@absolutejs/auth 0.26.0-beta.3 → 0.26.0-beta.4

package/dist/roles/postgresRoleStore.d.ts

@@ -0,0 +1,102 @@
+import { type AnyPgDatabase } from '../stores/postgres';
+import type { RoleStore } from './types';
+export declare const rolesTable: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "auth_roles";
+    schema: undefined;
+    columns: {
+        created_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at_ms";
+            tableName: "auth_roles";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        organization_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "organization_id";
+            tableName: "auth_roles";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        permissions: import("drizzle-orm/pg-core").PgColumn<{
+            name: "permissions";
+            tableName: "auth_roles";
+            dataType: "json";
+            columnType: "PgJsonb";
+            data: string[];
+            driverParam: unknown;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            $type: string[];
+        }>;
+        slug: import("drizzle-orm/pg-core").PgColumn<{
+            name: "slug";
+            tableName: "auth_roles";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 128;
+        }>;
+        updated_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "updated_at_ms";
+            tableName: "auth_roles";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+export declare const createNeonRoleStore: (databaseUrl: string) => RoleStore;
+export declare const createPostgresRoleStore: (db: AnyPgDatabase) => RoleStore;

package/dist/roles/resolver.d.ts

@@ -0,0 +1,17 @@
+import type { OrganizationStore } from '../organizations/types';
+import type { OrganizationId } from '../tenancy';
+import type { RoleStore } from './types';
+export declare const createMembershipPermissionResolver: <UserType>({ getUserId, organizationStore, roleStore }: {
+    getUserId: (user: UserType) => string;
+    organizationStore: OrganizationStore;
+    roleStore: RoleStore;
+}) => ({ organizationId, permission, user }: {
+    organizationId?: OrganizationId;
+    permission: string;
+    user: UserType;
+}) => Promise<boolean>;
+export declare const resolvePermissions: ({ organizationId, roleStore, roles }: {
+    organizationId?: OrganizationId;
+    roleStore: RoleStore;
+    roles: string[];
+}) => Promise<Set<string>>;

package/dist/roles/routes.d.ts

@@ -0,0 +1,106 @@
+import { Elysia } from 'elysia';
+import type { SessionRecord } from '../types';
+import { type RolesRouteProps } from './config';
+export declare const roleRoutes: <UserType>({ authSessionStore, canManageRoles, emit, getUserId, onRolesAssigned, organizationStore, roleStore, rolesRoute }: RolesRouteProps<UserType>) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        ":organizationId": {
+            get: {
+                body: unknown;
+                params: {
+                    organizationId: string;
+                };
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: {
+                        readonly roles: readonly import("./types").Role[];
+                    };
+                    401: "Authentication required";
+                    403: "Cannot manage roles";
+                    422: {
+                        type: "validation";
+                        on: string;
+                        summary?: string;
+                        message?: string;
+                        found?: unknown;
+                        property?: string;
+                        expected?: string;
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        ":organizationId": {
+            members: {
+                ":userId": {
+                    put: {
+                        body: {
+                            roles: string[];
+                        };
+                        params: {
+                            userId: string;
+                            organizationId: string;
+                        };
+                        query: unknown;
+                        headers: unknown;
+                        response: {
+                            200: {
+                                readonly roles: string[];
+                            };
+                            401: "Authentication required";
+                            403: "Cannot manage roles";
+                            404: "Membership not found";
+                            422: {
+                                type: "validation";
+                                on: string;
+                                summary?: string;
+                                message?: string;
+                                found?: unknown;
+                                property?: string;
+                                expected?: string;
+                            };
+                        };
+                    };
+                };
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/roles/types.d.ts

@@ -0,0 +1,14 @@
+import type { OrganizationId } from '../tenancy';
+export type Role = {
+    createdAt: number;
+    organizationId?: OrganizationId;
+    permissions: string[];
+    slug: string;
+    updatedAt: number;
+};
+export type RoleStore = {
+    deleteRole: (slug: string, organizationId?: OrganizationId) => Promise<void>;
+    getRole: (slug: string, organizationId?: OrganizationId) => Promise<Role | undefined>;
+    listRoles: (organizationId?: OrganizationId) => Promise<Role[]>;
+    saveRole: (role: Role) => Promise<void>;
+};

