@authcore/core 0.7.0 → 0.12.0

package/dist/oauth/discord.js

@@ -0,0 +1,86 @@
+const DEFAULT_SCOPES = ['identify', 'email'];
+/**
+ * Create a Discord OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createDiscordProvider } from '@authcore/core'
+ * const discord = createDiscordProvider({
+ *   clientId: process.env.DISCORD_CLIENT_ID!,
+ *   clientSecret: process.env.DISCORD_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { discord } })
+ * ```
+ *
+ * Notes:
+ * - Discord exposes `verified` on the user object — AuthCore threads that
+ *   straight through to `emailVerified`. Unverified Discord users will hit
+ *   the standard AuthCore "EMAIL_NOT_VERIFIED_BY_PROVIDER" gate when linking
+ *   to an existing local account.
+ * - User avatar URLs are constructed from the user's `id` + `avatar` hash
+ *   (https://discord.com/developers/docs/reference#image-formatting).
+ */
+export function createDiscordProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    return {
+        id: 'discord',
+        scopes,
+        authorize: ({ state, codeChallenge, redirectUri }) => {
+            const url = new URL('https://discord.com/oauth2/authorize');
+            url.searchParams.set('client_id', config.clientId);
+            url.searchParams.set('redirect_uri', redirectUri);
+            url.searchParams.set('response_type', 'code');
+            url.searchParams.set('scope', scopes.join(' '));
+            url.searchParams.set('state', state);
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            // `prompt=consent` ensures Discord re-asks (vs. silently re-using a prior approval).
+            url.searchParams.set('prompt', 'consent');
+            return url.toString();
+        },
+        exchangeCode: async ({ code, codeVerifier, redirectUri }) => {
+            const res = await fetch('https://discord.com/api/oauth2/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: redirectUri,
+                    grant_type: 'authorization_code',
+                    code_verifier: codeVerifier,
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`Discord token exchange failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            return {
+                accessToken: body.access_token,
+                ...(body.refresh_token !== undefined ? { refreshToken: body.refresh_token } : {}),
+                ...(body.expires_in !== undefined ? { expiresIn: body.expires_in } : {}),
+            };
+        },
+        getUserInfo: async (accessToken) => {
+            const res = await fetch('https://discord.com/api/users/@me', {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!res.ok) {
+                throw new Error(`Discord /users/@me failed (${res.status}): ${await res.text()}`);
+            }
+            const me = (await res.json());
+            if (!me.email) {
+                throw new Error('Discord account has no email (was the `email` scope requested?)');
+            }
+            return {
+                id: me.id,
+                email: me.email,
+                emailVerified: me.verified === true,
+                ...(me.global_name || me.username ? { name: me.global_name ?? me.username } : {}),
+                ...(me.avatar
+                    ? { picture: `https://cdn.discordapp.com/avatars/${me.id}/${me.avatar}.png` }
+                    : {}),
+            };
+        },
+    };
+}
+//# sourceMappingURL=discord.js.map

package/dist/oauth/discord.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discord.js","sourceRoot":"","sources":["../../src/oauth/discord.ts"],"names":[],"mappings":"AAYA,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;AAE5C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAA;IAE9C,OAAO;QACL,EAAE,EAAE,SAAS;QACb,MAAM;QAEN,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,sCAAsC,CAAC,CAAA;YAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;YAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;YAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YACpC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;YACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YACrD,qFAAqF;YACrF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;YACzC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;QAED,YAAY,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,EAAE;gBAC9D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,YAAY,EAAE,WAAW;oBACzB,UAAU,EAAE,oBAAoB;oBAChC,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACvF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;YACD,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzE,CAAA;QACH,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,mCAAmC,EAAE;gBAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;aACpD,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACnF,CAAC;YACD,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAO3B,CAAA;YACD,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;YACpF,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,EAAE,CAAC,EAAE;gBACT,KAAK,EAAE,EAAE,CAAC,KAAK;gBACf,aAAa,EAAE,EAAE,CAAC,QAAQ,KAAK,IAAI;gBACnC,GAAG,CAAC,EAAE,CAAC,WAAW,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,EAAE,CAAC,MAAM;oBACX,CAAC,CAAC,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,MAAM,EAAE;oBAC7E,CAAC,CAAC,EAAE,CAAC;aACR,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/oauth/github.d.ts

