@draftlab/auth 0.4.1 → 0.5.0

package/dist/adapters/{node.js → node.mjs}

@@ -5,8 +5,7 @@ import { Readable } from "node:stream";
 * Converts Node.js IncomingMessage to Web Standards Request
 */
 const nodeRequestAdapter = (req) => {
-	const host = req.headers.host || "localhost";
-	const sanitizedHost = host.split(",")[0]?.trim();
+	const sanitizedHost = (req.headers.host || "localhost").split(",")[0]?.trim();
 	const url = new URL(req.url || "/", `http://${sanitizedHost}`);
 	const headers = new Headers();
 	for (const [key, value] of Object.entries(req.headers)) if (value !== void 0) if (Array.isArray(value)) for (const v of value) headers.append(key, v);
@@ -49,8 +48,7 @@ const nodeResponseAdapter = async (response, res) => {
 const createNodeHandler = (fetchHandler) => {
 	return (req, res) => {
 		try {
-			const request = nodeRequestAdapter(req);
-			fetchHandler(request).then((response) => nodeResponseAdapter(response, res)).catch((error) => {
+			fetchHandler(nodeRequestAdapter(req)).then((response) => nodeResponseAdapter(response, res)).catch((error) => {
 				console.error("Handler error:", error instanceof Error ? error.message : "Unknown error");
 				if (!res.headersSent) {
 					res.statusCode = 500;

package/dist/{allow.js → allow.mjs}

@@ -1,4 +1,4 @@
-import { isDomainMatch } from "./util.js";
+import { isDomainMatch } from "./util.mjs";
 
 //#region src/allow.ts
 /**

package/dist/{client.d.ts → client.d.mts}

@@ -1,5 +1,5 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
-import { SubjectSchema } from "./subject.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.mjs";
+import { SubjectSchema } from "./subject.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/client.d.ts

package/dist/{client.js → client.mjs}

@@ -1,9 +1,58 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
-import { generatePKCE } from "./pkce.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.mjs";
+import { generatePKCE } from "./pkce.mjs";
 import { createLocalJWKSet, errors, jwtVerify } from "jose";
 
 //#region src/client.ts
 /**
+* Draft Auth client for OAuth 2.0 authentication.
+*
+* ## Quick Start
+*
+* First, create a client.
+*
+* ```ts title="client.ts"
+* import { createClient } from "@draftlab/auth/client"
+*
+* const client = createClient({
+*   clientID: "my-client",
+*   issuer: "https://auth.myserver.com"
+* })
+* ```
+*
+* Start the OAuth flow by calling `authorize`.
+*
+* ```ts
+* const result = await client.authorize(
+*   "https://myapp.com/callback",
+*   "code"
+* )
+* if (result.success) {
+*   window.location.href = result.data.url
+* }
+* ```
+*
+* When the user completes the flow, exchange the code for tokens.
+*
+* ```ts
+* const result = await client.exchange(code, redirectUri)
+* if (result.success) {
+*   const { access, refresh } = result.data
+*   // Store tokens securely
+* }
+* ```
+*
+* Verify tokens to get user information.
+*
+* ```ts
+* const result = await client.verify(subjects, accessToken)
+* if (result.success) {
+*   // Access user properties: result.data.subject.properties
+* }
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Create a Draft Auth client.
 *
 * @param input - Client configuration
@@ -34,8 +83,7 @@ const createClient = (input) => {
 		const wk = await getIssuer();
 		const cached = jwksCache.get(issuer);
 		if (cached) return cached;
-		const keyset = await f(wk.jwks_uri).then((r) => r.json());
-		const result = createLocalJWKSet(keyset);
+		const result = createLocalJWKSet(await f(wk.jwks_uri).then((r) => r.json()));
 		jwksCache.set(issuer, result);
 		return result;
 	};
@@ -72,8 +120,7 @@ const createClient = (input) => {
 		},
 		async exchange(code, redirectURI, verifier) {
 			try {
-				const wk = await getIssuer();
-				const response = await f(wk.token_endpoint, {
+				const response = await f((await getIssuer()).token_endpoint, {
 					method: "POST",
 					headers: { "Content-Type": "application/x-www-form-urlencoded" },
 					body: new URLSearchParams({
@@ -124,8 +171,7 @@ const createClient = (input) => {
 						data: {}
 					};
 				} catch {}
-				const wk = await getIssuer();
-				const response = await f(wk.token_endpoint, {
+				const response = await f((await getIssuer()).token_endpoint, {
 					method: "POST",
 					headers: { "Content-Type": "application/x-www-form-urlencoded" },
 					body: new URLSearchParams({
@@ -155,8 +201,7 @@ const createClient = (input) => {
 		},
 		async verify(subjects, token, options) {
 			try {
-				const jwks = await getJWKS();
-				const jwtResult = await jwtVerify(token, jwks, { issuer });
+				const jwtResult = await jwtVerify(token, await getJWKS(), { issuer });
 				const validated = await subjects[jwtResult.payload.type]?.["~standard"].validate(jwtResult.payload.properties);
 				if (!validated?.issues && jwtResult.payload.mode === "access") return {
 					success: true,

