npm - @absolutejs/auth - Versions diffs - 0.28.0 → 0.29.0-beta.1 - Mend

@absolutejs/auth 0.28.0 → 0.29.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/index.d.ts +58 -3
package/dist/index.js +524 -35
package/dist/index.js.map +13 -10
package/dist/oidc/config.d.ts +2 -1
package/dist/oidc/inMemoryStores.d.ts +2 -1
package/dist/oidc/logout.d.ts +38 -0
package/dist/oidc/postgresStores.d.ts +233 -1
package/dist/oidc/routes.d.ts +53 -1
package/dist/oidc/types.d.ts +19 -0
package/dist/webhooks/config.d.ts +14 -1
package/dist/webhooks/dispatcher.d.ts +1 -1
package/dist/webhooks/inMemoryStore.d.ts +2 -0
package/dist/webhooks/postgresStore.d.ts +136 -0
package/dist/webhooks/types.d.ts +14 -0
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -4496,6 +4496,138 @@ var verifyDpopProof = async ({
   return { jkt: await jwkThumbprint(header.jwk), jti };
 };
+// src/oidc/logout.ts
+var BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
+var buildLogoutClaims = ({
+  clientId,
+  issuer,
+  now,
+  sub
+}) => ({
+  aud: clientId,
+  events: { [BACKCHANNEL_LOGOUT_EVENT]: {} },
+  iat: Math.floor(now / MILLISECONDS_IN_A_SECOND),
+  iss: issuer,
+  jti: crypto.randomUUID(),
+  sub
+});
+var resolvePostLogoutRedirect = ({
+  client,
+  requestedUri
+}) => {
+  if (requestedUri === undefined)
+    return;
+  const allow = client.postLogoutRedirectUris ?? [];
+  return allow.includes(requestedUri) ? requestedUri : undefined;
+};
+var verifyIdTokenHint = async ({
+  config,
+  idTokenHint
+}) => {
+  const verified = await verifyJwt(idTokenHint, config.signingKey.publicJwk);
+  const payload = verified?.payload;
+  if (payload === undefined || typeof payload.sub !== "string" || typeof payload.aud !== "string" || payload.iss !== config.issuer) {
+    return;
+  }
+  return { audClientId: payload.aud, sub: payload.sub };
+};
+var BACKCHANNEL_TIMEOUT_SECONDS = 5;
+var DEFAULT_BACKCHANNEL_TIMEOUT_MS = BACKCHANNEL_TIMEOUT_SECONDS * MILLISECONDS_IN_A_SECOND;
+var errorMessage = (error) => error instanceof Error ? error.message : String(error);
+var statusFromError = (error) => {
+  if (!(error instanceof Error))
+    return;
+  const match = /returned (\d+)/.exec(error.message);
+  return match?.[1] === undefined ? undefined : Number(match[1]);
+};
+var mintLogoutToken = async ({
+  clientId,
+  config,
+  now = Date.now(),
+  sub
+}) => signJwt(buildLogoutClaims({ clientId, issuer: config.issuer, now, sub }), config.signingKey);
+var postLogoutToken = async ({
+  endpointUrl,
+  fetchImpl,
+  logoutToken,
+  timeoutMs
+}) => {
+  const response = await fetchImpl(endpointUrl, {
+    body: new URLSearchParams({ logout_token: logoutToken }).toString(),
+    headers: {
+      "content-type": "application/x-www-form-urlencoded"
+    },
+    method: "POST",
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!response.ok) {
+    throw new Error(`Back-channel logout returned ${response.status}`);
+  }
+};
+var deliverLogoutToOne = async ({
+  clientId,
+  config,
+  endpointUrl,
+  fetchImpl,
+  logoutToken,
+  onError,
+  timeoutMs,
+  userId
+}) => {
+  try {
+    await postLogoutToken({ endpointUrl, fetchImpl, logoutToken, timeoutMs });
+  } catch (error) {
+    const delivery = {
+      attempts: 1,
+      clientId,
+      createdAt: Date.now(),
+      endpointUrl,
+      id: crypto.randomUUID(),
+      lastError: errorMessage(error),
+      lastStatus: statusFromError(error),