@@ -0,0 +1,35 @@
+import type { OAuthProvider } from '@authcore/types';
+export interface GithubProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    /**
+     * Defaults to `['read:user', 'user:email']`. `user:email` is required to read
+     * the user's verified primary email — GitHub does not include email in the
+     * user object unless it has been marked public on the account.
+     */
+    scopes?: string[];
+    /** Optional GitHub Enterprise base URL (e.g. `https://ghe.example.com`). */
+    enterpriseBaseUrl?: string;
+}
+/**
+ * Create a GitHub OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createGithubProvider } from '@authcore/core'
+ * const github = createGithubProvider({
+ *   clientId: process.env.GITHUB_CLIENT_ID!,
+ *   clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { github } })
+ * ```
+ *
+ * Notes:
+ * - GitHub does not natively support PKCE on the OAuth Apps endpoint, but it
+ *   accepts the `code_challenge`/`code_challenge_method` query params without
+ *   error. AuthCore sends them anyway; GitHub OAuth Apps ignore them while
+ *   GitHub Apps verify them when configured to.
+ * - The email returned is always the user's **verified primary** email. If
+ *   they have no verified email, the provider throws — login is refused.
+ */
+export declare function createGithubProvider(config: GithubProviderConfig): OAuthProvider;
+//# sourceMappingURL=github.d.ts.map

package/dist/oauth/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/oauth/github.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,4EAA4E;IAC5E,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,aAAa,CAoHhF"}

package/dist/oauth/github.js

@@ -0,0 +1,114 @@
+const DEFAULT_SCOPES = ['read:user', 'user:email'];
+/**
+ * Create a GitHub OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createGithubProvider } from '@authcore/core'
+ * const github = createGithubProvider({
+ *   clientId: process.env.GITHUB_CLIENT_ID!,
+ *   clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { github } })
+ * ```
+ *
+ * Notes:
+ * - GitHub does not natively support PKCE on the OAuth Apps endpoint, but it
+ *   accepts the `code_challenge`/`code_challenge_method` query params without
+ *   error. AuthCore sends them anyway; GitHub OAuth Apps ignore them while
+ *   GitHub Apps verify them when configured to.
+ * - The email returned is always the user's **verified primary** email. If
+ *   they have no verified email, the provider throws — login is refused.
+ */
+export function createGithubProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const oauthBase = config.enterpriseBaseUrl
+        ? `${config.enterpriseBaseUrl}/login/oauth`
+        : 'https://github.com/login/oauth';
+    const apiBase = config.enterpriseBaseUrl
+        ? `${config.enterpriseBaseUrl}/api/v3`
+        : 'https://api.github.com';
+    return {
+        id: 'github',
+        scopes,
+        authorize: ({ state, codeChallenge, redirectUri }) => {
+            const url = new URL(`${oauthBase}/authorize`);
+            url.searchParams.set('client_id', config.clientId);
+            url.searchParams.set('redirect_uri', redirectUri);
+            url.searchParams.set('scope', scopes.join(' '));
+            url.searchParams.set('state', state);
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            return url.toString();
+        },
+        exchangeCode: async ({ code, codeVerifier, redirectUri }) => {
+            const res = await fetch(`${oauthBase}/access_token`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Accept: 'application/json',
+                },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: redirectUri,
+                    code_verifier: codeVerifier,
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`GitHub token exchange failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            if (body.error) {
+                throw new Error(`GitHub token exchange failed: ${body.error_description ?? body.error}`);
+            }
+            if (!body.access_token) {
+                throw new Error('GitHub token exchange returned no access_token');
+            }
+            return {
+                accessToken: body.access_token,
+                ...(body.refresh_token !== undefined ? { refreshToken: body.refresh_token } : {}),
+                ...(body.expires_in !== undefined ? { expiresIn: body.expires_in } : {}),
+            };
+        },
+        getUserInfo: async (accessToken) => {
+            // 1. Profile
+            const profileRes = await fetch(`${apiBase}/user`, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    Accept: 'application/vnd.github+json',
+                    'X-GitHub-Api-Version': '2022-11-28',
+                },
+            });
+            if (!profileRes.ok) {
+                throw new Error(`GitHub /user failed (${profileRes.status}): ${await profileRes.text()}`);
+            }
+            const profile = (await profileRes.json());
+            // 2. Verified primary email — GitHub returns null on /user.email when the
+            //    user has hidden their email, so we always fetch the email list.
+            const emailRes = await fetch(`${apiBase}/user/emails`, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    Accept: 'application/vnd.github+json',
+                    'X-GitHub-Api-Version': '2022-11-28',
+                },
+            });
+            if (!emailRes.ok) {
+                throw new Error(`GitHub /user/emails failed (${emailRes.status}): ${await emailRes.text()}`);
+            }
+            const emails = (await emailRes.json());
+            const primary = emails.find((e) => e.primary && e.verified) ?? emails.find((e) => e.verified);
+            if (!primary) {
+                throw new Error('GitHub account has no verified email');
+            }
+            return {
+                id: String(profile.id),
+                email: primary.email,
+                emailVerified: primary.verified,
+                ...(profile.name ? { name: profile.name } : { name: profile.login }),
+                ...(profile.avatar_url ? { picture: profile.avatar_url } : {}),
+            };
+        },
+    };
+}
+//# sourceMappingURL=github.js.map

