@draftlab/auth 0.15.0 → 0.16.0

package/dist/provider/vercel.d.mts

@@ -1,177 +0,0 @@
-import { Provider } from "./provider.mjs";
-import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
-
-//#region src/provider/vercel.d.ts
-
-/**
- * Configuration options for Vercel OAuth 2.0 + OpenID Connect provider.
- * Extends the base OAuth 2.0 configuration with Vercel-specific documentation.
- */
-interface VercelConfig extends Oauth2WrappedConfig {
-  /**
-   * Vercel OAuth App client ID.
-   * Found in your Vercel App settings under the Authentication tab.
-   *
-   * To create an app:
-   * 1. Go to Team Settings → Apps → Create
-   * 2. Configure app details and callback URLs
-   * 3. Copy the Client ID from the Authentication tab
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "oac_abc123xyz789" // Vercel OAuth App Client ID
-   * }
-   * ```
-   */
-  readonly clientID: string;
-  /**
-   * Vercel OAuth App client secret.
-   * Generated in your Vercel App settings under the Authentication tab.
-   * Keep this secure and never expose it to client-side code.
-   *
-   * To generate:
-   * 1. Go to your app's Authentication tab
-   * 2. Click "Generate Client Secret"
-   * 3. Copy and store securely (shown only once)
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientSecret: process.env.VERCEL_CLIENT_SECRET
-   * }
-   * ```
-   */
-  readonly clientSecret: string;
-  /**
-   * OpenID Connect scopes to request.
-   * Controls what user information is included in the ID Token.
-   *
-   * Available scopes (must be enabled in Vercel App dashboard first):
-   * - `openid`: Required for ID Token issuance
-   * - `email`: User's email address
-   * - `profile`: Name, username, and avatar
-   * - `offline_access`: Refresh token for long-lived access (optional)
-   *
-   * **Important**: Enable scopes in: Vercel App → Permissions page
-   *
-   * @example
-   * ```ts
-   * {
-   *   // Basic scopes (usually sufficient)
-   *   scopes: ["openid", "email", "profile"]
-   *
-   *   // With refresh token support (enable offline_access in dashboard first)
-   *   scopes: ["openid", "email", "profile", "offline_access"]
-   * }
-   * ```
-   */
-  readonly scopes: string[];
-  /**
-   * Additional query parameters for Vercel OAuth authorization.
-   * Useful for customizing the authorization flow.
-   *
-   * @example
-   * ```ts
-   * {
-   *   query: {
-   *     prompt: "consent"  // Force consent screen every time
-   *   }
-   * }
-   * ```
-   */
-  readonly query?: Record<string, string>;
-}
-/**
- * Creates a Vercel OAuth 2.0 + OpenID Connect authentication provider.
- * Implements "Sign in with Vercel" for user authentication.
- *
- * This provider uses the standard OAuth 2.0 Authorization Code Grant flow
- * with PKCE (Proof Key for Code Exchange) for enhanced security.
- *
- * @param config - Vercel OAuth 2.0 configuration
- * @returns OAuth 2.0 provider configured for Vercel
- *
- * @example
- * ```ts
- * // Basic Vercel authentication (email + profile)
- * const basicVercel = VercelProvider({