+      logoutToken,
+      userId
+    };
+    await config.logoutDeliveryStore?.recordFailure(delivery);
+    await onError?.(delivery);
+  }
+};
+var fanOutBackchannelLogout = async ({
+  config,
+  fetchImpl = globalThis.fetch,
+  now = Date.now(),
+  onError,
+  skipClientId,
+  timeoutMs = DEFAULT_BACKCHANNEL_TIMEOUT_MS,
+  userId
+}) => {
+  const clientIds = await config.refreshTokenStore.listClientIdsForUser(userId);
+  const targets = await Promise.all(clientIds.filter((clientId) => clientId !== skipClientId).map(async (clientId) => {
+    const client = await config.clientStore.findClient(clientId);
+    return client?.backchannelLogoutUri === undefined ? undefined : { client, endpointUrl: client.backchannelLogoutUri };
+  }));
+  const reachable = targets.filter((target) => target !== undefined);
+  await Promise.all(reachable.map(async ({ client, endpointUrl }) => {
+    const logoutToken = await mintLogoutToken({
+      clientId: client.clientId,
+      config,
+      now,
+      sub: userId
+    });
+    await deliverLogoutToOne({
+      clientId: client.clientId,
+      config,
+      endpointUrl,
+      fetchImpl,
+      logoutToken,
+      onError,
+      timeoutMs,
+      userId
+    });
+  }));
+  return reachable.map(({ client }) => client.clientId);
+};
 // src/oidc/routes.ts
 var HTTP_OK2 = 200;
 var HTTP_BAD_REQUEST2 = 400;
@@ -4549,6 +4681,7 @@ var oidcProviderRoutes = (config) => {
   const revokeRoute = `${oidcRoute}/revoke`;
   const deviceAuthorizationRoute = `${oidcRoute}/device_authorization`;
   const deviceApproveRoute = `${oidcRoute}/device/decision`;
+  const endSessionRoute = `${oidcRoute}/end_session`;
   const tokenUrl = `${issuer}${oidcRoute}/token`;
   const authenticateClient = async (clientId, clientSecret) => {
     const client = await clientStore.findClient(clientId);
@@ -4692,8 +4825,11 @@ var oidcProviderRoutes = (config) => {
   }
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
+    backchannel_logout_session_supported: false,
+    backchannel_logout_supported: true,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
+    end_session_endpoint: `${issuer}${endSessionRoute}`,
     grant_types_supported: grantTypes,
     id_token_signing_alg_values_supported: ["ES256"],
     introspection_endpoint: `${issuer}${introspectRoute}`,
@@ -4712,6 +4848,47 @@ var oidcProviderRoutes = (config) => {
   if (config.deviceAuthorizationStore) {
     discovery.device_authorization_endpoint = `${issuer}${deviceAuthorizationRoute}`;
   }
+  const handleEndSession = async ({
+    cookie,
+    inMemorySession,
+    query
+  }) => {
+    const hint = query.id_token_hint === undefined ? undefined : await verifyIdTokenHint({
+      config,
+      idTokenHint: query.id_token_hint
+    });
+    const clientId = hint?.audClientId ?? query.client_id;
+    const client = clientId === undefined ? undefined : await config.clientStore.findClient(clientId);
+    const userSession = await loadSessionFromSource({
+      authSessionStore,
+      session: inMemorySession,
+      userSessionId: cookie.value
+    });
+    const resolvedSub = hint?.sub ?? (userSession === undefined ? undefined : getUserId(userSession.user));
+    await clearSession({
+      authSessionStore,
+      cookie,
+      inMemorySession
+    });
+    if (resolvedSub !== undefined) {
+      await fanOutBackchannelLogout({
+        config,
+        skipClientId: clientId,
