@absolutejs/auth 0.22.5 → 0.22.6

package/dist/index.js

@@ -3289,251 +3289,6 @@ var createInMemoryAuthSessionStore = (input = {}) => {
     listUnregisteredSessionIds: async () => [...unregisteredSessions.keys()]
   };
 };
-// src/linkedProviderResolver.ts
-var uniqueStrings = (values) => [...new Set(values)];
-var getEffectiveScopes = (grant, binding) => {
-  if (binding.availableScopes.length === 0) {
-    return uniqueStrings(grant.grantedScopes);
-  }
-  const bindingScopeSet = new Set(binding.availableScopes);
-  return uniqueStrings(grant.grantedScopes.filter((scope) => bindingScopeSet.has(scope)));
-};
-var hasRequiredScopes = (availableScopes, requiredScopes) => (requiredScopes ?? []).every((scope) => availableScopes.includes(scope));
-var isGrantUsable = (grant) => grant.status === "active" || grant.status === "refresh_required";
-var isBindingUsable = (binding) => binding.status === "active";
-var needsRefresh = (lease, now, minValidityMs) => {
-  if (!lease)
-    return true;
-  if (lease.expiresAt === undefined)
-    return false;
-  return lease.expiresAt <= now + (minValidityMs ?? 0);
-};
-var ensureLeaseScopes = (lease, requiredScopes) => {
-  if (!hasRequiredScopes(lease.grantedScopes, requiredScopes)) {
-    throw new Error("Linked provider access token lease is missing required scopes");
-  }
-};
-var ensureLeaseValidity = (lease, now, minValidityMs) => {
-  if (lease.expiresAt === undefined)
-    return;
-  if (lease.expiresAt <= now + (minValidityMs ?? 0)) {
-    throw new Error("Linked provider access token lease does not satisfy minimum validity");
-  }
-};
-var buildResolvedCredential = (grant, binding) => ({
-  bindingId: binding.id,
-  grantId: grant.id,
-  ownerRef: grant.ownerRef,
-  connectorProvider: binding.connectorProvider,
-  providerFamily: grant.providerFamily,
-  authProviderKey: grant.authProviderKey,
-  externalAccountId: binding.externalAccountId,
-  externalAccountType: binding.externalAccountType,
-  scopes: getEffectiveScopes(grant, binding),
-  capabilities: binding.capabilities ? [...binding.capabilities] : undefined,
-  label: binding.label,
-  username: binding.username,
-  email: binding.email,
-  metadata: {
-    ...grant.metadata ?? {},
-    ...binding.metadata ?? {}
-  }
-});
-var annotateFailureMetadata = (metadata, report, now) => ({
-  ...metadata ?? {},
-  lastCredentialFailureAt: now,
-  lastCredentialFailureCode: report.code,
-  lastCredentialFailureMessage: report.message,
-  lastCredentialFailureRetryAt: report.retryAt
-});
-var sortNewestFirst = (items) => [...items].sort((left, right) => right.updatedAt - left.updatedAt);
-var createLinkedProviderCredentialResolver = ({
-  grantStore,
-  bindingStore,
-  loadAccessTokenLease,
-  refreshAccessTokenLease,
-  now = () => Date.now(),
-  onReportFailure
-}) => ({
-  listBindings: async ({ ownerRef, connectorProvider, status }) => sortNewestFirst(await bindingStore.listBindingsByOwner(ownerRef)).filter((binding) => (connectorProvider === undefined || binding.connectorProvider === connectorProvider) && (status === undefined || binding.status === status)),
-  resolveCredential: async (input) => {
-    const bindings = sortNewestFirst(await bindingStore.listBindingsByOwner(input.ownerRef)).filter((binding) => binding.connectorProvider === input.connectorProvider && isBindingUsable(binding) && (input.bindingId === undefined || binding.id === input.bindingId) && (input.externalAccountId === undefined || binding.externalAccountId === input.externalAccountId));
-    for (const binding of bindings) {
-      const grant = await grantStore.getGrant(binding.grantId);
-      if (!grant || grant.ownerRef !== input.ownerRef || !isGrantUsable(grant)) {
-        continue;
-      }
-      const effectiveScopes = getEffectiveScopes(grant, binding);
