@draftlab/auth 0.14.0 → 0.15.0

package/dist/core.d.mts

@@ -2,11 +2,11 @@ import { AllowCheckInput } from "./allow.mjs";
 import { UnknownStateError } from "./error.mjs";
 import { Prettify } from "./util.mjs";
 import { SubjectPayload, SubjectSchema } from "./subject.mjs";
+import { Router } from "./router/index.mjs";
 import { StorageAdapter } from "./storage/storage.mjs";
 import { Provider } from "./provider/provider.mjs";
 import { Theme } from "./themes/theme.mjs";
 import { AuthorizationState } from "./types.mjs";
-import { Router } from "@draftlab/auth-router";
 
 //#region src/core.d.ts
 

package/dist/core.mjs

@@ -6,12 +6,12 @@ import { generateSecureToken } from "./random.mjs";
 import { Storage } from "./storage/storage.mjs";
 import { encryptionKeys, signingKeys } from "./keys.mjs";
 import { Revocation } from "./revocation.mjs";
+import { Router } from "./router/index.mjs";
+import { deleteCookie, getCookie, setCookie } from "./router/cookies.mjs";
+import { cors } from "./router/middleware/cors.mjs";
 import { setTheme } from "./themes/theme.mjs";
 import { Select } from "./ui/select.mjs";
 import { CompactEncrypt, SignJWT, compactDecrypt } from "jose";
-import { Router } from "@draftlab/auth-router";
-import { deleteCookie, getCookie, setCookie } from "@draftlab/auth-router/cookies";
-import { cors } from "@draftlab/auth-router/middleware/cors";
 
 //#region src/core.ts
 /**

package/dist/provider/code.mjs

@@ -2,6 +2,89 @@ import { generateUnbiasedDigits, timingSafeCompare } from "../random.mjs";
 
 //#region src/provider/code.ts
 /**
+* PIN code authentication provider for Draft Auth.
+* Supports flexible claim-based authentication via email, phone, or custom identifiers.
+*
+* ## Quick Setup
+*
+* ```ts
+* import { CodeUI } from "@draftlab/auth/ui/code"
+* import { CodeProvider } from "@draftlab/auth/provider/code"
+*
+* export default issuer({
+*   providers: {
+*     code: CodeProvider(
+*       CodeUI({
+*         copy: {
+*           code_info: "We'll send a PIN code to your email"
+*         },
+*         sendCode: async (claims, code) => {
+*           try {
+*             await sendEmail(claims.email, `Your code: ${code}`)
+*           } catch {
+*             return { type: "invalid_claim", key: "delivery", value: "Failed to send code" }
+*           }
+*         }
+*       })
+*     )
+*   }
+* })
+* ```
+*
+* ## Custom Configuration
+*
+* ```ts
+* const customCodeProvider = CodeProvider({
+*   length: 4, // 4-digit PIN instead of default 6
+*   request: async (req, state, form, error) => {
+*     return new Response(renderCodePage(state, form, error))
+*   },
+*   sendCode: async (claims, code) => {
+*     try {
+*       if (claims.email) {
+*         await emailService.send(claims.email, code)
+*       } else if (claims.phone) {
+*         await smsService.send(claims.phone, code)
+*       } else {
+*         return { type: "invalid_claim", key: "email", value: "Email or phone number is required" }
+*       }
+*     } catch {
+*       return { type: "invalid_claim", key: "delivery", value: "Failed to send code" }
+*     }
+*   }
+* })
+* ```
+*
+* ## Features
+*
+* - **Flexible claims**: Support any claim type (email, phone, username, etc.)
+* - **Configurable PIN length**: 4-6 digit codes typically
+* - **Resend functionality**: Built-in code resend capability
+* - **Custom UI**: Full control over the authentication interface
+* - **Error handling**: Comprehensive error states for different failure modes
+*
+* ## Flow States
+*
+* The provider manages a two-step authentication flow:
+*
+* 1. **Start**: User enters their claim (email, phone, etc.)
+* 2. **Code**: User enters the PIN code sent to their claim
+*
+* ## User Data
+*
+* ```ts
+* success: async (ctx, value) => {
+*   if (value.provider === "code") {
+*     // User's email: value.claims.email
+*     // User's phone (if provided): value.claims.phone
+*     // Any other claims collected during the flow
+*   }
+* }
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Creates a PIN code authentication provider.
 * Implements a flexible claim-based authentication flow with PIN verification.
 *

package/dist/provider/magiclink.mjs

@@ -2,6 +2,63 @@ import { generateUnbiasedDigits, timingSafeCompare } from "../random.mjs";
 
 //#region src/provider/magiclink.ts
 /**
+* Magic Link authentication provider for Draft Auth.
+* Sends clickable links that authenticate users in one click.
+*
+* ## Quick Setup
+*
+* ```ts
+* import { MagicLinkUI } from "@draftlab/auth/ui/magiclink"
+* import { MagicLinkProvider } from "@draftlab/auth/provider/magiclink"
+*
+* export default issuer({
+*   providers: {
+*     magiclink: MagicLinkProvider(
+*       MagicLinkUI({
+*         sendLink: async (claims, magicUrl) => {
+*           await emailService.send({
+*             to: claims.email,
+*             subject: "Sign in to your account",
+*             html: `<a href="${magicUrl}">Sign In</a>`
+*           })
+*         }
+*       })
+*     )
+*   }
+* })
+* ```
+*
+* ## Custom Configuration
+*
+* ```ts
+* const customMagicLink = MagicLinkProvider({
+*   expiry: 600, // 10 minutes instead of default 15
+*
+*   request: async (req, state, form, error) => {
+*     return new Response(renderMagicLinkForm(state, form, error))
+*   },
+*
+*   sendLink: async (claims, magicUrl) => {
+*     try {
+*       if (claims.email) {
+*         await emailService.send(claims.email, {
+*           subject: "Your secure sign-in link",
+*           template: "magic-link",
+*           data: { magicUrl, userEmail: claims.email }
+*         })
+*       } else {
+*         return { type: "invalid_claim", key: "email", value: "Email is required" }
+*       }
+*     } catch {
+*       return { type: "invalid_claim", key: "delivery", value: "Failed to send magic link" }
+*     }
+*   }
+* })
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Creates a Magic Link authentication provider.
 * Implements a flexible claim-based authentication flow with magic link verification.
 *

package/dist/provider/oauth2.mjs

@@ -6,6 +6,63 @@ import { createRemoteJWKSet, jwtVerify } from "jose";
 
