyKey);
+        const existing = getAuthMetadata(target, key);
+        const roleArray = Array.isArray(roles) ? roles : [roles];
+
+        setAuthMetadata(target, key, {
+            ...existing,
+            requireAuth: true,
+            roles: roleArray,
+            roleMode: options?.mode ?? 'any',
+            options
+        });
+
+        return descriptor;
+    };
+}
--- a/packages/framework/server/src/auth/index.ts
+++ b/packages/framework/server/src/auth/index.ts
@@ -0,0 +1,129 @@
+/**
+ * @zh 认证模块
+ * @en Authentication module
+ *
+ * @zh 为 @esengine/server 提供可插拔的认证系统
+ * @en Provides pluggable authentication system for @esengine/server
+ *
+ * @example
+ * ```typescript
+ * import { createServer, Room, onMessage } from '@esengine/server';
+ * import {
+ *     withAuth,
+ *     withRoomAuth,
+ *     createJwtAuthProvider,
+ *     requireAuth,
+ *     requireRole,
+ *     type AuthPlayer
+ * } from '@esengine/server/auth';
+ *
+ * // 1. Create auth provider
+ * const jwtProvider = createJwtAuthProvider({
+ *     secret: process.env.JWT_SECRET!,
+ *     expiresIn: 3600,
+ * });
+ *
+ * // 2. Wrap server with auth
+ * const server = withAuth(await createServer({ port: 3000 }), {
+ *     provider: jwtProvider,
+ *     extractCredentials: (req) => {
+ *         const url = new URL(req.url, 'http://localhost');
+ *         return url.searchParams.get('token');
+ *     },
+ * });
+ *
+ * // 3. Create auth-enabled room
+ * class GameRoom extends withRoomAuth<User>(Room, {
+ *     requireAuth: true,
+ *     allowedRoles: ['player'],
+ * }) {
+ *     onJoin(player: AuthPlayer<User>) {
+ *         console.log(`${player.user?.name} joined`);
+ *     }
+ *
+ *     @requireAuth()
+ *     @onMessage('Chat')
+ *     handleChat(data: { text: string }, player: AuthPlayer<User>) {
+ *         this.broadcast('Chat', { from: player.user?.name, text: data.text });
+ *     }
+ *
+ *     @requireRole('admin')
+ *     @onMessage('Kick')
+ *     handleKick(data: { playerId: string }, player: AuthPlayer<User>) {
+ *         this.kick(data.playerId);
+ *     }
+ * }
+ *
+ * server.define('game', GameRoom);
+ * await server.start();
+ * ```
+ */
+
+// Types
+export type {
+    AuthResult,
+    AuthErrorCode,
+    IAuthProvider,
+    IAuthContext,
+    AuthConnectionData,
+    AuthConnection,
+    AuthApiContext,
+    AuthMsgContext,
+    ConnectionRequest,
+    AuthServerConfig,
+    AuthGameServer,
+    AuthRoomConfig,
+    RequireAuthOptions,
+    RequireRoleOptions
+} from './types.js';
+
+// Context
+export {
+    AuthContext,
+    createGuestContext,
+    createAuthContext,
+    defaultUserExtractor,
+    type UserInfoExtractor
+} from './context.js';
+
+// Providers
+export {
+    JwtAuthProvider,
+    createJwtAuthProvider,
+    type JwtAuthConfig,
+    type JwtPayload
+} from './providers/JwtAuthProvider.js';
+
+export {
+    SessionAuthProvider,
+    createSessionAuthProvider,
+    type SessionAuthConfig,
+    type SessionData,
+    type ISessionStorage
+} from './providers/SessionAuthProvider.js';
+
+// Mixins
+export {
+    withAuth,
+    getAuthContext,
+    setAuthContext,
+    requireAuthentication,
+    requireRole as requireRoleCheck
+} from './mixin/withAuth.js';
+
+export {
+    withRoomAuth,
+    AuthRoomBase,
+    type AuthPlayer,
+    type IAuthRoom,
+    type AuthRoomClass
+} from './mixin/withRoomAuth.js';
+
+// Decorators
+export {
+    requireAuth,
+    requireRole,
+    getAuthMetadata,
+    AUTH_METADATA_KEY,
+    type AuthMetadata
+} from './decorators/index.js';
--- a/packages/framework/server/src/auth/mixin/index.ts
+++ b/packages/framework/server/src/auth/mixin/index.ts
@@ -0,0 +1,20 @@
+/**
+ * @zh 认证 Mixin
+ * @en Authentication mixins
+ */
+
+export {
+    withAuth,
+    getAuthContext,
+    setAuthContext,
+    requireAuthentication,
+    requireRole
+} from './withAuth.js';
+
+export {
+    withRoomAuth,
+    AuthRoomBase,
+    type AuthPlayer,
+    type IAuthRoom,
+    type AuthRoomClass
+} from './withRoomAuth.js';
--- a/packages/framework/server/src/auth/mixin/withAuth.ts
+++ b/packages/framework/server/src/auth/mixin/withAuth.ts
@@ -0,0 +1,221 @@
+/**
+ * @zh 服务器认证 Mixin
+ * @en Server authentication mixin
+ */
+
+import type { ServerConnection, GameServer } from '../../types/index.js';
+import type {
+    IAuthProvider,
+    AuthResult,
+    AuthServerConfig,
+    AuthGameServer,
+    IAuthContext,
+    ConnectionRequest
+} from '../types.js';
+import { AuthContext } from '../context.js';
+
+/**
+ * @zh 认证数据键
+ * @en Auth data key
+ */
+const AUTH_CONTEXT_KEY = Symbol('authContext');
+
+/**
+ * @zh 获取连接的认证上下文
+ * @en Get auth context for connection
+ */
+export function getAuthContext<TUser = unknown>(conn: ServerConnection): IAuthContext<TUser> | null {
+    const data = conn.data as Record<symbol, unknown>;
+    return (data[AUTH_CONTEXT_KEY] as IAuthContext<TUser>) ?? null;
+}
+
+/**
+ * @zh 设置连接的认证上下文
+ * @en Set auth context for connection
+ */
+export function setAuthContext<TUser = unknown>(conn: ServerConnection, context: IAuthContext<TUser>): void {
+    const data = conn.data as Record<symbol, unknown>;
+    data[AUTH_CONTEXT_KEY] = context;
+}
+
+/**
+ * @zh 包装服务器添加认证功能
+ * @en Wrap server with authentication functionality
+ *
+ * @zh 使用 mixin 模式为服务器添加认证能力，不修改原始服务器
+ * @en Uses mixin pattern to add authentication to server without modifying original
+ *
+ * @example
+ * ```typescript
+ * import { createServer } from '@esengine/server';
+ * import { withAuth, createJwtAuthProvider } from '@esengine/server/auth';
+ *
+ * const jwtProvider = createJwtAuthProvider({
+ *     secret: 'your-secret-key',
+ *     expiresIn: 3600,
+ * });
+ *
+ * const server = withAuth(await createServer({ port: 3000 }), {
+ *     provider: jwtProvider,
+ *     extractCredentials: (req) => {
+ *         const url = new URL(req.url, 'http://localhost');
+ *         return url.searchParams.get('token');
+ *     },
+ *     onAuthSuccess: (conn, user) => {
+ *         console.log(`User ${user.name} authenticated`);
+ *     },
+ *     onAuthFailure: (conn, error) => {
+ *         console.log(`Auth failed: ${error.error}`);
+ *     }
+ * });
+ *
+ * await server.start();
+ * ```
+ */
+export function withAuth<TUser = unknown>(
+    server: GameServer,
+    config: AuthServerConfig<TUser>
+): AuthGameServer<TUser> {
+    const {
+        provider,
+        extractCredentials,
+        autoAuthOnConnect = true,
+        disconnectOnAuthFailure = false,
+        onAuthSuccess,
+        onAuthFailure
+    } = config;
+
+    const originalConnections = server.connections;
+    const connectionAuthMap = new WeakMap<ServerConnection, AuthContext<TUser>>();
+
+    const authServer: AuthGameServer<TUser> = {
+        ...server,
+
+        get authProvider(): IAuthProvider<TUser> {
+            return provider;
+        },
+
+        async authenticate(
+            conn: ServerConnection,
+            credentials: unknown
+        ): Promise<AuthResult<TUser>> {
+            const result = await provider.verify(credentials as never);
+
+            let authContext = connectionAuthMap.get(conn);
+            if (!authContext) {
+                authContext = new AuthContext<TUser>();
+                connectionAuthMap.set(conn, authContext);
+                setAuthContext(conn, authContext);
+            }
+
+            if (result.success) {
+                authContext.setAuthenticated(result);
+                await onAuthSuccess?.(conn, result.user!);
+            } else {
+                authContext.clear();
+                await onAuthFailure?.(conn, result);
+            }
+
+            return result;
+        },
+
+        getAuthContext(conn: ServerConnection): IAuthContext<TUser> | null {
+            return connectionAuthMap.get(conn) ?? null;
+        },
+
+        get connections(): ReadonlyArray<ServerConnection> {
+            return originalConnections;
+        }
+    };
+
+    const originalOnConnect = (server as any)._onConnect;
+    (server as any)._onConnect = async (conn: ServerConnection, req?: unknown) => {
+        const authContext = new AuthContext<TUser>();
+        connectionAuthMap.set(conn, authContext);
+        setAuthContext(conn, authContext);
+
+        if (autoAuthOnConnect && extractCredentials && req) {
+            try {
+                const connReq = req as ConnectionRequest;
+                const credentials = await extractCredentials(connReq);
+
+                if (credentials) {
+                    const result = await provider.verify(credentials as never);
+
+                    if (result.success) {
+                        authContext.setAuthenticated(result);