-      if (!hasRequiredScopes(effectiveScopes, input.requiredScopes)) {
-        continue;
-      }
-      return buildResolvedCredential(grant, binding);
-    }
-    return null;
-  },
-  getAccessToken: async (credential, input) => {
-    const binding = await bindingStore.getBinding(credential.bindingId);
-    if (!binding || !isBindingUsable(binding)) {
-      throw new Error("Linked provider binding is unavailable");
-    }
-    const grant = await grantStore.getGrant(credential.grantId);
-    if (!grant || !isGrantUsable(grant)) {
-      throw new Error("Linked provider grant is unavailable");
-    }
-    const requiredScopes = input?.requiredScopes;
-    const effectiveScopes = getEffectiveScopes(grant, binding);
-    if (!hasRequiredScopes(effectiveScopes, requiredScopes)) {
-      throw new Error("Linked provider credential is missing required scopes");
-    }
-    const currentTime = now();
-    let lease = await loadAccessTokenLease(grant);
-    if (needsRefresh(lease, currentTime, input?.minValidityMs)) {
-      if (!refreshAccessTokenLease) {
-        throw new Error("Linked provider access token lease requires refresh");
-      }
-      const refreshed = await refreshAccessTokenLease(grant, input);
-      if (!refreshed) {
-        throw new Error("Linked provider access token refresh failed");
-      }
-      await grantStore.saveGrant(refreshed.grant);
-      lease = refreshed.lease;
-    }
-    if (!lease) {
-      throw new Error("Linked provider access token lease is unavailable");
-    }
-    ensureLeaseScopes(lease, requiredScopes);
-    ensureLeaseValidity(lease, currentTime, input?.minValidityMs);
-    return lease;
-  },
-  reportFailure: async (credential, report) => {
-    const currentTime = now();
-    const grant = await grantStore.getGrant(credential.grantId);
-    const binding = await bindingStore.getBinding(credential.bindingId);
-    if (grant) {
-      const nextGrant = {
-        ...grant,
-        updatedAt: currentTime,
-        lastRefreshError: report.message ?? report.code,
-        metadata: annotateFailureMetadata(grant.metadata, report, currentTime)
-      };
-      if (report.code === "unauthorized" || report.code === "revoked") {
-        nextGrant.status = "revoked";
-      }
-      await grantStore.saveGrant(nextGrant);
-    }
-    if (binding) {
-      const nextBinding = {
-        ...binding,
-        updatedAt: currentTime,
-        metadata: annotateFailureMetadata(binding.metadata, report, currentTime)
-      };
-      if (report.code === "unauthorized" || report.code === "revoked") {
-        nextBinding.status = "disconnected";
-      } else if (report.code === "insufficient_scope") {
-        nextBinding.status = "restricted";
-      }
-      await bindingStore.saveBinding(nextBinding);
-    }
-    await onReportFailure?.({
-      credential,
-      report,
-      grant: grant ?? undefined,
-      binding: binding ?? undefined
-    });
-  }
-});
-// src/oauthLinkedProviderResolver.ts
-var getGrantedScopes = (scopeValue, fallbackScopes) => {
-  if (typeof scopeValue === "string" && scopeValue.trim().length > 0) {
-    return [...new Set(scopeValue.split(/\s+/).filter(Boolean))];
-  }
-  return [...new Set(fallbackScopes.filter(Boolean))];
-};
-var getExpiresAt = (tokenResponse) => {
-  const expiresIn = tokenResponse.expires_in;
-  const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : typeof expiresIn === "string" && expiresIn.trim().length > 0 ? Number(expiresIn) : Number.NaN;
-  if (!Number.isFinite(expiresInSeconds) || expiresInSeconds <= 0) {
-    return;
-  }
-  return Date.now() + expiresInSeconds * 1000;
-};
-var createOAuthLinkedProviderCredentialResolver = async ({
-  bindingStore,
-  grantStore,
-  now,
-  providersConfiguration
-}) => {
-  const clientEntries = [];