 //#region src/provider/oauth2.ts
 /**
+* OAuth 2.0 authentication provider for Draft Auth.
+* Implements the Authorization Code Grant flow with optional PKCE support.
+*
+* ## Quick Setup
+*
+* ```ts
+* import { Oauth2Provider } from "@draftlab/auth/provider/oauth2"
+*
+* export default issuer({
+*   providers: {
+*     github: Oauth2Provider({
+*       clientID: process.env.GITHUB_CLIENT_ID,
+*       clientSecret: process.env.GITHUB_CLIENT_SECRET,
+*       endpoint: {
+*         authorization: "https://github.com/login/oauth/authorize",
+*         token: "https://github.com/login/oauth/access_token"
+*       },
+*       scopes: ["user:email", "read:user"]
+*     }),
+*     discord: Oauth2Provider({
+*       clientID: process.env.DISCORD_CLIENT_ID,
+*       clientSecret: process.env.DISCORD_CLIENT_SECRET,
+*       endpoint: {
+*         authorization: "https://discord.com/api/oauth2/authorize",
+*         token: "https://discord.com/api/oauth2/token"
+*       },
+*       scopes: ["identify", "email"],
+*       pkce: true // Required by some providers
+*     })
+*   }
+* })
+* ```
+*
+* ## Features
+*
+* - **Authorization Code Grant**: Secure server-side OAuth 2.0 flow
+* - **PKCE Support**: Optional Proof Key for Code Exchange for enhanced security
+* - **Flexible Endpoints**: Configure custom authorization and token endpoints
+* - **Custom Parameters**: Support for provider-specific authorization parameters
+*
+* ## User Data
+*
+* The provider returns access tokens:
+*
+* ```ts
+* success: async (ctx, value) => {
+*   if (value.provider === "oauth2") {
+*     // Access token for API calls: value.tokenset.access
+*     // Refresh token (if provided): value.tokenset.refresh
+*     // Client ID used: value.clientID
+*   }
+* }
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Creates an OAuth 2.0 authentication provider.
 * Implements the Authorization Code Grant flow with optional PKCE support.
 *

package/dist/provider/provider.d.mts

@@ -1,6 +1,6 @@
+import { RouterContext } from "../router/types.mjs";
+import { Router } from "../router/index.mjs";
 import { StorageAdapter } from "../storage/storage.mjs";
-import { Router } from "@draftlab/auth-router";
-import { RouterContext } from "@draftlab/auth-router/types";
 
 //#region src/provider/provider.d.ts
 

package/dist/router/context.d.mts

@@ -0,0 +1,21 @@
+import { RouterContext, VariableMap } from "./types.mjs";
+
+//#region src/router/context.d.ts
+declare class ContextBuilder<TVariables extends VariableMap = VariableMap> {
+  private readonly request;
+  private readonly matchedParams;
+  private readonly searchParams;
+  private readonly cookies;
+  private readonly variableManager;
+  private readonly responseHeaders;
+  private status;
+  private finalized;
+  private cachedFormData;
+  private formDataPromise;
+  private bodyText;
+  constructor(request: Request, matchedParams: Record<string, string>, initialVariables?: Partial<TVariables>);
+  build<TParams extends Record<string, string>>(): RouterContext<TParams, TVariables>;
+  newResponse(body?: BodyInit, init?: ResponseInit): Response;
+}
+//#endregion
+export { ContextBuilder };

