@authticon/client 0.0.0-beta9 → 0.0.3

package/dist/password.d.ts

@@ -0,0 +1,8 @@
+type PasswordOptions = {
+    baseUrl?: string;
+};
+export declare const createPassword: ({ baseUrl }: PasswordOptions) => {
+    encrypt: (password: string) => Promise<string>;
+};
+export {};
+//# sourceMappingURL=password.d.ts.map

package/dist/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../src/password.ts"],"names":[],"mappings":"AAAA,KAAK,eAAe,GAAG;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,aAAa,eAAe;wBAuB7B,MAAM;CAWnC,CAAC"}

package/dist/password.js

@@ -0,0 +1,23 @@
+export const createPassword = ({ baseUrl }) => {
+    baseUrl = baseUrl ?? "https://authticon.com";
+    const importPublicKey = async () => {
+        const response = await fetch(`${baseUrl}/.well-known/encryption-key.pem`);
+        const pem = await response.text();
+        const pemContents = pem
+            .replace(/-----BEGIN PUBLIC KEY-----/, "")
+            .replace(/-----END PUBLIC KEY-----/, "")
+            .replace(/\s/g, "");
+        const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+        const publicKey = await window.crypto.subtle.importKey("spki", binaryDer.buffer, { name: "RSA-OAEP", hash: "SHA-256" }, false, ["encrypt"]);
+        return publicKey;
+    };
+    return {
+        encrypt: async (password) => {
+            const publicKey = await importPublicKey();
+            const encoded = new TextEncoder().encode(password);
+            const encrypted = await window.crypto.subtle.encrypt({ name: "RSA-OAEP" }, publicKey, encoded);
+            return btoa(String.fromCharCode(...new Uint8Array(encrypted)));
+        },
+    };
+};
+//# sourceMappingURL=password.js.map

package/dist/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../src/password.ts"],"names":[],"mappings":"AAIA,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,EAAE,OAAO,EAAmB,EAAE,EAAE;IAC7D,OAAO,GAAG,OAAO,IAAI,uBAAuB,CAAC;IAC7C,MAAM,eAAe,GAAG,KAAK,IAAI,EAAE;QACjC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,iCAAiC,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,GAAG;aACpB,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;aACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;aACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CACzD,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAChB,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACpD,MAAM,EACN,SAAS,CAAC,MAAM,EAChB,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,KAAK,EAAE,QAAgB,EAAE,EAAE;YAClC,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAClD,EAAE,IAAI,EAAE,UAAU,EAAE,EACpB,SAAS,EACT,OAAO,CACR,CAAC;YACF,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACjE,CAAC;KACF,CAAC;AACJ,CAAC,CAAC"}

package/dist/session.d.ts

@@ -0,0 +1,99 @@
+import type { Logger } from "pino";
+import type { AdminClient } from "./clients/admin.js";
+import type { AcceptInvitationData, ChangeEmailData, ChangePasswordData, ChangePhoneData, CreateGuestUserData, CreateInvitationData, DeleteInvitationData, DisableTwoFaData, EnableTwoFaData, ForgotPasswordData, LoginByMagicLinkData, LoginData, RegisterData, ResendEmailConfirmationData, SendTwoFaCodeData, SetPasswordData, UpdateMeData, VerifyPhoneData } from "./clients/generated/types.gen.js";
+import { type TokenVerifier } from "./tokens.js";
+import type { AccessTokenPayload, Challenge, CookieAdapter, DefaultAccessTokenPayload, SessionUser, TokenStorageOptions } from "./types.js";
+export type SessionClientDeps = {
+    readonly projectId: string;
+    readonly baseUrl: string;
+    readonly verifier: TokenVerifier<any>;
+    readonly logger?: Logger;
+};
+export type Session<Payload extends Record<string, any> = DefaultAccessTokenPayload> = Awaited<ReturnType<typeof createSession<Payload>>>;
+export declare const createSession: <Payload extends Record<string, any> = Record<string, any>>(deps: SessionClientDeps, cookies: CookieAdapter, tokenStorageOptions?: TokenStorageOptions) => Promise<{
+    login: (params: LoginData["body"]) => Promise<SessionUser<Payload>>;
+    loginByMagicLink: (params: LoginByMagicLinkData["body"]) => Promise<SessionUser<Payload>>;
+    loginAs: (admin: AdminClient, targetUserId: string) => Promise<SessionUser<Payload> | null>;
+    backToAdmin: () => Promise<SessionUser<Payload> | null>;
+    register: (params: RegisterData["body"]) => Promise<{
+        userId: string;
+    }>;
+    forgotPassword: (params: ForgotPasswordData["body"]) => Promise<null>;
+    verifyEmail: (token: string) => Promise<void>;
+    createGuest: (params: CreateGuestUserData["body"]) => Promise<SessionUser<Payload>>;
+    acceptInvitation: (params: AcceptInvitationData["body"]) => Promise<SessionUser<Payload>>;
+    resendConfirmation: (params: ResendEmailConfirmationData["body"]) => Promise<null>;
+    getMe: () => Promise<{
+        id: string;
+        email: string;
+        firstName: string | null;
+        lastName: string | null;
+        isGuest: boolean;
+        claims: unknown;
+        phone: string | null;
+        locale: string;
+        passwordUpdatedAt: string | null;
+        hasPassword: boolean;
+        twoFaEnabled: boolean;
+        twoFaType: "APP" | "EMAIL" | "PHONE";
+        isBlocked: boolean;
+        isBlockedUntil: string | null;
+        phoneVerified: boolean;
+        emailVerified: boolean;
+        roles: Array<{
+            id: string;
+            role: string;
+            group: string;
+        }>;
+        metadata: {
+            [key: string]: unknown;
+        };
+    }>;
+    updateUser: (params: UpdateMeData["body"]) => Promise<{
+        id: string;
+    }>;
+    updateMe: (params: UpdateMeData["body"]) => Promise<{
+        id: string;
+    }>;
+    getUser: () => SessionUser<Payload> | null;
+    requireUser: () => SessionUser<Payload>;
+    getFirstChallenge: () => Challenge | undefined;
+    isLoggedIn: () => boolean;
+    isLoggedInByAdmin: () => boolean;
+    logout: () => Promise<void>;
+    refresh: () => Promise<void>;
+    getDeviceId: () => string | null;
+    changeEmail: (params: ChangeEmailData["body"]) => Promise<null>;
+    changePassword: (params: ChangePasswordData["body"]) => Promise<null>;
+    setPassword: (params: SetPasswordData["body"]) => Promise<null>;
+    changePhone: (params: ChangePhoneData["body"]) => Promise<null>;
+    verifyPhone: (params: VerifyPhoneData["body"]) => Promise<null>;
+    getTwoFaSecret: () => Promise<{
+        secret: string;
+        uri: string;
+    }>;
+    enableTwoFa: (params: EnableTwoFaData["body"]) => Promise<void>;
+    disableTwoFa: (params: DisableTwoFaData["body"]) => Promise<void>;
+    sendTwoFaCode: (params: SendTwoFaCodeData["body"]) => Promise<void>;
+    verifyTwoFaCode: (code: string, remember?: boolean) => Promise<SessionUser<Payload>>;
+    createInvitation: (params: CreateInvitationData["body"]) => Promise<{
+        id: string;
+        email: string;
+        token: string;
+        validTo: string;
+        role: string | null;
+        group: string | null;
+        returnUrl: string | null;
+    }>;
+    deleteInvitation: (params: DeleteInvitationData["path"]) => Promise<{
+        id: string;
+    }>;
+    tokens: {
+        getAccessToken: () => string | null;
+        getRefreshToken: () => string | null;
+        verify: (token?: string) => Promise<AccessTokenPayload<Payload>>;
+        clear: () => void;
+    };
+    cookies: CookieAdapter;
+}>;
+//# sourceMappingURL=session.d.ts.map