+                        await onAuthSuccess?.(conn, result.user!);
+                    } else {
+                        await onAuthFailure?.(conn, result);
+
+                        if (disconnectOnAuthFailure) {
+                            (conn as any).close?.();
+                            return;
+                        }
+                    }
+                }
+            } catch (error) {
+                console.error('[Auth] Error during auto-authentication:', error);
+            }
+        }
+
+        if (originalOnConnect) {
+            await originalOnConnect(conn, req);
+        }
+    };
+
+    const originalOnDisconnect = (server as any)._onDisconnect;
+    (server as any)._onDisconnect = async (conn: ServerConnection) => {
+        connectionAuthMap.delete(conn);
+
+        if (originalOnDisconnect) {
+            await originalOnDisconnect(conn);
+        }
+    };
+
+    return authServer;
+}
+
+/**
+ * @zh 创建认证中间件
+ * @en Create authentication middleware
+ *
+ * @zh 用于在 API 处理器中检查认证状态
+ * @en Used to check authentication status in API handlers
+ */
+export function requireAuthentication<TUser = unknown>(
+    conn: ServerConnection,
+    options?: { errorMessage?: string }
+): IAuthContext<TUser> {
+    const auth = getAuthContext<TUser>(conn);
+
+    if (!auth || !auth.isAuthenticated) {
+        throw new Error(options?.errorMessage ?? 'Authentication required');
+    }
+
+    return auth;
+}
+
+/**
+ * @zh 创建角色检查中间件
+ * @en Create role check middleware
+ */
+export function requireRole<TUser = unknown>(
+    conn: ServerConnection,
+    roles: string | string[],
+    options?: { mode?: 'any' | 'all'; errorMessage?: string }
+): IAuthContext<TUser> {
+    const auth = requireAuthentication<TUser>(conn);
+    const roleArray = Array.isArray(roles) ? roles : [roles];
+    const mode = options?.mode ?? 'any';
+
+    const hasRole = mode === 'any'
+        ? auth.hasAnyRole(roleArray)
+        : auth.hasAllRoles(roleArray);
+
+    if (!hasRole) {
+        throw new Error(options?.errorMessage ?? 'Insufficient permissions');
+    }
+
+    return auth;
+}
--- a/packages/framework/server/src/auth/mixin/withRoomAuth.ts
+++ b/packages/framework/server/src/auth/mixin/withRoomAuth.ts
@@ -0,0 +1,317 @@
+/**
+ * @zh 房间认证 Mixin
+ * @en Room authentication mixin
+ */
+
+import type { Room, Player } from '../../room/index.js';
+import type { IAuthContext, AuthRoomConfig } from '../types.js';
+import { getAuthContext } from './withAuth.js';
+import { createGuestContext } from '../context.js';
+
+/**
+ * @zh 带认证的玩家
+ * @en Player with authentication
+ */
+export interface AuthPlayer<TUser = unknown, TData = Record<string, unknown>> extends Player<TData> {
+    /**
+     * @zh 认证上下文
+     * @en Authentication context
+     */
+    readonly auth: IAuthContext<TUser>;
+
+    /**
+     * @zh 用户信息（快捷访问）
+     * @en User info (shortcut)
+     */
+    readonly user: TUser | null;
+}
+
+/**
+ * @zh 带认证的房间接口
+ * @en Room with authentication interface
+ */
+export interface IAuthRoom<TUser = unknown> {
+    /**
+     * @zh 认证钩子（在 onJoin 之前调用）
+     * @en Auth hook (called before onJoin)
+     */
+    onAuth?(player: AuthPlayer<TUser>): boolean | Promise<boolean>;
+
+    /**
+     * @zh 获取带认证信息的玩家
+     * @en Get player with auth info
+     */
+    getAuthPlayer(id: string): AuthPlayer<TUser> | undefined;
+
+    /**
+     * @zh 获取所有带认证信息的玩家
+     * @en Get all players with auth info
+     */
+    getAuthPlayers(): AuthPlayer<TUser>[];
+
+    /**
+     * @zh 按角色获取玩家
+     * @en Get players by role
+     */
+    getPlayersByRole(role: string): AuthPlayer<TUser>[];
+
+    /**
+     * @zh 按用户 ID 获取玩家
+     * @en Get player by user ID
+     */
+    getPlayerByUserId(userId: string): AuthPlayer<TUser> | undefined;
+}
+
+/**
+ * @zh 认证房间构造器类型
+ * @en Auth room constructor type
+ */
+export type AuthRoomClass<TUser = unknown> = new (...args: any[]) => Room & IAuthRoom<TUser>;
+
+/**
+ * @zh 玩家认证上下文存储
+ * @en Player auth context storage
+ */
+const playerAuthContexts = new WeakMap<Player, IAuthContext<unknown>>();
+
+/**
+ * @zh 包装玩家对象添加认证信息
+ * @en Wrap player object with auth info
+ */
+function wrapPlayerWithAuth<TUser>(player: Player, authContext: IAuthContext<TUser>): AuthPlayer<TUser> {
+    playerAuthContexts.set(player, authContext);
+
+    Object.defineProperty(player, 'auth', {
+        get: () => playerAuthContexts.get(player) ?? createGuestContext<TUser>(),
+        enumerable: true,
+        configurable: false
+    });
+
+    Object.defineProperty(player, 'user', {
+        get: () => (playerAuthContexts.get(player) as IAuthContext<TUser> | undefined)?.user ?? null,
+        enumerable: true,
+        configurable: false
+    });
+
+    return player as AuthPlayer<TUser>;
+}
+
+/**
+ * @zh 包装房间类添加认证功能
+ * @en Wrap room class with authentication functionality
+ *
+ * @zh 使用 mixin 模式为房间添加认证检查，在玩家加入前验证认证状态
+ * @en Uses mixin pattern to add auth checks to room, validates auth before player joins
+ *
+ * @example
+ * ```typescript
+ * import { Room, onMessage } from '@esengine/server';
+ * import { withRoomAuth, type AuthPlayer } from '@esengine/server/auth';
+ *
+ * interface User {
+ *     id: string;
+ *     name: string;
+ *     roles: string[];
+ * }
+ *
+ * class GameRoom extends withRoomAuth<User>(Room, {
+ *     requireAuth: true,
+ *     allowedRoles: ['player', 'premium'],
+ * }) {
+ *     onJoin(player: AuthPlayer<User>) {
+ *         console.log(`${player.user?.name} joined the game`);
+ *         this.broadcast('PlayerJoined', {
+ *             id: player.id,
+ *             name: player.user?.name
+ *         });
+ *     }
+ *
+ *     // Optional: custom auth validation
+ *     async onAuth(player: AuthPlayer<User>): Promise<boolean> {
+ *         // Additional validation logic
+ *         if (player.auth.hasRole('banned')) {
+ *             return false;
+ *         }
+ *         return true;
+ *     }
+ *
+ *     @onMessage('Chat')
+ *     handleChat(data: { text: string }, player: AuthPlayer<User>) {
+ *         this.broadcast('Chat', {
+ *             from: player.user?.name ?? 'Guest',
+ *             text: data.text
+ *         });
+ *     }
+ * }
+ * ```
+ */
+export function withRoomAuth<TUser = unknown, TBase extends new (...args: any[]) => Room = new (...args: any[]) => Room>(
+    Base: TBase,
+    config: AuthRoomConfig = {}
+): TBase & (new (...args: any[]) => IAuthRoom<TUser>) {
+    const {
+        requireAuth = true,
+        allowedRoles = [],
+        roleCheckMode = 'any'
+    } = config;
+
+    abstract class AuthRoom extends (Base as new (...args: any[]) => Room) implements IAuthRoom<TUser> {
+        private _originalOnJoin: ((player: Player) => void | Promise<void>) | undefined;
+
+        constructor(...args: any[]) {
+            super(...args);
+            this._originalOnJoin = this.onJoin?.bind(this);
+            this.onJoin = this._authOnJoin.bind(this);
+        }
+
+        /**
+         * @zh 认证钩子（可覆盖）
+         * @en Auth hook (can be overridden)
+         */
+        onAuth?(player: AuthPlayer<TUser>): boolean | Promise<boolean>;
+
+        /**
+         * @zh 包装的 onJoin 方法
+         * @en Wrapped onJoin method
+         */
+        private async _authOnJoin(player: Player): Promise<void> {
+            const conn = (player as any).connection ?? (player as any)._conn;
+            const authContext = conn
+                ? (getAuthContext<TUser>(conn) ?? createGuestContext<TUser>())
+                : createGuestContext<TUser>();
+
+            if (requireAuth && !authContext.isAuthenticated) {
+                console.warn(`[AuthRoom] Rejected unauthenticated player: ${player.id}`);
+                this.kick(player as any, 'Authentication required');
+                return;
+            }
+
+            if (allowedRoles.length > 0) {
+                const hasRole = roleCheckMode === 'any'
+                    ? authContext.hasAnyRole(allowedRoles)
+                    : authContext.hasAllRoles(allowedRoles);
+
+                if (!hasRole) {
+                    console.warn(`[AuthRoom] Rejected player ${player.id}: insufficient roles`);
+                    this.kick(player as any, 'Insufficient permissions');
+                    return;
+                }
+            }
+
+            const authPlayer = wrapPlayerWithAuth<TUser>(player, authContext);
+
+            if (typeof this.onAuth === 'function') {
+                try {
+                    const allowed = await this.onAuth(authPlayer);
+                    if (!allowed) {
+                        console.warn(`[AuthRoom] Rejected player ${player.id}: onAuth returned false`);
