@authcore/core 0.6.0 → 0.12.0

package/dist/features/templates.js

@@ -0,0 +1,67 @@
+/**
+ * Default email-template render functions. These match the inline content
+ * shipped before 0.10 byte-for-byte so apps that don't override anything see
+ * no behavior change.
+ *
+ * Consumers override individual templates via `EmailConfig.templates`:
+ *
+ * ```ts
+ * createAuth({
+ *   email: {
+ *     provider: resendAdapter(...),
+ *     from: 'auth@app.com',
+ *     templates: {
+ *       resetPassword: ({ link, email, ttlHours }) => ({
+ *         subject: 'Reset your password',
+ *         html: `<p>Hi ${email},</p><p><a href="${link}">Reset</a></p>`,
+ *         text: `Reset your password: ${link}`,
+ *       }),
+ *     },
+ *   },
+ * })
+ * ```
+ */
+export const defaultVerifyEmailTemplate = ({ link, ttlHours }) => ({
+    subject: 'Verify your email address',
+    html: `
+      <p>Hello,</p>
+      <p>Please verify your email address by clicking the link below:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in ${ttlHours} hours.</p>
+      <p>If you did not create an account, you can ignore this email.</p>
+    `,
+    text: `Please verify your email by visiting: ${link}\n\nThis link expires in ${ttlHours} hours.`,
+});
+export const defaultResetPasswordTemplate = ({ link, ttlHours }) => ({
+    subject: 'Reset your password',
+    html: `
+      <p>Hello,</p>
+      <p>We received a request to reset your password. Click the link below to proceed:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in ${ttlHours} hour${ttlHours === 1 ? '' : 's'}.</p>
+      <p>If you did not request a password reset, you can ignore this email.</p>
+    `,
+    text: `Reset your password by visiting: ${link}\n\nThis link expires in ${ttlHours} hour${ttlHours === 1 ? '' : 's'}.`,
+});
+export const defaultInvitationTemplate = ({ link, ttlHours }) => ({
+    subject: 'You have been invited',
+    html: `
+      <p>Hello,</p>
+      <p>You have been invited to create an account. Click the link below to set your password:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in ${ttlHours} hours.</p>
+    `,
+    text: `You have been invited. Set your password by visiting: ${link}\n\nThis link expires in ${ttlHours} hours.`,
+});
+export const defaultMagicLinkTemplate = ({ link, ttlMinutes }) => ({
+    subject: 'Sign in to your account',
+    html: `
+      <p>Hello,</p>
+      <p>Click the link below to sign in:</p>
+      <p><a href="${link}">${link}</a></p>
+      <p>This link expires in ${ttlMinutes} minutes and can only be used once.</p>
+      <p>If you did not request this email, you can safely ignore it.</p>
+    `,
+    text: `Sign in by visiting: ${link}\n\nThis link expires in ${ttlMinutes} minutes and can only be used once.\n\nIf you did not request this email, you can safely ignore it.`,
+});
+//# sourceMappingURL=templates.js.map

package/dist/features/templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"templates.js","sourceRoot":"","sources":["../../src/features/templates.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,MAAM,CAAC,MAAM,0BAA0B,GAIlC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,OAAO,EAAE,2BAA2B;IACpC,IAAI,EAAE;;;oBAGY,IAAI,KAAK,IAAI;gCACD,QAAQ;;KAEnC;IACH,IAAI,EAAE,yCAAyC,IAAI,4BAA4B,QAAQ,SAAS;CACjG,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAIpC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,OAAO,EAAE,qBAAqB;IAC9B,IAAI,EAAE;;;oBAGY,IAAI,KAAK,IAAI;gCACD,QAAQ,QAAQ,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG;;KAEpE;IACH,IAAI,EAAE,oCAAoC,IAAI,4BAA4B,QAAQ,QAAQ,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG;CACvH,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,yBAAyB,GAKjC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,OAAO,EAAE,uBAAuB;IAChC,IAAI,EAAE;;;oBAGY,IAAI,KAAK,IAAI;gCACD,QAAQ;KACnC;IACH,IAAI,EAAE,yDAAyD,IAAI,4BAA4B,QAAQ,SAAS;CACjH,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAIhC,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC,CAAC;IAC9B,OAAO,EAAE,yBAAyB;IAClC,IAAI,EAAE;;;oBAGY,IAAI,KAAK,IAAI;gCACD,UAAU;;KAErC;IACH,IAAI,EAAE,wBAAwB,IAAI,4BAA4B,UAAU,qGAAqG;CAC9K,CAAC,CAAA"}

