@draftlab/auth 0.15.0 → 0.16.0

package/dist/provider/spotify.mjs

@@ -1,135 +0,0 @@
-import { Oauth2Provider } from "./oauth2.mjs";
-
-//#region src/provider/spotify.ts
-/**
-* Spotify authentication provider for Draft Auth.
-* Implements OAuth 2.0 flow for authenticating users with their Spotify accounts.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { SpotifyProvider } from "@draftlab/auth/provider/spotify"
-*
-* export default issuer({
-*   basePath: "/auth", // Important for callback URL
-*   providers: {
-*     spotify: SpotifyProvider({
-*       clientID: process.env.SPOTIFY_CLIENT_ID,
-*       clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
-*       scopes: ["user-read-private", "user-read-email"]
-*     })
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/spotify/callback`
-* - Production: `https://yourapp.com/auth/spotify/callback`
-*
-* Register this URL in your Spotify Developer Dashboard.
-*
-* ## Common Scopes
-*
-* - `user-read-private` - Access user's private data
-* - `user-read-email` - Access user's email address
-* - `user-top-read` - Read user's top artists and tracks
-* - `user-read-playback-state` - Read current playback state
-* - `user-modify-playback-state` - Modify playback state
-* - `user-read-currently-playing` - Read currently playing track
-* - `playlist-read-private` - Access private playlists
-* - `playlist-read-public` - Access public playlists
-* - `user-library-read` - Read user's library
-* - `user-follow-read` - Read followed artists and users
-*
-* ## User Data Access
-*
-* ```ts
-* success: async (ctx, value) => {
-*   if (value.provider === "spotify") {
-*     const accessToken = value.tokenset.access
-*
-*     // Fetch user profile
-*     const userResponse = await fetch('https://api.spotify.com/v1/me', {
-*       headers: { Authorization: `Bearer ${accessToken}` }
-*     })
-*     const user = await userResponse.json()
-*
-*     // User info: id, email, display_name, external_urls, images, followers
-*   }
-* }
-* ```
-*
-* @packageDocumentation
-*/
-/**
-* Creates a Spotify OAuth 2.0 authentication provider.
-* Allows users to authenticate using their Spotify accounts.
-*
-* @param config - Spotify OAuth 2.0 configuration
-* @returns OAuth 2.0 provider configured for Spotify
-*
-* @example
-* ```ts
-* // Basic Spotify authentication
-* const basicSpotify = SpotifyProvider({
-*   clientID: process.env.SPOTIFY_CLIENT_ID,
-*   clientSecret: process.env.SPOTIFY_CLIENT_SECRET
-* })
-*
-* // Spotify with user data access
-* const spotifyWithScopes = SpotifyProvider({
-*   clientID: process.env.SPOTIFY_CLIENT_ID,
-*   clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
-*   scopes: ["user-read-private", "user-read-email", "user-top-read"]
-* })
-*
-* // Using the access token to fetch user data
-* export default issuer({
-*   providers: { spotify: spotifyWithScopes },
-*   success: async (ctx, value) => {
-*     if (value.provider === "spotify") {
-*       const token = value.tokenset.access
-*
-*       const userRes = await fetch('https://api.spotify.com/v1/me', {
-*         headers: { Authorization: `Bearer ${token}` }
-*       })
-*       const user = await userRes.json()
-*
-*       // Optionally fetch top tracks
-*       const topRes = await fetch('https://api.spotify.com/v1/me/top/tracks?limit=5', {
-*         headers: { Authorization: `Bearer ${token}` }
-*       })
-*       const { items: topTracks } = await topRes.json()
-*
-*       return ctx.subject("user", {
-*         spotifyId: user.id,
-*         email: user.email,
-*         displayName: user.display_name,
-*         profileUrl: user.external_urls?.spotify,
-*         followers: user.followers?.total,
-*         topTracks: topTracks.map(t => t.name)
-*       })
-*     }
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/spotify/callback`
-* - Production: `https://yourapp.com/auth/spotify/callback`
-*
-* Register this URL in your Spotify Developer Dashboard.
