@draftlab/auth 0.15.0 → 0.16.0

package/dist/types/provider/spotify.d.ts

@@ -0,0 +1,168 @@
+/**
+ * Spotify authentication provider for Draft Auth.
+ * Implements OAuth 2.0 flow for authenticating users with their Spotify accounts.
+ *
+ * ## Quick Setup
+ *
+ * ```ts
+ * import { SpotifyProvider } from "@draftlab/auth/provider/spotify"
+ *
+ * export default issuer({
+ *   basePath: "/auth", // Important for callback URL
+ *   providers: {
+ *     spotify: SpotifyProvider({
+ *       clientID: process.env.SPOTIFY_CLIENT_ID,
+ *       clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
+ *       scopes: ["user-read-private", "user-read-email"]
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
+ * - Development: `http://localhost:3000/auth/spotify/callback`
+ * - Production: `https://yourapp.com/auth/spotify/callback`
+ *
+ * Register this URL in your Spotify Developer Dashboard.
+ *
+ * ## Common Scopes
+ *
+ * - `user-read-private` - Access user's private data
+ * - `user-read-email` - Access user's email address
+ * - `user-top-read` - Read user's top artists and tracks
+ * - `user-read-playback-state` - Read current playback state
+ * - `user-modify-playback-state` - Modify playback state
+ * - `user-read-currently-playing` - Read currently playing track
+ * - `playlist-read-private` - Access private playlists
+ * - `playlist-read-public` - Access public playlists
+ * - `user-library-read` - Read user's library
+ * - `user-follow-read` - Read followed artists and users
+ *
+ * ## User Data Access
+ *
+ * ```ts
+ * success: async (ctx, value) => {
+ *   if (value.provider === "spotify") {
+ *     const accessToken = value.tokenset.access
+ *
+ *     // Fetch user profile
+ *     const userResponse = await fetch('https://api.spotify.com/v1/me', {
+ *       headers: { Authorization: `Bearer ${accessToken}` }
+ *     })
+ *     const user = await userResponse.json()
+ *
+ *     // User info: id, email, display_name, external_urls, images, followers
+ *   }
+ * }
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { type Oauth2WrappedConfig } from "./oauth2";
+/**
+ * Configuration options for Spotify OAuth 2.0 provider.
+ * Extends the base OAuth 2.0 configuration with Spotify-specific documentation.
+ */
+export interface SpotifyConfig extends Oauth2WrappedConfig {
+    /**
+     * Spotify app client ID.
+     * Get this from your Spotify App at https://developer.spotify.com/dashboard
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientID: "abcdef123456"
+     * }
+     * ```
+     */
+    readonly clientID: string;
+    /**
+     * Spotify app client secret.
+     * Keep this secure and never expose it to client-side code.
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientSecret: process.env.SPOTIFY_CLIENT_SECRET
+     * }
+     * ```
+     */
+    readonly clientSecret: string;
+    /**
+     * Spotify OAuth scopes to request access for.
+     * Determines what data and actions your app can access.
+     *
+     * @example
+     * ```ts
+     * {
+     *   scopes: [
+     *     "user-read-private",   // Access private user data
+     *     "user-read-email",     // Access user email
+     *     "user-top-read"        // Read top artists and tracks
+     *   ]
+     * }
+     * ```
+     */
+    readonly scopes: string[];
+}
+/**
+ * Creates a Spotify OAuth 2.0 authentication provider.
+ * Allows users to authenticate using their Spotify accounts.
+ *
+ * @param config - Spotify OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for Spotify
+ *
+ * @example
+ * ```ts
+ * // Basic Spotify authentication
+ * const basicSpotify = SpotifyProvider({
+ *   clientID: process.env.SPOTIFY_CLIENT_ID,
+ *   clientSecret: process.env.SPOTIFY_CLIENT_SECRET
+ * })
+ *
+ * // Spotify with user data access
+ * const spotifyWithScopes = SpotifyProvider({
+ *   clientID: process.env.SPOTIFY_CLIENT_ID,
+ *   clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
+ *   scopes: ["user-read-private", "user-read-email", "user-top-read"]
+ * })
+ *
+ * // Using the access token to fetch user data
+ * export default issuer({
+ *   providers: { spotify: spotifyWithScopes },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "spotify") {
+ *       const token = value.tokenset.access
+ *
+ *       const userRes = await fetch('https://api.spotify.com/v1/me', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const user = await userRes.json()
+ *
+ *       // Optionally fetch top tracks
+ *       const topRes = await fetch('https://api.spotify.com/v1/me/top/tracks?limit=5', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const { items: topTracks } = await topRes.json()
+ *
+ *       return ctx.subject("user", {
+ *         spotifyId: user.id,
+ *         email: user.email,
+ *         displayName: user.display_name,
+ *         profileUrl: user.external_urls?.spotify,
+ *         followers: user.followers?.total,
+ *         topTracks: topTracks.map(t => t.name)
+ *       })
+ *     }
+ *   }
+ * })
+ * ```
+ *
+ * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
+ * - Development: `http://localhost:3000/auth/spotify/callback`
+ * - Production: `https://yourapp.com/auth/spotify/callback`
+ *
+ * Register this URL in your Spotify Developer Dashboard.
+ */
+export declare const SpotifyProvider: (config: SpotifyConfig) => import("./provider").Provider<import("./oauth2").Oauth2UserData>;
+//# sourceMappingURL=spotify.d.ts.map

