@absolutejs/auth 0.27.0 → 0.29.0-beta.0

package/dist/index.js

@@ -4297,6 +4297,160 @@ var mcpProtectedResourceMetadata = ({
   scopes_supported: scopes ?? []
 });
 var verifyPkce = async (codeVerifier, codeChallenge) => await hashToken(codeVerifier) === codeChallenge;
+var inactive = { active: false };
+var introspectToken = async ({
+  config,
+  hint,
+  now = Date.now(),
+  token
+}) => {
+  if (hint !== "refresh_token") {
+    const verified = await verifyJwt(token, config.signingKey.publicJwk);
+    const payload = verified?.payload;
+    if (payload !== undefined && typeof payload.sub === "string" && typeof payload.exp === "number" && payload.exp > nowSeconds(now)) {
+      return {
+        active: true,
+        client_id: typeof payload.client_id === "string" ? payload.client_id : "",
+        exp: payload.exp,
+        iat: typeof payload.iat === "number" ? payload.iat : 0,
+        scope: typeof payload.scope === "string" ? payload.scope : "",
+        sub: payload.sub,
+        token_type: "access_token"
+      };
+    }
+  }
+  if (hint !== "access_token") {
+    const refresh = await config.refreshTokenStore.getToken(await hashToken(token));
+    if (refresh && refresh.expiresAt > now) {
+      return {
+        active: true,
+        client_id: refresh.clientId,
+        exp: nowSeconds(refresh.expiresAt),
+        iat: nowSeconds(refresh.createdAt),
+        scope: refresh.scopes.join(" "),
+        sub: refresh.userId,
+        token_type: "refresh_token"
+      };
+    }
+  }
+  return inactive;
+};
+var revokeRefreshToken = async (config, token) => {
+  const consumed = await config.refreshTokenStore.consumeToken(await hashToken(token));
+  return consumed !== undefined;
+};
+var DEVICE_CODE_BYTES = 32;
+var USER_CODE_HALF_LENGTH = 4;
+var USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789";
+var DEFAULT_DEVICE_CODE_TTL_MINUTES = 15;
+var DEFAULT_DEVICE_CODE_TTL_MS = MILLISECONDS_IN_A_MINUTE * DEFAULT_DEVICE_CODE_TTL_MINUTES;
+var DEFAULT_DEVICE_POLL_INTERVAL_SECONDS = 5;
+var generateUserCode = () => {
+  const length = USER_CODE_HALF_LENGTH * 2;
+  const random = crypto.getRandomValues(new Uint8Array(length));
+  let code = "";
+  for (const byte of random) {
+    code += USER_CODE_ALPHABET[byte % USER_CODE_ALPHABET.length];
+  }
+  return `${code.slice(0, USER_CODE_HALF_LENGTH)}-${code.slice(USER_CODE_HALF_LENGTH)}`;
+};
+var issueDeviceAuthorization = async ({
+  clientId,
+  config,
+  now = Date.now(),
+  requestedScopes
+}) => {
+  if (!config.deviceAuthorizationStore) {
+    throw new Error("oidc.deviceAuthorizationStore is not configured \u2014 cannot start a device flow");
+  }
+  const deviceCode = generateSecureToken(DEVICE_CODE_BYTES);
+  const userCode = generateUserCode();
+  const ttl = config.deviceCodeTtlMs ?? DEFAULT_DEVICE_CODE_TTL_MS;
+  const interval = config.devicePollIntervalSeconds ?? DEFAULT_DEVICE_POLL_INTERVAL_SECONDS;
+  await config.deviceAuthorizationStore.saveDeviceAuthorization({
+    clientId,
+    createdAt: now,
+    deviceCodeHash: await hashToken(deviceCode),
+    expiresAt: now + ttl,
+    intervalSeconds: interval,
+    scopes: requestedScopes,
+    status: "pending",
+    userCode
+  });
+  const verificationUri = `${config.issuer}${config.oidcRoute ?? DEFAULT_OIDC_ROUTE}/device`;
+  return {
+    device_code: deviceCode,
+    expires_in: Math.floor(ttl / MS_PER_SECOND),
+    interval,
+    user_code: userCode,
+    verification_uri: verificationUri,
+    verification_uri_complete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`
+  };
+};
+var decideDeviceAuthorization = async (config, userCode, approval) => {
+  if (!config.deviceAuthorizationStore) {
+    return { error: "not_configured", ok: false };
+  }
+  const record = await config.deviceAuthorizationStore.findByUserCode(userCode);
+  if (!record)
+    return { error: "invalid_user_code", ok: false };