package/dist/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,KAAK,EACV,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,SAAS,EACT,YAAY,EACZ,2BAA2B,EAC3B,iBAAiB,EACjB,eAAe,EACf,YAAY,EACZ,eAAe,EAChB,MAAM,kCAAkC,CAAC;AAG1C,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,KAAK,EACV,kBAAkB,EAClB,SAAS,EACT,aAAa,EACb,yBAAyB,EACzB,WAAW,EACX,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,OAAO,CACjB,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,yBAAyB,IAC7D,OAAO,CAAC,UAAU,CAAC,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAEvD,eAAO,MAAM,aAAa,GACxB,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAEzD,MAAM,iBAAiB,EACvB,SAAS,aAAa,EACtB,sBAAsB,mBAAmB;oBAuGvB,SAAS,CAAC,MAAM,CAAC;+BAYA,oBAAoB,CAAC,MAAM,CAAC;qBAYtC,WAAW,gBAAgB,MAAM;;uBAyB/B,YAAY,CAAC,MAAM,CAAC;;;6BAMpB,kBAAkB,CAAC,MAAM,CAAC;yBAG9B,MAAM;0BAEC,mBAAmB,CAAC,MAAM,CAAC;+BAQ5B,oBAAoB,CAAC,MAAM,CAAC;iCAM1B,2BAA2B,CAAC,MAAM,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAKrC,YAAY,CAAC,MAAM,CAAC;;;uBAGtB,YAAY,CAAC,MAAM,CAAC;;;mBAGhC,WAAW,CAAC,OAAO,CAAC,GAAG,IAAI;uBAEvB,WAAW,CAAC,OAAO,CAAC;6BAKd,SAAS,GAAG,SAAS;;;;;;0BAgChB,eAAe,CAAC,MAAM,CAAC;6BAGpB,kBAAkB,CAAC,MAAM,CAAC;0BAG7B,eAAe,CAAC,MAAM,CAAC;0BAGvB,eAAe,CAAC,MAAM,CAAC;0BAGvB,eAAe,CAAC,MAAM,CAAC;;;;;0BASvB,eAAe,CAAC,MAAM,CAAC;2BAGtB,gBAAgB,CAAC,MAAM,CAAC;4BAGvB,iBAAiB,CAAC,MAAM,CAAC;4BAGzB,MAAM;+BAQH,oBAAoB,CAAC,MAAM,CAAC;;;;;;;;;+BAG5B,oBAAoB,CAAC,MAAM,CAAC;;;;;;yBAMpC,MAAM;;;;EAelC,CAAC"}

