@draftlab/auth 0.15.0 → 0.15.1

package/dist/client.mjs

@@ -210,6 +210,7 @@ const createClient = (input) => {
 					success: true,
 					data: {
 						aud: jwtResult.payload.aud,
+						sub: jwtResult.payload.sub,
 						subject: {
 							type: jwtResult.payload.type,
 							properties: validated?.value

package/dist/core.d.mts

@@ -9,7 +9,6 @@ import { Theme } from "./themes/theme.mjs";
 import { AuthorizationState } from "./types.mjs";
 
 //#region src/core.d.ts
-
 /**
  * Sets the subject payload in the JWT token and returns the response.
  */
@@ -61,28 +60,28 @@ interface IssuerInput<Providers extends Record<string, Provider<unknown>>, Subje
   /** Client authorization check function */
   allow?(input: AllowCheckInput, req: Request): Promise<boolean>;
   /**
-   * Refresh callback for updating user claims.
-   *
-   * @example
-   * ```typescript
-   * refresh: async (payload, req) => {
-   *   const user = await getUserBySubject(payload.subject)
-   *   if (!user || !user.active) {
-   *     return undefined // Revoke the token
-   *   }
-   *
-   *   return {
-   *     type: payload.type,
-   *     properties: {
-   *       userID: user.id,
-   *       role: user.role,
-   *       permissions: user.permissions,
-   *       lastLogin: new Date().toISOString()
-   *     }
-   *   }
-   * }
-   * ```
-   */
+       * Refresh callback for updating user claims.
+       *
+       * @example
+       * ```typescript
+       * refresh: async (payload, req) => {
+       *   const user = await getUserBySubject(payload.subject)
+       *   if (!user || !user.active) {
+       *     return undefined // Revoke the token
+       *   }
+       *
+       *   return {
+       *     type: payload.type,
+       *     properties: {
+       *       userID: user.id,
+       *       role: user.role,
+       *       permissions: user.permissions,
+       *       lastLogin: new Date().toISOString()
+       *     }
+       *   }
+       * }
+       * ```
+       */
   refresh?(payload: {
     type: SubjectPayload<Subjects>["type"];
     properties: SubjectPayload<Subjects>["properties"];

package/dist/core.mjs

@@ -84,7 +84,7 @@ const issuer = (input) => {
 	* Resolves issuer URL from context.
 	* Returns the base URL for the OAuth issuer, considering basePath configuration.
 	*/
-	const issuer$1 = (ctx) => {
+	const issuer = (ctx) => {
 		const baseUrl = new URL(getRelativeUrl(ctx, "/"));
 		if (input.basePath) {
 			baseUrl.pathname = (input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`).replace(/\/$/, "");
@@ -158,7 +158,7 @@ const issuer = (input) => {
 				properties: value.properties,
 				sub: value.subject,
 				aud: value.clientID,
-				iss: issuer$1(ctx),
+				iss: issuer(ctx),
 				exp: now + value.ttl.access,
 				iat: now,
 				mode: "access"
@@ -313,7 +313,7 @@ const issuer = (input) => {
 			credentials: false
 		})],
 		handler: (c) => {
-			const iss = issuer$1(c);
+			const iss = issuer(c);
 			const oauth2Document = {
 				issuer: iss,
 				authorization_endpoint: `${iss}/authorize`,