+        userId: resolvedSub
+      });
+    }
+    const redirectUri = client === undefined ? undefined : resolvePostLogoutRedirect({
+      client,
+      requestedUri: query.post_logout_redirect_uri
+    });
+    if (redirectUri === undefined) {
+      return jsonResponse({ ok: true }, HTTP_OK2);
+    }
+    const url = new URL(redirectUri);
+    if (query.state !== undefined)
+      url.searchParams.set("state", query.state);
+    return redirectTo(url.toString());
+  };
   return new Elysia15().use(sessionStore()).get(authorizeRoute, async ({ cookie: { user_session_id }, query, request, store }) => {
     const {
       client_id: clientId,
@@ -4944,6 +5121,42 @@ var oidcProviderRoutes = (config) => {
     cookie: t12.Cookie({
       user_session_id: t12.Optional(userSessionIdTypebox)
     })
+  }).get(endSessionRoute, async ({
+    cookie: { user_session_id },
+    query,
+    store
+  }) => handleEndSession({
+    cookie: user_session_id,
+    inMemorySession: store.session,
+    query
+  }), {
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    }),
+    query: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      id_token_hint: t12.Optional(t12.String()),
+      post_logout_redirect_uri: t12.Optional(t12.String()),
+      state: t12.Optional(t12.String())
+    })
+  }).post(endSessionRoute, async ({
+    body,
+    cookie: { user_session_id },
+    store
+  }) => handleEndSession({
+    cookie: user_session_id,
+    inMemorySession: store.session,
+    query: body
+  }), {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      id_token_hint: t12.Optional(t12.String()),
+      post_logout_redirect_uri: t12.Optional(t12.String()),
+      state: t12.Optional(t12.String())
+    }),
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
@@ -7920,6 +8133,14 @@ var webauthnRoutes = ({
 // src/webhooks/config.ts
 var DEFAULT_TIMEOUT_SECONDS = 5;
+var DEFAULT_RETRY_ATTEMPTS = 3;
+var DEFAULT_RETRY_INITIAL_DELAY_MS = MILLISECONDS_IN_A_SECOND;
+var DEFAULT_RETRY_BACKOFF_MULTIPLIER = 2;
+var DEFAULT_WEBHOOK_RETRY = {
+  attempts: DEFAULT_RETRY_ATTEMPTS,
+  backoffMultiplier: DEFAULT_RETRY_BACKOFF_MULTIPLIER,
+  initialDelayMs: DEFAULT_RETRY_INITIAL_DELAY_MS
+};
 var DEFAULT_WEBHOOK_TIMEOUT_MS = MILLISECONDS_IN_A_SECOND * DEFAULT_TIMEOUT_SECONDS;
 // src/webhooks/sign.ts
@@ -7952,12 +8173,145 @@ var verifyWebhookSignature = async ({
 };
 // src/webhooks/dispatcher.ts
+var defaultSleep = (delayMs) => new Promise((resolve) => setTimeout(resolve, delayMs));
+var attemptOnce = async ({
+  envelope,
+  endpoint,
+  fetchImpl,
+  payload,
+  signature,
+  timeoutMs,
+  timestamp
+}) => {
+  const response = await fetchImpl(endpoint.url, {
+    body: payload,
+    headers: {
+      "content-type": "application/json",
+      "webhook-id": envelope.id,
+      "webhook-signature": signature,
+      "webhook-timestamp": timestamp
+    },
+    method: "POST",
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!response.ok) {
+    throw new Error(`Webhook delivery returned ${response.status}`);
+  }
+  return response.status;
+};
+var errorMessage2 = (error) => error instanceof Error ? error.message : String(error);
+var statusFromError2 = (error) => {
+  if (!(error instanceof Error))
+    return;
+  const match = /returned (\d+)/.exec(error.message);
+  return match?.[1] === undefined ? undefined : Number(match[1]);
+};
+var persistFailure = async ({
+  attempts,
