@authcore/core 0.5.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 David Ouatedem
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/adapters/database.interface.d.ts

@@ -0,0 +1,42 @@
+import type { User, Token, TokenType, CreateUserInput, CreateTokenInput } from '../types.js';
+/**
+ * DatabaseAdapter defines the contract that any database implementation must fulfill.
+ * Implement this interface to add support for a new database (Drizzle, Mongoose, etc.).
+ *
+ * @example
+ * ```ts
+ * import type { DatabaseAdapter } from '@authcore/core'
+ *
+ * export function myAdapter(client: MyClient): DatabaseAdapter {
+ *   return {
+ *     findUserByEmail: (email) => client.user.findUnique({ where: { email } }),
+ *     // ...
+ *   }
+ * }
+ * ```
+ */
+export interface DatabaseAdapter {
+    /** Find a user by their email address. Returns null if not found. */
+    findUserByEmail(email: string): Promise<User | null>;
+    /** Find a user by their ID. Returns null if not found. */
+    findUserById(id: string): Promise<User | null>;
+    /** Create a new user record. */
+    createUser(data: CreateUserInput): Promise<User>;
+    /** Update fields on an existing user. */
+    updateUser(id: string, data: Partial<Omit<User, 'id' | 'createdAt'>>): Promise<User>;
+    /**
+     * Create a new token record.
+     * The `token` field in `data` must be the SHA-256 hash of the raw token.
+     */
+    createToken(data: CreateTokenInput): Promise<Token>;
+    /**
+     * Find a token record by the raw token value and type.
+     * Implementations MUST hash the raw token before querying.
+     */
+    findToken(rawToken: string, type: TokenType): Promise<Token | null>;
+    /** Delete a token by its ID. */
+    deleteToken(id: string): Promise<void>;
+    /** Delete all expired tokens. Call periodically for housekeeping. */
+    deleteExpiredTokens(): Promise<void>;
+}
+//# sourceMappingURL=database.interface.d.ts.map

package/dist/adapters/database.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.interface.d.ts","sourceRoot":"","sources":["../../src/adapters/database.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAE5F;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;IAEpD,0DAA0D;IAC1D,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;IAE9C,gCAAgC;IAChC,UAAU,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEhD,yCAAyC;IACzC,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,GAAG,WAAW,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEpF;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IAEnD;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAA;IAEnE,gCAAgC;IAChC,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEtC,qEAAqE;IACrE,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAAA;CACrC"}

package/dist/adapters/database.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=database.interface.js.map

package/dist/adapters/database.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.interface.js","sourceRoot":"","sources":["../../src/adapters/database.interface.ts"],"names":[],"mappings":""}

package/dist/adapters/email.interface.d.ts

@@ -0,0 +1,31 @@
+/**
+ * EmailAdapter defines the contract for any email provider implementation.
+ * Implement this interface to add support for a new email provider (SendGrid, Mailgun, etc.).
+ *
+ * @example
+ * ```ts
+ * import type { EmailAdapter } from '@authcore/core'
+ *
+ * export function myEmailAdapter(apiKey: string): EmailAdapter {
+ *   return {
+ *     send: async ({ to, subject, html, text }) => {
+ *       await myEmailClient.send({ apiKey, to, subject, html, text })
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export interface EmailAdapter {
+    /**
+     * Send an email.
+     * Must throw on failure — AuthCore will not retry automatically.
+     */
+    send(options: {
+        from: string;
+        to: string;
+        subject: string;
+        html: string;
+        text: string;
+    }): Promise<void>;
+}
+//# sourceMappingURL=email.interface.d.ts.map

package/dist/adapters/email.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.interface.d.ts","sourceRoot":"","sources":["../../src/adapters/email.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,IAAI,CAAC,OAAO,EAAE;QACZ,IAAI,EAAE,MAAM,CAAA;QACZ,EAAE,EAAE,MAAM,CAAA;QACV,OAAO,EAAE,MAAM,CAAA;QACf,IAAI,EAAE,MAAM,CAAA;QACZ,IAAI,EAAE,MAAM,CAAA;KACb,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClB"}

package/dist/adapters/email.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=email.interface.js.map

package/dist/adapters/email.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.interface.js","sourceRoot":"","sources":["../../src/adapters/email.interface.ts"],"names":[],"mappings":""}