package/dist/session.js

@@ -0,0 +1,223 @@
+import { createAuthClient } from "./clients/auth.js";
+import { createUserClient } from "./clients/user.js";
+import { AuthticonError } from "./errors.js";
+import { createTokenStorage } from "./tokens.js";
+export const createSession = async (deps, cookies, tokenStorageOptions) => {
+    const storage = createTokenStorage(cookies, tokenStorageOptions, deps.logger?.child({ authticon: "token-storage" }));
+    const { projectId, baseUrl, verifier, logger } = deps;
+    const authApi = createAuthClient({ projectId, baseUrl, logger });
+    const toSessionUser = (raw) => {
+        const { authticon, ...payload } = raw;
+        return {
+            ...payload,
+            sessionId: authticon.sessionId,
+            projectId: authticon.projectId,
+            challenges: authticon.challenges,
+            raw,
+        };
+    };
+    let cachedUser = null;
+    const buildUserApi = () => {
+        const accessToken = storage.getAccessToken();
+        if (!accessToken)
+            throw new AuthticonError("No access token available");
+        return createUserClient({ accessToken, baseUrl, logger });
+    };
+    const saveTokens = (tokens) => {
+        storage.setAccessToken(tokens.accessToken);
+        storage.setRefreshToken(tokens.refreshToken);
+        if (tokens.deviceId)
+            storage.setDeviceId(tokens.deviceId);
+    };
+    const verifyAndBuildUser = async (token) => {
+        const accessToken = token ?? storage.getAccessToken();
+        if (!accessToken)
+            throw new AuthticonError("No access token found");
+        const payload = (await verifier.verifyToken(accessToken));
+        return toSessionUser(payload);
+    };
+    const tryRefresh = async () => {
+        const refreshToken = storage.getRefreshToken();
+        if (!refreshToken)
+            return null;
+        try {
+            const result = await buildUserApi().refresh(refreshToken);
+            if (!result)
+                return null;
+            storage.setAccessToken(result.accessToken);
+            storage.setRefreshToken(result.refreshToken);
+            return result.accessToken;
+        }
+        catch {
+            storage.clear();
+            return null;
+        }
+    };
+    const resolveUser = async () => {
+        const accessToken = storage.getAccessToken();
+        if (!accessToken)
+            return null;
+        try {
+            return await verifyAndBuildUser(accessToken);
+        }
+        catch {
+            const newToken = await tryRefresh();
+            return newToken ? verifyAndBuildUser(newToken) : null;
+        }
+    };
+    const authenticateWith = async (apiCall, errorMsg) => {
+        const result = await apiCall();
+        if (!result)
+            throw new AuthticonError(errorMsg);
+        saveTokens(result);
+        cachedUser = await verifyAndBuildUser(result.accessToken);
+        return cachedUser;
+    };
+    const refreshAfterCall = async (apiCall) => {
+        const result = await apiCall();
+        await tryRefresh();
+        cachedUser = await resolveUser();
+        if (!cachedUser)
+            throw new AuthticonError("User is not authenticated");
+        return result;
+    };
+    cachedUser = await resolveUser();
+    return {
+        login: (params) => {
+            const deviceId = storage.getDeviceId() || undefined;
+            return authenticateWith(() => authApi.login({
+                ...params,
+                deviceId,
+            }), "Login failed");
+        },
+        loginByMagicLink: async (params) => {
+            const deviceId = storage.getDeviceId() || undefined;
+            return authenticateWith(() => authApi.loginByMagicLink({
+                ...params,
+                deviceId,
+            }), "Login by magic link failed");
+        },
+        loginAs: async (admin, targetUserId) => {
+            if (!cachedUser)
+                throw new AuthticonError("User is not authenticated");
+            const deviceId = storage.getDeviceId() || undefined;
+            if (!deviceId)
+                throw new AuthticonError("Device ID is not set");
+            const result = await admin.loginAs({
+                userId: cachedUser.id,
+                deviceId,
+                targetUserId,
+            });
+            storage.setAdminRefreshToken(storage.getRefreshToken());
+            storage.setRefreshToken(result.refreshToken);
+            storage.setAccessToken(result.accessToken);
+            return resolveUser();
+        },
+        backToAdmin: async () => {
+            const adminRefreshToken = storage.getAdminRefreshToken();
+            if (!adminRefreshToken)
+                throw new AuthticonError("Admin refresh token is not set");
+            storage.clearAdminRefreshToken();
+            storage.setRefreshToken(adminRefreshToken);
+            await tryRefresh();
+            return resolveUser();
+        },
+        register: async (params) => {
+            const result = await authApi.register(params);
+            if (!result)
+                throw new AuthticonError("Register failed");
+            return result;
+        },
+        forgotPassword: (params) => authApi.forgotPassword(params),
+        verifyEmail: (token) => authApi.verifyEmail({ token }),
+        createGuest: async (params) => {
+            const result = await authApi.createGuestUser(params);
+            if (!result)
+                throw new AuthticonError("Guest creation failed");
+            storage.setAccessToken(result.token);
+            cachedUser = await verifyAndBuildUser(result.token);
+            return cachedUser;
+        },
+        acceptInvitation: (params) => authenticateWith(() => authApi.acceptInvitation(params), "Invitation acceptance failed"),
+        resendConfirmation: (params) => authApi.resendConfirmation(params),
+        getMe: async () => buildUserApi().getMe(),
+        updateUser: async (params) => buildUserApi().updateMe(params),
+        updateMe: async (params) => buildUserApi().updateMe(params),
+        getUser: () => cachedUser,
+        requireUser: () => {
+            if (!cachedUser)
+                throw new AuthticonError("User is not authenticated");
+            return cachedUser;
+        },
+        getFirstChallenge: () => {
+            if (!cachedUser)
+                throw new AuthticonError("User is not authenticated");
+            return cachedUser.challenges[0];
+        },
+        isLoggedIn: () => storage.getAccessToken() !== null,
+        isLoggedInByAdmin: () => storage.getAdminRefreshToken() !== null,
+        logout: async () => {
+            try {
+                if (storage.getAccessToken()) {
+                    await buildUserApi().logout();
+                }
+            }
+            catch (error) {
+                logger?.warn({ error }, "Server logout failed");
+            }
+            finally {
+                storage.clearAccessToken();
+                storage.clearRefreshToken();
+                storage.clearAdminRefreshToken();
+                cachedUser = null;
+            }
+        },
+        refresh: async () => {
+            const newToken = await tryRefresh();
+            if (!newToken)
+                throw new AuthticonError("Token refresh failed");
+            cachedUser = await verifyAndBuildUser(newToken);
+        },
+        getDeviceId: () => storage.getDeviceId(),
+        changeEmail: async (params) => buildUserApi().changeEmail(params),
+        changePassword: async (params) => buildUserApi().changePassword(params),
+        setPassword: async (params) => buildUserApi().setPassword(params),
+        changePhone: async (params) => buildUserApi().changePhone(params),
+        verifyPhone: async (params) => buildUserApi().verifyPhone(params),
+        getTwoFaSecret: async () => {
+            const result = await buildUserApi().getTwoFaSecret();
+            if (!result)
+                throw new AuthticonError("Failed to get 2FA secret");
+            return result;
+        },
+        enableTwoFa: async (params) => refreshAfterCall(() => buildUserApi().enableTwoFa(params)),
+        disableTwoFa: async (params) => refreshAfterCall(() => buildUserApi().disableTwoFa(params)),
+        sendTwoFaCode: async (params) => buildUserApi().sendTwoFaCode(params),
+        verifyTwoFaCode: async (code, remember = false) => {
+            await buildUserApi().verifyTwoFa({ code, remember });
+            await tryRefresh();
+            cachedUser = await resolveUser();
+            if (!cachedUser)
+                throw new AuthticonError("User is not authenticated");
+            return cachedUser;
+        },
+        createInvitation: async (params) => buildUserApi().createInvitation(params),
+        deleteInvitation: async (params) => buildUserApi().deleteInvitation(params),
+        tokens: {
+            getAccessToken: () => storage.getAccessToken(),
+            getRefreshToken: () => storage.getRefreshToken(),
+            verify: async (token) => {
+                const accessToken = token ?? storage.getAccessToken();
+                if (!accessToken)
+                    throw new AuthticonError("No access token found");
+                return verifier.verifyToken(accessToken);
+            },
+            clear: () => {
+                storage.clear();
+                cachedUser = null;
+            },
+        },
+        cookies,
+    };
+};
+//# sourceMappingURL=session.js.map