+  deliveryStore,
+  endpoint,
+  envelope,
+  lastError
+}) => {
+  if (deliveryStore === undefined)
+    return;
+  const record = {
+    attempts,
+    createdAt: Date.now(),
+    endpointUrl: endpoint.url,
+    envelope,
+    lastError: errorMessage2(lastError),
+    lastStatus: statusFromError2(lastError)
+  };
+  await deliveryStore.recordFailure(record);
+};
+var tryDeliverThenBackoff = async ({
+  attempt,
+  endpoint,
+  envelope,
+  fetchImpl,
+  payload,
+  retry,
+  signature,
+  sleep,
+  timeoutMs,
+  timestamp
+}) => {
+  try {
+    await attemptOnce({
+      endpoint,
+      envelope,
+      fetchImpl,
+      payload,
+      signature,
+      timeoutMs,
+      timestamp
+    });
+    return;
+  } catch (error) {
+    const isLastAttempt = attempt >= retry.attempts - 1;
+    await (isLastAttempt ? Promise.resolve() : sleep(retry.initialDelayMs * retry.backoffMultiplier ** attempt));
+    return error;
+  }
+};
+var deliverToEndpoint = async ({
+  deliveryStore,
+  endpoint,
+  envelope,
+  fetchImpl,
+  onDeliveryError,
+  payload,
+  retry,
+  signature,
+  sleep,
+  timeoutMs,
+  timestamp
+}) => {
+  let lastError;
+  for (let attempt = 0;attempt < retry.attempts; attempt++) {
+    const error = await tryDeliverThenBackoff({
+      attempt,
+      endpoint,
+      envelope,
+      fetchImpl,
+      payload,
+      retry,
+      signature,
+      sleep,
+      timeoutMs,
+      timestamp
+    });
+    if (error === undefined)
+      return;
+    lastError = error;
+  }
+  await onDeliveryError?.({
+    endpoint,
+    error: lastError,
+    event: envelope
+  });
+  await persistFailure({
+    attempts: retry.attempts,
+    deliveryStore,
+    endpoint,
+    envelope,
+    lastError
+  });
+};
 var createWebhookDispatcher = ({
+  deliveryStore,
   endpoints,
   fetch: fetchImpl = globalThis.fetch,
   onDeliveryError,
+  retry,
+  sleep = defaultSleep,
   timeoutMs = DEFAULT_WEBHOOK_TIMEOUT_MS
 }) => {
+  const effectiveRetry = {
+    attempts: retry?.attempts ?? DEFAULT_WEBHOOK_RETRY.attempts,
+    backoffMultiplier: retry?.backoffMultiplier ?? DEFAULT_WEBHOOK_RETRY.backoffMultiplier,
+    initialDelayMs: retry?.initialDelayMs ?? DEFAULT_WEBHOOK_RETRY.initialDelayMs
+  };
   const dispatch = async (event) => {
     const envelope = {
       createdAt: Date.now(),
@@ -7967,35 +8321,26 @@ var createWebhookDispatcher = ({
     };
     const payload = JSON.stringify(envelope);
     const timestamp = Math.floor(Date.now() / MILLISECONDS_IN_A_SECOND).toString();
-    await Promise.all(endpoints.map(async (endpoint) => {
-      try {
-        const signature = await signWebhook({
-          id: envelope.id,
-          payload,
-          secret: endpoint.secret,
-          timestamp
-        });
-        const response = await fetchImpl(endpoint.url, {
-          body: payload,
-          headers: {
-            "content-type": "application/json",
-            "webhook-id": envelope.id,
-            "webhook-signature": signature,
-            "webhook-timestamp": timestamp
-          },
-          method: "POST",
-          signal: AbortSignal.timeout(timeoutMs)
-        });
-        if (!response.ok) {
-          throw new Error(`Webhook delivery returned ${response.status}`);
-        }
-      } catch (error) {
-        await onDeliveryError?.({
-          endpoint,
-          error,
-          event: envelope
-        });
-      }