+                        this.kick(player as any, 'Authentication rejected');
+                        return;
+                    }
+                } catch (error) {
+                    console.error(`[AuthRoom] Error in onAuth for player ${player.id}:`, error);
+                    this.kick(player as any, 'Authentication error');
+                    return;
+                }
+            }
+
+            if (this._originalOnJoin) {
+                await this._originalOnJoin(authPlayer as unknown as Player);
+            }
+        }
+
+        /**
+         * @zh 获取带认证信息的玩家
+         * @en Get player with auth info
+         */
+        getAuthPlayer(id: string): AuthPlayer<TUser> | undefined {
+            const player = this.getPlayer(id);
+            return player as AuthPlayer<TUser> | undefined;
+        }
+
+        /**
+         * @zh 获取所有带认证信息的玩家
+         * @en Get all players with auth info
+         */
+        getAuthPlayers(): AuthPlayer<TUser>[] {
+            return this.players as AuthPlayer<TUser>[];
+        }
+
+        /**
+         * @zh 按角色获取玩家
+         * @en Get players by role
+         */
+        getPlayersByRole(role: string): AuthPlayer<TUser>[] {
+            return this.getAuthPlayers().filter(p => p.auth?.hasRole(role));
+        }
+
+        /**
+         * @zh 按用户 ID 获取玩家
+         * @en Get player by user ID
+         */
+        getPlayerByUserId(userId: string): AuthPlayer<TUser> | undefined {
+            return this.getAuthPlayers().find(p => p.auth?.userId === userId);
+        }
+    }
+
+    return AuthRoom as unknown as TBase & (new (...args: any[]) => IAuthRoom<TUser>);
+}
+
+/**
+ * @zh 抽象认证房间基类
+ * @en Abstract auth room base class
+ *
+ * @zh 如果不想使用 mixin，可以直接继承此类
+ * @en If you don't want to use mixin, you can extend this class directly
+ *
+ * @example
+ * ```typescript
+ * import { AuthRoomBase } from '@esengine/server/auth';
+ *
+ * class GameRoom extends AuthRoomBase<User> {
+ *     protected readonly authConfig = {
+ *         requireAuth: true,
+ *         allowedRoles: ['player']
+ *     };
+ *
+ *     onJoin(player: AuthPlayer<User>) {
+ *         // player has .auth and .user properties
+ *     }
+ * }
+ * ```
+ */
+export abstract class AuthRoomBase<TUser = unknown, TState = any, TPlayerData = Record<string, unknown>>
+    implements IAuthRoom<TUser> {
+
+    /**
+     * @zh 认证配置（子类可覆盖）
+     * @en Auth config (can be overridden by subclass)
+     */
+    protected readonly authConfig: AuthRoomConfig = {
+        requireAuth: true,
+        allowedRoles: [],
+        roleCheckMode: 'any'
+    };
+
+    /**
+     * @zh 认证钩子
+     * @en Auth hook
+     */
+    onAuth?(player: AuthPlayer<TUser>): boolean | Promise<boolean>;
+
+    getAuthPlayer(id: string): AuthPlayer<TUser> | undefined {
+        return undefined;
+    }
+
+    getAuthPlayers(): AuthPlayer<TUser>[] {
+        return [];
+    }
+
+    getPlayersByRole(role: string): AuthPlayer<TUser>[] {
+        return [];
+    }
+
+    getPlayerByUserId(userId: string): AuthPlayer<TUser> | undefined {
+        return undefined;
+    }
+}
--- a/packages/framework/server/src/auth/providers/IAuthProvider.ts
+++ b/packages/framework/server/src/auth/providers/IAuthProvider.ts
@@ -0,0 +1,6 @@
+/**
+ * @zh 认证提供者接口
+ * @en Authentication provider interface
+ */
+
+export type { IAuthProvider, AuthResult, AuthErrorCode } from '../types.js';
--- a/packages/framework/server/src/auth/providers/JwtAuthProvider.ts
+++ b/packages/framework/server/src/auth/providers/JwtAuthProvider.ts
@@ -0,0 +1,253 @@
+/**
+ * @zh JWT 认证提供者
+ * @en JWT authentication provider
+ */
+
+import type { IAuthProvider, AuthResult, AuthErrorCode } from '../types.js';
+import * as jwt from 'jsonwebtoken';
+
+/**
+ * @zh JWT 载荷
+ * @en JWT payload
+ */
+export interface JwtPayload {
+    /**
+     * @zh 主题（用户 ID）
+     * @en Subject (user ID)
+     */
+    sub?: string;
+
+    /**
+     * @zh 签发时间
+     * @en Issued at
+     */
+    iat?: number;
+
+    /**
+     * @zh 过期时间
+     * @en Expiration time
+     */
+    exp?: number;
+
+    /**
+     * @zh 自定义字段
+     * @en Custom fields
+     */
+    [key: string]: unknown;
+}
+
+/**
+ * @zh JWT 认证配置
+ * @en JWT authentication configuration
+ */
+export interface JwtAuthConfig<TUser = unknown> {
+    /**
+     * @zh 密钥
+     * @en Secret key
+     */
+    secret: string;
+
+    /**
+     * @zh 算法
+     * @en Algorithm
+     * @defaultValue 'HS256'
+     */
+    algorithm?: 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512';
+
+    /**
+     * @zh 令牌过期时间（秒）
+     * @en Token expiration in seconds
+     * @defaultValue 3600
+     */
+    expiresIn?: number;
+
+    /**
+     * @zh 从载荷获取用户信息
+     * @en Get user from payload
+     */
+    getUser?: (payload: JwtPayload) => TUser | Promise<TUser | null> | null;
+
+    /**
+     * @zh 签发者
+     * @en Issuer
+     */
+    issuer?: string;
+
+    /**
+     * @zh 受众
+     * @en Audience
+     */
+    audience?: string;
+}
+
+/**
+ * @zh JWT 认证提供者
+ * @en JWT authentication provider
+ *
+ * @zh 使用 jsonwebtoken 库实现 JWT 认证
+ * @en Uses jsonwebtoken library for JWT authentication
+ *
+ * @example
+ * ```typescript
+ * const jwtProvider = createJwtAuthProvider({
+ *     secret: 'your-secret-key',
+ *     expiresIn: 3600,
+ *     getUser: async (payload) => {
+ *         return await db.users.findById(payload.sub);
+ *     }
+ * });
+ * ```
+ */
+export class JwtAuthProvider<TUser = unknown> implements IAuthProvider<TUser, string> {
+    readonly name = 'jwt';
+
+    private _config: Required<Pick<JwtAuthConfig<TUser>, 'secret' | 'algorithm' | 'expiresIn'>> & JwtAuthConfig<TUser>;
+
+    constructor(config: JwtAuthConfig<TUser>) {
+        this._config = {
+            algorithm: 'HS256',
+            expiresIn: 3600,
+            ...config
+        };
+    }
+
+    /**
+     * @zh 验证令牌
+     * @en Verify token
+     */
+    async verify(token: string): Promise<AuthResult<TUser>> {
+        if (!token) {
+            return {
+                success: false,
+                error: 'Token is required',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+
+        try {
+            const verifyOptions: jwt.VerifyOptions = {
+                algorithms: [this._config.algorithm]
+            };
+            if (this._config.issuer) {
+                verifyOptions.issuer = this._config.issuer;
+            }
+            if (this._config.audience) {
+                verifyOptions.audience = this._config.audience;
+            }
+            const payload = jwt.verify(token, this._config.secret, verifyOptions) as JwtPayload;
+
+            let user: TUser | null = null;
+
+            if (this._config.getUser) {
+                user = await this._config.getUser(payload);
+                if (!user) {
+                    return {
+                        success: false,
+                        error: 'User not found',
+                        errorCode: 'USER_NOT_FOUND'
+                    };
+                }
+            } else {
+                user = payload as unknown as TUser;
+            }
+
+            return {
+                success: true,
+                user,
+                token,
+                expiresAt: payload.exp ? payload.exp * 1000 : undefined
+            };
+        } catch (error) {
+            const err = error as Error;
+
+            if (err.name === 'TokenExpiredError') {
+                return {
+                    success: false,
+                    error: 'Token has expired',
+                    errorCode: 'EXPIRED_TOKEN'
+                };
+            }
+
+            return {
+                success: false,
+                error: err.message || 'Invalid token',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+    }
+
+    /**
+     * @zh 刷新令牌
+     * @en Refresh token
+     */
+    async refresh(token: string): Promise<AuthResult<TUser>> {
+        const result = await this.verify(token);
+
+        if (!result.success || !result.user) {
+            return result;
+        }
+
+        const payload = jwt.decode(token) as JwtPayload;
+
+        // Remove JWT standard claims that will be regenerated
+        const { iat, exp, nbf, ...restPayload } = payload;
+
+        const newToken = this.sign(restPayload);
+
+        return {
+            success: true,
+            user: result.user,
+            token: newToken,
+            expiresAt: Date.now() + this._config.expiresIn * 1000
+        };
+    }
+
+    /**
+     * @zh 生成令牌
+     * @en Generate token
+     */
+    sign(payload: Record<string, unknown>): string {
+        const signOptions: jwt.SignOptions = {
+            algorithm: this._config.algorithm,
