@byline/admin 2.3.3 → 2.4.1

package/dist/modules/auth/index.js

@@ -1,24 +1,3 @@
-/**
- * This Source Code is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * Copyright (c) Infonomic Company Limited
- */
-/**
- * `@byline/admin/auth` — session handling for the built-in admin realm.
- *
- * Hosts the reference `JwtSessionProvider` and the sign-in / refresh /
- * revoke orchestration that consumes it, along with password hashing
- * (`hashPassword` / `verifyPassword`) and the `RefreshTokensRepository`
- * contract the provider drives.
- *
- * The `SessionProvider` **interface** lives in `@byline/auth` so the
- * pluggability contract stays narrow; this module supplies the
- * Byline-native implementation. Third-party providers (Lucia, WorkOS,
- * Clerk, institutional SSO) should be shipped as separate packages
- * against `@byline/auth` rather than added here.
- */
-export { JwtSessionProvider } from './jwt-session-provider.js';
-export { hashPassword, verifyPassword } from './password.js';
-export { resolveActor } from './resolve-actor.js';
+export { JwtSessionProvider } from "./jwt-session-provider.js";
+export { hashPassword, verifyPassword } from "./password.js";
+export { resolveActor } from "./resolve-actor.js";

package/dist/modules/auth/jwt-session-provider.js

@@ -1,214 +1,244 @@
-/**
- * This Source Code is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * Copyright (c) Infonomic Company Limited
- */
-import { createHash, randomBytes, randomUUID } from 'node:crypto';
-import { ERR_ACCOUNT_DISABLED, ERR_INVALID_CREDENTIALS, ERR_INVALID_TOKEN, ERR_REVOKED_TOKEN, } from '@byline/auth';
-import { jwtVerify, SignJWT } from 'jose';
-import { v7 as uuidv7 } from 'uuid';
-import { verifyPassword } from './password.js';
-import { resolveActor } from './resolve-actor.js';
+import { createHash, randomBytes, randomUUID } from "node:crypto";
+import { ERR_ACCOUNT_DISABLED, ERR_INVALID_CREDENTIALS, ERR_INVALID_TOKEN, ERR_REVOKED_TOKEN } from "@byline/auth";
+import { SignJWT, jwtVerify } from "jose";
+import { v7 } from "uuid";
+import { verifyPassword } from "./password.js";
+import { resolveActor } from "./resolve-actor.js";
+function _check_private_redeclaration(obj, privateCollection) {
+    if (privateCollection.has(obj)) throw new TypeError("Cannot initialize the same private elements twice on an object");
+}
+function _class_apply_descriptor_get(receiver, descriptor) {
+    if (descriptor.get) return descriptor.get.call(receiver);
+    return descriptor.value;
+}
+function _class_apply_descriptor_set(receiver, descriptor, value) {
+    if (descriptor.set) descriptor.set.call(receiver, value);
+    else {
+        if (!descriptor.writable) throw new TypeError("attempted to set read only private field");
+        descriptor.value = value;
+    }
+}
+function _class_extract_field_descriptor(receiver, privateMap, action) {
+    if (!privateMap.has(receiver)) throw new TypeError("attempted to " + action + " private field on non-instance");
+    return privateMap.get(receiver);
+}
+function _class_private_field_get(receiver, privateMap) {
+    var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
+    return _class_apply_descriptor_get(receiver, descriptor);
+}
+function _class_private_field_init(obj, privateMap, value) {
+    _check_private_redeclaration(obj, privateMap);
+    privateMap.set(obj, value);
+}
+function _class_private_field_set(receiver, privateMap, value) {
+    var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
+    _class_apply_descriptor_set(receiver, descriptor, value);
+    return value;
+}
+function _class_private_method_get(receiver, privateSet, fn) {
+    if (!privateSet.has(receiver)) throw new TypeError("attempted to get private field on non-instance");