-  for (const [providerName, providerConfig] of Object.entries(providersConfiguration)) {
-    if (!isValidProviderOption(providerName)) {
-      continue;
-    }
-    const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
-      providerName,
-      providersConfiguration
-    });
-    if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
-      continue;
-    }
-    clientEntries.push(createOAuth2Client(providerName, resolvedProviderClientConfiguration.config.credentials).then((providerInstance) => [providerName, providerInstance]));
-  }
-  const clients = new Map(await Promise.all(clientEntries));
-  return createLinkedProviderCredentialResolver({
-    bindingStore,
-    grantStore,
-    now,
-    loadAccessTokenLease: async (grant) => grant.accessTokenCiphertext ? {
-      accessToken: grant.accessTokenCiphertext,
-      expiresAt: grant.expiresAt,
-      grantedScopes: grant.grantedScopes,
-      tokenType: grant.tokenType
-    } : null,
-    refreshAccessTokenLease: async (grant) => {
-      if (!isValidProviderOption(grant.authProviderKey) || !grant.refreshTokenCiphertext) {
-        return null;
-      }
-      const providerKey = grant.authProviderKey;
-      const providerClientName = typeof grant.metadata?.providerClient === "string" && grant.metadata.providerClient.trim().length > 0 ? grant.metadata.providerClient.trim() : undefined;
-      const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
-        clientName: providerClientName,
-        providerName: providerKey,
-        providersConfiguration
-      });
-      if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
-        return null;
-      }
-      const providerClient = await createOAuth2Client(providerKey, resolvedProviderClientConfiguration.config.credentials);
-      if (!providerClient || !isRefreshableOAuth2Client(providerKey, providerClient)) {
-        return null;
-      }
-      const tokenResponse = await providerClient.refreshAccessToken(grant.refreshTokenCiphertext);
-      const refreshedAt = Date.now();
-      const grantedScopes = getGrantedScopes(Reflect.get(tokenResponse, "scope"), grant.grantedScopes);
-      const tokenType = Reflect.get(tokenResponse, "token_type");
-      const refreshedGrant = {
-        ...grant,
-        accessTokenCiphertext: tokenResponse.access_token,
-        expiresAt: getExpiresAt(tokenResponse),
-        grantedScopes,
-        lastRefreshError: undefined,
-        lastRefreshedAt: refreshedAt,
-        refreshTokenCiphertext: tokenResponse.refresh_token ?? grant.refreshTokenCiphertext,
-        status: "active",
-        tokenType: typeof tokenType === "string" ? tokenType : grant.tokenType,
-        updatedAt: refreshedAt
-      };
-      return {
-        grant: refreshedGrant,
-        lease: {
-          accessToken: refreshedGrant.accessTokenCiphertext ?? "",
-          expiresAt: refreshedGrant.expiresAt,
-          grantedScopes: refreshedGrant.grantedScopes,
-          tokenType: refreshedGrant.tokenType
-        }
-      };
-    }
-  });
-};
 // node_modules/@neondatabase/serverless/index.mjs
 var vo = Object.create;
 var Te = Object.defineProperty;
@@ -13227,6 +12982,364 @@ function drizzle(...params) {
   drizzle2.mock = mock;
 })(drizzle || (drizzle = {}));
 
+// src/neonAuthSessionStore.ts
+var authSessionsTable = pgTable("auth_sessions", {
+  id: varchar("id", { length: 255 }).primaryKey(),
+  access_token: text("access_token").notNull(),
+  refresh_token: text("refresh_token"),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  user_json: jsonb("user_json").$type().notNull(),
+  created_at: timestamp("created_at").notNull().defaultNow(),
+  updated_at: timestamp("updated_at").notNull().defaultNow()
+});
+var authUnregisteredSessionsTable = pgTable("auth_unregistered_sessions", {