+  if (record.expiresAt < Date.now()) {
+    return { error: "expired_token", ok: false };
+  }
+  if (record.status !== "pending") {
+    return { error: "already_decided", ok: false };
+  }
+  await config.deviceAuthorizationStore.updateStatus(record.deviceCodeHash, approval.status, approval.userSub);
+  return { ok: true };
+};
+var approveDeviceAuthorization = async ({
+  config,
+  userCode,
+  userSub
+}) => decideDeviceAuthorization(config, userCode, {
+  status: "approved",
+  userSub
+});
+var denyDeviceAuthorization = async ({
+  config,
+  userCode
+}) => decideDeviceAuthorization(config, userCode, { status: "denied" });
+var exchangeDeviceCode = async ({
+  clientId,
+  config,
+  deviceCode,
+  dpopJkt,
+  now = Date.now()
+}) => {
+  if (!config.deviceAuthorizationStore) {
+    return { error: "invalid_grant", ok: false };
+  }
+  const deviceCodeHash = await hashToken(deviceCode);
+  const record = await config.deviceAuthorizationStore.findByDeviceCodeHash(deviceCodeHash);
+  if (!record || record.clientId !== clientId) {
+    return { error: "invalid_grant", ok: false };
+  }
+  if (record.expiresAt < now) {
+    await config.deviceAuthorizationStore.deleteByDeviceCodeHash(deviceCodeHash);
+    return { error: "expired_token", ok: false };
+  }
+  if (record.status === "pending") {
+    return { error: "authorization_pending", ok: false };
+  }
+  if (record.status === "denied" || record.userSub === undefined) {
+    return { error: "access_denied", ok: false };
+  }
+  await config.deviceAuthorizationStore.deleteByDeviceCodeHash(deviceCodeHash);
+  const tokenSet = await issueTokenSet({
+    clientId,
+    config,
+    dpopJkt,
+    now,
+    scopes: record.scopes,
+    sub: record.userSub
+  });
+  return { ...tokenSet, ok: true };
+};
 
 // src/oidc/dpop.ts
 var DEFAULT_MAX_AGE_MS = 60000;
@@ -4391,6 +4545,10 @@ var oidcProviderRoutes = (config) => {
   const authorizeRoute = `${oidcRoute}/authorize`;
   const tokenRoute = `${oidcRoute}/token`;
   const jwksRoute = `${oidcRoute}/jwks`;
+  const introspectRoute = `${oidcRoute}/introspect`;
+  const revokeRoute = `${oidcRoute}/revoke`;
+  const deviceAuthorizationRoute = `${oidcRoute}/device_authorization`;
+  const deviceApproveRoute = `${oidcRoute}/device/decision`;
   const tokenUrl = `${issuer}${oidcRoute}/token`;
   const authenticateClient = async (clientId, clientSecret) => {
     const client = await clientStore.findClient(clientId);
@@ -4492,19 +4650,57 @@ var oidcProviderRoutes = (config) => {
       token_type: dpopResult === undefined ? "Bearer" : "DPoP"
     }, HTTP_OK2);
   };
+  const grantDeviceCode = async (client, body, dpop) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    if (body.device_code === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_request");
+    }
+    const dpopResult = dpop === undefined ? undefined : await verifyDpopProof({
+      htm: "POST",
+      htu: tokenUrl,
+      proof: dpop
+    });
+    if (dpop !== undefined && dpopResult === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_dpop_proof");
+    }
+    const result = await exchangeDeviceCode({
+      clientId: client.clientId,
+      config,
+      deviceCode: body.device_code,
+      dpopJkt: dpopResult?.jkt
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({
+      access_token: result.access_token,
+      expires_in: result.expires_in,
+      id_token: result.id_token,
+      refresh_token: result.refresh_token,
+      scope: result.scope,
+      token_type: dpopResult === undefined ? "Bearer" : "DPoP"
+    }, HTTP_OK2);
+  };
+  const grantTypes = [
+    "authorization_code",
+    "refresh_token",
+    "urn:ietf:params:oauth:grant-type:token-exchange"
+  ];
+  if (config.deviceAuthorizationStore) {
+    grantTypes.push("urn:ietf:params:oauth:grant-type:device_code");
+  }
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
-    grant_types_supported: [
-      "authorization_code",