+            expiresIn: this._config.expiresIn
+        };
+        if (this._config.issuer) {
+            signOptions.issuer = this._config.issuer;
+        }
+        if (this._config.audience) {
+            signOptions.audience = this._config.audience;
+        }
+        return jwt.sign(payload, this._config.secret, signOptions);
+    }
+
+    /**
+     * @zh 解码令牌（不验证）
+     * @en Decode token (without verification)
+     */
+    decode(token: string): JwtPayload | null {
+        return jwt.decode(token) as JwtPayload | null;
+    }
+}
+
+/**
+ * @zh 创建 JWT 认证提供者
+ * @en Create JWT authentication provider
+ *
+ * @example
+ * ```typescript
+ * import { createJwtAuthProvider } from '@esengine/server/auth';
+ *
+ * const jwtProvider = createJwtAuthProvider({
+ *     secret: process.env.JWT_SECRET!,
+ *     expiresIn: 3600,
+ *     getUser: async (payload) => {
+ *         return { id: payload.sub, name: payload.name };
+ *     }
+ * });
+ * ```
+ */
+export function createJwtAuthProvider<TUser = unknown>(
+    config: JwtAuthConfig<TUser>
+): JwtAuthProvider<TUser> {
+    return new JwtAuthProvider<TUser>(config);
+}
--- a/packages/framework/server/src/auth/providers/SessionAuthProvider.ts
+++ b/packages/framework/server/src/auth/providers/SessionAuthProvider.ts
@@ -0,0 +1,292 @@
+/**
+ * @zh Session 认证提供者
+ * @en Session authentication provider
+ */
+
+import { randomBytes } from 'crypto';
+import type { IAuthProvider, AuthResult } from '../types.js';
+
+/**
+ * @zh Session 存储接口（兼容 ITransactionStorage）
+ * @en Session storage interface (compatible with ITransactionStorage)
+ */
+export interface ISessionStorage {
+    get<T>(key: string): Promise<T | null>;
+    set<T>(key: string, value: T, ttl?: number): Promise<void>;
+    delete(key: string): Promise<boolean>;
+}
+
+/**
+ * @zh Session 数据
+ * @en Session data
+ */
+export interface SessionData<TUser = unknown> {
+    /**
+     * @zh 用户信息
+     * @en User information
+     */
+    user: TUser;
+
+    /**
+     * @zh 创建时间
+     * @en Created at
+     */
+    createdAt: number;
+
+    /**
+     * @zh 最后活跃时间
+     * @en Last active at
+     */
+    lastActiveAt: number;
+
+    /**
+     * @zh 自定义数据
+     * @en Custom data
+     */
+    data?: Record<string, unknown>;
+}
+
+/**
+ * @zh Session 认证配置
+ * @en Session authentication configuration
+ */
+export interface SessionAuthConfig<TUser = unknown> {
+    /**
+     * @zh Session 存储
+     * @en Session storage
+     */
+    storage: ISessionStorage;
+
+    /**
+     * @zh Session 过期时间（毫秒）
+     * @en Session expiration in milliseconds
+     * @defaultValue 86400000 (24h)
+     */
+    sessionTTL?: number;
+
+    /**
+     * @zh Session 键前缀
+     * @en Session key prefix
+     * @defaultValue 'session:'
+     */
+    prefix?: string;
+
+    /**
+     * @zh 验证用户（可选额外验证）
+     * @en Validate user (optional extra validation)
+     */
+    validateUser?: (user: TUser) => boolean | Promise<boolean>;
+
+    /**
+     * @zh 是否自动续期
+     * @en Auto renew session
+     * @defaultValue true
+     */
+    autoRenew?: boolean;
+}
+
+/**
+ * @zh Session 认证提供者
+ * @en Session authentication provider
+ *
+ * @zh 基于存储的会话认证，支持 Redis、MongoDB 等后端
+ * @en Storage-based session authentication, supports Redis, MongoDB, etc.
+ *
+ * @example
+ * ```typescript
+ * import { createSessionAuthProvider } from '@esengine/server/auth';
+ * import { createRedisStorage } from '@esengine/transaction';
+ *
+ * const sessionProvider = createSessionAuthProvider({
+ *     storage: createRedisStorage({ factory: () => new Redis() }),
+ *     sessionTTL: 86400000, // 24 hours
+ * });
+ * ```
+ */
+export class SessionAuthProvider<TUser = unknown> implements IAuthProvider<TUser, string> {
+    readonly name = 'session';
+
+    private _config: Required<Pick<SessionAuthConfig<TUser>, 'sessionTTL' | 'prefix' | 'autoRenew'>> & SessionAuthConfig<TUser>;
+
+    constructor(config: SessionAuthConfig<TUser>) {
+        this._config = {
+            sessionTTL: 86400000,
+            prefix: 'session:',
+            autoRenew: true,
+            ...config
+        };
+    }
+
+    /**
+     * @zh 获取存储键
+     * @en Get storage key
+     */
+    private _getKey(sessionId: string): string {
+        return `${this._config.prefix}${sessionId}`;
+    }
+
+    /**
+     * @zh 验证 Session
+     * @en Verify session
+     */
+    async verify(sessionId: string): Promise<AuthResult<TUser>> {
+        if (!sessionId) {
+            return {
+                success: false,
+                error: 'Session ID is required',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+
+        const key = this._getKey(sessionId);
+        const session = await this._config.storage.get<SessionData<TUser>>(key);
+
+        if (!session) {
+            return {
+                success: false,
+                error: 'Session not found or expired',
+                errorCode: 'EXPIRED_TOKEN'
+            };
+        }
+
+        if (this._config.validateUser) {
+            const isValid = await this._config.validateUser(session.user);
+            if (!isValid) {
+                return {
+                    success: false,
+                    error: 'User validation failed',
+                    errorCode: 'ACCOUNT_DISABLED'
+                };
+            }
+        }
+
+        if (this._config.autoRenew) {
+            session.lastActiveAt = Date.now();
+            await this._config.storage.set(key, session, this._config.sessionTTL);
+        }
+
+        return {
+            success: true,
+            user: session.user,
+            token: sessionId,
+            expiresAt: session.createdAt + this._config.sessionTTL
+        };
+    }
+
+    /**
+     * @zh 刷新 Session
+     * @en Refresh session
+     */
+    async refresh(sessionId: string): Promise<AuthResult<TUser>> {
+        const result = await this.verify(sessionId);
+
+        if (!result.success) {
+            return result;
+        }
+
+        const key = this._getKey(sessionId);
+        const session = await this._config.storage.get<SessionData<TUser>>(key);
+
+        if (session) {
+            session.lastActiveAt = Date.now();
+            await this._config.storage.set(key, session, this._config.sessionTTL);
+        }
+
+        return {
+            ...result,
+            expiresAt: Date.now() + this._config.sessionTTL
+        };
+    }
+
+    /**
+     * @zh 撤销 Session
+     * @en Revoke session
+     */
+    async revoke(sessionId: string): Promise<boolean> {
+        const key = this._getKey(sessionId);
+        return await this._config.storage.delete(key);
+    }
+
+    /**
+     * @zh 创建 Session
+     * @en Create session
+     */
+    async createSession(user: TUser, data?: Record<string, unknown>): Promise<string> {
+        const sessionId = this._generateSessionId();
+        const key = this._getKey(sessionId);
+
+        const session: SessionData<TUser> = {
+            user,
+            createdAt: Date.now(),
+            lastActiveAt: Date.now(),
+            data
+        };
+
+        await this._config.storage.set(key, session, this._config.sessionTTL);
+
+        return sessionId;
+    }
+
+    /**
+     * @zh 获取 Session 数据
+     * @en Get session data
+     */
+    async getSession(sessionId: string): Promise<SessionData<TUser> | null> {
+        const key = this._getKey(sessionId);
+        return await this._config.storage.get<SessionData<TUser>>(key);
+    }
+
+    /**
+     * @zh 更新 Session 数据
+     * @en Update session data
+     */
+    async updateSession(sessionId: string, data: Record<string, unknown>): Promise<boolean> {
+        const key = this._getKey(sessionId);
+        const session = await this._config.storage.get<SessionData<TUser>>(key);
+
+        if (!session) {
+            return false;
+        }
+
+        session.data = { ...session.data, ...data };
+        session.lastActiveAt = Date.now();
+        await this._config.storage.set(key, session, this._config.sessionTTL);
+
+        return true;
+    }
+
+    /**
+     * @zh 生成 Session ID（使用加密安全的随机数）
+     * @en Generate session ID (using cryptographically secure random)
+     */
+    private _generateSessionId(): string {
+        return randomBytes(32).toString('hex');
+    }
+}
+
+/**
+ * @zh 创建 Session 认证提供者
+ * @en Create session authentication provider
+ *
+ * @example
+ * ```typescript
+ * import { createSessionAuthProvider } from '@esengine/server/auth';
+ * import { MemoryStorage } from '@esengine/transaction';
+ *
+ * const sessionProvider = createSessionAuthProvider({
+ *     storage: new MemoryStorage(),
+ *     sessionTTL: 3600000, // 1 hour
+ * });
+ *
+ * // Create a session
