@draftlab/auth 0.10.3 → 0.11.0

package/dist/client.d.mts

@@ -218,6 +218,7 @@ interface VerifyOptions {
   issuer?: string;
   /**
    * Expected audience for validation.
+   * Defaults to clientID for security. Override only if you know what you're doing.
    * @internal
    */
   audience?: string;

package/dist/client.mjs

@@ -203,7 +203,7 @@ const createClient = (input) => {
 			try {
 				const jwtResult = await jwtVerify(token, await getJWKS(), {
 					issuer: options?.issuer ?? issuer,
-					...options?.audience && { audience: options.audience }
+					audience: options?.audience ?? input.clientID
 				});
 				const validated = await subjects[jwtResult.payload.type]?.["~standard"].validate(jwtResult.payload.properties);
 				if (!validated?.issues && jwtResult.payload.mode === "access") return {

package/dist/core.d.mts

@@ -3,7 +3,6 @@ import { UnknownStateError } from "./error.mjs";
 import { Prettify } from "./util.mjs";
 import { SubjectPayload, SubjectSchema } from "./subject.mjs";
 import { StorageAdapter } from "./storage/storage.mjs";
-import { Plugin } from "./plugin/types.mjs";
 import { Provider } from "./provider/provider.mjs";
 import { Theme } from "./themes/theme.mjs";
 import { AuthorizationState } from "./types.mjs";
@@ -61,8 +60,6 @@ interface IssuerInput<Providers extends Record<string, Provider<unknown>>, Subje
   error?(error: UnknownStateError, req: Request): Promise<Response>;
   /** Client authorization check function */
   allow?(input: AllowCheckInput, req: Request): Promise<boolean>;
-  /** Plugin configuration */
-  plugins?: Plugin[];
   /**
    * Refresh callback for updating user claims.
    *

package/dist/core.mjs

@@ -5,7 +5,6 @@ import { validatePKCE } from "./pkce.mjs";
 import { generateSecureToken } from "./random.mjs";
 import { Storage } from "./storage/storage.mjs";
 import { encryptionKeys, signingKeys } from "./keys.mjs";
-import { PluginManager } from "./plugin/manager.mjs";
 import { Revocation } from "./revocation.mjs";
 import { setTheme } from "./themes/theme.mjs";
 import { Select } from "./ui/select.mjs";
@@ -188,15 +187,6 @@ const issuer = (input) => {
 			const authorization = await getAuthorization(ctx);
 			const currentProvider = ctx.get("provider") || "unknown";
 			if (!authorization.client_id) throw new Error("client_id is required");
-			if (manager) try {
-				const subjectProperties = properties && typeof properties === "object" ? properties : {};
-				await manager.executeSuccessHooks(authorization.client_id, currentProvider, {
-					type: currentProvider,
-					properties: subjectProperties
-				});
-			} catch (error$1) {
-				console.error("Plugin success hook failed:", error$1);
-			}
 			return await input.success({ async subject(type, properties$1, subjectOpts) {
 				const subject = subjectOpts?.subject ?? await resolveSubject(type, properties$1);
 				await successOpts?.invalidate?.(await resolveSubject(type, properties$1));
@@ -287,22 +277,6 @@ const issuer = (input) => {
 		storage
 	};
 	const app = new Router({ basePath: input.basePath });
-	const manager = input.plugins && input.plugins.length > 0 ? new PluginManager(input.storage) : null;
-	let pluginsInitialized = false;
-	if (manager && input.plugins) {
-		manager.registerAll(input.plugins);
-		manager.setupRoutes(app);
-		app.use(async (c, next) => {
-			if (!pluginsInitialized) try {
-				await manager.initialize();
-				pluginsInitialized = true;
-			} catch (error$1) {
-				console.error("Plugin initialization failed:", error$1);
-				return c.newResponse("Plugin initialization failed", { status: 500 });
-			}
-			return await next();
-		});
-	}
 	for (const [name, value] of Object.entries(input.providers)) {
 		const route = new Router();
 		route.use(async (c, next) => {
@@ -396,6 +370,7 @@ const issuer = (input) => {
 				await Storage.remove(storage, key);
 				const response = {
 					access_token: tokens.access,
+					token_type: "Bearer",
 					expires_in: tokens.expiresIn,
 					refresh_token: tokens.refresh
 				};
@@ -475,6 +450,7 @@ const issuer = (input) => {
 				}, { generateRefreshToken });
 				const response = {
 					access_token: tokens.access,
+					token_type: "Bearer",
 					refresh_token: tokens.refresh,
 					expires_in: tokens.expiresIn
 				};
@@ -574,6 +550,12 @@ const issuer = (input) => {
 		};
 		c.set("authorization", authorization);
 		if (!redirect_uri) return c.text("Missing redirect_uri", { status: 400 });
+		try {
+			const uri = new URL(redirect_uri);
+			if (!uri.protocol || !uri.host) return c.text("Invalid redirect_uri format", { status: 400 });
+		} catch {
+			return c.text("Invalid redirect_uri format", { status: 400 });
+		}
 		if (!response_type) throw new MissingParameterError("response_type");
 		if (!client_id) throw new MissingParameterError("client_id");
 		if (input.start) await input.start(c.request);
@@ -582,10 +564,6 @@ const issuer = (input) => {
 			redirectURI: redirect_uri,
 			audience
 		}, c.request)) throw new UnauthorizedClientError(client_id, redirect_uri);
-		if (manager) {
-			const scopes = scope ? scope.split(" ") : void 0;
-			await manager.executeAuthorizeHooks(client_id, provider, scopes);
-		}
 		await auth.set(c, "authorization", 900, authorization);
 		if (provider) return c.redirect(`${provider}/authorize`);
 		const availableProviders = Object.keys(input.providers);
@@ -593,12 +571,6 @@ const issuer = (input) => {
 		return auth.forward(c, await select()(Object.fromEntries(Object.entries(input.providers).map(([key, value]) => [key, value.type])), c.request));
 	});
 	app.onError(async (err, c) => {
-		if (manager) try {
-			const errorObj = err instanceof Error ? err : new Error(String(err));
-			await manager.executeErrorHooks(errorObj);
-		} catch (hookError) {
-			console.error("Plugin error hook failed:", hookError);
-		}
 		if (err instanceof UnknownStateError) return auth.forward(c, await error(err, c.request));
 		try {
 			const authorization = await getAuthorization(c);