package/dist/features/twoFactor.d.ts

@@ -0,0 +1,72 @@
+import type { DatabaseAdapter, User } from '@authcore/types';
+/**
+ * Begin 2FA enrollment for a user.
+ *
+ * Generates a fresh TOTP secret + a fresh set of recovery codes. The secret is
+ * stored on the user immediately so a `setup → enable` sequence on the same
+ * device works, but `twoFactorEnabled` stays `false` until `enableTwoFactor`
+ * verifies the first code from the authenticator app.
+ *
+ * Recovery codes are SHA-256 hashed before storage (same pattern as every
+ * other AuthCore token). The raw codes are returned ONCE — the caller MUST
+ * show them to the user, who copies them down.
+ */
+export declare function setupTwoFactor(params: {
+    userId: string;
+    email: string;
+    issuer: string;
+    db: DatabaseAdapter;
+}): Promise<{
+    secret: string;
+    otpauthUrl: string;
+    recoveryCodes: string[];
+}>;
+/**
+ * Enable 2FA for a user. Requires a valid TOTP code matching the secret stored
+ * during {@link setupTwoFactor}. Idempotent against the already-enabled state.
+ *
+ * @throws Error('TWO_FACTOR_NOT_SET_UP') if setup hasn't run.
+ * @throws Error('INVALID_TWO_FACTOR_CODE') if the code doesn't match.
+ */
+export declare function enableTwoFactor(params: {
+    userId: string;
+    code: string;
+    db: DatabaseAdapter;
+}): Promise<void>;
+/**
+ * Disable 2FA for a user. Clears the secret + all recovery codes + the enabled flag.
+ *
+ * Callers are responsible for additional confirmation (e.g. password re-entry) —
+ * this function trusts that the caller has already authorized the action.
+ */
+export declare function disableTwoFactor(params: {
+    userId: string;
+    db: DatabaseAdapter;
+}): Promise<void>;
+/**
+ * Verify a TOTP code as the second factor in a login challenge.
+ * Returns the user record on success.
+ *
+ * @throws Error('USER_NOT_FOUND') if no user with that id.
+ * @throws Error('TWO_FACTOR_NOT_ENABLED') if the user has not enrolled.
+ * @throws Error('INVALID_TWO_FACTOR_CODE') on mismatch.
+ */
+export declare function verifyTwoFactor(params: {
+    userId: string;
+    code: string;
+    db: DatabaseAdapter;
+}): Promise<User>;
+/**
+ * Use a single-use recovery code instead of a TOTP code. The matching token
+ * row is deleted before this function returns so a replay fails.
+ *
+ * @throws Error('USER_NOT_FOUND') if the user does not exist.
+ * @throws Error('TWO_FACTOR_NOT_ENABLED') if 2FA is not enrolled for the user.
+ * @throws Error('INVALID_RECOVERY_CODE') if the code is unknown.
+ */
+export declare function useRecoveryCode(params: {
+    userId: string;
+    rawCode: string;
+    db: DatabaseAdapter;
+}): Promise<User>;
+//# sourceMappingURL=twoFactor.d.ts.map

package/dist/features/twoFactor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"twoFactor.d.ts","sourceRoot":"","sources":["../../src/features/twoFactor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAS5D;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE;IAC3C,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CA0B3E;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWhB;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE;IAC7C,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAIhB;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWhB;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,EAAE,EAAE,eAAe,CAAA;CACpB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBhB"}

