@aooth/user 0.1.1

package/dist/index.d.cts

@@ -0,0 +1,233 @@
+import { C as UserStoreUpdate, S as UserServiceConfig, _ as TotpConfig, a as LockoutConfig, b as UserAuthErrorType, c as MfaMethod, d as PasswordData, f as PasswordPolicyContext, g as PolicyCheckResult, h as PasswordPolicyInstance, i as LockStatus, l as MfaMethodInfo, m as PasswordPolicyEvalFn, n as AccountData, o as LoginResult, p as PasswordPolicyDef, r as DeepPartial, s as MfaData, t as UserStore, u as PasswordConfig, v as TransferablePolicy, x as UserCredentials, y as TrustedDeviceRecord } from "./user-store-VJPWNgdp.cjs";
+
+//#region src/errors.d.ts
+declare class UserAuthError extends Error {
+  readonly type: UserAuthErrorType;
+  readonly details?: Record<string, unknown> | undefined;
+  readonly name = "UserAuthError";
+  constructor(type: UserAuthErrorType, message?: string, details?: Record<string, unknown> | undefined);
+}
+//#endregion
+//#region src/password/hasher.d.ts
+declare class PasswordHasher {
+  private readonly pepper;
+  private readonly N;
+  private readonly r;
+  private readonly p;
+  private readonly keyLength;
+  constructor(config?: PasswordConfig);
+  hash(password: string): Promise<string>;
+  verify(password: string, encoded: string): Promise<boolean>;
+  generatePassword(length?: number): string;
+}
+//#endregion
+//#region src/password/policy.d.ts
+declare function normalizePolicies(policies?: (PasswordPolicyDef | PasswordPolicyInstance)[]): PasswordPolicy[];
+declare class PasswordPolicy implements PasswordPolicyInstance {
+  readonly rule: string | PasswordPolicyEvalFn;
+  readonly description: string;
+  readonly errorMessage: string;
+  constructor(config: PasswordPolicyDef);
+  protected _evalFn: PasswordPolicyEvalFn;
+  evaluate(password: string, context?: PasswordPolicyContext): boolean | Promise<boolean>;
+  get transferable(): boolean;
+}
+//#endregion
+//#region src/user-service.d.ts
+interface ResolvedConfig {
+  password: Required<Omit<PasswordConfig, "policies">> & {
+    policies: PasswordPolicy[];
+  };
+  lockout: Required<LockoutConfig>;
+  clock: () => number;
+  deviceTrust?: {
+    secret: string;
+  };
+}
+declare class UserService<T extends object = object> {
+  protected readonly store: UserStore<T>;
+  protected readonly config: ResolvedConfig;
+  protected readonly hasher: PasswordHasher;
+  constructor(store: UserStore<T>, config?: UserServiceConfig);
+  /**
+   * @param extras Optional partial user fields merged AFTER the base
+   *   `UserCredentials` shape, so callers can populate consumer-specific
+   *   required fields (e.g. `tenantId`) without subclassing the store.
+   *   Because the merge is shallow and extras win, overlapping top-level
+   *   keys (`id`, `account`, `mfa`, ...) replace the defaults entirely —
+   *   pass nested objects with all required sub-fields if you intend to
+   *   override them.
+   */
+  createUser(username: string, password?: string, extras?: Partial<T>): Promise<UserCredentials & T>;
+  getUser(username: string): Promise<UserCredentials & T>;
+  login(username: string, password: string): Promise<LoginResult<T>>;
+  verifyPassword(username: string, password: string): Promise<boolean>;
+  changePassword(username: string, currentPassword: string, newPassword: string, repeatPassword?: string): Promise<void>;
+  setPassword(username: string, newPassword: string): Promise<void>;
+  /**
+   * Hard-delete the user row. Returns nothing on success. Throws
+   * `UserAuthError("NOT_FOUND")` when no row matches `username`. Used by the
+   * invite workflow's `auth.cancelInvite` to revoke a pending invitation.
+   */
+  deleteUser(username: string): Promise<void>;
+  /**
+   * Deep-merge `patch` into the user record (top-level fields are shallow-
+   * merged; `account` / `mfa` / `password` are merged per their
+   * `@db.patch.strategy 'merge'` declaration). Returns the patched record.
+   * Used by the invite workflow's `applyProfile` default fallback.