package/dist/keys.mjs

@@ -1,3 +1,4 @@
+import { Mutex } from "./mutex.mjs";
 import { generateSecureToken } from "./random.mjs";
 import { Storage } from "./storage/storage.mjs";
 import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
@@ -11,6 +12,9 @@ import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, impor
 const signingAlg = "ES256";
 /** RSA algorithm used for token encryption operations */
 const encryptionAlg = "RSA-OAEP-512";
+/** Mutex to prevent concurrent key generation (race condition with eventually consistent storage) */
+const signingKeyMutex = new Mutex();
+const encryptionKeyMutex = new Mutex();
 /**
 * Loads or generates signing keys for JWT operations.
 * Returns existing valid keys, or generates new ones if none are available.
@@ -31,47 +35,49 @@ const encryptionAlg = "RSA-OAEP-512";
 * ```
 */
 const signingKeys = async (storage) => {
-	const results = [];
-	const scanner = Storage.scan(storage, ["signing:key"]);
-	for await (const [, value] of scanner) try {
-		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
-		const privateKey = await importPKCS8(value.privateKey, value.alg);
-		const jwk$1 = await exportJWK(publicKey);
-		jwk$1.kid = value.id;
-		jwk$1.use = "sig";
-		results.push({
-			id: value.id,
+	return signingKeyMutex.runExclusive(async () => {
+		const results = [];
+		const scanner = Storage.scan(storage, ["signing:key"]);
+		for await (const [, value] of scanner) try {
+			const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+			const privateKey = await importPKCS8(value.privateKey, value.alg);
+			const jwk$1 = await exportJWK(publicKey);
+			jwk$1.kid = value.id;
+			jwk$1.use = "sig";
+			results.push({
+				id: value.id,
+				alg: signingAlg,
+				created: new Date(value.created),
+				expired: value.expired ? new Date(value.expired) : void 0,
+				public: publicKey,
+				private: privateKey,
+				jwk: jwk$1
+			});
+		} catch {}
+		results.sort((a, b) => b.created.getTime() - a.created.getTime());
+		if (results.filter((item) => !item.expired).length) return results;
+		const key = await generateKeyPair(signingAlg, { extractable: true });
+		const serialized = {
+			id: generateSecureToken(16),
+			publicKey: await exportSPKI(key.publicKey),
+			privateKey: await exportPKCS8(key.privateKey),
+			created: Date.now(),
+			alg: signingAlg
+		};
+		await Storage.set(storage, ["signing:key", serialized.id], serialized);
+		const jwk = await exportJWK(key.publicKey);
+		jwk.kid = serialized.id;
+		jwk.use = "sig";
+		return [{
+			id: serialized.id,
 			alg: signingAlg,
-			created: new Date(value.created),
-			expired: value.expired ? new Date(value.expired) : void 0,
-			public: publicKey,
-			private: privateKey,
-			jwk: jwk$1
-		});
-	} catch {}
-	results.sort((a, b) => b.created.getTime() - a.created.getTime());
-	if (results.filter((item) => !item.expired).length) return results;
-	const key = await generateKeyPair(signingAlg, { extractable: true });
-	const serialized = {
-		id: generateSecureToken(16),
-		publicKey: await exportSPKI(key.publicKey),
-		privateKey: await exportPKCS8(key.privateKey),
-		created: Date.now(),
-		alg: signingAlg
-	};
-	await Storage.set(storage, ["signing:key", serialized.id], serialized);
-	const jwk = await exportJWK(key.publicKey);
-	jwk.kid = serialized.id;
-	jwk.use = "sig";
-	return [{
-		id: serialized.id,
-		alg: signingAlg,
-		created: new Date(serialized.created),