package/dist/types/provider/spotify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spotify.d.ts","sourceRoot":"","sources":["../../../src/provider/spotify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAEnE;;;GAGG;AACH,MAAM,WAAW,aAAc,SAAQ,mBAAmB;IACzD;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IAEzB;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAE7B;;;;;;;;;;;;;;OAcG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AACH,eAAO,MAAM,eAAe,GAAI,QAAQ,aAAa,qEASpD,CAAA"}

package/dist/types/provider/twitch.d.ts

@@ -0,0 +1,163 @@
+/**
+ * Twitch authentication provider for Draft Auth.
+ * Implements OAuth 2.0 flow for authenticating users with their Twitch accounts.
+ *
+ * ## Quick Setup
+ *
+ * ```ts
+ * import { TwitchProvider } from "@draftlab/auth/provider/twitch"
+ *
+ * export default issuer({
+ *   basePath: "/auth", // Important for callback URL
+ *   providers: {
+ *     twitch: TwitchProvider({
+ *       clientID: process.env.TWITCH_CLIENT_ID,
+ *       clientSecret: process.env.TWITCH_CLIENT_SECRET,
+ *       scopes: ["user:read:email"]
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
+ * - Development: `http://localhost:3000/auth/twitch/callback`
+ * - Production: `https://yourapp.com/auth/twitch/callback`
+ *
+ * Register this URL in your Twitch Developer Console.
+ *
+ * ## Common Scopes
+ *
+ * - `user:read:email` - Access user's email address
+ * - `user:read:subscriptions` - View user subscriptions
+ * - `user:read:follows` - View user's follows
+ * - `channel:read:subscriptions` - View channel subscribers
+ * - `analytics:read:games` - View game analytics
+ * - `bits:read` - View bits information
+ *
+ * ## User Data Access
+ *
+ * ```ts
+ * success: async (ctx, value) => {
+ *   if (value.provider === "twitch") {
+ *     const accessToken = value.tokenset.access
+ *
+ *     // Fetch user information
+ *     const userResponse = await fetch('https://api.twitch.tv/helix/users', {
+ *       headers: {
+ *         'Authorization': `Bearer ${accessToken}`,
+ *         'Client-ID': process.env.TWITCH_CLIENT_ID
+ *       }
+ *     })
+ *     const { data } = await userResponse.json()
+ *     const user = data[0]
+ *
+ *     // User info available: id, login, display_name, email, profile_image_url
+ *   }
+ * }
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { type Oauth2WrappedConfig } from "./oauth2";
+/**
+ * Configuration options for Twitch OAuth 2.0 provider.
+ * Extends the base OAuth 2.0 configuration with Twitch-specific documentation.
+ */
+export interface TwitchConfig extends Oauth2WrappedConfig {
+    /**
+     * Twitch application client ID.
+     * Get this from your Twitch Console at https://dev.twitch.tv/console
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientID: "abcdef123456"
+     * }
+     * ```
+     */
+    readonly clientID: string;
+    /**
+     * Twitch application client secret.
+     * Keep this secure and never expose it to client-side code.
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientSecret: process.env.TWITCH_CLIENT_SECRET
+     * }
+     * ```
+     */
+    readonly clientSecret: string;
+    /**
+     * Twitch OAuth scopes to request access for.
+     * Determines what data and actions your app can access.
+     *
+     * @example
+     * ```ts
+     * {
+     *   scopes: [
+     *     "user:read:email",           // Access user email
+     *     "user:read:subscriptions"    // View subscriptions
+     *   ]
+     * }
+     * ```
+     */
+    readonly scopes: string[];
+}
+/**
+ * Creates a Twitch OAuth 2.0 authentication provider.
+ * Allows users to authenticate using their Twitch accounts.
+ *
+ * @param config - Twitch OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for Twitch
+ *
+ * @example
+ * ```ts
+ * // Basic Twitch authentication
+ * const basicTwitch = TwitchProvider({
+ *   clientID: process.env.TWITCH_CLIENT_ID,
+ *   clientSecret: process.env.TWITCH_CLIENT_SECRET
+ * })
+ *
+ * // Twitch with email scope
+ * const twitchWithEmail = TwitchProvider({
+ *   clientID: process.env.TWITCH_CLIENT_ID,
+ *   clientSecret: process.env.TWITCH_CLIENT_SECRET,
+ *   scopes: ["user:read:email"]
+ * })
+ *
+ * // Using the access token to fetch user data
+ * export default issuer({
+ *   providers: { twitch: twitchWithEmail },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "twitch") {
+ *       const token = value.tokenset.access
+ *
+ *       const userRes = await fetch('https://api.twitch.tv/helix/users', {
+ *         headers: {
+ *           'Authorization': `Bearer ${token}`,
+ *           'Client-ID': process.env.TWITCH_CLIENT_ID
+ *         }
+ *       })
+ *       const { data } = await userRes.json()
+ *       const user = data[0]
+ *
+ *       return ctx.subject("user", {
+ *         twitchId: user.id,
+ *         login: user.login,
+ *         email: user.email,
+ *         displayName: user.display_name
+ *       })
+ *     }
+ *   }
+ * })
+ * ```
+ *
+ * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
+ * - Development: `http://localhost:3000/auth/twitch/callback`
+ * - Production: `https://yourapp.com/auth/twitch/callback`
+ *
+ * Register this URL in your Twitch Developer Console.
+ */
+export declare const TwitchProvider: (config: TwitchConfig) => import("./provider").Provider<import("./oauth2").Oauth2UserData>;
+//# sourceMappingURL=twitch.d.ts.map

package/dist/types/provider/twitch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"twitch.d.ts","sourceRoot":"","sources":["../../../src/provider/twitch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAEnE;;;GAGG;AACH,MAAM,WAAW,YAAa,SAAQ,mBAAmB;IACxD;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IAEzB;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAE7B;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,YAAY,qEASlD,CAAA"}

