@augmenting-integrations/auth 8.4.1 → 8.6.0

package/dist/client.cjs

@@ -21,14 +21,11 @@ __export(client_exports, {
   AppUserProvider: () => import_AppUserProvider.AppUserProvider,
   ImpersonationBanner: () => import_ImpersonationBanner.ImpersonationBanner,
   SignOutButton: () => import_SignOutButton.SignOutButton,
-  TENANT_GLOBAL_KEY: () => import_tenant.TENANT_GLOBAL_KEY,
-  TenantProvider: () => import_tenant.TenantProvider,
   UserMenu: () => import_UserMenu.UserMenu,
   useAppUser: () => import_AppUserProvider.useAppUser,
   useDbAppUser: () => import_AppUserProvider.useDbAppUser,
   useImpersonation: () => import_use_impersonation.useImpersonation,
-  useRole: () => import_AppUserProvider.useRole,
-  useTenant: () => import_tenant.useTenant
+  useRole: () => import_AppUserProvider.useRole
 });
 module.exports = __toCommonJS(client_exports);
 var import_AppUserProvider = require("./client/AppUserProvider.js");
@@ -36,19 +33,15 @@ var import_UserMenu = require("./client/UserMenu.js");
 var import_SignOutButton = require("./client/SignOutButton.js");
 var import_ImpersonationBanner = require("./client/ImpersonationBanner.js");
 var import_use_impersonation = require("./client/use-impersonation.js");
-var import_tenant = require("./client/tenant.js");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AppUserProvider,
   ImpersonationBanner,
   SignOutButton,
-  TENANT_GLOBAL_KEY,
-  TenantProvider,
   UserMenu,
   useAppUser,
   useDbAppUser,
   useImpersonation,
-  useRole,
-  useTenant
+  useRole
 });
 //# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\nexport {\n  TenantProvider,\n  useTenant,\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAQO;AACP,sBAAyB;AACzB,2BAA8B;AAC9B,iCAAoC;AACpC,+BAKO;AACP,oBAMO;","names":[]}
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAQO;AACP,sBAAyB;AACzB,2BAA8B;AAC9B,iCAAoC;AACpC,+BAKO;","names":[]}

package/dist/client.d.ts

@@ -3,5 +3,4 @@ export { UserMenu } from "./client/UserMenu.js";
 export { SignOutButton } from "./client/SignOutButton.js";
 export { ImpersonationBanner } from "./client/ImpersonationBanner.js";
 export { useImpersonation, type EffectiveUser, type ImpersonatedBy, type MeResponse, } from "./client/use-impersonation.js";
-export { TenantProvider, useTenant, TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantRole, } from "./client/tenant.js";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,UAAU,EACV,YAAY,EACZ,OAAO,EACP,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,cAAc,EACd,SAAS,EACT,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,UAAU,EACV,YAAY,EACZ,OAAO,EACP,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC"}

package/dist/client.js

@@ -10,22 +10,14 @@ import { ImpersonationBanner } from "./client/ImpersonationBanner.js";
 import {
   useImpersonation
 } from "./client/use-impersonation.js";
-import {
-  TenantProvider,
-  useTenant,
-  TENANT_GLOBAL_KEY
-} from "./client/tenant.js";
 export {
   AppUserProvider,
   ImpersonationBanner,
   SignOutButton,
-  TENANT_GLOBAL_KEY,
-  TenantProvider,
   UserMenu,
   useAppUser,
   useDbAppUser,
   useImpersonation,
-  useRole,
-  useTenant
+  useRole
 };
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\nexport {\n  TenantProvider,\n  useTenant,\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,gBAAgB;AACzB,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,OAIK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAGK;","names":[]}
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,gBAAgB;AACzB,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,OAIK;","names":[]}