package/dist/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAqBrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAsB,MAAM,aAAa,CAAC;AAqBrE,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAGhC,IAAuB,EACvB,OAAsB,EACtB,mBAAyC,EACzC,EAAE;IACF,MAAM,OAAO,GAAG,kBAAkB,CAChC,OAAO,EACP,mBAAmB,EACnB,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CACnD,CAAC;IACF,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACtD,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAEjE,MAAM,aAAa,GAAG,CACpB,GAAgC,EACV,EAAE;QACxB,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,EAAE,GAAG,GAAG,CAAC;QACtC,OAAO;YACL,GAAI,OAAmB;YACvB,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,UAAU,EAAE,SAAS,CAAC,UAAU;YAChC,GAAG;SACJ,CAAC;IACJ,CAAC,CAAC;IAEF,IAAI,UAAU,GAAgC,IAAI,CAAC;IAEnD,MAAM,YAAY,GAAG,GAAG,EAAE;QACxB,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,CAAC,WAAW;YAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;QACxE,OAAO,gBAAgB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,CAAC,MAInB,EAAQ,EAAE;QACT,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC3C,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,MAAM,CAAC,QAAQ;YAAE,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC5D,CAAC,CAAC;IAEF,MAAM,kBAAkB,GAAG,KAAK,EAC9B,KAAc,EACiB,EAAE;QACjC,MAAM,WAAW,GAAG,KAAK,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QACtD,IAAI,CAAC,WAAW;YAAE,MAAM,IAAI,cAAc,CAAC,uBAAuB,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,WAAW,CACzC,WAAW,CACZ,CAAgC,CAAC;QAClC,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,KAAK,IAA4B,EAAE;QACpD,MAAM,YAAY,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC/C,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,YAAY,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzB,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC3C,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7C,OAAO,MAAM,CAAC,WAAW,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,KAAK,IAA0C,EAAE;QACnE,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAC9B,IAAI,CAAC;YACH,OAAO,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,QAAQ,GAAG,MAAM,UAAU,EAAE,CAAC;YACpC,OAAO,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxD,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,gBAAgB,GAAG,KAAK,EAC5B,OAGC,EACD,QAAgB,EAChB,EAAE;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;QAChD,UAAU,CAAC,MAAM,CAAC,CAAC;QACnB,UAAU,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC,CAAC;IAEF,MAAM,gBAAgB,GAAG,KAAK,EAAK,OAAyB,EAAE,EAAE;QAC9D,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC;QAC/B,MAAM,UAAU,EAAE,CAAC;QACnB,UAAU,GAAG,MAAM,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;QACvE,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,UAAU,GAAG,MAAM,WAAW,EAAE,CAAC;IAEjC,OAAO;QACL,KAAK,EAAE,CAAC,MAAyB,EAAE,EAAE;YACnC,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,SAAS,CAAC;YACpD,OAAO,gBAAgB,CACrB,GAAG,EAAE,CACH,OAAO,CAAC,KAAK,CAAC;gBACZ,GAAG,MAAM;gBACT,QAAQ;aACT,CAAC,EACJ,cAAc,CACf,CAAC;QACJ,CAAC;QAED,gBAAgB,EAAE,KAAK,EAAE,MAAoC,EAAE,EAAE;YAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,SAAS,CAAC;YACpD,OAAO,gBAAgB,CACrB,GAAG,EAAE,CACH,OAAO,CAAC,gBAAgB,CAAC;gBACvB,GAAG,MAAM;gBACT,QAAQ;aACT,CAAC,EACJ,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,KAAkB,EAAE,YAAoB,EAAE,EAAE;YAC1D,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,SAAS,CAAC;YACpD,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,cAAc,CAAC,sBAAsB,CAAC,CAAC;YAChE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC;gBACjC,MAAM,EAAE,UAAU,CAAC,EAAE;gBACrB,QAAQ;gBACR,YAAY;aACb,CAAC,CAAC;YACH,OAAO,CAAC,oBAAoB,CAAC,OAAO,CAAC,eAAe,EAAG,CAAC,CAAC;YACzD,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7C,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC3C,OAAO,WAAW,EAAE,CAAC;QACvB,CAAC;QAED,WAAW,EAAE,KAAK,IAAI,EAAE;YACtB,MAAM,iBAAiB,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;YACzD,IAAI,CAAC,iBAAiB;gBACpB,MAAM,IAAI,cAAc,CAAC,gCAAgC,CAAC,CAAC;YAC7D,OAAO,CAAC,sBAAsB,EAAE,CAAC;YACjC,OAAO,CAAC,eAAe,CAAC,iBAAiB,CAAC,CAAC;YAC3C,MAAM,UAAU,EAAE,CAAC;YACnB,OAAO,WAAW,EAAE,CAAC;QACvB,CAAC;QAED,QAAQ,EAAE,KAAK,EAAE,MAA4B,EAAE,EAAE;YAC/C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,cAAc,CAAC,iBAAiB,CAAC,CAAC;YACzD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,cAAc,EAAE,CAAC,MAAkC,EAAE,EAAE,CACrD,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC;QAEhC,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,CAAC;QAE9D,WAAW,EAAE,KAAK,EAAE,MAAmC,EAAE,EAAE;YACzD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,cAAc,CAAC,uBAAuB,CAAC,CAAC;YAC/D,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrC,UAAU,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,gBAAgB,EAAE,CAAC,MAAoC,EAAE,EAAE,CACzD,gBAAgB,CACd,GAAG,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,EACtC,8BAA8B,CAC/B;QAEH,kBAAkB,EAAE,CAAC,MAA2C,EAAE,EAAE,CAClE,OAAO,CAAC,kBAAkB,CAAC,MAAM,CAAC;QAEpC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE;QAEzC,UAAU,EAAE,KAAK,EAAE,MAA4B,EAAE,EAAE,CACjD,YAAY,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAEjC,QAAQ,EAAE,KAAK,EAAE,MAA4B,EAAE,EAAE,CAC/C,YAAY,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAEjC,OAAO,EAAE,GAAgC,EAAE,CAAC,UAAU;QAEtD,WAAW,EAAE,GAAyB,EAAE;YACtC,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACvE,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,iBAAiB,EAAE,GAA0B,EAAE;YAC7C,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACvE,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,UAAU,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,KAAK,IAAI;QAEnD,iBAAiB,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,oBAAoB,EAAE,KAAK,IAAI;QAEhE,MAAM,EAAE,KAAK,IAAI,EAAE;YACjB,IAAI,CAAC;gBACH,IAAI,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;oBAC7B,MAAM,YAAY,EAAE,CAAC,MAAM,EAAE,CAAC;gBAChC,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,EAAE,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,sBAAsB,CAAC,CAAC;YAClD,CAAC;oBAAS,CAAC;gBACT,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC3B,OAAO,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,OAAO,CAAC,sBAAsB,EAAE,CAAC;gBACjC,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,MAAM,QAAQ,GAAG,MAAM,UAAU,EAAE,CAAC;YACpC,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,cAAc,CAAC,sBAAsB,CAAC,CAAC;YAChE,UAAU,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAClD,CAAC;QAED,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE;QAExC,WAAW,EAAE,KAAK,EAAE,MAA+B,EAAE,EAAE,CACrD,YAAY,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;QAEpC,cAAc,EAAE,KAAK,EAAE,MAAkC,EAAE,EAAE,CAC3D,YAAY,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC;QAEvC,WAAW,EAAE,KAAK,EAAE,MAA+B,EAAE,EAAE,CACrD,YAAY,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;QAEpC,WAAW,EAAE,KAAK,EAAE,MAA+B,EAAE,EAAE,CACrD,YAAY,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;QAEpC,WAAW,EAAE,KAAK,EAAE,MAA+B,EAAE,EAAE,CACrD,YAAY,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;QAEpC,cAAc,EAAE,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,MAAM,YAAY,EAAE,CAAC,cAAc,EAAE,CAAC;YACrD,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,cAAc,CAAC,0BAA0B,CAAC,CAAC;YAClE,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,MAA+B,EAAE,EAAE,CACrD,gBAAgB,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAE5D,YAAY,EAAE,KAAK,EAAE,MAAgC,EAAE,EAAE,CACvD,gBAAgB,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE7D,aAAa,EAAE,KAAK,EAAE,MAAiC,EAAE,EAAE,CACzD,YAAY,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;QAEtC,eAAe,EAAE,KAAK,EAAE,IAAY,EAAE,QAAQ,GAAG,KAAK,EAAE,EAAE;YACxD,MAAM,YAAY,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YACrD,MAAM,UAAU,EAAE,CAAC;YACnB,UAAU,GAAG,MAAM,WAAW,EAAE,CAAC;YACjC,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACvE,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,gBAAgB,EAAE,KAAK,EAAE,MAAoC,EAAE,EAAE,CAC/D,YAAY,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAEzC,gBAAgB,EAAE,KAAK,EAAE,MAAoC,EAAE,EAAE,CAC/D,YAAY,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAEzC,MAAM,EAAE;YACN,cAAc,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE;YAC9C,eAAe,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE;YAChD,MAAM,EAAE,KAAK,EAAE,KAAc,EAAE,EAAE;gBAC/B,MAAM,WAAW,GAAG,KAAK,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBACtD,IAAI,CAAC,WAAW;oBAAE,MAAM,IAAI,cAAc,CAAC,uBAAuB,CAAC,CAAC;gBACpE,OAAO,QAAQ,CAAC,WAAW,CAAC,WAAW,CAEtC,CAAC;YACJ,CAAC;YACD,KAAK,EAAE,GAAG,EAAE;gBACV,OAAO,CAAC,KAAK,EAAE,CAAC;gBAChB,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;SACF;QAED,OAAO;KACR,CAAC;AACJ,CAAC,CAAC"}