-		expired: serialized.expired ? new Date(serialized.expired) : void 0,
-		public: key.publicKey,
-		private: key.privateKey,
-		jwk
-	}, ...results];
+			created: new Date(serialized.created),
+			expired: serialized.expired ? new Date(serialized.expired) : void 0,
+			public: key.publicKey,
+			private: key.privateKey,
+			jwk
+		}, ...results];
+	});
 };
 /**
 * Loads or generates encryption keys for token encryption operations.
@@ -93,45 +99,47 @@ const signingKeys = async (storage) => {
 * ```
 */
 const encryptionKeys = async (storage) => {
-	const results = [];
-	const scanner = Storage.scan(storage, ["encryption:key"]);
-	for await (const [, value] of scanner) try {
-		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
-		const privateKey = await importPKCS8(value.privateKey, value.alg);
-		const jwk$1 = await exportJWK(publicKey);
-		jwk$1.kid = value.id;
-		results.push({
-			id: value.id,
+	return encryptionKeyMutex.runExclusive(async () => {
+		const results = [];
+		const scanner = Storage.scan(storage, ["encryption:key"]);
+		for await (const [, value] of scanner) try {
+			const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+			const privateKey = await importPKCS8(value.privateKey, value.alg);
+			const jwk$1 = await exportJWK(publicKey);
+			jwk$1.kid = value.id;
+			results.push({
+				id: value.id,
+				alg: encryptionAlg,
+				created: new Date(value.created),
+				expired: value.expired ? new Date(value.expired) : void 0,
+				public: publicKey,
+				private: privateKey,
+				jwk: jwk$1
+			});
+		} catch {}
+		results.sort((a, b) => b.created.getTime() - a.created.getTime());
+		if (results.filter((item) => !item.expired).length) return results;
+		const key = await generateKeyPair(encryptionAlg, { extractable: true });
+		const serialized = {
+			id: generateSecureToken(16),
+			publicKey: await exportSPKI(key.publicKey),
+			privateKey: await exportPKCS8(key.privateKey),
+			created: Date.now(),
+			alg: encryptionAlg
+		};
+		await Storage.set(storage, ["encryption:key", serialized.id], serialized);
+		const jwk = await exportJWK(key.publicKey);
+		jwk.kid = serialized.id;
+		return [{
+			id: serialized.id,
 			alg: encryptionAlg,
-			created: new Date(value.created),
-			expired: value.expired ? new Date(value.expired) : void 0,
-			public: publicKey,
-			private: privateKey,
-			jwk: jwk$1
-		});
-	} catch {}
-	results.sort((a, b) => b.created.getTime() - a.created.getTime());
-	if (results.filter((item) => !item.expired).length) return results;
-	const key = await generateKeyPair(encryptionAlg, { extractable: true });
-	const serialized = {
-		id: generateSecureToken(16),
-		publicKey: await exportSPKI(key.publicKey),
-		privateKey: await exportPKCS8(key.privateKey),
-		created: Date.now(),
-		alg: encryptionAlg
-	};
-	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
-	const jwk = await exportJWK(key.publicKey);
-	jwk.kid = serialized.id;
-	return [{
-		id: serialized.id,
-		alg: encryptionAlg,
-		created: new Date(serialized.created),
-		expired: serialized.expired ? new Date(serialized.expired) : void 0,
-		public: key.publicKey,
-		private: key.privateKey,
-		jwk
-	}, ...results];
+			created: new Date(serialized.created),
+			expired: serialized.expired ? new Date(serialized.expired) : void 0,
+			public: key.publicKey,
+			private: key.privateKey,
+			jwk
+		}, ...results];
+	});
 };
 