+    return fn;
+}
+function _class_private_method_init(obj, privateSet) {
+    _check_private_redeclaration(obj, privateSet);
+    privateSet.add(obj);
+}
 const DEFAULT_ISSUER = 'byline';
-const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = 15 * 60; // 15 minutes
-const DEFAULT_REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days
+const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = 900;
+const DEFAULT_REFRESH_TOKEN_TTL_SECONDS = 2592000;
 const CAPABILITIES = {
     passwordChange: true,
     magicLink: false,
-    sso: false,
+    sso: false
 };
-export class JwtSessionProvider {
-    capabilities = CAPABILITIES;
-    #store;
-    #signingKey;
-    #issuer;
-    #accessTtl;
-    #refreshTtl;
-    #now;
-    constructor(config) {
-        this.#store = config.store;
-        this.#signingKey =
-            typeof config.signingSecret === 'string'
-                ? new TextEncoder().encode(config.signingSecret)
-                : config.signingSecret;
-        if (this.#signingKey.byteLength < 32) {
-            throw new Error('JwtSessionProvider: signingSecret must carry at least 32 bytes of entropy (256 bits)');
-        }
-        this.#issuer = config.issuer ?? DEFAULT_ISSUER;
-        this.#accessTtl = config.accessTokenTtlSeconds ?? DEFAULT_ACCESS_TOKEN_TTL_SECONDS;
-        this.#refreshTtl = config.refreshTokenTtlSeconds ?? DEFAULT_REFRESH_TOKEN_TTL_SECONDS;
-        this.#now = config.now ?? (() => new Date());
-    }
-    // -----------------------------------------------------------------------
-    // SessionProvider
-    // -----------------------------------------------------------------------
+var _store = /*#__PURE__*/ new WeakMap(), _signingKey = /*#__PURE__*/ new WeakMap(), _issuer = /*#__PURE__*/ new WeakMap(), _accessTtl = /*#__PURE__*/ new WeakMap(), _refreshTtl = /*#__PURE__*/ new WeakMap(), _now = /*#__PURE__*/ new WeakMap(), _issueTokens = /*#__PURE__*/ new WeakSet(), _signAccessToken = /*#__PURE__*/ new WeakSet();
+class JwtSessionProvider {
     async signInWithPassword(args) {
-        const users = this.#store.adminUsers;
+        const users = _class_private_field_get(this, _store).adminUsers;
         const row = await users.getByEmailForSignIn(args.email);
-        // Uniform error response for unknown email vs. wrong password — don't
-        // leak which one. Still do a real verify against a dummy hash so the
-        // timing is comparable; the argon2 cost dominates regardless.
         if (!row) {
             await verifyPassword(args.password, DUMMY_HASH_FOR_TIMING);
-            throw ERR_INVALID_CREDENTIALS({ message: 'invalid credentials' });
+            throw ERR_INVALID_CREDENTIALS({
+                message: 'invalid credentials'
+            });
         }
         const ok = await verifyPassword(args.password, row.password_hash);
         if (!ok) {
             await users.recordLoginFailure(row.id);
-            throw ERR_INVALID_CREDENTIALS({ message: 'invalid credentials' });
-        }
-        if (!row.is_enabled) {
-            throw ERR_ACCOUNT_DISABLED({ message: 'account disabled' });
+            throw ERR_INVALID_CREDENTIALS({
+                message: 'invalid credentials'
+            });
         }
+        if (!row.is_enabled) throw ERR_ACCOUNT_DISABLED({
+            message: 'account disabled'
+        });
         await users.recordLoginSuccess(row.id, args.ip ?? null);
-        const actor = await resolveActor(this.#store, row.id);
-        // resolveActor also checks is_enabled, but we just recorded success
-        // above, so null here would indicate a race (the account was disabled
-        // between the check and the resolve). Treat as disabled.