-*/
-const SpotifyProvider = (config) => {
-	return Oauth2Provider({
-		...config,
-		type: "spotify",
-		endpoint: {
-			authorization: "https://accounts.spotify.com/authorize",
-			token: "https://accounts.spotify.com/api/token"
-		}
-	});
-};
-
-//#endregion
-export { SpotifyProvider };

package/dist/provider/totp.d.mts

@@ -1,112 +0,0 @@
-import { Provider } from "./provider.mjs";
-
-//#region src/provider/totp.d.ts
-
-/**
- * TOTP data model stored in the database.
- * Contains the user's TOTP configuration and backup codes.
- */
-interface TOTPModel {
-  /** Base32-encoded secret key */
-  secret: string;
-  /** Whether TOTP is enabled for this user */
-  enabled: boolean;
-  /** Array of one-time backup/recovery codes */
-  backupCodes: string[];
-  /** Timestamp when TOTP was first set up */
-  createdAt: string;
-  /** Optional user label for the TOTP */
-  label?: string;
-}
-/**
- * Configuration for the TOTPProvider.
- * Defines how the TOTP authentication flow should behave.
- */
-interface TOTPProviderConfig {
-  /**
-   * The human-readable name of the issuer (your application).
-   * This appears in authenticator apps next to the TOTP entry.
-   */
-  issuer: string;
-  /**
-   * Custom authorize handler that generates the UI for TOTP login.
-   * Called when user wants to login with TOTP (main page).
-   *
-   * @param req - The HTTP request object
-   * @param error - Optional error message to display
-   */
-  authorize: (req: Request, error?: string) => Promise<Response>;
-  /**
-   * Custom register handler that generates the UI for TOTP setup.
-   * Called when user is setting up TOTP for the first time.
-   *
-   * @param req - The HTTP request object
-   * @param qrCodeUrl - The otpauth:// URL for QR code generation
-   * @param secret - The raw secret (for manual entry)
-   * @param backupCodes - Array of backup/recovery codes
-   * @param error - Optional error message to display
-   */
-  register: (req: Request, qrCodeUrl: string, secret: string, backupCodes: string[], error?: string, email?: string) => Promise<Response>;
-  /**
-   * Custom recovery handler that generates the UI for backup code entry.
-   * Called when user wants to use a recovery code instead of TOTP.
-   *
-   * @param req - The HTTP request object
-   * @param error - Optional error message to display
-   */
-  recovery: (req: Request, error?: string) => Promise<Response>;
-  /**
-   * Optional TOTP algorithm. Defaults to SHA1 for maximum compatibility.
-   * Most authenticator apps support SHA1, fewer support SHA256/SHA512.
-   */
-  algorithm?: "SHA1" | "SHA256" | "SHA512";
-  /**
-   * Optional number of digits in TOTP codes. Defaults to 6.
-   * Some apps support 8 digits for increased security.
-   */
-  digits?: 6 | 8;
-  /**
-   * Optional validity period for TOTP codes in seconds. Defaults to 30.
-   * Standard is 30 seconds, some high-security apps use 60.
-   */
-  period?: number;
-  /**
-   * Optional time window tolerance for clock drift. Defaults to 1.
-   * Allows tokens from previous/next time window to be valid.
-   */
-  window?: number;
-  /**
-   * Optional number of backup codes to generate. Defaults to 10.
-   */
-  backupCodesCount?: number;
-  /**
-   * Optional function to check if a user is allowed to set up TOTP.
-   */
-  userCanSetupTOTP?: (userId: string, req: Request) => Promise<boolean>;
-  /**
-   * Optional custom label generator for TOTP entries.
-   * Defaults to using the userId as the label.
