@absolutejs/auth 0.25.1 → 0.26.0-beta.0

package/dist/index.d.ts

@@ -1,11 +1,53 @@
 import { Elysia } from 'elysia';
+import type { AuthHtmxUser } from './htmx/types';
 import { AuthConfig } from './types';
-import type { AuthHtmxUser } from './ui/types';
-export declare const auth: <UserType>({ providersConfiguration, authorizeRoute, callbackRoute, profileRoute, signoutRoute, statusRoute, refreshRoute, revokeRoute, cleanupIntervalMs, maxSessions, sessionDurationMs, authSessionStore, htmx, resolveAuthIntent, onAuthorizeSuccess, onAuthorizeError, onProfileSuccess, onProfileError, onCallbackSuccess, onLinkIdentity, onLinkIdentityConflict, onLinkConnector, onCallbackError, onStatus, onRefreshSuccess, onRefreshError, onSignOut, onRevocationSuccess, onRevocationError, onSessionCleanup }: AuthConfig<UserType>) => Promise<Elysia<"", {
+export declare const auth: <UserType>({ providersConfiguration, authorizeRoute, callbackRoute, profileRoute, signoutRoute, statusRoute, refreshRoute, revokeRoute, cleanupIntervalMs, maxSessions, sessionDurationMs, authSessionStore, audit, credentials, mfa, lockout, sessions, htmx, resolveAuthIntent, onAuthorizeSuccess, onAuthorizeError, onProfileSuccess, onProfileError, onCallbackSuccess, onLinkIdentity, onLinkIdentityConflict, onLinkConnector, onCallbackError, onStatus, onRefreshSuccess, onRefreshError, onSignOut, onRevocationSuccess, onRevocationError, onSessionCleanup }: AuthConfig<UserType>) => Promise<Elysia<"", {
     decorator: {};
     store: {
         session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
         unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
+    } | {
+        session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
+        unregisteredSession: import("./types").UnregisteredSessionRecord;
     } | {
         session: import("./types").SessionRecord<UserType> & import("./types").SessionRecord<unknown> & import("./types").SessionRecord<UserType & AuthHtmxUser>;
         unregisteredSession: import("./types").UnregisteredSessionRecord;
@@ -20,6 +62,11 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             readonly code: "Unauthorized";
             readonly message: "User is not authenticated";
         }) => AuthFailReturn) | undefined) => Promise<import("elysia").ElysiaCustomStatusResponse<"Bad Request", "Cookies are missing", 400> | import("elysia").ElysiaCustomStatusResponse<"Unauthorized", "User is not authenticated", 401> | AuthReturn | NonNullable<AuthFailReturn>>;
+    } & {
+        readonly requireRecentAuth: <AuthReturn, AuthFailReturn_1>(maxAgeMs: number, handleAuth: (user: UserType) => AuthReturn | Promise<AuthReturn>, handleAuthFail?: ((error: {
+            readonly code: "Unauthorized";
+            readonly message: "Recent authentication required";
+        }) => AuthFailReturn_1) | undefined) => Promise<import("elysia").ElysiaCustomStatusResponse<"Unauthorized", "Recent authentication required", 401> | AuthReturn | NonNullable<AuthFailReturn_1>>;
     } & ({} | {
         readonly protectRoute: <AuthReturn, AuthFailReturn>(handleAuth: (user: UserType & AuthHtmxUser) => AuthReturn | Promise<AuthReturn>, handleAuthFail?: ((error: {
             readonly code: "Bad Request";
@@ -68,6 +115,22 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             readonly message: "User is not authenticated";
         }) => AuthFailReturn) | undefined) => Promise<import("elysia").ElysiaCustomStatusResponse<"Bad Request", "Cookies are missing", 400> | import("elysia").ElysiaCustomStatusResponse<"Unauthorized", "User is not authenticated", 401> | AuthReturn | NonNullable<AuthFailReturn>>;
     }>;
+} & ({
+    schema: import("elysia").UnwrapRoute<{
+        cookie: import("@sinclair/typebox").TObject<{
+            user_session_id: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TTemplateLiteralSyntax<"${string}-${string}-${string}-${string}-${string}">>;
+        }>;
+    }, {}, "">;
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: import("elysia").ExtractErrorFromHandle<{
+        readonly requireRecentAuth: <AuthReturn, AuthFailReturn_1>(maxAgeMs: number, handleAuth: (user: UserType) => AuthReturn | Promise<AuthReturn>, handleAuthFail?: ((error: {
+            readonly code: "Unauthorized";
+            readonly message: "Recent authentication required";
+        }) => AuthFailReturn_1) | undefined) => Promise<import("elysia").ElysiaCustomStatusResponse<"Unauthorized", "Recent authentication required", 401> | AuthReturn | NonNullable<AuthFailReturn_1>>;
+    }>;
 } & ({
     schema: {};
     standaloneSchema: {};
@@ -101,7 +164,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             readonly message: "User is not authenticated";
         }) => AuthFailReturn) | undefined) => Promise<import("elysia").ElysiaCustomStatusResponse<"Bad Request", "Cookies are missing", 400> | import("elysia").ElysiaCustomStatusResponse<"Unauthorized", "User is not authenticated", 401> | AuthReturn | NonNullable<AuthFailReturn>>;