 //#endregion

package/dist/mutex.d.mts

@@ -0,0 +1,44 @@
+//#region src/mutex.d.ts
+/**
+ * A Mutex (mutual exclusion lock) for async functions.
+ * It allows only one async task to access a critical section at a time.
+ *
+ * @example
+ * const mutex = new Mutex();
+ *
+ * async function criticalSection() {
+ *   await mutex.acquire();
+ *   try {
+ *     // This code section cannot be executed simultaneously
+ *   } finally {
+ *     mutex.release();
+ *   }
+ * }
+ */
+declare class Mutex {
+  private semaphore;
+  /**
+   * Checks if the mutex is currently locked.
+   * @returns True if the mutex is locked, false otherwise.
+   */
+  get isLocked(): boolean;
+  /**
+   * Acquires the mutex, blocking if necessary until it is available.
+   * @returns A promise that resolves when the mutex is acquired.
+   */
+  acquire(): Promise<void>;
+  /**
+   * Releases the mutex, allowing another waiting task to proceed.
+   */
+  release(): void;
+  /**
+   * Runs a function while holding the mutex lock.
+   * Automatically acquires before and releases after the function execution.
+   *
+   * @param fn - The function to execute while holding the lock
+   * @returns The result of the function
+   */
+  runExclusive<T>(fn: () => Promise<T>): Promise<T>;
+}
+//#endregion
+export { Mutex };

package/dist/mutex.mjs

@@ -0,0 +1,110 @@
+//#region src/mutex.ts
+/**
+* A counting semaphore for async functions that manages available permits.
+* Semaphores are mainly used to limit the number of concurrent async tasks.
+*
+* Each `acquire` operation takes a permit or waits until one is available.
+* Each `release` operation adds a permit, potentially allowing a waiting task to proceed.
+*
+* The semaphore ensures fairness by maintaining a FIFO (First In, First Out) order for acquirers.
+*/
+var Semaphore = class {
+	/**
+	* The maximum number of concurrent operations allowed.
+	*/
+	capacity;
+	/**
+	* The number of available permits.
+	*/
+	available;
+	deferredTasks = [];
+	/**
+	* Creates an instance of Semaphore.
+	* @param capacity - The maximum number of concurrent operations allowed.
+	*/
+	constructor(capacity) {
+		this.capacity = capacity;
+		this.available = capacity;
+	}
+	/**
+	* Acquires a semaphore, blocking if necessary until one is available.
+	* @returns A promise that resolves when the semaphore is acquired.
+	*/
+	async acquire() {
+		if (this.available > 0) {
+			this.available--;
+			return;
+		}
+		return new Promise((resolve) => {
+			this.deferredTasks.push(resolve);
+		});
+	}
+	/**
+	* Releases a semaphore, allowing one more operation to proceed.
+	*/
+	release() {
+		const deferredTask = this.deferredTasks.shift();
+		if (deferredTask != null) {
+			deferredTask();
+			return;
+		}
+		if (this.available < this.capacity) this.available++;
+	}
+};
+/**
+* A Mutex (mutual exclusion lock) for async functions.
+* It allows only one async task to access a critical section at a time.
+*
+* @example
+* const mutex = new Mutex();
+*
+* async function criticalSection() {
+*   await mutex.acquire();
+*   try {
+*     // This code section cannot be executed simultaneously
+*   } finally {
+*     mutex.release();
+*   }
+* }
+*/
+var Mutex = class {
+	semaphore = new Semaphore(1);
+	/**
+	* Checks if the mutex is currently locked.
+	* @returns True if the mutex is locked, false otherwise.
+	*/
+	get isLocked() {
+		return this.semaphore.available === 0;
+	}
+	/**
+	* Acquires the mutex, blocking if necessary until it is available.
+	* @returns A promise that resolves when the mutex is acquired.
+	*/
+	async acquire() {
+		return this.semaphore.acquire();
+	}
+	/**
+	* Releases the mutex, allowing another waiting task to proceed.
+	*/
+	release() {
+		this.semaphore.release();
+	}
+	/**
+	* Runs a function while holding the mutex lock.
+	* Automatically acquires before and releases after the function execution.
+	*
+	* @param fn - The function to execute while holding the lock
+	* @returns The result of the function
+	*/
+	async runExclusive(fn) {
+		await this.acquire();
+		try {
+			return await fn();
+		} finally {
+			this.release();
+		}
+	}
+};
+
+//#endregion
+export { Mutex };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.10.3",
+  "version": "0.11.0",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",
@@ -39,7 +39,7 @@
   "devDependencies": {
     "@types/node": "^25.0.3",
     "@types/qrcode": "^1.5.6",
-    "tsdown": "^0.18.2",
+    "tsdown": "^0.18.3",
     "typescript": "^5.9.3",
     "@draftlab/tsconfig": "0.1.0"
   },
@@ -60,10 +60,10 @@
     "@standard-schema/spec": "^1.1.0",
     "jose": "^6.1.3",
     "otpauth": "^9.4.1",
-    "preact": "^10.28.0",
+    "preact": "^10.28.1",
     "preact-render-to-string": "^6.6.4",
     "qrcode": "^1.5.4",
-    "@draftlab/auth-router": "0.4.1"
+    "@draftlab/auth-router": "0.5.0"
   },
   "engines": {
     "node": ">=18"

