@arch-cadre/core 0.0.42 → 0.0.44

package/dist/core/auth/password-reset.d.ts

@@ -0,0 +1,35 @@
+import type { PasswordResetAuthSession, PasswordResetSession } from "./types";
+/**
+ * Creates a new password reset session.
+ */
+export declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+export declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
+/**
+ * Marks the password reset session as email verified.
+ */
+export declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+export declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
+/**
+ * Validates the current password reset session from cookies.
+ */
+export declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
+/**
+ * Sets the password reset session token cookie.
+ */
+export declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Deletes the password reset session token cookie.
+ */
+export declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
+/**
+ * Sends a password reset email with the OTP code.
+ */
+export declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
+//# sourceMappingURL=password-reset.d.ts.map

package/dist/core/auth/password-reset.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../../src/core/auth/password-reset.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAG9E;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,oBAAoB,CAAC,CAe/B;AAED;;;GAGG;AACH,wBAAsB,iCAAiC,CACrD,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,wBAAwB,CAAC,CAoCnC;AAED;;GAEG;AACH,wBAAsB,sCAAsC,CAC1D,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;GAEG;AACH,wBAAsB,mCAAmC,CACvD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAIf;AAED;;GAEG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CAexF;AAED;;GAEG;AACH,wBAAsB,kCAAkC,CACtD,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,IAAI,GACd,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;GAEG;AACH,wBAAsB,qCAAqC,IAAI,OAAO,CAAC,IAAI,CAAC,CAG3E;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/core/auth/password-reset.js

@@ -0,0 +1,122 @@
+"use server";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { addHours } from "date-fns";
+import { eq } from "drizzle-orm";
+import { cookies } from "next/headers";
+import { db } from "../../server/database/inject";
+import { passwordResetSessionTable, userTable, } from "../../server/database/schema";
+import { sendResetPassword } from "../../server/emails/index";
+import { augmentPasswordResetSession } from "./augment";
+import { performFullUserAugmentation } from "./logic";
+import { generateRandomOTP } from "./utils/encode";
+/**
+ * Creates a new password reset session.
+ */
+export async function createPasswordResetSession(token, userId, email) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    const [session] = await db
+        .insert(passwordResetSessionTable)
+        .values({
+        id: sessionId,
+        email: email,
+        code: generateRandomOTP(),
+        expiresAt: new Date(addHours(new Date(), 1)),
+        userId: userId,
+    })
+        .returning();
+    return session;
+}
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+export async function validatePasswordResetSessionToken(token) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    const [row] = await db
+        .select({
+        session: passwordResetSessionTable,
+        user: userTable,
+    })
+        .from(passwordResetSessionTable)
+        .innerJoin(userTable, eq(passwordResetSessionTable.userId, userTable.id))
+        .where(eq(passwordResetSessionTable.id, sessionId));
+    if (!row || !row.user) {
+        return { session: null, user: null };
+    }
+    const { session: baseSession, user: baseUser } = row;
+    // Check for expiration
+    if (new Date() > baseSession.expiresAt) {
+        await db
+            .delete(passwordResetSessionTable)
+            .where(eq(passwordResetSessionTable.id, baseSession.id));
+        return { session: null, user: null };
+    }
+    // STRICTLY remove non-serializable and sensitive fields
+    const { password, recovery_code, ...safeUser } = baseUser;
+    // AUGMENT (EXTENSIBILITY POINTS)
+    const user = await performFullUserAugmentation(safeUser);
+    const session = await augmentPasswordResetSession(baseSession);
+    return { session, user };
+}
+/**
+ * Marks the password reset session as email verified.
+ */
+export async function setPasswordResetSessionAsEmailVerified(sessionId) {
+    await db
+        .update(passwordResetSessionTable)
+        .set({
+        emailVerified: true,
+    })
+        .where(eq(passwordResetSessionTable.id, sessionId));
+}
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+export async function invalidateUserPasswordResetSessions(userId) {
+    await db
+        .delete(passwordResetSessionTable)
+        .where(eq(passwordResetSessionTable.userId, userId));
+}
+/**
+ * Validates the current password reset session from cookies.
+ */
+export async function getCurrentPasswordResetSession() {
+    var _a, _b;
+    const cookieStore = await cookies();
+    const token = (_b = (_a = cookieStore.get("password_reset_session")) === null || _a === void 0 ? void 0 : _a.value) !== null && _b !== void 0 ? _b : null;
+    if (token === null) {
+        return { session: null, user: null };
+    }
+    const result = await validatePasswordResetSessionToken(token);
+    if (result.session === null) {
+        await deletePasswordResetSessionTokenCookie();
+    }
+    return result;
+}
+/**
+ * Sets the password reset session token cookie.
+ */
+export async function setPasswordResetSessionTokenCookie(token, expiresAt) {
+    const cookieStore = await cookies();
+    cookieStore.set("password_reset_session", token, {
+        expires: expiresAt,
+        sameSite: "lax",
+        httpOnly: true,
+        path: "/",
+        secure: process.env.NODE_ENV === "production",
+    });
+}
+/**
+ * Deletes the password reset session token cookie.
+ */
+export async function deletePasswordResetSessionTokenCookie() {
+    const cookieStore = await cookies();
+    cookieStore.delete("password_reset_session");
+}
+/**
+ * Sends a password reset email with the OTP code.
+ */
+export async function sendPasswordResetEmail(email, code) {
+    await sendResetPassword(email, code);
+}