+  id: varchar("id", { length: 255 }).primaryKey(),
+  access_token: text("access_token"),
+  refresh_token: text("refresh_token"),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  user_identity_json: jsonb("user_identity_json").$type(),
+  session_information_json: jsonb("session_information_json").$type(),
+  created_at: timestamp("created_at").notNull().defaultNow(),
+  updated_at: timestamp("updated_at").notNull().defaultNow()
+});
+var authSessionSchema = {
+  authSessions: authSessionsTable,
+  authUnregisteredSessions: authUnregisteredSessionsTable
+};
+var cloneUser = (value) => {
+  if (value === null || value === undefined)
+    return value;
+  return structuredClone(value);
+};
+var cloneRecord = (value) => value ? structuredClone(value) : undefined;
+var toSessionData = (row) => ({
+  accessToken: row.access_token,
+  expiresAt: row.expires_at_ms,
+  refreshToken: row.refresh_token ?? undefined,
+  user: cloneUser(row.user_json)
+});
+var toUnregisteredSessionData = (row) => ({
+  accessToken: row.access_token ?? undefined,
+  expiresAt: row.expires_at_ms,
+  refreshToken: row.refresh_token ?? undefined,
+  sessionInformation: cloneRecord(row.session_information_json ?? undefined),
+  userIdentity: cloneRecord(row.user_identity_json ?? undefined)
+});
+var createNeonAuthSessionStore = (databaseUrl) => {
+  const sql2 = as(databaseUrl);
+  const db = drizzle(sql2, {
+    schema: authSessionSchema
+  });
+  return {
+    getSession: async (id) => {
+      const [row] = await db.select().from(authSessionsTable).where(eq(authSessionsTable.id, id)).limit(1);
+      return row ? toSessionData(row) : undefined;
+    },
+    setSession: async (id, value) => {
+      await db.insert(authSessionsTable).values({
+        id,
+        access_token: value.accessToken,
+        refresh_token: value.refreshToken ?? null,
+        expires_at_ms: value.expiresAt,
+        user_json: value.user ?? {},
+        updated_at: new Date
+      }).onConflictDoUpdate({
+        target: authSessionsTable.id,
+        set: {
+          access_token: value.accessToken,
+          refresh_token: value.refreshToken ?? null,
+          expires_at_ms: value.expiresAt,
+          user_json: value.user ?? {},
+          updated_at: new Date
+        }
+      });
+    },
+    removeSession: async (id) => {
+      await db.delete(authSessionsTable).where(eq(authSessionsTable.id, id));
+    },
+    getUnregisteredSession: async (id) => {
+      const [row] = await db.select().from(authUnregisteredSessionsTable).where(eq(authUnregisteredSessionsTable.id, id)).limit(1);
+      return row ? toUnregisteredSessionData(row) : undefined;
+    },
+    setUnregisteredSession: async (id, value) => {
+      await db.insert(authUnregisteredSessionsTable).values({
+        id,
+        access_token: value.accessToken ?? null,
+        refresh_token: value.refreshToken ?? null,
+        expires_at_ms: value.expiresAt,
+        user_identity_json: value.userIdentity ?? null,
+        session_information_json: value.sessionInformation ?? null,
+        updated_at: new Date
+      }).onConflictDoUpdate({
+        target: authUnregisteredSessionsTable.id,
+        set: {
+          access_token: value.accessToken ?? null,
+          refresh_token: value.refreshToken ?? null,
+          expires_at_ms: value.expiresAt,
+          user_identity_json: value.userIdentity ?? null,
+          session_information_json: value.sessionInformation ?? null,
+          updated_at: new Date
+        }
+      });
+    },
+    removeUnregisteredSession: async (id) => {
+      await db.delete(authUnregisteredSessionsTable).where(eq(authUnregisteredSessionsTable.id, id));
+    },
+    listSessionIds: async () => {
+      const rows = await db.select({ id: authSessionsTable.id }).from(authSessionsTable);