package/dist/plugin/builder.d.mts

@@ -1,27 +0,0 @@
-import { PluginBuilder } from "./plugin.mjs";
-
-//#region src/plugin/builder.d.ts
-
-/**
- * Create a new plugin builder.
- * Plugins are built using a fluent API that supports routes and lifecycle hooks.
- *
- * @param id - Unique identifier for the plugin
- * @returns Plugin builder with chainable methods
- *
- * @example
- * ```ts
- * const analytics = plugin("analytics")
- *   .onSuccess(async (ctx) => {
- *     await ctx.storage.set(`success:${ctx.clientID}`, ctx.subject)
- *   })
- *   .post("/stats", async (ctx) => {
- *     const stats = await ctx.pluginStorage.get("stats")
- *     return ctx.json(stats)
- *   })
- *   .build()
- * ```
- */
-declare const plugin: (id: string) => PluginBuilder;
-//#endregion
-export { plugin };

package/dist/plugin/builder.mjs

@@ -1,93 +0,0 @@
-//#region src/plugin/builder.ts
-/**
-* Create a new plugin builder.
-* Plugins are built using a fluent API that supports routes and lifecycle hooks.
-*
-* @param id - Unique identifier for the plugin
-* @returns Plugin builder with chainable methods
-*
-* @example
-* ```ts
-* const analytics = plugin("analytics")
-*   .onSuccess(async (ctx) => {
-*     await ctx.storage.set(`success:${ctx.clientID}`, ctx.subject)
-*   })
-*   .post("/stats", async (ctx) => {
-*     const stats = await ctx.pluginStorage.get("stats")
-*     return ctx.json(stats)
-*   })
-*   .build()
-* ```
-*/
-const plugin = (id) => {
-	if (!id || typeof id !== "string") throw new Error("Plugin id must be a non-empty string");
-	const routes = [];
-	const registeredPaths = /* @__PURE__ */ new Set();
-	let initHook;
-	let authorizeHook;
-	let successHook;
-	let errorHook;
-	const validatePath = (path) => {
-		if (!path || typeof path !== "string") throw new Error("Route path must be a non-empty string");
-		if (!path.startsWith("/")) throw new Error("Route path must start with '/'");
-	};
-	return {
-		get(path, handler) {
-			validatePath(path);
-			const routeKey = `GET ${path}`;
-			if (registeredPaths.has(routeKey)) throw new Error(`Route ${routeKey} already registered in plugin '${id}'`);
-			registeredPaths.add(routeKey);
-			routes.push({
-				method: "GET",
-				path,
-				handler
-			});
-			return this;
-		},
-		post(path, handler) {
-			validatePath(path);
-			const routeKey = `POST ${path}`;
-			if (registeredPaths.has(routeKey)) throw new Error(`Route ${routeKey} already registered in plugin '${id}'`);
-			registeredPaths.add(routeKey);
-			routes.push({
-				method: "POST",
-				path,
-				handler
-			});
-			return this;
-		},
-		onInit(handler) {
-			if (initHook) throw new Error(`onInit hook already defined for plugin '${id}'`);
-			initHook = handler;
-			return this;
-		},
-		onAuthorize(handler) {
-			if (authorizeHook) throw new Error(`onAuthorize hook already defined for plugin '${id}'`);
-			authorizeHook = handler;
-			return this;
-		},
-		onSuccess(handler) {
-			if (successHook) throw new Error(`onSuccess hook already defined for plugin '${id}'`);
-			successHook = handler;
-			return this;
-		},
-		onError(handler) {
-			if (errorHook) throw new Error(`onError hook already defined for plugin '${id}'`);
-			errorHook = handler;
-			return this;
-		},
-		build() {
-			return {
-				id,
-				routes: routes.length > 0 ? routes : void 0,
-				onInit: initHook,
-				onAuthorize: authorizeHook,
-				onSuccess: successHook,
-				onError: errorHook
-			};
-		}
-	};
-};
-
-//#endregion
-export { plugin };

