@authcore/core 0.6.0 → 0.12.0

package/dist/utils/token.js

@@ -7,6 +7,29 @@ import jwt from 'jsonwebtoken';
 export function generateOpaqueToken() {
     return randomBytes(32).toString('hex');
 }
+/**
+ * Generate a CSRF token. Same shape as `generateOpaqueToken` (256 bits of entropy)
+ * but kept as a separate export to make intent explicit at call sites.
+ * The CSRF token is NOT hashed before storage — it's sent to the client as a cookie
+ * value AND compared byte-for-byte against the `X-CSRF-Token` header on each request.
+ */
+export function generateCsrfToken() {
+    return randomBytes(32).toString('hex');
+}
+/**
+ * Generate a PKCE code verifier (RFC 7636 §4.1).
+ * 32 random bytes → 43-char base64url string (no padding), within the 43-128 char range.
+ */
+export function generatePkceVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+/**
+ * Build the PKCE code challenge (S256 method) from a verifier.
+ * SHA-256 of the verifier, base64url-encoded (no padding).
+ */
+export function pkceChallenge(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
 /**
  * Hash a raw token using SHA-256 for safe database storage.
  * Store the hash; return the raw token to the user.
@@ -61,4 +84,34 @@ export function verifyJwt(token, secret) {
         return null;
     }
 }
+/**
+ * Sign a short-lived JWT used as a 2FA login challenge. The token carries the
+ * user id + a scope claim, and expires after `expiresIn` (default 5 minutes).
+ * It is NOT a session token — verify with {@link verifyTwoFactorChallenge}.
+ */
+export function signTwoFactorChallenge(userId, secret, expiresIn = '5m') {
+    const payload = { sub: userId, scope: '2fa-pending' };
+    const options = { algorithm: 'HS256', expiresIn };
+    return jwt.sign(payload, secret, options);
+}
+/**
+ * Verify a 2FA challenge token. Rejects tokens with the wrong scope so a
+ * session JWT can't be reused as a challenge (and vice versa).
+ *
+ * @returns The decoded payload, or `null` if invalid / expired / wrong scope.
+ */
+export function verifyTwoFactorChallenge(token, secret) {
+    try {
+        const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+        if (typeof decoded === 'string')
+            return null;
+        const payload = decoded;
+        if (payload.scope !== '2fa-pending')
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
 //# sourceMappingURL=token.js.map