-   */
-  generateLabel?: (userId: string) => Promise<string>;
-}
-/**
- * Creates a TOTP (Time-based One-Time Password) authentication provider.
- *
- * TOTP tokens. Users can set up TOTP using any compatible authenticator app
- * and use backup codes when their primary device is unavailable.
- *
- * It handles:
- * - TOTP secret generation and QR code creation
- * - Token verification with timing attack protection
- * - Backup code generation and one-time usage validation
- * - Complete setup, verification, and recovery flows
- *
- * @param config Configuration options for the TOTP provider
- * @returns A Provider instance configured for TOTP authentication
- */
-declare const TOTPProvider: (config: TOTPProviderConfig) => Provider<{
-  email: string;
-  method: "totp" | "recovery";
-}>;
-//#endregion
-export { TOTPModel, TOTPProvider, TOTPProviderConfig };

package/dist/provider/totp.mjs

@@ -1,191 +0,0 @@
-import { generateSecureToken } from "../random.mjs";
-import { Storage } from "../storage/storage.mjs";
-import { Secret, TOTP } from "otpauth";
-
-//#region src/provider/totp.ts
-/**
-* Configures a provider that supports TOTP (Time-based One-Time Password) authentication.
-*
-* ```ts
-* import { TOTPProvider } from "@draftlab/auth/provider/totp"
-*
-* export default issuer({
-*   providers: {
-*     totp: TOTPProvider({
-*       issuer: "My Application",
-*       setup: async (req, qrCode, secret, backupCodes) => {
-*         return new Response(renderSetupPage(qrCode, secret, backupCodes))
-*       },
-*       verify: async (req, error) => {
-*         return new Response(renderVerifyPage(error))
-*       },
-*       recovery: async (req, error) => {
-*         return new Response(renderRecoveryPage(error))
-*       }
-*     })
-*   },
-*   // ...
-* })
-* ```
-*
-* TOTPProvider implements Time-based One-Time Password authentication.
-* It provides secure TOTP token generation and verification with backup recovery codes.
-*
-* The provider requires configuration of:
-* - Issuer name for authenticator apps
-* - UI handlers for setup, verification, and recovery flows
-* - Optional TOTP parameters (algorithm, digits, period)
-*
-* It automatically manages:
-* - Secure secret generation
-* - QR code URL generation for authenticator apps
-* - Token validation with timing attack protection
-* - Recovery codes generation and one-time usage
-* - Storage of TOTP configuration and backup codes
-*
-* @packageDocumentation
-*/
-const totpKey = (userId) => [
-	"totp",
-	"user",
-	userId
-];
-const DEFAULT_CONFIG = {
-	algorithm: "SHA1",
-	digits: 6,
-	period: 30,
-	window: 1,
-	backupCodesCount: 4,
-	qrSize: 200
-};
-/**
-* Creates a TOTP (Time-based One-Time Password) authentication provider.
-*
-* TOTP tokens. Users can set up TOTP using any compatible authenticator app
-* and use backup codes when their primary device is unavailable.