package/dist/features/twoFactor.js

@@ -0,0 +1,119 @@
+import { generateTotpSecret, verifyTotpCode, buildOtpauthUrl, generateRecoveryCodes, } from '../utils/totp.js';
+import { hashToken } from '../utils/token.js';
+/**
+ * Begin 2FA enrollment for a user.
+ *
+ * Generates a fresh TOTP secret + a fresh set of recovery codes. The secret is
+ * stored on the user immediately so a `setup → enable` sequence on the same
+ * device works, but `twoFactorEnabled` stays `false` until `enableTwoFactor`
+ * verifies the first code from the authenticator app.
+ *
+ * Recovery codes are SHA-256 hashed before storage (same pattern as every
+ * other AuthCore token). The raw codes are returned ONCE — the caller MUST
+ * show them to the user, who copies them down.
+ */
+export async function setupTwoFactor(params) {
+    const { userId, email, issuer, db } = params;
+    const secret = generateTotpSecret();
+    const recoveryCodes = generateRecoveryCodes(10);
+    // Persist the secret on the user (still disabled). If the user re-runs setup,
+    // this overwrites the previous secret — they need to re-scan their authenticator.
+    await db.updateUser(userId, { twoFactorSecret: secret });
+    // Wipe any prior recovery codes (idempotent re-enrollment).
+    await db.deleteTokensByUserAndType(userId, 'RECOVERY_CODE');
+    // Persist hashed recovery codes — no expiry, single-use.
+    const farFuture = new Date(Date.now() + 100 * 365 * 24 * 60 * 60 * 1000);
+    for (const raw of recoveryCodes) {
+        await db.createToken({
+            userId,
+            type: 'RECOVERY_CODE',
+            token: hashToken(raw),
+            expiresAt: farFuture,
+        });
+    }
+    const otpauthUrl = buildOtpauthUrl({ secret, accountName: email, issuer });
+    return { secret, otpauthUrl, recoveryCodes };
+}
+/**
+ * Enable 2FA for a user. Requires a valid TOTP code matching the secret stored
+ * during {@link setupTwoFactor}. Idempotent against the already-enabled state.
+ *
+ * @throws Error('TWO_FACTOR_NOT_SET_UP') if setup hasn't run.
+ * @throws Error('INVALID_TWO_FACTOR_CODE') if the code doesn't match.
+ */
+export async function enableTwoFactor(params) {
+    const { userId, code, db } = params;
+    const user = await db.findUserById(userId);
+    if (!user)
+        throw new Error('USER_NOT_FOUND');
+    if (!user.twoFactorSecret)
+        throw new Error('TWO_FACTOR_NOT_SET_UP');
+    if (!verifyTotpCode(user.twoFactorSecret, code)) {
+        throw new Error('INVALID_TWO_FACTOR_CODE');
+    }
+    await db.updateUser(userId, { twoFactorEnabled: true });
+}
+/**
+ * Disable 2FA for a user. Clears the secret + all recovery codes + the enabled flag.
+ *
+ * Callers are responsible for additional confirmation (e.g. password re-entry) —
+ * this function trusts that the caller has already authorized the action.
+ */
+export async function disableTwoFactor(params) {
+    const { userId, db } = params;
+    await db.updateUser(userId, { twoFactorEnabled: false, twoFactorSecret: null });
+    await db.deleteTokensByUserAndType(userId, 'RECOVERY_CODE');
+}
+/**
+ * Verify a TOTP code as the second factor in a login challenge.
+ * Returns the user record on success.
+ *
+ * @throws Error('USER_NOT_FOUND') if no user with that id.
+ * @throws Error('TWO_FACTOR_NOT_ENABLED') if the user has not enrolled.
+ * @throws Error('INVALID_TWO_FACTOR_CODE') on mismatch.
+ */
+export async function verifyTwoFactor(params) {
+    const { userId, code, db } = params;
+    const user = await db.findUserById(userId);
+    if (!user)
+        throw new Error('USER_NOT_FOUND');
+    if (!user.twoFactorEnabled || !user.twoFactorSecret) {
+        throw new Error('TWO_FACTOR_NOT_ENABLED');
+    }
+    if (!verifyTotpCode(user.twoFactorSecret, code)) {
+        throw new Error('INVALID_TWO_FACTOR_CODE');
+    }
+    return user;
+}
+/**
+ * Use a single-use recovery code instead of a TOTP code. The matching token
+ * row is deleted before this function returns so a replay fails.
+ *
+ * @throws Error('USER_NOT_FOUND') if the user does not exist.
+ * @throws Error('TWO_FACTOR_NOT_ENABLED') if 2FA is not enrolled for the user.
+ * @throws Error('INVALID_RECOVERY_CODE') if the code is unknown.
+ */
+export async function useRecoveryCode(params) {
+    const { userId, rawCode, db } = params;
+    const user = await db.findUserById(userId);
+    if (!user)
+        throw new Error('USER_NOT_FOUND');
+    if (!user.twoFactorEnabled)
+        throw new Error('TWO_FACTOR_NOT_ENABLED');
+    const tokenRecord = await db.findToken(rawCode, 'RECOVERY_CODE');
+    // The token must (1) exist, (2) belong to this user, (3) be non-expired.
+    // Recovery codes are stored with a far-future expiry so the second check is
+    // belt-and-suspenders — but verifying user ownership prevents an attacker
+    // who knows one user's recovery code from authenticating as someone else.
+    if (!tokenRecord || tokenRecord.userId !== userId) {
+        throw new Error('INVALID_RECOVERY_CODE');
+    }
+    if (tokenRecord.expiresAt < new Date()) {
+        await db.deleteToken(tokenRecord.id);
+        throw new Error('INVALID_RECOVERY_CODE');
+    }
+    // Single-use: delete first so a concurrent replay fails.
+    await db.deleteToken(tokenRecord.id);
+    return user;
+}
+//# sourceMappingURL=twoFactor.js.map