+      return rows.map((row) => row.id);
+    },
+    listUnregisteredSessionIds: async () => {
+      const rows = await db.select({ id: authUnregisteredSessionsTable.id }).from(authUnregisteredSessionsTable);
+      return rows.map((row) => row.id);
+    }
+  };
+};
+// src/linkedProviderResolver.ts
+var uniqueStrings = (values) => [...new Set(values)];
+var getEffectiveScopes = (grant, binding) => {
+  if (binding.availableScopes.length === 0) {
+    return uniqueStrings(grant.grantedScopes);
+  }
+  const bindingScopeSet = new Set(binding.availableScopes);
+  return uniqueStrings(grant.grantedScopes.filter((scope) => bindingScopeSet.has(scope)));
+};
+var hasRequiredScopes = (availableScopes, requiredScopes) => (requiredScopes ?? []).every((scope) => availableScopes.includes(scope));
+var isGrantUsable = (grant) => grant.status === "active" || grant.status === "refresh_required";
+var isBindingUsable = (binding) => binding.status === "active";
+var needsRefresh = (lease, now, minValidityMs) => {
+  if (!lease)
+    return true;
+  if (lease.expiresAt === undefined)
+    return false;
+  return lease.expiresAt <= now + (minValidityMs ?? 0);
+};
+var ensureLeaseScopes = (lease, requiredScopes) => {
+  if (!hasRequiredScopes(lease.grantedScopes, requiredScopes)) {
+    throw new Error("Linked provider access token lease is missing required scopes");
+  }
+};
+var ensureLeaseValidity = (lease, now, minValidityMs) => {
+  if (lease.expiresAt === undefined)
+    return;
+  if (lease.expiresAt <= now + (minValidityMs ?? 0)) {
+    throw new Error("Linked provider access token lease does not satisfy minimum validity");
+  }
+};
+var buildResolvedCredential = (grant, binding) => ({
+  bindingId: binding.id,
+  grantId: grant.id,
+  ownerRef: grant.ownerRef,
+  connectorProvider: binding.connectorProvider,
+  providerFamily: grant.providerFamily,
+  authProviderKey: grant.authProviderKey,
+  externalAccountId: binding.externalAccountId,
+  externalAccountType: binding.externalAccountType,
+  scopes: getEffectiveScopes(grant, binding),
+  capabilities: binding.capabilities ? [...binding.capabilities] : undefined,
+  label: binding.label,
+  username: binding.username,
+  email: binding.email,
+  metadata: {
+    ...grant.metadata ?? {},
+    ...binding.metadata ?? {}
+  }
+});
+var annotateFailureMetadata = (metadata, report, now) => ({
+  ...metadata ?? {},
+  lastCredentialFailureAt: now,
+  lastCredentialFailureCode: report.code,
+  lastCredentialFailureMessage: report.message,
+  lastCredentialFailureRetryAt: report.retryAt
+});
+var sortNewestFirst = (items) => [...items].sort((left, right) => right.updatedAt - left.updatedAt);
+var createLinkedProviderCredentialResolver = ({
+  grantStore,
+  bindingStore,
+  loadAccessTokenLease,
+  refreshAccessTokenLease,
+  now = () => Date.now(),
+  onReportFailure
+}) => ({
+  listBindings: async ({ ownerRef, connectorProvider, status }) => sortNewestFirst(await bindingStore.listBindingsByOwner(ownerRef)).filter((binding) => (connectorProvider === undefined || binding.connectorProvider === connectorProvider) && (status === undefined || binding.status === status)),
+  resolveCredential: async (input) => {
+    const bindings = sortNewestFirst(await bindingStore.listBindingsByOwner(input.ownerRef)).filter((binding) => binding.connectorProvider === input.connectorProvider && isBindingUsable(binding) && (input.bindingId === undefined || binding.id === input.bindingId) && (input.externalAccountId === undefined || binding.externalAccountId === input.externalAccountId));
+    for (const binding of bindings) {
+      const grant = await grantStore.getGrant(binding.grantId);
+      if (!grant || grant.ownerRef !== input.ownerRef || !isGrantUsable(grant)) {
+        continue;