package/dist/core/auth/rbac.d.ts

@@ -0,0 +1,56 @@
+/**
+ * CORE RBAC LOGIC
+ * This file handles all database operations for Roles and Permissions.
+ */
+export declare function getRoles(): Promise<{
+    id: string;
+    name: string;
+    description: string | null;
+}[]>;
+export declare function getRoleById(roleId: string): Promise<{
+    id: string;
+    name: string;
+    description: string | null;
+}>;
+export declare function createRole(name: string, description?: string): Promise<{
+    id: string;
+    name: string;
+    description: string | null;
+}[]>;
+export declare function deleteRole(roleId: string): Promise<import("pg").QueryResult<never>>;
+export declare function getPermissions(): Promise<{
+    id: string;
+    name: string;
+    description: string | null;
+}[]>;
+export declare function createPermission(name: string, description?: string): Promise<{
+    id: string;
+    name: string;
+    description: string | null;
+}[]>;
+export declare function deletePermission(permissionId: string): Promise<import("pg").QueryResult<never>>;
+export declare function getRolePermissions(roleId: string): Promise<{
+    id: string;
+    name: string;
+}[]>;
+export declare function assignPermissionToRole(roleId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
+export declare function revokePermissionFromRole(roleId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
+export declare function assignRoleToUser(userId: string, roleId: string): Promise<import("pg").QueryResult<never>>;
+export declare function revokeRoleFromUser(userId: string, roleId: string): Promise<import("pg").QueryResult<never>>;
+export declare function assignPermissionToUser(userId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
+export declare function revokePermissionFromUser(userId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
+export declare function getUserRbacData(userId: string): Promise<{
+    roles: {
+        id: string;
+        name: string;
+    }[];
+    directPermissions: {
+        id: string;
+        name: string;
+    }[];
+    effectivePermissions: {
+        id: string;
+        name: string;
+    }[];
+}>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/core/auth/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../../src/core/auth/rbac.ts"],"names":[],"mappings":"AAkBA;;;GAGG;AAIH,wBAAsB,QAAQ;;;;KAE7B;AAED,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM;;;;GAM/C;AAED,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;;;;KAElE;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,4CAE9C;AAID,wBAAsB,cAAc;;;;KAKnC;AAED,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;;;;KAKxE;AAED,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,4CAI1D;AAID,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM;;;KAYtD;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAMrB;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAUrB;AAID,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,4CAKpE;AAED,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,4CAStE;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAMrB;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAUrB;AAED,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM;;;;;;;;;;YAwCP,MAAM;cAAQ,MAAM;;GAUhE"}

