@digiko-npm/cms 0.1.0

package/dist/auth/index.d.ts

@@ -0,0 +1,20 @@
+import { A as AuthConfig } from '../config-qNdTlg1g.js';
+
+/**
+ * Hash a password using PBKDF2.
+ * Returns a hex-encoded hash string.
+ */
+declare function hashPassword(password: string, salt: string, config?: AuthConfig['pbkdf2']): string;
+/**
+ * Verify a password against a stored hash using timing-safe comparison.
+ * Returns true if the password matches.
+ */
+declare function verifyPassword(password: string, salt: string, storedHash: string, config?: AuthConfig['pbkdf2']): boolean;
+
+/**
+ * Generate a cryptographically secure session token.
+ * Returns a hex string (default: 64 characters from 32 bytes).
+ */
+declare function generateSessionToken(bytes?: number): string;
+
+export { generateSessionToken, hashPassword, verifyPassword };

package/dist/auth/index.js

@@ -0,0 +1,34 @@
+// src/auth/password.ts
+import crypto from "crypto";
+var DEFAULTS = {
+  iterations: 1e5,
+  keyLength: 64,
+  digest: "sha512"
+};
+function hashPassword(password, salt, config) {
+  const iterations = config?.iterations ?? DEFAULTS.iterations;
+  const keyLength = config?.keyLength ?? DEFAULTS.keyLength;
+  const digest = config?.digest ?? DEFAULTS.digest;
+  return crypto.pbkdf2Sync(password, salt, iterations, keyLength, digest).toString("hex");
+}
+function verifyPassword(password, salt, storedHash, config) {
+  const inputHash = hashPassword(password, salt, config);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  const inputBuffer = Buffer.from(inputHash, "hex");
+  if (storedBuffer.length !== inputBuffer.length) {
+    return false;
+  }
+  return crypto.timingSafeEqual(storedBuffer, inputBuffer);
+}
+
+// src/auth/token.ts
+import crypto2 from "crypto";
+var DEFAULT_TOKEN_BYTES = 32;
+function generateSessionToken(bytes) {
+  return crypto2.randomBytes(bytes ?? DEFAULT_TOKEN_BYTES).toString("hex");
+}
+export {
+  generateSessionToken,
+  hashPassword,
+  verifyPassword
+};

package/dist/auth-C8Nq_GmD.d.ts

@@ -0,0 +1,31 @@
+/** Server-side session data stored in Redis */
+interface Session {
+    createdAt: number;
+    expiresAt: number;
+    ip?: string;
+    userAgent?: string;
+}
+/** Result of an authentication attempt */
+interface AuthResult {
+    success: boolean;
+    message: string;
+    sessionToken?: string;
+    expiresAt?: number;
+}
+/** Result of admin request verification */
+type VerifyResult = {
+    authorized: true;
+    token: string;
+} | {
+    authorized: false;
+    status: number;
+    message: string;
+};
+/** Rate limit check result */
+interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    retryAfterMs?: number;
+}
+
+export type { AuthResult as A, RateLimitResult as R, Session as S, VerifyResult as V };