+ * const sessionId = await sessionProvider.createSession({ id: '1', name: 'Alice' });
+ *
+ * // Verify session
+ * const result = await sessionProvider.verify(sessionId);
+ * ```
+ */
+export function createSessionAuthProvider<TUser = unknown>(
+    config: SessionAuthConfig<TUser>
+): SessionAuthProvider<TUser> {
+    return new SessionAuthProvider<TUser>(config);
+}
--- a/packages/framework/server/src/auth/providers/index.ts
+++ b/packages/framework/server/src/auth/providers/index.ts
@@ -0,0 +1,8 @@
+/**
+ * @zh 认证提供者
+ * @en Authentication providers
+ */
+
+export type { IAuthProvider, AuthResult, AuthErrorCode } from './IAuthProvider.js';
+export { JwtAuthProvider, createJwtAuthProvider, type JwtAuthConfig, type JwtPayload } from './JwtAuthProvider.js';
+export { SessionAuthProvider, createSessionAuthProvider, type SessionAuthConfig, type SessionData, type ISessionStorage } from './SessionAuthProvider.js';
--- a/packages/framework/server/src/auth/testing/MockAuthProvider.ts
+++ b/packages/framework/server/src/auth/testing/MockAuthProvider.ts
@@ -0,0 +1,278 @@
+/**
+ * @zh 模拟认证提供者
+ * @en Mock authentication provider
+ */
+
+import type { IAuthProvider, AuthResult, AuthErrorCode } from '../types.js';
+
+/**
+ * @zh 模拟用户
+ * @en Mock user
+ */
+export interface MockUser {
+    id: string;
+    name?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+
+/**
+ * @zh 模拟认证配置
+ * @en Mock authentication configuration
+ */
+export interface MockAuthConfig {
+    /**
+     * @zh 预设用户列表
+     * @en Preset user list
+     */
+    users?: MockUser[];
+
+    /**
+     * @zh 默认用户（无 token 时返回）
+     * @en Default user (returned when no token)
+     */
+    defaultUser?: MockUser;
+
+    /**
+     * @zh 模拟延迟（毫秒）
+     * @en Simulated delay (ms)
+     */
+    delay?: number;
+
+    /**
+     * @zh 是否自动创建用户
+     * @en Auto create users
+     */
+    autoCreate?: boolean;
+
+    /**
+     * @zh 验证令牌格式
+     * @en Token format validator
+     */
+    validateToken?: (token: string) => boolean;
+}
+
+/**
+ * @zh 模拟认证提供者
+ * @en Mock authentication provider
+ *
+ * @zh 用于测试的认证提供者，不需要真实的 JWT 或数据库
+ * @en Authentication provider for testing, no real JWT or database required
+ *
+ * @example
+ * ```typescript
+ * import { createMockAuthProvider } from '@esengine/server/auth/testing';
+ *
+ * const mockProvider = createMockAuthProvider({
+ *     users: [
+ *         { id: '1', name: 'Alice', roles: ['player'] },
+ *         { id: '2', name: 'Bob', roles: ['admin'] },
+ *     ],
+ *     autoCreate: true, // Unknown tokens create guest users
+ * });
+ *
+ * // Verify with user ID as token
+ * const result = await mockProvider.verify('1');
+ * // result.user = { id: '1', name: 'Alice', roles: ['player'] }
+ * ```
+ */
+export class MockAuthProvider<TUser extends MockUser = MockUser>
+    implements IAuthProvider<TUser, string> {
+
+    readonly name = 'mock';
+
+    private _users: Map<string, TUser>;
+    private _config: MockAuthConfig;
+    private _revokedTokens: Set<string> = new Set();
+
+    constructor(config: MockAuthConfig = {}) {
+        this._config = config;
+        this._users = new Map();
+
+        if (config.users) {
+            for (const user of config.users) {
+                this._users.set(user.id, user as TUser);
+            }
+        }
+    }
+
+    /**
+     * @zh 模拟延迟
+     * @en Simulate delay
+     */
+    private async _delay(): Promise<void> {
+        if (this._config.delay && this._config.delay > 0) {
+            await new Promise(resolve => setTimeout(resolve, this._config.delay));
+        }
+    }
+
+    /**
+     * @zh 验证令牌
+     * @en Verify token
+     */
+    async verify(token: string): Promise<AuthResult<TUser>> {
+        await this._delay();
+
+        if (!token) {
+            if (this._config.defaultUser) {
+                return {
+                    success: true,
+                    user: this._config.defaultUser as TUser,
+                    token: 'default'
+                };
+            }
+            return {
+                success: false,
+                error: 'Token is required',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+
+        if (this._revokedTokens.has(token)) {
+            return {
+                success: false,
+                error: 'Token has been revoked',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+
+        if (this._config.validateToken && !this._config.validateToken(token)) {
+            return {
+                success: false,
+                error: 'Invalid token format',
+                errorCode: 'INVALID_TOKEN'
+            };
+        }
+
+        const user = this._users.get(token);
+
+        if (user) {
+            return {
+                success: true,
+                user,
+                token,
+                expiresAt: Date.now() + 3600000
+            };
+        }
+
+        if (this._config.autoCreate) {
+            const newUser = {
+                id: token,
+                name: `User_${token}`,
+                roles: ['guest']
+            } as TUser;
+
+            this._users.set(token, newUser);
+
+            return {
+                success: true,
+                user: newUser,
+                token,
+                expiresAt: Date.now() + 3600000
+            };
+        }
+
+        return {
+            success: false,
+            error: 'User not found',
+            errorCode: 'USER_NOT_FOUND'
+        };
+    }
+
+    /**
+     * @zh 刷新令牌
+     * @en Refresh token
+     */
+    async refresh(token: string): Promise<AuthResult<TUser>> {
+        return this.verify(token);
+    }
+
+    /**
+     * @zh 撤销令牌
+     * @en Revoke token
+     */
+    async revoke(token: string): Promise<boolean> {
+        this._revokedTokens.add(token);
+        return true;
+    }
+
+    /**
+     * @zh 添加用户
+     * @en Add user
+     */
+    addUser(user: TUser): void {
+        this._users.set(user.id, user);
+    }
+
+    /**
+     * @zh 移除用户
+     * @en Remove user
+     */
+    removeUser(id: string): boolean {
+        return this._users.delete(id);
+    }
+
+    /**
+     * @zh 获取用户
+     * @en Get user
+     */
+    getUser(id: string): TUser | undefined {
+        return this._users.get(id);
+    }
+
+    /**
+     * @zh 获取所有用户
+     * @en Get all users
+     */
+    getUsers(): TUser[] {
+        return Array.from(this._users.values());
+    }
+
+    /**
+     * @zh 清空所有状态
+     * @en Clear all state
+     */
+    clear(): void {
+        this._users.clear();
+        this._revokedTokens.clear();
+
+        if (this._config.users) {
+            for (const user of this._config.users) {
+                this._users.set(user.id, user as TUser);
+            }
+        }
+    }
+
+    /**
+     * @zh 生成测试令牌
+     * @en Generate test token
+     */
+    generateToken(userId: string): string {
+        return userId;
+    }
+}
+
+/**
+ * @zh 创建模拟认证提供者
+ * @en Create mock authentication provider
+ *
+ * @example
+ * ```typescript
+ * const provider = createMockAuthProvider({
+ *     users: [
+ *         { id: 'admin', name: 'Admin', roles: ['admin'] }
+ *     ]
+ * });
+ *
+ * // Use in tests
+ * const server = withAuth(await createServer({ port: 0 }), {
+ *     provider,
+ *     extractCredentials: (req) => req.headers['x-token']
+ * });
+ * ```
+ */
+export function createMockAuthProvider<TUser extends MockUser = MockUser>(
+    config?: MockAuthConfig
+): MockAuthProvider<TUser> {
+    return new MockAuthProvider<TUser>(config);
+}
--- a/packages/framework/server/src/auth/testing/index.ts
+++ b/packages/framework/server/src/auth/testing/index.ts
@@ -0,0 +1,11 @@
+/**
+ * @zh 认证测试工具
+ * @en Authentication testing utilities
+ */
+
+export {
+    MockAuthProvider,
+    createMockAuthProvider,
+    type MockUser,
+    type MockAuthConfig
+} from './MockAuthProvider.js';
--- a/packages/framework/server/src/auth/types.ts
+++ b/packages/framework/server/src/auth/types.ts
@@ -0,0 +1,400 @@
+/**
+ * @zh 认证系统类型定义
+ * @en Authentication system type definitions
+ */
+
+import type { ServerConnection, ApiContext, MsgContext, GameServer } from '../types/index.js';
+
+// ============================================================================
+// Error Codes
+// ============================================================================
+
+/**
+ * @zh 认证错误代码
+ * @en Authentication error codes
+ */
+export type AuthErrorCode =
+    | 'INVALID_CREDENTIALS'
+    | 'EXPIRED_TOKEN'
+    | 'INVALID_TOKEN'
+    | 'USER_NOT_FOUND'
+    | 'ACCOUNT_DISABLED'
+    | 'RATE_LIMITED'
+    | 'INSUFFICIENT_PERMISSIONS';
+
+// ============================================================================
+// Auth Result
