npm - @absolutejs/auth - Versions diffs - 0.29.0-beta.0 → 0.29.0-beta.1 - Mend

@absolutejs/auth 0.29.0-beta.0 → 0.29.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.d.ts +56 -3
package/dist/index.js +307 -11
package/dist/index.js.map +9 -8
package/dist/oidc/config.d.ts +2 -1
package/dist/oidc/inMemoryStores.d.ts +2 -1
package/dist/oidc/logout.d.ts +38 -0
package/dist/oidc/postgresStores.d.ts +233 -1
package/dist/oidc/routes.d.ts +53 -1
package/dist/oidc/types.d.ts +19 -0
package/package.json +1 -1

package/dist/index.d.ts CHANGED Viewed

@@ -13616,6 +13616,58 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
             };
         };
     };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: {
+                client_id?: string | undefined;
+                state?: string | undefined;
+                id_token_hint?: string | undefined;
+                post_logout_redirect_uri?: string | undefined;
+            };
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                client_id?: string | undefined;
+                state?: string | undefined;
+                id_token_hint?: string | undefined;
+                post_logout_redirect_uri?: string | undefined;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
 } & {
     [x: string]: {
         get: {
@@ -13647,7 +13699,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 query: unknown;
                 headers: unknown;
                 response: {
-                    200: Record<string, string | string[]>;
+                    200: Record<string, string | boolean | string[]>;
                 };
             };
         };
@@ -14848,8 +14900,9 @@ export { generateSigningKey, jwkThumbprint, signJwt, toPublicJwk, verifyJwt } fr
 export type { SigningKey } from './oidc/keys';
 export { verifyDpopProof } from './oidc/dpop';
 export type { DpopResult } from './oidc/dpop';
-export { createInMemoryAuthorizationCodeStore, createInMemoryDeviceAuthorizationStore, createInMemoryOAuthClientStore, createInMemoryOidcRefreshTokenStore } from './oidc/inMemoryStores';
-export { createNeonAuthorizationCodeStore, createNeonDeviceAuthorizationStore, createNeonOAuthClientStore, createNeonOidcRefreshTokenStore, createPostgresAuthorizationCodeStore, createPostgresDeviceAuthorizationStore, createPostgresOAuthClientStore, createPostgresOidcRefreshTokenStore, oauthClientsTable, oauthCodesTable, oauthDeviceAuthorizationsTable, oauthRefreshTokensTable } from './oidc/postgresStores';
+export { createInMemoryAuthorizationCodeStore, createInMemoryDeviceAuthorizationStore, createInMemoryLogoutDeliveryStore, createInMemoryOAuthClientStore, createInMemoryOidcRefreshTokenStore } from './oidc/inMemoryStores';
+export { fanOutBackchannelLogout, mintLogoutToken, resolvePostLogoutRedirect, verifyIdTokenHint } from './oidc/logout';
+export { createNeonAuthorizationCodeStore, createNeonDeviceAuthorizationStore, createNeonLogoutDeliveryStore, createNeonOAuthClientStore, createNeonOidcRefreshTokenStore, createPostgresAuthorizationCodeStore, createPostgresDeviceAuthorizationStore, createPostgresLogoutDeliveryStore, createPostgresOAuthClientStore, createPostgresOidcRefreshTokenStore, oauthClientsTable, oauthCodesTable, oauthDeviceAuthorizationsTable, oauthLogoutDeliveriesTable, oauthRefreshTokensTable } from './oidc/postgresStores';
 export * from './adaptive/config';
 export * from './adaptive/fingerprint';
 export * from './adaptive/types';

package/dist/index.js CHANGED Viewed

@@ -4496,6 +4496,138 @@ var verifyDpopProof = async ({
   return { jkt: await jwkThumbprint(header.jwk), jti };
 };
+// src/oidc/logout.ts
+var BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
+var buildLogoutClaims = ({
+  clientId,
+  issuer,
+  now,
+  sub
+}) => ({
+  aud: clientId,
+  events: { [BACKCHANNEL_LOGOUT_EVENT]: {} },