-      "refresh_token",
-      "urn:ietf:params:oauth:grant-type:token-exchange"
-    ],
+    grant_types_supported: grantTypes,
     id_token_signing_alg_values_supported: ["ES256"],
+    introspection_endpoint: `${issuer}${introspectRoute}`,
     issuer,
     jwks_uri: `${issuer}${jwksRoute}`,
     response_types_supported: ["code"],
+    revocation_endpoint: `${issuer}${revokeRoute}`,
     subject_types_supported: ["public"],
     token_endpoint: tokenUrl,
     token_endpoint_auth_methods_supported: [
@@ -4513,6 +4709,9 @@ var oidcProviderRoutes = (config) => {
       "none"
     ]
   };
+  if (config.deviceAuthorizationStore) {
+    discovery.device_authorization_endpoint = `${issuer}${deviceAuthorizationRoute}`;
+  }
   return new Elysia15().use(sessionStore()).get(authorizeRoute, async ({ cookie: { user_session_id }, query, request, store }) => {
     const {
       client_id: clientId,
@@ -4610,6 +4809,9 @@ var oidcProviderRoutes = (config) => {
     if (body.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange") {
       return grantTokenExchange(client, body, headers.dpop);
     }
+    if (body.grant_type === "urn:ietf:params:oauth:grant-type:device_code") {
+      return grantDeviceCode(client, body, headers.dpop);
+    }
     return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
   }, {
     body: t12.Object({
@@ -4618,6 +4820,7 @@ var oidcProviderRoutes = (config) => {
       client_secret: t12.Optional(t12.String()),
       code: t12.Optional(t12.String()),
       code_verifier: t12.Optional(t12.String()),
+      device_code: t12.Optional(t12.String()),
       grant_type: t12.Optional(t12.String()),
       redirect_uri: t12.Optional(t12.String()),
       refresh_token: t12.Optional(t12.String()),
@@ -4626,6 +4829,121 @@ var oidcProviderRoutes = (config) => {
       subject_token: t12.Optional(t12.String()),
       subject_token_type: t12.Optional(t12.String())
     })
+  }).post(introspectRoute, async ({ body, headers }) => {
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const result = await introspectToken({
+      config,
+      hint: body.token_type_hint === "access_token" || body.token_type_hint === "refresh_token" ? body.token_type_hint : undefined,
+      now: Date.now(),
+      token: body.token
+    });
+    return jsonResponse(result, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      token: t12.String(),
+      token_type_hint: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(revokeRoute, async ({ body, headers }) => {
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    if (body.token_type_hint !== "access_token") {
+      await revokeRefreshToken(config, body.token);
+    }
+    return new Response(null, { status: HTTP_OK2 });
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      token: t12.String(),
+      token_type_hint: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(deviceAuthorizationRoute, async ({ body, headers }) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    const basic = readBasicAuth2(headers.authorization);
+    const clientId = body.client_id ?? basic.clientId;
+    const clientSecret = body.client_secret ?? basic.clientSecret;
+    if (clientId === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const client = await authenticateClient(clientId, clientSecret);
+    if (client === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "invalid_client");
+    }
+    const requested = body.scope === undefined || body.scope.length === 0 ? client.scopes : body.scope.split(" ").filter((entry) => client.scopes.includes(entry));
+    const response = await issueDeviceAuthorization({
+      clientId: client.clientId,
+      config,
+      now: Date.now(),
+      requestedScopes: requested
+    });
+    return jsonResponse(response, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      client_secret: t12.Optional(t12.String()),
+      scope: t12.Optional(t12.String())