+// ============================================================================
+
+/**
+ * @zh 认证结果
+ * @en Authentication result
+ */
+export interface AuthResult<TUser = unknown> {
+    /**
+     * @zh 是否成功
+     * @en Whether succeeded
+     */
+    success: boolean;
+
+    /**
+     * @zh 用户信息
+     * @en User information
+     */
+    user?: TUser;
+
+    /**
+     * @zh 错误信息
+     * @en Error message
+     */
+    error?: string;
+
+    /**
+     * @zh 错误代码
+     * @en Error code
+     */
+    errorCode?: AuthErrorCode;
+
+    /**
+     * @zh 令牌
+     * @en Token
+     */
+    token?: string;
+
+    /**
+     * @zh 令牌过期时间（时间戳）
+     * @en Token expiration time (timestamp)
+     */
+    expiresAt?: number;
+}
+
+// ============================================================================
+// Auth Provider
+// ============================================================================
+
+/**
+ * @zh 认证提供者接口
+ * @en Authentication provider interface
+ */
+export interface IAuthProvider<TUser = unknown, TCredentials = unknown> {
+    /**
+     * @zh 提供者名称
+     * @en Provider name
+     */
+    readonly name: string;
+
+    /**
+     * @zh 验证凭证
+     * @en Verify credentials
+     *
+     * @param credentials - @zh 凭证数据 @en Credential data
+     * @returns @zh 验证结果 @en Verification result
+     */
+    verify(credentials: TCredentials): Promise<AuthResult<TUser>>;
+
+    /**
+     * @zh 刷新令牌（可选）
+     * @en Refresh token (optional)
+     */
+    refresh?(token: string): Promise<AuthResult<TUser>>;
+
+    /**
+     * @zh 撤销令牌（可选）
+     * @en Revoke token (optional)
+     */
+    revoke?(token: string): Promise<boolean>;
+}
+
+// ============================================================================
+// Auth Context
+// ============================================================================
+
+/**
+ * @zh 认证上下文接口
+ * @en Authentication context interface
+ */
+export interface IAuthContext<TUser = unknown> {
+    /**
+     * @zh 是否已认证
+     * @en Whether authenticated
+     */
+    readonly isAuthenticated: boolean;
+
+    /**
+     * @zh 用户信息
+     * @en User information
+     */
+    readonly user: TUser | null;
+
+    /**
+     * @zh 用户 ID
+     * @en User ID
+     */
+    readonly userId: string | null;
+
+    /**
+     * @zh 用户角色
+     * @en User roles
+     */
+    readonly roles: ReadonlyArray<string>;
+
+    /**
+     * @zh 认证时间
+     * @en Authentication timestamp
+     */
+    readonly authenticatedAt: number | null;
+
+    /**
+     * @zh 令牌过期时间
+     * @en Token expiration time
+     */
+    readonly expiresAt: number | null;
+
+    /**
+     * @zh 检查是否有指定角色
+     * @en Check if has specified role
+     */
+    hasRole(role: string): boolean;
+
+    /**
+     * @zh 检查是否有任一指定角色
+     * @en Check if has any of specified roles
+     */
+    hasAnyRole(roles: string[]): boolean;
+
+    /**
+     * @zh 检查是否有所有指定角色
+     * @en Check if has all specified roles
+     */
+    hasAllRoles(roles: string[]): boolean;
+}
+
+// ============================================================================
+// Auth Connection
+// ============================================================================
+
+/**
+ * @zh 认证连接数据
+ * @en Authentication connection data
+ */
+export interface AuthConnectionData<TUser = unknown> {
+    /**
+     * @zh 认证上下文
+     * @en Authentication context
+     */
+    auth: IAuthContext<TUser>;
+}
+
+/**
+ * @zh 带认证的连接
+ * @en Connection with authentication
+ */
+export interface AuthConnection<TUser = unknown, TData extends AuthConnectionData<TUser> = AuthConnectionData<TUser>>
+    extends ServerConnection<TData> {
+    /**
+     * @zh 认证上下文（快捷访问）
+     * @en Authentication context (shortcut)
+     */
+    readonly auth: IAuthContext<TUser>;
+}
+
+/**
+ * @zh 带认证的 API 上下文
+ * @en API context with authentication
+ */
+export interface AuthApiContext<TUser = unknown, TData extends AuthConnectionData<TUser> = AuthConnectionData<TUser>>
+    extends ApiContext<TData> {
+    /**
+     * @zh 当前连接（带认证）
+     * @en Current connection (with auth)
+     */
+    conn: AuthConnection<TUser, TData>;
+}
+
+/**
+ * @zh 带认证的消息上下文
+ * @en Message context with authentication
+ */
+export interface AuthMsgContext<TUser = unknown, TData extends AuthConnectionData<TUser> = AuthConnectionData<TUser>>
+    extends MsgContext<TData> {
+    /**
+     * @zh 当前连接（带认证）
+     * @en Current connection (with auth)
+     */
+    conn: AuthConnection<TUser, TData>;
+}
+
+// ============================================================================
+// Auth Server Config
+// ============================================================================
+
+/**
+ * @zh 连接请求信息
+ * @en Connection request info
+ */
+export interface ConnectionRequest {
+    /**
+     * @zh 请求 URL
+     * @en Request URL
+     */
+    url: string;
+
+    /**
+     * @zh 请求头
+     * @en Request headers
+     */
+    headers: Record<string, string | string[] | undefined>;
+
+    /**
+     * @zh 客户端 IP
+     * @en Client IP
+     */
+    ip: string;
+}
+
+/**
+ * @zh 认证服务器配置
+ * @en Authentication server configuration
+ */
+export interface AuthServerConfig<TUser = unknown> {
+    /**
+     * @zh 认证提供者
+     * @en Authentication provider
+     */
+    provider: IAuthProvider<TUser>;
+
+    /**
+     * @zh 从连接请求提取凭证
+     * @en Extract credentials from connection request
+     */
+    extractCredentials?: (req: ConnectionRequest) => unknown | Promise<unknown>;
+
+    /**
+     * @zh 连接时自动认证
+     * @en Auto authenticate on connection
+     * @defaultValue true
+     */
+    autoAuthOnConnect?: boolean;
+
+    /**
+     * @zh 未认证连接的宽限期（毫秒）
+     * @en Grace period for unauthenticated connections (ms)
+     * @defaultValue 30000
+     */
+    authGracePeriod?: number;
+
+    /**
+     * @zh 认证失败是否断开连接
+     * @en Disconnect on auth failure
+     * @defaultValue false
+     */
+    disconnectOnAuthFailure?: boolean;
+
+    /**
+     * @zh 认证成功回调
+     * @en Authentication success callback
+     */
+    onAuthSuccess?: (conn: ServerConnection, user: TUser) => void | Promise<void>;
+
+    /**
+     * @zh 认证失败回调
+     * @en Authentication failure callback
+     */
+    onAuthFailure?: (conn: ServerConnection, error: AuthResult<TUser>) => void | Promise<void>;
+}
+
+// ============================================================================
+// Auth Game Server
+// ============================================================================
+
+/**
+ * @zh 带认证的游戏服务器
+ * @en Game server with authentication
+ */
+export interface AuthGameServer<TUser = unknown> extends GameServer {
+    /**
+     * @zh 认证提供者
+     * @en Authentication provider
+     */
+    readonly authProvider: IAuthProvider<TUser>;
+
+    /**
+     * @zh 手动认证连接
+     * @en Manually authenticate connection
+     */
+    authenticate(
+        conn: ServerConnection,
+        credentials: unknown
+    ): Promise<AuthResult<TUser>>;
+
+    /**
+     * @zh 获取连接的认证上下文
+     * @en Get auth context for connection
+     */
+    getAuthContext(conn: ServerConnection): IAuthContext<TUser> | null;
+}
+
+// ============================================================================
+// Auth Room Config
+// ============================================================================
+
+/**
+ * @zh 带认证的房间配置
+ * @en Auth room configuration
+ */
+export interface AuthRoomConfig {
+    /**
+     * @zh 是否要求认证才能加入
+     * @en Require authentication to join
+     * @defaultValue true
+     */
+    requireAuth?: boolean;
+
+    /**
+     * @zh 允许的角色（空数组表示任意角色）
+     * @en Allowed roles (empty array means any role)
+     */
+    allowedRoles?: string[];
+
+    /**
+     * @zh 角色检查模式
+     * @en Role check mode
+     * @defaultValue 'any'
+     */
+    roleCheckMode?: 'any' | 'all';
+}
+
+// ============================================================================
+// Decorator Options
+// ============================================================================
+
+/**
+ * @zh requireAuth 装饰器选项
+ * @en requireAuth decorator options
+ */
+export interface RequireAuthOptions {
+    /**
+     * @zh 认证失败时的错误消息
+     * @en Error message on auth failure
+     */
+    errorMessage?: string;
+
+    /**
+     * @zh 是否允许访客
+     * @en Allow guest access
+     */
+    allowGuest?: boolean;
+}
+
+/**
+ * @zh requireRole 装饰器选项
+ * @en requireRole decorator options
+ */
+export interface RequireRoleOptions extends RequireAuthOptions {
+    /**
+     * @zh 角色检查模式
+     * @en Role check mode
+     * @defaultValue 'any'
+     */
+    mode?: 'any' | 'all';
+}
--- a/packages/framework/server/tsup.config.ts
+++ b/packages/framework/server/tsup.config.ts
@@ -1,11 +1,16 @@
 import { defineConfig } from 'tsup'