     }>;
-}))), (((({
+})))), (((((((({
     [x: string]: {
         delete: {
             body: unknown;
@@ -134,8 +197,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             headers: unknown;
             response: {
                 200: Response;
-                400: "Cookies are missing" | "Invalid provider";
-                401: "Client provider not found" | "Client variant is required" | "Client variant not found" | "Provider is required" | "No auth provider found" | "No user session found";
+                400: "Cookies are missing" | "Invalid provider" | "Session has no access token to revoke";
+                401: "Provider is required" | "Client provider not found" | "Client variant is required" | "Client variant not found" | "No auth provider found" | "No user session found";
                 422: {
                     type: "validation";
                     on: string;
@@ -185,7 +248,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             response: {
                 200: Response;
                 400: "Cookies are missing" | "Invalid provider" | "No refresh token found";
-                401: "Client provider not found" | "Client variant is required" | "Client variant not found" | "Provider is required" | "No auth provider found" | "No user session found";
+                401: "Provider is required" | "Client provider not found" | "Client variant is required" | "Client variant not found" | "No auth provider found" | "No user session found";
                 422: {
                     type: "validation";
                     on: string;
@@ -215,8 +278,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 headers: unknown;
                 response: {
                     200: Response;
-                    400: "Provider is required" | "Cookies are missing";
-                    401: "Client provider not found" | "Client variant is required" | "Client variant not found" | "Provider is required";
+                    400: "Cookies are missing" | "Provider is required";
+                    401: "Provider is required" | "Client provider not found" | "Client variant is required" | "Client variant not found";
                     422: {
                         type: "validation";
                         on: string;
@@ -247,8 +310,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                     headers: unknown;
                     response: {
                         200: Response;
-                        400: "Provider is required" | "Cookies are missing";
-                        401: "Client provider not found" | "Client variant is required" | "Client variant not found" | "Provider is required";
+                        400: "Cookies are missing" | "Provider is required";
+                        401: "Provider is required" | "Client provider not found" | "Client variant is required" | "Client variant not found";
                         422: {
                             type: "validation";
                             on: string;
@@ -285,8 +348,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             headers: unknown;
             response: {
                 200: Response;
-                400: "Cookies are missing";
-                401: "Client provider not found" | "Client variant is required" | "Client variant not found" | "Provider is required" | "No auth provider found" | "Invalid provider" | "No user session found";
+                400: "Cookies are missing" | "Session has no access token to fetch a profile";
+                401: "Provider is required" | "Client provider not found" | "Client variant is required" | "Client variant not found" | "No auth provider found" | "Invalid provider" | "No user session found";
                 422: {
                     type: "validation";
                     on: string;
@@ -300,7 +363,307 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             };
         };
     };
-}) & {}) & ({} | ({
+}) & ({} | ({
+    [x: string]: {
+        post: {
+            body: {
+                email: string;
+                password: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                [x: string]: any;
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                token: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly status: "email_verified";
+                };
+                400: "Invalid or expired verification token";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        request: {
+            post: {
+                body: {
+                    email: string;
+                };
+                params: {};
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: {
+                        readonly status: "verification_requested";
+                    };
+                    422: {
+                        type: "validation";
+                        on: string;
+                        summary?: string;
+                        message?: string;