+    }),
+    headers: t12.Object({
+      authorization: t12.Optional(t12.String())
+    })
+  }).post(deviceApproveRoute, async ({ body, cookie: { user_session_id }, store }) => {
+    if (config.deviceAuthorizationStore === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
+    }
+    const userSession = await loadSessionFromSource({
+      authSessionStore,
+      session: store.session,
+      userSessionId: user_session_id.value
+    });
+    if (userSession === undefined) {
+      return oauthError2(HTTP_UNAUTHORIZED2, "login_required");
+    }
+    const result = body.action === "deny" ? await denyDeviceAuthorization({
+      config,
+      userCode: body.user_code
+    }) : await approveDeviceAuthorization({
+      config,
+      userCode: body.user_code,
+      userSub: getUserId(userSession.user)
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({ ok: true }, HTTP_OK2);
+  }, {
+    body: t12.Object({
+      action: t12.Optional(t12.Union([t12.Literal("approve"), t12.Literal("deny")])),
+      user_code: t12.String()
+    }),
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
 
@@ -7602,6 +7920,14 @@ var webauthnRoutes = ({
 
 // src/webhooks/config.ts
 var DEFAULT_TIMEOUT_SECONDS = 5;
+var DEFAULT_RETRY_ATTEMPTS = 3;
+var DEFAULT_RETRY_INITIAL_DELAY_MS = MILLISECONDS_IN_A_SECOND;
+var DEFAULT_RETRY_BACKOFF_MULTIPLIER = 2;
+var DEFAULT_WEBHOOK_RETRY = {
+  attempts: DEFAULT_RETRY_ATTEMPTS,
+  backoffMultiplier: DEFAULT_RETRY_BACKOFF_MULTIPLIER,
+  initialDelayMs: DEFAULT_RETRY_INITIAL_DELAY_MS
+};
 var DEFAULT_WEBHOOK_TIMEOUT_MS = MILLISECONDS_IN_A_SECOND * DEFAULT_TIMEOUT_SECONDS;
 
 // src/webhooks/sign.ts
@@ -7634,12 +7960,145 @@ var verifyWebhookSignature = async ({
 };
 
 // src/webhooks/dispatcher.ts
+var defaultSleep = (delayMs) => new Promise((resolve) => setTimeout(resolve, delayMs));
+var attemptOnce = async ({
+  envelope,
+  endpoint,
+  fetchImpl,
+  payload,
+  signature,
+  timeoutMs,
+  timestamp
+}) => {
+  const response = await fetchImpl(endpoint.url, {
+    body: payload,
+    headers: {
+      "content-type": "application/json",
+      "webhook-id": envelope.id,
+      "webhook-signature": signature,
+      "webhook-timestamp": timestamp
+    },
+    method: "POST",
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!response.ok) {
+    throw new Error(`Webhook delivery returned ${response.status}`);
+  }
+  return response.status;
+};
+var errorMessage = (error) => error instanceof Error ? error.message : String(error);
+var statusFromError = (error) => {
+  if (!(error instanceof Error))
+    return;
+  const match = /returned (\d+)/.exec(error.message);
+  return match?.[1] === undefined ? undefined : Number(match[1]);
+};
+var persistFailure = async ({
+  attempts,
+  deliveryStore,
+  endpoint,
+  envelope,
+  lastError
+}) => {
+  if (deliveryStore === undefined)
+    return;
+  const record = {
+    attempts,
+    createdAt: Date.now(),
+    endpointUrl: endpoint.url,
+    envelope,
+    lastError: errorMessage(lastError),
+    lastStatus: statusFromError(lastError)
+  };
+  await deliveryStore.recordFailure(record);
+};
+var tryDeliverThenBackoff = async ({
+  attempt,
+  endpoint,
+  envelope,
+  fetchImpl,
+  payload,
+  retry,
+  signature,
+  sleep,
+  timeoutMs,
+  timestamp
+}) => {
+  try {
+    await attemptOnce({
+      endpoint,
+      envelope,
+      fetchImpl,
+      payload,
+      signature,
+      timeoutMs,
+      timestamp
+    });
+    return;
+  } catch (error) {
+    const isLastAttempt = attempt >= retry.attempts - 1;
+    await (isLastAttempt ? Promise.resolve() : sleep(retry.initialDelayMs * retry.backoffMultiplier ** attempt));
+    return error;
+  }
+};
+var deliverToEndpoint = async ({
+  deliveryStore,
+  endpoint,
+  envelope,
+  fetchImpl,
+  onDeliveryError,
+  payload,
+  retry,
+  signature,
+  sleep,
+  timeoutMs,
+  timestamp
+}) => {
+  let lastError;