package/dist/auth.d.ts

@@ -0,0 +1,73 @@
+import type { AuthCoreConfig, PublicUser } from './types.js';
+export declare class AuthError extends Error {
+    readonly code: string;
+    readonly statusCode: number;
+    constructor(message: string, code: string, statusCode: number);
+}
+/**
+ * The AuthCore instance returned by createAuth.
+ * Framework adapters (Express, Fastify) wrap this object.
+ */
+export interface AuthCore {
+    /**
+     * Register a new user.
+     * @throws AuthError on validation failure (400) or duplicate email (409)
+     */
+    register(input: unknown): Promise<{
+        user: PublicUser;
+        token: string;
+    }>;
+    /**
+     * Authenticate a user with email/password.
+     * @throws AuthError on invalid credentials (401)
+     */
+    login(input: unknown): Promise<{
+        user: PublicUser;
+        token: string;
+    }>;
+    /**
+     * Verify a JWT and return the public user.
+     * Returns null if the token is invalid or expired.
+     */
+    verifyToken(token: string): Promise<PublicUser | null>;
+    /**
+     * Initiate email verification (requires emailVerification feature).
+     * Sends a verification email.
+     */
+    sendEmailVerification(params: {
+        userId: string;
+        email: string;
+        verificationUrl: string;
+    }): Promise<void>;
+    /**
+     * Complete email verification using the raw token.
+     * @throws AuthError if token is invalid or expired (400)
+     */
+    verifyEmail(input: unknown): Promise<void>;
+    /**
+     * Initiate password reset. Always returns successfully (prevents enumeration).
+     */
+    forgotPassword(input: unknown): Promise<void>;
+    /**
+     * Complete password reset using the raw token.
+     * @throws AuthError if token is invalid or expired (400)
+     */
+    resetPassword(input: unknown): Promise<void>;
+}
+/**
+ * Create an AuthCore instance from the provided configuration.
+ * This is the main entry point for the core package.
+ *
+ * @example
+ * ```ts
+ * import { createAuth } from '@authcore/core'
+ * import { prismaAdapter } from '@authcore/prisma-adapter'
+ *
+ * const auth = createAuth({
+ *   db: prismaAdapter(prisma),
+ *   session: { strategy: 'jwt', secret: process.env.AUTH_SECRET! },
+ * })
+ * ```
+ */
+export declare function createAuth(config: AuthCoreConfig): AuthCore;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAmB5D,qBAAa,SAAU,SAAQ,KAAK;aAGhB,IAAI,EAAE,MAAM;aACZ,UAAU,EAAE,MAAM;gBAFlC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM;CAKrC;AAED;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEtE;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEnE;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAA;IAEtD;;;OAGG;IACH,qBAAqB,CAAC,MAAM,EAAE;QAC5B,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,MAAM,CAAA;QACb,eAAe,EAAE,MAAM,CAAA;KACxB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEjB;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE1C;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE7C;;;OAGG;IACH,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7C;AAmBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,cAAc,GAAG,QAAQ,CAuL3D"}