+   */
+  update(username: string, patch: Partial<UserCredentials & T>): Promise<UserCredentials & T>;
+  activateAccount(username: string): Promise<void>;
+  deactivateAccount(username: string): Promise<void>;
+  lockAccount(username: string, reason: string, duration?: number): Promise<void>;
+  unlockAccount(username: string): Promise<void>;
+  getLockStatus(account: UserCredentials["account"]): LockStatus;
+  checkPolicies(password: string, passwordData?: PasswordData): Promise<PolicyCheckResult>;
+  getTransferablePolicies(): TransferablePolicy[];
+  addMfaMethod(username: string, method: MfaMethod): Promise<void>;
+  confirmMfaMethod(username: string, name: string): Promise<void>;
+  removeMfaMethod(username: string, name: string): Promise<void>;
+  setDefaultMfaMethod(username: string, name: string): Promise<void>;
+  setMfaAutoSend(username: string, value: boolean): Promise<void>;
+  getAvailableMfaMethods(mfa: MfaData): MfaMethodInfo[];
+  /**
+   * Generate `count` plaintext backup codes (default 10), persist their
+   * hashes (replacing any existing batch), and return the plaintext codes
+   * once for the caller to deliver to the user. Plaintext is never
+   * recoverable after this call returns.
+   *
+   * Throws `UserAuthError("NOT_FOUND")` if the user does not exist.
+   */
+  generateBackupCodes(username: string, count?: number): Promise<string[]>;
+  /**
+   * Consume a backup code: returns `true` and removes the matching hash
+   * from storage if `code` matches a stored backup code; returns `false`
+   * if no match (without modifying storage).
+   *
+   * Read-then-write is not atomic at this layer: two concurrent consumes
+   * of the same code may both succeed, with the last write winning. The
+   * underlying store API does not expose an atomic match-and-remove, so
+   * this is acceptable at the intended scale (backup codes are a fallback
+   * path, not a hot one). Wrap in your store's transaction primitive if a
+   * stricter guarantee is required.
+   *
+   * Throws `UserAuthError("NOT_FOUND")` if the user does not exist.
+   */
+  consumeBackupCode(username: string, code: string): Promise<boolean>;
+  /**
+   * Verify a TOTP code against the user's confirmed `totp` MFA method.
+   * Failures bump the same `failedLoginAttempts` counter as `login` so an
+   * attacker who knows the password but not the TOTP gets `lockout.threshold`
+   * total tries across BOTH factors, not `2 * threshold`.
+   */
+  verifyMfa(username: string, code: string, config?: TotpConfig): Promise<void>;
+  getPasswordHasher(): PasswordHasher;
+  getConfig(): Readonly<ResolvedConfig>;
+  /**
+   * Mint a freshly-signed trust record (does NOT persist — pair with
+   * `addTrustedDevice`). Throws when `deviceTrust.secret` is unset.
+   */
+  issueTrustedDevice(userId: string, opts: {
+    ip?: string;
+    ttlMs: number;
+    name?: string;
+  }): TrustedDeviceRecord;
+  /**
+   * Append a trust record to the user's `trustedDevices` list. Read-modify-
+   * write — the array shape is preserved end-to-end so DB adapters with a
+   * merge strategy replace the whole array.
+   */
+  addTrustedDevice(username: string, record: TrustedDeviceRecord): Promise<void>;
+  /**
+   * Returns true when the supplied token (a) signs against the user+ip with
+   * the configured secret, AND (b) matches a persisted record that is still
+   * within its expiry window and whose bound IP (if any) matches.
+   */
+  verifyTrustedDevice(username: string, token: string, ip?: string): Promise<boolean>;
+  /**
+   * Remove a specific trust record from the user. No-op when the record is
+   * absent — mirrors the legacy `DeviceTrustStore.revoke` semantics.
+   */
+  revokeTrustedDevice(username: string, token: string): Promise<void>;
+  listTrustedDevices(username: string): Promise<TrustedDeviceRecord[]>;
+  private requireDeviceTrustSecret;
+  private applyPasswordChange;
+  private hasConfirmedMfaMethods;
+  /**
+   * If `account.locked`: auto-unlock when the lock has expired (mutating
+   * `account` in place), or throw `LOCKED` otherwise.
+   */
+  private ensureNotLockedOrThrow;
+  /**
+   * Bump `failedLoginAttempts`, locking the account when threshold is hit,
+   * and always throw `errorCode` (with `details.lockEnds` when the lockout
+   * just tripped). Used by both `login` and `verifyMfa` so the two factors
+   * share one counter.