package/dist/config-qNdTlg1g.d.ts

@@ -0,0 +1,64 @@
+/** Supabase connection config */
+interface SupabaseConfig {
+    url: string;
+    anonKey: string;
+    serviceRoleKey?: string;
+}
+/** Cloudflare R2 storage config */
+interface R2Config {
+    accountId: string;
+    accessKeyId: string;
+    secretAccessKey: string;
+    bucketName: string;
+    publicUrl: string;
+}
+/** Redis session store config */
+interface SessionStoreConfig {
+    redisUrl: string;
+    redisToken: string;
+    /** Key namespace prefix (e.g. "marketplace:", "portfolio:") */
+    keyPrefix: string;
+    /** Session TTL in milliseconds. Default: 24 hours */
+    sessionDuration?: number;
+}
+/** Rate limiter config */
+interface RateLimiterConfig {
+    redisUrl: string;
+    redisToken: string;
+    keyPrefix: string;
+    /** Max attempts before blocking. Default: 10 */
+    maxAttempts?: number;
+    /** Time window in milliseconds. Default: 15 minutes */
+    windowMs?: number;
+}
+/** Auth/password config */
+interface AuthConfig {
+    /** Cookie name for admin session. Default: "admin_session" */
+    cookieName?: string;
+    pbkdf2?: {
+        iterations?: number;
+        keyLength?: number;
+        digest?: string;
+    };
+    /** Session token length in bytes. Default: 32 (64-char hex) */
+    tokenBytes?: number;
+}
+/** Client-side upload config (API endpoint paths) */
+interface UploadConfig {
+    /** Endpoint that returns presigned R2 URL (e.g. "/api/admin/upload") */
+    uploadEndpoint: string;
+    /** Endpoint to register media in DB (e.g. "/api/admin/media") */
+    mediaEndpoint: string;
+}
+/** Next.js request verifier config */
+interface RequestVerifierConfig {
+    cookieName?: string;
+    getSession: (token: string) => Promise<{
+        createdAt: number;
+        expiresAt: number;
+    } | undefined>;
+    unauthorizedMessage?: string;
+    sessionExpiredMessage?: string;
+}
+
+export type { AuthConfig as A, R2Config as R, SessionStoreConfig as S, UploadConfig as U, RateLimiterConfig as a, RequestVerifierConfig as b, SupabaseConfig as c };

package/dist/http/index.d.ts

@@ -0,0 +1,15 @@
+declare const HTTP_STATUS: {
+    readonly OK: 200;
+    readonly CREATED: 201;
+    readonly NO_CONTENT: 204;
+    readonly BAD_REQUEST: 400;
+    readonly UNAUTHORIZED: 401;
+    readonly FORBIDDEN: 403;
+    readonly NOT_FOUND: 404;
+    readonly CONFLICT: 409;
+    readonly TOO_MANY_REQUESTS: 429;
+    readonly INTERNAL_ERROR: 500;
+};
+type HttpStatus = (typeof HTTP_STATUS)[keyof typeof HTTP_STATUS];
+
+export { HTTP_STATUS, type HttpStatus };

package/dist/http/index.js

@@ -0,0 +1,16 @@
+// src/http/status.ts
+var HTTP_STATUS = {
+  OK: 200,
+  CREATED: 201,
+  NO_CONTENT: 204,
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  CONFLICT: 409,
+  TOO_MANY_REQUESTS: 429,
+  INTERNAL_ERROR: 500
+};
+export {
+  HTTP_STATUS
+};

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { createAdminClient, createBrowserClient, createPublicClient } from './supabase/index.js';
+export { UploadOptions, UploadResult, createR2Client, getR2Bucket, getR2PublicUrl, uploadFile } from './r2/index.js';
+export { generateSessionToken, hashPassword, verifyPassword } from './auth/index.js';
+export { RateLimiter, SessionStore, createRateLimiter, createSessionStore, getDefaultSessionDuration } from './session/index.js';
+export { HTTP_STATUS, HttpStatus } from './http/index.js';
+export { A as AuthConfig, R as R2Config, a as RateLimiterConfig, b as RequestVerifierConfig, S as SessionStoreConfig, c as SupabaseConfig, U as UploadConfig } from './config-qNdTlg1g.js';
+export { M as MediaInsert, a as MediaRecord, b as MediaUpdate } from './media-ExBfXePZ.js';
+export { A as AuthResult, R as RateLimitResult, S as Session, V as VerifyResult } from './auth-C8Nq_GmD.js';
+import '@supabase/supabase-js';
+import '@aws-sdk/client-s3';