+  iat: Math.floor(now / MILLISECONDS_IN_A_SECOND),
+  iss: issuer,
+  jti: crypto.randomUUID(),
+  sub
+});
+var resolvePostLogoutRedirect = ({
+  client,
+  requestedUri
+}) => {
+  if (requestedUri === undefined)
+    return;
+  const allow = client.postLogoutRedirectUris ?? [];
+  return allow.includes(requestedUri) ? requestedUri : undefined;
+};
+var verifyIdTokenHint = async ({
+  config,
+  idTokenHint
+}) => {
+  const verified = await verifyJwt(idTokenHint, config.signingKey.publicJwk);
+  const payload = verified?.payload;
+  if (payload === undefined || typeof payload.sub !== "string" || typeof payload.aud !== "string" || payload.iss !== config.issuer) {
+    return;
+  }
+  return { audClientId: payload.aud, sub: payload.sub };
+};
+var BACKCHANNEL_TIMEOUT_SECONDS = 5;
+var DEFAULT_BACKCHANNEL_TIMEOUT_MS = BACKCHANNEL_TIMEOUT_SECONDS * MILLISECONDS_IN_A_SECOND;
+var errorMessage = (error) => error instanceof Error ? error.message : String(error);
+var statusFromError = (error) => {
+  if (!(error instanceof Error))
+    return;
+  const match = /returned (\d+)/.exec(error.message);
+  return match?.[1] === undefined ? undefined : Number(match[1]);
+};
+var mintLogoutToken = async ({
+  clientId,
+  config,
+  now = Date.now(),
+  sub
+}) => signJwt(buildLogoutClaims({ clientId, issuer: config.issuer, now, sub }), config.signingKey);
+var postLogoutToken = async ({
+  endpointUrl,
+  fetchImpl,
+  logoutToken,
+  timeoutMs
+}) => {
+  const response = await fetchImpl(endpointUrl, {
+    body: new URLSearchParams({ logout_token: logoutToken }).toString(),
+    headers: {
+      "content-type": "application/x-www-form-urlencoded"
+    },
+    method: "POST",
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!response.ok) {
+    throw new Error(`Back-channel logout returned ${response.status}`);
+  }
+};
+var deliverLogoutToOne = async ({
+  clientId,
+  config,
+  endpointUrl,
+  fetchImpl,
+  logoutToken,
+  onError,
+  timeoutMs,
+  userId
+}) => {
+  try {
+    await postLogoutToken({ endpointUrl, fetchImpl, logoutToken, timeoutMs });
+  } catch (error) {
+    const delivery = {
+      attempts: 1,
+      clientId,
+      createdAt: Date.now(),
+      endpointUrl,
+      id: crypto.randomUUID(),
+      lastError: errorMessage(error),
+      lastStatus: statusFromError(error),
+      logoutToken,
+      userId
+    };
+    await config.logoutDeliveryStore?.recordFailure(delivery);
+    await onError?.(delivery);
+  }
+};
+var fanOutBackchannelLogout = async ({
+  config,
+  fetchImpl = globalThis.fetch,
+  now = Date.now(),
+  onError,
+  skipClientId,
+  timeoutMs = DEFAULT_BACKCHANNEL_TIMEOUT_MS,
+  userId
+}) => {
+  const clientIds = await config.refreshTokenStore.listClientIdsForUser(userId);
+  const targets = await Promise.all(clientIds.filter((clientId) => clientId !== skipClientId).map(async (clientId) => {
+    const client = await config.clientStore.findClient(clientId);
+    return client?.backchannelLogoutUri === undefined ? undefined : { client, endpointUrl: client.backchannelLogoutUri };
+  }));
+  const reachable = targets.filter((target) => target !== undefined);
+  await Promise.all(reachable.map(async ({ client, endpointUrl }) => {
+    const logoutToken = await mintLogoutToken({
+      clientId: client.clientId,
+      config,
+      now,
+      sub: userId
+    });
+    await deliverLogoutToOne({
+      clientId: client.clientId,
+      config,
+      endpointUrl,
+      fetchImpl,
+      logoutToken,
+      onError,
+      timeoutMs,
+      userId
+    });
+  }));
+  return reachable.map(({ client }) => client.clientId);
+};
 // src/oidc/routes.ts
 var HTTP_OK2 = 200;
 var HTTP_BAD_REQUEST2 = 400;
@@ -4549,6 +4681,7 @@ var oidcProviderRoutes = (config) => {
   const revokeRoute = `${oidcRoute}/revoke`;