package/dist/{core.d.ts → core.d.mts}

@@ -1,11 +1,11 @@
-import { AllowCheckInput } from "./allow.js";
-import { UnknownStateError } from "./error.js";
-import { Prettify } from "./util.js";
-import { SubjectPayload, SubjectSchema } from "./subject.js";
-import { StorageAdapter } from "./storage/storage.js";
-import { Plugin } from "./plugin/types.js";
-import { Provider } from "./provider/provider.js";
-import { Theme } from "./themes/theme.js";
+import { AllowCheckInput } from "./allow.mjs";
+import { UnknownStateError } from "./error.mjs";
+import { Prettify } from "./util.mjs";
+import { SubjectPayload, SubjectSchema } from "./subject.mjs";
+import { StorageAdapter } from "./storage/storage.mjs";
+import { Plugin } from "./plugin/types.mjs";
+import { Provider } from "./provider/provider.mjs";
+import { Theme } from "./themes/theme.mjs";
 import { Router } from "@draftlab/auth-router";
 
 //#region src/core.d.ts
@@ -13,11 +13,11 @@ import { Router } from "@draftlab/auth-router";
 /**
  * Sets the subject payload in the JWT token and returns the response.
  */
-interface OnSuccessResponder<T extends {
+interface OnSuccessResponder<T$1 extends {
   type: string;
   properties: unknown;
 }> {
-  subject<Type extends T["type"]>(type: Type, properties: Extract<T, {
+  subject<Type extends T$1["type"]>(type: Type, properties: Extract<T$1, {
     type: Type;
   }>["properties"], opts?: {
     ttl?: {

package/dist/{core.js → core.mjs}

@@ -1,13 +1,13 @@
-import { getRelativeUrl, lazy } from "./util.js";
-import { defaultAllowCheck } from "./allow.js";
-import { MissingParameterError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error.js";
-import { validatePKCE } from "./pkce.js";
-import { generateSecureToken } from "./random.js";
-import { Storage } from "./storage/storage.js";
-import { encryptionKeys, signingKeys } from "./keys.js";
-import { PluginManager } from "./plugin/manager.js";
-import { setTheme } from "./themes/theme.js";
-import { Select } from "./ui/select.js";
+import { getRelativeUrl, lazy } from "./util.mjs";
+import { defaultAllowCheck } from "./allow.mjs";
+import { MissingParameterError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error.mjs";
+import { validatePKCE } from "./pkce.mjs";
+import { generateSecureToken } from "./random.mjs";
+import { Storage } from "./storage/storage.mjs";
+import { encryptionKeys, signingKeys } from "./keys.mjs";
+import { PluginManager } from "./plugin/manager.mjs";
+import { setTheme } from "./themes/theme.mjs";
+import { Select } from "./ui/select.mjs";
 import { CompactEncrypt, SignJWT, compactDecrypt } from "jose";
 import { Router } from "@draftlab/auth-router";
 import { deleteCookie, getCookie, setCookie } from "@draftlab/auth-router/cookies";
@@ -15,6 +15,33 @@ import { cors } from "@draftlab/auth-router/middleware/cors";
 