+  for (let attempt = 0;attempt < retry.attempts; attempt++) {
+    const error = await tryDeliverThenBackoff({
+      attempt,
+      endpoint,
+      envelope,
+      fetchImpl,
+      payload,
+      retry,
+      signature,
+      sleep,
+      timeoutMs,
+      timestamp
+    });
+    if (error === undefined)
+      return;
+    lastError = error;
+  }
+  await onDeliveryError?.({
+    endpoint,
+    error: lastError,
+    event: envelope
+  });
+  await persistFailure({
+    attempts: retry.attempts,
+    deliveryStore,
+    endpoint,
+    envelope,
+    lastError
+  });
+};
 var createWebhookDispatcher = ({
+  deliveryStore,
   endpoints,
   fetch: fetchImpl = globalThis.fetch,
   onDeliveryError,
+  retry,
+  sleep = defaultSleep,
   timeoutMs = DEFAULT_WEBHOOK_TIMEOUT_MS
 }) => {
+  const effectiveRetry = {
+    attempts: retry?.attempts ?? DEFAULT_WEBHOOK_RETRY.attempts,
+    backoffMultiplier: retry?.backoffMultiplier ?? DEFAULT_WEBHOOK_RETRY.backoffMultiplier,
+    initialDelayMs: retry?.initialDelayMs ?? DEFAULT_WEBHOOK_RETRY.initialDelayMs
+  };
   const dispatch = async (event) => {
     const envelope = {
       createdAt: Date.now(),
@@ -7649,35 +8108,26 @@ var createWebhookDispatcher = ({
     };
     const payload = JSON.stringify(envelope);
     const timestamp = Math.floor(Date.now() / MILLISECONDS_IN_A_SECOND).toString();
-    await Promise.all(endpoints.map(async (endpoint) => {
-      try {
-        const signature = await signWebhook({
-          id: envelope.id,
-          payload,
-          secret: endpoint.secret,
-          timestamp
-        });
-        const response = await fetchImpl(endpoint.url, {
-          body: payload,
-          headers: {
-            "content-type": "application/json",
-            "webhook-id": envelope.id,
-            "webhook-signature": signature,
-            "webhook-timestamp": timestamp
-          },
-          method: "POST",
-          signal: AbortSignal.timeout(timeoutMs)
-        });
-        if (!response.ok) {
-          throw new Error(`Webhook delivery returned ${response.status}`);
-        }
-      } catch (error) {
-        await onDeliveryError?.({
-          endpoint,
-          error,
-          event: envelope
-        });
-      }
+    await Promise.all(endpoints.filter((endpoint) => endpoint.events === undefined || endpoint.events.includes(event.type)).map(async (endpoint) => {
+      const signature = await signWebhook({
+        id: envelope.id,
+        payload,
+        secret: endpoint.secret,
+        timestamp
+      });
+      await deliverToEndpoint({
+        deliveryStore,
+        endpoint,
+        envelope,
+        fetchImpl,
+        onDeliveryError,
+        payload,
+        retry: effectiveRetry,
+        signature,
+        sleep,
+        timeoutMs,
+        timestamp
+      });
     }));
   };
   return dispatch;
@@ -19646,6 +20096,33 @@ var createInMemoryAuthorizationCodeStore = () => {
     }
   };
 };
+var createInMemoryDeviceAuthorizationStore = () => {
+  const byDeviceCode = new Map;
+  return {
+    deleteByDeviceCodeHash: async (deviceCodeHash) => {
+      byDeviceCode.delete(deviceCodeHash);
+    },
+    findByDeviceCodeHash: async (deviceCodeHash) => byDeviceCode.get(deviceCodeHash),
+    findByUserCode: async (userCode) => {
+      for (const record of byDeviceCode.values()) {
+        if (record.userCode === userCode)
+          return record;
+      }
+      return;
+    },
+    saveDeviceAuthorization: async (deviceAuthorization) => {
+      byDeviceCode.set(deviceAuthorization.deviceCodeHash, {
+        ...deviceAuthorization
+      });
+    },
+    updateStatus: async (deviceCodeHash, status, userSub) => {
+      const record = byDeviceCode.get(deviceCodeHash);
+      if (!record)
+        return;
+      byDeviceCode.set(deviceCodeHash, { ...record, status, userSub });
+    }
+  };
+};
 var createInMemoryOAuthClientStore = (clients) => {