package/dist/auth.js

@@ -0,0 +1,180 @@
+import { hashPassword, verifyPassword } from './utils/password.js';
+import { signJwt, verifyJwt } from './utils/token.js';
+import { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, } from './utils/validation.js';
+import { createEmailVerification, verifyEmail as verifyEmailFeature, } from './features/emailVerification.js';
+import { createPasswordReset, resetPassword as resetPasswordFeature, } from './features/passwordReset.js';
+export class AuthError extends Error {
+    code;
+    statusCode;
+    constructor(message, code, statusCode) {
+        super(message);
+        this.code = code;
+        this.statusCode = statusCode;
+        this.name = 'AuthError';
+    }
+}
+function toPublicUser(user) {
+    return {
+        id: user.id,
+        email: user.email,
+        emailVerified: user.emailVerified,
+        createdAt: user.createdAt,
+        updatedAt: user.updatedAt,
+    };
+}
+/**
+ * Create an AuthCore instance from the provided configuration.
+ * This is the main entry point for the core package.
+ *
+ * @example
+ * ```ts
+ * import { createAuth } from '@authcore/core'
+ * import { prismaAdapter } from '@authcore/prisma-adapter'
+ *
+ * const auth = createAuth({
+ *   db: prismaAdapter(prisma),
+ *   session: { strategy: 'jwt', secret: process.env.AUTH_SECRET! },
+ * })
+ * ```
+ */
+export function createAuth(config) {
+    const { db, session, email, features = [], password: pwConfig = {}, callbacks = {} } = config;
+    const saltRounds = pwConfig.saltRounds ?? 12;
+    const minPasswordLength = pwConfig.minLength ?? 8;
+    const expiresIn = session.expiresIn ?? '7d';
+    const hasEmailVerification = features.includes('emailVerification');
+    const hasPasswordReset = features.includes('passwordReset');
+    return {
+        async register(input) {
+            const schema = registerSchema(minPasswordLength);
+            const parsed = schema.safeParse(input);
+            if (!parsed.success) {
+                throw new AuthError(parsed.error.errors[0]?.message ?? 'Validation failed', 'VALIDATION_ERROR', 400);
+            }
+            const { email: userEmail, password } = parsed.data;
+            const existing = await db.findUserByEmail(userEmail);
+            if (existing) {
+                throw new AuthError('An account with this email already exists', 'EMAIL_EXISTS', 409);
+            }
+            const passwordHash = await hashPassword(password, saltRounds);
+            const user = await db.createUser({ email: userEmail, passwordHash });
+            const publicUser = toPublicUser(user);
+            const token = signJwt({ sub: user.id, email: user.email }, session.secret, expiresIn);
+            await callbacks.onSignUp?.(publicUser);
+            return { user: publicUser, token };
+        },
+        async login(input) {
+            const parsed = loginSchema.safeParse(input);
+            if (!parsed.success) {
+                throw new AuthError(parsed.error.errors[0]?.message ?? 'Validation failed', 'VALIDATION_ERROR', 400);
+            }
+            const { email: userEmail, password } = parsed.data;
+            const user = await db.findUserByEmail(userEmail);
+            if (!user) {
+                throw new AuthError('Invalid email or password', 'INVALID_CREDENTIALS', 401);
+            }
+            const valid = await verifyPassword(password, user.passwordHash);
+            if (!valid) {
+                throw new AuthError('Invalid email or password', 'INVALID_CREDENTIALS', 401);
+            }
+            if (hasEmailVerification && !user.emailVerified) {
+                throw new AuthError('Please verify your email address before signing in', 'EMAIL_NOT_VERIFIED', 403);
+            }
+            const publicUser = toPublicUser(user);
+            const token = signJwt({ sub: user.id, email: user.email }, session.secret, expiresIn);
+            await callbacks.onSignIn?.(publicUser);
+            return { user: publicUser, token };
+        },
+        async verifyToken(token) {
+            const payload = verifyJwt(token, session.secret);
+            if (!payload)
+                return null;
+            const user = await db.findUserById(payload.sub);
+            if (!user)
+                return null;
+            return toPublicUser(user);
+        },
+        async sendEmailVerification({ userId, email: userEmail, verificationUrl }) {
+            if (!hasEmailVerification) {
+                throw new AuthError('emailVerification feature is not enabled', 'FEATURE_DISABLED', 500);
+            }
+            if (!email) {
+                throw new AuthError('Email provider is not configured', 'EMAIL_NOT_CONFIGURED', 500);
+            }
+            await createEmailVerification({
+                userId,
+                email: userEmail,
+                db,
+                emailProvider: email.provider,
+                from: email.from,
+                verificationUrl,
+            });
+        },
+        async verifyEmail(input) {
+            const parsed = verifyEmailSchema.safeParse(input);
+            if (!parsed.success) {
+                throw new AuthError(parsed.error.errors[0]?.message ?? 'Validation failed', 'VALIDATION_ERROR', 400);
+            }
+            try {
+                await verifyEmailFeature({ rawToken: parsed.data.token, db });
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : 'Invalid token';
+                throw new AuthError(message, 'INVALID_TOKEN', 400);
+            }
+        },
+        async forgotPassword(input) {
+            if (!hasPasswordReset) {
+                // Silently ignore — don't reveal feature status
+                return;
+            }
+            const parsed = forgotPasswordSchema.safeParse(input);
+            if (!parsed.success) {
+                // Still return successfully to prevent enumeration
+                return;
+            }
+            if (!email)
+                return;
+            // Intentionally swallow errors — always return 200
+            try {
+                await createPasswordReset({
+                    email: parsed.data.email,
+                    db,
+                    emailProvider: email.provider,
+                    from: email.from,
+                    resetUrl: `${session.secret}/reset-password`, // overridden by framework adapter
+                });
+            }
+            catch {
+                // Swallow — no email enumeration
+            }
+        },
+        async resetPassword(input) {
+            const schema = resetPasswordSchema(minPasswordLength);
+            const parsed = schema.safeParse(input);
+            if (!parsed.success) {
+                throw new AuthError(parsed.error.errors[0]?.message ?? 'Validation failed', 'VALIDATION_ERROR', 400);
+            }
+            try {
+                await resetPasswordFeature({
+                    rawToken: parsed.data.token,
+                    newPassword: parsed.data.password,
+                    db,
+                    saltRounds,
+                });
+                const tokenRecord = await db.findToken(parsed.data.token, 'PASSWORD_RESET');
+                if (tokenRecord) {
+                    const user = await db.findUserById(tokenRecord.userId);
+                    if (user) {
+                        await callbacks.onPasswordReset?.(toPublicUser(user));
+                    }
+                }
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : 'Invalid token';
+                throw new AuthError(message, 'INVALID_TOKEN', 400);
+            }
+        },
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAkC,MAAM,kBAAkB,CAAA;AACrF,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,uBAAuB,EACvB,WAAW,IAAI,kBAAkB,GAClC,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,mBAAmB,EACnB,aAAa,IAAI,oBAAoB,GACtC,MAAM,6BAA6B,CAAA;AAEpC,MAAM,OAAO,SAAU,SAAQ,KAAK;IAGhB;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,UAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAA;QAHE,SAAI,GAAJ,IAAI,CAAQ;QACZ,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAA;IACzB,CAAC;CACF;AAqDD,SAAS,YAAY,CAAC,IAOrB;IACC,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,UAAU,CAAC,MAAsB;IAC/C,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAQ,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,EAAE,GAAG,MAAM,CAAA;IAC7F,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAA;IAC5C,MAAM,iBAAiB,GAAG,QAAQ,CAAC,SAAS,IAAI,CAAC,CAAA;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAA;IAE3C,MAAM,oBAAoB,GAAG,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAA;IACnE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAA;IAE3D,OAAO;QACL,KAAK,CAAC,QAAQ,CAAC,KAAK;YAClB,MAAM,MAAM,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAA;YAChD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACtC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,mBAAmB,EACtD,kBAAkB,EAClB,GAAG,CACJ,CAAA;YACH,CAAC;YAED,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,IAAI,CAAA;YAElD,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,SAAS,CAAC,CAAA;YACpD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,SAAS,CAAC,2CAA2C,EAAE,cAAc,EAAE,GAAG,CAAC,CAAA;YACvF,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;YAC7D,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAA;YACpE,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YAErC,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;YAErF,MAAM,SAAS,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAA;YAEtC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;QACpC,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,KAAK;YACf,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,mBAAmB,EACtD,kBAAkB,EAClB,GAAG,CACJ,CAAA;YACH,CAAC;YAED,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,IAAI,CAAA;YAElD,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,SAAS,CAAC,CAAA;YAChD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,SAAS,CAAC,2BAA2B,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAA;YAC9E,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;YAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,SAAS,CAAC,2BAA2B,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAA;YAC9E,CAAC;YAED,IAAI,oBAAoB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;gBAChD,MAAM,IAAI,SAAS,CACjB,oDAAoD,EACpD,oBAAoB,EACpB,GAAG,CACJ,CAAA;YACH,CAAC;YAED,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YACrC,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;YAErF,MAAM,SAAS,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAA;YAEtC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;QACpC,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,KAAK;YACrB,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;YAChD,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAA;YAEzB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAC/C,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,OAAO,YAAY,CAAC,IAAI,CAAC,CAAA;QAC3B,CAAC;QAED,KAAK,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE;YACvE,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,MAAM,IAAI,SAAS,CACjB,0CAA0C,EAC1C,kBAAkB,EAClB,GAAG,CACJ,CAAA;YACH,CAAC;YACD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,SAAS,CAAC,kCAAkC,EAAE,sBAAsB,EAAE,GAAG,CAAC,CAAA;YACtF,CAAC;YACD,MAAM,uBAAuB,CAAC;gBAC5B,MAAM;gBACN,KAAK,EAAE,SAAS;gBAChB,EAAE;gBACF,aAAa,EAAE,KAAK,CAAC,QAAQ;gBAC7B,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,eAAe;aAChB,CAAC,CAAA;QACJ,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,KAAK;YACrB,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,mBAAmB,EACtD,kBAAkB,EAClB,GAAG,CACJ,CAAA;YACH,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,kBAAkB,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAA;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAA;gBACpE,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;YACpD,CAAC;QACH,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,KAAK;YACxB,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,gDAAgD;gBAChD,OAAM;YACR,CAAC;YAED,MAAM,MAAM,GAAG,oBAAoB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACpD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,mDAAmD;gBACnD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,KAAK;gBAAE,OAAM;YAElB,mDAAmD;YACnD,IAAI,CAAC;gBACH,MAAM,mBAAmB,CAAC;oBACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,EAAE;oBACF,aAAa,EAAE,KAAK,CAAC,QAAQ;oBAC7B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,iBAAiB,EAAE,kCAAkC;iBACjF,CAAC,CAAA;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,iCAAiC;YACnC,CAAC;QACH,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,iBAAiB,CAAC,CAAA;YACrD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACtC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,mBAAmB,EACtD,kBAAkB,EAClB,GAAG,CACJ,CAAA;YACH,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,oBAAoB,CAAC;oBACzB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;oBACjC,EAAE;oBACF,UAAU;iBACX,CAAC,CAAA;gBACF,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAA;gBAC3E,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,CAAA;oBACtD,IAAI,IAAI,EAAE,CAAC;wBACT,MAAM,SAAS,CAAC,eAAe,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;oBACvD,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAA;gBACpE,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;YACpD,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/features/emailVerification.d.ts