-        if (!actor) {
-            throw ERR_ACCOUNT_DISABLED({ message: 'account disabled' });
-        }
-        const tokens = await this.#issueTokens({
+        const actor = await resolveActor(_class_private_field_get(this, _store), row.id);
+        if (!actor) throw ERR_ACCOUNT_DISABLED({
+            message: 'account disabled'
+        });
+        const tokens = await _class_private_method_get(this, _issueTokens, issueTokens).call(this, {
             adminUserId: row.id,
             ip: args.ip ?? null,
-            userAgent: args.userAgent ?? null,
+            userAgent: args.userAgent ?? null
         });
-        return { ...tokens, actor };
+        return {
+            ...tokens,
+            actor
+        };
     }
     async verifyAccessToken(token) {
         let payload;
         try {
-            const result = await jwtVerify(token, this.#signingKey, {
-                issuer: this.#issuer,
+            const result = await jwtVerify(token, _class_private_field_get(this, _signingKey), {
+                issuer: _class_private_field_get(this, _issuer)
             });
             payload = result.payload;
+        } catch (err) {
+            throw ERR_INVALID_TOKEN({
+                message: 'access token verification failed',
+                cause: err
+            });
         }
-        catch (err) {
-            throw ERR_INVALID_TOKEN({ message: 'access token verification failed', cause: err });
-        }
-        if (payload.typ !== 'access') {
-            throw ERR_INVALID_TOKEN({ message: 'unexpected token type' });
-        }
-        const actor = await resolveActor(this.#store, payload.sub);
-        if (!actor) {
-            // The token was valid but the user is now disabled or deleted.
-            throw ERR_ACCOUNT_DISABLED({ message: 'account disabled or deleted' });
-        }
-        return { actor };
+        if ('access' !== payload.typ) throw ERR_INVALID_TOKEN({
+            message: 'unexpected token type'
+        });
+        const actor = await resolveActor(_class_private_field_get(this, _store), payload.sub);
+        if (!actor) throw ERR_ACCOUNT_DISABLED({
+            message: 'account disabled or deleted'
+        });
+        return {
+            actor
+        };
     }
     async refreshSession(args) {
-        const refreshTokens = this.#store.refreshTokens;
+        const refreshTokens = _class_private_field_get(this, _store).refreshTokens;
         const hash = hashToken(args.refreshToken);
         const row = await refreshTokens.findByHash(hash);
-        if (!row) {
-            throw ERR_INVALID_TOKEN({ message: 'refresh token not recognised' });
-        }
-        const now = this.#now();
-        // Already revoked?
-        if (row.revoked_at != null) {
-            if (row.rotated_to_id != null) {
-                // Rotated token replayed — the chain is compromised. Revoke every
-                // descendant so the attacker and the legitimate holder are both
-                // signed out.
+        if (!row) throw ERR_INVALID_TOKEN({
+            message: 'refresh token not recognised'
+        });
+        const now = _class_private_field_get(this, _now).call(this);
+        if (null != row.revoked_at) {
+            if (null != row.rotated_to_id) {
                 await refreshTokens.revokeChain(row.id, now);
                 throw ERR_REVOKED_TOKEN({
-                    message: 'refresh token was already rotated — chain revoked',
+                    message: 'refresh token was already rotated — chain revoked'
                 });
             }
-            throw ERR_REVOKED_TOKEN({ message: 'refresh token has been revoked' });
-        }
-        if (row.expires_at.getTime() <= now.getTime()) {
-            throw ERR_INVALID_TOKEN({ message: 'refresh token expired' });
+            throw ERR_REVOKED_TOKEN({
+                message: 'refresh token has been revoked'
+            });
         }
-        // Rotate: mint a new token, mark the old one rotated_to the new id.
-        const newId = uuidv7();
+        if (row.expires_at.getTime() <= now.getTime()) throw ERR_INVALID_TOKEN({
+            message: 'refresh token expired'
+        });
+        const newId = v7();
         const newRefreshPlain = generateOpaqueToken();
         const newRefreshHash = hashToken(newRefreshPlain);
-        const refreshExpiresAt = new Date(now.getTime() + this.#refreshTtl * 1000);
+        const refreshExpiresAt = new Date(now.getTime() + 1000 * _class_private_field_get(this, _refreshTtl));
         await refreshTokens.issue({
             id: newId,
             admin_user_id: row.admin_user_id,
             token_hash: newRefreshHash,
             expires_at: refreshExpiresAt,
             user_agent: args.userAgent ?? null,
-            ip: args.ip ?? null,
+            ip: args.ip ?? null
         });
         await refreshTokens.markRotated(row.id, newId, now);
-        const accessToken = await this.#signAccessToken(row.admin_user_id, now);
-        const accessExpiresAt = new Date(now.getTime() + this.#accessTtl * 1000);
+        const accessToken = await _class_private_method_get(this, _signAccessToken, signAccessToken).call(this, row.admin_user_id, now);
+        const accessExpiresAt = new Date(now.getTime() + 1000 * _class_private_field_get(this, _accessTtl));
         return {
             accessToken,
             refreshToken: newRefreshPlain,
             accessTokenExpiresAt: accessExpiresAt,
-            refreshTokenExpiresAt: refreshExpiresAt,
+            refreshTokenExpiresAt: refreshExpiresAt
         };
     }
     async revokeSession(refreshToken) {
-        const refreshTokens = this.#store.refreshTokens;
+        const refreshTokens = _class_private_field_get(this, _store).refreshTokens;
         const row = await refreshTokens.findByHash(hashToken(refreshToken));
-        if (!row)
-            return; // Idempotent — unknown tokens are a no-op.