   const registry = new Map(clients.map((client) => [client.clientId, client]));
   return {
@@ -19666,6 +20143,7 @@ var createInMemoryOidcRefreshTokenStore = () => {
           tokens.delete(hash);
       }
     },
+    getToken: async (tokenHash) => tokens.get(tokenHash),
     saveToken: async (token) => {
       tokens.set(token.tokenHash, { ...token });
     }
@@ -19693,6 +20171,19 @@ var oauthCodesTable = pgTable("auth_oauth_codes", {
   scopes: text("scopes").array().notNull(),
   user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
 });
+var oauthDeviceAuthorizationsTable = pgTable("auth_oauth_device_authorizations", {
+  client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  device_code_hash: varchar("device_code_hash", {
+    length: ID_LENGTH7
+  }).primaryKey(),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  interval_seconds: bigint("interval_seconds", { mode: "number" }).notNull(),
+  scopes: text("scopes").array().notNull(),
+  status: varchar("status", { length: 16 }).notNull(),
+  user_code: varchar("user_code", { length: 16 }).notNull().unique(),
+  user_sub: varchar("user_sub", { length: ID_LENGTH7 })
+});
 var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   claims_json: jsonb("claims_json").$type(),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
@@ -19736,6 +20227,17 @@ var toCodeValues = (code) => ({
   scopes: code.scopes,
   user_id: code.userId
 });
+var toDeviceAuth = (row) => ({
+  clientId: row.client_id,
+  createdAt: row.created_at_ms,
+  deviceCodeHash: row.device_code_hash,
+  expiresAt: row.expires_at_ms,
+  intervalSeconds: row.interval_seconds,
+  scopes: row.scopes,
+  status: row.status,
+  userCode: row.user_code,
+  userSub: row.user_sub ?? undefined
+});
 var toRefresh = (row) => ({
   claims: row.claims_json ?? undefined,
   clientId: row.client_id,
@@ -19757,6 +20259,7 @@ var toRefreshValues = (token) => ({
   user_id: token.userId
 });
 var createNeonAuthorizationCodeStore = (databaseUrl) => createPostgresAuthorizationCodeStore(createNeonDatabase(databaseUrl));
+var createNeonDeviceAuthorizationStore = (databaseUrl) => createPostgresDeviceAuthorizationStore(createNeonDatabase(databaseUrl));
 var createNeonOAuthClientStore = (databaseUrl) => createPostgresOAuthClientStore(createNeonDatabase(databaseUrl));
 var createNeonOidcRefreshTokenStore = (databaseUrl) => createPostgresOidcRefreshTokenStore(createNeonDatabase(databaseUrl));
 var createPostgresAuthorizationCodeStore = (db) => ({
@@ -19768,6 +20271,35 @@ var createPostgresAuthorizationCodeStore = (db) => ({
     await db.insert(oauthCodesTable).values(toCodeValues(code));
   }
 });
+var createPostgresDeviceAuthorizationStore = (db) => ({
+  deleteByDeviceCodeHash: async (deviceCodeHash) => {
+    await db.delete(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
+  },
+  findByDeviceCodeHash: async (deviceCodeHash) => {
+    const [row] = await db.select().from(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash)).limit(1);
+    return row ? toDeviceAuth(row) : undefined;
+  },
+  findByUserCode: async (userCode) => {
+    const [row] = await db.select().from(oauthDeviceAuthorizationsTable).where(eq(oauthDeviceAuthorizationsTable.user_code, userCode)).limit(1);
+    return row ? toDeviceAuth(row) : undefined;
+  },
+  saveDeviceAuthorization: async (deviceAuthorization) => {
+    await db.insert(oauthDeviceAuthorizationsTable).values({
+      client_id: deviceAuthorization.clientId,
+      created_at_ms: deviceAuthorization.createdAt,
+      device_code_hash: deviceAuthorization.deviceCodeHash,
+      expires_at_ms: deviceAuthorization.expiresAt,
+      interval_seconds: deviceAuthorization.intervalSeconds,
+      scopes: deviceAuthorization.scopes,
+      status: deviceAuthorization.status,
+      user_code: deviceAuthorization.userCode,
+      user_sub: deviceAuthorization.userSub ?? null
+    });
+  },