@@ -0,0 +1,25 @@
+import type { DatabaseAdapter } from '../adapters/database.interface.js';
+import type { EmailAdapter } from '../adapters/email.interface.js';
+/**
+ * Create an email verification token and send the verification email.
+ *
+ * @returns The raw token (not the hash). Store only the hash in DB.
+ */
+export declare function createEmailVerification(params: {
+    userId: string;
+    email: string;
+    db: DatabaseAdapter;
+    emailProvider: EmailAdapter;
+    from: string;
+    verificationUrl: string;
+}): Promise<string>;
+/**
+ * Verify an email address using the raw token from the user's email link.
+ *
+ * @throws Error if the token is invalid or expired
+ */
+export declare function verifyEmail(params: {
+    rawToken: string;
+    db: DatabaseAdapter;
+}): Promise<void>;
+//# sourceMappingURL=emailVerification.d.ts.map

package/dist/features/emailVerification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailVerification.d.ts","sourceRoot":"","sources":["../../src/features/emailVerification.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACxE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAMlE;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE;IACpD,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,EAAE,EAAE,eAAe,CAAA;IACnB,aAAa,EAAE,YAAY,CAAA;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,eAAe,EAAE,MAAM,CAAA;CACxB,GAAG,OAAO,CAAC,MAAM,CAAC,CA8BlB;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE;IACxC,QAAQ,EAAE,MAAM,CAAA;IAChB,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBhB"}

package/dist/features/emailVerification.js

@@ -0,0 +1,52 @@
+import { generateOpaqueToken, hashToken } from '../utils/token.js';
+const EMAIL_VERIFICATION_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+/**
+ * Create an email verification token and send the verification email.
+ *
+ * @returns The raw token (not the hash). Store only the hash in DB.
+ */
+export async function createEmailVerification(params) {
+    const { userId, email, db, emailProvider, from, verificationUrl } = params;
+    const rawToken = generateOpaqueToken();
+    const hashedToken = hashToken(rawToken);
+    await db.createToken({
+        userId,
+        type: 'EMAIL_VERIFICATION',
+        token: hashedToken,
+        expiresAt: new Date(Date.now() + EMAIL_VERIFICATION_TTL_MS),
+    });
+    const link = `${verificationUrl}?token=${rawToken}`;
+    await emailProvider.send({
+        from,
+        to: email,
+        subject: 'Verify your email address',
+        html: `
+      <p>Hello,</p>
+      <p>Please verify your email address by clicking the link below:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in 24 hours.</p>
+      <p>If you did not create an account, you can ignore this email.</p>
+    `,
+        text: `Please verify your email by visiting: ${link}\n\nThis link expires in 24 hours.`,
+    });
+    return rawToken;
+}
+/**
+ * Verify an email address using the raw token from the user's email link.
+ *
+ * @throws Error if the token is invalid or expired
+ */
+export async function verifyEmail(params) {
+    const { rawToken, db } = params;
+    const tokenRecord = await db.findToken(rawToken, 'EMAIL_VERIFICATION');
+    if (!tokenRecord) {
+        throw new Error('Invalid or expired verification token');
+    }
+    if (tokenRecord.expiresAt < new Date()) {
+        await db.deleteToken(tokenRecord.id);
+        throw new Error('Invalid or expired verification token');
+    }
+    await db.updateUser(tokenRecord.userId, { emailVerified: true });
+    await db.deleteToken(tokenRecord.id);
+}
+//# sourceMappingURL=emailVerification.js.map