package/dist/router/context.mjs

@@ -0,0 +1,193 @@
+import { ContextVariableManager } from "./variables.mjs";
+
+//#region src/router/context.ts
+const parseCookies = (request) => {
+	const cookies = /* @__PURE__ */ new Map();
+	const cookieHeader = request.headers.get("cookie");
+	if (!cookieHeader) return cookies;
+	try {
+		for (const cookie of cookieHeader.split(";")) {
+			const trimmedCookie = cookie.trim();
+			if (!trimmedCookie) continue;
+			const [name, ...valueParts] = trimmedCookie.split("=");
+			if (!name || name.trim() === "") continue;
+			const trimmedName = name.trim();
+			if (!/^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/.test(trimmedName)) {
+				console.warn(`Invalid cookie name: ${trimmedName}`);
+				continue;
+			}
+			const value = valueParts.join("=");
+			try {
+				cookies.set(trimmedName, decodeURIComponent(value));
+			} catch {
+				cookies.set(trimmedName, value);
+			}
+		}
+	} catch (error) {
+		console.error("Failed to parse cookies:", error);
+	}
+	return cookies;
+};
+const serializeCookie = (name, value, options = {}) => {
+	if (!/^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/.test(name)) throw new Error(`Invalid cookie name: ${name}`);
+	const parts = [`${name}=${encodeURIComponent(value)}`];
+	if (options.domain) parts.push(`Domain=${options.domain}`);
+	if (options.path) parts.push(`Path=${options.path}`);
+	if (options.expires) parts.push(`Expires=${options.expires.toUTCString()}`);
+	if (options.maxAge) parts.push(`Max-Age=${options.maxAge}`);
+	if (options.httpOnly) parts.push("HttpOnly");
+	if (options.secure) parts.push("Secure");
+	if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
+	return parts.join("; ");
+};
+const validateRedirectStatus = (status) => {
+	if (![
+		300,
+		301,
+		302,
+		303,
+		307,
+		308
+	].includes(status)) throw new Error(`Invalid redirect status code: ${status}.`);
+	return true;
+};
+var ContextBuilder = class {
+	request;
+	matchedParams;
+	searchParams;
+	cookies;
+	variableManager;
+	responseHeaders = new Headers();
+	status = 200;
+	finalized = false;
+	cachedFormData = null;
+	formDataPromise = null;
+	bodyText = null;
+	constructor(request, matchedParams, initialVariables) {
+		if (!request || typeof request !== "object" || !request.url || !request.method) throw new Error("Invalid request object provided to ContextBuilder.");
+		this.request = request;
+		this.matchedParams = matchedParams;
+		this.searchParams = new URL(request.url).searchParams;
+		this.cookies = parseCookies(request);
+		this.variableManager = new ContextVariableManager(initialVariables);
+		Object.freeze(this.matchedParams);
+	}
+	build() {
+		return {
+			request: this.request,
+			params: this.matchedParams,
+			searchParams: this.searchParams,
+			query: (key) => this.searchParams.get(key) ?? void 0,
+			header: (key) => this.request.headers.get(key) ?? void 0,
+			cookie: (key) => this.cookies.get(key),
+			formData: async () => {
+				if (this.cachedFormData) return this.cachedFormData;
+				if (this.formDataPromise) try {
+					return await this.formDataPromise;
+				} catch {
+					this.formDataPromise = null;
+				}
+				this.formDataPromise = (async () => {
+					try {
+						const formData = await this.request.formData();
+						this.cachedFormData = formData;
+						return formData;
+					} catch (error) {
+						this.formDataPromise = null;
+						throw new Error(`Failed to read form data: ${error instanceof Error ? error.message : "Unknown error"}`);
+					}
+				})();
+				return this.formDataPromise;
+			},
+			parseJson: async () => {
+				try {
+					if (this.bodyText !== null) {
+						if (!this.bodyText) throw new Error("Request body is empty.");
+						return JSON.parse(this.bodyText);
+					}
+					const text = await this.request.text();
+					this.bodyText = text;
+					if (!text) throw new Error("Request body is empty.");
+					return JSON.parse(text);
+				} catch (error) {
+					throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
+				}
+			},
+			redirect: (url, status = 302) => {
+				validateRedirectStatus(status);
+				const location = url instanceof URL ? url.toString() : url;
+				return this.newResponse(void 0, {
+					status,
+					headers: { location }
+				});
+			},
+			json: (data, init) => {
+				const finalInit = {
+					...init,
+					headers: {
+						"content-type": "application/json; charset=utf-8",
+						...init?.headers
+					}
+				};
+				return this.newResponse(JSON.stringify(data), finalInit);
+			},
+			text: (data, init) => {
+				const finalInit = {
+					...init,
+					headers: {
+						"content-type": "text/plain; charset=utf-8",
+						...init?.headers
+					}
+				};
+				return this.newResponse(data, finalInit);
+			},
+			setCookie: (name, value, options) => {
+				try {
+					const cookie = serializeCookie(name, value, options);
+					this.responseHeaders.append("Set-Cookie", cookie);
+				} catch (error) {
+					console.error(`Failed to set cookie "${name}":`, error);
+				}
+			},
+			deleteCookie: (name, options) => {
+				try {
+					const cookie = serializeCookie(name, "", {
+						...options,
+						expires: /* @__PURE__ */ new Date(0)
+					});
+					this.responseHeaders.append("Set-Cookie", cookie);
+				} catch (error) {
+					console.error(`Failed to delete cookie "${name}":`, error);
+				}
+			},
+			newResponse: (body, init) => this.newResponse(body, init),
+			set: (key, value) => {
+				this.variableManager.set(key, value);
+			},
+			get: (key) => {
+				return this.variableManager.get(key);
+			},
+			has: (key) => {
+				return this.variableManager.has(key);
+			}
+		};
+	}
+	newResponse(body, init) {
+		if (this.finalized) throw new Error("Response already finalized");
+		const finalHeaders = new Headers(this.responseHeaders);
+		if (init?.headers) new Headers(init.headers).forEach((value, key) => {
+			if (key.toLowerCase() === "set-cookie") finalHeaders.append(key, value);
+			else finalHeaders.set(key, value);
+		});
+		const response = new Response(body, {
+			status: init?.status || this.status,
+			statusText: init?.statusText,
+			headers: finalHeaders
+		});
+		this.finalized = true;
+		return response;
+	}
+};
+
+//#endregion
+export { ContextBuilder };

package/dist/router/cookies.d.mts

@@ -0,0 +1,8 @@
+import { CookieOptions, RouterContext, VariableMap } from "./types.mjs";
+
+//#region src/router/cookies.d.ts
+declare const getCookie: <TVariables extends VariableMap = VariableMap>(ctx: RouterContext<Record<string, string>, TVariables>, name: string) => string | undefined;
+declare const setCookie: <TVariables extends VariableMap = VariableMap>(ctx: RouterContext<Record<string, string>, TVariables>, name: string, value: string, options?: CookieOptions) => void;
+declare const deleteCookie: <TVariables extends VariableMap = VariableMap>(ctx: RouterContext<Record<string, string>, TVariables>, name: string, options?: Pick<CookieOptions, "domain" | "path">) => void;
+//#endregion
+export { deleteCookie, getCookie, setCookie };

package/dist/router/cookies.mjs

@@ -0,0 +1,13 @@
+//#region src/router/cookies.ts
+const getCookie = (ctx, name) => {
+	return ctx.cookie(name);
+};
+const setCookie = (ctx, name, value, options) => {
+	ctx.setCookie(name, value, options);
+};
+const deleteCookie = (ctx, name, options) => {
+	ctx.deleteCookie(name, options);
+};
+
+//#endregion
+export { deleteCookie, getCookie, setCookie };