package/dist/types/provider/vercel.d.ts

@@ -0,0 +1,294 @@
+/**
+ * Vercel OAuth 2.0 + OpenID Connect authentication provider for Draft Auth.
+ * Implements "Sign in with Vercel" for user authentication.
+ *
+ * ## Quick Setup
+ *
+ * ```ts
+ * import { VercelProvider } from "@draftlab/auth/provider/vercel"
+ *
+ * export default issuer({
+ *   basePath: "/auth", // Important for callback URL
+ *   providers: {
+ *     vercel: VercelProvider({
+ *       clientID: process.env.VERCEL_CLIENT_ID,
+ *       clientSecret: process.env.VERCEL_CLIENT_SECRET,
+ *       scopes: ["openid", "email", "profile"]
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
+ * - Example: `http://localhost:3000/auth/vercel/callback`
+ * - Production: `https://yourapp.com/auth/vercel/callback`
+ *
+ * ## Creating a Vercel App
+ *
+ * Before using this provider, create a Vercel App in your dashboard:
+ *
+ * 1. Go to **Team Settings** → **Apps** → **Create**
+ * 2. Fill in app name, description, and logo
+ * 3. Add **Authorization Callback URLs**:
+ *    - Development: `http://localhost:3000/auth/vercel/callback`
+ *    - Production: `https://yourapp.com/auth/vercel/callback`
+ *    - Pattern: `{baseURL}{basePath}/{provider}/callback`
+ * 4. Configure **Scopes** in the app's Permissions page:
+ *    - ✅ openid (Required)
+ *    - ✅ email
+ *    - ✅ profile
+ *    - ✅ offline_access (optional, for refresh tokens)
+ * 5. Generate a **Client Secret** in the Authentication tab
+ * 6. Copy the **Client ID** and **Client Secret**
+ *
+ * **Important**: You must enable the scopes in the Vercel App dashboard before requesting them!
+ *
+ * ## Available Scopes
+ *
+ * - `openid` - **Required**. Enables ID Token issuance for user identification
+ * - `email` - Access user's email address in ID Token
+ * - `profile` - Access user's name, username, and avatar in ID Token
+ * - `offline_access` - Issue a Refresh Token for long-lived access (30 days)
+ *
+ * ## Tokens Returned
+ *
+ * - **ID Token**: Signed JWT with user identity claims (verified automatically)
+ * - **Access Token**: Bearer token for Vercel API calls (1 hour duration)
+ * - **Refresh Token**: Rotates on each use (30 days, requires offline_access scope)
+ *
+ * ## User Data Access
+ *
+ * ```ts
+ * success: async (ctx, value) => {
+ *   if (value.provider === "vercel") {
+ *     // ID Token is automatically validated (signature, issuer, audience, expiration)
+ *     const idToken = value.tokenset.raw.id_token as string | undefined
+ *     const accessToken = value.tokenset.access
+ *     const refreshToken = value.tokenset.refresh
+ *
+ *     // Decode ID Token to access user claims
+ *     if (idToken) {
+ *       const claims = JSON.parse(
+ *         Buffer.from(idToken.split('.')[1], 'base64').toString()
+ *       )
+ *
+ *       // Claims available (depending on scopes):
+ *       // - sub: Unique Vercel user ID (always present)
+ *       // - email: User's email (if email scope granted)
+ *       // - name: User's full name (if profile scope granted)
+ *       // - picture: Avatar URL (if profile scope granted)
+ *       // - preferred_username: Vercel username (if profile scope granted)
+ *
+ *       return ctx.subject("user", {
+ *         email: claims.email || claims.sub
+ *       })
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * ## Calling Vercel API
+ *
+ * Use the access token to call Vercel's REST API:
+ *
+ * ```ts
+ * // Get user information