package/dist/index.js

@@ -0,0 +1,233 @@
+// src/supabase/client.ts
+import { createClient } from "@supabase/supabase-js";
+function createBrowserClient(config) {
+  return createClient(config.url, config.anonKey);
+}
+
+// src/supabase/server.ts
+import { createClient as createClient2 } from "@supabase/supabase-js";
+function createAdminClient(config) {
+  if (!config.serviceRoleKey) {
+    throw new Error("@digiko-npm/cms: serviceRoleKey is required for createAdminClient");
+  }
+  return createClient2(config.url, config.serviceRoleKey);
+}
+function createPublicClient(config) {
+  return createClient2(config.url, config.anonKey);
+}
+
+// src/r2/client.ts
+import { S3Client } from "@aws-sdk/client-s3";
+function createR2Client(config) {
+  return new S3Client({
+    region: "auto",
+    endpoint: `https://${config.accountId}.r2.cloudflarestorage.com`,
+    credentials: {
+      accessKeyId: config.accessKeyId,
+      secretAccessKey: config.secretAccessKey
+    },
+    requestChecksumCalculation: "WHEN_REQUIRED",
+    responseChecksumValidation: "WHEN_REQUIRED"
+  });
+}
+function getR2Bucket(config) {
+  return config.bucketName;
+}
+function getR2PublicUrl(config) {
+  return config.publicUrl;
+}
+
+// src/r2/upload.ts
+async function uploadFile(config, { file, folder = "media", onProgress }) {
+  const presignRes = await fetch(config.uploadEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      filename: file.name,
+      contentType: file.type,
+      folder
+    })
+  });
+  if (!presignRes.ok) {
+    throw new Error(`Failed to get upload URL: ${presignRes.status}`);
+  }
+  const { uploadUrl, publicUrl, key } = await presignRes.json();
+  await uploadToR2(uploadUrl, file, file.type, onProgress);
+  const confirmRes = await fetch(config.mediaEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      filename: key.split("/").pop(),
+      original_name: file.name,
+      mime_type: file.type,
+      size_bytes: file.size,
+      url: publicUrl
+    })
+  });
+  if (!confirmRes.ok) {
+    throw new Error(`Failed to register upload: ${confirmRes.status}`);
+  }
+  const media = await confirmRes.json();
+  return { url: publicUrl, key, media };
+}
+function uploadToR2(url, file, contentType, onProgress) {
+  return new Promise((resolve, reject) => {
+    const xhr = new XMLHttpRequest();
+    xhr.upload.addEventListener("progress", (e) => {
+      if (e.lengthComputable && onProgress) {
+        onProgress(Math.round(e.loaded / e.total * 100));
+      }
+    });
+    xhr.addEventListener("load", () => {
+      if (xhr.status >= 200 && xhr.status < 300) {
+        resolve();
+      } else {
+        reject(new Error(`Upload failed with status ${xhr.status}`));
+      }
+    });
+    xhr.addEventListener("error", () => reject(new Error("Upload failed")));
+    xhr.addEventListener("abort", () => reject(new Error("Upload aborted")));
+    xhr.open("PUT", url);
+    xhr.setRequestHeader("Content-Type", contentType);
+    xhr.send(file);
+  });
+}
+
+// src/auth/password.ts
+import crypto from "crypto";
+var DEFAULTS = {
+  iterations: 1e5,
+  keyLength: 64,
+  digest: "sha512"
+};
+function hashPassword(password, salt, config) {
+  const iterations = config?.iterations ?? DEFAULTS.iterations;
+  const keyLength = config?.keyLength ?? DEFAULTS.keyLength;
+  const digest = config?.digest ?? DEFAULTS.digest;
+  return crypto.pbkdf2Sync(password, salt, iterations, keyLength, digest).toString("hex");
+}
+function verifyPassword(password, salt, storedHash, config) {
+  const inputHash = hashPassword(password, salt, config);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  const inputBuffer = Buffer.from(inputHash, "hex");