package/dist/features/twoFactor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"twoFactor.js","sourceRoot":"","sources":["../../src/features/twoFactor.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,eAAe,EACf,qBAAqB,GACtB,MAAM,kBAAkB,CAAA;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAE7C;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAKpC;IACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IAE5C,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,qBAAqB,CAAC,EAAE,CAAC,CAAA;IAE/C,8EAA8E;IAC9E,kFAAkF;IAClF,MAAM,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,CAAA;IAExD,4DAA4D;IAC5D,MAAM,EAAE,CAAC,yBAAyB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAE3D,yDAAyD;IACzD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACxE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,MAAM,EAAE,CAAC,WAAW,CAAC;YACnB,MAAM;YACN,IAAI,EAAE,eAAe;YACrB,KAAK,EAAE,SAAS,CAAC,GAAG,CAAC;YACrB,SAAS,EAAE,SAAS;SACrB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAA;IAC1E,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,CAAA;AAC9C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAIrC;IACC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IACnC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IAC1C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAC5C,IAAI,CAAC,IAAI,CAAC,eAAe;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAEnE,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;IAC5C,CAAC;IAED,MAAM,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAA;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAGtC;IACC,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IAC7B,MAAM,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAA;IAC/E,MAAM,EAAE,CAAC,yBAAyB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAIrC;IACC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IACnC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IAC1C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAC5C,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAC3C,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;IAC5C,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAIrC;IACC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,MAAM,CAAA;IACtC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IAC1C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAC5C,IAAI,CAAC,IAAI,CAAC,gBAAgB;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAErE,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;IAChE,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,0EAA0E;IAC1E,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;IACD,IAAI,WAAW,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACvC,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QACpC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;IACD,yDAAyD;IACzD,MAAM,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;IACpC,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/index.d.ts

@@ -1,14 +1,28 @@
-export type { User, Token, TokenType, CreateUserInput, CreateTokenInput, PublicUser, SessionConfig, EmailConfig, AuthCallbacks, AuthCoreConfig, } from './types.js';
-export type { DatabaseAdapter } from './adapters/database.interface.js';
-export type { EmailAdapter } from './adapters/email.interface.js';
 export { hashPassword, verifyPassword } from './utils/password.js';
-export { generateOpaqueToken, hashToken, safeCompareTokens, signJwt, verifyJwt, } from './utils/token.js';
-export type { JwtPayload } from './utils/token.js';
-export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, inviteSchema, acceptInvitationSchema, } from './utils/validation.js';
-export type { RegisterInput, LoginInput, ForgotPasswordInput, ResetPasswordInput, VerifyEmailInput, InviteInput, AcceptInvitationInput, } from './utils/validation.js';
+export { generateOpaqueToken, generateCsrfToken, generatePkceVerifier, pkceChallenge, hashToken, safeCompareTokens, signJwt, verifyJwt, signTwoFactorChallenge, verifyTwoFactorChallenge, } from './utils/token.js';
+export type { JwtPayload, TwoFactorChallengePayload } from './utils/token.js';
+export { base32Encode, base32Decode, generateTotpSecret, generateTotpCode, verifyTotpCode, buildOtpauthUrl, generateRecoveryCodes, } from './utils/totp.js';
+export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, inviteSchema, acceptInvitationSchema, sendMagicLinkSchema, consumeMagicLinkSchema, } from './utils/validation.js';
+export type { RegisterInput, LoginInput, ForgotPasswordInput, ResetPasswordInput, VerifyEmailInput, InviteInput, AcceptInvitationInput, SendMagicLinkInput, ConsumeMagicLinkInput, } from './utils/validation.js';
 export { createEmailVerification, verifyEmail } from './features/emailVerification.js';
 export { createPasswordReset, resetPassword } from './features/passwordReset.js';
 export { createInvitation, acceptInvitation } from './features/invitation.js';
+export { issueRefreshToken, rotateRefreshToken, revokeRefreshToken, revokeAllRefreshTokensForUser, } from './features/refresh.js';
+export { defaultVerifyEmailTemplate, defaultResetPasswordTemplate, defaultInvitationTemplate, defaultMagicLinkTemplate, } from './features/templates.js';
+export { sendMagicLink, consumeMagicLink, MAGIC_LINK_NO_PASSWORD_SENTINEL, } from './features/magicLink.js';
+export { setupTwoFactor, enableTwoFactor, disableTwoFactor, verifyTwoFactor, useRecoveryCode, } from './features/twoFactor.js';
+export { startOAuth, completeOAuth } from './features/oauth.js';
+export { createGoogleProvider } from './oauth/google.js';
+export type { GoogleProviderConfig } from './oauth/google.js';
+export { createGithubProvider } from './oauth/github.js';
+export type { GithubProviderConfig } from './oauth/github.js';
+export { createMicrosoftProvider } from './oauth/microsoft.js';
+export type { MicrosoftProviderConfig } from './oauth/microsoft.js';
+export { createDiscordProvider } from './oauth/discord.js';
+export type { DiscordProviderConfig } from './oauth/discord.js';
+export { createAppleProvider, generateAppleClientSecret } from './oauth/apple.js';
+export type { AppleProviderConfig } from './oauth/apple.js';
 export { createAuth, AuthError } from './auth.js';
-export type { AuthCore } from './auth.js';
+export type { AuthCore, SessionResult, TwoFactorChallengeResult, LoginResult, } from './auth.js';
+export * from '@authcore/types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,IAAI,EACJ,KAAK,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,aAAa,EACb,WAAW,EACX,aAAa,EACb,cAAc,GACf,MAAM,YAAY,CAAA;AAGnB,YAAY,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AACvE,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAA;AAGjE,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,kBAAkB,CAAA;AACzB,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,sBAAsB,GACvB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,WAAW,EACX,qBAAqB,GACtB,MAAM,uBAAuB,CAAA;AAG9B,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAG7E,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACjD,YAAY,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,EACT,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,kBAAkB,CAAA;AACzB,YAAY,EAAE,UAAU,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAA;AAC7E,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,qBAAqB,GACtB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,WAAW,EACX,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,uBAAuB,CAAA;AAG9B,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC7E,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,yBAAyB,EACzB,wBAAwB,GACzB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,+BAA+B,GAChC,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAC7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AAC9D,YAAY,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA;AAC1D,YAAY,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA;AAC/D,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAA;AACjF,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAA;AAG3D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACjD,YAAY,EACV,QAAQ,EACR,aAAa,EACb,wBAAwB,EACxB,WAAW,GACZ,MAAM,WAAW,CAAA;AAElB,cAAc,iBAAiB,CAAA"}