package/dist/router/index.d.mts

@@ -0,0 +1,21 @@
+import { AnyHandler, ErrorHandler, ExtractParams, GlobalMiddleware, RouterEnvironment, RouterOptions } from "./types.mjs";
+
+//#region src/router/index.d.ts
+declare class Router<TEnvironment extends RouterEnvironment = RouterEnvironment> {
+  private readonly routes;
+  private readonly matcher;
+  private readonly globalMiddleware;
+  private errorHandler?;
+  constructor(routerOptions?: RouterOptions);
+  private addRoute;
+  get<TPath extends string>(path: TPath, handler: AnyHandler<ExtractParams<TPath>, TEnvironment["Variables"]>): this;
+  post<TPath extends string>(path: TPath, handler: AnyHandler<ExtractParams<TPath>, TEnvironment["Variables"]>): this;
+  use(middleware: GlobalMiddleware<TEnvironment["Variables"]>): this;
+  onError(handler: ErrorHandler<TEnvironment["Variables"]>): this;
+  mount<TMountedEnvironment extends RouterEnvironment>(path: string, router: Router<TMountedEnvironment>): this;
+  handle(request: Request, initialVariables?: Partial<TEnvironment["Variables"]>): Promise<Response>;
+  get fetch(): (request: Request) => Promise<Response>;
+  private createErrorResponse;
+}
+//#endregion
+export { Router };

package/dist/router/index.mjs

@@ -0,0 +1,107 @@
+import { ContextBuilder } from "./context.mjs";
+import { RouteMatcher } from "./matcher.mjs";
+import { makeSafeRequest } from "./safe-request.mjs";
+
+//#region src/router/index.ts
+var Router = class {
+	routes = /* @__PURE__ */ new Map();
+	matcher;
+	globalMiddleware = [];
+	errorHandler;
+	constructor(routerOptions = {}) {
+		this.matcher = new RouteMatcher(routerOptions);
+	}
+	addRoute(method, path, handler) {
+		const { handler: mainHandler, middleware = [] } = typeof handler === "function" ? { handler } : handler;
+		if (typeof mainHandler !== "function") throw new Error(`Handler for ${method} ${path} must be a function.`);
+		const route = {
+			method,
+			pattern: path,
+			handler: mainHandler,
+			middleware: [...this.globalMiddleware, ...middleware],
+			compiled: this.matcher.compile(path)
+		};
+		const methodRoutes = this.routes.get(method) ?? [];
+		if (methodRoutes.some((r) => r.pattern === path)) console.warn(`Route already exists: ${method} ${path}. Overwriting.`);
+		const newRoutes = [...methodRoutes.filter((r) => r.pattern !== path), route];
+		const sortedPatterns = this.matcher.sortRoutesBySpecificity(newRoutes.map((r) => r.pattern));
+		newRoutes.sort((a, b) => sortedPatterns.indexOf(a.pattern) - sortedPatterns.indexOf(b.pattern));
+		this.routes.set(method, newRoutes);
+		return this;
+	}
+	get(path, handler) {
+		return this.addRoute("GET", path, handler);
+	}
+	post(path, handler) {
+		return this.addRoute("POST", path, handler);
+	}
+	use(middleware) {
+		this.globalMiddleware.push(middleware);
+		return this;
+	}
+	onError(handler) {
+		this.errorHandler = handler;
+		return this;
+	}
+	mount(path, router) {
+		const normalizedPath = path.endsWith("/") ? path.slice(0, -1) : path;
+		for (const [method, routes] of router.routes) for (const route of routes) this.addRoute(method, `${normalizedPath}${route.pattern}`, {
+			handler: route.handler,
+			middleware: route.middleware
+		});
+		return this;
+	}
+	async handle(request, initialVariables) {
+		const safeRequest = await makeSafeRequest(request);
+		try {
+			const url = new URL(safeRequest.url);
+			const method = safeRequest.method.toUpperCase();
+			const pathname = this.matcher.normalizePath(url.pathname);
+			const methodRoutes = this.routes.get(method);
+			if (!methodRoutes) return this.createErrorResponse("Not Found", 404);
+			for (const route of methodRoutes) {
+				const match = this.matcher.match(route.pattern, pathname);
+				if (match) {
+					const context = new ContextBuilder(safeRequest, match.params, initialVariables).build();
+					const allMiddleware = [...this.globalMiddleware, ...route.middleware];
+					const run = async (index, ctx) => {
+						if (index < allMiddleware.length) {
+							const middleware = allMiddleware[index];
+							if (middleware) return middleware(ctx, () => run(index + 1, ctx));
+						}
+						return route.handler(ctx);
+					};
+					return await run(0, context);
+				}
+			}
+			return this.createErrorResponse(`Route not found: ${method} ${pathname}`, 404);
+		} catch (error) {
+			console.error("Router handle error:", error);
+			if (this.errorHandler) try {
+				const errorContext = new ContextBuilder(safeRequest, {}, initialVariables).build();
+				return await this.errorHandler(error, errorContext);
+			} catch (handlerError) {
+				console.error("Error handler failed:", handlerError);
+			}
+			const message = error instanceof Error ? error.message : "Internal Server Error";
+			return this.createErrorResponse(message, 500);
+		}
+	}
+	get fetch() {
+		return (request) => {
+			return this.handle(request);
+		};
+	}
+	createErrorResponse(message, status) {
+		return new Response(JSON.stringify({
+			error: message,
+			status
+		}), {
+			status,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+};
+
+//#endregion
+export { Router };

