@absolutejs/auth 0.27.0 → 0.28.0

package/dist/index.js

@@ -4297,6 +4297,160 @@ var mcpProtectedResourceMetadata = ({
   scopes_supported: scopes ?? []
 });
 var verifyPkce = async (codeVerifier, codeChallenge) => await hashToken(codeVerifier) === codeChallenge;
+var inactive = { active: false };
+var introspectToken = async ({
+  config,
+  hint,
+  now = Date.now(),
+  token
+}) => {
+  if (hint !== "refresh_token") {
+    const verified = await verifyJwt(token, config.signingKey.publicJwk);
+    const payload = verified?.payload;
+    if (payload !== undefined && typeof payload.sub === "string" && typeof payload.exp === "number" && payload.exp > nowSeconds(now)) {
+      return {
+        active: true,
+        client_id: typeof payload.client_id === "string" ? payload.client_id : "",
+        exp: payload.exp,
+        iat: typeof payload.iat === "number" ? payload.iat : 0,
+        scope: typeof payload.scope === "string" ? payload.scope : "",
+        sub: payload.sub,
+        token_type: "access_token"
+      };
+    }
+  }
+  if (hint !== "access_token") {
+    const refresh = await config.refreshTokenStore.getToken(await hashToken(token));
+    if (refresh && refresh.expiresAt > now) {
+      return {
+        active: true,
+        client_id: refresh.clientId,
+        exp: nowSeconds(refresh.expiresAt),
+        iat: nowSeconds(refresh.createdAt),
+        scope: refresh.scopes.join(" "),
+        sub: refresh.userId,
+        token_type: "refresh_token"
+      };
+    }
+  }
+  return inactive;
+};
+var revokeRefreshToken = async (config, token) => {
+  const consumed = await config.refreshTokenStore.consumeToken(await hashToken(token));
+  return consumed !== undefined;
+};
+var DEVICE_CODE_BYTES = 32;
+var USER_CODE_HALF_LENGTH = 4;
+var USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789";
+var DEFAULT_DEVICE_CODE_TTL_MINUTES = 15;
+var DEFAULT_DEVICE_CODE_TTL_MS = MILLISECONDS_IN_A_MINUTE * DEFAULT_DEVICE_CODE_TTL_MINUTES;
+var DEFAULT_DEVICE_POLL_INTERVAL_SECONDS = 5;
+var generateUserCode = () => {
+  const length = USER_CODE_HALF_LENGTH * 2;
+  const random = crypto.getRandomValues(new Uint8Array(length));
+  let code = "";
+  for (const byte of random) {
+    code += USER_CODE_ALPHABET[byte % USER_CODE_ALPHABET.length];
+  }
+  return `${code.slice(0, USER_CODE_HALF_LENGTH)}-${code.slice(USER_CODE_HALF_LENGTH)}`;
+};
+var issueDeviceAuthorization = async ({
+  clientId,
+  config,
+  now = Date.now(),
+  requestedScopes
+}) => {
+  if (!config.deviceAuthorizationStore) {
+    throw new Error("oidc.deviceAuthorizationStore is not configured \u2014 cannot start a device flow");
+  }
+  const deviceCode = generateSecureToken(DEVICE_CODE_BYTES);
+  const userCode = generateUserCode();
+  const ttl = config.deviceCodeTtlMs ?? DEFAULT_DEVICE_CODE_TTL_MS;
+  const interval = config.devicePollIntervalSeconds ?? DEFAULT_DEVICE_POLL_INTERVAL_SECONDS;
+  await config.deviceAuthorizationStore.saveDeviceAuthorization({
+    clientId,
+    createdAt: now,
+    deviceCodeHash: await hashToken(deviceCode),
+    expiresAt: now + ttl,
+    intervalSeconds: interval,
+    scopes: requestedScopes,
+    status: "pending",
+    userCode
+  });
+  const verificationUri = `${config.issuer}${config.oidcRoute ?? DEFAULT_OIDC_ROUTE}/device`;
+  return {
+    device_code: deviceCode,
+    expires_in: Math.floor(ttl / MS_PER_SECOND),
+    interval,
+    user_code: userCode,
+    verification_uri: verificationUri,
+    verification_uri_complete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`
+  };
+};
+var decideDeviceAuthorization = async (config, userCode, approval) => {
+  if (!config.deviceAuthorizationStore) {
+    return { error: "not_configured", ok: false };
+  }
+  const record = await config.deviceAuthorizationStore.findByUserCode(userCode);
+  if (!record)
+    return { error: "invalid_user_code", ok: false };
+  if (record.expiresAt < Date.now()) {
+    return { error: "expired_token", ok: false };
+  }
+  if (record.status !== "pending") {
+    return { error: "already_decided", ok: false };
+  }