package/dist/index.js

@@ -1,11 +1,23 @@
 // Utilities
 export { hashPassword, verifyPassword } from './utils/password.js';
-export { generateOpaqueToken, hashToken, safeCompareTokens, signJwt, verifyJwt, } from './utils/token.js';
-export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, inviteSchema, acceptInvitationSchema, } from './utils/validation.js';
+export { generateOpaqueToken, generateCsrfToken, generatePkceVerifier, pkceChallenge, hashToken, safeCompareTokens, signJwt, verifyJwt, signTwoFactorChallenge, verifyTwoFactorChallenge, } from './utils/token.js';
+export { base32Encode, base32Decode, generateTotpSecret, generateTotpCode, verifyTotpCode, buildOtpauthUrl, generateRecoveryCodes, } from './utils/totp.js';
+export { registerSchema, loginSchema, forgotPasswordSchema, resetPasswordSchema, verifyEmailSchema, inviteSchema, acceptInvitationSchema, sendMagicLinkSchema, consumeMagicLinkSchema, } from './utils/validation.js';
 // Features
 export { createEmailVerification, verifyEmail } from './features/emailVerification.js';
 export { createPasswordReset, resetPassword } from './features/passwordReset.js';
 export { createInvitation, acceptInvitation } from './features/invitation.js';
+export { issueRefreshToken, rotateRefreshToken, revokeRefreshToken, revokeAllRefreshTokensForUser, } from './features/refresh.js';
+export { defaultVerifyEmailTemplate, defaultResetPasswordTemplate, defaultInvitationTemplate, defaultMagicLinkTemplate, } from './features/templates.js';
+export { sendMagicLink, consumeMagicLink, MAGIC_LINK_NO_PASSWORD_SENTINEL, } from './features/magicLink.js';
+export { setupTwoFactor, enableTwoFactor, disableTwoFactor, verifyTwoFactor, useRecoveryCode, } from './features/twoFactor.js';
+export { startOAuth, completeOAuth } from './features/oauth.js';
+export { createGoogleProvider } from './oauth/google.js';
+export { createGithubProvider } from './oauth/github.js';
+export { createMicrosoftProvider } from './oauth/microsoft.js';
+export { createDiscordProvider } from './oauth/discord.js';
+export { createAppleProvider, generateAppleClientSecret } from './oauth/apple.js';
 // Auth factory
 export { createAuth, AuthError } from './auth.js';
+export * from '@authcore/types';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAkBA,YAAY;AACZ,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,kBAAkB,CAAA;AAEzB,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,sBAAsB,GACvB,MAAM,uBAAuB,CAAA;AAW9B,WAAW;AACX,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAE7E,eAAe;AACf,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY;AACZ,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,iBAAiB,EACjB,OAAO,EACP,SAAS,EACT,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,kBAAkB,CAAA;AAEzB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,qBAAqB,GACtB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,uBAAuB,CAAA;AAa9B,WAAW;AACX,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAA;AACtF,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC7E,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,yBAAyB,EACzB,wBAAwB,GACzB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,+BAA+B,GAChC,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAExD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAExD,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AAE9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA;AAE1D,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAA;AAGjF,eAAe;AACf,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AAQjD,cAAc,iBAAiB,CAAA"}