+      }
+      const effectiveScopes = getEffectiveScopes(grant, binding);
+      if (!hasRequiredScopes(effectiveScopes, input.requiredScopes)) {
+        continue;
+      }
+      return buildResolvedCredential(grant, binding);
+    }
+    return null;
+  },
+  getAccessToken: async (credential, input) => {
+    const binding = await bindingStore.getBinding(credential.bindingId);
+    if (!binding || !isBindingUsable(binding)) {
+      throw new Error("Linked provider binding is unavailable");
+    }
+    const grant = await grantStore.getGrant(credential.grantId);
+    if (!grant || !isGrantUsable(grant)) {
+      throw new Error("Linked provider grant is unavailable");
+    }
+    const requiredScopes = input?.requiredScopes;
+    const effectiveScopes = getEffectiveScopes(grant, binding);
+    if (!hasRequiredScopes(effectiveScopes, requiredScopes)) {
+      throw new Error("Linked provider credential is missing required scopes");
+    }
+    const currentTime = now();
+    let lease = await loadAccessTokenLease(grant);
+    if (needsRefresh(lease, currentTime, input?.minValidityMs)) {
+      if (!refreshAccessTokenLease) {
+        throw new Error("Linked provider access token lease requires refresh");
+      }
+      const refreshed = await refreshAccessTokenLease(grant, input);
+      if (!refreshed) {
+        throw new Error("Linked provider access token refresh failed");
+      }
+      await grantStore.saveGrant(refreshed.grant);
+      lease = refreshed.lease;
+    }
+    if (!lease) {
+      throw new Error("Linked provider access token lease is unavailable");
+    }
+    ensureLeaseScopes(lease, requiredScopes);
+    ensureLeaseValidity(lease, currentTime, input?.minValidityMs);
+    return lease;
+  },
+  reportFailure: async (credential, report) => {
+    const currentTime = now();
+    const grant = await grantStore.getGrant(credential.grantId);
+    const binding = await bindingStore.getBinding(credential.bindingId);
+    if (grant) {
+      const nextGrant = {
+        ...grant,
+        updatedAt: currentTime,
+        lastRefreshError: report.message ?? report.code,
+        metadata: annotateFailureMetadata(grant.metadata, report, currentTime)
+      };
+      if (report.code === "unauthorized" || report.code === "revoked") {
+        nextGrant.status = "revoked";
+      }
+      await grantStore.saveGrant(nextGrant);
+    }
+    if (binding) {
+      const nextBinding = {
+        ...binding,
+        updatedAt: currentTime,
+        metadata: annotateFailureMetadata(binding.metadata, report, currentTime)
+      };
+      if (report.code === "unauthorized" || report.code === "revoked") {
+        nextBinding.status = "disconnected";
+      } else if (report.code === "insufficient_scope") {
+        nextBinding.status = "restricted";
+      }
+      await bindingStore.saveBinding(nextBinding);
+    }
+    await onReportFailure?.({
+      credential,
+      report,
+      grant: grant ?? undefined,
+      binding: binding ?? undefined
+    });
+  }
+});
+// src/oauthLinkedProviderResolver.ts
+var getGrantedScopes = (scopeValue, fallbackScopes) => {
+  if (typeof scopeValue === "string" && scopeValue.trim().length > 0) {
+    return [...new Set(scopeValue.split(/\s+/).filter(Boolean))];
+  }
+  return [...new Set(fallbackScopes.filter(Boolean))];
+};
+var getExpiresAt = (tokenResponse) => {
+  const expiresIn = tokenResponse.expires_in;
+  const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : typeof expiresIn === "string" && expiresIn.trim().length > 0 ? Number(expiresIn) : Number.NaN;
+  if (!Number.isFinite(expiresInSeconds) || expiresInSeconds <= 0) {
+    return;
+  }
+  return Date.now() + expiresInSeconds * 1000;
+};
+var createOAuthLinkedProviderCredentialResolver = async ({
+  bindingStore,