+ * const userRes = await fetch('https://api.vercel.com/v2/user', {
+ *   headers: { Authorization: `Bearer ${accessToken}` }
+ * })
+ *
+ * // Get user's teams
+ * const teamsRes = await fetch('https://api.vercel.com/v2/teams', {
+ *   headers: { Authorization: `Bearer ${accessToken}` }
+ * })
+ *
+ * // Get projects (requires appropriate permissions)
+ * const projectsRes = await fetch('https://api.vercel.com/v9/projects', {
+ *   headers: { Authorization: `Bearer ${accessToken}` }
+ * })
+ * ```
+ *
+ * ## Consent Page
+ *
+ * The first time a user signs in, Vercel shows a consent page with:
+ * - Your app's name and logo
+ * - Requested scopes and permissions
+ * - Allow/Cancel buttons
+ *
+ * If the user grants access, they're redirected back with an authorization code.
+ * If they cancel, they're redirected with an error parameter.
+ *
+ * @packageDocumentation
+ */
+import { type Oauth2WrappedConfig } from "./oauth2";
+/**
+ * Configuration options for Vercel OAuth 2.0 + OpenID Connect provider.
+ * Extends the base OAuth 2.0 configuration with Vercel-specific documentation.
+ */
+export interface VercelConfig extends Oauth2WrappedConfig {
+    /**
+     * Vercel OAuth App client ID.
+     * Found in your Vercel App settings under the Authentication tab.
+     *
+     * To create an app:
+     * 1. Go to Team Settings → Apps → Create
+     * 2. Configure app details and callback URLs
+     * 3. Copy the Client ID from the Authentication tab
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientID: "oac_abc123xyz789" // Vercel OAuth App Client ID
+     * }
+     * ```
+     */
+    readonly clientID: string;
+    /**
+     * Vercel OAuth App client secret.
+     * Generated in your Vercel App settings under the Authentication tab.
+     * Keep this secure and never expose it to client-side code.
+     *
+     * To generate:
+     * 1. Go to your app's Authentication tab
+     * 2. Click "Generate Client Secret"
+     * 3. Copy and store securely (shown only once)
+     *
+     * @example
+     * ```ts
+     * {
+     *   clientSecret: process.env.VERCEL_CLIENT_SECRET
+     * }
+     * ```
+     */
+    readonly clientSecret: string;
+    /**
+     * OpenID Connect scopes to request.
+     * Controls what user information is included in the ID Token.
+     *
+     * Available scopes (must be enabled in Vercel App dashboard first):
+     * - `openid`: Required for ID Token issuance
+     * - `email`: User's email address
+     * - `profile`: Name, username, and avatar
+     * - `offline_access`: Refresh token for long-lived access (optional)
+     *
+     * **Important**: Enable scopes in: Vercel App → Permissions page
+     *
+     * @example
+     * ```ts
+     * {
+     *   // Basic scopes (usually sufficient)
+     *   scopes: ["openid", "email", "profile"]
+     *
+     *   // With refresh token support (enable offline_access in dashboard first)
+     *   scopes: ["openid", "email", "profile", "offline_access"]
+     * }
+     * ```
+     */
+    readonly scopes: string[];
+    /**
+     * Additional query parameters for Vercel OAuth authorization.
+     * Useful for customizing the authorization flow.
+     *
+     * @example
+     * ```ts
+     * {
+     *   query: {
+     *     prompt: "consent"  // Force consent screen every time
+     *   }
+     * }
+     * ```
+     */
+    readonly query?: Record<string, string>;
+}
+/**
+ * Creates a Vercel OAuth 2.0 + OpenID Connect authentication provider.