   const deviceAuthorizationRoute = `${oidcRoute}/device_authorization`;
   const deviceApproveRoute = `${oidcRoute}/device/decision`;
+  const endSessionRoute = `${oidcRoute}/end_session`;
   const tokenUrl = `${issuer}${oidcRoute}/token`;
   const authenticateClient = async (clientId, clientSecret) => {
     const client = await clientStore.findClient(clientId);
@@ -4692,8 +4825,11 @@ var oidcProviderRoutes = (config) => {
   }
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
+    backchannel_logout_session_supported: false,
+    backchannel_logout_supported: true,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
+    end_session_endpoint: `${issuer}${endSessionRoute}`,
     grant_types_supported: grantTypes,
     id_token_signing_alg_values_supported: ["ES256"],
     introspection_endpoint: `${issuer}${introspectRoute}`,
@@ -4712,6 +4848,47 @@ var oidcProviderRoutes = (config) => {
   if (config.deviceAuthorizationStore) {
     discovery.device_authorization_endpoint = `${issuer}${deviceAuthorizationRoute}`;
   }
+  const handleEndSession = async ({
+    cookie,
+    inMemorySession,
+    query
+  }) => {
+    const hint = query.id_token_hint === undefined ? undefined : await verifyIdTokenHint({
+      config,
+      idTokenHint: query.id_token_hint
+    });
+    const clientId = hint?.audClientId ?? query.client_id;
+    const client = clientId === undefined ? undefined : await config.clientStore.findClient(clientId);
+    const userSession = await loadSessionFromSource({
+      authSessionStore,
+      session: inMemorySession,
+      userSessionId: cookie.value
+    });
+    const resolvedSub = hint?.sub ?? (userSession === undefined ? undefined : getUserId(userSession.user));
+    await clearSession({
+      authSessionStore,
+      cookie,
+      inMemorySession
+    });
+    if (resolvedSub !== undefined) {
+      await fanOutBackchannelLogout({
+        config,
+        skipClientId: clientId,
+        userId: resolvedSub
+      });
+    }
+    const redirectUri = client === undefined ? undefined : resolvePostLogoutRedirect({
+      client,
+      requestedUri: query.post_logout_redirect_uri
+    });
+    if (redirectUri === undefined) {
+      return jsonResponse({ ok: true }, HTTP_OK2);
+    }
+    const url = new URL(redirectUri);
+    if (query.state !== undefined)
+      url.searchParams.set("state", query.state);
+    return redirectTo(url.toString());
+  };
   return new Elysia15().use(sessionStore()).get(authorizeRoute, async ({ cookie: { user_session_id }, query, request, store }) => {
     const {
       client_id: clientId,
@@ -4944,6 +5121,42 @@ var oidcProviderRoutes = (config) => {
     cookie: t12.Cookie({
       user_session_id: t12.Optional(userSessionIdTypebox)
     })
+  }).get(endSessionRoute, async ({
+    cookie: { user_session_id },
+    query,
+    store
+  }) => handleEndSession({
+    cookie: user_session_id,
+    inMemorySession: store.session,
+    query
+  }), {
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    }),
+    query: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      id_token_hint: t12.Optional(t12.String()),
+      post_logout_redirect_uri: t12.Optional(t12.String()),
+      state: t12.Optional(t12.String())
+    })
+  }).post(endSessionRoute, async ({
+    body,
+    cookie: { user_session_id },
+    store
+  }) => handleEndSession({
+    cookie: user_session_id,
+    inMemorySession: store.session,
+    query: body
+  }), {
+    body: t12.Object({
+      client_id: t12.Optional(t12.String()),
+      id_token_hint: t12.Optional(t12.String()),
+      post_logout_redirect_uri: t12.Optional(t12.String()),
+      state: t12.Optional(t12.String())
+    }),
+    cookie: t12.Cookie({
+      user_session_id: t12.Optional(userSessionIdTypebox)
+    })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