package/dist/server/createAuth.d.ts

@@ -1,10 +1,17 @@
 import { type DefaultSession, type Session } from "next-auth";
-import type { TenantServerConfig } from "../tenant-types.js";
+import type { TenantServerConfig } from "@augmenting-integrations/platform/server";
 declare module "next-auth" {
     interface Session {
         user: {
             groups: string[];
         } & DefaultSession["user"];
+        /**
+         * Cognito access token, preserved on the session for spoke-side
+         * Cognito user-pool calls (TOTP setup/verify, ChangePassword). Only
+         * present after a fresh OAuth login on the apex; absent on cookie-only
+         * sessions in spokes that never sat in front of the OAuth dance.
+         */
+        accessToken?: string;
     }
     interface User {
         groups?: string[];
@@ -14,7 +21,7 @@ export type CreateAuthOptions = {
     /**
      * Full tenant configuration. Provides apex/cookieDomain/parentDomain/
      * appDomain/role + cognito client id + issuer + allowed admin emails.
-     * Load via `loadTenantConfig()` from `@augmenting-integrations/tenant/server`.
+     * Load via `loadTenantConfig()` from `@augmenting-integrations/platform/server`.
      */
     tenant: TenantServerConfig;
     /** Path prefixes that require an authenticated session. */
@@ -38,6 +45,28 @@ export type CreateAuthOptions = {
     signInPage?: string;
     /** Override prod/dev detection. Default reads NODE_ENV. */
     isProd?: boolean;
+    /**
+     * App-level access policy. When set, signed-in users whose Cognito
+     * identity groups don't intersect `requiredIdentityGroups` are
+     * redirected to `forbiddenPage` (default: the apex /login page with
+     * `?error=app_forbidden&app=<slug>`). Sourced from
+     * `app.manifest.json#access`.
+     *
+     * `requiredIdentityGroups: []` means all authenticated users may
+     * enter; access enforcement is a no-op (same as omitting `appAccess`
+     * entirely). This is NOT product-level authorization; it gates entry
+     * to the entire app surface, mirroring the registry field of the
+     * same name.
+     */
+    appAccess?: {
+        requiredIdentityGroups: string[];
+        /**
+         * Optional override. Default:
+         *   - apex: "/login?error=app_forbidden&app=<slug>"
+         *   - spoke: "https://<apex>/login?error=app_forbidden&app=<slug>"
+         */
+        forbiddenPage?: string;
+    };
 };
 export declare class AuthError extends Error {
     code: "unauthenticated" | "forbidden";

package/dist/server/createAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createAuth.d.ts","sourceRoot":"","sources":["../../src/server/createAuth.ts"],"names":[],"mappings":"AAkBA,OAAiB,EACf,KAAK,cAAc,EAEnB,KAAK,OAAO,EACb,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAM7D,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,EAAE,CAAC;SAClB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;KAC5B;IACD,UAAU,IAAI;QACZ,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;;OAIG;IACH,MAAM,EAAE,kBAAkB,CAAC;IAC3B,2DAA2D;IAC3D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAIF,qBAAa,SAAU,SAAQ,KAAK;IACf,IAAI,EAAE,iBAAiB,GAAG,WAAW;gBAArC,IAAI,EAAE,iBAAiB,GAAG,WAAW;CAIzD;AAID,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAE3E;AAED,+CAA+C;AAC/C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EACnC,GAAG,KAAK,EAAE,MAAM,EAAE,GACjB,IAAI,CAKN;AA+BD,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,sCAyIjD;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}
+{"version":3,"file":"createAuth.d.ts","sourceRoot":"","sources":["../../src/server/createAuth.ts"],"names":[],"mappings":"AAkBA,OAAiB,EACf,KAAK,cAAc,EAEnB,KAAK,OAAO,EACb,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAMnF,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,EAAE,CAAC;SAClB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QAC3B;;;;;WAKG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;IACD,UAAU,IAAI;QACZ,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;;OAIG;IACH,MAAM,EAAE,kBAAkB,CAAC;IAC3B,2DAA2D;IAC3D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,SAAS,CAAC,EAAE;QACV,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC;;;;WAIG;QACH,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH,CAAC;AAIF,qBAAa,SAAU,SAAQ,KAAK;IACf,IAAI,EAAE,iBAAiB,GAAG,WAAW;gBAArC,IAAI,EAAE,iBAAiB,GAAG,WAAW;CAIzD;AAID,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAE3E;AAED,+CAA+C;AAC/C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EACnC,GAAG,KAAK,EAAE,MAAM,EAAE,GACjB,IAAI,CAKN;AA+BD,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,sCAwKjD;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/server/invitations.d.ts