package/dist/oauth/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/oauth/github.ts"],"names":[],"mappings":"AAeA,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;AAElD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAA;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,iBAAiB;QACxC,CAAC,CAAC,GAAG,MAAM,CAAC,iBAAiB,cAAc;QAC3C,CAAC,CAAC,gCAAgC,CAAA;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,iBAAiB;QACtC,CAAC,CAAC,GAAG,MAAM,CAAC,iBAAiB,SAAS;QACtC,CAAC,CAAC,wBAAwB,CAAA;IAE5B,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,MAAM;QAEN,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,SAAS,YAAY,CAAC,CAAA;YAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;YAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YACpC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;YACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YACrD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;QAED,YAAY,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,eAAe,EAAE;gBACnD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,YAAY,EAAE,WAAW;oBACzB,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACtF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAQ7B,CAAA;YACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAA;YAC1F,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;YACnE,CAAC;YACD,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzE,CAAA;QACH,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;YACjC,aAAa;YACb,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,OAAO,EAAE;gBAChD,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;oBACrC,sBAAsB,EAAE,YAAY;iBACrC;aACF,CAAC,CAAA;YACF,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,wBAAwB,UAAU,CAAC,MAAM,MAAM,MAAM,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YAC3F,CAAC;YACD,MAAM,OAAO,GAAG,CAAC,MAAM,UAAU,CAAC,IAAI,EAAE,CAMvC,CAAA;YAED,0EAA0E;YAC1E,qEAAqE;YACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,cAAc,EAAE;gBACrD,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;oBACrC,sBAAsB,EAAE,YAAY;iBACrC;aACF,CAAC,CAAA;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,MAAM,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YAC9F,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKnC,CAAA;YACF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;YAC7F,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;YACzD,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,aAAa,EAAE,OAAO,CAAC,QAAQ;gBAC/B,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;gBACpE,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/D,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/oauth/google.d.ts

@@ -0,0 +1,21 @@
+import type { OAuthProvider } from '@authcore/types';
+export interface GoogleProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    /** Defaults to `['openid', 'email', 'profile']` — matches the OpenID Connect minimum. */
+    scopes?: string[];
+}
+/**
+ * Create a Google OAuth 2.0 / OpenID Connect provider.
+ *
+ * ```ts
+ * import { createGoogleProvider } from '@authcore/core'
+ * const google = createGoogleProvider({
+ *   clientId: process.env.GOOGLE_CLIENT_ID!,
+ *   clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { google } })
+ * ```
+ */
+export declare function createGoogleProvider(config: GoogleProviderConfig): OAuthProvider;
+//# sourceMappingURL=google.d.ts.map

package/dist/oauth/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../src/oauth/google.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,yFAAyF;IACzF,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAID;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,aAAa,CA2EhF"}