 export default defineConfig({
-    entry: ['src/index.ts', 'src/testing/index.ts'],
+    entry: [
+        'src/index.ts',
+        'src/auth/index.ts',
+        'src/auth/testing/index.ts',
+        'src/testing/index.ts'
+    ],
    format: ['esm'],
    dts: true,
    clean: true,
    sourcemap: true,
-    external: ['ws', '@esengine/rpc', '@esengine/rpc/codec'],
+    external: ['ws', 'jsonwebtoken', '@esengine/rpc', '@esengine/rpc/codec'],
    treeshake: true,
 })
--- a/packages/framework/transaction/CHANGELOG.md
+++ b/packages/framework/transaction/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @esengine/transaction

+## 2.0.1
+
+### Patch Changes
+
+- Updated dependencies [[`61a13ba`](https://github.com/esengine/esengine/commit/61a13baca2e1e8fba14e23d439521ec0e6b7ca6e)]:
+    - @esengine/server@1.2.0
+
 ## 2.0.0

 ### Major Changes
--- a/packages/framework/transaction/package.json
+++ b/packages/framework/transaction/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@esengine/transaction",
-    "version": "2.0.0",
+    "version": "2.0.1",
    "description": "Game transaction system with distributed support | 游戏事务系统，支持分布式事务",
    "type": "module",
    "main": "./dist/index.js",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1688,12 +1688,18 @@ importers:
        specifier: workspace:*
        version: link:../rpc
    devDependencies:
+      '@types/jsonwebtoken':
+        specifier: ^9.0.0
+        version: 9.0.10
      '@types/node':
        specifier: ^20.0.0
        version: 20.19.27
      '@types/ws':
        specifier: ^8.5.13
        version: 8.18.1
+      jsonwebtoken:
+        specifier: ^9.0.0
+        version: 9.0.3
      rimraf:
        specifier: ^5.0.0
        version: 5.0.10
@@ -5183,6 +5189,9 @@ packages:
  '@types/json-schema@7.0.15':
    resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==}