package/dist/tokens.d.ts

@@ -0,0 +1,27 @@
+import type { Logger } from "pino";
+import type { AccessTokenPayload, CacheAdapter, CookieAdapter, TokenPair, TokenStorageOptions } from "./types.js";
+export declare const createInMemoryCacheAdapter: () => CacheAdapter;
+export type TokenStorage = {
+    readonly save: (tokens: TokenPair) => void;
+    readonly clear: () => void;
+    readonly getAccessToken: () => string | null;
+    readonly getRefreshToken: () => string | null;
+    readonly getDeviceId: () => string | null;
+    readonly getAdminRefreshToken: () => string | null;
+    readonly setAccessToken: (accessToken: string) => void;
+    readonly setRefreshToken: (refreshToken: string) => void;
+    readonly setAdminRefreshToken: (adminRefreshToken: string) => void;
+    readonly setDeviceId: (deviceId: string) => void;
+    readonly clearAccessToken: () => void;
+    readonly clearRefreshToken: () => void;
+    readonly clearDeviceId: () => void;
+    readonly clearAdminRefreshToken: () => void;
+    readonly getAll: () => TokenPair | null;
+};
+export declare const createTokenStorage: (cookies: CookieAdapter, options?: TokenStorageOptions, logger?: Logger) => TokenStorage;
+export type TokenVerifier<Payload extends Record<string, any>> = {
+    readonly verifyToken: (token: string) => Promise<AccessTokenPayload<Payload>>;
+    readonly clearKeyCache: () => void;
+};
+export declare const createTokenVerifier: <Payload extends Record<string, any> = Record<string, any>>(jwksUrl: string, cacheTtlMs?: number, logger?: Logger, externalCache?: CacheAdapter) => TokenVerifier<Payload>;
+//# sourceMappingURL=tokens.d.ts.map