+  await config.deviceAuthorizationStore.updateStatus(record.deviceCodeHash, approval.status, approval.userSub);
+  return { ok: true };
+};
+var approveDeviceAuthorization = async ({
+  config,
+  userCode,
+  userSub
+}) => decideDeviceAuthorization(config, userCode, {
+  status: "approved",
+  userSub
+});
+var denyDeviceAuthorization = async ({
+  config,
+  userCode
+}) => decideDeviceAuthorization(config, userCode, { status: "denied" });
+var exchangeDeviceCode = async ({
+  clientId,
+  config,
+  deviceCode,
+  dpopJkt,
+  now = Date.now()
+}) => {
+  if (!config.deviceAuthorizationStore) {
+    return { error: "invalid_grant", ok: false };
+  }
+  const deviceCodeHash = await hashToken(deviceCode);
+  const record = await config.deviceAuthorizationStore.findByDeviceCodeHash(deviceCodeHash);
+  if (!record || record.clientId !== clientId) {
+    return { error: "invalid_grant", ok: false };
+  }
+  if (record.expiresAt < now) {
+    await config.deviceAuthorizationStore.deleteByDeviceCodeHash(deviceCodeHash);
+    return { error: "expired_token", ok: false };
+  }
+  if (record.status === "pending") {
+    return { error: "authorization_pending", ok: false };
+  }
+  if (record.status === "denied" || record.userSub === undefined) {
+    return { error: "access_denied", ok: false };
+  }
+  await config.deviceAuthorizationStore.deleteByDeviceCodeHash(deviceCodeHash);
+  const tokenSet = await issueTokenSet({
+    clientId,
+    config,
+    dpopJkt,
+    now,
+    scopes: record.scopes,
+    sub: record.userSub
+  });
+  return { ...tokenSet, ok: true };
+};
 
 // src/oidc/dpop.ts
 var DEFAULT_MAX_AGE_MS = 60000;
@@ -4391,6 +4545,10 @@ var oidcProviderRoutes = (config) => {
   const authorizeRoute = `${oidcRoute}/authorize`;
   const tokenRoute = `${oidcRoute}/token`;
   const jwksRoute = `${oidcRoute}/jwks`;
+  const introspectRoute = `${oidcRoute}/introspect`;
+  const revokeRoute = `${oidcRoute}/revoke`;
+  const deviceAuthorizationRoute = `${oidcRoute}/device_authorization`;
+  const deviceApproveRoute = `${oidcRoute}/device/decision`;
   const tokenUrl = `${issuer}${oidcRoute}/token`;
   const authenticateClient = async (clientId, clientSecret) => {
     const client = await clientStore.findClient(clientId);
@@ -4492,19 +4650,57 @@ var oidcProviderRoutes = (config) => {
       token_type: dpopResult === undefined ? "Bearer" : "DPoP"
     }, HTTP_OK2);
   };
+  const grantDeviceCode = async (client, body, dpop) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    if (body.device_code === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_request");
+    }
+    const dpopResult = dpop === undefined ? undefined : await verifyDpopProof({
+      htm: "POST",
+      htu: tokenUrl,
+      proof: dpop
+    });
+    if (dpop !== undefined && dpopResult === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_dpop_proof");
+    }
+    const result = await exchangeDeviceCode({
+      clientId: client.clientId,
+      config,
+      deviceCode: body.device_code,
+      dpopJkt: dpopResult?.jkt
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({
+      access_token: result.access_token,
+      expires_in: result.expires_in,
+      id_token: result.id_token,
+      refresh_token: result.refresh_token,
+      scope: result.scope,
+      token_type: dpopResult === undefined ? "Bearer" : "DPoP"
+    }, HTTP_OK2);
+  };
+  const grantTypes = [
+    "authorization_code",
+    "refresh_token",
+    "urn:ietf:params:oauth:grant-type:token-exchange"
+  ];
+  if (config.deviceAuthorizationStore) {
+    grantTypes.push("urn:ietf:params:oauth:grant-type:device_code");
+  }
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
-    grant_types_supported: [
-      "authorization_code",
-      "refresh_token",
-      "urn:ietf:params:oauth:grant-type:token-exchange"
-    ],
+    grant_types_supported: grantTypes,
     id_token_signing_alg_values_supported: ["ES256"],
+    introspection_endpoint: `${issuer}${introspectRoute}`,
     issuer,
     jwks_uri: `${issuer}${jwksRoute}`,
     response_types_supported: ["code"],