package/dist/oauth/google.js

@@ -0,0 +1,76 @@
+const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
+/**
+ * Create a Google OAuth 2.0 / OpenID Connect provider.
+ *
+ * ```ts
+ * import { createGoogleProvider } from '@authcore/core'
+ * const google = createGoogleProvider({
+ *   clientId: process.env.GOOGLE_CLIENT_ID!,
+ *   clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { google } })
+ * ```
+ */
+export function createGoogleProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    return {
+        id: 'google',
+        scopes,
+        authorize: ({ state, codeChallenge, redirectUri }) => {
+            const url = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+            url.searchParams.set('client_id', config.clientId);
+            url.searchParams.set('redirect_uri', redirectUri);
+            url.searchParams.set('response_type', 'code');
+            url.searchParams.set('scope', scopes.join(' '));
+            url.searchParams.set('state', state);
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            // access_type=offline + prompt=consent ensures we get a refresh_token from Google.
+            // Without these, Google only issues a refresh token on the user's FIRST consent.
+            url.searchParams.set('access_type', 'offline');
+            url.searchParams.set('prompt', 'consent');
+            return url.toString();
+        },
+        exchangeCode: async ({ code, codeVerifier, redirectUri }) => {
+            const res = await fetch('https://oauth2.googleapis.com/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: redirectUri,
+                    grant_type: 'authorization_code',
+                    code_verifier: codeVerifier,
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`Google token exchange failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            return {
+                accessToken: body.access_token,
+                ...(body.refresh_token !== undefined ? { refreshToken: body.refresh_token } : {}),
+                ...(body.expires_in !== undefined ? { expiresIn: body.expires_in } : {}),
+                ...(body.id_token !== undefined ? { idToken: body.id_token } : {}),
+            };
+        },
+        getUserInfo: async (accessToken) => {
+            const res = await fetch('https://openidconnect.googleapis.com/v1/userinfo', {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!res.ok) {
+                throw new Error(`Google userinfo failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            return {
+                id: body.sub,
+                email: body.email,
+                emailVerified: body.email_verified === true,
+                ...(body.name !== undefined ? { name: body.name } : {}),
+                ...(body.picture !== undefined ? { picture: body.picture } : {}),
+            };
+        },
+    };
+}
+//# sourceMappingURL=google.js.map

package/dist/oauth/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/oauth/google.ts"],"names":[],"mappings":"AASA,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAA;AAErD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAA;IAC9C,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,MAAM;QAEN,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,8CAA8C,CAAC,CAAA;YACnE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;YAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;YAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YACpC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;YACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YACrD,mFAAmF;YACnF,iFAAiF;YACjF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAA;YAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;YACzC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;QAED,YAAY,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;gBAC7D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,YAAY,EAAE,WAAW;oBACzB,UAAU,EAAE,oBAAoB;oBAChC,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACtF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAA;YACD,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACnE,CAAA;QACH,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,kDAAkD,EAAE;gBAC1E,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;aACpD,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YAChF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;YACD,OAAO;gBACL,EAAE,EAAE,IAAI,CAAC,GAAG;gBACZ,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,aAAa,EAAE,IAAI,CAAC,cAAc,KAAK,IAAI;gBAC3C,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,GAAG,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACjE,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/oauth/microsoft.d.ts

@@ -0,0 +1,40 @@
+import type { OAuthProvider } from '@authcore/types';
+export interface MicrosoftProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    /**
+     * Defaults to `['openid', 'profile', 'email']`. Add `offline_access` to receive
+     * a refresh token. Add `User.Read` for Microsoft Graph profile reads.
+     */
+    scopes?: string[];
+    /**
+     * Microsoft tenant — controls which accounts can sign in.
+     *   - `'common'` (default): personal Microsoft accounts AND work/school accounts in any Entra tenant.
+     *   - `'organizations'`: any Entra (work/school) tenant, no personal accounts.
+     *   - `'consumers'`: personal Microsoft accounts only.
+     *   - `<tenant-id-or-domain>`: restrict to a specific tenant.
+     */
+    tenant?: 'common' | 'organizations' | 'consumers' | (string & {});
+}
+/**
+ * Create a Microsoft Identity Platform (Entra ID) OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createMicrosoftProvider } from '@authcore/core'
+ * const microsoft = createMicrosoftProvider({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { microsoft } })
+ * ```
+ *
+ * Notes:
+ * - Reads the user's email + name from the OpenID Connect `id_token` claims
+ *   (no extra Graph call needed). Falls back to `/me` on Microsoft Graph if
+ *   the id_token is missing the email.
+ * - Microsoft does not have a `email_verified` flag in the id_token, so we
+ *   treat the email as verified (Microsoft verifies emails before issuing
+ *   accounts) — this matches the practice of other providers.
+ */
+export declare function createMicrosoftProvider(config: MicrosoftProviderConfig): OAuthProvider;
+//# sourceMappingURL=microsoft.d.ts.map

package/dist/oauth/microsoft.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.d.ts","sourceRoot":"","sources":["../../src/oauth/microsoft.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB;;;;;;OAMG;IACH,MAAM,CAAC,EAAE,QAAQ,GAAG,eAAe,GAAG,WAAW,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;CAClE;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,aAAa,CAmGtF"}