package/dist/plugin/manager.d.mts

@@ -1,62 +0,0 @@
-import { StorageAdapter } from "../storage/storage.mjs";
-import { Plugin } from "./types.mjs";
-import { Router } from "@draftlab/auth-router";
-
-//#region src/plugin/manager.d.ts
-
-declare class PluginManager {
-  private readonly plugins;
-  private readonly storage;
-  constructor(storage: StorageAdapter);
-  /**
-   * Register a plugin
-   */
-  register(plugin: Plugin): void;
-  /**
-   * Register multiple plugins at once
-   */
-  registerAll(plugins: Plugin[]): void;
-  /**
-   * Get all registered plugins
-   */
-  getAll(): Plugin[];
-  /**
-   * Get plugin by id
-   */
-  get(id: string): Plugin | undefined;
-  /**
-   * Initialize all plugins.
-   * Called once during issuer setup.
-   * Plugins can set up initial state or validate configuration.
-   *
-   * @throws PluginError if any plugin initialization fails
-   */
-  initialize(): Promise<void>;
-  /**
-   * Execute authorize hooks for all plugins.
-   * Called before processing an authorization request.
-   * Can validate, rate limit, or enhance the request.
-   */
-  executeAuthorizeHooks(clientID: string, provider?: string, scopes?: string[]): Promise<void>;
-  /**
-   * Execute success hooks for all plugins.
-   * Called after successful authentication.
-   * Runs in parallel for better performance.
-   * Plugins cannot modify the response.
-   */
-  executeSuccessHooks(clientID: string, provider: string | undefined, subject: {
-    type: string;
-    properties: Record<string, unknown>;
-  }): Promise<void>;
-  /**
-   * Execute error hooks for all plugins.
-   * Called when an authentication error occurs.
-   */
-  executeErrorHooks(error: Error, clientID?: string, provider?: string): Promise<void>;
-  /**
-   * Setup plugin routes on a router
-   */
-  setupRoutes(router: Router): void;
-}
-//#endregion
-export { PluginManager };