package/dist/features/emailVerification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailVerification.js","sourceRoot":"","sources":["../../src/features/emailVerification.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAElE,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,WAAW;AAEjE;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,MAO7C;IACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,MAAM,CAAA;IAE1E,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAA;IACtC,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAEvC,MAAM,EAAE,CAAC,WAAW,CAAC;QACnB,MAAM;QACN,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,WAAW;QAClB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,yBAAyB,CAAC;KAC5D,CAAC,CAAA;IAEF,MAAM,IAAI,GAAG,GAAG,eAAe,UAAU,QAAQ,EAAE,CAAA;IAEnD,MAAM,aAAa,CAAC,IAAI,CAAC;QACvB,IAAI;QACJ,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE;;;oBAGU,IAAI,KAAK,IAAI;;;KAG5B;QACD,IAAI,EAAE,yCAAyC,IAAI,oCAAoC;KACxF,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAGjC;IACC,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IAE/B,MAAM,WAAW,GAAiB,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAA;IAEpF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IAED,IAAI,WAAW,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACvC,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QACpC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IAED,MAAM,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;IAChE,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;AACtC,CAAC"}

package/dist/features/passwordReset.d.ts

@@ -0,0 +1,26 @@
+import type { DatabaseAdapter } from '../adapters/database.interface.js';
+import type { EmailAdapter } from '../adapters/email.interface.js';
+/**
+ * Initiate a password reset flow.
+ * Always returns successfully even if the email is not found — prevents email enumeration.
+ * Callers should catch and swallow errors from the email send step if needed.
+ */
+export declare function createPasswordReset(params: {
+    email: string;
+    db: DatabaseAdapter;
+    emailProvider: EmailAdapter;
+    from: string;
+    resetUrl: string;
+}): Promise<void>;
+/**
+ * Complete a password reset using the raw token from the reset email.
+ *
+ * @throws Error if the token is invalid or expired
+ */
+export declare function resetPassword(params: {
+    rawToken: string;
+    newPassword: string;
+    db: DatabaseAdapter;
+    saltRounds?: number;
+}): Promise<void>;
+//# sourceMappingURL=passwordReset.d.ts.map

package/dist/features/passwordReset.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwordReset.d.ts","sourceRoot":"","sources":["../../src/features/passwordReset.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACxE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAOlE;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,MAAM,EAAE;IAChD,KAAK,EAAE,MAAM,CAAA;IACb,EAAE,EAAE,eAAe,CAAA;IACnB,aAAa,EAAE,YAAY,CAAA;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;CACjB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgChB;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE;IAC1C,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,EAAE,EAAE,eAAe,CAAA;IACnB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBhB"}

package/dist/features/passwordReset.js

@@ -0,0 +1,57 @@
+import { generateOpaqueToken, hashToken } from '../utils/token.js';
+import { hashPassword } from '../utils/password.js';
+const PASSWORD_RESET_TTL_MS = 60 * 60 * 1000; // 1 hour
+/**
+ * Initiate a password reset flow.
+ * Always returns successfully even if the email is not found — prevents email enumeration.
+ * Callers should catch and swallow errors from the email send step if needed.
+ */
+export async function createPasswordReset(params) {
+    const { email, db, emailProvider, from, resetUrl } = params;
+    // Always returns 200 — do not reveal whether the email exists
+    const user = await db.findUserByEmail(email);
+    if (!user)
+        return;
+    const rawToken = generateOpaqueToken();
+    const hashedToken = hashToken(rawToken);
+    await db.createToken({
+        userId: user.id,
+        type: 'PASSWORD_RESET',
+        token: hashedToken,
+        expiresAt: new Date(Date.now() + PASSWORD_RESET_TTL_MS),
+    });
+    const link = `${resetUrl}?token=${rawToken}`;
+    await emailProvider.send({
+        from,
+        to: email,
+        subject: 'Reset your password',
+        html: `
+      <p>Hello,</p>
+      <p>We received a request to reset your password. Click the link below to proceed:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in 1 hour.</p>
+      <p>If you did not request a password reset, you can ignore this email.</p>
+    `,
+        text: `Reset your password by visiting: ${link}\n\nThis link expires in 1 hour.`,
+    });
+}
+/**
+ * Complete a password reset using the raw token from the reset email.
+ *
+ * @throws Error if the token is invalid or expired
+ */
+export async function resetPassword(params) {
+    const { rawToken, newPassword, db, saltRounds } = params;
+    const tokenRecord = await db.findToken(rawToken, 'PASSWORD_RESET');
+    if (!tokenRecord) {
+        throw new Error('Invalid or expired reset token');
+    }
+    if (tokenRecord.expiresAt < new Date()) {
+        await db.deleteToken(tokenRecord.id);
+        throw new Error('Invalid or expired reset token');
+    }
+    const passwordHash = await hashPassword(newPassword, saltRounds);
+    await db.updateUser(tokenRecord.userId, { passwordHash });
+    await db.deleteToken(tokenRecord.id);
+}
+//# sourceMappingURL=passwordReset.js.map