+  grantStore,
+  now,
+  providersConfiguration
+}) => {
+  const clientEntries = [];
+  for (const [providerName, providerConfig] of Object.entries(providersConfiguration)) {
+    if (!isValidProviderOption(providerName)) {
+      continue;
+    }
+    const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
+      providerName,
+      providersConfiguration
+    });
+    if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
+      continue;
+    }
+    clientEntries.push(createOAuth2Client(providerName, resolvedProviderClientConfiguration.config.credentials).then((providerInstance) => [providerName, providerInstance]));
+  }
+  const clients = new Map(await Promise.all(clientEntries));
+  return createLinkedProviderCredentialResolver({
+    bindingStore,
+    grantStore,
+    now,
+    loadAccessTokenLease: async (grant) => grant.accessTokenCiphertext ? {
+      accessToken: grant.accessTokenCiphertext,
+      expiresAt: grant.expiresAt,
+      grantedScopes: grant.grantedScopes,
+      tokenType: grant.tokenType
+    } : null,
+    refreshAccessTokenLease: async (grant) => {
+      if (!isValidProviderOption(grant.authProviderKey) || !grant.refreshTokenCiphertext) {
+        return null;
+      }
+      const providerKey = grant.authProviderKey;
+      const providerClientName = typeof grant.metadata?.providerClient === "string" && grant.metadata.providerClient.trim().length > 0 ? grant.metadata.providerClient.trim() : undefined;
+      const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
+        clientName: providerClientName,
+        providerName: providerKey,
+        providersConfiguration
+      });
+      if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
+        return null;
+      }
+      const providerClient = await createOAuth2Client(providerKey, resolvedProviderClientConfiguration.config.credentials);
+      if (!providerClient || !isRefreshableOAuth2Client(providerKey, providerClient)) {
+        return null;
+      }
+      const tokenResponse = await providerClient.refreshAccessToken(grant.refreshTokenCiphertext);
+      const refreshedAt = Date.now();
+      const grantedScopes = getGrantedScopes(Reflect.get(tokenResponse, "scope"), grant.grantedScopes);
+      const tokenType = Reflect.get(tokenResponse, "token_type");
+      const refreshedGrant = {
+        ...grant,
+        accessTokenCiphertext: tokenResponse.access_token,
+        expiresAt: getExpiresAt(tokenResponse),
+        grantedScopes,
+        lastRefreshError: undefined,
+        lastRefreshedAt: refreshedAt,
+        refreshTokenCiphertext: tokenResponse.refresh_token ?? grant.refreshTokenCiphertext,
+        status: "active",
+        tokenType: typeof tokenType === "string" ? tokenType : grant.tokenType,
+        updatedAt: refreshedAt
+      };
+      return {
+        grant: refreshedGrant,
+        lease: {
+          accessToken: refreshedGrant.accessTokenCiphertext ?? "",
+          expiresAt: refreshedGrant.expiresAt,
+          grantedScopes: refreshedGrant.grantedScopes,
+          tokenType: refreshedGrant.tokenType
+        }
+      };
+    }
+  });
+};
 // src/neonLinkedProviders.ts
 var linkedProviderGrantsTable = pgTable("linked_provider_grants", {
   id: varchar("id", { length: 255 }).primaryKey(),
@@ -13753,6 +13866,7 @@ export {
   createOAuthLinkedProviderCredentialResolver,
   createNeonOAuthLinkedProviderCredentialResolver,
   createNeonLinkedProviderStores,
+  createNeonAuthSessionStore,
   createLinkedProviderCredentialResolver,
   createInMemoryLinkedProviderStores,
   createInMemoryAuthSessionStore,
@@ -13765,5 +13879,5 @@ export {
   AbsoluteAuthIdentityConflictError
 };
 
-//# debugId=A110EE8D76C9D5C964756E2164756E21
+//# debugId=A6C23409DC7CDF3964756E2164756E21
 //# sourceMappingURL=index.js.map