- *   clientID: process.env.VERCEL_CLIENT_ID,
- *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
- *   scopes: ["openid", "email", "profile"]
- * })
- *
- * // Vercel with refresh token support
- * const vercelWithRefresh = VercelProvider({
- *   clientID: process.env.VERCEL_CLIENT_ID,
- *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
- *   scopes: ["openid", "email", "profile", "offline_access"]
- * })
- *
- * // Minimal setup (only user ID in ID Token)
- * const minimalVercel = VercelProvider({
- *   clientID: process.env.VERCEL_CLIENT_ID,
- *   clientSecret: process.env.VERCEL_CLIENT_SECRET,
- *   scopes: ["openid"] // Only sub claim in ID Token
- * })
- *
- * // Using the tokens in your app
- * export default issuer({
- *   providers: { vercel: vercelWithRefresh },
- *   success: async (ctx, value) => {
- *     if (value.provider === "vercel") {
- *       const idToken = value.tokenset.raw.id_token as string | undefined
- *       const accessToken = value.tokenset.access
- *       const refreshToken = value.tokenset.refresh
- *
- *       if (idToken) {
- *         // Decode ID Token to access user claims
- *         // (Already validated by oauth2.ts - signature, issuer, audience, exp)
- *         const claims = JSON.parse(
- *           Buffer.from(idToken.split('.')[1], 'base64').toString()
- *         )
- *
- *         // Claims available (depending on scopes):
- *         // - sub: Vercel user ID (always present)
- *         // - email: user@example.com (if email scope)
- *         // - name: "John Doe" (if profile scope)
- *         // - picture: "https://..." (if profile scope)
- *         // - preferred_username: "johndoe" (if profile scope)
- *
- *         // Optionally call Vercel API for more data
- *         const userRes = await fetch('https://api.vercel.com/v2/user', {
- *           headers: { Authorization: `Bearer ${accessToken}` }
- *         })
- *         const user = await userRes.json()
- *
- *         // Get user's teams
- *         const teamsRes = await fetch('https://api.vercel.com/v2/teams', {
- *           headers: { Authorization: `Bearer ${accessToken}` }
- *         })
- *         const teams = await teamsRes.json()
- *
- *         return ctx.subject("user", {
- *           vercelId: claims.sub,
- *           email: claims.email,
- *           name: claims.name,
- *           username: claims.preferred_username,
- *           avatar: claims.picture,
- *           teamCount: teams.teams?.length || 0
- *         })
- *       }
- *     }
- *   }
- * })
- * ```
- *
- * @remarks
- * - Requires creating a Vercel App in Team Settings → Apps
- * - PKCE is enabled by default for enhanced security
- * - ID Token is automatically validated (signature, issuer, audience, expiration)
- * - Access tokens expire after 1 hour
- * - Refresh tokens rotate on each use and last 30 days
- * - The `openid` scope is required for ID Token issuance
- */
-declare const VercelProvider: (config: VercelConfig) => Provider<Oauth2UserData>;
-//#endregion
-export { VercelConfig, VercelProvider };