+  '@types/jsonwebtoken@9.0.10':
+    resolution: {integrity: sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==}
+
  '@types/linkify-it@5.0.0':
    resolution: {integrity: sha512-sVDA58zAw4eWAffKOaQH5/5j3XeayukzDk+ewSsnv3p4yJEZHCCzMDiZM8e0OUrRvmpGZ85jf4yDHkHsgBNr9Q==}

@@ -5911,6 +5920,9 @@ packages:
    resolution: {integrity: sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng==}
    engines: {node: '>=16.20.1'}

+  buffer-equal-constant-time@1.0.1:
+    resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==}
+
  buffer-from@1.1.2:
    resolution: {integrity: sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==}

@@ -6604,6 +6616,9 @@ packages:
  eastasianwidth@0.2.0:
    resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}

+  ecdsa-sig-formatter@1.0.11:
+    resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==}
+
  editorconfig@0.15.3:
    resolution: {integrity: sha512-M9wIMFx96vq0R4F+gRpY3o2exzb8hEj/n9S8unZtHSvYjibBp/iMufSzvmOcV/laG0ZtuTVGtiJggPOSW2r93g==}
    hasBin: true
@@ -7968,6 +7983,10 @@ packages:
    resolution: {integrity: sha512-POQXvpdL69+CluYsillJ7SUhKvytYjW9vG/GKpnf+xP8UWgYEM/RaMzHHofbALDiKbbP1W8UEYmgGl39WkPZsg==}
    engines: {'0': node >= 0.2.0}

+  jsonwebtoken@9.0.3:
+    resolution: {integrity: sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==}
+    engines: {node: '>=12', npm: '>=6'}
+
  jszip@3.10.1:
    resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==}

@@ -7977,6 +7996,12 @@ packages:
  just-diff@6.0.2:
    resolution: {integrity: sha512-S59eriX5u3/QhMNq3v/gm8Kd0w8OS6Tz2FS1NG4blv+z0MuQcBRJyFWjdovM0Rad4/P4aUPFtnkNjMjyMlMSYA==}

+  jwa@2.0.1:
+    resolution: {integrity: sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==}
+
+  jws@4.0.1:
+    resolution: {integrity: sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==}
+
  k8w-crypto@0.2.0:
    resolution: {integrity: sha512-M6u4eQ6CQaU5xO3s4zaUUp9G79xNDhXtTU0X7N80tDcBhQC5ggowlyOzj95v7WiCuk7xkV0aFsTmCpuf0m0djw==}

@@ -8176,9 +8201,15 @@ packages:
    resolution: {integrity: sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==}
    deprecated: This package is deprecated. Use the optional chaining (?.) operator instead.

+  lodash.includes@4.3.0:
+    resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==}
+
  lodash.isarguments@3.1.0:
    resolution: {integrity: sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==}

+  lodash.isboolean@3.0.3:
+    resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==}
+
  lodash.isequal@4.5.0:
    resolution: {integrity: sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==}
    deprecated: This package is deprecated. Use require('node:util').isDeepStrictEqual instead.
@@ -8186,9 +8217,15 @@ packages:
  lodash.isfunction@3.0.9:
    resolution: {integrity: sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==}

+  lodash.isinteger@4.0.4:
+    resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
+
  lodash.ismatch@4.4.0:
    resolution: {integrity: sha512-fPMfXjGQEV9Xsq/8MTSgUf255gawYRbjwMyDbcvDhXgV7enSZA0hynz6vMPnpAb5iONEzBHBPsT+0zes5Z301g==}

+  lodash.isnumber@3.0.3:
+    resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==}
+
  lodash.isplainobject@4.0.6:
    resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==}

@@ -8207,6 +8244,9 @@ packages:
  lodash.mergewith@4.6.2:
    resolution: {integrity: sha512-GK3g5RPZWTRSeLSpgP8Xhra+pnjBC56q9FZYe1d5RN3TJ35dbkGy3YqBSMbyCrlbi+CM9Z3Jk5yTL7RCsqboyQ==}

+  lodash.once@4.1.1:
+    resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==}
+
  lodash.snakecase@4.1.1:
    resolution: {integrity: sha512-QZ1d4xoBHYUeuouhEq3lk3Uq7ldgyFXGBhg04+oRLnIz8o9T65Eh+8YdroUwn846zchkA9yDsDl5CVVaV2nqYw==}

@@ -14889,6 +14929,11 @@ snapshots:

  '@types/json-schema@7.0.15': {}

+  '@types/jsonwebtoken@9.0.10':
+    dependencies:
+      '@types/ms': 2.1.0
+      '@types/node': 20.19.27
+
  '@types/linkify-it@5.0.0': {}

  '@types/markdown-it@14.1.2':
@@ -15159,6 +15204,14 @@ snapshots:
    optionalDependencies:
      vite: 5.4.21(@types/node@20.19.27)(lightningcss@1.30.2)(terser@5.44.1)

+  '@vitest/mocker@2.1.9(vite@5.4.21(@types/node@22.19.3)(lightningcss@1.30.2)(terser@5.44.1))':
+    dependencies:
+      '@vitest/spy': 2.1.9
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 5.4.21(@types/node@22.19.3)(lightningcss@1.30.2)(terser@5.44.1)
+
  '@vitest/pretty-format@2.1.9':
    dependencies:
      tinyrainbow: 1.2.0
@@ -15871,6 +15924,8 @@ snapshots:

  bson@6.10.4: {}

+  buffer-equal-constant-time@1.0.1: {}
+
  buffer-from@1.1.2: {}

  buffer@5.7.1:
@@ -16506,6 +16561,10 @@ snapshots:

  eastasianwidth@0.2.0: {}

+  ecdsa-sig-formatter@1.0.11:
+    dependencies:
+      safe-buffer: 5.2.1
+
  editorconfig@0.15.3:
    dependencies:
      commander: 2.20.3
@@ -18369,6 +18428,19 @@ snapshots:

  jsonparse@1.3.1: {}

+  jsonwebtoken@9.0.3:
+    dependencies:
+      jws: 4.0.1
+      lodash.includes: 4.3.0
+      lodash.isboolean: 3.0.3
+      lodash.isinteger: 4.0.4
+      lodash.isnumber: 3.0.3
+      lodash.isplainobject: 4.0.6
+      lodash.isstring: 4.0.1
+      lodash.once: 4.1.1
+      ms: 2.1.3
+      semver: 7.7.3
+
  jszip@3.10.1:
    dependencies:
      lie: 3.3.0
@@ -18380,6 +18452,17 @@ snapshots:

  just-diff@6.0.2: {}

+  jwa@2.0.1:
+    dependencies:
+      buffer-equal-constant-time: 1.0.1
+      ecdsa-sig-formatter: 1.0.11
+      safe-buffer: 5.2.1
+
+  jws@4.0.1:
+    dependencies:
+      jwa: 2.0.1
+      safe-buffer: 5.2.1
+
  k8w-crypto@0.2.0: {}

  k8w-extend-native@1.4.6:
@@ -18645,14 +18728,22 @@ snapshots:

  lodash.get@4.4.2: {}

+  lodash.includes@4.3.0: {}
+
  lodash.isarguments@3.1.0: {}

+  lodash.isboolean@3.0.3: {}
+
  lodash.isequal@4.5.0: {}

  lodash.isfunction@3.0.9: {}

+  lodash.isinteger@4.0.4: {}
+
  lodash.ismatch@4.4.0: {}

+  lodash.isnumber@3.0.3: {}
+
  lodash.isplainobject@4.0.6: {}

  lodash.isstring@4.0.1: {}
@@ -18665,6 +18756,8 @@ snapshots:

  lodash.mergewith@4.6.2: {}

+  lodash.once@4.1.1: {}
+
  lodash.snakecase@4.1.1: {}

  lodash.startcase@4.4.0: {}
@@ -22075,7 +22168,7 @@ snapshots:
  vitest@2.1.9(@types/node@22.19.3)(jsdom@20.0.3)(lightningcss@1.30.2)(terser@5.44.1):
    dependencies:
      '@vitest/expect': 2.1.9
-      '@vitest/mocker': 2.1.9(vite@5.4.21(@types/node@20.19.27)(lightningcss@1.30.2)(terser@5.44.1))
+      '@vitest/mocker': 2.1.9(vite@5.4.21(@types/node@22.19.3)(lightningcss@1.30.2)(terser@5.44.1))
      '@vitest/pretty-format': 2.1.9
      '@vitest/runner': 2.1.9
      '@vitest/snapshot': 2.1.9