package/dist/core/auth/rbac.js

@@ -0,0 +1,134 @@
+"use server";
+import { and, eq, inArray } from "drizzle-orm";
+import { db } from "../../server/database/inject";
+import { permissionsTable, rolesTable, rolesToPermissionsTable, usersToPermissionsTable, usersToRolesTable, } from "../../server/database/schema";
+import { notificationService } from "../notifications/index";
+// Ensure notification service is loaded
+if (typeof window === "undefined") {
+    notificationService.init();
+}
+/**
+ * CORE RBAC LOGIC
+ * This file handles all database operations for Roles and Permissions.
+ */
+// --- Roles ---
+export async function getRoles() {
+    return await db.select().from(rolesTable).orderBy(rolesTable.name);
+}
+export async function getRoleById(roleId) {
+    const [role] = await db
+        .select()
+        .from(rolesTable)
+        .where(eq(rolesTable.id, roleId));
+    return role;
+}
+export async function createRole(name, description) {
+    return await db.insert(rolesTable).values({ name, description }).returning();
+}
+export async function deleteRole(roleId) {
+    return await db.delete(rolesTable).where(eq(rolesTable.id, roleId));
+}
+// --- Permissions ---
+export async function getPermissions() {
+    return await db
+        .select()
+        .from(permissionsTable)
+        .orderBy(permissionsTable.name);
+}
+export async function createPermission(name, description) {
+    return await db
+        .insert(permissionsTable)
+        .values({ name, description })
+        .returning();
+}
+export async function deletePermission(permissionId) {
+    return await db
+        .delete(permissionsTable)
+        .where(eq(permissionsTable.id, permissionId));
+}
+// --- Mappings ---
+export async function getRolePermissions(roleId) {
+    return await db
+        .select({
+        id: permissionsTable.id,
+        name: permissionsTable.name,
+    })
+        .from(rolesToPermissionsTable)
+        .innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id))
+        .where(eq(rolesToPermissionsTable.roleId, roleId));
+}
+export async function assignPermissionToRole(roleId, permissionId) {
+    return await db
+        .insert(rolesToPermissionsTable)
+        .values({ roleId, permissionId })
+        .onConflictDoNothing();
+}
+export async function revokePermissionFromRole(roleId, permissionId) {
+    return await db
+        .delete(rolesToPermissionsTable)
+        .where(and(eq(rolesToPermissionsTable.roleId, roleId), eq(rolesToPermissionsTable.permissionId, permissionId)));
+}
+// --- User Assignment ---
+export async function assignRoleToUser(userId, roleId) {
+    return await db
+        .insert(usersToRolesTable)
+        .values({ userId, roleId })
+        .onConflictDoNothing();
+}
+export async function revokeRoleFromUser(userId, roleId) {
+    return await db
+        .delete(usersToRolesTable)
+        .where(and(eq(usersToRolesTable.userId, userId), eq(usersToRolesTable.roleId, roleId)));
+}
+export async function assignPermissionToUser(userId, permissionId) {
+    return await db
+        .insert(usersToPermissionsTable)
+        .values({ userId, permissionId })
+        .onConflictDoNothing();
+}
+export async function revokePermissionFromUser(userId, permissionId) {
+    return await db
+        .delete(usersToPermissionsTable)
+        .where(and(eq(usersToPermissionsTable.userId, userId), eq(usersToPermissionsTable.permissionId, permissionId)));
+}
+export async function getUserRbacData(userId) {
+    const roles = await db
+        .select({
+        id: rolesTable.id,
+        name: rolesTable.name,
+    })
+        .from(usersToRolesTable)
+        .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))
+        .where(eq(usersToRolesTable.userId, userId));
+    const directPermissions = await db
+        .select({
+        id: permissionsTable.id,
+        name: permissionsTable.name,
+    })
+        .from(usersToPermissionsTable)
+        .innerJoin(permissionsTable, eq(usersToPermissionsTable.permissionId, permissionsTable.id))
+        .where(eq(usersToPermissionsTable.userId, userId));
+    // Fetch inherited permissions from roles
+    let rolePermissions = [];
+    if (roles.length > 0) {
+        const roleIds = roles.map((r) => r.id);
+        rolePermissions = await db
+            .select({
+            id: permissionsTable.id,
+            name: permissionsTable.name,
+        })
+            .from(rolesToPermissionsTable)
+            .innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id))
+            .where(inArray(rolesToPermissionsTable.roleId, roleIds));
+    }
+    // Combine for effective permissions
+    const effectiveMap = new Map();
+    for (const p of [...directPermissions, ...rolePermissions]) {
+        effectiveMap.set(p.id, p);
+    }
+    return {
+        roles,
+        directPermissions,
+        effectivePermissions: Array.from(effectiveMap.values()),
+    };
+}