-*
-* It handles:
-* - TOTP secret generation and QR code creation
-* - Token verification with timing attack protection
-* - Backup code generation and one-time usage validation
-* - Complete setup, verification, and recovery flows
-*
-* @param config Configuration options for the TOTP provider
-* @returns A Provider instance configured for TOTP authentication
-*/
-const TOTPProvider = (config) => {
-	const { issuer, algorithm = DEFAULT_CONFIG.algorithm, digits = DEFAULT_CONFIG.digits, period = DEFAULT_CONFIG.period, window = DEFAULT_CONFIG.window, backupCodesCount = DEFAULT_CONFIG.backupCodesCount } = config;
-	return {
-		type: "totp",
-		init(routes, ctx) {
-			const getTOTPData = async (userId) => {
-				return await Storage.get(ctx.storage, totpKey(userId));
-			};
-			const saveTOTPData = async (userId, data) => {
-				await Storage.set(ctx.storage, totpKey(userId), data);
-			};
-			const generateBackupCodes = (count) => {
-				const codes = [];
-				for (let i = 0; i < count; i++) {
-					const code = generateSecureToken().slice(0, 8).toUpperCase();
-					codes.push(`${code.slice(0, 4)}-${code.slice(4)}`);
-				}
-				return codes;
-			};
-			const createTOTPInstance = (secret, label) => {
-				return new TOTP({
-					issuer,
-					label,
-					algorithm,
-					digits,
-					period,
-					secret
-				});
-			};
-			routes.get("/register", async (c) => {
-				return ctx.forward(c, await config.register(c.request, "", "", []));
-			});
-			routes.post("/register", async (c) => {
-				const formData = await c.formData();
-				const email = formData.get("email")?.toString();
-				const action = formData.get("action")?.toString();
-				if (!email) return ctx.forward(c, await config.register(c.request, "", "", [], "Email is required"));
-				if (action === "generate") {
-					const secret = new Secret({ size: 20 });
-					const label = config.generateLabel ? await config.generateLabel(email) : email;
-					const backupCodes = generateBackupCodes(backupCodesCount);
-					const qrCodeUrl$1 = createTOTPInstance(secret.base32, label).toString();
-					await saveTOTPData(email, {
-						secret: secret.base32,
-						enabled: false,
-						backupCodes,
-						createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-						label
-					});
-					return ctx.forward(c, await config.register(c.request, qrCodeUrl$1, secret.base32, backupCodes, void 0, email));
-				}
-				const token = formData.get("token")?.toString();
-				if (!token) return ctx.forward(c, await config.register(c.request, "", "", [], "Verification code is required"));
-				const totpData = await getTOTPData(email);
-				if (!totpData) return ctx.forward(c, await config.register(c.request, "", "", [], "TOTP setup session not found"));
-				const totp = createTOTPInstance(totpData.secret, totpData.label || email);
-				if (totp.validate({
-					token,
-					window
-				}) !== null) {
-					totpData.enabled = true;
-					await saveTOTPData(email, totpData);
-					return ctx.success(c, {
-						email,
-						method: "totp"
-					});
-				}
-				const qrCodeUrl = totp.toString();
-				return ctx.forward(c, await config.register(c.request, qrCodeUrl, totpData.secret, totpData.backupCodes, "Invalid verification code. Please try again."));
-			});
-			routes.get("/authorize", async (c) => {
-				return ctx.forward(c, await config.authorize(c.request));
-			});
-			routes.post("/authorize", async (c) => {
-				const formData = await c.formData();
-				const email = formData.get("email")?.toString();
-				const token = formData.get("token")?.toString();
-				if (!email || !token) return ctx.forward(c, await config.authorize(c.request, "Email and verification code are required"));
-				const totpData = await getTOTPData(email);
-				if (!totpData || !totpData.enabled) return ctx.forward(c, await config.authorize(c.request, "TOTP is not set up for this email"));
-				if (createTOTPInstance(totpData.secret, totpData.label || email).validate({
-					token,
-					window
-				}) !== null) return ctx.success(c, {
-					email,
-					method: "totp"
-				});
-				return ctx.forward(c, await config.authorize(c.request, "Invalid verification code"));
-			});
-			routes.get("/recovery", async (c) => {
-				return ctx.forward(c, await config.recovery(c.request));
-			});
-			routes.post("/recovery", async (c) => {
-				const formData = await c.formData();
-				const email = formData.get("email")?.toString();
-				const code = formData.get("code")?.toString()?.toUpperCase();
-				if (!email || !code) return ctx.forward(c, await config.recovery(c.request, "Email and recovery code are required"));
-				const totpData = await getTOTPData(email);
-				if (!totpData || !totpData.enabled) return ctx.forward(c, await config.recovery(c.request, "TOTP is not set up for this email"));
-				const codeIndex = totpData.backupCodes.indexOf(code);
-				if (codeIndex !== -1) {
-					totpData.backupCodes.splice(codeIndex, 1);
-					await saveTOTPData(email, totpData);
-					return ctx.success(c, {
-						email,
-						method: "recovery"
-					});
-				}
-				return ctx.forward(c, await config.recovery(c.request, "Invalid or already used recovery code"));
-			});
-		}
-	};
-};
-
-//#endregion
-export { TOTPProvider };

package/dist/provider/twitch.d.mts

@@ -1,108 +0,0 @@
-import { Provider } from "./provider.mjs";
-import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
-
-//#region src/provider/twitch.d.ts
-
-/**
- * Configuration options for Twitch OAuth 2.0 provider.