package/dist/utils/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AACtE,OAAO,GAAG,MAAM,cAAc,CAAA;AAE9B;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAC5D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;AACpC,CAAC;AAUD;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CACrB,OAAwC,EACxC,MAAc,EACd,SAAS,GAAG,IAAI;IAEhB,mFAAmF;IACnF,MAAM,OAAO,GAAG,EAAE,SAAS,EAAE,OAAgB,EAAE,SAAS,EAAE,CAAA;IAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAA0B,CAAC,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACpE,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC5C,OAAO,OAAqB,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AACtE,OAAO,GAAG,MAAM,cAAc,CAAA;AAE9B;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;AAClE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAC5D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;AACpC,CAAC;AAUD;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CACrB,OAAwC,EACxC,MAAc,EACd,SAAS,GAAG,IAAI;IAEhB,mFAAmF;IACnF,MAAM,OAAO,GAAG,EAAE,SAAS,EAAE,OAAgB,EAAE,SAAS,EAAE,CAAA;IAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAA0B,CAAC,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACpE,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC5C,OAAO,OAAqB,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAUD;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAc,EAAE,MAAc,EAAE,SAAS,GAAG,IAAI;IACrF,MAAM,OAAO,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,aAAsB,EAAE,CAAA;IAC9D,MAAM,OAAO,GAAG,EAAE,SAAS,EAAE,OAAgB,EAAE,SAAS,EAAE,CAAA;IAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAA0B,CAAC,CAAA;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACpE,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC5C,MAAM,OAAO,GAAG,OAAoC,CAAA;QACpD,IAAI,OAAO,CAAC,KAAK,KAAK,aAAa;YAAE,OAAO,IAAI,CAAA;QAChD,OAAO,OAAO,CAAA;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/utils/totp.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Encode raw bytes to base32 (RFC 4648, no padding). Authenticator apps and
+ * QR codes universally expect base32 for the secret.
+ */
+export declare function base32Encode(bytes: Buffer): string;
+/**
+ * Decode a base32 string back to bytes. Tolerates lowercase + whitespace +
+ * trailing `=` padding so we accept whatever a user paste happens to contain.
+ */
+export declare function base32Decode(encoded: string): Buffer;
+/**
+ * Generate a new TOTP secret: 20 random bytes (160 bits, the RFC 4226 minimum
+ * recommended length), base32-encoded.
+ */
+export declare function generateTotpSecret(): string;
+/**
+ * Generate a TOTP code for the given secret and timestamp (defaults to now).
+ *
+ * @param secret - Base32-encoded secret
+ * @param timestamp - Unix timestamp in seconds (default: current time)
+ * @returns 6-digit numeric code as a zero-padded string
+ */
+export declare function generateTotpCode(secret: string, timestamp?: number): string;
+/**
+ * Verify a TOTP code against a secret. Accepts the current 30-second window
+ * AND ±1 step (i.e. ±30 seconds) to absorb clock drift between server and
+ * authenticator app — RFC 6238 §5.2 recommends this tolerance.
+ *
+ * Returns true on match. Uses timing-safe comparison.
+ *
+ * @param secret - Base32-encoded secret stored at enrollment time
+ * @param code   - User-supplied 6-digit code (string; may include whitespace)
+ * @param window - Number of steps before AND after current to accept. Default 1.
+ * @param timestamp - Optional fixed timestamp (for testing)
+ */
+export declare function verifyTotpCode(secret: string, code: string, window?: number, timestamp?: number): boolean;
+/**
+ * Build an `otpauth://totp/...` URL for QR code rendering. Authenticator apps
+ * (Google Authenticator, 1Password, Authy, etc.) parse this URL format.
+ *
+ * @param secret    - Base32-encoded secret
+ * @param accountName - Usually the user's email
+ * @param issuer    - Your app name (e.g. "MyApp")
+ */
+export declare function buildOtpauthUrl(params: {
+    secret: string;
+    accountName: string;
+    issuer: string;
+}): string;
+/**
+ * Generate `count` user-friendly recovery codes. Format: `xxxx-xxxx-xxxx`
+ * (12 chars + 2 dashes), drawn from an unambiguous alphabet (no 0/O/1/I/L).
+ *
+ * Recovery codes are intentionally meant to be one-time backups when a user
+ * loses their authenticator device. Store the SHA-256 hash; show the raw
+ * value to the user exactly once.
+ */
+export declare function generateRecoveryCodes(count?: number): string[];
+//# sourceMappingURL=totp.d.ts.map

package/dist/utils/totp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.d.ts","sourceRoot":"","sources":["../../src/utils/totp.ts"],"names":[],"mappings":"AAuBA;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAgBlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAkBpD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAAsC,GAChD,MAAM,CAGR;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,MAAU,EAClB,SAAS,GAAE,MAAsC,GAChD,OAAO,CAYT;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;CACf,GAAG,MAAM,CAYT;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,SAAK,GAAG,MAAM,EAAE,CAgB1D"}