package/dist/plugin/manager.mjs

@@ -1,160 +0,0 @@
-import { PluginError } from "./types.mjs";
-
-//#region src/plugin/manager.ts
-var PluginManager = class {
-	plugins = /* @__PURE__ */ new Map();
-	storage;
-	constructor(storage) {
-		this.storage = storage;
-	}
-	/**
-	* Register a plugin
-	*/
-	register(plugin) {
-		if (this.plugins.has(plugin.id)) throw new PluginError(`Plugin already registered`, plugin.id);
-		this.plugins.set(plugin.id, plugin);
-	}
-	/**
-	* Register multiple plugins at once
-	*/
-	registerAll(plugins) {
-		for (const plugin of plugins) this.register(plugin);
-	}
-	/**
-	* Get all registered plugins
-	*/
-	getAll() {
-		return Array.from(this.plugins.values());
-	}
-	/**
-	* Get plugin by id
-	*/
-	get(id) {
-		return this.plugins.get(id);
-	}
-	/**
-	* Initialize all plugins.
-	* Called once during issuer setup.
-	* Plugins can set up initial state or validate configuration.
-	*
-	* @throws PluginError if any plugin initialization fails
-	*/
-	async initialize() {
-		for (const plugin of this.plugins.values()) {
-			if (!plugin.onInit) continue;
-			try {
-				const context = {
-					pluginId: plugin.id,
-					request: new Request("http://internal/init"),
-					now: /* @__PURE__ */ new Date(),
-					storage: this.storage
-				};
-				await plugin.onInit(context);
-			} catch (error) {
-				throw new PluginError(`Initialization failed: ${error instanceof Error ? error.message : String(error)}`, plugin.id);
-			}
-		}
-	}
-	/**
-	* Execute authorize hooks for all plugins.
-	* Called before processing an authorization request.
-	* Can validate, rate limit, or enhance the request.
-	*/
-	async executeAuthorizeHooks(clientID, provider, scopes) {
-		for (const plugin of this.plugins.values()) {
-			if (!plugin.onAuthorize) continue;
-			try {
-				const context = {
-					pluginId: plugin.id,
-					request: new Request("http://internal/authorize"),
-					now: /* @__PURE__ */ new Date(),
-					storage: this.storage,
-					clientID,
-					provider,
-					scopes
-				};
-				await plugin.onAuthorize(context);
-			} catch (error) {
-				throw new PluginError(`Authorization hook failed: ${error instanceof Error ? error.message : String(error)}`, plugin.id);
-			}
-		}
-	}
-	/**
-	* Execute success hooks for all plugins.
-	* Called after successful authentication.
-	* Runs in parallel for better performance.
-	* Plugins cannot modify the response.
-	*/
-	async executeSuccessHooks(clientID, provider, subject) {
-		const hooks = Array.from(this.plugins.values()).filter((p) => p.onSuccess).map(async (plugin) => {
-			const context = {
-				pluginId: plugin.id,
-				request: new Request("http://internal/success"),
-				now: /* @__PURE__ */ new Date(),
-				storage: this.storage,
-				clientID,
-				provider,
-				subject
-			};
-			return plugin.onSuccess?.(context).catch((error) => {
-				console.error(`[Plugin: ${plugin.id}] Success hook failed:`, error instanceof Error ? error.message : String(error));
-			});
-		});
-		await Promise.all(hooks);
-	}
-	/**
-	* Execute error hooks for all plugins.
-	* Called when an authentication error occurs.
-	*/
-	async executeErrorHooks(error, clientID, provider) {
-		for (const plugin of this.plugins.values()) {
-			if (!plugin.onError) continue;
-			try {
-				const context = {
-					pluginId: plugin.id,
-					request: new Request("http://internal/error"),
-					now: /* @__PURE__ */ new Date(),
-					storage: this.storage,
-					error,
-					clientID,
-					provider
-				};
-				await plugin.onError(context);
-			} catch (hookError) {
-				console.error(`[Plugin: ${plugin.id}] Error hook failed:`, hookError instanceof Error ? hookError.message : String(hookError));
-			}
-		}
-	}
-	/**
-	* Setup plugin routes on a router
-	*/
-	setupRoutes(router) {
-		const registeredPaths = /* @__PURE__ */ new Set();
-		for (const plugin of this.plugins.values()) {
-			if (!plugin.routes) continue;
-			for (const route of plugin.routes) {
-				const fullPath = `/plugin/${plugin.id}${route.path}`;
-				if (registeredPaths.has(fullPath)) throw new PluginError(`Route conflict: ${fullPath} already registered`, plugin.id);
-				registeredPaths.add(fullPath);
-				const handler = async (ctx) => {
-					const pluginCtx = {
-						...ctx,
-						storage: this.storage
-					};
-					return await route.handler(pluginCtx);
-				};
-				switch (route.method) {
-					case "GET":
-						router.get(fullPath, handler);
-						break;
-					case "POST":
-						router.post(fullPath, handler);
-						break;
-				}
-			}
-		}
-	}
-};
-
-//#endregion
-export { PluginManager };

package/dist/plugin/plugin.d.mts

@@ -1,42 +0,0 @@
-import { Plugin, PluginAuthorizeHook, PluginErrorHook, PluginInitHook, PluginRouteHandler, PluginSuccessHook } from "./types.mjs";
-
-//#region src/plugin/plugin.d.ts
-
-/**
- * Plugin builder interface for creating plugins with a fluent API.
- *
- * The builder pattern allows for elegant plugin definition:
- * - Chain route definitions with lifecycle hooks
- * - Each method returns this for chaining
- * - Build finalizes the plugin definition
- *
- * @example
- * ```ts
- * const myPlugin = plugin("my-plugin")
- *   .onInit(async (ctx) => {
- *     console.log("Plugin initialized")
- *   })
- *   .post("/action", async (ctx) => {
- *     return ctx.json({ success: true })
- *   })
- *   .build()
- * ```
- */
-interface PluginBuilder {
-  /** Register a GET route */
-  get(path: string, handler: PluginRouteHandler): PluginBuilder;
-  /** Register a POST route */
-  post(path: string, handler: PluginRouteHandler): PluginBuilder;
-  /** Register initialization hook (called once during issuer setup) */
-  onInit(handler: PluginInitHook): PluginBuilder;
-  /** Register authorization hook (called before authorization request) */
-  onAuthorize(handler: PluginAuthorizeHook): PluginBuilder;
-  /** Register success hook (called after successful authentication) */
-  onSuccess(handler: PluginSuccessHook): PluginBuilder;
-  /** Register error hook (called when authentication fails) */
-  onError(handler: PluginErrorHook): PluginBuilder;
-  /** Build the final plugin */
-  build(): Plugin;
-}
-//#endregion
-export { PluginBuilder };