package/dist/router/matcher.d.mts

@@ -0,0 +1,15 @@
+import { CompiledRoute, MatchResult, RouterOptions } from "./types.mjs";
+
+//#region src/router/matcher.d.ts
+declare class RouteMatcher {
+  private readonly compiledRoutes;
+  private readonly options;
+  constructor(options?: RouterOptions);
+  compile(pattern: string): CompiledRoute;
+  match(pattern: string, pathname: string): MatchResult | null;
+  sortRoutesBySpecificity(patterns: string[]): string[];
+  private calculateSpecificity;
+  normalizePath(pathname: string): string;
+}
+//#endregion
+export { RouteMatcher };

package/dist/router/matcher.mjs

@@ -0,0 +1,76 @@
+//#region src/router/matcher.ts
+var RouteMatcher = class {
+	compiledRoutes = /* @__PURE__ */ new Map();
+	options;
+	constructor(options = {}) {
+		this.options = {
+			caseSensitive: false,
+			strict: false,
+			basePath: "",
+			...options
+		};
+	}
+	compile(pattern) {
+		const cacheKey = `${pattern}:${this.options.caseSensitive}:${this.options.strict}`;
+		const cached = this.compiledRoutes.get(cacheKey);
+		if (cached) return cached;
+		const paramNames = [];
+		let regexPattern = pattern.replace(/:([^/]+)/g, (_, name) => {
+			paramNames.push(name);
+			return "([^/]+)";
+		});
+		regexPattern = regexPattern.replace(/\*/g, "(.*)");
+		const finalPattern = this.options.strict || pattern === "/" ? regexPattern : `${regexPattern.replace(/\/$/, "")}/?`;
+		const compiled = {
+			regex: new RegExp(`^${finalPattern}$`, this.options.caseSensitive ? "" : "i"),
+			paramNames,
+			pattern
+		};
+		this.compiledRoutes.set(cacheKey, compiled);
+		return compiled;
+	}
+	match(pattern, pathname) {
+		const compiled = this.compile(pattern);
+		const match = pathname.match(compiled.regex);
+		if (!match) return null;
+		const params = {};
+		for (let i = 0; i < compiled.paramNames.length; i++) {
+			const name = compiled.paramNames[i];
+			const value = match[i + 1];
+			if (name && value !== void 0) try {
+				params[name] = decodeURIComponent(value);
+			} catch {
+				params[name] = value;
+			}
+		}
+		return {
+			params: Object.freeze(params),
+			pattern
+		};
+	}
+	sortRoutesBySpecificity(patterns) {
+		return [...patterns].sort((a, b) => {
+			const aScore = this.calculateSpecificity(a);
+			return this.calculateSpecificity(b) - aScore;
+		});
+	}
+	calculateSpecificity(pattern) {
+		const segments = pattern.split("/").filter(Boolean);
+		let score = 0;
+		for (const segment of segments) if (segment.startsWith(":")) score += 2;
+		else if (segment === "*") score += 1;
+		else score += 4;
+		return score;
+	}
+	normalizePath(pathname) {
+		let normalized = pathname;
+		const { basePath, strict } = this.options;
+		if (basePath && normalized.startsWith(basePath)) normalized = normalized.slice(basePath.length) || "/";
+		if (!normalized.startsWith("/")) normalized = `/${normalized}`;
+		if (!strict && normalized.length > 1 && normalized.endsWith("/")) normalized = normalized.slice(0, -1);
+		return normalized;
+	}
+};
+
+//#endregion
+export { RouteMatcher };

package/dist/router/middleware/cors.d.mts

@@ -0,0 +1,15 @@
+import { MiddlewareHandler, RouterContext, VariableMap } from "../types.mjs";
+
+//#region src/router/middleware/cors.d.ts
+interface CORSOptions {
+  origin?: "*" | string | readonly string[] | ((origin: string, ctx: RouterContext<Record<string, string>, VariableMap>) => string | null);
+  allowMethods?: readonly string[] | ((origin: string, ctx: RouterContext<Record<string, string>, VariableMap>) => readonly string[]);
+  allowHeaders?: readonly string[];
+  maxAge?: number;
+  credentials?: boolean;
+  exposeHeaders?: readonly string[];
+  preflightHandler?: <TVariables extends VariableMap>(ctx: RouterContext<Record<string, string>, TVariables>) => Promise<Response> | Response;
+}
+declare const cors: <TVariables extends VariableMap = VariableMap>(options?: CORSOptions) => MiddlewareHandler<Record<string, string>, TVariables>;
+//#endregion
+export { CORSOptions, cors };