+    revocation_endpoint: `${issuer}${revokeRoute}`,
     subject_types_supported: ["public"],
     token_endpoint: tokenUrl,
     token_endpoint_auth_methods_supported: [
@@ -4513,6 +4709,9 @@ var oidcProviderRoutes = (config) => {
       "none"
     ]
   };
+  if (config.deviceAuthorizationStore) {
+    discovery.device_authorization_endpoint = `${issuer}${deviceAuthorizationRoute}`;
+  }
   return new Elysia15().use(sessionStore()).get(authorizeRoute, async ({ cookie: { user_session_id }, query, request, store }) => {
     const {
       client_id: clientId,
@@ -4610,6 +4809,9 @@ var oidcProviderRoutes = (config) => {
     if (body.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange") {
       return grantTokenExchange(client, body, headers.dpop);
     }
+    if (body.grant_type === "urn:ietf:params:oauth:grant-type:device_code") {
+      return grantDeviceCode(client, body, headers.dpop);
+    }
     return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
   }, {
     body: t12.Object({
@@ -4618,6 +4820,7 @@ var oidcProviderRoutes = (config) => {
       client_secret: t12.Optional(t12.String()),
       code: t12.Optional(t12.String()),
       code_verifier: t12.Optional(t12.String()),
+      device_code: t12.Optional(t12.String()),
       grant_type: t12.Optional(t12.String()),
       redirect_uri: t12.Optional(t12.String()),
       refresh_token: t12.Optional(t12.String()),
@@ -4626,6 +4829,121 @@ var oidcProviderRoutes = (config) => {
       subject_token: t12.Optional(t12.String()),
       subject_token_type: t12.Optional(t12.String())
     })
+  }).post(introspectRoute, async ({ body, headers }) => {
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const result = await introspectToken({
+      config,
+      hint: body.token_type_hint === "access_token" || body.token_type_hint === "refresh_token" ? body.token_type_hint : undefined,
+      now: Date.now(),
+      token: body.token
+    });
+    return jsonResponse(result, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      token: t12.String(),
+      token_type_hint: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(revokeRoute, async ({ body, headers }) => {
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    if (body.token_type_hint !== "access_token") {
+      await revokeRefreshToken(config, body.token);
+    }
+    return new Response(null, { status: HTTP_OK2 });
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      token: t12.String(),
+      token_type_hint: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(deviceAuthorizationRoute, async ({ body, headers }) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const requested = body.scope === undefined || body.scope.length === 0 ? client.scopes : body.scope.split(" ").filter((entry) => client.scopes.includes(entry));
+    const response = await issueDeviceAuthorization({
+      clientId: client.clientId,
+      config,
+      now: Date.now(),
+      requestedScopes: requested
+    });
+    return jsonResponse(response, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      scope: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(deviceApproveRoute, async ({ body, cookie: { user_session_id }, store }) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    const userSession = await loadSessionFromSource({
+      authSessionStore,
+      session: store.session,
+      userSessionId: user_session_id.value
+    });
+    if (userSession === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "login_required");
+    }
+    const result = body.action === "deny" ? await denyDeviceAuthorization({
+      config,
+      userCode: body.user_code
+    }) : await approveDeviceAuthorization({
+      config,
+      userCode: body.user_code,
+      userSub: getUserId(userSession.user)
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({ ok: true }, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      action: t12.Optional(t12.Union([t12.Literal("approve"), t12.Literal("deny")])),
+      user_code: t12.String()
+    }),
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
 