 //#region src/core.ts
 /**
+* Core issuer implementation.
+*/
+/**
+* Performs an operation with guaranteed minimum execution time.
+* Adds random jitter to prevent timing-based attacks even if operation completes quickly.
+*
+* Used for validating sensitive data where timing differences could leak information
+* (e.g., authorization codes, refresh tokens).
+*
+* @param fn - Async function to execute
+* @param minTimeMs - Minimum execution time in milliseconds (default: 100ms)
+* @returns Result of the function, guaranteed to take at least minTimeMs
+*/
+const normalizeTimingAsync = async (fn, minTimeMs = 100) => {
+	const startTime = performance.now();
+	const result = await fn();
+	const elapsed = performance.now() - startTime;
+	const remainingTime = Math.max(0, minTimeMs - elapsed);
+	if (remainingTime > 0) {
+		const jitterBuffer = new Uint32Array(1);
+		crypto.getRandomValues(jitterBuffer);
+		const totalDelay = remainingTime + (jitterBuffer[0] ?? 0) / 4294967295 * 20;
+		await new Promise((resolve) => setTimeout(resolve, totalDelay));
+	}
+	return result;
+};
+/**
 * Determines if the incoming request is using HTTPS protocol.
 * Checks multiple proxy headers to handle load balancers and reverse proxies.
 *
@@ -60,8 +87,7 @@ const issuer = (input) => {
 	const issuer$1 = (ctx) => {
 		const baseUrl = new URL(getRelativeUrl(ctx, "/"));
 		if (input.basePath) {
-			const normalizedBasePath = input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`;
-			baseUrl.pathname = normalizedBasePath.replace(/\/$/, "");
+			baseUrl.pathname = (input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`).replace(/\/$/, "");
 			return baseUrl.href;
 		}
 		return baseUrl.origin;
@@ -90,12 +116,9 @@ const issuer = (input) => {
 	*/
 	const resolveSubject = async (type, properties) => {
 		const jsonString = JSON.stringify(properties);
-		const encoder = new TextEncoder();
-		const data = encoder.encode(jsonString);
+		const data = new TextEncoder().encode(jsonString);
 		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-		const hashArray = Array.from(new Uint8Array(hashBuffer));
-		const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-		return `${type}:${hashHex.slice(0, 16)}`;
+		return `${type}:${Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 16)}`;
 	};
 	/**
 	* Generates access and refresh tokens for OAuth 2.0.
@@ -128,23 +151,21 @@ const issuer = (input) => {
 		if (!signingKeyData) throw new Error("Signing key not available");
 		const now = Math.floor(Date.now() / 1e3);
 		if (!value.clientID.trim()) throw new Error("Invalid audience: client ID cannot be empty");
-		const accessPayload = {
-			type: value.type,
-			properties: value.properties,
-			sub: value.subject,
-			aud: value.clientID,
-			iss: issuer$1(ctx),
-			exp: now + value.ttl.access,
-			iat: now,
-			mode: "access"
-		};
-		const access = await new SignJWT(accessPayload).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
-			alg: signingKeyData.alg,
-			kid: signingKeyData.id,
-			typ: "JWT"
-		}).sign(signingKeyData.private);
 		return {
-			access,
+			access: await new SignJWT({
+				type: value.type,
+				properties: value.properties,
+				sub: value.subject,
+				aud: value.clientID,
+				iss: issuer$1(ctx),
+				exp: now + value.ttl.access,
+				iat: now,
+				mode: "access"
+			}).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
+				alg: signingKeyData.alg,
+				kid: signingKeyData.id,
+				typ: "JWT"
+			}).sign(signingKeyData.private),
 			refresh: [value.subject, refreshToken].join(":"),
 			expiresIn: Math.floor(now + value.ttl.access - Date.now() / 1e3)
 		};
@@ -227,8 +248,7 @@ const issuer = (input) => {
 		},
 		async set(ctx, key, maxAge, value) {
 			const isHttps = isHttpsRequest(ctx);
-			const encryptedValue = await encrypt(value);
-			setCookie(ctx, key, encryptedValue, {
+			setCookie(ctx, key, await encrypt(value), {
 				maxAge,
 				httpOnly: true,
 				secure: isHttps,
@@ -238,13 +258,12 @@ const issuer = (input) => {
 		},
 		async get(ctx, key) {
 			const raw = getCookie(ctx, key);
-			if (!raw) return void 0;
+			if (!raw) return;
 			try {
-				const decrypted = await decrypt(raw);
-				return decrypted;
+				return await decrypt(raw);
 			} catch {
 				deleteCookie(ctx, key, { path: input.basePath || "/" });
-				return void 0;
+				return;
 			}
 		},
 		async unset(ctx, key) {
@@ -281,8 +300,7 @@ const issuer = (input) => {
 			credentials: false
 		})],
 		handler: async (c) => {
-			const signingKeys$1 = await allSigning();
-			const jwksDocument = { keys: signingKeys$1.map((keyInfo) => ({
+			const jwksDocument = { keys: (await allSigning()).map((keyInfo) => ({
 				...keyInfo.jwk,
 				alg: keyInfo.alg,
 				exp: keyInfo.expired ? Math.floor(keyInfo.expired.getTime() / 1e3) : void 0
@@ -326,19 +344,20 @@ const issuer = (input) => {
 					return c.json(error$1.toJSON(), { status: 400 });
 				}
 				const key = ["oauth:code", code.toString()];
-				const payload = await Storage.get(storage, key);
-				if (!payload) {
+				const { isValid, payload } = await normalizeTimingAsync(async () => {
+					const data = await Storage.get(storage, key);
+					const redirectUri = form.get("redirect_uri");
+					const clientId = form.get("client_id");
+					const valid = !!(data && data.redirectURI === redirectUri && data.clientID === clientId);
+					return {
+						isValid: valid,
+						payload: valid ? data : void 0
+					};
+				});
+				if (!isValid || !payload) {
 					const error$1 = new OauthError("invalid_grant", "Authorization code has been used or expired");
 					return c.json(error$1.toJSON(), { status: 400 });
 				}
-				if (payload.redirectURI !== form.get("redirect_uri")) {
-					const error$1 = new OauthError("invalid_redirect_uri", "Redirect URI mismatch");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				if (payload.clientID !== form.get("client_id")) {
-					const error$1 = new OauthError("unauthorized_client", "Client is not authorized to use this authorization code");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
 				if (payload.pkce) {
 					const codeVerifier = form.get("code_verifier")?.toString();
 					if (!codeVerifier) {
@@ -398,7 +417,6 @@ const issuer = (input) => {
 					payload.properties = refreshResult.properties;
 					if (refreshResult.subject) payload.subject = refreshResult.subject;
 					if (refreshResult.scopes) payload.scopes = refreshResult.scopes;
-					payload.properties = refreshResult.properties;
 				} catch {
 					return c.json({
 						error: "server_error",
@@ -449,14 +467,13 @@ const issuer = (input) => {
 		const audience = c.query("audience");
 		const code_challenge = c.query("code_challenge");
 		const code_challenge_method = c.query("code_challenge_method");
-		const scope = c.query("scope");
 		const authorization = {
 			response_type,
 			redirect_uri,
 			state,
 			client_id,
 			audience,
-			scope,
+			scope: c.query("scope"),
 			...code_challenge && code_challenge_method && { pkce: {
 				challenge: code_challenge,
 				method: code_challenge_method
@@ -472,7 +489,7 @@ const issuer = (input) => {
 			redirectURI: redirect_uri,
 			audience
 		}, c.request)) throw new UnauthorizedClientError(client_id, redirect_uri);
-		await auth.set(c, "authorization", 3600 * 24, authorization);
+		await auth.set(c, "authorization", 900, authorization);
 		if (provider) return c.redirect(`${provider}/authorize`);
 		const availableProviders = Object.keys(input.providers);
 		if (availableProviders.length === 1) return c.redirect(`${availableProviders[0]}/authorize`);