package/dist/plugin/plugin.mjs

@@ -1 +0,0 @@
-export {  };

package/dist/plugin/types.d.mts

@@ -1,99 +0,0 @@
-import { StorageAdapter } from "../storage/storage.mjs";
-import { RouterContext } from "@draftlab/auth-router/types";
-
-//#region src/plugin/types.d.ts
-
-interface PluginContext extends RouterContext {
-  storage: StorageAdapter;
-}
-/**
- * Plugin route handler function
- */
-type PluginRouteHandler = (context: PluginContext) => Promise<Response>;
-/**
- * Plugin route definition
- */
-interface PluginRoute {
-  /** Route path (e.g., "/admin", "/stats") */
-  readonly path: string;
-  /** HTTP method */
-  readonly method: "GET" | "POST";
-  /** Route handler function */
-  readonly handler: PluginRouteHandler;
-}
-/**
- * Lifecycle hook context provided to plugin hooks.
- * Contains information about the current operation and access to isolated storage.
- */
-interface PluginHookContext {
-  /** Unique identifier for the plugin */
-  pluginId: string;
-  /** Raw request object */
-  request: Request;
-  /** Current time for consistency across hook execution */
-  now: Date;
-  /** Storage adapter for data persistence */
-  storage: StorageAdapter;
-}
-/**
- * Hook called when the issuer is being initialized.
- * Useful for plugins that need to set up initial state or validate configuration.
- * Should complete quickly - takes place during server startup.
- */
-type PluginInitHook = (context: PluginHookContext) => Promise<void>;
-/**
- * Hook called before an authorization request is processed.
- * Use for validation, rate limiting, or request enhancement.
- */
-type PluginAuthorizeHook = (context: PluginHookContext & {
-  clientID: string;
-  provider?: string;
-  scopes?: string[];
-}) => Promise<void>;
-/**
- * Hook called after successful authentication.
- * Use for logging, analytics, webhooks, or side effects.
- * Cannot modify the response - hooks run in parallel.
- */
-type PluginSuccessHook = (context: PluginHookContext & {
-  clientID: string;
-  provider?: string;
-  subject: {
-    type: string;
-    properties: Record<string, unknown>;
-  };
-}) => Promise<void>;
-/**
- * Hook called when an authentication error occurs.
- * Use for error logging, custom error pages, or error transformation.
- */
-type PluginErrorHook = (context: PluginHookContext & {
-  error: Error;
-  clientID?: string;
-  provider?: string;
-}) => Promise<void>;
-/**
- * Main plugin interface with lifecycle hooks and storage isolation
- */
-interface Plugin {
-  /** Unique plugin identifier */
-  readonly id: string;
-  /** Custom routes added by this plugin */
-  readonly routes?: readonly PluginRoute[];
-  /** Called once when the issuer initializes */
-  readonly onInit?: PluginInitHook;
-  /** Called before authorization request is processed */
-  readonly onAuthorize?: PluginAuthorizeHook;
-  /** Called after successful authentication */
-  readonly onSuccess?: PluginSuccessHook;
-  /** Called when an error occurs during authentication */
-  readonly onError?: PluginErrorHook;
-}
-/**
- * Plugin error types
- */
-declare class PluginError extends Error {
-  constructor(message: string, pluginId: string);
-}
-//#endregion
-export { Plugin, PluginAuthorizeHook, PluginContext, PluginError, PluginErrorHook, PluginHookContext, PluginInitHook, PluginRoute, PluginRouteHandler, PluginSuccessHook };

package/dist/plugin/types.mjs

@@ -1,13 +0,0 @@
-//#region src/plugin/types.ts
-/**
-* Plugin error types
-*/
-var PluginError = class extends Error {
-	constructor(message, pluginId) {
-		super(`[Plugin: ${pluginId}] ${message}`);
-		this.name = "PluginError";
-	}
-};
-
-//#endregion
-export { PluginError };