package/dist/features/passwordReset.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwordReset.js","sourceRoot":"","sources":["../../src/features/passwordReset.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAEnD,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,SAAS;AAEtD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAMzC;IACC,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAA;IAE3D,8DAA8D;IAC9D,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,KAAK,CAAC,CAAA;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAM;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAA;IACtC,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAEvC,MAAM,EAAE,CAAC,WAAW,CAAC;QACnB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,WAAW;QAClB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,qBAAqB,CAAC;KACxD,CAAC,CAAA;IAEF,MAAM,IAAI,GAAG,GAAG,QAAQ,UAAU,QAAQ,EAAE,CAAA;IAE5C,MAAM,aAAa,CAAC,IAAI,CAAC;QACvB,IAAI;QACJ,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE;;;oBAGU,IAAI,KAAK,IAAI;;;KAG5B;QACD,IAAI,EAAE,oCAAoC,IAAI,kCAAkC;KACjF,CAAC,CAAA;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAKnC;IACC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,MAAM,CAAA;IAExD,MAAM,WAAW,GAAiB,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAA;IAEhF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,WAAW,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACvC,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QACpC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;IAChE,MAAM,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,YAAY,EAAE,CAAC,CAAA;IACzD,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;AACtC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export type { User, Token, TokenType, CreateUserInput, CreateTokenInput, PublicUser, SessionConfig, EmailConfig, AuthCallbacks, AuthCoreConfig, } from './types.js';
+export type { DatabaseAdapter } from './adapters/database.interface.js';
+export type { EmailAdapter } from './adapters/email.interface.js';
+export { hashPassword, verifyPassword } from './utils/password.js';
+export { generateOpaqueToken, hashToken, safeCompareTokens, signJwt, verifyJwt, } from './utils/token.js';
+export type { JwtPayload } from './utils/token.js';
+export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, } from './utils/validation.js';
+export type { RegisterInput, LoginInput, ForgotPasswordInput, ResetPasswordInput, VerifyEmailInput, } from './utils/validation.js';
+export { createEmailVerification, verifyEmail } from './features/emailVerification.js';
+export { createPasswordReset, resetPassword } from './features/passwordReset.js';
+export { createAuth, AuthError } from './auth.js';
+export type { AuthCore } from './auth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,IAAI,EACJ,KAAK,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,aAAa,EACb,WAAW,EACX,aAAa,EACb,cAAc,GACf,MAAM,YAAY,CAAA;AAGnB,YAAY,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AACvE,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAA;AAGjE,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,kBAAkB,CAAA;AACzB,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,uBAAuB,CAAA;AAG9B,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAGhF,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACjD,YAAY,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA"}

package/dist/index.js

@@ -0,0 +1,10 @@
+// Utilities
+export { hashPassword, verifyPassword } from './utils/password.js';
+export { generateOpaqueToken, hashToken, safeCompareTokens, signJwt, verifyJwt, } from './utils/token.js';
+export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, } from './utils/validation.js';
+// Features
+export { createEmailVerification, verifyEmail } from './features/emailVerification.js';
+export { createPasswordReset, resetPassword } from './features/passwordReset.js';
+// Auth factory
+export { createAuth, AuthError } from './auth.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAkBA,YAAY;AACZ,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,kBAAkB,CAAA;AAEzB,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAS9B,WAAW;AACX,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAEhF,eAAe;AACf,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA"}

package/dist/types.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Core domain types for AuthCore.
+ * These are the canonical shapes that adapters must produce/consume.
+ */
+export type TokenType = 'EMAIL_VERIFICATION' | 'PASSWORD_RESET' | 'SESSION';
+/** A user record as stored in the database. */
+export interface User {
+    id: string;
+    email: string;
+    passwordHash: string;
+    emailVerified: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/** A token record as stored in the database. The `token` field is the hashed value. */
+export interface Token {
+    id: string;
+    userId: string;
+    type: TokenType;
+    /** SHA-256 hash of the raw token. Never the raw token itself. */
+    token: string;
+    expiresAt: Date;
+    createdAt: Date;
+}
+/** Input shape for creating a new user. */
+export interface CreateUserInput {
+    email: string;
+    passwordHash: string;
+}
+/** Input shape for creating a new token. */
+export interface CreateTokenInput {
+    userId: string;
+    type: TokenType;
+    /** SHA-256 hash of the raw token. */
+    token: string;
+    expiresAt: Date;
+}
+/** Safe user shape returned to callers (no passwordHash). */
+export type PublicUser = Omit<User, 'passwordHash'>;
+/** Configuration for the AuthCore session/JWT strategy. */
+export interface SessionConfig {
+    strategy: 'jwt';
+    secret: string;
+    expiresIn?: string;
+}
+/** Configuration for email features. */
+export interface EmailConfig {
+    provider: import('./adapters/email.interface.js').EmailAdapter;
+    from: string;
+}
+/** Optional lifecycle callbacks. */
+export interface AuthCallbacks {
+    onSignUp?: (user: PublicUser) => void | Promise<void>;
+    onSignIn?: (user: PublicUser) => void | Promise<void>;
+    onSignOut?: (userId: string) => void | Promise<void>;
+    onPasswordReset?: (user: PublicUser) => void | Promise<void>;
+}
+/** Top-level AuthCore configuration object. */
+export interface AuthCoreConfig {
+    db: import('./adapters/database.interface.js').DatabaseAdapter;
+    session: SessionConfig;
+    email?: EmailConfig;
+    features?: Array<'emailVerification' | 'passwordReset'>;
+    mode?: 'api' | 'monorepo' | 'auto';
+    password?: {
+        minLength?: number;
+        saltRounds?: number;
+    };
+    callbacks?: AuthCallbacks;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,SAAS,CAAA;AAE3E,+CAA+C;AAC/C,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,uFAAuF;AACvF,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,SAAS,CAAA;IACf,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,2CAA2C;AAC3C,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,4CAA4C;AAC5C,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,SAAS,CAAA;IACf,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,6DAA6D;AAC7D,MAAM,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;AAEnD,2DAA2D;AAC3D,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,KAAK,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,OAAO,+BAA+B,EAAE,YAAY,CAAA;IAC9D,IAAI,EAAE,MAAM,CAAA;CACb;AAED,oCAAoC;AACpC,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrD,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrD,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACpD,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7D;AAED,+CAA+C;AAC/C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,kCAAkC,EAAE,eAAe,CAAA;IAC9D,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,CAAC,EAAE,WAAW,CAAA;IACnB,QAAQ,CAAC,EAAE,KAAK,CAAC,mBAAmB,GAAG,eAAe,CAAC,CAAA;IACvD,IAAI,CAAC,EAAE,KAAK,GAAG,UAAU,GAAG,MAAM,CAAA;IAClC,QAAQ,CAAC,EAAE;QACT,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;IACD,SAAS,CAAC,EAAE,aAAa,CAAA;CAC1B"}