package/dist/utils/totp.js

@@ -0,0 +1,176 @@
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+/**
+ * RFC 6238 (TOTP) and RFC 4226 (HOTP) primitives.
+ *
+ * Implemented from the spec — zero dependencies. We deliberately keep the
+ * audit surface small: 100 lines of straightforward code beats a third-party
+ * library whose changelog we have to follow.
+ *
+ * Algorithm summary:
+ *   HOTP(K, C) = Truncate(HMAC-SHA1(K, big-endian-uint64(C)))
+ *   Truncate picks 4 bytes at a dynamic offset, masks the MSB, and takes
+ *   mod 10^6 to produce a 6-digit code.
+ *   TOTP(K) = HOTP(K, floor(now / 30))
+ */
+const TOTP_DIGITS = 6;
+const TOTP_PERIOD_SECONDS = 30;
+const TOTP_ALGORITHM = 'sha1'; // RFC 6238 default; what every authenticator app expects
+/** RFC 4648 Base32 alphabet (uppercase, no padding for our use). */
+const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+/**
+ * Encode raw bytes to base32 (RFC 4648, no padding). Authenticator apps and
+ * QR codes universally expect base32 for the secret.
+ */
+export function base32Encode(bytes) {
+    let bits = 0;
+    let value = 0;
+    let output = '';
+    for (const byte of bytes) {
+        value = (value << 8) | byte;
+        bits += 8;
+        while (bits >= 5) {
+            output += BASE32_ALPHABET[(value >>> (bits - 5)) & 0x1f];
+            bits -= 5;
+        }
+    }
+    if (bits > 0) {
+        output += BASE32_ALPHABET[(value << (5 - bits)) & 0x1f];
+    }
+    return output;
+}
+/**
+ * Decode a base32 string back to bytes. Tolerates lowercase + whitespace +
+ * trailing `=` padding so we accept whatever a user paste happens to contain.
+ */
+export function base32Decode(encoded) {
+    const cleaned = encoded.replace(/=+$/, '').replace(/\s/g, '').toUpperCase();
+    const bytes = [];
+    let bits = 0;
+    let value = 0;
+    for (const char of cleaned) {
+        const idx = BASE32_ALPHABET.indexOf(char);
+        if (idx === -1) {
+            throw new Error(`Invalid base32 character: ${char}`);
+        }
+        value = (value << 5) | idx;
+        bits += 5;
+        if (bits >= 8) {
+            bytes.push((value >>> (bits - 8)) & 0xff);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(bytes);
+}
+/**
+ * Generate a new TOTP secret: 20 random bytes (160 bits, the RFC 4226 minimum
+ * recommended length), base32-encoded.
+ */
+export function generateTotpSecret() {
+    return base32Encode(randomBytes(20));
+}
+/**
+ * Generate a TOTP code for the given secret and timestamp (defaults to now).
+ *
+ * @param secret - Base32-encoded secret
+ * @param timestamp - Unix timestamp in seconds (default: current time)
+ * @returns 6-digit numeric code as a zero-padded string
+ */
+export function generateTotpCode(secret, timestamp = Math.floor(Date.now() / 1000)) {
+    const step = Math.floor(timestamp / TOTP_PERIOD_SECONDS);
+    return hotp(base32Decode(secret), step);
+}
+/**
+ * Verify a TOTP code against a secret. Accepts the current 30-second window
+ * AND ±1 step (i.e. ±30 seconds) to absorb clock drift between server and
+ * authenticator app — RFC 6238 §5.2 recommends this tolerance.
+ *
+ * Returns true on match. Uses timing-safe comparison.
+ *
+ * @param secret - Base32-encoded secret stored at enrollment time
+ * @param code   - User-supplied 6-digit code (string; may include whitespace)
+ * @param window - Number of steps before AND after current to accept. Default 1.
+ * @param timestamp - Optional fixed timestamp (for testing)
+ */
+export function verifyTotpCode(secret, code, window = 1, timestamp = Math.floor(Date.now() / 1000)) {
+    const normalized = code.replace(/\s/g, '');
+    if (!/^\d{6}$/.test(normalized))
+        return false;
+    const key = base32Decode(secret);
+    const currentStep = Math.floor(timestamp / TOTP_PERIOD_SECONDS);
+    for (let offset = -window; offset <= window; offset++) {
+        const candidate = hotp(key, currentStep + offset);
+        if (safeStringEqual(candidate, normalized))
+            return true;
+    }
+    return false;
+}
+/**
+ * Build an `otpauth://totp/...` URL for QR code rendering. Authenticator apps
+ * (Google Authenticator, 1Password, Authy, etc.) parse this URL format.
+ *
+ * @param secret    - Base32-encoded secret
+ * @param accountName - Usually the user's email
+ * @param issuer    - Your app name (e.g. "MyApp")
+ */
+export function buildOtpauthUrl(params) {
+    const { secret, accountName, issuer } = params;
+    // Per Google Authenticator spec, label is "Issuer:AccountName" (URL-encoded).
+    const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(accountName)}`;
+    const query = new URLSearchParams({
+        secret,
+        issuer,
+        algorithm: 'SHA1',
+        digits: String(TOTP_DIGITS),
+        period: String(TOTP_PERIOD_SECONDS),
+    });
+    return `otpauth://totp/${label}?${query.toString()}`;
+}
+/**
+ * Generate `count` user-friendly recovery codes. Format: `xxxx-xxxx-xxxx`
+ * (12 chars + 2 dashes), drawn from an unambiguous alphabet (no 0/O/1/I/L).
+ *
+ * Recovery codes are intentionally meant to be one-time backups when a user
+ * loses their authenticator device. Store the SHA-256 hash; show the raw
+ * value to the user exactly once.
+ */
+export function generateRecoveryCodes(count = 10) {
+    const ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789'; // 31 chars, no 0/O/1/I/L
+    const codes = [];
+    for (let i = 0; i < count; i++) {
+        const groups = [];
+        for (let g = 0; g < 3; g++) {
+            const bytes = randomBytes(4);
+            let s = '';
+            for (let j = 0; j < 4; j++) {
+                s += ALPHABET[bytes[j] % ALPHABET.length];
+            }
+            groups.push(s);
+        }
+        codes.push(groups.join('-'));
+    }
+    return codes;
+}
+// --- internals ---
+function hotp(key, counter) {
+    // RFC 4226: counter is a 64-bit big-endian unsigned integer.
+    const counterBuf = Buffer.alloc(8);
+    // JavaScript bitwise ops are 32-bit. Split into two halves.
+    const hi = Math.floor(counter / 0x100000000);
+    const lo = counter >>> 0;
+    counterBuf.writeUInt32BE(hi, 0);
+    counterBuf.writeUInt32BE(lo, 4);
+    const hmac = createHmac(TOTP_ALGORITHM, key).update(counterBuf).digest();
+    // Dynamic truncation: offset is the low 4 bits of the last byte.
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const binary = ((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff);
+    return String(binary % 10 ** TOTP_DIGITS).padStart(TOTP_DIGITS, '0');
+}
+function safeStringEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(Buffer.from(a, 'utf8'), Buffer.from(b, 'utf8'));
+}
+//# sourceMappingURL=totp.js.map