@@ -0,0 +1,82 @@
+import "server-only";
+import type { Session } from "next-auth";
+type AuthFn = () => Promise<Session | null>;
+export type InvitationSendAppUser = {
+    id: bigint | string | number;
+    name: string;
+    role: string;
+};
+export type InvitationCreateInput = {
+    token: string;
+    email: string;
+    inviter_id: bigint | string | number;
+    intended_role: string;
+    parent_id: bigint | string | number | null;
+    expires_at: Date;
+};
+export type InvitationCreatedRow = {
+    id: bigint | string | number;
+    expires_at: Date;
+};
+export type InvitationSendDb = {
+    user: {
+        findUnique: (args: {
+            where: {
+                email: string;
+            };
+        }) => Promise<unknown | null>;
+    };
+    invitation: {
+        create: (args: {
+            data: InvitationCreateInput;
+        }) => Promise<InvitationCreatedRow>;
+    };
+};
+export type RenderedEmail = {
+    subject: string;
+    html: string;
+    text?: string;
+};
+export type InvitationEmailContext = {
+    inviterName: string;
+    inviteeEmail: string;
+    intendedRole: string;
+    invitationUrl: string;
+    expiresAt: Date;
+    appDisplayName: string;
+};
+export type CreateInvitationSendHandlersOptions = {
+    auth: AuthFn;
+    getDb: () => Promise<InvitationSendDb>;
+    getOrCreateAppUser: (session: Session) => Promise<InvitationSendAppUser>;
+    /** Returns true if the caller's role may invite. */
+    canInvite: (callerRole: string) => boolean;
+    /**
+     * Derive the new invitation's parent_id given the caller + the optional
+     * client override. Return null for a flat-tree spoke.
+     */
+    resolveInviteScope: (caller: InvitationSendAppUser, overrideParentId: bigint | null) => bigint | string | number | null;
+    /** Optional allow-list. If provided, body.role must be one of these. */
+    allowedRoles?: string[];
+    generateInvitationToken: () => string;
+    invitationExpiresAt: () => Date;
+    buildInvitationUrl: (token: string, origin: string) => string;
+    renderInvitationEmail: (ctx: InvitationEmailContext) => RenderedEmail;
+    sendEmail: (args: {
+        to: string;
+        subject: string;
+        html: string;
+        text?: string;
+    }) => Promise<void>;
+    /** Used as fallback origin if APP_DOMAIN env is unset. */
+    appDomainEnv?: string;
+    /** Issuer name shown in the invitation email. */
+    appDisplayName: string;
+};
+export declare function createInvitationSendHandlers(opts: CreateInvitationSendHandlersOptions): {
+    send: {
+        POST: (request: Request) => Promise<Response>;
+    };
+};
+export {};
+//# sourceMappingURL=invitations.d.ts.map

package/dist/server/invitations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"invitations.d.ts","sourceRoot":"","sources":["../../src/server/invitations.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAwBzC,KAAK,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAE5C,MAAM,MAAM,qBAAqB,GAAG;IAClC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC3C,UAAU,EAAE,IAAI,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC7B,UAAU,EAAE,IAAI,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,IAAI,EAAE;YAAE,KAAK,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;KAC7E,CAAC;IACF,UAAU,EAAE;QACV,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE,qBAAqB,CAAA;SAAE,KAAK,OAAO,CAAC,oBAAoB,CAAC,CAAC;KAClF,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mCAAmC,GAAG;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACvC,kBAAkB,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACzE,oDAAoD;IACpD,SAAS,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;IAC3C;;;OAGG;IACH,kBAAkB,EAAE,CAClB,MAAM,EAAE,qBAAqB,EAC7B,gBAAgB,EAAE,MAAM,GAAG,IAAI,KAC5B,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACrC,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,uBAAuB,EAAE,MAAM,MAAM,CAAC;IACtC,mBAAmB,EAAE,MAAM,IAAI,CAAC;IAChC,kBAAkB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9D,qBAAqB,EAAE,CAAC,GAAG,EAAE,sBAAsB,KAAK,aAAa,CAAC;IACtE,SAAS,EAAE,CAAC,IAAI,EAAE;QAChB,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAUF,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mCAAmC;;wBAE5D,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;;EA2GpD"}