+  updateStatus: async (deviceCodeHash, status, userSub) => {
+    await db.update(oauthDeviceAuthorizationsTable).set({ status, user_sub: userSub ?? null }).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
+  }
+});
 var createPostgresOAuthClientStore = (db) => ({
   findClient: async (clientId) => {
     const [row] = await db.select().from(oauthClientsTable).where(eq(oauthClientsTable.client_id, clientId)).limit(1);
@@ -19782,6 +20314,10 @@ var createPostgresOidcRefreshTokenStore = (db) => ({
   deleteForUser: async (userId) => {
     await db.delete(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.user_id, userId));
   },
+  getToken: async (tokenHash) => {
+    const [row] = await db.select().from(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.token_hash, tokenHash)).limit(1);
+    return row ? toRefresh(row) : undefined;
+  },
   saveToken: async (token) => {
     await db.insert(oauthRefreshTokensTable).values(toRefreshValues(token));
   }
@@ -20914,6 +21450,62 @@ var createPostgresPasswordlessTokenStore = (db) => ({
     });
   }
 });
+// src/webhooks/inMemoryStore.ts
+var DEFAULT_LIST_LIMIT = 100;
+var createInMemoryWebhookDeliveryStore = () => {
+  const failures = new Map;
+  return {
+    listFailed: async (limit = DEFAULT_LIST_LIMIT) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
+    recordFailure: async (delivery) => {
+      failures.set(delivery.envelope.id, delivery);
+    },
+    removeFailure: async (envelopeId) => {
+      failures.delete(envelopeId);
+    }
+  };
+};
+// src/webhooks/postgresStore.ts
+var ID_LENGTH15 = 255;
+var URL_LENGTH = 2048;
+var DEFAULT_LIST_LIMIT2 = 100;
+var webhookDeliveriesTable = pgTable("auth_webhook_deliveries", {
+  attempts: bigint("attempts", { mode: "number" }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH }).notNull(),
+  envelope_id: varchar("envelope_id", { length: ID_LENGTH15 }).primaryKey(),
+  envelope_json: jsonb("envelope_json").$type().notNull(),
+  last_error: text("last_error"),
+  last_status: bigint("last_status", { mode: "number" })
+});
+var toDelivery = (row) => ({
+  attempts: row.attempts,
+  createdAt: row.created_at_ms,
+  endpointUrl: row.endpoint_url,
+  envelope: row.envelope_json,
+  lastError: row.last_error ?? undefined,
+  lastStatus: row.last_status ?? undefined
+});
+var createNeonWebhookDeliveryStore = (databaseUrl) => createPostgresWebhookDeliveryStore(createNeonDatabase(databaseUrl));
+var createPostgresWebhookDeliveryStore = (db) => ({
+  listFailed: async (limit = DEFAULT_LIST_LIMIT2) => {
+    const rows = await db.select().from(webhookDeliveriesTable).orderBy(desc(webhookDeliveriesTable.created_at_ms)).limit(limit);
+    return rows.map(toDelivery);
+  },
+  recordFailure: async (delivery) => {
+    await db.insert(webhookDeliveriesTable).values({
+      attempts: delivery.attempts,
+      created_at_ms: delivery.createdAt,
+      endpoint_url: delivery.endpointUrl,
+      envelope_id: delivery.envelope.id,
+      envelope_json: delivery.envelope,
+      last_error: delivery.lastError ?? null,
+      last_status: delivery.lastStatus ?? null
+    });
+  },
+  removeFailure: async (envelopeId) => {
+    await db.delete(webhookDeliveriesTable).where(eq(webhookDeliveriesTable.envelope_id, envelopeId));
+  }
+});
 // src/portal/inMemorySetupSessionStore.ts
 var cloneSession = (value) => ({
   ...value,
@@ -20935,19 +21527,19 @@ var createInMemorySetupSessionStore = () => {
   };
 };
 // src/portal/postgresSetupSessionStore.ts
-var ID_LENGTH15 = 255;
+var ID_LENGTH16 = 255;
 var setupSessionsTable = pgTable("auth_setup_sessions", {
   capabilities: jsonb("capabilities").$type().notNull().default([]),
   created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
-  created_by: varchar("created_by", { length: ID_LENGTH15 }),
+  created_by: varchar("created_by", { length: ID_LENGTH16 }),
   expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