package/dist/router/middleware/cors.mjs

@@ -0,0 +1,114 @@
+//#region src/router/middleware/cors.ts
+const DEFAULT_CORS_OPTIONS = {
+	origin: "*",
+	allowMethods: [
+		"GET",
+		"HEAD",
+		"PUT",
+		"POST",
+		"DELETE",
+		"PATCH",
+		"OPTIONS"
+	],
+	allowHeaders: [],
+	maxAge: 86400,
+	credentials: false,
+	exposeHeaders: []
+};
+const createOriginResolver = (origin) => {
+	if (!origin || origin === "*") return () => "*";
+	if (typeof origin === "string") return (requestOrigin) => origin === requestOrigin ? origin : null;
+	if (typeof origin === "function") return origin;
+	if (Array.isArray(origin)) {
+		const allowedOrigins = new Set(origin);
+		return (requestOrigin) => allowedOrigins.has(requestOrigin) ? requestOrigin : null;
+	}
+	return () => null;
+};
+const createMethodsResolver = (methods) => {
+	if (typeof methods === "function") return methods;
+	if (Array.isArray(methods)) return () => methods;
+	return () => DEFAULT_CORS_OPTIONS.allowMethods;
+};
+const normalizeCORSOptions = (options = {}) => {
+	const opts = {
+		...DEFAULT_CORS_OPTIONS,
+		...options
+	};
+	if (opts.maxAge < 0) throw new Error("CORS maxAge must be non-negative");
+	if (Array.isArray(opts.allowMethods)) {
+		const validMethods = new Set([
+			"GET",
+			"HEAD",
+			"PUT",
+			"POST",
+			"DELETE",
+			"PATCH",
+			"OPTIONS"
+		]);
+		const invalidMethods = opts.allowMethods.filter((method) => !validMethods.has(method.toUpperCase()));
+		if (invalidMethods.length > 0) console.warn(`CORS: Invalid HTTP methods detected: ${invalidMethods.join(", ")}`);
+	}
+	return {
+		...opts,
+		_originResolver: createOriginResolver(options.origin),
+		_methodsResolver: createMethodsResolver(options.allowMethods)
+	};
+};
+const cors = (options = {}) => {
+	const opts = normalizeCORSOptions(options);
+	return async (ctx, next) => {
+		const requestOrigin = ctx.header("origin") || "";
+		const requestMethod = ctx.request.method.toUpperCase();
+		const allowedOrigin = opts._originResolver(requestOrigin, ctx);
+		const corsHeaders = {};
+		if (allowedOrigin) corsHeaders["Access-Control-Allow-Origin"] = allowedOrigin;
+		if (opts.origin !== "*" && allowedOrigin) {
+			const existingVary = ctx.header("vary");
+			corsHeaders.Vary = existingVary ? `${existingVary}, Origin` : "Origin";
+		}
+		if (opts.credentials) corsHeaders["Access-Control-Allow-Credentials"] = "true";
+		if (opts.exposeHeaders && opts.exposeHeaders.length > 0) corsHeaders["Access-Control-Expose-Headers"] = opts.exposeHeaders.join(",");
+		if (requestMethod === "OPTIONS") {
+			if (opts.preflightHandler) return await opts.preflightHandler(ctx);
+			if (opts.maxAge != null) corsHeaders["Access-Control-Max-Age"] = opts.maxAge.toString();
+			const allowedMethods = opts._methodsResolver(requestOrigin, ctx);
+			if (allowedMethods.length > 0) corsHeaders["Access-Control-Allow-Methods"] = allowedMethods.join(",");
+			let allowedHeaders = opts.allowHeaders;
+			if (!allowedHeaders || allowedHeaders.length === 0) {
+				const requestHeaders = ctx.header("access-control-request-headers");
+				if (requestHeaders) allowedHeaders = requestHeaders.split(/\s*,\s*/);
+			}
+			if (allowedHeaders && allowedHeaders.length > 0) {
+				corsHeaders["Access-Control-Allow-Headers"] = allowedHeaders.join(",");
+				const existingVary = corsHeaders.Vary || ctx.header("vary");
+				corsHeaders.Vary = existingVary ? `${existingVary}, Access-Control-Request-Headers` : "Access-Control-Request-Headers";
+			}
+			const headers = new Headers();
+			Object.entries(corsHeaders).forEach(([key, value]) => {
+				headers.set(key, value);
+			});
+			return new Response(null, {
+				status: 204,
+				statusText: "No Content",
+				headers
+			});
+		}
+		return applyCORSHeaders(await next(), corsHeaders);
+	};
+};
+const applyCORSHeaders = (response, corsHeaders) => {
+	if (Object.keys(corsHeaders).length === 0) return response;
+	const newHeaders = new Headers(response.headers);
+	Object.entries(corsHeaders).forEach(([key, value]) => {
+		newHeaders.set(key, value);
+	});
+	return new Response(response.body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers: newHeaders
+	});
+};
+
+//#endregion
+export { cors };

package/dist/router/safe-request.d.mts

@@ -0,0 +1,52 @@
+//#region src/router/safe-request.d.ts
+/**
+ * SafeRequest wraps a Request to cache the body and allow multiple reads.
+ * This solves issues with Request implementations that don't support multiple body reads.
+ */
+interface SafeRequestOptions {
+  cache?: RequestCache;
+  credentials?: RequestCredentials;
+  destination?: RequestDestination;
+  integrity?: string;
+  keepalive?: boolean;
+  mode?: RequestMode;
+  redirect?: RequestRedirect;
+  referrer?: string;
+  referrerPolicy?: ReferrerPolicy;
+  signal?: AbortSignal;
+}
+declare class SafeRequest implements Request {
+  private cachedBody;
+  private bodyBuffer;
+  private readonly textDecoder;
+  readonly cache: RequestCache;
+  readonly credentials: RequestCredentials;
+  readonly destination: RequestDestination;
+  readonly headers: Headers;
+  readonly integrity: string;
+  readonly keepalive: boolean;
+  readonly method: string;
+  readonly mode: RequestMode;
+  readonly redirect: RequestRedirect;
+  readonly referrer: string;
+  readonly referrerPolicy: ReferrerPolicy;
+  readonly signal: AbortSignal;
+  readonly url: string;
+  constructor(url: string, method: string, headers: Headers, body: ArrayBuffer | null, options?: SafeRequestOptions);
+  arrayBuffer(): Promise<ArrayBuffer>;
+  blob(): Promise<Blob>;
+  formData(): Promise<FormData>;
+  json<T = unknown>(): Promise<T>;
+  text(): Promise<string>;
+  bytes(): Promise<Uint8Array<ArrayBuffer>>;
+  get body(): ReadableStream<Uint8Array<ArrayBuffer>> | null;
+  get bodyUsed(): boolean;
+  clone(): Request;
+}
+/**
+ * Extracts data from a Request and creates a SafeRequest.
+ * Uses ReadableStream to safely read the body and avoid issues with certain Request implementations.
+ */
+declare function makeSafeRequest(request: Request): Promise<Request>;
+//#endregion
+export { SafeRequest, makeSafeRequest };