+  if (storedBuffer.length !== inputBuffer.length) {
+    return false;
+  }
+  return crypto.timingSafeEqual(storedBuffer, inputBuffer);
+}
+
+// src/auth/token.ts
+import crypto2 from "crypto";
+var DEFAULT_TOKEN_BYTES = 32;
+function generateSessionToken(bytes) {
+  return crypto2.randomBytes(bytes ?? DEFAULT_TOKEN_BYTES).toString("hex");
+}
+
+// src/session/store.ts
+import { Redis } from "@upstash/redis";
+var DEFAULT_SESSION_DURATION = 24 * 60 * 60 * 1e3;
+function createSessionStore(config) {
+  const redis = new Redis({
+    url: config.redisUrl,
+    token: config.redisToken
+  });
+  const sessionKey = (token) => `${config.keyPrefix}session:${token}`;
+  return {
+    async addSession(token, session) {
+      const ttlMs = session.expiresAt - Date.now();
+      const ttlSeconds = Math.max(Math.ceil(ttlMs / 1e3), 1);
+      await redis.set(sessionKey(token), JSON.stringify(session), { ex: ttlSeconds });
+    },
+    async getSession(token) {
+      const data = await redis.get(sessionKey(token));
+      if (!data) return void 0;
+      const session = typeof data === "string" ? JSON.parse(data) : data;
+      if (Date.now() > session.expiresAt) {
+        await redis.del(sessionKey(token));
+        return void 0;
+      }
+      return session;
+    },
+    async removeSession(token) {
+      const result = await redis.del(sessionKey(token));
+      return result > 0;
+    }
+  };
+}
+function getDefaultSessionDuration() {
+  return DEFAULT_SESSION_DURATION;
+}
+
+// src/session/rate-limit.ts
+import { Redis as Redis2 } from "@upstash/redis";
+var DEFAULTS2 = {
+  maxAttempts: 10,
+  windowMs: 15 * 60 * 1e3
+  // 15 minutes
+};
+function createRateLimiter(config) {
+  const redis = new Redis2({
+    url: config.redisUrl,
+    token: config.redisToken
+  });
+  const maxAttempts = config.maxAttempts ?? DEFAULTS2.maxAttempts;
+  const windowMs = config.windowMs ?? DEFAULTS2.windowMs;
+  const rateLimitKey = (key) => `${config.keyPrefix}ratelimit:${key}`;
+  return {
+    async check(key) {
+      const now = Date.now();
+      const redisKey = rateLimitKey(key);
+      const data = await redis.get(redisKey);
+      let entry = null;
+      if (data) {
+        entry = typeof data === "string" ? JSON.parse(data) : data;
+        if (entry && now > entry.resetAt) entry = null;
+      }
+      if (!entry) {
+        const newEntry = { count: 1, resetAt: now + windowMs };
+        await redis.set(redisKey, JSON.stringify(newEntry), { ex: Math.ceil(windowMs / 1e3) });
+        return { allowed: true, remaining: maxAttempts - 1 };
+      }
+      if (entry.count >= maxAttempts) {
+        return { allowed: false, remaining: 0, retryAfterMs: entry.resetAt - now };
+      }
+      entry.count++;
+      const ttlSeconds = Math.max(Math.ceil((entry.resetAt - now) / 1e3), 1);
+      await redis.set(redisKey, JSON.stringify(entry), { ex: ttlSeconds });
+      return { allowed: true, remaining: maxAttempts - entry.count };
+    },
+    async reset(key) {
+      await redis.del(rateLimitKey(key));
+    }
+  };
+}
+
+// src/http/status.ts
+var HTTP_STATUS = {
+  OK: 200,
+  CREATED: 201,
+  NO_CONTENT: 204,
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  CONFLICT: 409,
+  TOO_MANY_REQUESTS: 429,
+  INTERNAL_ERROR: 500
+};
+export {
+  HTTP_STATUS,
+  createAdminClient,
+  createBrowserClient,
+  createPublicClient,
+  createR2Client,
+  createRateLimiter,
+  createSessionStore,
+  generateSessionToken,
+  getDefaultSessionDuration,
+  getR2Bucket,
+  getR2PublicUrl,
+  hashPassword,
+  uploadFile,
+  verifyPassword
+};