@@ -19646,6 +19964,33 @@ var createInMemoryAuthorizationCodeStore = () => {
     }
   };
 };
+var createInMemoryDeviceAuthorizationStore = () => {
+  const byDeviceCode = new Map;
+  return {
+    deleteByDeviceCodeHash: async (deviceCodeHash) => {
+      byDeviceCode.delete(deviceCodeHash);
+    },
+    findByDeviceCodeHash: async (deviceCodeHash) => byDeviceCode.get(deviceCodeHash),
+    findByUserCode: async (userCode) => {
+      for (const record of byDeviceCode.values()) {
+        if (record.userCode === userCode)
+          return record;
+      }
+      return;
+    },
+    saveDeviceAuthorization: async (deviceAuthorization) => {
+      byDeviceCode.set(deviceAuthorization.deviceCodeHash, {
+        ...deviceAuthorization
+      });
+    },
+    updateStatus: async (deviceCodeHash, status, userSub) => {
+      const record = byDeviceCode.get(deviceCodeHash);
+      if (!record)
+        return;
+      byDeviceCode.set(deviceCodeHash, { ...record, status, userSub });
+    }
+  };
+};
 var createInMemoryOAuthClientStore = (clients) => {
   const registry = new Map(clients.map((client) => [client.clientId, client]));
   return {
@@ -19666,6 +20011,7 @@ var createInMemoryOidcRefreshTokenStore = () => {
           tokens.delete(hash);
       }
     },
+    getToken: async (tokenHash) => tokens.get(tokenHash),
     saveToken: async (token) => {
       tokens.set(token.tokenHash, { ...token });
     }
@@ -19693,6 +20039,19 @@ var oauthCodesTable = pgTable("auth_oauth_codes", {
   scopes: text("scopes").array().notNull(),
   user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
 });
+var oauthDeviceAuthorizationsTable = pgTable("auth_oauth_device_authorizations", {
+  client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  device_code_hash: varchar("device_code_hash", {
+    length: ID_LENGTH7
+  }).primaryKey(),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  interval_seconds: bigint("interval_seconds", { mode: "number" }).notNull(),
+  scopes: text("scopes").array().notNull(),
+  status: varchar("status", { length: 16 }).notNull(),
+  user_code: varchar("user_code", { length: 16 }).notNull().unique(),
+  user_sub: varchar("user_sub", { length: ID_LENGTH7 })
+});
 var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   claims_json: jsonb("claims_json").$type(),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
@@ -19736,6 +20095,17 @@ var toCodeValues = (code) => ({
   scopes: code.scopes,
   user_id: code.userId
 });
+var toDeviceAuth = (row) => ({
+  clientId: row.client_id,
+  createdAt: row.created_at_ms,
+  deviceCodeHash: row.device_code_hash,
+  expiresAt: row.expires_at_ms,
+  intervalSeconds: row.interval_seconds,
+  scopes: row.scopes,
+  status: row.status,
+  userCode: row.user_code,
+  userSub: row.user_sub ?? undefined
+});
 var toRefresh = (row) => ({
   claims: row.claims_json ?? undefined,
   clientId: row.client_id,
@@ -19757,6 +20127,7 @@ var toRefreshValues = (token) => ({
   user_id: token.userId
 });
 var createNeonAuthorizationCodeStore = (databaseUrl) => createPostgresAuthorizationCodeStore(createNeonDatabase(databaseUrl));
+var createNeonDeviceAuthorizationStore = (databaseUrl) => createPostgresDeviceAuthorizationStore(createNeonDatabase(databaseUrl));
 var createNeonOAuthClientStore = (databaseUrl) => createPostgresOAuthClientStore(createNeonDatabase(databaseUrl));
 var createNeonOidcRefreshTokenStore = (databaseUrl) => createPostgresOidcRefreshTokenStore(createNeonDatabase(databaseUrl));
 var createPostgresAuthorizationCodeStore = (db) => ({
@@ -19768,6 +20139,35 @@ var createPostgresAuthorizationCodeStore = (db) => ({
     await db.insert(oauthCodesTable).values(toCodeValues(code));
   }
 });
+var createPostgresDeviceAuthorizationStore = (db) => ({
+  deleteByDeviceCodeHash: async (deviceCodeHash) => {
+    await db.delete(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
+  },
+  findByDeviceCodeHash: async (deviceCodeHash) => {
+    const [row] = await db.select().from(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash)).limit(1);
+    return row ? toDeviceAuth(row) : undefined;