+   */
+  private incrementAndMaybeLock;
+}
+//#endregion
+//#region src/store/memory.d.ts
+declare class UserStoreMemory<T extends object = object> extends UserStore<T> {
+  private store;
+  constructor(seed?: Record<string, UserCredentials & T>);
+  exists(username: string): Promise<boolean>;
+  findByUsername(username: string): Promise<(UserCredentials & T) | null>;
+  create(data: UserCredentials & T): Promise<void>;
+  update(username: string, update: UserStoreUpdate): Promise<boolean>;
+  delete(username: string): Promise<boolean>;
+}
+//#endregion
+//#region src/password/policies.d.ts
+declare const ppHasMinLength: (min?: number) => PasswordPolicyDef;
+declare const ppHasUpperCase: (n?: number) => PasswordPolicyDef;
+declare const ppHasLowerCase: (n?: number) => PasswordPolicyDef;
+declare const ppHasNumber: (n?: number) => PasswordPolicyDef;
+declare const ppHasSpecialChar: (n?: number) => PasswordPolicyDef;
+declare const ppMaxRepeatedChars: (maxRepeated?: number) => PasswordPolicyDef;
+//#endregion
+//#region src/mfa/totp.d.ts
+declare function generateTotpSecret(bytes?: number): string;
+declare function generateTotpUri(secret: string, issuer: string, account: string, config?: Pick<TotpConfig, "period" | "digits">): string;
+declare function generateTotpCode(secret: string, config?: TotpConfig): string;
+declare function verifyTotpCode(secret: string, code: string, config?: TotpConfig): boolean;
+declare function generateMfaCode(length?: number): string;
+//#endregion
+//#region src/mfa/codes.d.ts
+/**
+ * SHA-256 hash of an MFA code (e.g. one-time email/SMS code or backup code).
+ *
+ * Hex-encoded for stable, comparable output regardless of input case/format.
+ * Use {@link verifyMfaCode} to compare a submitted plaintext code against the
+ * stored hash in constant time.
+ */
+declare function hashMfaCode(code: string): string;
+/**
+ * Constant-time comparison of a submitted plaintext code against an
+ * expected SHA-256 hex hash (as produced by {@link hashMfaCode}).
+ *
+ * Returns false for malformed/empty expected hashes (timingSafeEqual
+ * requires equal-length, non-empty buffers).
+ */
+declare function verifyMfaCode(submitted: string, expectedHash: string): boolean;
+//#endregion
+//#region src/mfa/backup-codes.d.ts
+/**
+ * Generate `count` cryptographically-random backup codes (default 10).
+ *
+ * Format: 10 characters from the 31-char safe alphabet (uppercase letters +
+ * digits, omitting I/O/L/0/1), grouped as `XXXX-XXXX-XX`.
+ *
+ * Returns plaintext codes for the caller to deliver to the user — these
+ * should be hashed via {@link hashMfaCode} before persistence and never
+ * shown to the user again.
+ */
+declare function generateBackupCodePlaintext(count?: number): string[];
+//#endregion
+//#region src/utils.d.ts
+declare function maskEmail(email: string): string;
+declare function maskPhone(phone: string): string;
+declare function maskMfaValue(method: MfaMethod): string;
+declare function setAtPath(obj: object, path: string, value: unknown): void;
+//#endregion
+export { type AccountData, type DeepPartial, type LockStatus, type LockoutConfig, type LoginResult, type MfaData, type MfaMethod, type MfaMethodInfo, type PasswordConfig, type PasswordData, PasswordHasher, PasswordPolicy, type PasswordPolicyContext, type PasswordPolicyDef, type PasswordPolicyEvalFn, type PasswordPolicyInstance, type PolicyCheckResult, type TotpConfig, type TransferablePolicy, type TrustedDeviceRecord, UserAuthError, type UserAuthErrorType, type UserCredentials, UserService, type UserServiceConfig, UserStore, UserStoreMemory, type UserStoreUpdate, generateBackupCodePlaintext, generateMfaCode, generateTotpCode, generateTotpSecret, generateTotpUri, hashMfaCode, maskEmail, maskMfaValue, maskPhone, normalizePolicies, ppHasLowerCase, ppHasMinLength, ppHasNumber, ppHasSpecialChar, ppHasUpperCase, ppMaxRepeatedChars, setAtPath, verifyMfaCode, verifyTotpCode };