package/dist/oauth/apple.d.ts

@@ -0,0 +1,80 @@
+import type { OAuthProvider } from '@authcore/types';
+export interface AppleProviderConfig {
+    /**
+     * Apple Services ID (the OAuth client id), e.g. `com.example.myapp.service`.
+     * NOT the iOS app's Bundle ID — Sign in with Apple uses a separate Services ID
+     * registered in Apple Developer → Identifiers.
+     */
+    clientId: string;
+    /** Apple Developer Team ID (10-char string, e.g. `ABC1234DEF`). */
+    teamId: string;
+    /** Sign in with Apple Key ID (10-char string from the .p8 download). */
+    keyId: string;
+    /**
+     * The .p8 private key downloaded from Apple Developer → Keys. Pass the full
+     * PEM string including `-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----`.
+     * Apple delivers the key once at creation time; store it as a secret env var.
+     */
+    privateKey: string;
+    /**
+     * Defaults to `['name', 'email']`. Apple only returns `email` in the id_token —
+     * `name` is delivered exactly once, on the first sign-in, via a posted form
+     * field. AuthCore uses query response_mode and reads identity from the
+     * id_token, so the `name` scope is effectively no-op here.
+     */
+    scopes?: string[];
+    /**
+     * Client secret JWT TTL in seconds. Defaults to 600 (10 minutes). Apple's
+     * maximum is 6 months (15777000s); shorter is safer — we mint a fresh JWT
+     * on every exchange anyway.
+     */
+    clientSecretTtlSeconds?: number;
+}
+/**
+ * Create a Sign in with Apple OAuth 2.0 provider.
+ *
+ * Apple's protocol differs from other providers in one important way: the
+ * `client_secret` sent to the token endpoint is **not** a static string. It's
+ * an ES256-signed JWT minted on each exchange, signed with a `.p8` private
+ * key from Apple Developer. AuthCore handles that for you.
+ *
+ * ```ts
+ * import { createAppleProvider } from '@authcore/core'
+ * const apple = createAppleProvider({
+ *   clientId: 'com.example.myapp.service',         // Apple Services ID
+ *   teamId: 'ABC1234DEF',                          // Apple Team ID
+ *   keyId: 'XYZ9876ABC',                           // Key ID from the .p8 file
+ *   privateKey: process.env.APPLE_PRIVATE_KEY!,    // contents of the .p8 (PEM)
+ * })
+ * createAuth({ ..., oauth: { apple } })
+ * ```
+ *
+ * **Apple-specific notes:**
+ * - Uses `response_mode=query` so the existing AuthCore callback route (GET)
+ *   handles the response. (Apple's default `form_post` mode would require
+ *   urlencoded body parsing on the callback; query mode works equivalently
+ *   for the data we need.)
+ * - Apple delivers the user's name **only on first sign-in** via a posted
+ *   `user` form field that AuthCore does not consume in query mode. The
+ *   sign-in still works — AuthCore creates the user with `name` unset; the
+ *   user can edit their profile later. The email is always present.
+ * - Apple's `email_verified` claim may be the string `"true"` or a boolean.
+ *   AuthCore normalizes both to `true`.
+ * - Some Apple users sign in with private relay emails (`*@privaterelay.appleid.com`).
+ *   These are valid forwarding addresses; treat them as real emails.
+ */
+export declare function createAppleProvider(config: AppleProviderConfig): OAuthProvider;
+/**
+ * Generate the client secret JWT Apple requires on the token endpoint.
+ * Signed with ES256 using the developer's .p8 private key.
+ *
+ * Claims per https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
+ */
+export declare function generateAppleClientSecret(params: {
+    teamId: string;
+    keyId: string;
+    clientId: string;
+    privateKey: string;
+    ttlSeconds?: number;
+}): string;
+//# sourceMappingURL=apple.d.ts.map

package/dist/oauth/apple.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apple.d.ts","sourceRoot":"","sources":["../../src/oauth/apple.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB,mEAAmE;IACnE,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,KAAK,EAAE,MAAM,CAAA;IACb;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAA;IAClB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAA;CAChC;AAKD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CAmF9E;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE;IAChD,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,MAAM,CAyBT"}