+  },
+  findByUserCode: async (userCode) => {
+    const [row] = await db.select().from(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.user_code, userCode)).limit(1);
+    return row ? toDeviceAuth(row) : undefined;
+  },
+  saveDeviceAuthorization: async (deviceAuthorization) => {
+    await db.insert(oauthDeviceAuthorizationsTable).values({
+      client_id: deviceAuthorization.clientId,
+      created_at_ms: deviceAuthorization.createdAt,
+      device_code_hash: deviceAuthorization.deviceCodeHash,
+      expires_at_ms: deviceAuthorization.expiresAt,
+      interval_seconds: deviceAuthorization.intervalSeconds,
+      scopes: deviceAuthorization.scopes,
+      status: deviceAuthorization.status,
+      user_code: deviceAuthorization.userCode,
+      user_sub: deviceAuthorization.userSub ?? null
+    });
+  },
+  updateStatus: async (deviceCodeHash, status, userSub) => {
+    await db.update(oauthDeviceAuthorizationsTable).set({ status, user_sub: userSub ?? null }).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
+  }
+});
 var createPostgresOAuthClientStore = (db) => ({
   findClient: async (clientId) => {
     const [row] = await db.select().from(oauthClientsTable).where(eq(oauthClientsTable.client_id, clientId)).limit(1);
@@ -19782,6 +20182,10 @@ var createPostgresOidcRefreshTokenStore = (db) => ({
   deleteForUser: async (userId) => {
     await db.delete(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.user_id, userId));
   },
+  getToken: async (tokenHash) => {
+    const [row] = await db.select().from(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.token_hash, tokenHash)).limit(1);
+    return row ? toRefresh(row) : undefined;
+  },
   saveToken: async (token) => {
     await db.insert(oauthRefreshTokensTable).values(toRefreshValues(token));
   }
@@ -21182,6 +21586,7 @@ export {
   rolesTable,
   roleRoutes,
   revokeUserSessions,
+  revokeRefreshToken,
   revocableProviderOptions,
   resolveSetupSession,
   resolveScimOrganization,
@@ -21213,6 +21618,7 @@ export {
   oidcProviderRoutes,
   oidcProviderOptions,
   oauthRefreshTokensTable,
+  oauthDeviceAuthorizationsTable,
   oauthCodesTable,
   oauthClientsTable,
   mfaTotpRoutes,
@@ -21230,6 +21636,7 @@ export {
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
+  issueDeviceAuthorization,
   isValidUser,
   isValidProviderOption,
   isUserSessionId,
@@ -21246,6 +21653,7 @@ export {
   isAuthIntent,
   isAnonymousSession,
   inviteToOrganization,
+  introspectToken,
   instantiateUserSession,
   hashToken,
   hashPassword,
@@ -21264,11 +21672,13 @@ export {
   extractPropFromIdentity,
   exportAuditCsv,
   exchangeToken,
+  exchangeDeviceCode,
   exchangeClientCredentials,
   evaluatePassword,
   endImpersonation,
   encryptTotpSecret,
   encryptSecret,
+  denyDeviceAuthorization,
   deleteWarrant,
   defineProvidersConfiguration,
   defineAuthSettings,
@@ -21312,6 +21722,7 @@ export {
   createPostgresLoginHistoryStore,
   createPostgresLockoutStore,
   createPostgresKnownDeviceStore,
+  createPostgresDeviceAuthorizationStore,
   createPostgresCredentialStore,
   createPostgresAuthorizationCodeStore,
   createPostgresAuditSink,
@@ -21337,6 +21748,7 @@ export {
   createNeonLockoutStore,
   createNeonLinkedProviderStores,
   createNeonKnownDeviceStore,
+  createNeonDeviceAuthorizationStore,
   createNeonDatabase,
   createNeonCredentialStore,
   createNeonAuthorizationCodeStore,
@@ -21365,6 +21777,7 @@ export {
   createInMemoryLockoutStore,
   createInMemoryLinkedProviderStores,
   createInMemoryKnownDeviceStore,
+  createInMemoryDeviceAuthorizationStore,
   createInMemoryCredentialStore,
   createInMemoryCheckCache,
   createInMemoryAuthorizationCodeStore,
@@ -21396,6 +21809,7 @@ export {
   auditEventsTable,
   assessRisk,
   assessAbuse,
+  approveDeviceAuthorization,
   apiKeysTable,
   apiKeysRoutes,
   apiClientsTable,
@@ -21432,5 +21846,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=CE0246297ACE345E64756E2164756E21
+//# debugId=E246ECC6A14E235864756E2164756E21
 //# sourceMappingURL=index.js.map