   organization_id: varchar("organization_id", {
-    length: ID_LENGTH15
+    length: ID_LENGTH16
   }).notNull(),
   setup_session_id: varchar("setup_session_id", {
-    length: ID_LENGTH15
+    length: ID_LENGTH16
   }).primaryKey(),
-  token_hash: varchar("token_hash", { length: ID_LENGTH15 }).notNull().unique()
+  token_hash: varchar("token_hash", { length: ID_LENGTH16 }).notNull().unique()
 });
 var toSession = (row) => ({
   capabilities: row.capabilities,
@@ -21138,6 +21730,7 @@ var auth = async ({
 };
 export {
   writeWarrant,
+  webhookDeliveriesTable,
   webauthnRoutes,
   webauthnCredentialsTable,
   warrantsTable,
@@ -21182,6 +21775,7 @@ export {
   rolesTable,
   roleRoutes,
   revokeUserSessions,
+  revokeRefreshToken,
   revocableProviderOptions,
   resolveSetupSession,
   resolveScimOrganization,
@@ -21213,6 +21807,7 @@ export {
   oidcProviderRoutes,
   oidcProviderOptions,
   oauthRefreshTokensTable,
+  oauthDeviceAuthorizationsTable,
   oauthCodesTable,
   oauthClientsTable,
   mfaTotpRoutes,
@@ -21230,6 +21825,7 @@ export {
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
+  issueDeviceAuthorization,
   isValidUser,
   isValidProviderOption,
   isUserSessionId,
@@ -21246,6 +21842,7 @@ export {
   isAuthIntent,
   isAnonymousSession,
   inviteToOrganization,
+  introspectToken,
   instantiateUserSession,
   hashToken,
   hashPassword,
@@ -21264,11 +21861,13 @@ export {
   extractPropFromIdentity,
   exportAuditCsv,
   exchangeToken,
+  exchangeDeviceCode,
   exchangeClientCredentials,
   evaluatePassword,
   endImpersonation,
   encryptTotpSecret,
   encryptSecret,
+  denyDeviceAuthorization,
   deleteWarrant,
   defineProvidersConfiguration,
   defineAuthSettings,
@@ -21297,6 +21896,7 @@ export {
   createRiskEngine,
   createRedisLockoutStore,
   createRedisAuthSessionStore,
+  createPostgresWebhookDeliveryStore,
   createPostgresWebAuthnCredentialStore,
   createPostgresWarrantStore,
   createPostgresVaultStore,
@@ -21312,6 +21912,7 @@ export {
   createPostgresLoginHistoryStore,
   createPostgresLockoutStore,
   createPostgresKnownDeviceStore,
+  createPostgresDeviceAuthorizationStore,
   createPostgresCredentialStore,
   createPostgresAuthorizationCodeStore,
   createPostgresAuditSink,
@@ -21320,6 +21921,7 @@ export {
   createPostgresAccessTokenStore,
   createOrganization,
   createOAuthLinkedProviderCredentialResolver,
+  createNeonWebhookDeliveryStore,
   createNeonWebAuthnCredentialStore,
   createNeonWarrantStore,
   createNeonVaultStore,
@@ -21337,6 +21939,7 @@ export {
   createNeonLockoutStore,
   createNeonLinkedProviderStores,
   createNeonKnownDeviceStore,
+  createNeonDeviceAuthorizationStore,
   createNeonDatabase,
   createNeonCredentialStore,
   createNeonAuthorizationCodeStore,
@@ -21349,6 +21952,7 @@ export {
   createMembershipPermissionResolver,
   createLockoutGuard,
   createLinkedProviderCredentialResolver,
+  createInMemoryWebhookDeliveryStore,
   createInMemoryWebAuthnCredentialStore,
   createInMemoryWarrantStore,
   createInMemoryVaultStore,
@@ -21365,6 +21969,7 @@ export {
   createInMemoryLockoutStore,
   createInMemoryLinkedProviderStores,
   createInMemoryKnownDeviceStore,
+  createInMemoryDeviceAuthorizationStore,
   createInMemoryCredentialStore,
   createInMemoryCheckCache,
   createInMemoryAuthorizationCodeStore,
@@ -21396,6 +22001,7 @@ export {
   auditEventsTable,
   assessRisk,
   assessAbuse,
+  approveDeviceAuthorization,
   apiKeysTable,
   apiKeysRoutes,
   apiClientsTable,
@@ -21404,6 +22010,7 @@ export {
   acceptInvitation,
   WEBAUTHN_CHALLENGE_COOKIE,
   DEFAULT_WEBHOOK_TIMEOUT_MS,
+  DEFAULT_WEBHOOK_RETRY,
   DEFAULT_WEBAUTHN_SESSION_TTL_MS,
   DEFAULT_WEBAUTHN_ROUTE,
   DEFAULT_WEBAUTHN_CHALLENGE_TTL_MS,
@@ -21432,5 +22039,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=CE0246297ACE345E64756E2164756E21
+//# debugId=451C9751C02E5E2164756E2164756E21
 //# sourceMappingURL=index.js.map