-        await refreshTokens.revoke(row.id, this.#now());
+        if (!row) return;
+        await refreshTokens.revoke(row.id, _class_private_field_get(this, _now).call(this));
     }
     async resolveActor(adminUserId) {
-        return resolveActor(this.#store, adminUserId);
+        return resolveActor(_class_private_field_get(this, _store), adminUserId);
     }
-    // -----------------------------------------------------------------------
-    // Internals
-    // -----------------------------------------------------------------------
-    async #issueTokens(input) {
-        const now = this.#now();
-        const refreshTokens = this.#store.refreshTokens;
-        const accessToken = await this.#signAccessToken(input.adminUserId, now);
-        const accessExpiresAt = new Date(now.getTime() + this.#accessTtl * 1000);
-        const refreshPlain = generateOpaqueToken();
-        const refreshHash = hashToken(refreshPlain);
-        const refreshExpiresAt = new Date(now.getTime() + this.#refreshTtl * 1000);
-        await refreshTokens.issue({
-            id: uuidv7(),
-            admin_user_id: input.adminUserId,
-            token_hash: refreshHash,
-            expires_at: refreshExpiresAt,
-            user_agent: input.userAgent,
-            ip: input.ip,
+    constructor(config){
+        _class_private_method_init(this, _issueTokens);
+        _class_private_method_init(this, _signAccessToken);
+        _class_private_field_init(this, _store, {
+            writable: true,
+            value: void 0
         });
-        return {
-            accessToken,
-            refreshToken: refreshPlain,
-            accessTokenExpiresAt: accessExpiresAt,
-            refreshTokenExpiresAt: refreshExpiresAt,
-        };
-    }
-    async #signAccessToken(adminUserId, now) {
-        const iat = Math.floor(now.getTime() / 1000);
-        const exp = iat + this.#accessTtl;
-        return new SignJWT({ typ: 'access' })
-            .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-            .setSubject(adminUserId)
-            .setIssuer(this.#issuer)
-            .setIssuedAt(iat)
-            .setExpirationTime(exp)
-            .setJti(randomUUID())
-            .sign(this.#signingKey);
+        _class_private_field_init(this, _signingKey, {
+            writable: true,
+            value: void 0
+        });
+        _class_private_field_init(this, _issuer, {
+            writable: true,
+            value: void 0
+        });
+        _class_private_field_init(this, _accessTtl, {
+            writable: true,
+            value: void 0
+        });
+        _class_private_field_init(this, _refreshTtl, {
+            writable: true,
+            value: void 0
+        });
+        _class_private_field_init(this, _now, {
+            writable: true,
+            value: void 0
+        });
+        this.capabilities = CAPABILITIES;
+        _class_private_field_set(this, _store, config.store);
+        _class_private_field_set(this, _signingKey, 'string' == typeof config.signingSecret ? new TextEncoder().encode(config.signingSecret) : config.signingSecret);
+        if (_class_private_field_get(this, _signingKey).byteLength < 32) throw new Error('JwtSessionProvider: signingSecret must carry at least 32 bytes of entropy (256 bits)');
+        _class_private_field_set(this, _issuer, config.issuer ?? DEFAULT_ISSUER);
+        _class_private_field_set(this, _accessTtl, config.accessTokenTtlSeconds ?? DEFAULT_ACCESS_TOKEN_TTL_SECONDS);
+        _class_private_field_set(this, _refreshTtl, config.refreshTokenTtlSeconds ?? DEFAULT_REFRESH_TOKEN_TTL_SECONDS);
+        _class_private_field_set(this, _now, config.now ?? (()=>new Date()));
     }
 }