package/dist/router/safe-request.mjs

@@ -0,0 +1,160 @@
+//#region src/router/safe-request.ts
+var SafeRequest = class SafeRequest {
+	cachedBody = null;
+	bodyBuffer = null;
+	textDecoder = new TextDecoder();
+	cache;
+	credentials;
+	destination;
+	headers;
+	integrity;
+	keepalive;
+	method;
+	mode;
+	redirect;
+	referrer;
+	referrerPolicy;
+	signal;
+	url;
+	constructor(url, method, headers, body, options) {
+		this.url = url;
+		this.method = method;
+		this.headers = headers;
+		this.bodyBuffer = body;
+		this.cache = options?.cache ?? "default";
+		this.credentials = options?.credentials ?? "same-origin";
+		this.destination = options?.destination ?? "";
+		this.integrity = options?.integrity ?? "";
+		this.keepalive = options?.keepalive ?? false;
+		this.mode = options?.mode ?? "cors";
+		this.redirect = options?.redirect ?? "follow";
+		this.referrer = options?.referrer ?? "";
+		this.referrerPolicy = options?.referrerPolicy ?? "";
+		this.signal = options?.signal ?? new AbortController().signal;
+	}
+	async arrayBuffer() {
+		return this.bodyBuffer ?? /* @__PURE__ */ new ArrayBuffer(0);
+	}
+	async blob() {
+		const buffer = await this.arrayBuffer();
+		return new Blob([buffer]);
+	}
+	async formData() {
+		const buffer = await this.arrayBuffer();
+		const blob = new Blob([buffer], { type: this.headers.get("content-type") || "application/x-www-form-urlencoded" });
+		return new Request(this.url, {
+			method: this.method,
+			headers: this.headers,
+			body: blob
+		}).formData();
+	}
+	async json() {
+		const text = await this.text();
+		return JSON.parse(text);
+	}
+	async text() {
+		const buffer = await this.arrayBuffer();
+		return this.textDecoder.decode(buffer);
+	}
+	async bytes() {
+		return this.arrayBuffer().then((buffer) => new Uint8Array(buffer));
+	}
+	get body() {
+		if (this.cachedBody) return this.cachedBody;
+		if (this.bodyBuffer) {
+			const buffer = this.bodyBuffer;
+			this.cachedBody = new ReadableStream({ start(controller) {
+				controller.enqueue(new Uint8Array(buffer));
+				controller.close();
+			} });
+			return this.cachedBody;
+		}
+		return null;
+	}
+	get bodyUsed() {
+		return false;
+	}
+	clone() {
+		return new SafeRequest(this.url, this.method, this.headers, this.bodyBuffer, {
+			cache: this.cache,
+			credentials: this.credentials,
+			destination: this.destination,
+			integrity: this.integrity,
+			keepalive: this.keepalive,
+			mode: this.mode,
+			redirect: this.redirect,
+			referrer: this.referrer,
+			referrerPolicy: this.referrerPolicy,
+			signal: this.signal
+		});
+	}
+};
+/**
+* Extracts data from a Request and creates a SafeRequest.
+* Uses ReadableStream to safely read the body and avoid issues with certain Request implementations.
+*/
+async function makeSafeRequest(request) {
+	if (request instanceof SafeRequest) return request;
+	const url = request.url;
+	const method = request.method;
+	const headers = new Headers(request.headers);
+	let bodyBuffer = null;
+	const requestMethod = method.toUpperCase();
+	if (requestMethod === "POST" || requestMethod === "PUT" || requestMethod === "PATCH") try {
+		const body = request.body;
+		if (body) {
+			const reader = body.getReader();
+			const chunks = [];
+			while (true) {
+				const { done, value } = await reader.read();
+				if (done) break;
+				if (value) chunks.push(value);
+			}
+			const totalLength = chunks.reduce((acc, chunk) => acc + chunk.length, 0);
+			const combined = new Uint8Array(totalLength);
+			let offset = 0;
+			for (const chunk of chunks) {
+				combined.set(chunk, offset);
+				offset += chunk.length;
+			}
+			bodyBuffer = combined.buffer;
+		}
+	} catch (error) {
+		console.warn("Failed to read request body via stream:", error);
+	}
+	const options = {};
+	try {
+		options.cache = request.cache;
+	} catch {}
+	try {
+		options.credentials = request.credentials;
+	} catch {}
+	try {
+		options.destination = request.destination;
+	} catch {}
+	try {
+		options.integrity = request.integrity;
+	} catch {}
+	try {
+		options.keepalive = request.keepalive;
+	} catch {}
+	try {
+		options.mode = request.mode;
+	} catch {}
+	try {
+		options.redirect = request.redirect;
+	} catch {}
+	try {
+		options.referrer = request.referrer;
+	} catch {}
+	try {
+		options.referrerPolicy = request.referrerPolicy;
+	} catch {}
+	try {
+		options.signal = request.signal;
+	} catch {}
+	return new SafeRequest(url, method, headers, bodyBuffer, options);
+}
+
+//#endregion
+export { SafeRequest, makeSafeRequest };