package/dist/utils/totp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.js","sourceRoot":"","sources":["../../src/utils/totp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAEtE;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,GAAG,CAAC,CAAA;AACrB,MAAM,mBAAmB,GAAG,EAAE,CAAA;AAC9B,MAAM,cAAc,GAAG,MAAM,CAAA,CAAC,yDAAyD;AAEvF,oEAAoE;AACpE,MAAM,eAAe,GAAG,kCAAkC,CAAA;AAE1D;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,IAAI,GAAG,CAAC,CAAA;IACZ,IAAI,KAAK,GAAG,CAAC,CAAA;IACb,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAA;QAC3B,IAAI,IAAI,CAAC,CAAA;QACT,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,eAAe,CAAC,CAAC,KAAK,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;YACxD,IAAI,IAAI,CAAC,CAAA;QACX,CAAC;IACH,CAAC;IACD,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IACzD,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;IAC3E,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,IAAI,IAAI,GAAG,CAAC,CAAA;IACZ,IAAI,KAAK,GAAG,CAAC,CAAA;IACb,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACzC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAA;QACtD,CAAC;QACD,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG,CAAA;QAC1B,IAAI,IAAI,CAAC,CAAA;QACT,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;YACzC,IAAI,IAAI,CAAC,CAAA;QACX,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAA;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAc,EACd,YAAoB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAEjD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,mBAAmB,CAAC,CAAA;IACxD,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAA;AACzC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,MAAc,EACd,IAAY,EACZ,SAAiB,CAAC,EAClB,YAAoB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAEjD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IAC1C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAA;IAE7C,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;IAChC,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,mBAAmB,CAAC,CAAA;IAE/D,KAAK,IAAI,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,IAAI,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACtD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC,CAAA;QACjD,IAAI,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC;YAAE,OAAO,IAAI,CAAA;IACzD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,MAI/B;IACC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,MAAM,CAAA;IAC9C,8EAA8E;IAC9E,MAAM,KAAK,GAAG,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAA;IAChF,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;QAChC,MAAM;QACN,MAAM;QACN,SAAS,EAAE,MAAM;QACjB,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC;QAC3B,MAAM,EAAE,MAAM,CAAC,mBAAmB,CAAC;KACpC,CAAC,CAAA;IACF,OAAO,kBAAkB,KAAK,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAA;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAK,GAAG,EAAE;IAC9C,MAAM,QAAQ,GAAG,iCAAiC,CAAA,CAAC,yBAAyB;IAC5E,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAa,EAAE,CAAA;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAA;YACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3B,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAA;YAC5C,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChB,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IAC9B,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,oBAAoB;AAEpB,SAAS,IAAI,CAAC,GAAW,EAAE,OAAe;IACxC,6DAA6D;IAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAClC,4DAA4D;IAC5D,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,WAAW,CAAC,CAAA;IAC5C,MAAM,EAAE,GAAG,OAAO,KAAK,CAAC,CAAA;IACxB,UAAU,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;IAC/B,UAAU,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;IAE/B,MAAM,IAAI,GAAG,UAAU,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,CAAA;IAExE,iEAAiE;IACjE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAE,GAAG,IAAI,CAAA;IAC5C,MAAM,MAAM,GACV,CAAC,CAAC,IAAI,CAAC,MAAM,CAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAE,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAE,GAAG,IAAI,CAAC,CAAA;IAE5B,OAAO,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,WAAW,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACvC,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAA;AACxE,CAAC"}