+ * Implements "Sign in with Vercel" for user authentication.
+ *
+ * This provider uses the standard OAuth 2.0 Authorization Code Grant flow
+ * with PKCE (Proof Key for Code Exchange) for enhanced security.
+ *
+ * @param config - Vercel OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for Vercel
+ *
+ * @example
+ * ```ts
+ * // Basic Vercel authentication (email + profile)
+ * const basicVercel = VercelProvider({
+ *   clientID: process.env.VERCEL_CLIENT_ID,
+ *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
+ *   scopes: ["openid", "email", "profile"]
+ * })
+ *
+ * // Vercel with refresh token support
+ * const vercelWithRefresh = VercelProvider({
+ *   clientID: process.env.VERCEL_CLIENT_ID,
+ *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
+ *   scopes: ["openid", "email", "profile", "offline_access"]
+ * })
+ *
+ * // Minimal setup (only user ID in ID Token)
+ * const minimalVercel = VercelProvider({
+ *   clientID: process.env.VERCEL_CLIENT_ID,
+ *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
+ *   scopes: ["openid"] // Only sub claim in ID Token
+ * })
+ *
+ * // Using the tokens in your app
+ * export default issuer({
+ *   providers: { vercel: vercelWithRefresh },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "vercel") {
+ *       const idToken = value.tokenset.raw.id_token as string | undefined
+ *       const accessToken = value.tokenset.access
+ *       const refreshToken = value.tokenset.refresh
+ *
+ *       if (idToken) {
+ *         // Decode ID Token to access user claims
+ *         // (Already validated by oauth2.ts - signature, issuer, audience, exp)
+ *         const claims = JSON.parse(
+ *           Buffer.from(idToken.split('.')[1], 'base64').toString()
+ *         )
+ *
+ *         // Claims available (depending on scopes):
+ *         // - sub: Vercel user ID (always present)
+ *         // - email: user@example.com (if email scope)
+ *         // - name: "John Doe" (if profile scope)
+ *         // - picture: "https://..." (if profile scope)
+ *         // - preferred_username: "johndoe" (if profile scope)
+ *
+ *         // Optionally call Vercel API for more data
+ *         const userRes = await fetch('https://api.vercel.com/v2/user', {
+ *           headers: { Authorization: `Bearer ${accessToken}` }
+ *         })
+ *         const user = await userRes.json()
+ *
+ *         // Get user's teams
+ *         const teamsRes = await fetch('https://api.vercel.com/v2/teams', {
+ *           headers: { Authorization: `Bearer ${accessToken}` }
+ *         })
+ *         const teams = await teamsRes.json()
+ *
+ *         return ctx.subject("user", {
+ *           vercelId: claims.sub,
+ *           email: claims.email,
+ *           name: claims.name,
+ *           username: claims.preferred_username,
+ *           avatar: claims.picture,
+ *           teamCount: teams.teams?.length || 0
+ *         })
+ *       }
+ *     }
+ *   }
+ * })
+ * ```
+ *
+ * @remarks
+ * - Requires creating a Vercel App in Team Settings → Apps
+ * - PKCE is enabled by default for enhanced security
+ * - ID Token is automatically validated (signature, issuer, audience, expiration)
+ * - Access tokens expire after 1 hour
+ * - Refresh tokens rotate on each use and last 30 days
+ * - The `openid` scope is required for ID Token issuance
+ */
+export declare const VercelProvider: (config: VercelConfig) => import("./provider").Provider<import("./oauth2").Oauth2UserData>;
+//# sourceMappingURL=vercel.d.ts.map