package/dist/router/types.d.mts

@@ -0,0 +1,67 @@
+//#region src/router/types.d.ts
+type ExtractParams<T extends string> = string extends T ? Record<string, string> : T extends `${string}:${infer Param}/${infer Rest}` ? { readonly [K in Param]: string } & ExtractParams<`/${Rest}`> : T extends `${string}:${infer Param}` ? { readonly [K in Param]: string } : Record<string, never>;
+type VariableMap = Record<string, unknown>;
+interface RouterEnvironment<TVariables extends VariableMap = VariableMap> {
+  Variables: TVariables;
+}
+interface CookieOptions {
+  domain?: string;
+  path?: string;
+  expires?: Date;
+  maxAge?: number;
+  httpOnly?: boolean;
+  secure?: boolean;
+  sameSite?: "Strict" | "Lax" | "None";
+}
+interface RouterContext<TParams extends Record<string, string> = Record<string, string>, TVariables extends VariableMap = VariableMap> {
+  readonly request: Request;
+  readonly params: Readonly<TParams>;
+  readonly searchParams: Readonly<URLSearchParams>;
+  query<K extends string>(key: K): string | undefined;
+  header<K extends string>(key: K): string | undefined;
+  cookie<K extends string>(key: K): string | undefined;
+  formData(): Promise<FormData>;
+  parseJson<T = unknown>(): Promise<T>;
+  json<T>(data: T, init?: ResponseInit): Response;
+  redirect(url: string | URL, status?: 300 | 301 | 302 | 303 | 307 | 308): Response;
+  text(data: string, init?: ResponseInit): Response;
+  setCookie(name: string, value: string, options?: CookieOptions): void;
+  deleteCookie(name: string, options?: Pick<CookieOptions, "domain" | "path">): void;
+  newResponse(body?: BodyInit, init?: ResponseInit): Response;
+  set<K extends keyof TVariables>(key: K, value: TVariables[K]): void;
+  get<K extends keyof TVariables>(key: K): TVariables[K];
+  has<K extends keyof TVariables>(key: K): key is K;
+}
+type RouteHandler<TParams extends Record<string, string> = Record<string, string>, TVariables extends VariableMap = VariableMap> = (ctx: RouterContext<TParams, TVariables>) => Promise<Response> | Response;
+type MiddlewareHandler<TParams extends Record<string, string> = Record<string, string>, TVariables extends VariableMap = VariableMap> = (ctx: RouterContext<TParams, TVariables>, next: () => Promise<Response> | Response) => Promise<Response> | Response;
+type EnhancedRouteHandler<TParams extends Record<string, string> = Record<string, string>, TVariables extends VariableMap = VariableMap> = {
+  handler: RouteHandler<TParams, TVariables>;
+  middleware?: MiddlewareHandler<TParams, TVariables>[];
+};
+type AnyHandler<TParams extends Record<string, string>, TVariables extends VariableMap = VariableMap> = RouteHandler<TParams, TVariables> | EnhancedRouteHandler<TParams, TVariables>;
+type HttpMethod = "GET" | "POST";
+interface CompiledRoute {
+  regex: RegExp;
+  paramNames: string[];
+  pattern: string;
+}
+interface MatchResult {
+  params: Record<string, string>;
+  pattern: string;
+}
+interface RouteDefinition<TVariables extends VariableMap = VariableMap> {
+  method: HttpMethod;
+  pattern: string;
+  handler: RouteHandler<Record<string, string>, TVariables>;
+  middleware: MiddlewareHandler<Record<string, string>, TVariables>[];
+  compiled: CompiledRoute;
+}
+interface RouterOptions {
+  caseSensitive?: boolean;
+  strict?: boolean;
+  basePath?: string;
+}
+type ErrorHandler<TVariables extends VariableMap = VariableMap> = (error: Error, ctx: RouterContext<Record<string, string>, TVariables>) => Promise<Response> | Response;
+type GlobalMiddleware<TVariables extends VariableMap = VariableMap> = (ctx: RouterContext<Record<string, string>, TVariables>, next: () => Promise<Response> | Response) => Promise<Response> | Response;
+//#endregion
+export { AnyHandler, CompiledRoute, CookieOptions, EnhancedRouteHandler, ErrorHandler, ExtractParams, GlobalMiddleware, HttpMethod, MatchResult, MiddlewareHandler, RouteDefinition, RouteHandler, RouterContext, RouterEnvironment, RouterOptions, VariableMap };

package/dist/router/types.mjs

@@ -0,0 +1 @@
+export {  };

package/dist/router/variables.d.mts

@@ -0,0 +1,12 @@
+import { VariableMap } from "./types.mjs";
+
+//#region src/router/variables.d.ts
+declare class ContextVariableManager<TVariables extends VariableMap = VariableMap> {
+  private readonly state;
+  constructor(initialVariables?: Partial<TVariables>);
+  set<K extends keyof TVariables>(key: K, value: TVariables[K]): void;
+  get<K extends keyof TVariables>(key: K): TVariables[K];
+  has<K extends keyof TVariables>(key: K): key is K;
+}
+//#endregion
+export { ContextVariableManager };

package/dist/router/variables.mjs

@@ -0,0 +1,20 @@
+//#region src/router/variables.ts
+var ContextVariableManager = class {
+	state = /* @__PURE__ */ new Map();
+	constructor(initialVariables) {
+		if (initialVariables) for (const [key, value] of Object.entries(initialVariables)) this.state.set(key, value);
+	}
+	set(key, value) {
+		if (typeof key !== "string" || key.length === 0) throw new Error("Variable key must be a non-empty string");
+		this.state.set(key, value);
+	}
+	get(key) {
+		return this.state.get(key);
+	}
+	has(key) {
+		return this.state.has(key);
+	}
+};
+
+//#endregion
+export { ContextVariableManager };

package/dist/util.d.mts

@@ -1,4 +1,4 @@
-import { RouterContext } from "@draftlab/auth-router/types";
+import { RouterContext } from "./router/types.mjs";
 
 //#region src/util.d.ts
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",
@@ -39,7 +39,7 @@
   "devDependencies": {
     "@types/node": "^25.0.3",
     "@types/qrcode": "^1.5.6",
-    "tsdown": "^0.18.3",
+    "tsdown": "0.19.0-beta.5",
     "typescript": "^5.9.3",
     "@draftlab/tsconfig": "0.1.0"
   },
@@ -60,10 +60,9 @@
     "@standard-schema/spec": "^1.1.0",
     "jose": "^6.1.3",
     "otpauth": "^9.4.1",
-    "preact": "^10.28.1",
-    "preact-render-to-string": "^6.6.4",
-    "qrcode": "^1.5.4",
-    "@draftlab/auth-router": "0.5.0"
+    "preact": "^10.28.2",
+    "preact-render-to-string": "^6.6.5",
+    "qrcode": "^1.5.4"
   },
   "engines": {
     "node": ">=18"