package/dist/provider/vercel.mjs

@@ -1,230 +0,0 @@
-import { Oauth2Provider } from "./oauth2.mjs";
-
-//#region src/provider/vercel.ts
-/**
-* Vercel OAuth 2.0 + OpenID Connect authentication provider for Draft Auth.
-* Implements "Sign in with Vercel" for user authentication.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { VercelProvider } from "@draftlab/auth/provider/vercel"
-*
-* export default issuer({
-*   basePath: "/auth", // Important for callback URL
-*   providers: {
-*     vercel: VercelProvider({
-*       clientID: process.env.VERCEL_CLIENT_ID,
-*       clientSecret: process.env.VERCEL_CLIENT_SECRET,
-*       scopes: ["openid", "email", "profile"]
-*     })
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Example: `http://localhost:3000/auth/vercel/callback`
-* - Production: `https://yourapp.com/auth/vercel/callback`
-*
-* ## Creating a Vercel App
-*
-* Before using this provider, create a Vercel App in your dashboard:
-*
-* 1. Go to **Team Settings** → **Apps** → **Create**
-* 2. Fill in app name, description, and logo
-* 3. Add **Authorization Callback URLs**:
-*    - Development: `http://localhost:3000/auth/vercel/callback`
-*    - Production: `https://yourapp.com/auth/vercel/callback`
-*    - Pattern: `{baseURL}{basePath}/{provider}/callback`
-* 4. Configure **Scopes** in the app's Permissions page:
-*    - ✅ openid (Required)
-*    - ✅ email
-*    - ✅ profile
-*    - ✅ offline_access (optional, for refresh tokens)
-* 5. Generate a **Client Secret** in the Authentication tab
-* 6. Copy the **Client ID** and **Client Secret**
-*
-* **Important**: You must enable the scopes in the Vercel App dashboard before requesting them!
-*
-* ## Available Scopes
-*
-* - `openid` - **Required**. Enables ID Token issuance for user identification
-* - `email` - Access user's email address in ID Token
-* - `profile` - Access user's name, username, and avatar in ID Token
-* - `offline_access` - Issue a Refresh Token for long-lived access (30 days)
-*
-* ## Tokens Returned
-*
-* - **ID Token**: Signed JWT with user identity claims (verified automatically)
-* - **Access Token**: Bearer token for Vercel API calls (1 hour duration)
-* - **Refresh Token**: Rotates on each use (30 days, requires offline_access scope)
-*
-* ## User Data Access
-*
-* ```ts
-* success: async (ctx, value) => {
-*   if (value.provider === "vercel") {
-*     // ID Token is automatically validated (signature, issuer, audience, expiration)
-*     const idToken = value.tokenset.raw.id_token as string | undefined
-*     const accessToken = value.tokenset.access
-*     const refreshToken = value.tokenset.refresh
-*
-*     // Decode ID Token to access user claims
-*     if (idToken) {
-*       const claims = JSON.parse(
-*         Buffer.from(idToken.split('.')[1], 'base64').toString()
-*       )
-*
-*       // Claims available (depending on scopes):
-*       // - sub: Unique Vercel user ID (always present)
-*       // - email: User's email (if email scope granted)
-*       // - name: User's full name (if profile scope granted)
-*       // - picture: Avatar URL (if profile scope granted)
-*       // - preferred_username: Vercel username (if profile scope granted)
-*
-*       return ctx.subject("user", {
-*         email: claims.email || claims.sub
-*       })
-*     }
-*   }
-* }
-* ```
-*
-* ## Calling Vercel API
-*
-* Use the access token to call Vercel's REST API:
-*
-* ```ts
-* // Get user information
-* const userRes = await fetch('https://api.vercel.com/v2/user', {
-*   headers: { Authorization: `Bearer ${accessToken}` }
-* })
-*
-* // Get user's teams
-* const teamsRes = await fetch('https://api.vercel.com/v2/teams', {
-*   headers: { Authorization: `Bearer ${accessToken}` }
-* })
-*
-* // Get projects (requires appropriate permissions)
-* const projectsRes = await fetch('https://api.vercel.com/v9/projects', {
-*   headers: { Authorization: `Bearer ${accessToken}` }
-* })
-* ```
-*
-* ## Consent Page
-*
-* The first time a user signs in, Vercel shows a consent page with:
-* - Your app's name and logo
-* - Requested scopes and permissions
-* - Allow/Cancel buttons
-*
-* If the user grants access, they're redirected back with an authorization code.
-* If they cancel, they're redirected with an error parameter.
-*
-* @packageDocumentation
-*/
-/**
-* Creates a Vercel OAuth 2.0 + OpenID Connect authentication provider.
-* Implements "Sign in with Vercel" for user authentication.
-*
-* This provider uses the standard OAuth 2.0 Authorization Code Grant flow
-* with PKCE (Proof Key for Code Exchange) for enhanced security.
-*
-* @param config - Vercel OAuth 2.0 configuration
-* @returns OAuth 2.0 provider configured for Vercel
-*
-* @example
-* ```ts
-* // Basic Vercel authentication (email + profile)
-* const basicVercel = VercelProvider({
-*   clientID: process.env.VERCEL_CLIENT_ID,
-*   clientSecret: process.env.VERCEL_CLIENT_SECRET,
-*   scopes: ["openid", "email", "profile"]
-* })
-*
-* // Vercel with refresh token support
-* const vercelWithRefresh = VercelProvider({
-*   clientID: process.env.VERCEL_CLIENT_ID,
-*   clientSecret: process.env.VERCEL_CLIENT_SECRET,
-*   scopes: ["openid", "email", "profile", "offline_access"]
-* })
-*
-* // Minimal setup (only user ID in ID Token)
-* const minimalVercel = VercelProvider({
-*   clientID: process.env.VERCEL_CLIENT_ID,
-*   clientSecret: process.env.VERCEL_CLIENT_SECRET,
-*   scopes: ["openid"] // Only sub claim in ID Token
-* })
-*
-* // Using the tokens in your app
-* export default issuer({
-*   providers: { vercel: vercelWithRefresh },
-*   success: async (ctx, value) => {
-*     if (value.provider === "vercel") {
-*       const idToken = value.tokenset.raw.id_token as string | undefined
-*       const accessToken = value.tokenset.access
-*       const refreshToken = value.tokenset.refresh
-*
-*       if (idToken) {
-*         // Decode ID Token to access user claims
-*         // (Already validated by oauth2.ts - signature, issuer, audience, exp)
-*         const claims = JSON.parse(
-*           Buffer.from(idToken.split('.')[1], 'base64').toString()
-*         )
-*
-*         // Claims available (depending on scopes):
-*         // - sub: Vercel user ID (always present)
-*         // - email: user@example.com (if email scope)
-*         // - name: "John Doe" (if profile scope)
-*         // - picture: "https://..." (if profile scope)
-*         // - preferred_username: "johndoe" (if profile scope)
-*
-*         // Optionally call Vercel API for more data
-*         const userRes = await fetch('https://api.vercel.com/v2/user', {
-*           headers: { Authorization: `Bearer ${accessToken}` }
-*         })
-*         const user = await userRes.json()
-*
-*         // Get user's teams
-*         const teamsRes = await fetch('https://api.vercel.com/v2/teams', {
-*           headers: { Authorization: `Bearer ${accessToken}` }
-*         })
-*         const teams = await teamsRes.json()
-*
-*         return ctx.subject("user", {
-*           vercelId: claims.sub,
-*           email: claims.email,
-*           name: claims.name,
-*           username: claims.preferred_username,
-*           avatar: claims.picture,
-*           teamCount: teams.teams?.length || 0
-*         })
-*       }
-*     }
-*   }
-* })
-* ```
-*
-* @remarks
-* - Requires creating a Vercel App in Team Settings → Apps
-* - PKCE is enabled by default for enhanced security
-* - ID Token is automatically validated (signature, issuer, audience, expiration)
-* - Access tokens expire after 1 hour
-* - Refresh tokens rotate on each use and last 30 days
-* - The `openid` scope is required for ID Token issuance
-*/
-const VercelProvider = (config) => {
-	return Oauth2Provider({
-		...config,
-		type: "vercel",
-		endpoint: {
-			authorization: "https://vercel.com/oauth/authorize",
-			token: "https://api.vercel.com/login/oauth/token",
-			jwks: "https://vercel.com/.well-known/jwks.json"
-		},
-		pkce: true
-	});
-};
-
-//#endregion
-export { VercelProvider };