package/dist/oauth/apple.js

@@ -0,0 +1,148 @@
+import { createSign } from 'node:crypto';
+const DEFAULT_SCOPES = ['name', 'email'];
+const APPLE_AUD = 'https://appleid.apple.com';
+/**
+ * Create a Sign in with Apple OAuth 2.0 provider.
+ *
+ * Apple's protocol differs from other providers in one important way: the
+ * `client_secret` sent to the token endpoint is **not** a static string. It's
+ * an ES256-signed JWT minted on each exchange, signed with a `.p8` private
+ * key from Apple Developer. AuthCore handles that for you.
+ *
+ * ```ts
+ * import { createAppleProvider } from '@authcore/core'
+ * const apple = createAppleProvider({
+ *   clientId: 'com.example.myapp.service',         // Apple Services ID
+ *   teamId: 'ABC1234DEF',                          // Apple Team ID
+ *   keyId: 'XYZ9876ABC',                           // Key ID from the .p8 file
+ *   privateKey: process.env.APPLE_PRIVATE_KEY!,    // contents of the .p8 (PEM)
+ * })
+ * createAuth({ ..., oauth: { apple } })
+ * ```
+ *
+ * **Apple-specific notes:**
+ * - Uses `response_mode=query` so the existing AuthCore callback route (GET)
+ *   handles the response. (Apple's default `form_post` mode would require
+ *   urlencoded body parsing on the callback; query mode works equivalently
+ *   for the data we need.)
+ * - Apple delivers the user's name **only on first sign-in** via a posted
+ *   `user` form field that AuthCore does not consume in query mode. The
+ *   sign-in still works — AuthCore creates the user with `name` unset; the
+ *   user can edit their profile later. The email is always present.
+ * - Apple's `email_verified` claim may be the string `"true"` or a boolean.
+ *   AuthCore normalizes both to `true`.
+ * - Some Apple users sign in with private relay emails (`*@privaterelay.appleid.com`).
+ *   These are valid forwarding addresses; treat them as real emails.
+ */
+export function createAppleProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const clientSecretTtl = config.clientSecretTtlSeconds ?? 600;
+    return {
+        id: 'apple',
+        scopes,
+        authorize: ({ state, codeChallenge, redirectUri }) => {
+            const url = new URL('https://appleid.apple.com/auth/authorize');
+            url.searchParams.set('client_id', config.clientId);
+            url.searchParams.set('redirect_uri', redirectUri);
+            url.searchParams.set('response_type', 'code');
+            // Apple defaults to form_post; we use query to land on the existing
+            // GET callback route. Apple supports both.
+            url.searchParams.set('response_mode', 'query');
+            url.searchParams.set('scope', scopes.join(' '));
+            url.searchParams.set('state', state);
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            return url.toString();
+        },
+        exchangeCode: async ({ code, codeVerifier, redirectUri }) => {
+            const clientSecret = generateAppleClientSecret({
+                teamId: config.teamId,
+                keyId: config.keyId,
+                clientId: config.clientId,
+                privateKey: config.privateKey,
+                ttlSeconds: clientSecretTtl,
+            });
+            const res = await fetch('https://appleid.apple.com/auth/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: clientSecret,
+                    redirect_uri: redirectUri,
+                    grant_type: 'authorization_code',
+                    code_verifier: codeVerifier,
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`Apple token exchange failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            return {
+                accessToken: body.access_token,
+                ...(body.refresh_token !== undefined ? { refreshToken: body.refresh_token } : {}),
+                ...(body.expires_in !== undefined ? { expiresIn: body.expires_in } : {}),
+                ...(body.id_token !== undefined ? { idToken: body.id_token } : {}),
+            };
+        },
+        getUserInfo: async (_accessToken, idToken) => {
+            if (!idToken) {
+                throw new Error('Apple OAuth: id_token missing from token response');
+            }
+            const claims = decodeIdTokenClaims(idToken);
+            if (!claims || typeof claims['sub'] !== 'string' || typeof claims['email'] !== 'string') {
+                throw new Error('Apple OAuth: id_token missing required claims (sub, email)');
+            }
+            // Apple sends "true" / "false" as STRINGS in the id_token; some versions
+            // return booleans. Normalize.
+            const rawVerified = claims['email_verified'];
+            const emailVerified = rawVerified === true || rawVerified === 'true' ? true : false;
+            return {
+                id: claims['sub'],
+                email: claims['email'],
+                emailVerified,
+            };
+        },
+    };
+}
+/**
+ * Generate the client secret JWT Apple requires on the token endpoint.
+ * Signed with ES256 using the developer's .p8 private key.
+ *
+ * Claims per https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
+ */
+export function generateAppleClientSecret(params) {
+    const { teamId, keyId, clientId, privateKey, ttlSeconds = 600 } = params;
+    const now = Math.floor(Date.now() / 1000);
+    const header = { alg: 'ES256', kid: keyId, typ: 'JWT' };
+    const payload = {
+        iss: teamId,
+        iat: now,
+        exp: now + ttlSeconds,
+        aud: APPLE_AUD,
+        sub: clientId,
+    };
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signingInput = `${headerB64}.${payloadB64}`;
+    // Node's signer outputs DER-encoded ECDSA signatures; JWS requires raw R||S.
+    // We use `dsaEncoding: 'ieee-p1363'` (Node 16.4+) which produces the raw form.
+    const signature = createSign('SHA256')
+        .update(signingInput)
+        .sign({ key: privateKey, dsaEncoding: 'ieee-p1363' });
+    const sigB64 = Buffer.from(signature).toString('base64url');
+    return `${signingInput}.${sigB64}`;
+}
+function decodeIdTokenClaims(idToken) {
+    const parts = idToken.split('.');
+    if (parts.length < 2)
+        return null;
+    try {
+        const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+        return JSON.parse(payload);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=apple.js.map