package/dist/index.d.mts

@@ -0,0 +1,233 @@
+import { C as UserStoreUpdate, S as UserServiceConfig, _ as TotpConfig, a as LockoutConfig, b as UserAuthErrorType, c as MfaMethod, d as PasswordData, f as PasswordPolicyContext, g as PolicyCheckResult, h as PasswordPolicyInstance, i as LockStatus, l as MfaMethodInfo, m as PasswordPolicyEvalFn, n as AccountData, o as LoginResult, p as PasswordPolicyDef, r as DeepPartial, s as MfaData, t as UserStore, u as PasswordConfig, v as TransferablePolicy, x as UserCredentials, y as TrustedDeviceRecord } from "./user-store-Dbc9unW3.mjs";
+
+//#region src/errors.d.ts
+declare class UserAuthError extends Error {
+  readonly type: UserAuthErrorType;
+  readonly details?: Record<string, unknown> | undefined;
+  readonly name = "UserAuthError";
+  constructor(type: UserAuthErrorType, message?: string, details?: Record<string, unknown> | undefined);
+}
+//#endregion
+//#region src/password/hasher.d.ts
+declare class PasswordHasher {
+  private readonly pepper;
+  private readonly N;
+  private readonly r;
+  private readonly p;
+  private readonly keyLength;
+  constructor(config?: PasswordConfig);
+  hash(password: string): Promise<string>;
+  verify(password: string, encoded: string): Promise<boolean>;
+  generatePassword(length?: number): string;
+}
+//#endregion
+//#region src/password/policy.d.ts
+declare function normalizePolicies(policies?: (PasswordPolicyDef | PasswordPolicyInstance)[]): PasswordPolicy[];
+declare class PasswordPolicy implements PasswordPolicyInstance {
+  readonly rule: string | PasswordPolicyEvalFn;
+  readonly description: string;
+  readonly errorMessage: string;
+  constructor(config: PasswordPolicyDef);
+  protected _evalFn: PasswordPolicyEvalFn;
+  evaluate(password: string, context?: PasswordPolicyContext): boolean | Promise<boolean>;
+  get transferable(): boolean;
+}
+//#endregion
+//#region src/user-service.d.ts
+interface ResolvedConfig {
+  password: Required<Omit<PasswordConfig, "policies">> & {
+    policies: PasswordPolicy[];
+  };
+  lockout: Required<LockoutConfig>;
+  clock: () => number;
+  deviceTrust?: {
+    secret: string;
+  };
+}
+declare class UserService<T extends object = object> {
+  protected readonly store: UserStore<T>;
+  protected readonly config: ResolvedConfig;
+  protected readonly hasher: PasswordHasher;
+  constructor(store: UserStore<T>, config?: UserServiceConfig);
+  /**
+   * @param extras Optional partial user fields merged AFTER the base
+   *   `UserCredentials` shape, so callers can populate consumer-specific
+   *   required fields (e.g. `tenantId`) without subclassing the store.
+   *   Because the merge is shallow and extras win, overlapping top-level
+   *   keys (`id`, `account`, `mfa`, ...) replace the defaults entirely —
+   *   pass nested objects with all required sub-fields if you intend to
+   *   override them.
+   */
+  createUser(username: string, password?: string, extras?: Partial<T>): Promise<UserCredentials & T>;
+  getUser(username: string): Promise<UserCredentials & T>;
+  login(username: string, password: string): Promise<LoginResult<T>>;
+  verifyPassword(username: string, password: string): Promise<boolean>;
+  changePassword(username: string, currentPassword: string, newPassword: string, repeatPassword?: string): Promise<void>;
+  setPassword(username: string, newPassword: string): Promise<void>;
+  /**
+   * Hard-delete the user row. Returns nothing on success. Throws
+   * `UserAuthError("NOT_FOUND")` when no row matches `username`. Used by the
+   * invite workflow's `auth.cancelInvite` to revoke a pending invitation.
+   */
+  deleteUser(username: string): Promise<void>;
+  /**
+   * Deep-merge `patch` into the user record (top-level fields are shallow-
+   * merged; `account` / `mfa` / `password` are merged per their
+   * `@db.patch.strategy 'merge'` declaration). Returns the patched record.
+   * Used by the invite workflow's `applyProfile` default fallback.