package/dist/error.d.mts

@@ -49,28 +49,28 @@ declare class OauthError extends Error {
   /** Human-readable description of the error */
   readonly description: string;
   /**
-   * Creates a new OAuth error with the specified error code and description.
-   *
-   * @param error - The OAuth error type
-   * @param description - Human-readable error description
-   *
-   * @example
-   * ```ts
-   * throw new OauthError("invalid_grant", "Authorization code has expired")
-   * ```
-   */
+       * Creates a new OAuth error with the specified error code and description.
+       *
+       * @param error - The OAuth error type
+       * @param description - Human-readable error description
+       *
+       * @example
+       * ```ts
+       * throw new OauthError("invalid_grant", "Authorization code has expired")
+       * ```
+       */
   constructor(error: OauthErrorType, description: string);
   /**
-   * Converts the error to a standard OAuth JSON response format.
-   *
-   * @returns Object with error and error_description fields
-   *
-   * @example
-   * ```ts
-   * const oauthError = new OauthError("invalid_request", "Missing parameter")
-   * return c.json(oauthError.toJSON(), 400)
-   * ```
-   */
+       * Converts the error to a standard OAuth JSON response format.
+       *
+       * @returns Object with error and error_description fields
+       *
+       * @example
+       * ```ts
+       * const oauthError = new OauthError("invalid_request", "Missing parameter")
+       * return c.json(oauthError.toJSON(), 400)
+       * ```
+       */
   toJSON(): {
     error: OauthErrorType;
     error_description: string;
@@ -82,9 +82,9 @@ declare class OauthError extends Error {
  */
 declare class MissingProviderError extends OauthError {
   /**
-   * Creates a missing provider error.
-   * Thrown when the provider query parameter is required but not provided.
-   */
+       * Creates a missing provider error.
+       * Thrown when the provider query parameter is required but not provided.
+       */
   constructor();
 }
 /**
@@ -95,15 +95,15 @@ declare class MissingParameterError extends OauthError {
   /** The name of the missing parameter */
   readonly parameter: string;
   /**
-   * Creates a missing parameter error.
-   *
-   * @param parameter - The name of the missing parameter
-   *
-   * @example
-   * ```ts
-   * throw new MissingParameterError("client_id")
-   * ```
-   */
+       * Creates a missing parameter error.
+       *
+       * @param parameter - The name of the missing parameter
+       *
+       * @example
+       * ```ts
+       * throw new MissingParameterError("client_id")
+       * ```
+       */
   constructor(parameter: string);
 }
 /**
@@ -114,16 +114,16 @@ declare class UnauthorizedClientError extends OauthError {
   /** The client ID that attempted unauthorized access */
   readonly clientID: string;
   /**
-   * Creates an unauthorized client error.
-   *
-   * @param clientID - The client ID attempting unauthorized access
-   * @param redirectURI - The unauthorized redirect URI
-   *
-   * @example
-   * ```ts
-   * throw new UnauthorizedClientError("malicious-client", "https://evil.com/callback")
-   * ```
-   */
+       * Creates an unauthorized client error.
+       *
+       * @param clientID - The client ID attempting unauthorized access
+       * @param redirectURI - The unauthorized redirect URI
+       *
+       * @example
+       * ```ts
+       * throw new UnauthorizedClientError("malicious-client", "https://evil.com/callback")
+       * ```
+       */
   constructor(clientID: string, redirectURI: string);
 }
 /**
@@ -146,9 +146,9 @@ declare class UnauthorizedClientError extends OauthError {
  */
 declare class UnknownStateError extends Error {
   /**
-   * Creates an unknown state error.
-   * Indicates that the authentication flow cannot continue due to missing state.
-   */
+       * Creates an unknown state error.
+       * Indicates that the authentication flow cannot continue due to missing state.
+       */
   constructor();
 }
 /**
@@ -166,8 +166,8 @@ declare class UnknownStateError extends Error {
  */
 declare class InvalidSubjectError extends Error {
   /**
-   * Creates an invalid subject error.
-   */
+       * Creates an invalid subject error.
+       */
   constructor();
 }
 /**
@@ -189,8 +189,8 @@ declare class InvalidSubjectError extends Error {
  */
 declare class InvalidRefreshTokenError extends Error {
   /**
-   * Creates an invalid refresh token error.
-   */
+       * Creates an invalid refresh token error.
+       */
   constructor();
 }
 /**
@@ -212,8 +212,8 @@ declare class InvalidRefreshTokenError extends Error {
  */
 declare class InvalidAccessTokenError extends Error {
   /**
-   * Creates an invalid access token error.
-   */
+       * Creates an invalid access token error.
+       */
   constructor();
 }
 /**
@@ -235,8 +235,8 @@ declare class InvalidAccessTokenError extends Error {
  */
 declare class InvalidAuthorizationCodeError extends Error {
   /**
-   * Creates an invalid authorization code error.
-   */
+       * Creates an invalid authorization code error.
+       */
   constructor();
 }
 //#endregion

package/dist/keys.d.mts

@@ -2,7 +2,6 @@ import { StorageAdapter } from "./storage/storage.mjs";
 import { CryptoKey, JWK } from "jose";
 
 //#region src/keys.d.ts
-
 /**
  * Runtime key pair with loaded cryptographic keys and metadata.
  * Ready for immediate use in signing and encryption operations.

package/dist/mutex.d.mts

@@ -18,26 +18,26 @@
 declare class Mutex {
   private semaphore;
   /**
-   * Checks if the mutex is currently locked.
-   * @returns True if the mutex is locked, false otherwise.
-   */
+       * Checks if the mutex is currently locked.
+       * @returns True if the mutex is locked, false otherwise.
+       */
   get isLocked(): boolean;
   /**
-   * Acquires the mutex, blocking if necessary until it is available.
-   * @returns A promise that resolves when the mutex is acquired.
-   */
+       * Acquires the mutex, blocking if necessary until it is available.
+       * @returns A promise that resolves when the mutex is acquired.
+       */
   acquire(): Promise<void>;
   /**
-   * Releases the mutex, allowing another waiting task to proceed.
-   */
+       * Releases the mutex, allowing another waiting task to proceed.
+       */
   release(): void;
   /**
-   * Runs a function while holding the mutex lock.
-   * Automatically acquires before and releases after the function execution.
-   *
-   * @param fn - The function to execute while holding the lock
-   * @returns The result of the function
-   */
+       * Runs a function while holding the mutex lock.
+       * Automatically acquires before and releases after the function execution.
+       *
+       * @param fn - The function to execute while holding the lock
+       * @returns The result of the function
+       */
   runExclusive<T>(fn: () => Promise<T>): Promise<T>;
 }
 //#endregion