package/dist/random.mjs

@@ -1,86 +0,0 @@
-import { timingSafeEqual } from "node:crypto";
-
-//#region src/random.ts
-/**
-* Cryptographic utilities for secure random generation and comparison operations.
-* These functions are designed to prevent timing attacks and provide unbiased randomness.
-*/
-/**
-* Generates a cryptographically secure token with enhanced entropy.
-* Uses Web Crypto API and provides 256 bits of entropy
-*
-* @param length - Length of random data in bytes (default: 32 for 256-bit security)
-* @returns Base64url-encoded secure token
-*
-* @example
-* ```ts
-* const authCode = generateSecureToken()
-* // Returns: "7B8kJ9mN3pQ2rS5tU8vW0xY1zA3bC6dE9fG2hI5jK8lM" (example)
-*
-* const refreshToken = generateSecureToken(24) // 192-bit token
-* // Returns: "4A7bC9dF2gH5iJ8kL1mN4pQ7rS0tU" (example)
-* ```
-*/
-const generateSecureToken = (length = 32) => {
-	if (length <= 0 || !Number.isInteger(length)) throw new RangeError("Token length must be a positive integer");
-	const randomBytes$1 = new Uint8Array(length);
-	crypto.getRandomValues(randomBytes$1);
-	return btoa(String.fromCharCode.apply(null, Array.from(randomBytes$1))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-};
-/**
-* Generates a cryptographically secure string of random digits without modulo bias.
-* Uses rejection sampling to ensure each digit (0-9) has an equal probability of being selected.
-*
-* @param length - Number of digits to generate (must be positive)
-* @returns String containing exactly the specified number of random digits
-*
-* @example
-* ```ts
-* const pinCode = generateUnbiasedDigits(6)
-* // Returns: "492847" (example - actual result is random)
-*
-* const shortCode = generateUnbiasedDigits(4)
-* // Returns: "7291" (example - actual result is random)
-* ```
-*
-* @throws {RangeError} If length is not a positive number
-*/
-const generateUnbiasedDigits = (length) => {
-	if (length <= 0 || !Number.isInteger(length)) throw new RangeError("Length must be a positive integer");
-	const result = [];
-	while (result.length < length) {
-		const buffer = crypto.getRandomValues(new Uint8Array(length * 2));
-		for (const byte of buffer) if (byte < 250 && result.length < length) result.push(byte % 10);
-	}
-	return result.join("");
-};
-/**
-* Performs a timing-safe comparison of two strings to prevent timing attacks.
-* Always takes the same amount of time regardless of where the strings differ,
-* making it safe for comparing sensitive values like tokens or passwords.
-*
-* @param a - First string to compare
-* @param b - Second string to compare
-* @returns True if strings are identical, false otherwise
-*
-* @example
-* ```ts
-* // Safe for comparing sensitive values
-* const isValidToken = timingSafeCompare(userToken, expectedToken)
-*
-* // Safe for password verification
-* const isValidPassword = timingSafeCompare(hashedInput, storedHash)
-*
-* // Returns false for different types or lengths
-* timingSafeCompare("abc", 123 as any) // false
-* timingSafeCompare("abc", "abcd") // false
-* ```
-*/
-const timingSafeCompare = (a, b) => {
-	if (typeof a !== "string" || typeof b !== "string") return false;
-	if (a.length !== b.length) return false;
-	return timingSafeEqual(Buffer.from(a), Buffer.from(b));
-};
-
-//#endregion
-export { generateSecureToken, generateUnbiasedDigits, timingSafeCompare };

package/dist/revocation.d.mts

@@ -1,55 +0,0 @@
-import { StorageAdapter } from "./storage/storage.mjs";
-
-//#region src/revocation.d.ts
-
-/**
- * Data stored for a revoked token.
- * Tracks when the token was revoked and when it naturally expires.
- */
-interface RevocationRecord {
-  /** Timestamp when the token was revoked (milliseconds) */
-  revokedAt: number;
-  /** Timestamp when the token naturally expires (milliseconds) */
-  expiresAt: number;
-}
-/**
- * Token revocation manager.
- * Provides methods to revoke tokens and check if a token has been revoked.
- */
-declare const Revocation: {
-  /**
-   * Revokes a token, preventing it from being used even if not yet expired.
-   *
-   * @param storage - Storage adapter to use
-   * @param token - The token to revoke (access or refresh token)
-   * @param expiresAt - When the token naturally expires (milliseconds since epoch)
-   * @returns Promise that resolves when revocation is stored
-   *
-   * @example
-   * ```ts
-   * // Revoke a refresh token on logout
-   * await Revocation.revoke(storage, refreshToken, expiresAt)
-   * ```
-   */
-  readonly revoke: (storage: StorageAdapter, token: string, expiresAt: number) => Promise<void>;
-  /**
-   * Checks if a token has been revoked.
-   * Returns false if token is not in revocation list (never revoked or already expired).
-   *
-   * @param storage - Storage adapter to use
-   * @param token - The token to check
-   * @returns Promise resolving to true if token is revoked, false otherwise
-   *
-   * @example
-   * ```ts
-   * // Check if token was revoked before using it
-   * const isRevoked = await Revocation.isRevoked(storage, accessToken)
-   * if (isRevoked) {
-   *   throw new InvalidAccessTokenError()
-   * }
-   * ```
-   */
-  readonly isRevoked: (storage: StorageAdapter, token: string) => Promise<boolean>;
-};
-//#endregion
-export { Revocation, RevocationRecord };