+   */
+  update(username: string, patch: Partial<UserCredentials & T>): Promise<UserCredentials & T>;
+  activateAccount(username: string): Promise<void>;
+  deactivateAccount(username: string): Promise<void>;
+  lockAccount(username: string, reason: string, duration?: number): Promise<void>;
+  unlockAccount(username: string): Promise<void>;
+  getLockStatus(account: UserCredentials["account"]): LockStatus;
+  checkPolicies(password: string, passwordData?: PasswordData): Promise<PolicyCheckResult>;
+  getTransferablePolicies(): TransferablePolicy[];
+  addMfaMethod(username: string, method: MfaMethod): Promise<void>;
+  confirmMfaMethod(username: string, name: string): Promise<void>;
+  removeMfaMethod(username: string, name: string): Promise<void>;
+  setDefaultMfaMethod(username: string, name: string): Promise<void>;
+  setMfaAutoSend(username: string, value: boolean): Promise<void>;
+  getAvailableMfaMethods(mfa: MfaData): MfaMethodInfo[];
+  /**
+   * Generate `count` plaintext backup codes (default 10), persist their
+   * hashes (replacing any existing batch), and return the plaintext codes
+   * once for the caller to deliver to the user. Plaintext is never
+   * recoverable after this call returns.
+   *
+   * Throws `UserAuthError("NOT_FOUND")` if the user does not exist.
+   */
+  generateBackupCodes(username: string, count?: number): Promise<string[]>;
+  /**
+   * Consume a backup code: returns `true` and removes the matching hash
+   * from storage if `code` matches a stored backup code; returns `false`
+   * if no match (without modifying storage).
+   *
+   * Read-then-write is not atomic at this layer: two concurrent consumes
+   * of the same code may both succeed, with the last write winning. The
+   * underlying store API does not expose an atomic match-and-remove, so
+   * this is acceptable at the intended scale (backup codes are a fallback
+   * path, not a hot one). Wrap in your store's transaction primitive if a
+   * stricter guarantee is required.
+   *
+   * Throws `UserAuthError("NOT_FOUND")` if the user does not exist.
+   */
+  consumeBackupCode(username: string, code: string): Promise<boolean>;
+  /**
+   * Verify a TOTP code against the user's confirmed `totp` MFA method.
+   * Failures bump the same `failedLoginAttempts` counter as `login` so an
+   * attacker who knows the password but not the TOTP gets `lockout.threshold`
+   * total tries across BOTH factors, not `2 * threshold`.
+   */
+  verifyMfa(username: string, code: string, config?: TotpConfig): Promise<void>;
+  getPasswordHasher(): PasswordHasher;
+  getConfig(): Readonly<ResolvedConfig>;
+  /**
+   * Mint a freshly-signed trust record (does NOT persist — pair with
+   * `addTrustedDevice`). Throws when `deviceTrust.secret` is unset.
+   */
+  issueTrustedDevice(userId: string, opts: {
+    ip?: string;
+    ttlMs: number;
+    name?: string;
+  }): TrustedDeviceRecord;
+  /**
+   * Append a trust record to the user's `trustedDevices` list. Read-modify-
+   * write — the array shape is preserved end-to-end so DB adapters with a
+   * merge strategy replace the whole array.
+   */
+  addTrustedDevice(username: string, record: TrustedDeviceRecord): Promise<void>;
+  /**
+   * Returns true when the supplied token (a) signs against the user+ip with
+   * the configured secret, AND (b) matches a persisted record that is still
+   * within its expiry window and whose bound IP (if any) matches.
+   */
+  verifyTrustedDevice(username: string, token: string, ip?: string): Promise<boolean>;
+  /**
+   * Remove a specific trust record from the user. No-op when the record is
+   * absent — mirrors the legacy `DeviceTrustStore.revoke` semantics.
+   */
+  revokeTrustedDevice(username: string, token: string): Promise<void>;
+  listTrustedDevices(username: string): Promise<TrustedDeviceRecord[]>;
+  private requireDeviceTrustSecret;
+  private applyPasswordChange;
+  private hasConfirmedMfaMethods;
+  /**
+   * If `account.locked`: auto-unlock when the lock has expired (mutating
+   * `account` in place), or throw `LOCKED` otherwise.
+   */
+  private ensureNotLockedOrThrow;
+  /**
+   * Bump `failedLoginAttempts`, locking the account when threshold is hit,
+   * and always throw `errorCode` (with `details.lockEnds` when the lockout
+   * just tripped). Used by both `login` and `verifyMfa` so the two factors
+   * share one counter.