-// ---------------------------------------------------------------------------
-// Utilities
-// ---------------------------------------------------------------------------
-/** 32 bytes of randomness, base64url-encoded. ~43 chars on the wire. */
+async function issueTokens(input) {
+    const now = _class_private_field_get(this, _now).call(this);
+    const refreshTokens = _class_private_field_get(this, _store).refreshTokens;
+    const accessToken = await _class_private_method_get(this, _signAccessToken, signAccessToken).call(this, input.adminUserId, now);
+    const accessExpiresAt = new Date(now.getTime() + 1000 * _class_private_field_get(this, _accessTtl));
+    const refreshPlain = generateOpaqueToken();
+    const refreshHash = hashToken(refreshPlain);
+    const refreshExpiresAt = new Date(now.getTime() + 1000 * _class_private_field_get(this, _refreshTtl));
+    await refreshTokens.issue({
+        id: v7(),
+        admin_user_id: input.adminUserId,
+        token_hash: refreshHash,
+        expires_at: refreshExpiresAt,
+        user_agent: input.userAgent,
+        ip: input.ip
+    });
+    return {
+        accessToken,
+        refreshToken: refreshPlain,
+        accessTokenExpiresAt: accessExpiresAt,
+        refreshTokenExpiresAt: refreshExpiresAt
+    };
+}
+async function signAccessToken(adminUserId, now) {
+    const iat = Math.floor(now.getTime() / 1000);
+    const exp = iat + _class_private_field_get(this, _accessTtl);
+    return new SignJWT({
+        typ: 'access'
+    }).setProtectedHeader({
+        alg: 'HS256',
+        typ: 'JWT'
+    }).setSubject(adminUserId).setIssuer(_class_private_field_get(this, _issuer)).setIssuedAt(iat).setExpirationTime(exp).setJti(randomUUID()).sign(_class_private_field_get(this, _signingKey));
+}
 function generateOpaqueToken() {
     return randomBytes(32).toString('base64url');
 }
-/** SHA-256 hex digest of the raw refresh-token string. */
 function hashToken(token) {
     return createHash('sha256').update(token).digest('hex');
 }
-/**
- * A stable argon2id hash used only to equalise sign-in timing on the
- * unknown-email code path. The plaintext here is arbitrary — we never
- * succeed against it. This is pre-generated at module-load time so the
- * first sign-in call doesn't pay the generation cost.
- */
 const DUMMY_HASH_FOR_TIMING = '$argon2id$v=19$m=19456,t=2,p=1$c2lkZS1jaGFubmVsLW1pdGlnYXRpb24$0Hqf2vQKZqSfZZ4nJRr7K5IOjn9ngjzaQjV+yTG6iNY';
+export { JwtSessionProvider };

package/dist/modules/auth/password.js

@@ -1,62 +1,25 @@
-/**
- * This Source Code is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * Copyright (c) Infonomic Company Limited
- */
-/**
- * Password hashing — argon2id via the vendored `@noble/hashes` copy at
- * `../../vendor/noble-argon2/`. Pure-JS, runs anywhere with a modern JS
- * runtime (Node, Workers, Deno, Bun, browsers).
- *
- * Stores the full PHC string (`$argon2id$v=19$m=…$…$…`) in the
- * `byline_admin_users.password` column. That makes the algorithm and
- * parameters self-describing, so upgrading params later (or migrating off
- * argon2id entirely) is a straightforward re-hash on next successful sign-in.
- *
- * Defaults follow OWASP 2023 guidance for argon2id: memory 19 MiB,
- * iterations 2, parallelism 1. These are reasonable for typical server
- * hardware; tune if sign-in latency becomes a concern under load.
- *
- * Note: pure-JS argon2id is meaningfully slower than the previous
- * `@node-rs/argon2` Rust binding (~50–150 ms vs ~10 ms at these params on
- * modern server hardware). For interactive sign-in this is fine; for
- * high-throughput auth services consider tuning `HASH_OPTIONS` or
- * reintroducing a native binding behind a runtime-feature check.