package/dist/utils/validation.d.ts

@@ -70,6 +70,22 @@ export declare const acceptInvitationSchema: (minPasswordLength?: number) => z.Z
     password: string;
     token: string;
 }>;
+/** Schema for POST /magic-link/send */
+export declare const sendMagicLinkSchema: z.ZodObject<{
+    email: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+}, {
+    email: string;
+}>;
+/** Schema for POST /magic-link/consume */
+export declare const consumeMagicLinkSchema: z.ZodObject<{
+    token: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+}, {
+    token: string;
+}>;
 export type RegisterInput = z.infer<ReturnType<typeof registerSchema>>;
 export type LoginInput = z.infer<typeof loginSchema>;
 export type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;
@@ -77,4 +93,6 @@ export type ResetPasswordInput = z.infer<ReturnType<typeof resetPasswordSchema>>
 export type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;
 export type InviteInput = z.infer<typeof inviteSchema>;
 export type AcceptInvitationInput = z.infer<ReturnType<typeof acceptInvitationSchema>>;
+export type SendMagicLinkInput = z.infer<typeof sendMagicLinkSchema>;
+export type ConsumeMagicLinkInput = z.infer<typeof consumeMagicLinkSchema>;
 //# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAUvB,gCAAgC;AAChC,eAAO,MAAM,cAAc,GAAI,0BAAqB;;;;;;;;;EAIhD,CAAA;AAEJ,6BAA6B;AAC7B,eAAO,MAAM,WAAW;;;;;;;;;EAGtB,CAAA;AAEF,uCAAuC;AACvC,eAAO,MAAM,oBAAoB;;;;;;EAE/B,CAAA;AAEF,sCAAsC;AACtC,eAAO,MAAM,mBAAmB,GAAI,0BAAqB;;;;;;;;;EAIrD,CAAA;AAEJ,oCAAoC;AACpC,eAAO,MAAM,iBAAiB;;;;;;EAE5B,CAAA;AAEF,8BAA8B;AAC9B,eAAO,MAAM,YAAY;;;;;;;;;EAGvB,CAAA;AAEF,yCAAyC;AACzC,eAAO,MAAM,sBAAsB,GAAI,0BAAqB;;;;;;;;;EAIxD,CAAA;AAEJ,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAA;AACtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AACpD,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AACtE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC,CAAA;AAChF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAChE,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AACtD,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAA"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAUvB,gCAAgC;AAChC,eAAO,MAAM,cAAc,GAAI,0BAAqB;;;;;;;;;EAIhD,CAAA;AAEJ,6BAA6B;AAC7B,eAAO,MAAM,WAAW;;;;;;;;;EAGtB,CAAA;AAEF,uCAAuC;AACvC,eAAO,MAAM,oBAAoB;;;;;;EAE/B,CAAA;AAEF,sCAAsC;AACtC,eAAO,MAAM,mBAAmB,GAAI,0BAAqB;;;;;;;;;EAIrD,CAAA;AAEJ,oCAAoC;AACpC,eAAO,MAAM,iBAAiB;;;;;;EAE5B,CAAA;AAEF,8BAA8B;AAC9B,eAAO,MAAM,YAAY;;;;;;;;;EAGvB,CAAA;AAEF,yCAAyC;AACzC,eAAO,MAAM,sBAAsB,GAAI,0BAAqB;;;;;;;;;EAIxD,CAAA;AAEJ,uCAAuC;AACvC,eAAO,MAAM,mBAAmB;;;;;;EAE9B,CAAA;AAEF,0CAA0C;AAC1C,eAAO,MAAM,sBAAsB;;;;;;EAEjC,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAA;AACtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AACpD,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AACtE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC,CAAA;AAChF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAChE,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AACtD,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAA;AACtF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AACpE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}