+   */
+  private incrementAndMaybeLock;
+}
+//#endregion
+//#region src/store/memory.d.ts
+declare class UserStoreMemory<T extends object = object> extends UserStore<T> {
+  private store;
+  constructor(seed?: Record<string, UserCredentials & T>);
+  exists(username: string): Promise<boolean>;
+  findByUsername(username: string): Promise<(UserCredentials & T) | null>;
+  create(data: UserCredentials & T): Promise<void>;
+  update(username: string, update: UserStoreUpdate): Promise<boolean>;
+  delete(username: string): Promise<boolean>;
+}
+//#endregion
+//#region src/password/policies.d.ts
+declare const ppHasMinLength: (min?: number) => PasswordPolicyDef;
+declare const ppHasUpperCase: (n?: number) => PasswordPolicyDef;
+declare const ppHasLowerCase: (n?: number) => PasswordPolicyDef;
+declare const ppHasNumber: (n?: number) => PasswordPolicyDef;
+declare const ppHasSpecialChar: (n?: number) => PasswordPolicyDef;
+declare const ppMaxRepeatedChars: (maxRepeated?: number) => PasswordPolicyDef;
+//#endregion
+//#region src/mfa/totp.d.ts
+declare function generateTotpSecret(bytes?: number): string;
+declare function generateTotpUri(secret: string, issuer: string, account: string, config?: Pick<TotpConfig, "period" | "digits">): string;
+declare function generateTotpCode(secret: string, config?: TotpConfig): string;
+declare function verifyTotpCode(secret: string, code: string, config?: TotpConfig): boolean;
+declare function generateMfaCode(length?: number): string;
+//#endregion
+//#region src/mfa/codes.d.ts
+/**
+ * SHA-256 hash of an MFA code (e.g. one-time email/SMS code or backup code).
+ *
+ * Hex-encoded for stable, comparable output regardless of input case/format.
+ * Use {@link verifyMfaCode} to compare a submitted plaintext code against the
+ * stored hash in constant time.
+ */
+declare function hashMfaCode(code: string): string;
+/**
+ * Constant-time comparison of a submitted plaintext code against an
+ * expected SHA-256 hex hash (as produced by {@link hashMfaCode}).
+ *
+ * Returns false for malformed/empty expected hashes (timingSafeEqual
+ * requires equal-length, non-empty buffers).
+ */
+declare function verifyMfaCode(submitted: string, expectedHash: string): boolean;
+//#endregion
+//#region src/mfa/backup-codes.d.ts
+/**
+ * Generate `count` cryptographically-random backup codes (default 10).
+ *
+ * Format: 10 characters from the 31-char safe alphabet (uppercase letters +
+ * digits, omitting I/O/L/0/1), grouped as `XXXX-XXXX-XX`.
+ *
+ * Returns plaintext codes for the caller to deliver to the user — these
+ * should be hashed via {@link hashMfaCode} before persistence and never
+ * shown to the user again.
+ */
+declare function generateBackupCodePlaintext(count?: number): string[];
+//#endregion
+//#region src/utils.d.ts
+declare function maskEmail(email: string): string;
+declare function maskPhone(phone: string): string;
+declare function maskMfaValue(method: MfaMethod): string;
+declare function setAtPath(obj: object, path: string, value: unknown): void;
+//#endregion
+export { type AccountData, type DeepPartial, type LockStatus, type LockoutConfig, type LoginResult, type MfaData, type MfaMethod, type MfaMethodInfo, type PasswordConfig, type PasswordData, PasswordHasher, PasswordPolicy, type PasswordPolicyContext, type PasswordPolicyDef, type PasswordPolicyEvalFn, type PasswordPolicyInstance, type PolicyCheckResult, type TotpConfig, type TransferablePolicy, type TrustedDeviceRecord, UserAuthError, type UserAuthErrorType, type UserCredentials, UserService, type UserServiceConfig, UserStore, UserStoreMemory, type UserStoreUpdate, generateBackupCodePlaintext, generateMfaCode, generateTotpCode, generateTotpSecret, generateTotpUri, hashMfaCode, maskEmail, maskMfaValue, maskPhone, normalizePolicies, ppHasLowerCase, ppHasMinLength, ppHasNumber, ppHasSpecialChar, ppHasUpperCase, ppMaxRepeatedChars, setAtPath, verifyMfaCode, verifyTotpCode };