@@ -7986,8 +8199,8 @@ var attemptOnce = async ({
   }
   return response.status;
 };
-var errorMessage = (error) => error instanceof Error ? error.message : String(error);
-var statusFromError = (error) => {
+var errorMessage2 = (error) => error instanceof Error ? error.message : String(error);
+var statusFromError2 = (error) => {
   if (!(error instanceof Error))
     return;
   const match = /returned (\d+)/.exec(error.message);
@@ -8007,8 +8220,8 @@ var persistFailure = async ({
     createdAt: Date.now(),
     endpointUrl: endpoint.url,
     envelope,
-    lastError: errorMessage(lastError),
-    lastStatus: statusFromError(lastError)
+    lastError: errorMessage2(lastError),
+    lastStatus: statusFromError2(lastError)
   };
   await deliveryStore.recordFailure(record);
 };
@@ -20083,6 +20296,7 @@ var createPostgresApiKeyStore = (db) => ({
   }
 });
 // src/oidc/inMemoryStores.ts
+var DEFAULT_LIST_LIMIT = 100;
 var createInMemoryAuthorizationCodeStore = () => {
   const codes = new Map;
   return {
@@ -20123,6 +20337,18 @@ var createInMemoryDeviceAuthorizationStore = () => {
     }
   };
 };
+var createInMemoryLogoutDeliveryStore = () => {
+  const failures = new Map;
+  return {
+    listFailed: async (limit = DEFAULT_LIST_LIMIT) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
+    recordFailure: async (delivery) => {
+      failures.set(delivery.id, delivery);
+    },
+    removeFailure: async (deliveryId) => {
+      failures.delete(deliveryId);
+    }
+  };
+};
 var createInMemoryOAuthClientStore = (clients) => {
   const registry = new Map(clients.map((client) => [client.clientId, client]));
   return {
@@ -20144,17 +20370,28 @@ var createInMemoryOidcRefreshTokenStore = () => {
       }
     },
     getToken: async (tokenHash) => tokens.get(tokenHash),
+    listClientIdsForUser: async (userId) => {
+      const now = Date.now();
+      const active = Array.from(tokens.values()).filter((token) => token.userId === userId && token.expiresAt > now);
+      return Array.from(new Set(active.map((token) => token.clientId)));
+    },
     saveToken: async (token) => {
       tokens.set(token.tokenHash, { ...token });
     }
   };
 };
 // src/oidc/postgresStores.ts
+var URL_LENGTH = 2048;
+var DEFAULT_LIST_LIMIT2 = 100;
 var ID_LENGTH7 = 255;
 var oauthClientsTable = pgTable("auth_oauth_clients", {
+  backchannel_logout_uri: varchar("backchannel_logout_uri", {
+    length: URL_LENGTH
+  }),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).primaryKey(),
   hashed_secret: varchar("hashed_secret", { length: ID_LENGTH7 }),
   name: varchar("name", { length: ID_LENGTH7 }).notNull(),
+  post_logout_redirect_uris: text("post_logout_redirect_uris").array(),
   redirect_uris: text("redirect_uris").array().notNull(),
   scopes: text("scopes").array().notNull()
 });
@@ -20184,6 +20421,17 @@ var oauthDeviceAuthorizationsTable = pgTable("auth_oauth_device_authorizations",
   user_code: varchar("user_code", { length: 16 }).notNull().unique(),
   user_sub: varchar("user_sub", { length: ID_LENGTH7 })
 });
+var oauthLogoutDeliveriesTable = pgTable("auth_oauth_logout_deliveries", {
+  attempts: bigint("attempts", { mode: "number" }).notNull(),
+  client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
+  created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
+  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH }).notNull(),
+  id: varchar("id", { length: ID_LENGTH7 }).primaryKey(),
+  last_error: text("last_error"),
+  last_status: bigint("last_status", { mode: "number" }),
+  logout_token: text("logout_token").notNull(),
+  user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
+});
 var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   claims_json: jsonb("claims_json").$type(),