package/dist/types.js

@@ -0,0 +1,6 @@
+/**
+ * Core domain types for AuthCore.
+ * These are the canonical shapes that adapters must produce/consume.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/utils/password.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Hash a plain-text password using bcrypt.
+ *
+ * @param password - Plain-text password. Never stored or logged.
+ * @param saltRounds - bcrypt cost factor (default: 12, minimum: 12)
+ * @returns bcrypt hash string
+ */
+export declare function hashPassword(password: string, saltRounds?: number): Promise<string>;
+/**
+ * Verify a plain-text password against a bcrypt hash.
+ * Uses bcrypt's internal timing-safe comparison.
+ *
+ * @param password - Plain-text candidate password
+ * @param hash - bcrypt hash from the database
+ * @returns true if the password matches the hash
+ */
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/utils/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/utils/password.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,UAAU,GAAE,MAA4B,GACvC,OAAO,CAAC,MAAM,CAAC,CAGjB;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAErF"}

package/dist/utils/password.js

@@ -0,0 +1,25 @@
+import bcrypt from 'bcrypt';
+const DEFAULT_SALT_ROUNDS = 12;
+/**
+ * Hash a plain-text password using bcrypt.
+ *
+ * @param password - Plain-text password. Never stored or logged.
+ * @param saltRounds - bcrypt cost factor (default: 12, minimum: 12)
+ * @returns bcrypt hash string
+ */
+export async function hashPassword(password, saltRounds = DEFAULT_SALT_ROUNDS) {
+    const rounds = Math.max(saltRounds, DEFAULT_SALT_ROUNDS);
+    return bcrypt.hash(password, rounds);
+}
+/**
+ * Verify a plain-text password against a bcrypt hash.
+ * Uses bcrypt's internal timing-safe comparison.
+ *
+ * @param password - Plain-text candidate password
+ * @param hash - bcrypt hash from the database
+ * @returns true if the password matches the hash
+ */
+export async function verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+}
+//# sourceMappingURL=password.js.map

package/dist/utils/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/utils/password.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAA;AAE3B,MAAM,mBAAmB,GAAG,EAAE,CAAA;AAE9B;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,aAAqB,mBAAmB;IAExC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAA;IACxD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAY;IACjE,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;AACvC,CAAC"}

package/dist/utils/token.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Generate a cryptographically random opaque token.
+ * Returns a 64-character hex string (256 bits of entropy).
+ */
+export declare function generateOpaqueToken(): string;
+/**
+ * Hash a raw token using SHA-256 for safe database storage.
+ * Store the hash; return the raw token to the user.
+ *
+ * @param rawToken - The raw token to hash
+ * @returns SHA-256 hex digest
+ */
+export declare function hashToken(rawToken: string): string;
+/**
+ * Timing-safe comparison of two token strings.
+ * Prevents timing attacks when comparing tokens.
+ *
+ * @returns true if the strings are equal
+ */
+export declare function safeCompareTokens(a: string, b: string): boolean;
+export interface JwtPayload {
+    sub: string;
+    email: string;
+    iat?: number;
+    exp?: number;
+}
+/**
+ * Sign a JWT access token.
+ *
+ * @param payload - Data to encode in the token
+ * @param secret - Signing secret
+ * @param expiresIn - Expiry duration (e.g. '7d', '1h')
+ * @returns Signed JWT string
+ */
+export declare function signJwt(payload: Omit<JwtPayload, 'iat' | 'exp'>, secret: string, expiresIn?: string): string;
+/**
+ * Verify and decode a JWT.
+ *
+ * @param token - JWT string to verify
+ * @param secret - Signing secret
+ * @returns Decoded payload, or null if invalid/expired
+ */
+export declare function verifyJwt(token: string, secret: string): JwtPayload | null;
+//# sourceMappingURL=token.d.ts.map

package/dist/utils/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAK/D;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EACxC,MAAM,EAAE,MAAM,EACd,SAAS,SAAO,GACf,MAAM,CAIR;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAQ1E"}

package/dist/utils/token.js

@@ -0,0 +1,64 @@
+import { randomBytes, createHash, timingSafeEqual } from 'node:crypto';
+import jwt from 'jsonwebtoken';
+/**
+ * Generate a cryptographically random opaque token.
+ * Returns a 64-character hex string (256 bits of entropy).
+ */
+export function generateOpaqueToken() {
+    return randomBytes(32).toString('hex');
+}
+/**
+ * Hash a raw token using SHA-256 for safe database storage.
+ * Store the hash; return the raw token to the user.
+ *
+ * @param rawToken - The raw token to hash
+ * @returns SHA-256 hex digest
+ */
+export function hashToken(rawToken) {
+    return createHash('sha256').update(rawToken).digest('hex');
+}
+/**
+ * Timing-safe comparison of two token strings.
+ * Prevents timing attacks when comparing tokens.
+ *
+ * @returns true if the strings are equal
+ */
+export function safeCompareTokens(a, b) {
+    if (a.length !== b.length)
+        return false;
+    const bufA = Buffer.from(a, 'utf8');
+    const bufB = Buffer.from(b, 'utf8');
+    return timingSafeEqual(bufA, bufB);
+}
+/**
+ * Sign a JWT access token.
+ *
+ * @param payload - Data to encode in the token
+ * @param secret - Signing secret
+ * @param expiresIn - Expiry duration (e.g. '7d', '1h')
+ * @returns Signed JWT string
+ */
+export function signJwt(payload, secret, expiresIn = '7d') {
+    // Cast options to avoid exactOptionalPropertyTypes conflict with the jwt overloads
+    const options = { algorithm: 'HS256', expiresIn };
+    return jwt.sign(payload, secret, options);
+}
+/**
+ * Verify and decode a JWT.
+ *
+ * @param token - JWT string to verify
+ * @param secret - Signing secret
+ * @returns Decoded payload, or null if invalid/expired
+ */
+export function verifyJwt(token, secret) {
+    try {
+        const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+        if (typeof decoded === 'string')
+            return null;
+        return decoded;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=token.js.map