- */
-import { argon2idAsync } from '../../vendor/noble-argon2/argon2.js';
-import { decodeArgon2idPhc, encodeArgon2idPhc, timingSafeEqual } from './phc.js';
-/** Argon2id cost parameters. Matches the prior `@node-rs/argon2` defaults. */
+import { argon2idAsync } from "../../vendor/noble-argon2/argon2.js";
+import { decodeArgon2idPhc, encodeArgon2idPhc, timingSafeEqual } from "./phc.js";
 const HASH_OPTIONS = {
-    /** Memory cost in KiB (19 MiB). */
     memoryCost: 19456,
-    /** Iterations. */
     timeCost: 2,
-    /** Parallelism (lanes). */
     parallelism: 1,
-    /** Derived-key length in bytes — 32 matches the prior stored hashes. */
     hashLength: 32,
-    /** Salt length in bytes — 16 matches the prior stored hashes. */
-    saltLength: 16,
+    saltLength: 16
 };
-/** Argon2 v1.3 (RFC 9106). */
 const ARGON2_VERSION = 0x13;
 function randomSalt(length) {
     return crypto.getRandomValues(new Uint8Array(length));
 }
-/** Hash a plaintext password. Returns a full PHC string. */
-export async function hashPassword(plaintext) {
-    if (plaintext.length === 0) {
-        throw new Error('hashPassword: plaintext must be non-empty');
-    }
+async function hashPassword(plaintext) {
+    if (0 === plaintext.length) throw new Error('hashPassword: plaintext must be non-empty');
     const salt = randomSalt(HASH_OPTIONS.saltLength);
     const hash = await argon2idAsync(plaintext, salt, {
         m: HASH_OPTIONS.memoryCost,
         t: HASH_OPTIONS.timeCost,
         p: HASH_OPTIONS.parallelism,
         dkLen: HASH_OPTIONS.hashLength,
-        version: ARGON2_VERSION,
+        version: ARGON2_VERSION
     });
     return encodeArgon2idPhc({
         algorithm: 'argon2id',
@@ -65,24 +28,19 @@ export async function hashPassword(plaintext) {
         timeCost: HASH_OPTIONS.timeCost,
         parallelism: HASH_OPTIONS.parallelism,
         salt,
-        hash,
+        hash
     });
 }
-/**
- * Verify a plaintext password against a stored PHC string. Returns `false`
- * on mismatch — never throws for a normal mismatch. Re-throws on malformed
- * hash strings or underlying library errors so those get surfaced.
- */
-export async function verifyPassword(plaintext, phc) {
-    if (plaintext.length === 0 || phc.length === 0)
-        return false;
+async function verifyPassword(plaintext, phc) {
+    if (0 === plaintext.length || 0 === phc.length) return false;
     const decoded = decodeArgon2idPhc(phc);
     const candidate = await argon2idAsync(plaintext, decoded.salt, {
         m: decoded.memoryCost,
         t: decoded.timeCost,
         p: decoded.parallelism,
         dkLen: decoded.hash.length,
-        version: decoded.version,
+        version: decoded.version
     });
     return timingSafeEqual(candidate, decoded.hash);
 }
+export { hashPassword, verifyPassword };

package/dist/modules/auth/phc.js

@@ -1,68 +1,40 @@
-/**
- * This Source Code is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * Copyright (c) Infonomic Company Limited
- */
 function bytesToB64NoPad(bytes) {
     let bin = '';
-    for (let i = 0; i < bytes.length; i++)
-        bin += String.fromCharCode(bytes[i]);
+    for(let i = 0; i < bytes.length; i++)bin += String.fromCharCode(bytes[i]);
     return btoa(bin).replace(/=+$/, '');
 }
 function b64NoPadToBytes(b64) {
-    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
+    const padded = b64 + '='.repeat((4 - b64.length % 4) % 4);
     const bin = atob(padded);
     const out = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++)
-        out[i] = bin.charCodeAt(i);
+    for(let i = 0; i < bin.length; i++)out[i] = bin.charCodeAt(i);
     return out;
 }
-export function encodeArgon2idPhc(phc) {
-    return (`$${phc.algorithm}` +
-        `$v=${phc.version}` +
-        `$m=${phc.memoryCost},t=${phc.timeCost},p=${phc.parallelism}` +
-        `$${bytesToB64NoPad(phc.salt)}` +
-        `$${bytesToB64NoPad(phc.hash)}`);
+function encodeArgon2idPhc(phc) {
+    return `$${phc.algorithm}$v=${phc.version}$m=${phc.memoryCost},t=${phc.timeCost},p=${phc.parallelism}$${bytesToB64NoPad(phc.salt)}$${bytesToB64NoPad(phc.hash)}`;
 }
-export function decodeArgon2idPhc(s) {
-    // Leading `$` produces an empty first segment, so a valid argon2id PHC string
-    // splits into exactly 6 parts: ['', algo, 'v=…', 'm=…,t=…,p=…', salt, hash].