   client_id: varchar("client_id", { length: ID_LENGTH7 }).notNull(),
@@ -20195,12 +20443,25 @@ var oauthRefreshTokensTable = pgTable("auth_oauth_refresh_tokens", {
   user_id: varchar("user_id", { length: ID_LENGTH7 }).notNull()
 });
 var toClient2 = (row) => ({
+  backchannelLogoutUri: row.backchannel_logout_uri ?? undefined,
   clientId: row.client_id,
   hashedSecret: row.hashed_secret ?? undefined,
   name: row.name,
+  postLogoutRedirectUris: row.post_logout_redirect_uris ?? undefined,
   redirectUris: row.redirect_uris,
   scopes: row.scopes
 });
+var toLogoutDelivery = (row) => ({
+  attempts: row.attempts,
+  clientId: row.client_id,
+  createdAt: row.created_at_ms,
+  endpointUrl: row.endpoint_url,
+  id: row.id,
+  lastError: row.last_error ?? undefined,
+  lastStatus: row.last_status ?? undefined,
+  logoutToken: row.logout_token,
+  userId: row.user_id
+});
 var toCode = (row) => ({
   claims: row.claims_json ?? undefined,
   clientId: row.client_id,
@@ -20260,6 +20521,7 @@ var toRefreshValues = (token) => ({
 });
 var createNeonAuthorizationCodeStore = (databaseUrl) => createPostgresAuthorizationCodeStore(createNeonDatabase(databaseUrl));
 var createNeonDeviceAuthorizationStore = (databaseUrl) => createPostgresDeviceAuthorizationStore(createNeonDatabase(databaseUrl));
+var createNeonLogoutDeliveryStore = (databaseUrl) => createPostgresLogoutDeliveryStore(createNeonDatabase(databaseUrl));
 var createNeonOAuthClientStore = (databaseUrl) => createPostgresOAuthClientStore(createNeonDatabase(databaseUrl));
 var createNeonOidcRefreshTokenStore = (databaseUrl) => createPostgresOidcRefreshTokenStore(createNeonDatabase(databaseUrl));
 var createPostgresAuthorizationCodeStore = (db) => ({
@@ -20300,6 +20562,28 @@ var createPostgresDeviceAuthorizationStore = (db) => ({
     await db.update(oauthDeviceAuthorizationsTable).set({ status, user_sub: userSub ?? null }).where(eq(oauthDeviceAuthorizationsTable.device_code_hash, deviceCodeHash));
   }
 });
+var createPostgresLogoutDeliveryStore = (db) => ({
+  listFailed: async (limit = DEFAULT_LIST_LIMIT2) => {
+    const rows = await db.select().from(oauthLogoutDeliveriesTable).orderBy(desc(oauthLogoutDeliveriesTable.created_at_ms)).limit(limit);
+    return rows.map(toLogoutDelivery);
+  },
+  recordFailure: async (delivery) => {
+    await db.insert(oauthLogoutDeliveriesTable).values({
+      attempts: delivery.attempts,
+      client_id: delivery.clientId,
+      created_at_ms: delivery.createdAt,
+      endpoint_url: delivery.endpointUrl,
+      id: delivery.id,
+      last_error: delivery.lastError ?? null,
+      last_status: delivery.lastStatus ?? null,
+      logout_token: delivery.logoutToken,
+      user_id: delivery.userId
+    });
+  },
+  removeFailure: async (deliveryId) => {
+    await db.delete(oauthLogoutDeliveriesTable).where(eq(oauthLogoutDeliveriesTable.id, deliveryId));
+  }
+});
 var createPostgresOAuthClientStore = (db) => ({
   findClient: async (clientId) => {
     const [row] = await db.select().from(oauthClientsTable).where(eq(oauthClientsTable.client_id, clientId)).limit(1);
@@ -20318,6 +20602,10 @@ var createPostgresOidcRefreshTokenStore = (db) => ({
     const [row] = await db.select().from(oauthRefreshTokensTable).where(eq(oauthRefreshTokensTable.token_hash, tokenHash)).limit(1);
     return row ? toRefresh(row) : undefined;
   },
+  listClientIdsForUser: async (userId) => {
+    const rows = await db.selectDistinct({ client_id: oauthRefreshTokensTable.client_id }).from(oauthRefreshTokensTable).where(and(eq(oauthRefreshTokensTable.user_id, userId), gt(oauthRefreshTokensTable.expires_at_ms, Date.now())));
+    return rows.map((row) => row.client_id);
+  },
   saveToken: async (token) => {
     await db.insert(oauthRefreshTokensTable).values(toRefreshValues(token));
   }