+                        found?: unknown;
+                        property?: string;
+                        expected?: string;
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                email: string;
+                password: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly status: "mfa_required";
+                } | {
+                    readonly status: "authenticated";
+                };
+                401: "Invalid email or password";
+                403: {
+                    readonly status: "email_not_verified";
+                };
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+                429: {
+                    readonly retryAfterMs: number | undefined;
+                    readonly status: "account_locked";
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        request: {
+            post: {
+                body: {
+                    email: string;
+                };
+                params: {};
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: {
+                        readonly status: "reset_requested";
+                    };
+                    422: {
+                        type: "validation";
+                        on: string;
+                        summary?: string;
+                        message?: string;
+                        found?: unknown;
+                        property?: string;
+                        expected?: string;
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                token: string;
+                password: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly status: "password_reset";
+                };
+                400: "Invalid or expired reset token" | {
+                    readonly message: "Password does not meet the policy";
+                    readonly violations: import(".").PasswordPolicyViolation[];
+                };
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+}))) & ({} | ({
+    [x: string]: {
+        post: {
+            body: unknown;
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly secret: string;
+                    readonly uri: string;
+                };
+                401: "Authentication required";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                code: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly backupCodes: string[];
+                };
+                400: "No TOTP enrollment in progress" | "Invalid TOTP code";
+                401: "Authentication required";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                code: string;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly status: "authenticated";
+                };
+                401: "No MFA challenge in progress" | "Invalid MFA code";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+}))) & ({} | ({
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    readonly sessions: {
+                        authenticatedAt?: number;
+                        current: boolean;
+                        expiresAt: number;
+                        id: import("./types").UserSessionId;
+                    }[];
+                };
+                401: "Authentication required";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+                501: "Session management requires an authSessionStore";
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        ":id": {
+            delete: {
+                body: unknown;
+                params: {
+                    id: string;
+                };
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: {
+                        readonly revoked: `${string}-${string}-${string}-${string}-${string}`;
+                    };
+                    400: "Invalid session id";
+                    401: "Authentication required";
+                    404: "Session not found";
+                    422: {
+                        type: "validation";
+                        on: string;
+                        summary?: string;
+                        message?: string;
+                        found?: unknown;
+                        property?: string;
+                        expected?: string;
+                    };
+                    501: "Session management requires an authSessionStore";
+                };
+            };
+        };
+    };
+}))) & {}) & {}) & ({} | ({
     htmx: {
         login: {
             get: {
@@ -772,22 +1135,59 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
 }>>;
 export * from './types';
 export * from './typebox';
-export type { AuthSessionStore } from './sessionTypes';
+export type { AuthSessionStore } from './session/types';
 export { isAuthIntent, isUserSessionId, isValidUser } from './typeGuards';
 export { AuthIdentityConflictError } from './errors';
-export { sessionStore } from './sessionStore';
-export { createInMemoryAuthSessionStore } from './authSessionStores';
-export { createNeonAuthSessionStore } from './neonAuthSessionStore';