package/dist/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC,OAAO,KAAK,EACV,kBAAkB,EAClB,YAAY,EACZ,aAAa,EAGb,SAAS,EACT,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAIpB,eAAO,MAAM,0BAA0B,QAAO,YAY7C,CAAC;AAYF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,KAAK,IAAI,CAAC;IAC3C,QAAQ,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAC7C,QAAQ,CAAC,eAAe,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAC9C,QAAQ,CAAC,WAAW,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,oBAAoB,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACnD,QAAQ,CAAC,cAAc,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,IAAI,CAAC;IACvD,QAAQ,CAAC,eAAe,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,QAAQ,CAAC,oBAAoB,EAAE,CAAC,iBAAiB,EAAE,MAAM,KAAK,IAAI,CAAC;IACnE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;IACjD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,IAAI,CAAC;IACtC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,IAAI,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC;IACnC,QAAQ,CAAC,sBAAsB,EAAE,MAAM,IAAI,CAAC;IAC5C,QAAQ,CAAC,MAAM,EAAE,MAAM,SAAS,GAAG,IAAI,CAAC;CACzC,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,SAAS,aAAa,EACtB,UAAS,mBAAwB,EACjC,SAAS,MAAM,KACd,YA0IF,CAAC;AAoCF,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI;IAC/D,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9E,QAAQ,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC;CACpC,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAEzD,SAAS,MAAM,EACf,aAAY,MAA6B,EACzC,SAAS,MAAM,EACf,gBAAgB,YAAY,KAC3B,aAAa,CAAC,OAAO,CAiEvB,CAAC"}