+    await Promise.all(endpoints.filter((endpoint) => endpoint.events === undefined || endpoint.events.includes(event.type)).map(async (endpoint) => {
+      const signature = await signWebhook({
+        id: envelope.id,
+        payload,
+        secret: endpoint.secret,
+        timestamp
+      });
+      await deliverToEndpoint({
+        deliveryStore,
+        endpoint,
+        envelope,
+        fetchImpl,
+        onDeliveryError,
+        payload,
+        retry: effectiveRetry,
+        signature,
+        sleep,
+        timeoutMs,
+        timestamp
+      });
     }));
   };
   return dispatch;
@@ -19951,6 +20296,7 @@ var createPostgresApiKeyStore = (db) => ({
   }
 });
 // src/oidc/inMemoryStores.ts
+var DEFAULT_LIST_LIMIT = 100;
 var createInMemoryAuthorizationCodeStore = () => {
   const codes = new Map;
   return {
@@ -19991,6 +20337,18 @@ var createInMemoryDeviceAuthorizationStore = () => {
     }
   };
 };
+var createInMemoryLogoutDeliveryStore = () => {
+  const failures = new Map;
+  return {
+    listFailed: async (limit = DEFAULT_LIST_LIMIT) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
+    recordFailure: async (delivery) => {
+      failures.set(delivery.id, delivery);
+    },
+    removeFailure: async (deliveryId) => {
+      failures.delete(deliveryId);
+    }
+  };
+};
 var createInMemoryOAuthClientStore = (clients) => {
   const registry = new Map(clients.map((client) => [client.clientId, client]));
   return {
@@ -20012,17 +20370,28 @@ var createInMemoryOidcRefreshTokenStore = () => {
       }
     },
     getToken: async (tokenHash) => tokens.get(tokenHash),
+    listClientIdsForUser: async (userId) => {
+      const now = Date.now();
+      const active = Array.from(tokens.values()).filter((token) => token.userId === userId && token.expiresAt > now);
+      return Array.from(new Set(active.map((token) => token.clientId)));
+    },
     saveToken: async (token) => {
       tokens.set(token.tokenHash, { ...token });
     }
   };
 };
 // src/oidc/postgresStores.ts
+var URL_LENGTH = 2048;
+var DEFAULT_LIST_LIMIT2 = 100;
 var ID_LENGTH7 = 255;
 var oauthClientsTable = pgTable("auth_oauth_clients", {
+  backchannel_logout_uri: varchar("backchannel_logout_uri", {
+    length: URL_LENGTH
+  }),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).primaryKey(),
   hashed_secret: varchar("hashed_secret", { length: ID_LENGTH7 }),
   name: varchar("name", { length: ID_LENGTH7 }).notNull(),
+  post_logout_redirect_uris: text("post_logout_redirect_uris").array(),
   redirect_uris: text("redirect_uris").array().notNull(),
   scopes: text("scopes").array().notNull()
 });
@@ -20052,6 +20421,17 @@ var oauthDeviceAuthorizationsTable = pgTable("auth_oauth_device_authorizations",
   user_code: varchar("user_code", { length: 16 }).notNull().unique(),
   user_sub: varchar("user_sub", { length: ID_LENGTH7 })
 });
+var oauthLogoutDeliveriesTable = pgTable("auth_oauth_logout_deliveries", {
+  attempts: bigint("attempts", { mode: "number" }).notNull(),
+  client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH }).notNull(),
+  id: varchar("id", { length: ID_LENGTH7 }).primaryKey(),
+  last_error: text("last_error"),
+  last_status: bigint("last_status", { mode: "number" }),
+  logout_token: text("logout_token").notNull(),
+  user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
+});