package/dist/provider/apple.d.mts

@@ -2,51 +2,50 @@ import { Provider } from "./provider.mjs";
 import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
 
 //#region src/provider/apple.d.ts
-
 /**
  * Configuration options for Apple OAuth 2.0 provider.
  * Extends the base OAuth 2.0 configuration with Apple-specific documentation.
  */
 interface AppleConfig extends Oauth2WrappedConfig {
   /**
-   * Apple Service ID (app identifier for your Sign in with Apple implementation).
-   * Get this from your Apple Developer account when creating a Service ID.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "com.example.app.signin"
-   * }
-   * ```
-   */
+       * Apple Service ID (app identifier for your Sign in with Apple implementation).
+       * Get this from your Apple Developer account when creating a Service ID.
+       *
+       * @example
+       * ```ts
+       * {
+       *   clientID: "com.example.app.signin"
+       * }
+       * ```
+       */
   readonly clientID: string;
   /**
-   * Apple client secret (JWT token signed with your private key).
-   * This is different from other providers - Apple requires a JWT token
-   * generated from your private key.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientSecret: process.env.APPLE_CLIENT_SECRET
-   * }
-   * ```
-   */
+       * Apple client secret (JWT token signed with your private key).
+       * This is different from other providers - Apple requires a JWT token
+       * generated from your private key.
+       *
+       * @example
+       * ```ts
+       * {
+       *   clientSecret: process.env.APPLE_CLIENT_SECRET
+       * }
+       * ```
+       */
   readonly clientSecret: string;
   /**
-   * Apple OAuth scopes to request access for.
-   * Apple only supports "name" and "email" scopes.
-   *
-   * Important: Apple only provides user data (name, email) on the FIRST authorization.
-   * Subsequent authorizations won't include this data.
-   *
-   * @example
-   * ```ts
-   * {
-   *   scopes: ["name", "email"]
-   * }
-   * ```
-   */
+       * Apple OAuth scopes to request access for.
+       * Apple only supports "name" and "email" scopes.
+       *
+       * Important: Apple only provides user data (name, email) on the FIRST authorization.
+       * Subsequent authorizations won't include this data.
+       *
+       * @example
+       * ```ts
+       * {
+       *   scopes: ["name", "email"]
+       * }
+       * ```
+       */
   readonly scopes: string[];
 }
 /**

package/dist/provider/code.d.mts

@@ -1,7 +1,6 @@
 import { Provider } from "./provider.mjs";
 