package/dist/tokens.js

@@ -0,0 +1,212 @@
+import * as jose from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify, } from "jose";
+import { AuthticonError, AuthticonTokenError } from "./errors.js";
+// --- In-memory cache ---
+export const createInMemoryCacheAdapter = () => {
+    const store = new Map();
+    return {
+        get: (key) => store.get(key),
+        set: (key, value) => {
+            store.set(key, value);
+        },
+        delete: (key) => {
+            store.delete(key);
+        },
+    };
+};
+// --- Token storage ---
+const DEFAULT_ACCESS_TOKEN_NAME = "access_token";
+const DEFAULT_REFRESH_TOKEN_NAME = "refresh_token";
+const DEFAULT_DEVICE_ID_NAME = "device_id";
+const DEFAULT_ADMIN_REFRESH_TOKEN_NAME = "admin_refresh_token";
+const DEFAULT_ACCESS_TOKEN_MAX_AGE = 900;
+const DEFAULT_REFRESH_TOKEN_MAX_AGE = 2_592_000;
+const DEFAULT_ADMIN_REFRESH_TOKEN_MAX_AGE = 2_592_000;
+export const createTokenStorage = (cookies, options = {}, logger) => {
+    const accessName = options.accessTokenName ?? DEFAULT_ACCESS_TOKEN_NAME;
+    const refreshName = options.refreshTokenName ?? DEFAULT_REFRESH_TOKEN_NAME;
+    const deviceIdName = options.deviceIdName ?? DEFAULT_DEVICE_ID_NAME;
+    const adminRefreshName = options.adminRefreshTokenName ?? DEFAULT_ADMIN_REFRESH_TOKEN_NAME;
+    const path = options.path ?? "/";
+    const domain = options.domain;
+    const secure = options.secure ?? true;
+    const sameSite = options.sameSite ?? "lax";
+    const setOpts = {
+        access: {
+            path,
+            domain,
+            secure,
+            sameSite,
+            maxAge: options.accessTokenMaxAge ?? DEFAULT_ACCESS_TOKEN_MAX_AGE,
+        },
+        refresh: {
+            path,
+            domain,
+            secure,
+            sameSite,
+            maxAge: options.refreshTokenMaxAge ?? DEFAULT_REFRESH_TOKEN_MAX_AGE,
+        },
+        deviceId: {
+            path,
+            domain,
+            secure,
+            sameSite,
+            maxAge: options.refreshTokenMaxAge ?? DEFAULT_REFRESH_TOKEN_MAX_AGE,
+        },
+        adminRefresh: {
+            path,
+            domain,
+            secure,
+            sameSite,
+            maxAge: options.adminRefreshTokenMaxAge ?? DEFAULT_ADMIN_REFRESH_TOKEN_MAX_AGE,
+        },
+    };
+    const removeOpts = { path, domain };
+    const setAccessToken = (accessToken) => {
+        logger?.debug({ accessToken: accessToken.slice(0, 10) + "..." }, "Setting access token");
+        cookies.set(accessName, accessToken, setOpts.access);
+    };
+    const setRefreshToken = (refreshToken) => {
+        logger?.debug({ refreshToken: refreshToken.slice(0, 10) + "..." }, "Setting refresh token");
+        cookies.set(refreshName, refreshToken, setOpts.refresh);
+    };
+    const setAdminRefreshToken = (adminRefreshToken) => {
+        logger?.debug({ adminRefreshToken: adminRefreshToken.slice(0, 10) + "..." }, "Setting admin refresh token");
+        cookies.set(adminRefreshName, adminRefreshToken, setOpts.adminRefresh);
+    };
+    const setDeviceId = (deviceId) => {
+        logger?.debug({ deviceId }, "Setting device id");
+        cookies.set(deviceIdName, deviceId, setOpts.deviceId);
+    };
+    const clearAccessToken = () => {
+        logger?.debug("Clearing access token");
+        cookies.remove(accessName, removeOpts);
+    };
+    const clearRefreshToken = () => {
+        logger?.debug("Clearing refresh token");
+        cookies.remove(refreshName, removeOpts);
+    };
+    const clearDeviceId = () => {
+        logger?.debug("Clearing device id");
+        cookies.remove(deviceIdName, removeOpts);
+    };
+    const clearAdminRefreshToken = () => {
+        logger?.debug("Clearing admin refresh token");
+        cookies.remove(adminRefreshName, removeOpts);
+    };
+    const getAccessToken = () => cookies.get(accessName);
+    const getRefreshToken = () => cookies.get(refreshName);
+    const getDeviceId = () => cookies.get(deviceIdName);
+    const getAdminRefreshToken = () => cookies.get(adminRefreshName);
+    return {
+        save: (tokens) => {
+            setAccessToken(tokens.accessToken);
+            setRefreshToken(tokens.refreshToken);
+            if (tokens.deviceId)
+                setDeviceId(tokens.deviceId);
+            if (tokens.adminRefreshToken)
+                setAdminRefreshToken(tokens.adminRefreshToken);
+        },
+        clear: () => {
+            clearAccessToken();
+            clearRefreshToken();
+            clearDeviceId();
+            clearAdminRefreshToken();
+        },
+        getAccessToken,
+        getRefreshToken,
+        getDeviceId,
+        getAdminRefreshToken,
+        setAccessToken,
+        setRefreshToken,
+        setAdminRefreshToken,
+        setDeviceId,
+        clearAccessToken,
+        clearRefreshToken,
+        clearDeviceId,
+        clearAdminRefreshToken,
+        getAll: () => {
+            const accessToken = getAccessToken();
+            const refreshToken = getRefreshToken();
+            if (!accessToken || !refreshToken)
+                return null;
+            return {
+                accessToken,
+                refreshToken,
+                deviceId: getDeviceId() ?? undefined,
+                adminRefreshToken: getAdminRefreshToken() ?? undefined,
+            };
+        },
+    };
+};
+const DEFAULT_CACHE_TTL_MS = 3_600_000;
+const JWKS_CACHE_KEY = "authticon:jwks";
+const importKeysFromJwks = async (jwks) => {
+    const keysWithKid = jwks.filter((jwk) => typeof jwk.kid === "string");
+    const entries = await Promise.all(keysWithKid.map(async (jwk) => {
+        const imported = await importJWK(jwk);
+        if (imported instanceof Uint8Array) {
+            throw new Error(`Symmetric key (kid: ${jwk.kid}) is not supported`);
+        }
+        return [jwk.kid, imported];
+    }));
+    return new Map(entries);
+};
+export const createTokenVerifier = (jwksUrl, cacheTtlMs = DEFAULT_CACHE_TTL_MS, logger, externalCache) => {
+    const cache = externalCache ?? createInMemoryCacheAdapter();
+    const fetchJwks = async () => {
+        const response = await fetch(jwksUrl);
+        if (!response.ok) {
+            throw new AuthticonError(`Failed to fetch JWKS: ${response.status}`);
+        }
+        const data = await response.json();
+        const keys = await importKeysFromJwks(data.keys);
+        cache.set(JWKS_CACHE_KEY, { keys, fetchedAt: Date.now() });
+        logger?.debug({ jwksUrl }, "JWKS fetched");
+        return keys;
+    };
+    const getCachedOrFetch = async () => {
+        const cached = cache.get(JWKS_CACHE_KEY);
+        if (cached && Date.now() - cached.fetchedAt < cacheTtlMs) {
+            return cached.keys;
+        }
+        return fetchJwks();
+    };
+    const resolveKey = async (kid) => {
+        const keys = await getCachedOrFetch();
+        const key = keys.get(kid);
+        if (key)
+            return key;
+        cache.delete(JWKS_CACHE_KEY);
+        const freshKeys = await fetchJwks();
+        const freshKey = freshKeys.get(kid);
+        if (!freshKey) {
+            throw new AuthticonError(`Key with kid "${kid}" not found in JWKS`);
+        }
+        return freshKey;
+    };
+    return {
+        verifyToken: async (token) => {
+            try {
+                const header = decodeProtectedHeader(token);
+                if (!header.kid) {
+                    throw new AuthticonError("Token header is missing 'kid' claim");
+                }
+                const key = await resolveKey(header.kid);
+                const { payload } = await jwtVerify(token, key);
+                return payload;
+            }
+            catch (error) {
+                if (error instanceof jose.errors.JOSEError) {
+                    throw new AuthticonTokenError(error.message, error.code, error);
+                }
+                throw error;
+            }
+        },
+        clearKeyCache: () => {
+            cache.delete(JWKS_CACHE_KEY);
+            logger?.debug("Key cache cleared");
+        },
+    };
+};
+//# sourceMappingURL=tokens.js.map