 var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   claims_json: jsonb("claims_json").$type(),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
@@ -20063,12 +20443,25 @@ var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
 });
 var toClient2 = (row) => ({
+  backchannelLogoutUri: row.backchannel_logout_uri ?? undefined,
   clientId: row.client_id,
   hashedSecret: row.hashed_secret ?? undefined,
   name: row.name,
+  postLogoutRedirectUris: row.post_logout_redirect_uris ?? undefined,
   redirectUris: row.redirect_uris,
   scopes: row.scopes
 });
+var toLogoutDelivery = (row) => ({
+  attempts: row.attempts,
+  clientId: row.client_id,
+  createdAt: row.created_at_ms,
+  endpointUrl: row.endpoint_url,
+  id: row.id,
+  lastError: row.last_error ?? undefined,
+  lastStatus: row.last_status ?? undefined,
+  logoutToken: row.logout_token,
+  userId: row.user_id
+});
 var toCode = (row) => ({
   claims: row.claims_json ?? undefined,
   clientId: row.client_id,
@@ -20128,6 +20521,7 @@ var toRefreshValues = (token) => ({
 });
 var createNeonAuthorizationCodeStore = (databaseUrl) => createPostgresAuthorizationCodeStore(createNeonDatabase(databaseUrl));
 var createNeonDeviceAuthorizationStore = (databaseUrl) => createPostgresDeviceAuthorizationStore(createNeonDatabase(databaseUrl));
+var createNeonLogoutDeliveryStore = (databaseUrl) => createPostgresLogoutDeliveryStore(createNeonDatabase(databaseUrl));
 var createNeonOAuthClientStore = (databaseUrl) => createPostgresOAuthClientStore(createNeonDatabase(databaseUrl));
 var createNeonOidcRefreshTokenStore = (databaseUrl) => createPostgresOidcRefreshTokenStore(createNeonDatabase(databaseUrl));
 var createPostgresAuthorizationCodeStore = (db) => ({
@@ -20168,6 +20562,28 @@ var createPostgresDeviceAuthorizationStore = (db) => ({
     await db.update(oauthDeviceAuthorizationsTable).set({ status, user_sub: userSub ?? null }).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
   }
 });
+var createPostgresLogoutDeliveryStore = (db) => ({
+  listFailed: async (limit = DEFAULT_LIST_LIMIT2) => {
+    const rows = await db.select().from(oauthLogoutDeliveriesTable).orderBy(desc(oauthLogoutDeliveriesTable.created_at_ms)).limit(limit);
+    return rows.map(toLogoutDelivery);
+  },
+  recordFailure: async (delivery) => {
+    await db.insert(oauthLogoutDeliveriesTable).values({
+      attempts: delivery.attempts,
+      client_id: delivery.clientId,
+      created_at_ms: delivery.createdAt,
+      endpoint_url: delivery.endpointUrl,
+      id: delivery.id,
+      last_error: delivery.lastError ?? null,
+      last_status: delivery.lastStatus ?? null,
+      logout_token: delivery.logoutToken,
+      user_id: delivery.userId
+    });
+  },
+  removeFailure: async (deliveryId) => {
+    await db.delete(oauthLogoutDeliveriesTable).where(eq(oauthLogoutDeliveriesTable.id, deliveryId));
+  }
+});
 var createPostgresOAuthClientStore = (db) => ({
   findClient: async (clientId) => {
     const [row] = await db.select().from(oauthClientsTable).where(eq(oauthClientsTable.client_id, clientId)).limit(1);
@@ -20186,6 +20602,10 @@ var createPostgresOidcRefreshTokenStore = (db) => ({
     const [row] = await db.select().from(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.token_hash, tokenHash)).limit(1);
     return row ? toRefresh(row) : undefined;
   },
+  listClientIdsForUser: async (userId) => {