package/dist/utils/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AACtE,OAAO,GAAG,MAAM,cAAc,CAAA;AAE9B;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAC5D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;AACpC,CAAC;AASD;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CACrB,OAAwC,EACxC,MAAc,EACd,SAAS,GAAG,IAAI;IAEhB,mFAAmF;IACnF,MAAM,OAAO,GAAG,EAAE,SAAS,EAAE,OAAgB,EAAE,SAAS,EAAE,CAAA;IAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAA0B,CAAC,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACpE,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC5C,OAAO,OAAqB,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/utils/validation.d.ts

@@ -0,0 +1,56 @@
+import { z } from 'zod';
+/** Schema for POST /register */
+export declare const registerSchema: (minPasswordLength?: number) => z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+    password: string;
+}, {
+    email: string;
+    password: string;
+}>;
+/** Schema for POST /login */
+export declare const loginSchema: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+    password: string;
+}, {
+    email: string;
+    password: string;
+}>;
+/** Schema for POST /forgot-password */
+export declare const forgotPasswordSchema: z.ZodObject<{
+    email: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+}, {
+    email: string;
+}>;
+/** Schema for POST /reset-password */
+export declare const resetPasswordSchema: (minPasswordLength?: number) => z.ZodObject<{
+    token: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    password: string;
+    token: string;
+}, {
+    password: string;
+    token: string;
+}>;
+/** Schema for POST /verify-email */
+export declare const verifyEmailSchema: z.ZodObject<{
+    token: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+}, {
+    token: string;
+}>;
+export type RegisterInput = z.infer<ReturnType<typeof registerSchema>>;
+export type LoginInput = z.infer<typeof loginSchema>;
+export type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;
+export type ResetPasswordInput = z.infer<ReturnType<typeof resetPasswordSchema>>;
+export type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;
+//# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAUvB,gCAAgC;AAChC,eAAO,MAAM,cAAc,GAAI,0BAAqB;;;;;;;;;EAIhD,CAAA;AAEJ,6BAA6B;AAC7B,eAAO,MAAM,WAAW;;;;;;;;;EAGtB,CAAA;AAEF,uCAAuC;AACvC,eAAO,MAAM,oBAAoB;;;;;;EAE/B,CAAA;AAEF,sCAAsC;AACtC,eAAO,MAAM,mBAAmB,GAAI,0BAAqB;;;;;;;;;EAIrD,CAAA;AAEJ,oCAAoC;AACpC,eAAO,MAAM,iBAAiB;;;;;;EAE5B,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAA;AACtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AACpD,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AACtE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC,CAAA;AAChF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}

package/dist/utils/validation.js

@@ -0,0 +1,30 @@
+import { z } from 'zod';
+const emailSchema = z.string().email('Invalid email address');
+const passwordSchema = (minLength) => z
+    .string()
+    .min(minLength, `Password must be at least ${minLength} characters`)
+    .max(72, 'Password must be at most 72 characters'); // bcrypt max
+/** Schema for POST /register */
+export const registerSchema = (minPasswordLength = 8) => z.object({
+    email: emailSchema,
+    password: passwordSchema(minPasswordLength),
+});
+/** Schema for POST /login */
+export const loginSchema = z.object({
+    email: emailSchema,
+    password: z.string().min(1, 'Password is required'),
+});
+/** Schema for POST /forgot-password */
+export const forgotPasswordSchema = z.object({
+    email: emailSchema,
+});
+/** Schema for POST /reset-password */
+export const resetPasswordSchema = (minPasswordLength = 8) => z.object({
+    token: z.string().min(1, 'Token is required'),
+    password: passwordSchema(minPasswordLength),
+});
+/** Schema for POST /verify-email */
+export const verifyEmailSchema = z.object({
+    token: z.string().min(1, 'Token is required'),
+});
+//# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;AAE7D,MAAM,cAAc,GAAG,CAAC,SAAiB,EAAE,EAAE,CAC3C,CAAC;KACE,MAAM,EAAE;KACR,GAAG,CAAC,SAAS,EAAE,6BAA6B,SAAS,aAAa,CAAC;KACnE,GAAG,CAAC,EAAE,EAAE,wCAAwC,CAAC,CAAA,CAAC,aAAa;AAEpE,gCAAgC;AAChC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CACtD,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,6BAA6B;AAC7B,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;CACpD,CAAC,CAAA;AAEF,uCAAuC;AACvC,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,WAAW;CACnB,CAAC,CAAA;AAEF,sCAAsC;AACtC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CAC3D,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;IAC7C,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,oCAAoC;AACpC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;CAC9C,CAAC,CAAA"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@authcore/core",
+  "version": "0.5.0",
+  "description": "Framework-agnostic authentication core for AuthCore",
+  "license": "MIT",
+  "author": "David Ouatedem",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/david-ouatedem/auth-core",
+    "directory": "packages/core"
+  },
+  "keywords": [
+    "auth",
+    "authentication",
+    "authcore",
+    "jwt",
+    "bcrypt"
+  ],
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "bcrypt": "^5.1.1",
+    "jsonwebtoken": "^9.0.2",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/bcrypt": "^5.0.2",
+    "@types/jsonwebtoken": "^9.0.6",
+    "@types/node": "^20.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.6.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  }
+}