package/dist/utils/validation.js

@@ -37,4 +37,12 @@ export const acceptInvitationSchema = (minPasswordLength = 8) => z.object({
     token: z.string().min(1, 'Token is required'),
     password: passwordSchema(minPasswordLength),
 });
+/** Schema for POST /magic-link/send */
+export const sendMagicLinkSchema = z.object({
+    email: emailSchema,
+});
+/** Schema for POST /magic-link/consume */
+export const consumeMagicLinkSchema = z.object({
+    token: z.string().min(1, 'Token is required'),
+});
 //# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map

@@ -1 +1 @@
-{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;AAE7D,MAAM,cAAc,GAAG,CAAC,SAAiB,EAAE,EAAE,CAC3C,CAAC;KACE,MAAM,EAAE;KACR,GAAG,CAAC,SAAS,EAAE,6BAA6B,SAAS,aAAa,CAAC;KACnE,GAAG,CAAC,EAAE,EAAE,wCAAwC,CAAC,CAAA,CAAC,aAAa;AAEpE,gCAAgC;AAChC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CACtD,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,6BAA6B;AAC7B,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;CACpD,CAAC,CAAA;AAEF,uCAAuC;AACvC,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,WAAW;CACnB,CAAC,CAAA;AAEF,sCAAsC;AACtC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CAC3D,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;IAC7C,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,oCAAoC;AACpC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;CAC9C,CAAC,CAAA;AAEF,8BAA8B;AAC9B,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,KAAK,EAAE,WAAW;IAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAA;AAEF,yCAAyC;AACzC,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CAC9D,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;IAC7C,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA"}
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;AAE7D,MAAM,cAAc,GAAG,CAAC,SAAiB,EAAE,EAAE,CAC3C,CAAC;KACE,MAAM,EAAE;KACR,GAAG,CAAC,SAAS,EAAE,6BAA6B,SAAS,aAAa,CAAC;KACnE,GAAG,CAAC,EAAE,EAAE,wCAAwC,CAAC,CAAA,CAAC,aAAa;AAEpE,gCAAgC;AAChC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CACtD,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,6BAA6B;AAC7B,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;CACpD,CAAC,CAAA;AAEF,uCAAuC;AACvC,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,WAAW;CACnB,CAAC,CAAA;AAEF,sCAAsC;AACtC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CAC3D,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;IAC7C,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,oCAAoC;AACpC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;CAC9C,CAAC,CAAA;AAEF,8BAA8B;AAC9B,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,KAAK,EAAE,WAAW;IAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAA;AAEF,yCAAyC;AACzC,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,iBAAiB,GAAG,CAAC,EAAE,EAAE,CAC9D,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;IAC7C,QAAQ,EAAE,cAAc,CAAC,iBAAiB,CAAC;CAC5C,CAAC,CAAA;AAEJ,uCAAuC;AACvC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,KAAK,EAAE,WAAW;CACnB,CAAC,CAAA;AAEF,0CAA0C;AAC1C,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,CAAC;CAC9C,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@authcore/core",
-  "version": "0.6.0",
+  "version": "0.12.0",
   "description": "Framework-agnostic authentication core for AuthCore",
   "license": "MIT",
   "author": "David Ouatedem",
@@ -35,10 +35,11 @@
   "dependencies": {
     "bcryptjs": "^2.4.3",
     "jsonwebtoken": "^9.0.2",
-    "zod": "^3.23.0"
+    "zod": "^3.23.0",
+    "@authcore/types": "^0.12.0"
   },
   "devDependencies": {
-    "@types/bcryptjs": "^2.4.0",
+    "@types/bcryptjs": "^2.4.3",
     "@types/jsonwebtoken": "^9.0.6",
     "@types/node": "^20.0.0",
     "typescript": "^5.4.0",