-export { createLinkedProviderCredentialResolver } from './linkedProviderResolver';
-export { createOAuthLinkedProviderCredentialResolver } from './oauthLinkedProviderResolver';
-export { createNeonLinkedProviderStores, createNeonOAuthLinkedProviderCredentialResolver } from './neonLinkedProviders';
-export { createInMemoryLinkedProviderStores } from './linkedProviderStores';
-export { protectRoutePlugin } from './protectRoute';
-export { sessionCleanup } from './sessionCleanup';
-export { createAuthHtmxRoutes } from './htmxRoutes';
-export { resolveAuthHtmxRenderers } from './ui/renderers';
-export type { AuthHtmxConfig, AuthHtmxConnectorTarget, AuthHtmxProviderData, AuthHtmxProviderInfo, AuthHtmxRenderOverrides, AuthHtmxRenderersConfig, AuthHtmxUser, AuthIdentityPayload, LinkedProviderPayload } from './ui/types';
+export { sessionStore } from './session/state';
+export { createInMemoryAuthSessionStore } from './session/inMemoryStore';
+export { createNeonAuthSessionStore } from './session/neonStore';
+export { createLinkedProviderCredentialResolver } from './linkedProviders/resolver';
+export { createOAuthLinkedProviderCredentialResolver } from './linkedProviders/oauthResolver';
+export { createNeonLinkedProviderStores, createNeonOAuthLinkedProviderCredentialResolver } from './linkedProviders/neonStores';
+export { createInMemoryLinkedProviderStores } from './linkedProviders/inMemoryStores';
+export { protectRoutePlugin } from './routes/protectRoute';
+export { sessionRoutes } from './routes/sessions';
+export { stepUpPlugin } from './routes/stepUp';
+export * from './session/sessionsConfig';
+export { listUserSessions, revokeUserSessions } from './session/userSessions';
+export type { UserSession } from './session/userSessions';
+export { sessionCleanup } from './session/cleanup';
+export { createAuthHtmxRoutes } from './htmx/routes';
+export { resolveAuthHtmxRenderers } from './htmx/renderers';
+export type { AuthHtmxConfig, AuthHtmxConnectorTarget, AuthHtmxProviderData, AuthHtmxProviderInfo, AuthHtmxRenderOverrides, AuthHtmxRenderersConfig, AuthHtmxUser, AuthIdentityPayload, LinkedProviderPayload } from './htmx/types';
 export * from './utils';
-export { buildClientProviders, resolveClientProviderEntry, resolveProviderClientConfiguration } from './providerClients';
+export { buildClientProviders, resolveClientProviderEntry, resolveProviderClientConfiguration } from './providers/clients';
 export type { OAuth2TokenResponse, OAuth2Client, ProviderOption, PKCEProvider, OIDCProvider, RefreshableProvider, RevocableProvider, ScopeRequiredProvider, ProvidersMap, ProviderConfiguration, CredentialsFor } from 'citra';
 export { providers, providerOptions, refreshableProviderOptions, revocableProviderOptions, oidcProviderOptions, pkceProviderOptions, scopeRequiredProviderOptions, decodeJWT, extractPropFromIdentity, isValidProviderOption, isRefreshableOAuth2Client, isRefreshableProviderOption, isOIDCProviderOption, isPKCEProviderOption, isRevocableProviderOption, isRevocableOAuth2Client } from 'citra';
+export * from './crypto';
+export * from './tenancy';
+export * from './credentials/config';
+export * from './credentials/passwordPolicy';
+export * from './credentials/types';
+export { credentialRoutes } from './credentials/routes';
+export { credentialsEmailVerification } from './credentials/emailVerification';
+export { credentialsLogin } from './credentials/login';
+export { credentialsPasswordReset } from './credentials/passwordReset';
+export { credentialsRegister } from './credentials/register';
+export { createInMemoryCredentialStore } from './credentials/inMemoryCredentialStore';
+export { createNeonCredentialStore, createPostgresCredentialStore, credentialResetTokensTable, credentialsTable, credentialVerificationTokensTable } from './credentials/postgresCredentialStore';
+export { createNeonDatabase } from './stores/postgres';
+export type { AnyPgDatabase } from './stores/postgres';
+export * from './mfa/config';
+export * from './mfa/types';
+export { consumeBackupCode, generateBackupCodes } from './mfa/backupCodes';
+export { createMfaGate } from './mfa/gate';
+export { mfaChallenge } from './mfa/challenge';
+export { mfaRoutes } from './mfa/routes';
+export { mfaTotpRoutes } from './mfa/totp';
+export { decryptTotpSecret, encryptTotpSecret } from './mfa/secret';
+export { createInMemoryMfaStore } from './mfa/inMemoryMfaStore';
+export { createNeonMfaStore, createPostgresMfaStore, mfaEnrollmentsTable } from './mfa/postgresMfaStore';
+export * from './audit/config';
+export * from './audit/types';
+export * from './lockout/config';
+export * from './lockout/types';
+export { createInMemoryLockoutStore } from './lockout/inMemoryLockoutStore';
+export { createNeonLockoutStore, createPostgresLockoutStore, lockoutsTable } from './lockout/postgresLockoutStore';
+export { createInMemoryAuditSink } from './audit/inMemoryAuditStore';
+export { auditEventsTable, createNeonAuditSink, createPostgresAuditSink } from './audit/postgresAuditStore';