+    const rows = await db.selectDistinct({ client_id: oauthRefreshTokensTable.client_id }).from(oauthRefreshTokensTable).where(and(eq(oauthRefreshTokensTable.user_id, userId), gt(oauthRefreshTokensTable.expires_at_ms, Date.now())));
+    return rows.map((row) => row.client_id);
+  },
   saveToken: async (token) => {
     await db.insert(oauthRefreshTokensTable).values(toRefreshValues(token));
   }
@@ -21318,6 +21738,62 @@ var createPostgresPasswordlessTokenStore = (db) => ({
     });
   }
 });
+// src/webhooks/inMemoryStore.ts
+var DEFAULT_LIST_LIMIT3 = 100;
+var createInMemoryWebhookDeliveryStore = () => {
+  const failures = new Map;
+  return {
+    listFailed: async (limit = DEFAULT_LIST_LIMIT3) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
+    recordFailure: async (delivery) => {
+      failures.set(delivery.envelope.id, delivery);
+    },
+    removeFailure: async (envelopeId) => {
+      failures.delete(envelopeId);
+    }
+  };
+};
+// src/webhooks/postgresStore.ts
+var ID_LENGTH15 = 255;
+var URL_LENGTH2 = 2048;
+var DEFAULT_LIST_LIMIT4 = 100;
+var webhookDeliveriesTable = pgTable("auth_webhook_deliveries", {
+  attempts: bigint("attempts", { mode: "number" }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH2 }).notNull(),
+  envelope_id: varchar("envelope_id", { length: ID_LENGTH15 }).primaryKey(),
+  envelope_json: jsonb("envelope_json").$type().notNull(),
+  last_error: text("last_error"),
+  last_status: bigint("last_status", { mode: "number" })
+});
+var toDelivery = (row) => ({
+  attempts: row.attempts,
+  createdAt: row.created_at_ms,
+  endpointUrl: row.endpoint_url,
+  envelope: row.envelope_json,
+  lastError: row.last_error ?? undefined,
+  lastStatus: row.last_status ?? undefined
+});
+var createNeonWebhookDeliveryStore = (databaseUrl) => createPostgresWebhookDeliveryStore(createNeonDatabase(databaseUrl));
+var createPostgresWebhookDeliveryStore = (db) => ({
+  listFailed: async (limit = DEFAULT_LIST_LIMIT4) => {
+    const rows = await db.select().from(webhookDeliveriesTable).orderBy(desc(webhookDeliveriesTable.created_at_ms)).limit(limit);
+    return rows.map(toDelivery);
+  },
+  recordFailure: async (delivery) => {
+    await db.insert(webhookDeliveriesTable).values({
+      attempts: delivery.attempts,
+      created_at_ms: delivery.createdAt,
+      endpoint_url: delivery.endpointUrl,
+      envelope_id: delivery.envelope.id,
+      envelope_json: delivery.envelope,
+      last_error: delivery.lastError ?? null,
+      last_status: delivery.lastStatus ?? null
+    });
+  },
+  removeFailure: async (envelopeId) => {
+    await db.delete(webhookDeliveriesTable).where(eq(webhookDeliveriesTable.envelope_id, envelopeId));
+  }
+});
 // src/portal/inMemorySetupSessionStore.ts
 var cloneSession = (value) => ({
   ...value,
@@ -21339,19 +21815,19 @@ var createInMemorySetupSessionStore = () => {
   };
 };
 // src/portal/postgresSetupSessionStore.ts
-var ID_LENGTH15 = 255;
+var ID_LENGTH16 = 255;
 var setupSessionsTable = pgTable("auth_setup_sessions", {
   capabilities: jsonb("capabilities").$type().notNull().default([]),
   created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
-  created_by: varchar("created_by", { length: ID_LENGTH15 }),
+  created_by: varchar("created_by", { length: ID_LENGTH16 }),
   expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
   organization_id: varchar("organization_id", {
-    length: ID_LENGTH15
+    length: ID_LENGTH16
   }).notNull(),
   setup_session_id: varchar("setup_session_id", {