package/dist/adapters/database.interface.d.ts

@@ -1,42 +0,0 @@
-import type { User, Token, TokenType, CreateUserInput, CreateTokenInput } from '../types.js';
-/**
- * DatabaseAdapter defines the contract that any database implementation must fulfill.
- * Implement this interface to add support for a new database (Drizzle, Mongoose, etc.).
- *
- * @example
- * ```ts
- * import type { DatabaseAdapter } from '@authcore/core'
- *
- * export function myAdapter(client: MyClient): DatabaseAdapter {
- *   return {
- *     findUserByEmail: (email) => client.user.findUnique({ where: { email } }),
- *     // ...
- *   }
- * }
- * ```
- */
-export interface DatabaseAdapter {
-    /** Find a user by their email address. Returns null if not found. */
-    findUserByEmail(email: string): Promise<User | null>;
-    /** Find a user by their ID. Returns null if not found. */
-    findUserById(id: string): Promise<User | null>;
-    /** Create a new user record. */
-    createUser(data: CreateUserInput): Promise<User>;
-    /** Update fields on an existing user. */
-    updateUser(id: string, data: Partial<Omit<User, 'id' | 'createdAt'>>): Promise<User>;
-    /**
-     * Create a new token record.
-     * The `token` field in `data` must be the SHA-256 hash of the raw token.
-     */
-    createToken(data: CreateTokenInput): Promise<Token>;
-    /**
-     * Find a token record by the raw token value and type.
-     * Implementations MUST hash the raw token before querying.
-     */
-    findToken(rawToken: string, type: TokenType): Promise<Token | null>;
-    /** Delete a token by its ID. */
-    deleteToken(id: string): Promise<void>;
-    /** Delete all expired tokens. Call periodically for housekeeping. */
-    deleteExpiredTokens(): Promise<void>;
-}
-//# sourceMappingURL=database.interface.d.ts.map

package/dist/adapters/database.interface.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"database.interface.d.ts","sourceRoot":"","sources":["../../src/adapters/database.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAE5F;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;IAEpD,0DAA0D;IAC1D,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;IAE9C,gCAAgC;IAChC,UAAU,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEhD,yCAAyC;IACzC,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,GAAG,WAAW,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEpF;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IAEnD;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAA;IAEnE,gCAAgC;IAChC,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEtC,qEAAqE;IACrE,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAAA;CACrC"}

package/dist/adapters/database.interface.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=database.interface.js.map

package/dist/adapters/database.interface.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"database.interface.js","sourceRoot":"","sources":["../../src/adapters/database.interface.ts"],"names":[],"mappings":""}

package/dist/adapters/email.interface.d.ts

@@ -1,31 +0,0 @@
-/**
- * EmailAdapter defines the contract for any email provider implementation.
- * Implement this interface to add support for a new email provider (SendGrid, Mailgun, etc.).
- *
- * @example
- * ```ts
- * import type { EmailAdapter } from '@authcore/core'
- *
- * export function myEmailAdapter(apiKey: string): EmailAdapter {
- *   return {
- *     send: async ({ to, subject, html, text }) => {
- *       await myEmailClient.send({ apiKey, to, subject, html, text })
- *     }
- *   }
- * }
- * ```
- */
-export interface EmailAdapter {
-    /**
-     * Send an email.
-     * Must throw on failure — AuthCore will not retry automatically.
-     */
-    send(options: {
-        from: string;
-        to: string;
-        subject: string;
-        html: string;
-        text: string;
-    }): Promise<void>;
-}
-//# sourceMappingURL=email.interface.d.ts.map

package/dist/adapters/email.interface.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"email.interface.d.ts","sourceRoot":"","sources":["../../src/adapters/email.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,IAAI,CAAC,OAAO,EAAE;QACZ,IAAI,EAAE,MAAM,CAAA;QACZ,EAAE,EAAE,MAAM,CAAA;QACV,OAAO,EAAE,MAAM,CAAA;QACf,IAAI,EAAE,MAAM,CAAA;QACZ,IAAI,EAAE,MAAM,CAAA;KACb,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClB"}

package/dist/adapters/email.interface.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=email.interface.js.map

package/dist/adapters/email.interface.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"email.interface.js","sourceRoot":"","sources":["../../src/adapters/email.interface.ts"],"names":[],"mappings":""}