- * Extends the base OAuth 2.0 configuration with Twitch-specific documentation.
- */
-interface TwitchConfig extends Oauth2WrappedConfig {
-  /**
-   * Twitch application client ID.
-   * Get this from your Twitch Console at https://dev.twitch.tv/console
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "abcdef123456"
-   * }
-   * ```
-   */
-  readonly clientID: string;
-  /**
-   * Twitch application client secret.
-   * Keep this secure and never expose it to client-side code.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientSecret: process.env.TWITCH_CLIENT_SECRET
-   * }
-   * ```
-   */
-  readonly clientSecret: string;
-  /**
-   * Twitch OAuth scopes to request access for.
-   * Determines what data and actions your app can access.
-   *
-   * @example
-   * ```ts
-   * {
-   *   scopes: [
-   *     "user:read:email",           // Access user email
-   *     "user:read:subscriptions"    // View subscriptions
-   *   ]
-   * }
-   * ```
-   */
-  readonly scopes: string[];
-}
-/**
- * Creates a Twitch OAuth 2.0 authentication provider.
- * Allows users to authenticate using their Twitch accounts.
- *
- * @param config - Twitch OAuth 2.0 configuration
- * @returns OAuth 2.0 provider configured for Twitch
- *
- * @example
- * ```ts
- * // Basic Twitch authentication
- * const basicTwitch = TwitchProvider({
- *   clientID: process.env.TWITCH_CLIENT_ID,
- *   clientSecret: process.env.TWITCH_CLIENT_SECRET
- * })
- *
- * // Twitch with email scope
- * const twitchWithEmail = TwitchProvider({
- *   clientID: process.env.TWITCH_CLIENT_ID,
- *   clientSecret: process.env.TWITCH_CLIENT_SECRET,
- *   scopes: ["user:read:email"]
- * })
- *
- * // Using the access token to fetch user data
- * export default issuer({
- *   providers: { twitch: twitchWithEmail },
- *   success: async (ctx, value) => {
- *     if (value.provider === "twitch") {
- *       const token = value.tokenset.access
- *
- *       const userRes = await fetch('https://api.twitch.tv/helix/users', {
- *         headers: {
- *           'Authorization': `Bearer ${token}`,
- *           'Client-ID': process.env.TWITCH_CLIENT_ID
- *         }
- *       })
- *       const { data } = await userRes.json()
- *       const user = data[0]
- *
- *       return ctx.subject("user", {
- *         twitchId: user.id,
- *         login: user.login,
- *         email: user.email,
- *         displayName: user.display_name
- *       })
- *     }
- *   }
- * })
- * ```
- *
- * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
- * - Development: `http://localhost:3000/auth/twitch/callback`
- * - Production: `https://yourapp.com/auth/twitch/callback`
- *
- * Register this URL in your Twitch Developer Console.
- */
-declare const TwitchProvider: (config: TwitchConfig) => Provider<Oauth2UserData>;
-//#endregion
-export { TwitchConfig, TwitchProvider };

package/dist/provider/twitch.mjs

@@ -1,131 +0,0 @@
-import { Oauth2Provider } from "./oauth2.mjs";
-
-//#region src/provider/twitch.ts
-/**
-* Twitch authentication provider for Draft Auth.