 //#region src/provider/code.d.ts
-
 /**
  * Configuration options for the PIN code authentication provider.
  *
@@ -9,78 +8,78 @@ import { Provider } from "./provider.mjs";
  */
 interface CodeProviderConfig<Claims extends Record<string, string> = Record<string, string>> {
   /**
-   * The length of the generated PIN code.
-   * Common values are 4, 6, or 8 digits.
-   *
-   * @default 6
-   *
-   * @example
-   * ```ts
-   * {
-   *   length: 4 // 4-digit PIN for easier entry
-   * }
-   * ```
-   */
+       * The length of the generated PIN code.
+       * Common values are 4, 6, or 8 digits.
+       *
+       * @default 6
+       *
+       * @example
+       * ```ts
+       * {
+       *   length: 4 // 4-digit PIN for easier entry
+       * }
+       * ```
+       */
   readonly length?: number;
   /**
-   * Request handler for rendering the authentication UI.
-   * Handles both the initial claim collection and PIN code entry screens.
-   *
-   * @param req - The HTTP request object
-   * @param state - Current authentication state (start or code verification)
-   * @param form - Form data from POST requests (if any)
-   * @param error - Authentication error to display (if any)
-   * @returns Promise resolving to the authentication page response
-   *
-   * @example
-   * ```ts
-   * request: async (req, state, form, error) => {
-   *   if (state.type === 'start') {
-   *     return new Response(renderClaimForm(form, error))
-   *   } else {
-   *     return new Response(renderCodeForm(state.claims.email, error))
-   *   }
-   * }
-   * ```
-   */
+       * Request handler for rendering the authentication UI.
+       * Handles both the initial claim collection and PIN code entry screens.
+       *
+       * @param req - The HTTP request object
+       * @param state - Current authentication state (start or code verification)
+       * @param form - Form data from POST requests (if any)
+       * @param error - Authentication error to display (if any)
+       * @returns Promise resolving to the authentication page response
+       *
+       * @example
+       * ```ts
+       * request: async (req, state, form, error) => {
+       *   if (state.type === 'start') {
+       *     return new Response(renderClaimForm(form, error))
+       *   } else {
+       *     return new Response(renderCodeForm(state.claims.email, error))
+       *   }
+       * }
+       * ```
+       */
   request: (req: Request, state: CodeProviderState, form?: FormData, error?: CodeProviderError) => Promise<Response>;
   /**
-   * Callback for sending PIN codes to users via their preferred method.
-   * Should handle delivery via email, SMS, or other communication channels.
-   *
-   * @param claims - User claims containing contact information
-   * @param code - The generated PIN code to send
-   * @returns Promise resolving to undefined on success, or error object on failure
-   *
-   * @example
-   * ```ts
-   * sendCode: async (claims, code) => {
-   *   try {
-   *     if (claims.email) {
-   *       await emailService.send({
-   *         to: claims.email,
-   *         subject: 'Your verification code',
-   *         text: `Your PIN code is: ${code}`
-   *       })
-   *     } else if (claims.phone) {
-   *       await smsService.send(claims.phone, `PIN: ${code}`)
-   *     } else {
-   *       return {
-   *         type: "invalid_claim",
-   *         key: "email",
-   *         value: "Email or phone number is required"
-   *       }
-   *     }
-   *   } catch (error) {
-   *     return {
-   *       type: "invalid_claim",
-   *       key: "delivery",
-   *       value: "Failed to send code"
-   *     }
-   *   }
-   * }
-   * ```
-   */
+       * Callback for sending PIN codes to users via their preferred method.
+       * Should handle delivery via email, SMS, or other communication channels.
+       *
+       * @param claims - User claims containing contact information
+       * @param code - The generated PIN code to send
+       * @returns Promise resolving to undefined on success, or error object on failure
+       *
+       * @example
+       * ```ts
+       * sendCode: async (claims, code) => {
+       *   try {
+       *     if (claims.email) {
+       *       await emailService.send({
+       *         to: claims.email,
+       *         subject: 'Your verification code',
+       *         text: `Your PIN code is: ${code}`
+       *       })
+       *     } else if (claims.phone) {
+       *       await smsService.send(claims.phone, `PIN: ${code}`)
+       *     } else {
+       *       return {
+       *         type: "invalid_claim",
+       *         key: "email",
+       *         value: "Email or phone number is required"
+       *       }
+       *     }
+       *   } catch (error) {
+       *     return {
+       *       type: "invalid_claim",
+       *       key: "delivery",
+       *       value: "Failed to send code"
+       *     }
+       *   }
+       * }
+       * ```
+       */
   sendCode: (claims: Claims, code: string) => Promise<CodeProviderError | undefined>;
 }
 /**
@@ -88,30 +87,21 @@ interface CodeProviderConfig<Claims extends Record<string, string> = Record<stri
  * The provider transitions between these states during authentication.
  */
 type CodeProviderState = {
-  /** Initial state: user enters their claims (email, phone, etc.) */
-  readonly type: "start";
+  /** Initial state: user enters their claims (email, phone, etc.) */readonly type: "start";
 } | {
-  /** Code verification state: user enters the PIN code */
-  readonly type: "code";
-  /** Whether this is a code resend request */
-  readonly resend?: boolean;
-  /** The generated PIN code for verification */
-  readonly code: string;
-  /** User claims collected during the start phase */
+  /** Code verification state: user enters the PIN code */readonly type: "code"; /** Whether this is a code resend request */
+  readonly resend?: boolean; /** The generated PIN code for verification */
+  readonly code: string; /** User claims collected during the start phase */
   readonly claims: Record<string, string>;
 };
 /**
  * Possible errors during PIN code authentication.
  */
 type CodeProviderError = {
-  /** The entered PIN code is incorrect */
-  readonly type: "invalid_code";
+  /** The entered PIN code is incorrect */readonly type: "invalid_code";
 } | {
-  /** A user claim is invalid or missing */
-  readonly type: "invalid_claim";
-  /** The claim field that failed validation */
-  readonly key: string;
-  /** The invalid value or error description */
+  /** A user claim is invalid or missing */readonly type: "invalid_claim"; /** The claim field that failed validation */
+  readonly key: string; /** The invalid value or error description */
   readonly value: string;
 };
 /**