package/dist/types/provider/vercel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/provider/vercel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyHG;AAEH,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAEnE;;;GAGG;AACH,MAAM,WAAW,YAAa,SAAQ,mBAAmB;IACxD;;;;;;;;;;;;;;;OAeG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IAEzB;;;;;;;;;;;;;;;;OAgBG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAE7B;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,CAAA;IAEzB;;;;;;;;;;;;OAYG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACvC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyFG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,YAAY,qEAYlD,CAAA"}

package/dist/{random.d.mts → types/random.d.ts}

@@ -1,4 +1,3 @@
-//#region src/random.d.ts
 /**
  * Cryptographic utilities for secure random generation and comparison operations.
  * These functions are designed to prevent timing attacks and provide unbiased randomness.
@@ -19,7 +18,7 @@
  * // Returns: "4A7bC9dF2gH5iJ8kL1mN4pQ7rS0tU" (example)
  * ```
  */
-declare const generateSecureToken: (length?: number) => string;
+export declare const generateSecureToken: (length?: number) => string;
 /**
  * Generates a cryptographically secure string of random digits without modulo bias.
  * Uses rejection sampling to ensure each digit (0-9) has an equal probability of being selected.
@@ -38,7 +37,7 @@ declare const generateSecureToken: (length?: number) => string;
  *
  * @throws {RangeError} If length is not a positive number
  */
-declare const generateUnbiasedDigits: (length: number) => string;
+export declare const generateUnbiasedDigits: (length: number) => string;
 /**
  * Performs a timing-safe comparison of two strings to prevent timing attacks.
  * Always takes the same amount of time regardless of where the strings differ,
@@ -61,6 +60,5 @@ declare const generateUnbiasedDigits: (length: number) => string;
  * timingSafeCompare("abc", "abcd") // false
  * ```
  */
-declare const timingSafeCompare: (a: string, b: string) => boolean;
-//#endregion
-export { generateSecureToken, generateUnbiasedDigits, timingSafeCompare };
+export declare const timingSafeCompare: (a: string, b: string) => boolean;
+//# sourceMappingURL=random.d.ts.map

package/dist/types/random.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"random.d.ts","sourceRoot":"","sources":["../../src/random.ts"],"names":[],"mappings":"AAEA;;;GAGG;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAQ,MAAW,KAAG,MAWzD,CAAA;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sBAAsB,GAAI,QAAQ,MAAM,KAAG,MAevD,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,iBAAiB,GAAI,GAAG,MAAM,EAAE,GAAG,MAAM,KAAG,OAQxD,CAAA"}