package/dist/core/auth/session.d.ts

@@ -0,0 +1,50 @@
+import type { AuthSession, Session, SessionFlags, UserSession } from "./types";
+/**
+ * Returns the user's IP address.
+ */
+export declare function getIPAddress(): Promise<string | null>;
+/**
+ * Validates the session token.
+ */
+export declare function validateSessionToken(token: string): Promise<AuthSession>;
+/**
+ * Returns the current user session from cookies.
+ */
+export declare const getCurrentSession: () => Promise<AuthSession>;
+/**
+ * Invalidates a single session.
+ */
+export declare function invalidateSession(sessionId: string): Promise<void>;
+/**
+ * Invalidates all user sessions.
+ */
+export declare function invalidateUserSessions(userId: string): Promise<void>;
+/**
+ * Sets the session token in a cookie.
+ */
+export declare function setSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Removes the session token cookie.
+ */
+export declare function deleteSessionTokenCookie(): Promise<void>;
+/**
+ * Generates a new random session token.
+ */
+export declare function generateSessionToken(): Promise<string>;
+/**
+ * Creates a new session in the database.
+ */
+export declare function createSession(token: string, userId: string, flags: SessionFlags): Promise<Session>;
+/**
+ * Signs the user out and redirects to the sign-in page.
+ */
+export declare function sessionSignOut(): Promise<void>;
+/**
+ * Get all active sessions for a user.
+ */
+export declare function getUserSessions(userId: string, currentSessionId: string): Promise<UserSession[]>;
+/**
+ * Invalidate all sessions for a user except the specified current one.
+ */
+export declare function invalidateOtherSessions(userId: string, currentSessionId: string): Promise<void>;
+//# sourceMappingURL=session.d.ts.map

package/dist/core/auth/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../src/core/auth/session.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EACV,WAAW,EACX,OAAO,EACP,YAAY,EAEZ,WAAW,EACZ,MAAM,SAAS,CAAC;AAEjB;;GAEG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAE3D;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,WAAW,CAAC,CAoCtB;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB,QAAa,OAAO,CAAC,WAAW,CAS7D,CAAC;AAEF;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAExE;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE1E;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,IAAI,GACd,OAAO,CAAC,IAAI,CAAC,CASf;AAED;;GAEG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,IAAI,CAAC,CAG9D;AAED;;GAEG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC,CAI5D;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;GAEG;AACH,wBAAsB,cAAc,kBASnC;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,EAAE,CAAC,CAYxB;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC,CASf"}