+function decodeArgon2idPhc(s) {
     const parts = s.split('$');
-    if (parts.length !== 6 || parts[0] !== '') {
-        throw new Error('decodeArgon2idPhc: malformed PHC string');
-    }
+    if (6 !== parts.length || '' !== parts[0]) throw new Error('decodeArgon2idPhc: malformed PHC string');
     const algorithm = parts[1] ?? '';
     const versionField = parts[2] ?? '';
     const paramsField = parts[3] ?? '';
     const saltB64 = parts[4] ?? '';
     const hashB64 = parts[5] ?? '';
-    if (algorithm !== 'argon2id') {
-        throw new Error(`decodeArgon2idPhc: unsupported algorithm "${algorithm}"`);
-    }
-    if (!versionField.startsWith('v=')) {
-        throw new Error('decodeArgon2idPhc: missing version field');
-    }
+    if ('argon2id' !== algorithm) throw new Error(`decodeArgon2idPhc: unsupported algorithm "${algorithm}"`);
+    if (!versionField.startsWith('v=')) throw new Error('decodeArgon2idPhc: missing version field');
     const version = Number.parseInt(versionField.slice(2), 10);
-    if (!Number.isInteger(version)) {
-        throw new Error(`decodeArgon2idPhc: invalid version "${versionField}"`);
-    }
+    if (!Number.isInteger(version)) throw new Error(`decodeArgon2idPhc: invalid version "${versionField}"`);
     const params = {};
-    for (const kv of paramsField.split(',')) {
+    for (const kv of paramsField.split(',')){
         const eq = kv.indexOf('=');
-        if (eq <= 0)
-            throw new Error(`decodeArgon2idPhc: malformed param "${kv}"`);
+        if (eq <= 0) throw new Error(`decodeArgon2idPhc: malformed param "${kv}"`);
         const k = kv.slice(0, eq);
         const v = Number.parseInt(kv.slice(eq + 1), 10);
-        if (!Number.isInteger(v))
-            throw new Error(`decodeArgon2idPhc: malformed param value "${kv}"`);
-        if (k === 'm' || k === 't' || k === 'p')
-            params[k] = v;
-    }
-    if (params.m === undefined || params.t === undefined || params.p === undefined) {
-        throw new Error('decodeArgon2idPhc: missing required m/t/p params');
+        if (!Number.isInteger(v)) throw new Error(`decodeArgon2idPhc: malformed param value "${kv}"`);
+        if ('m' === k || 't' === k || 'p' === k) params[k] = v;
     }
+    if (void 0 === params.m || void 0 === params.t || void 0 === params.p) throw new Error('decodeArgon2idPhc: missing required m/t/p params');
     return {
         algorithm: 'argon2id',
         version,
@@ -70,18 +42,13 @@ export function decodeArgon2idPhc(s) {
         timeCost: params.t,
         parallelism: params.p,
         salt: b64NoPadToBytes(saltB64),
-        hash: b64NoPadToBytes(hashB64),
+        hash: b64NoPadToBytes(hashB64)
     };
 }
-/**
- * Constant-time byte comparison. Returns `true` only if both arrays have the
- * same length and every byte matches. Intended for hash verification.
- */
-export function timingSafeEqual(a, b) {
-    if (a.length !== b.length)
-        return false;
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length) return false;
     let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
+    for(let i = 0; i < a.length; i++)diff |= a[i] ^ b[i];
+    return 0 === diff;
 }
+export { decodeArgon2idPhc, encodeArgon2idPhc, timingSafeEqual };

package/dist/modules/auth/refresh-tokens-repository.js

@@ -1,8 +1 @@
-/**
- * This Source Code is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * Copyright (c) Infonomic Company Limited
- */
-export {};
+export { };