-* Implements OAuth 2.0 flow for authenticating users with their Twitch accounts.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { TwitchProvider } from "@draftlab/auth/provider/twitch"
-*
-* export default issuer({
-*   basePath: "/auth", // Important for callback URL
-*   providers: {
-*     twitch: TwitchProvider({
-*       clientID: process.env.TWITCH_CLIENT_ID,
-*       clientSecret: process.env.TWITCH_CLIENT_SECRET,
-*       scopes: ["user:read:email"]
-*     })
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/twitch/callback`
-* - Production: `https://yourapp.com/auth/twitch/callback`
-*
-* Register this URL in your Twitch Developer Console.
-*
-* ## Common Scopes
-*
-* - `user:read:email` - Access user's email address
-* - `user:read:subscriptions` - View user subscriptions
-* - `user:read:follows` - View user's follows
-* - `channel:read:subscriptions` - View channel subscribers
-* - `analytics:read:games` - View game analytics
-* - `bits:read` - View bits information
-*
-* ## User Data Access
-*
-* ```ts
-* success: async (ctx, value) => {
-*   if (value.provider === "twitch") {
-*     const accessToken = value.tokenset.access
-*
-*     // Fetch user information
-*     const userResponse = await fetch('https://api.twitch.tv/helix/users', {
-*       headers: {
-*         'Authorization': `Bearer ${accessToken}`,
-*         'Client-ID': process.env.TWITCH_CLIENT_ID
-*       }
-*     })
-*     const { data } = await userResponse.json()
-*     const user = data[0]
-*
-*     // User info available: id, login, display_name, email, profile_image_url
-*   }
-* }
-* ```
-*
-* @packageDocumentation
-*/
-/**
-* Creates a Twitch OAuth 2.0 authentication provider.
-* Allows users to authenticate using their Twitch accounts.
-*
-* @param config - Twitch OAuth 2.0 configuration
-* @returns OAuth 2.0 provider configured for Twitch
-*
-* @example
-* ```ts
-* // Basic Twitch authentication
-* const basicTwitch = TwitchProvider({
-*   clientID: process.env.TWITCH_CLIENT_ID,
-*   clientSecret: process.env.TWITCH_CLIENT_SECRET
-* })
-*
-* // Twitch with email scope
-* const twitchWithEmail = TwitchProvider({
-*   clientID: process.env.TWITCH_CLIENT_ID,
-*   clientSecret: process.env.TWITCH_CLIENT_SECRET,
-*   scopes: ["user:read:email"]
-* })
-*
-* // Using the access token to fetch user data
-* export default issuer({
-*   providers: { twitch: twitchWithEmail },
-*   success: async (ctx, value) => {
-*     if (value.provider === "twitch") {
-*       const token = value.tokenset.access
-*
-*       const userRes = await fetch('https://api.twitch.tv/helix/users', {
-*         headers: {
-*           'Authorization': `Bearer ${token}`,
-*           'Client-ID': process.env.TWITCH_CLIENT_ID
-*         }
-*       })
-*       const { data } = await userRes.json()
-*       const user = data[0]
-*
-*       return ctx.subject("user", {
-*         twitchId: user.id,
-*         login: user.login,
-*         email: user.email,
-*         displayName: user.display_name
-*       })
-*     }
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/twitch/callback`
-* - Production: `https://yourapp.com/auth/twitch/callback`
-*
-* Register this URL in your Twitch Developer Console.
-*/
-const TwitchProvider = (config) => {
-	return Oauth2Provider({
-		...config,
-		type: "twitch",
-		endpoint: {
-			authorization: "https://id.twitch.tv/oauth2/authorize",
-			token: "https://id.twitch.tv/oauth2/token"
-		}
-	});
-};
-
-//#endregion
-export { TwitchProvider };