package/dist/revocation.mjs

@@ -1,63 +0,0 @@
-import { Storage } from "./storage/storage.mjs";
-import { createHash } from "node:crypto";
-
-//#region src/revocation.ts
-/**
-* Token revocation management for Draft Auth.
-* Handles blacklisting of revoked tokens to prevent their use.
-*
-* ## Overview
-*
-* Revocation allows users to invalidate specific tokens before their natural expiration.
-* This is essential for logout functionality and security in case of token compromise.
-*
-* ## Storage Structure
-*
-* Revoked tokens are stored with their expiration time to allow automatic cleanup:
-* ```
-* revocation:token:{tokenHash} → { revokedAt: timestamp, expiresAt: timestamp }
-* ```
-*
-* ## Security Considerations
-*
-* - Revoked tokens are checked on every use
-* - Storage automatically cleans up expired revocations
-* - Hash tokens for storage to reduce memory usage
-* - Use constant-time comparison for hash verification
-*
-* @packageDocumentation
-*/
-/**
-* Hashes a token for storage.
-* Uses SHA-256 to reduce storage size and prevent exposure of full token value.
-*
-* @param token - The token to hash
-* @returns SHA-256 hash of the token
-*
-* @internal
-*/
-const hashToken = (token) => {
-	return createHash("sha256").update(token).digest("hex");
-};
-/**
-* Token revocation manager.
-* Provides methods to revoke tokens and check if a token has been revoked.
-*/
-const Revocation = {
-	revoke: async (storage, token, expiresAt) => {
-		const key = ["revocation:token", hashToken(token)];
-		const record = {
-			revokedAt: Date.now(),
-			expiresAt
-		};
-		const ttlSeconds = Math.ceil((expiresAt - Date.now()) / 1e3);
-		await Storage.set(storage, key, record, Math.max(1, ttlSeconds));
-	},
-	isRevoked: async (storage, token) => {
-		const key = ["revocation:token", hashToken(token)];
-		return !!await Storage.get(storage, key);
-	}
-};
-
-//#endregion
-export { Revocation };

package/dist/router/context.d.mts

@@ -1,21 +0,0 @@
-import { RouterContext, VariableMap } from "./types.mjs";
-
-//#region src/router/context.d.ts
-declare class ContextBuilder<TVariables extends VariableMap = VariableMap> {
-  private readonly request;
-  private readonly matchedParams;
-  private readonly searchParams;
-  private readonly cookies;
-  private readonly variableManager;
-  private readonly responseHeaders;
-  private status;
-  private finalized;
-  private cachedFormData;
-  private formDataPromise;
-  private bodyText;
-  constructor(request: Request, matchedParams: Record<string, string>, initialVariables?: Partial<TVariables>);
-  build<TParams extends Record<string, string>>(): RouterContext<TParams, TVariables>;
-  newResponse(body?: BodyInit, init?: ResponseInit): Response;
-}
-//#endregion
-export { ContextBuilder };