package/dist/types.d.ts

@@ -9,11 +9,15 @@ import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { OrganizationsConfig } from './organizations/config';
+import type { PasswordlessConfig } from './passwordless/config';
+import type { RolesConfig } from './roles/config';
 import type { ScimConfig } from './scim/config';
 import type { SessionsConfig } from './session/sessionsConfig';
 import type { AuthSessionStore } from './session/types';
 import type { SSOConfig } from './sso/config';
 import type { WebAuthnConfig } from './webauthn/config';
+import type { WebhooksConfig } from './webhooks/config';
 export type AuthIntent = 'login' | 'link_identity' | 'link_connector';
 export type OAuth2ProviderClientConfiguration<Provider extends ProviderOption> = {
     credentials: CredentialsFor<Provider>;
@@ -183,6 +187,11 @@ export type AuthConfig<UserType> = {
      *  mounts register / verify-email / login / reset-password routes that produce the
      *  same `SessionData<UserType>` as OAuth, transparent to `protectRoute`. */
     credentials?: CredentialsConfig<UserType>;
+    /** Passwordless login: magic links + email/SMS OTP. When present, mounts the magic-link flow
+     *  (if `onSendMagicLink` is set) and/or the OTP flow (if `onSendOtp` is set) under
+     *  `{passwordlessRoute}`; each verify route resolves the email to a user and mints the same
+     *  `SessionData<UserType>` as every other flow. */
+    passwordless?: PasswordlessConfig<UserType>;
     /** Multi-factor auth (TOTP + backup codes). When present alongside `credentials`,
      *  `auth()` auto-wires the login MFA gate, mounts the enroll/challenge routes, and
      *  promotes the parked session once a factor is verified. */
@@ -203,6 +212,15 @@ export type AuthConfig<UserType> = {
      *  mounts `{scimRoute}/Users` (+ `/ServiceProviderConfig`) with per-org bearer-token auth via
      *  `scimTokenStore`, and maps SCIM resources to the consumer's user store through hooks. */
     scim?: ScimConfig;
+    /** First-class multi-tenancy (the WorkOS model). When present, mounts organization +
+     *  membership + invitation routes under `{organizationsRoute}`: list the caller's orgs, create
+     *  one (caller becomes owner), invite/accept/revoke by email, and list/remove members. Ties the
+     *  bare `organizationId` used by SSO/SCIM/RBAC into a real tenant model with org-scoped roles. */
+    organizations?: OrganizationsConfig<UserType>;
+    /** Org-scoped roles & permissions (builds on `organizations`). When present, mounts routes to
+     *  list an org's role definitions and set a member's roles. Pair with
+     *  `createMembershipPermissionResolver` to make `authorization.hasPermission` turnkey. */
+    roles?: RolesConfig<UserType>;
     /** Role-based / attribute-based access control (E4). When present, `auth()` exposes a
      *  `protectPermission(check, handler)` derive (alongside `protectRoute`) that delegates the
      *  decision to your `hasPermission` hook — the package stays schema-agnostic about roles. */
@@ -217,6 +235,11 @@ export type AuthConfig<UserType> = {
      *  → mints the same `SessionData<UserType>`). A `webauthnAdapter` wraps a vetted library (e.g.
      *  `@simplewebauthn/server`); the package never bundles the WebAuthn crypto. */
     webauthn?: WebAuthnConfig<UserType>;
+    /** Signed outbound webhooks. When present, every emitted auth event (the audit taxonomy) is
+     *  HMAC-signed (Standard Webhooks scheme) and POSTed to each endpoint. Delivery is best-effort
+     *  and isolated per endpoint; configuring this alone (without `audit`) is enough to turn on
+     *  event emission. PII redaction (`audit.redact`) applies before delivery. */
+    webhooks?: WebhooksConfig;
     /** Enable the built-in HTMX fragment routes (login, identities, connectors,
      *  account, signout, delete-account). Supply provider display data + the
      *  identity/connector data actions; the package owns the route wiring and

package/dist/webhooks/config.d.ts

@@ -0,0 +1,21 @@
+import type { WebhookEndpoint, WebhookEvent } from './types';
+export declare const DEFAULT_WEBHOOK_TIMEOUT_MS: number;
+export type WebhookFetch = (url: string, init: {
+    body: string;
+    headers: Record<string, string>;
+    method: string;
+    signal: AbortSignal;
+}) => Promise<{
+    ok: boolean;
+    status: number;
+}>;
+export type WebhooksConfig = {
+    endpoints: WebhookEndpoint[];
+    fetch?: WebhookFetch;
+    onDeliveryError?: (context: {
+        endpoint: WebhookEndpoint;
+        error: unknown;
+        event: WebhookEvent;
+    }) => void | Promise<void>;
+    timeoutMs?: number;
+};

package/dist/webhooks/dispatcher.d.ts

@@ -0,0 +1,3 @@
+import type { AuditEvent } from '../audit/types';
+import { type WebhooksConfig } from './config';
+export declare const createWebhookDispatcher: ({ endpoints, fetch: fetchImpl, onDeliveryError, timeoutMs }: WebhooksConfig) => (event: AuditEvent) => Promise<void>;

package/dist/webhooks/sign.d.ts

@@ -0,0 +1,11 @@
+export declare const signWebhook: ({ id, payload, secret, timestamp }: {
+    id: string;
+    payload: string;
+    secret: string;
+    timestamp: string;
+}) => Promise<string>;
+export declare const verifyWebhookSignature: ({ headers, payload, secret }: {
+    headers: Record<string, string | undefined>;
+    payload: string;
+    secret: string;
+}) => Promise<boolean>;

package/dist/webhooks/types.d.ts

@@ -0,0 +1,11 @@
+import type { AuditEvent, AuditEventType } from '../audit/types';
+export type WebhookEndpoint = {
+    secret: string;
+    url: string;
+};
+export type WebhookEvent = {
+    createdAt: number;
+    data: AuditEvent;
+    id: string;
+    type: AuditEventType;
+};

package/package.json

@@ -1,5 +1,5 @@
 {
-	"version": "0.26.0-beta.3",
+	"version": "0.26.0-beta.4",
 	"name": "@absolutejs/auth",
 	"description": "An authorization library for absolutejs",
 	"repository": {