package/dist/core/auth/session.js

@@ -0,0 +1,152 @@
+"use server";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase, } from "@oslojs/encoding";
+import { addDays } from "date-fns";
+import { and, eq, ne } from "drizzle-orm";
+import { cookies, headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { db } from "../../server/database/inject";
+import { sessionTable, userTable } from "../../server/database/schema";
+import { augmentSession } from "./augment";
+import { performFullUserAugmentation } from "./logic";
+/**
+ * Returns the user's IP address.
+ */
+export async function getIPAddress() {
+    return (await headers()).get("x-forwarded-for");
+}
+/**
+ * Validates the session token.
+ */
+export async function validateSessionToken(token) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    const [row] = await db
+        .select({
+        session: sessionTable,
+        user: userTable,
+    })
+        .from(sessionTable)
+        .innerJoin(userTable, eq(sessionTable.userId, userTable.id))
+        .where(eq(sessionTable.id, sessionId));
+    if (!row || !row.user) {
+        return { session: null, user: null };
+    }
+    const { session: baseSession, user: baseUser } = row;
+    // STRICTLY remove non-serializable and sensitive fields
+    const { password, recovery_code, ...safeUser } = baseUser;
+    // Check if session is expired
+    if (new Date() > baseSession.expiresAt) {
+        await db.delete(sessionTable).where(eq(sessionTable.id, baseSession.id));
+        return { session: null, user: null };
+    }
+    // AUGMENT (EXTENSIBILITY POINTS)
+    const augmentedUser = await performFullUserAugmentation(safeUser);
+    const augmentedSession = await augmentSession(baseSession);
+    // ENSURE PLAIN OBJECTS for Client Components
+    return {
+        session: augmentedSession ? { ...augmentedSession } : null,
+        user: augmentedUser ? { ...augmentedUser } : null,
+    };
+}
+/**
+ * Returns the current user session from cookies.
+ */
+export const getCurrentSession = async () => {
+    var _a, _b;
+    const cookieStore = await cookies();
+    const token = (_b = (_a = cookieStore.get("session")) === null || _a === void 0 ? void 0 : _a.value) !== null && _b !== void 0 ? _b : null;
+    if (token === null) {
+        return { session: null, user: null };
+    }
+    return await validateSessionToken(token);
+};
+/**
+ * Invalidates a single session.
+ */
+export async function invalidateSession(sessionId) {
+    await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));
+}
+/**
+ * Invalidates all user sessions.
+ */
+export async function invalidateUserSessions(userId) {
+    await db.delete(sessionTable).where(eq(sessionTable.userId, userId));
+}
+/**
+ * Sets the session token in a cookie.
+ */
+export async function setSessionTokenCookie(token, expiresAt) {
+    const cookieStore = await cookies();
+    cookieStore.set("session", token, {
+        httpOnly: true,
+        path: "/",
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        expires: expiresAt,
+    });
+}
+/**
+ * Removes the session token cookie.
+ */
+export async function deleteSessionTokenCookie() {
+    const cookieStore = await cookies();
+    cookieStore.delete("session");
+}
+/**
+ * Generates a new random session token.
+ */
+export async function generateSessionToken() {
+    const tokenBytes = new Uint8Array(20);
+    crypto.getRandomValues(tokenBytes);
+    return encodeBase32LowerCaseNoPadding(tokenBytes).toLowerCase();
+}
+/**
+ * Creates a new session in the database.
+ */
+export async function createSession(token, userId, flags) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    const [session] = await db
+        .insert(sessionTable)
+        .values({
+        id: sessionId,
+        expiresAt: new Date(addDays(new Date(), 7)),
+        active_organization_id: flags.activeOrganizationId,
+        userId: userId,
+    })
+        .returning();
+    return session;
+}
+/**
+ * Signs the user out and redirects to the sign-in page.
+ */
+export async function sessionSignOut() {
+    const { session } = await getCurrentSession();
+    if (session) {
+        await invalidateSession(session.id);
+        await deleteSessionTokenCookie();
+    }
+    redirect("/signin");
+}
+/**
+ * Get all active sessions for a user.
+ */
+export async function getUserSessions(userId, currentSessionId) {
+    const sessions = await db
+        .select()
+        .from(sessionTable)
+        .where(eq(sessionTable.userId, userId));
+    return sessions.map((session) => ({
+        id: session.id,
+        createdAt: session.createdAt,
+        expiresAt: session.expiresAt,
+        isCurrent: session.id === currentSessionId,
+    }));
+}
+/**
+ * Invalidate all sessions for a user except the specified current one.
+ */
+export async function invalidateOtherSessions(userId, currentSessionId) {
+    await db
+        .delete(sessionTable)
+        .where(and(eq(sessionTable.userId, userId), ne(sessionTable.id, currentSessionId)));
+}