-    length: ID_LENGTH15
+    length: ID_LENGTH16
   }).primaryKey(),
-  token_hash: varchar("token_hash", { length: ID_LENGTH15 }).notNull().unique()
+  token_hash: varchar("token_hash", { length: ID_LENGTH16 }).notNull().unique()
 });
 var toSession = (row) => ({
   capabilities: row.capabilities,
@@ -21542,6 +22018,7 @@ var auth = async ({
 };
 export {
   writeWarrant,
+  webhookDeliveriesTable,
   webauthnRoutes,
   webauthnCredentialsTable,
   warrantsTable,
@@ -21553,6 +22030,7 @@ export {
   verifyPkce,
   verifyPassword,
   verifyJwt,
+  verifyIdTokenHint,
   verifyHcaptcha,
   verifyDpopProof,
   verifyAuditChain,
@@ -21591,6 +22069,7 @@ export {
   resolveSetupSession,
   resolveScimOrganization,
   resolveProviderClientConfiguration,
+  resolvePostLogoutRedirect,
   resolvePermissions,
   resolveOAuthTokenExpiresAt,
   resolveOAuthAuthorization,
@@ -21618,9 +22097,11 @@ export {
   oidcProviderRoutes,
   oidcProviderOptions,
   oauthRefreshTokensTable,
+  oauthLogoutDeliveriesTable,
   oauthDeviceAuthorizationsTable,
   oauthCodesTable,
   oauthClientsTable,
+  mintLogoutToken,
   mfaTotpRoutes,
   mfaRoutes,
   mfaEnrollmentsTable,
@@ -21669,6 +22150,7 @@ export {
   generateEncryptionKey,
   generateBackupCodes,
   fingerprintDevice,
+  fanOutBackchannelLogout,
   extractPropFromIdentity,
   exportAuditCsv,
   exchangeToken,
@@ -21707,6 +22189,7 @@ export {
   createRiskEngine,
   createRedisLockoutStore,
   createRedisAuthSessionStore,
+  createPostgresWebhookDeliveryStore,
   createPostgresWebAuthnCredentialStore,
   createPostgresWarrantStore,
   createPostgresVaultStore,
@@ -21719,6 +22202,7 @@ export {
   createPostgresOidcRefreshTokenStore,
   createPostgresOAuthClientStore,
   createPostgresMfaStore,
+  createPostgresLogoutDeliveryStore,
   createPostgresLoginHistoryStore,
   createPostgresLockoutStore,
   createPostgresKnownDeviceStore,
@@ -21731,6 +22215,7 @@ export {
   createPostgresAccessTokenStore,
   createOrganization,
   createOAuthLinkedProviderCredentialResolver,
+  createNeonWebhookDeliveryStore,
   createNeonWebAuthnCredentialStore,
   createNeonWarrantStore,
   createNeonVaultStore,
@@ -21744,6 +22229,7 @@ export {
   createNeonOAuthLinkedProviderCredentialResolver,
   createNeonOAuthClientStore,
   createNeonMfaStore,
+  createNeonLogoutDeliveryStore,
   createNeonLoginHistoryStore,
   createNeonLockoutStore,
   createNeonLinkedProviderStores,
@@ -21761,6 +22247,7 @@ export {
   createMembershipPermissionResolver,
   createLockoutGuard,
   createLinkedProviderCredentialResolver,
+  createInMemoryWebhookDeliveryStore,
   createInMemoryWebAuthnCredentialStore,
   createInMemoryWarrantStore,
   createInMemoryVaultStore,
@@ -21773,6 +22260,7 @@ export {
   createInMemoryOidcRefreshTokenStore,
   createInMemoryOAuthClientStore,
   createInMemoryMfaStore,
+  createInMemoryLogoutDeliveryStore,
   createInMemoryLoginHistoryStore,
   createInMemoryLockoutStore,
   createInMemoryLinkedProviderStores,
@@ -21818,6 +22306,7 @@ export {
   acceptInvitation,
   WEBAUTHN_CHALLENGE_COOKIE,
   DEFAULT_WEBHOOK_TIMEOUT_MS,
+  DEFAULT_WEBHOOK_RETRY,
   DEFAULT_WEBAUTHN_SESSION_TTL_MS,
   DEFAULT_WEBAUTHN_ROUTE,
   DEFAULT_WEBAUTHN_CHALLENGE_TTL_MS,
@@ -21846,5 +22335,5 @@ export {
   AuthIdentityConflictError
 };
-//# debugId=E246ECC6A14E235864756E2164756E21
+//# debugId=9518CC46948D590564756E2164756E21
 //# sourceMappingURL=index.js.map