package/dist/server/settings.d.ts

@@ -0,0 +1,64 @@
+import "server-only";
+import type { Session } from "next-auth";
+type AuthFn = () => Promise<Session | null>;
+export type SettingsAppUser = {
+    id: bigint | string | number;
+};
+export type SettingsDb = {
+    user: {
+        update: (args: Record<string, unknown>) => Promise<unknown>;
+    };
+};
+export type CognitoOps = {
+    associateSoftwareToken: (args: {
+        accessToken: string;
+    }) => Promise<{
+        secretCode: string;
+    }>;
+    verifySoftwareToken: (args: {
+        accessToken: string;
+        code: string;
+    }) => Promise<{
+        status: string;
+    }>;
+    setUserMfaPreference: (args: {
+        accessToken: string;
+        enabled: boolean;
+    }) => Promise<void>;
+    changePassword: (args: {
+        accessToken: string;
+        previousPassword: string;
+        proposedPassword: string;
+    }) => Promise<void>;
+    buildOtpAuthUri: (args: {
+        secret: string;
+        accountName: string;
+        issuer: string;
+    }) => string;
+};
+export type CreateSettingsHandlersOptions = {
+    auth: AuthFn;
+    getDb: () => Promise<SettingsDb>;
+    getOrCreateAppUser: (session: Session) => Promise<SettingsAppUser>;
+    cognito: CognitoOps;
+    /** OTP issuer name shown in authenticator apps. */
+    appDisplayName: string;
+    /** Optional QR data URL generator -- spoke supplies `qrcode` if desired. */
+    generateQrDataUrl?: (otpAuthUri: string) => Promise<string>;
+};
+export declare function createSettingsHandlers(opts: CreateSettingsHandlersOptions): {
+    passwordChange: {
+        POST: (request: Request) => Promise<Response>;
+    };
+    twoFactorSetup: {
+        POST: () => Promise<Response>;
+    };
+    twoFactorVerify: {
+        POST: (request: Request) => Promise<Response>;
+    };
+    twoFactorDisable: {
+        POST: () => Promise<Response>;
+    };
+};
+export {};
+//# sourceMappingURL=settings.d.ts.map

package/dist/server/settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.d.ts","sourceRoot":"","sources":["../../src/server/settings.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoBzC,KAAK,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAE5C,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,EAAE;QACJ,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KAC7D,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACvB,sBAAsB,EAAE,CAAC,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC;QACjE,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;IACH,mBAAmB,EAAE,CAAC,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC;QAC5E,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oBAAoB,EAAE,CAAC,IAAI,EAAE;QAC3B,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;KAClB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,cAAc,EAAE,CAAC,IAAI,EAAE;QACrB,WAAW,EAAE,MAAM,CAAC;QACpB,gBAAgB,EAAE,MAAM,CAAC;QACzB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,eAAe,EAAE,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;KAChB,KAAK,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;IACjC,kBAAkB,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,eAAe,CAAC,CAAC;IACnE,OAAO,EAAE,UAAU,CAAC;IACpB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,4EAA4E;IAC5E,iBAAiB,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7D,CAAC;AAwBF,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,6BAA6B;;wBAGhD,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;;;oBA2CjC,OAAO,CAAC,QAAQ,CAAC;;;wBA8BX,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;;;oBAwCjC,OAAO,CAAC,QAAQ,CAAC;;EAwBpC"}