package/dist/core/auth/types.d.ts

@@ -0,0 +1,52 @@
+import type { passwordResetSessionTable, sessionTable, userTable } from "../../server/database/schema";
+import type { UserPermission, UserRole } from "../types";
+export type { UserRole, UserPermission };
+export type User = typeof userTable.$inferSelect;
+export type Session = typeof sessionTable.$inferSelect & Record<string, any>;
+export type PasswordResetSession = typeof passwordResetSessionTable.$inferSelect & Record<string, any>;
+/**
+ * Represents a user with all potential extensions.
+ * Use this type in UI components that require data added by modules.
+ */
+export type FullUser = User & Record<string, any> & {
+    roles: UserRole[];
+    permissions: UserPermission[];
+};
+/**
+ * Basic session context.
+ */
+export interface AuthSession {
+    session: Session | null;
+    user: FullUser | null;
+}
+export interface SessionFlags {
+    [key: string]: any;
+}
+export type UserSession = {
+    id: string;
+    createdAt: Date;
+    expiresAt: Date;
+    isCurrent: boolean;
+    [key: string]: any;
+};
+export type AuthResponse = {
+    status: "SUCCESS";
+    session: Session;
+    user: FullUser;
+    redirect?: string;
+} | {
+    status: "CHALLENGE_REQUIRED";
+    type: string;
+    userId: string;
+    tempToken?: string;
+    redirect?: string;
+} | {
+    status: "ERROR";
+    message: string;
+    redirect?: string;
+};
+export interface PasswordResetAuthSession {
+    session: PasswordResetSession | null;
+    user: FullUser | null;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/core/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/auth/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,yBAAyB,EACzB,YAAY,EACZ,SAAS,EACV,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEzD,YAAY,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC;AAEzC,MAAM,MAAM,IAAI,GAAG,OAAO,SAAS,CAAC,YAAY,CAAC;AACjD,MAAM,MAAM,OAAO,GAAG,OAAO,YAAY,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAC7E,MAAM,MAAM,oBAAoB,GAC9B,OAAO,yBAAyB,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAEtE;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,IAAI,GACzB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG;IACpB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,WAAW,EAAE,cAAc,EAAE,CAAC;CAC/B,CAAC;AAEJ;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,YAAY,GACpB;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1E;IACA,MAAM,EAAE,oBAAoB,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5D,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACrC,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;CACvB"}

package/dist/core/auth/types.js

@@ -0,0 +1 @@
+export {};

package/dist/core/auth/utils/encode.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generates a random one-time code (OTP).
+ * @param length Length of the generated code (default 6).
+ * @returns A random uppercase base32 string.
+ */
+export declare function generateRandomOTP(length?: number): string;
+/**
+ * Generates a random recovery code.
+ * @returns A random uppercase base32 string.
+ */
+export declare function generateRandomRecoveryCode(): string;
+//# sourceMappingURL=encode.d.ts.map

package/dist/core/auth/utils/encode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../../../src/core/auth/utils/encode.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,SAAI,GAAG,MAAM,CAIpD;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,CAInD"}

package/dist/core/auth/utils/encode.js

@@ -0,0 +1,20 @@
+import { encodeBase32UpperCaseNoPadding } from "@oslojs/encoding";
+/**
+ * Generates a random one-time code (OTP).
+ * @param length Length of the generated code (default 6).
+ * @returns A random uppercase base32 string.
+ */
+export function generateRandomOTP(length = 6) {
+    const bytes = new Uint8Array(5);
+    crypto.getRandomValues(bytes);
+    return encodeBase32UpperCaseNoPadding(bytes).substring(0, length);
+}
+/**
+ * Generates a random recovery code.
+ * @returns A random uppercase base32 string.
+ */
+export function generateRandomRecoveryCode() {
+    const recoveryCodeBytes = new Uint8Array(10);
+    crypto.getRandomValues(recoveryCodeBytes);
+    return encodeBase32UpperCaseNoPadding(recoveryCodeBytes);
+}