@@ -21451,11 +21739,11 @@ var createPostgresPasswordlessTokenStore = (db) => ({
   }
 });
 // src/webhooks/inMemoryStore.ts
-var DEFAULT_LIST_LIMIT = 100;
+var DEFAULT_LIST_LIMIT3 = 100;
 var createInMemoryWebhookDeliveryStore = () => {
   const failures = new Map;
   return {
-    listFailed: async (limit = DEFAULT_LIST_LIMIT) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
+    listFailed: async (limit = DEFAULT_LIST_LIMIT3) => Array.from(failures.values()).sort((left, right) => right.createdAt - left.createdAt).slice(0, limit),
     recordFailure: async (delivery) => {
       failures.set(delivery.envelope.id, delivery);
     },
@@ -21466,12 +21754,12 @@ var createInMemoryWebhookDeliveryStore = () => {
 };
 // src/webhooks/postgresStore.ts
 var ID_LENGTH15 = 255;
-var URL_LENGTH = 2048;
-var DEFAULT_LIST_LIMIT2 = 100;
+var URL_LENGTH2 = 2048;
+var DEFAULT_LIST_LIMIT4 = 100;
 var webhookDeliveriesTable = pgTable("auth_webhook_deliveries", {
   attempts: bigint("attempts", { mode: "number" }).notNull(),
   created_at_ms: bigint("created_at_ms", { mode: "number" }).notNull(),
-  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH }).notNull(),
+  endpoint_url: varchar("endpoint_url", { length: URL_LENGTH2 }).notNull(),
   envelope_id: varchar("envelope_id", { length: ID_LENGTH15 }).primaryKey(),
   envelope_json: jsonb("envelope_json").$type().notNull(),
   last_error: text("last_error"),
@@ -21487,7 +21775,7 @@ var toDelivery = (row) => ({
 });
 var createNeonWebhookDeliveryStore = (databaseUrl) => createPostgresWebhookDeliveryStore(createNeonDatabase(databaseUrl));
 var createPostgresWebhookDeliveryStore = (db) => ({
-  listFailed: async (limit = DEFAULT_LIST_LIMIT2) => {
+  listFailed: async (limit = DEFAULT_LIST_LIMIT4) => {
     const rows = await db.select().from(webhookDeliveriesTable).orderBy(desc(webhookDeliveriesTable.created_at_ms)).limit(limit);
     return rows.map(toDelivery);
   },
@@ -21742,6 +22030,7 @@ export {
   verifyPkce,
   verifyPassword,
   verifyJwt,
+  verifyIdTokenHint,
   verifyHcaptcha,
   verifyDpopProof,
   verifyAuditChain,
@@ -21780,6 +22069,7 @@ export {
   resolveSetupSession,
   resolveScimOrganization,
   resolveProviderClientConfiguration,
+  resolvePostLogoutRedirect,
   resolvePermissions,
   resolveOAuthTokenExpiresAt,
   resolveOAuthAuthorization,
@@ -21807,9 +22097,11 @@ export {
   oidcProviderRoutes,
   oidcProviderOptions,
   oauthRefreshTokensTable,
+  oauthLogoutDeliveriesTable,
   oauthDeviceAuthorizationsTable,
   oauthCodesTable,
   oauthClientsTable,
+  mintLogoutToken,
   mfaTotpRoutes,
   mfaRoutes,
   mfaEnrollmentsTable,
@@ -21858,6 +22150,7 @@ export {
   generateEncryptionKey,
   generateBackupCodes,
   fingerprintDevice,
+  fanOutBackchannelLogout,
   extractPropFromIdentity,
   exportAuditCsv,
   exchangeToken,
@@ -21909,6 +22202,7 @@ export {
   createPostgresOidcRefreshTokenStore,
   createPostgresOAuthClientStore,
   createPostgresMfaStore,
+  createPostgresLogoutDeliveryStore,
   createPostgresLoginHistoryStore,
   createPostgresLockoutStore,
   createPostgresKnownDeviceStore,
@@ -21935,6 +22229,7 @@ export {
   createNeonOAuthLinkedProviderCredentialResolver,
   createNeonOAuthClientStore,
   createNeonMfaStore,
+  createNeonLogoutDeliveryStore,
   createNeonLoginHistoryStore,
   createNeonLockoutStore,
   createNeonLinkedProviderStores,
@@ -21965,6 +22260,7 @@ export {
   createInMemoryOidcRefreshTokenStore,
   createInMemoryOAuthClientStore,
   createInMemoryMfaStore,
+  createInMemoryLogoutDeliveryStore,
   createInMemoryLoginHistoryStore,
   createInMemoryLockoutStore,
   createInMemoryLinkedProviderStores,
@@ -22039,5 +22335,5 @@ export {
   AuthIdentityConflictError
 };
-//# debugId=451C9751C02E5E2164756E2164756E21
+//# debugId=9518CC46948D590564756E2164756E21
 //# sourceMappingURL=index.js.map