package/dist/types.d.ts

@@ -1,76 +0,0 @@
-/**
- * Core domain types for AuthCore.
- * These are the canonical shapes that adapters must produce/consume.
- */
-export type TokenType = 'EMAIL_VERIFICATION' | 'PASSWORD_RESET' | 'SESSION' | 'INVITATION';
-/** A user record as stored in the database. */
-export interface User {
-    id: string;
-    email: string;
-    passwordHash: string;
-    emailVerified: boolean;
-    role: string;
-    createdAt: Date;
-    updatedAt: Date;
-}
-/** A token record as stored in the database. The `token` field is the hashed value. */
-export interface Token {
-    id: string;
-    userId: string;
-    type: TokenType;
-    /** SHA-256 hash of the raw token. Never the raw token itself. */
-    token: string;
-    expiresAt: Date;
-    createdAt: Date;
-}
-/** Input shape for creating a new user. */
-export interface CreateUserInput {
-    email: string;
-    passwordHash: string;
-    role?: string;
-}
-/** Input shape for creating a new token. */
-export interface CreateTokenInput {
-    userId: string;
-    type: TokenType;
-    /** SHA-256 hash of the raw token. */
-    token: string;
-    expiresAt: Date;
-}
-/** Safe user shape returned to callers (no passwordHash). */
-export type PublicUser = Omit<User, 'passwordHash'>;
-/** Configuration for the AuthCore session/JWT strategy. */
-export interface SessionConfig {
-    strategy: 'jwt';
-    secret: string;
-    expiresIn?: string;
-}
-/** Configuration for email features. */
-export interface EmailConfig {
-    provider: import('./adapters/email.interface.js').EmailAdapter;
-    from: string;
-}
-/** Optional lifecycle callbacks. */
-export interface AuthCallbacks {
-    onSignUp?: (user: PublicUser) => void | Promise<void>;
-    onSignIn?: (user: PublicUser) => void | Promise<void>;
-    onSignOut?: (userId: string) => void | Promise<void>;
-    onPasswordReset?: (user: PublicUser) => void | Promise<void>;
-}
-/** Top-level AuthCore configuration object. */
-export interface AuthCoreConfig {
-    db: import('./adapters/database.interface.js').DatabaseAdapter;
-    session: SessionConfig;
-    email?: EmailConfig;
-    features?: Array<'emailVerification' | 'passwordReset' | 'invitation'>;
-    mode?: 'api' | 'monorepo' | 'auto';
-    password?: {
-        minLength?: number;
-        saltRounds?: number;
-    };
-    rbac?: {
-        defaultRole?: string;
-    };
-    callbacks?: AuthCallbacks;
-}
-//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,SAAS,GAAG,YAAY,CAAA;AAE1F,+CAA+C;AAC/C,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,uFAAuF;AACvF,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,SAAS,CAAA;IACf,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,2CAA2C;AAC3C,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;IACpB,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED,4CAA4C;AAC5C,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,SAAS,CAAA;IACf,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,6DAA6D;AAC7D,MAAM,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;AAEnD,2DAA2D;AAC3D,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,KAAK,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,OAAO,+BAA+B,EAAE,YAAY,CAAA;IAC9D,IAAI,EAAE,MAAM,CAAA;CACb;AAED,oCAAoC;AACpC,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrD,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrD,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACpD,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7D;AAED,+CAA+C;AAC/C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,kCAAkC,EAAE,eAAe,CAAA;IAC9D,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,CAAC,EAAE,WAAW,CAAA;IACnB,QAAQ,CAAC,EAAE,KAAK,CAAC,mBAAmB,GAAG,eAAe,GAAG,YAAY,CAAC,CAAA;IACtE,IAAI,CAAC,EAAE,KAAK,GAAG,UAAU,GAAG,MAAM,CAAA;IAClC,QAAQ,CAAC,EAAE;QACT,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;IACD,IAAI,CAAC,EAAE;QACL,WAAW,CAAC,EAAE,MAAM,CAAA;KACrB,CAAA;IACD,SAAS,CAAC,EAAE,aAAa,CAAA;CAC1B"}

package/dist/types.js

@@ -1,6 +0,0 @@
-/**
- * Core domain types for AuthCore.
- * These are the canonical shapes that adapters must produce/consume.
- */
-export {};
-//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}