package/dist/media-ExBfXePZ.d.ts

@@ -0,0 +1,19 @@
+/** Generic media record — shared across all projects that use R2 uploads */
+interface MediaRecord {
+    id: string;
+    filename: string;
+    original_name: string;
+    mime_type: string;
+    size_bytes: number;
+    url: string;
+    width?: number | null;
+    height?: number | null;
+    alt_text?: string | null;
+    created_at: string;
+}
+/** Fields required when creating a media record */
+type MediaInsert = Omit<MediaRecord, 'id' | 'created_at'>;
+/** Fields that can be updated on an existing media record */
+type MediaUpdate = Partial<Pick<MediaRecord, 'alt_text' | 'filename'>>;
+
+export type { MediaInsert as M, MediaRecord as a, MediaUpdate as b };

package/dist/next/index.d.ts

@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { b as RequestVerifierConfig } from '../config-qNdTlg1g.js';
+
+type AuthSuccess = {
+    authorized: true;
+    token: string;
+};
+type AuthFailure = {
+    authorized: false;
+    response: NextResponse;
+};
+/**
+ * Create a request verifier for Next.js API routes.
+ * Extracts session token from cookie or Authorization header,
+ * then validates against the provided session store.
+ */
+declare function createRequestVerifier(config: RequestVerifierConfig): (request: NextRequest) => Promise<AuthSuccess | AuthFailure>;
+
+export { createRequestVerifier };

package/dist/next/index.js

@@ -0,0 +1,54 @@
+// src/next/verify-request.ts
+import { NextResponse } from "next/server";
+
+// src/http/status.ts
+var HTTP_STATUS = {
+  OK: 200,
+  CREATED: 201,
+  NO_CONTENT: 204,
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  CONFLICT: 409,
+  TOO_MANY_REQUESTS: 429,
+  INTERNAL_ERROR: 500
+};
+
+// src/next/verify-request.ts
+var DEFAULTS = {
+  cookieName: "admin_session",
+  unauthorizedMessage: "Unauthorized",
+  sessionExpiredMessage: "Session expired"
+};
+function createRequestVerifier(config) {
+  const cookieName = config.cookieName ?? DEFAULTS.cookieName;
+  const unauthorizedMsg = config.unauthorizedMessage ?? DEFAULTS.unauthorizedMessage;
+  const sessionExpiredMsg = config.sessionExpiredMessage ?? DEFAULTS.sessionExpiredMessage;
+  return async function verifyAdminRequest(request) {
+    const token = request.cookies.get(cookieName)?.value || request.headers.get("Authorization")?.replace("Bearer ", "");
+    if (!token) {
+      return {
+        authorized: false,
+        response: NextResponse.json(
+          { error: unauthorizedMsg },
+          { status: HTTP_STATUS.UNAUTHORIZED }
+        )
+      };
+    }
+    const session = await config.getSession(token);
+    if (!session) {
+      return {
+        authorized: false,
+        response: NextResponse.json(
+          { error: sessionExpiredMsg },
+          { status: HTTP_STATUS.UNAUTHORIZED }
+        )
+      };
+    }
+    return { authorized: true, token };
+  };
+}
+export {
+  createRequestVerifier
+};

package/dist/r2/index.d.ts

@@ -0,0 +1,34 @@
+import { S3Client } from '@aws-sdk/client-s3';
+import { R as R2Config, U as UploadConfig } from '../config-qNdTlg1g.js';
+import { a as MediaRecord } from '../media-ExBfXePZ.js';
+
+/**
+ * Create a Cloudflare R2 client (S3-compatible).
+ */
+declare function createR2Client(config: R2Config): S3Client;
+/** Get the R2 bucket name from config */
+declare function getR2Bucket(config: R2Config): string;
+/** Get the R2 public URL from config */
+declare function getR2PublicUrl(config: R2Config): string;
+
+interface UploadOptions {
+    file: File;
+    folder?: string;
+    onProgress?: (percent: number) => void;
+}
+interface UploadResult {
+    url: string;
+    key: string;
+    media: MediaRecord;
+}
+/**
+ * Upload a file to R2 via presigned URL, then register in the DB.
+ *
+ * Flow:
+ * 1. POST to uploadEndpoint → get presigned PUT URL
+ * 2. PUT file directly to R2 (with progress tracking via XHR)
+ * 3. POST metadata to mediaEndpoint → register the upload
+ */
+declare function uploadFile(config: UploadConfig, { file, folder, onProgress }: UploadOptions): Promise<UploadResult>;
+
+export { type UploadOptions, type UploadResult, createR2Client, getR2Bucket, getR2PublicUrl, uploadFile };