package/dist/oauth/apple.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apple.js","sourceRoot":"","sources":["../../src/oauth/apple.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAmCxC,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AACxC,MAAM,SAAS,GAAG,2BAA2B,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAA2B;IAC7D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAA;IAC9C,MAAM,eAAe,GAAG,MAAM,CAAC,sBAAsB,IAAI,GAAG,CAAA;IAE5D,OAAO;QACL,EAAE,EAAE,OAAO;QACX,MAAM;QAEN,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,CAAC,CAAA;YAC/D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;YAC7C,oEAAoE;YACpE,2CAA2C;YAC3C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAA;YAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;YAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YACpC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;YACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YACrD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;QAED,YAAY,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,EAAE;YAC1D,MAAM,YAAY,GAAG,yBAAyB,CAAC;gBAC7C,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,UAAU,EAAE,eAAe;aAC5B,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,EAAE;gBAC9D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,YAAY;oBAC3B,YAAY,EAAE,WAAW;oBACzB,UAAU,EAAE,oBAAoB;oBAChC,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACrF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;YACD,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACnE,CAAA;QACH,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE;YAC3C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;YACtE,CAAC;YACD,MAAM,MAAM,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;YAC3C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACxF,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;YAC/E,CAAC;YACD,yEAAyE;YACzE,8BAA8B;YAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAA;YAC5C,MAAM,aAAa,GACjB,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAA;YAE/D,OAAO;gBACL,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;gBACjB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;gBACtB,aAAa;aACd,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAMzC;IACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,GAAG,EAAE,GAAG,MAAM,CAAA;IACxE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAEzC,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAA;IACvD,MAAM,OAAO,GAAG;QACd,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,UAAU;QACrB,GAAG,EAAE,SAAS;QACd,GAAG,EAAE,QAAQ;KACd,CAAA;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC3E,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC7E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAA;IAEjD,6EAA6E;IAC7E,+EAA+E;IAC/E,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC;SACnC,MAAM,CAAC,YAAY,CAAC;SACpB,IAAI,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAA;IAEvD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC3D,OAAO,GAAG,YAAY,IAAI,MAAM,EAAE,CAAA;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAChC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACjC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAA;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/oauth/discord.d.ts

@@ -0,0 +1,32 @@
+import type { OAuthProvider } from '@authcore/types';
+export interface DiscordProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    /**
+     * Defaults to `['identify', 'email']`. `identify` returns the basic profile;
+     * `email` is required to get the user's email + verification status.
+     */
+    scopes?: string[];
+}
+/**
+ * Create a Discord OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createDiscordProvider } from '@authcore/core'
+ * const discord = createDiscordProvider({
+ *   clientId: process.env.DISCORD_CLIENT_ID!,
+ *   clientSecret: process.env.DISCORD_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { discord } })
+ * ```
+ *
+ * Notes:
+ * - Discord exposes `verified` on the user object — AuthCore threads that
+ *   straight through to `emailVerified`. Unverified Discord users will hit
+ *   the standard AuthCore "EMAIL_NOT_VERIFIED_BY_PROVIDER" gate when linking
+ *   to an existing local account.
+ * - User avatar URLs are constructed from the user's `id` + `avatar` hash
+ *   (https://discord.com/developers/docs/reference#image-formatting).
+ */
+export declare function createDiscordProvider(config: DiscordProviderConfig): OAuthProvider;
+//# sourceMappingURL=discord.d.ts.map

package/dist/oauth/discord.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discord.d.ts","sourceRoot":"","sources":["../../src/oauth/discord.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,qBAAqB,GAAG,aAAa,CAgFlF"}