package/dist/oauth/microsoft.js

@@ -0,0 +1,126 @@
+const DEFAULT_SCOPES = ['openid', 'profile', 'email'];
+/**
+ * Create a Microsoft Identity Platform (Entra ID) OAuth 2.0 provider.
+ *
+ * ```ts
+ * import { createMicrosoftProvider } from '@authcore/core'
+ * const microsoft = createMicrosoftProvider({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ * })
+ * createAuth({ ..., oauth: { microsoft } })
+ * ```
+ *
+ * Notes:
+ * - Reads the user's email + name from the OpenID Connect `id_token` claims
+ *   (no extra Graph call needed). Falls back to `/me` on Microsoft Graph if
+ *   the id_token is missing the email.
+ * - Microsoft does not have a `email_verified` flag in the id_token, so we
+ *   treat the email as verified (Microsoft verifies emails before issuing
+ *   accounts) — this matches the practice of other providers.
+ */
+export function createMicrosoftProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const tenant = config.tenant ?? 'common';
+    const base = `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0`;
+    return {
+        id: 'microsoft',
+        scopes,
+        authorize: ({ state, codeChallenge, redirectUri }) => {
+            const url = new URL(`${base}/authorize`);
+            url.searchParams.set('client_id', config.clientId);
+            url.searchParams.set('redirect_uri', redirectUri);
+            url.searchParams.set('response_type', 'code');
+            url.searchParams.set('response_mode', 'query');
+            url.searchParams.set('scope', scopes.join(' '));
+            url.searchParams.set('state', state);
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            return url.toString();
+        },
+        exchangeCode: async ({ code, codeVerifier, redirectUri }) => {
+            const res = await fetch(`${base}/token`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: redirectUri,
+                    grant_type: 'authorization_code',
+                    code_verifier: codeVerifier,
+                    scope: scopes.join(' '),
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`Microsoft token exchange failed (${res.status}): ${await res.text()}`);
+            }
+            const body = (await res.json());
+            return {
+                accessToken: body.access_token,
+                ...(body.refresh_token !== undefined ? { refreshToken: body.refresh_token } : {}),
+                ...(body.expires_in !== undefined ? { expiresIn: body.expires_in } : {}),
+                ...(body.id_token !== undefined ? { idToken: body.id_token } : {}),
+            };
+        },
+        getUserInfo: async (accessToken, idToken) => {
+            // Prefer id_token claims (no extra network call).
+            if (idToken) {
+                const claims = decodeIdTokenClaims(idToken);
+                if (claims && typeof claims['sub'] === 'string') {
+                    const email = (typeof claims['email'] === 'string' && claims['email']) ||
+                        (typeof claims['preferred_username'] === 'string' && claims['preferred_username']) ||
+                        null;
+                    if (email) {
+                        return {
+                            id: claims['sub'],
+                            email,
+                            emailVerified: true,
+                            ...(typeof claims['name'] === 'string' ? { name: claims['name'] } : {}),
+                        };
+                    }
+                }
+            }
+            // Fallback to Microsoft Graph /me.
+            const res = await fetch('https://graph.microsoft.com/v1.0/me', {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!res.ok) {
+                throw new Error(`Microsoft Graph /me failed (${res.status}): ${await res.text()}`);
+            }
+            const me = (await res.json());
+            const email = me.mail ?? me.userPrincipalName;
+            if (!email) {
+                throw new Error('Microsoft account has no email or userPrincipalName');
+            }
+            return {
+                id: me.id,
+                email,
+                emailVerified: true,
+                ...(me.displayName ? { name: me.displayName } : {}),
+            };
+        },
+    };
+}
+/**
+ * Decode the *payload* of a JWS (id_token) without verifying its signature.
+ *
+ * Safe in this context because:
+ *  - The id_token was just returned from a TLS-protected exchange with Microsoft.
+ *  - We only use it to read non-sensitive identity claims (sub, email, name).
+ *  - We do NOT use it for authentication decisions — AuthCore mints its own
+ *    JWT (HS256, signed with `session.secret`) for the session.
+ */
+function decodeIdTokenClaims(idToken) {
+    const parts = idToken.split('.');
+    if (parts.length < 2)
+        return null;
+    try {
+        const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+        return JSON.parse(payload);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=microsoft.js.map