package/dist/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EACL,qBAAqB,EACrB,SAAS,EACT,SAAS,GAGV,MAAM,MAAM,CAAC;AAEd,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAWlE,0BAA0B;AAE1B,MAAM,CAAC,MAAM,0BAA0B,GAAG,GAAiB,EAAE;IAC3D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAmB,CAAC;IAEzC,OAAO;QACL,GAAG,EAAE,CAAI,GAAW,EAAiB,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAkB;QACvE,GAAG,EAAE,CAAI,GAAW,EAAE,KAAQ,EAAQ,EAAE;YACtC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC;QACD,MAAM,EAAE,CAAC,GAAW,EAAQ,EAAE;YAC5B,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,wBAAwB;AAExB,MAAM,yBAAyB,GAAG,cAAc,CAAC;AACjD,MAAM,0BAA0B,GAAG,eAAe,CAAC;AACnD,MAAM,sBAAsB,GAAG,WAAW,CAAC;AAC3C,MAAM,gCAAgC,GAAG,qBAAqB,CAAC;AAC/D,MAAM,4BAA4B,GAAG,GAAG,CAAC;AACzC,MAAM,6BAA6B,GAAG,SAAS,CAAC;AAChD,MAAM,mCAAmC,GAAG,SAAS,CAAC;AAoBtD,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,OAAsB,EACtB,UAA+B,EAAE,EACjC,MAAe,EACD,EAAE;IAChB,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,IAAI,yBAAyB,CAAC;IACxE,MAAM,WAAW,GAAG,OAAO,CAAC,gBAAgB,IAAI,0BAA0B,CAAC;IAC3E,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,sBAAsB,CAAC;IACpE,MAAM,gBAAgB,GACpB,OAAO,CAAC,qBAAqB,IAAI,gCAAgC,CAAC;IAEpE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;IAE3C,MAAM,OAAO,GAAqC;QAChD,MAAM,EAAE;YACN,IAAI;YACJ,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,OAAO,CAAC,iBAAiB,IAAI,4BAA4B;SAClE;QACD,OAAO,EAAE;YACP,IAAI;YACJ,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,OAAO,CAAC,kBAAkB,IAAI,6BAA6B;SACpE;QACD,QAAQ,EAAE;YACR,IAAI;YACJ,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,OAAO,CAAC,kBAAkB,IAAI,6BAA6B;SACpE;QACD,YAAY,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM,EACJ,OAAO,CAAC,uBAAuB,IAAI,mCAAmC;SACzE;KACF,CAAC;IAEF,MAAM,UAAU,GAAwB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAEzD,MAAM,cAAc,GAAG,CAAC,WAAmB,EAAQ,EAAE;QACnD,MAAM,EAAE,KAAK,CACX,EAAE,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,EACjD,sBAAsB,CACvB,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,CAAC,MAAO,CAAC,CAAC;IACxD,CAAC,CAAC;IAEF,MAAM,eAAe,GAAG,CAAC,YAAoB,EAAQ,EAAE;QACrD,MAAM,EAAE,KAAK,CACX,EAAE,YAAY,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,EACnD,uBAAuB,CACxB,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,YAAY,EAAE,OAAO,CAAC,OAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC;IAEF,MAAM,oBAAoB,GAAG,CAAC,iBAAyB,EAAQ,EAAE;QAC/D,MAAM,EAAE,KAAK,CACX,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,EAC7D,6BAA6B,CAC9B,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,OAAO,CAAC,YAAa,CAAC,CAAC;IAC1E,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,QAAgB,EAAQ,EAAE;QAC7C,MAAM,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,EAAE,mBAAmB,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAS,CAAC,CAAC;IACzD,CAAC,CAAC;IAEF,MAAM,gBAAgB,GAAG,GAAS,EAAE;QAClC,MAAM,EAAE,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACvC,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACzC,CAAC,CAAC;IAEF,MAAM,iBAAiB,GAAG,GAAS,EAAE;QACnC,MAAM,EAAE,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACxC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAC1C,CAAC,CAAC;IAEF,MAAM,aAAa,GAAG,GAAS,EAAE;QAC/B,MAAM,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACpC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC,CAAC;IAEF,MAAM,sBAAsB,GAAG,GAAS,EAAE;QACxC,MAAM,EAAE,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC9C,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IAC/C,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,WAAW,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,oBAAoB,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAEjE,OAAO;QACL,IAAI,EAAE,CAAC,MAAM,EAAE,EAAE;YACf,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACnC,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,IAAI,MAAM,CAAC,QAAQ;gBAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClD,IAAI,MAAM,CAAC,iBAAiB;gBAC1B,oBAAoB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACnD,CAAC;QACD,KAAK,EAAE,GAAG,EAAE;YACV,gBAAgB,EAAE,CAAC;YACnB,iBAAiB,EAAE,CAAC;YACpB,aAAa,EAAE,CAAC;YAChB,sBAAsB,EAAE,CAAC;QAC3B,CAAC;QACD,cAAc;QACd,eAAe;QACf,WAAW;QACX,oBAAoB;QACpB,cAAc;QACd,eAAe;QACf,oBAAoB;QACpB,WAAW;QACX,gBAAgB;QAChB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;QACtB,MAAM,EAAE,GAAG,EAAE;YACX,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;YACrC,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;YACvC,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC;YAC/C,OAAO;gBACL,WAAW;gBACX,YAAY;gBACZ,QAAQ,EAAE,WAAW,EAAE,IAAI,SAAS;gBACpC,iBAAiB,EAAE,oBAAoB,EAAE,IAAI,SAAS;aACvD,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAaF,MAAM,oBAAoB,GAAG,SAAS,CAAC;AACvC,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAExC,MAAM,kBAAkB,GAAG,KAAK,EAC9B,IAAoB,EACyB,EAAE;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAC7B,CAAC,GAAG,EAAyC,EAAE,CAAC,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAC5E,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAC5B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,QAAQ,YAAY,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,GAAG,oBAAoB,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAU,CAAC;IACtC,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;AAC1B,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAGjC,OAAe,EACf,aAAqB,oBAAoB,EACzC,MAAe,EACf,aAA4B,EACJ,EAAE;IAC1B,MAAM,KAAK,GAAG,aAAa,IAAI,0BAA0B,EAAE,CAAC;IAE5D,MAAM,SAAS,GAAG,KAAK,IAAiD,EAAE;QACxE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,cAAc,CAAC,yBAAyB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,IAAI,GAAiB,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,KAAK,CAAC,GAAG,CAAa,cAAc,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;IAEF,MAAM,gBAAgB,GAAG,KAAK,IAE5B,EAAE;QACF,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAa,cAAc,CAAC,CAAC;QACrD,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,UAAU,EAAE,CAAC;YACzD,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QACD,OAAO,SAAS,EAAE,CAAC;IACrB,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,KAAK,EAAE,GAAW,EAA0B,EAAE;QAC/D,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAEpB,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC7B,MAAM,SAAS,GAAG,MAAM,SAAS,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,iBAAiB,GAAG,qBAAqB,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;gBAC5C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;oBAChB,MAAM,IAAI,cAAc,CAAC,qCAAqC,CAAC,CAAC;gBAClE,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACzC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CACjC,KAAK,EACL,GAAG,CACJ,CAAC;gBACF,OAAO,OAAO,CAAC;YACjB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;oBAC3C,MAAM,IAAI,mBAAmB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAClE,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,aAAa,EAAE,GAAG,EAAE;YAClB,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YAC7B,MAAM,EAAE,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACrC,CAAC;KACF,CAAC;AACJ,CAAC,CAAC"}