package/dist/r2/index.js

@@ -0,0 +1,82 @@
+// src/r2/client.ts
+import { S3Client } from "@aws-sdk/client-s3";
+function createR2Client(config) {
+  return new S3Client({
+    region: "auto",
+    endpoint: `https://${config.accountId}.r2.cloudflarestorage.com`,
+    credentials: {
+      accessKeyId: config.accessKeyId,
+      secretAccessKey: config.secretAccessKey
+    },
+    requestChecksumCalculation: "WHEN_REQUIRED",
+    responseChecksumValidation: "WHEN_REQUIRED"
+  });
+}
+function getR2Bucket(config) {
+  return config.bucketName;
+}
+function getR2PublicUrl(config) {
+  return config.publicUrl;
+}
+
+// src/r2/upload.ts
+async function uploadFile(config, { file, folder = "media", onProgress }) {
+  const presignRes = await fetch(config.uploadEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      filename: file.name,
+      contentType: file.type,
+      folder
+    })
+  });
+  if (!presignRes.ok) {
+    throw new Error(`Failed to get upload URL: ${presignRes.status}`);
+  }
+  const { uploadUrl, publicUrl, key } = await presignRes.json();
+  await uploadToR2(uploadUrl, file, file.type, onProgress);
+  const confirmRes = await fetch(config.mediaEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      filename: key.split("/").pop(),
+      original_name: file.name,
+      mime_type: file.type,
+      size_bytes: file.size,
+      url: publicUrl
+    })
+  });
+  if (!confirmRes.ok) {
+    throw new Error(`Failed to register upload: ${confirmRes.status}`);
+  }
+  const media = await confirmRes.json();
+  return { url: publicUrl, key, media };
+}
+function uploadToR2(url, file, contentType, onProgress) {
+  return new Promise((resolve, reject) => {
+    const xhr = new XMLHttpRequest();
+    xhr.upload.addEventListener("progress", (e) => {
+      if (e.lengthComputable && onProgress) {
+        onProgress(Math.round(e.loaded / e.total * 100));
+      }
+    });
+    xhr.addEventListener("load", () => {
+      if (xhr.status >= 200 && xhr.status < 300) {
+        resolve();
+      } else {
+        reject(new Error(`Upload failed with status ${xhr.status}`));
+      }
+    });
+    xhr.addEventListener("error", () => reject(new Error("Upload failed")));
+    xhr.addEventListener("abort", () => reject(new Error("Upload aborted")));
+    xhr.open("PUT", url);
+    xhr.setRequestHeader("Content-Type", contentType);
+    xhr.send(file);
+  });
+}
+export {
+  createR2Client,
+  getR2Bucket,
+  getR2PublicUrl,
+  uploadFile
+};

package/dist/session/index.d.ts

@@ -0,0 +1,27 @@
+import { S as SessionStoreConfig, a as RateLimiterConfig } from '../config-qNdTlg1g.js';
+import { S as Session, R as RateLimitResult } from '../auth-C8Nq_GmD.js';
+
+interface SessionStore {
+    addSession: (token: string, session: Session) => Promise<void>;
+    getSession: (token: string) => Promise<Session | undefined>;
+    removeSession: (token: string) => Promise<boolean>;
+}
+/**
+ * Create a Redis-backed session store.
+ * All keys are namespaced with the configured keyPrefix.
+ */
+declare function createSessionStore(config: SessionStoreConfig): SessionStore;
+/** Get the default session duration in milliseconds */
+declare function getDefaultSessionDuration(): number;
+
+interface RateLimiter {
+    check: (key: string) => Promise<RateLimitResult>;
+    reset: (key: string) => Promise<void>;
+}
+/**
+ * Create a Redis-backed sliding-window rate limiter.
+ * Keys are namespaced with the configured keyPrefix.
+ */
+declare function createRateLimiter(config: RateLimiterConfig): RateLimiter;
+
+export { type RateLimiter, type SessionStore, createRateLimiter, createSessionStore, getDefaultSessionDuration };