package/dist/oauth/microsoft.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.js","sourceRoot":"","sources":["../../src/oauth/microsoft.ts"],"names":[],"mappings":"AAoBA,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AAErD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAA+B;IACrE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAA;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,QAAQ,CAAA;IACxC,MAAM,IAAI,GAAG,qCAAqC,kBAAkB,CAAC,MAAM,CAAC,cAAc,CAAA;IAE1F,OAAO;QACL,EAAE,EAAE,WAAW;QACf,MAAM;QAEN,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,YAAY,CAAC,CAAA;YACxC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;YAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAA;YAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;YAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YACpC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;YACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YACrD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;QAED,YAAY,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,QAAQ,EAAE;gBACvC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,YAAY,EAAE,WAAW;oBACzB,UAAU,EAAE,oBAAoB;oBAChC,aAAa,EAAE,YAAY;oBAC3B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;iBACxB,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACzF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;YACD,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjF,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACnE,CAAA;QACH,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;YAC1C,kDAAkD;YAClD,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,MAAM,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;gBAC3C,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAChD,MAAM,KAAK,GACT,CAAC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;wBACxD,CAAC,OAAO,MAAM,CAAC,oBAAoB,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,oBAAoB,CAAC,CAAC;wBAClF,IAAI,CAAA;oBACN,IAAI,KAAK,EAAE,CAAC;wBACV,OAAO;4BACL,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;4BACjB,KAAK;4BACL,aAAa,EAAE,IAAI;4BACnB,GAAG,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;yBACxE,CAAA;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,mCAAmC;YACnC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;gBAC7D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;aACpD,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACpF,CAAC;YACD,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK3B,CAAA;YACD,MAAM,KAAK,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,iBAAiB,CAAA;YAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;YACxE,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,EAAE,CAAC,EAAE;gBACT,KAAK;gBACL,aAAa,EAAE,IAAI;gBACnB,GAAG,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAChC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACjC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAA;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/utils/token.d.ts

@@ -3,6 +3,23 @@
  * Returns a 64-character hex string (256 bits of entropy).
  */
 export declare function generateOpaqueToken(): string;
+/**
+ * Generate a CSRF token. Same shape as `generateOpaqueToken` (256 bits of entropy)
+ * but kept as a separate export to make intent explicit at call sites.
+ * The CSRF token is NOT hashed before storage — it's sent to the client as a cookie
+ * value AND compared byte-for-byte against the `X-CSRF-Token` header on each request.
+ */
+export declare function generateCsrfToken(): string;
+/**
+ * Generate a PKCE code verifier (RFC 7636 §4.1).
+ * 32 random bytes → 43-char base64url string (no padding), within the 43-128 char range.
+ */
+export declare function generatePkceVerifier(): string;
+/**
+ * Build the PKCE code challenge (S256 method) from a verifier.
+ * SHA-256 of the verifier, base64url-encoded (no padding).
+ */
+export declare function pkceChallenge(verifier: string): string;
 /**
  * Hash a raw token using SHA-256 for safe database storage.
  * Store the hash; return the raw token to the user.
@@ -42,4 +59,24 @@ export declare function signJwt(payload: Omit<JwtPayload, 'iat' | 'exp'>, secret
  * @returns Decoded payload, or null if invalid/expired
  */
 export declare function verifyJwt(token: string, secret: string): JwtPayload | null;
+/** Payload shape for a short-lived 2FA challenge token. */
+export interface TwoFactorChallengePayload {
+    sub: string;
+    scope: '2fa-pending';
+    iat?: number;
+    exp?: number;
+}
+/**
+ * Sign a short-lived JWT used as a 2FA login challenge. The token carries the
+ * user id + a scope claim, and expires after `expiresIn` (default 5 minutes).
+ * It is NOT a session token — verify with {@link verifyTwoFactorChallenge}.
+ */
+export declare function signTwoFactorChallenge(userId: string, secret: string, expiresIn?: string): string;
+/**
+ * Verify a 2FA challenge token. Rejects tokens with the wrong scope so a
+ * session JWT can't be reused as a challenge (and vice versa).
+ *
+ * @returns The decoded payload, or `null` if invalid / expired / wrong scope.
+ */
+export declare function verifyTwoFactorChallenge(token: string, secret: string): TwoFactorChallengePayload | null;
 //# sourceMappingURL=token.d.ts.map

package/dist/utils/token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAK/D;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EACxC,MAAM,EAAE,MAAM,EACd,SAAS,SAAO,GACf,MAAM,CAIR;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAQ1E"}
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/utils/token.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAK/D;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EACxC,MAAM,EAAE,MAAM,EACd,SAAS,SAAO,GACf,MAAM,CAIR;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAQ1E;AAED,2DAA2D;AAC3D,MAAM,WAAW,yBAAyB;IACxC,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,aAAa,CAAA;IACpB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,SAAO,GAAG,MAAM,CAI/F;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,yBAAyB,GAAG,IAAI,CAUlC"}