package/dist/index.d.mts

@@ -0,0 +1,2 @@
+import { issuer } from "./core.mjs";
+export { issuer };

package/dist/index.mjs

@@ -0,0 +1,3 @@
+import { issuer } from "./core.mjs";
+
+export { issuer };

package/dist/{keys.d.ts → keys.d.mts}

@@ -1,4 +1,4 @@
-import { StorageAdapter } from "./storage/storage.js";
+import { StorageAdapter } from "./storage/storage.mjs";
 import { CryptoKey, JWK } from "jose";
 
 //#region src/keys.d.ts

package/dist/{keys.js → keys.mjs}

@@ -1,5 +1,5 @@
-import { generateSecureToken } from "./random.js";
-import { Storage } from "./storage/storage.js";
+import { generateSecureToken } from "./random.mjs";
+import { Storage } from "./storage/storage.mjs";
 import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
 
 //#region src/keys.ts
@@ -63,7 +63,7 @@ const signingKeys = async (storage) => {
 	const jwk = await exportJWK(key.publicKey);
 	jwk.kid = serialized.id;
 	jwk.use = "sig";
-	const newKeyPair = {
+	return [{
 		id: serialized.id,
 		alg: signingAlg,
 		created: new Date(serialized.created),
@@ -71,8 +71,7 @@ const signingKeys = async (storage) => {
 		public: key.publicKey,
 		private: key.privateKey,
 		jwk
-	};
-	return [newKeyPair, ...results];
+	}, ...results];
 };
 /**
 * Loads or generates encryption keys for token encryption operations.
@@ -124,7 +123,7 @@ const encryptionKeys = async (storage) => {
 	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
 	const jwk = await exportJWK(key.publicKey);
 	jwk.kid = serialized.id;
-	const newKeyPair = {
+	return [{
 		id: serialized.id,
 		alg: encryptionAlg,
 		created: new Date(serialized.created),
@@ -132,8 +131,7 @@ const encryptionKeys = async (storage) => {
 		public: key.publicKey,
 		private: key.privateKey,
 		jwk
-	};
-	return [newKeyPair, ...results];
+	}, ...results];
 };
 
 //#endregion

package/dist/{pkce.js → pkce.mjs}

@@ -57,8 +57,7 @@ const generateVerifier = (length) => {
 */
 const generateChallenge = async (verifier, method) => {
 	if (method === "plain") return verifier;
-	const encoder = new TextEncoder();
-	const data = encoder.encode(verifier);
+	const data = new TextEncoder().encode(verifier);
 	const hash = await crypto.subtle.digest("SHA-256", data);
 	return base64url.encode(new Uint8Array(hash));
 };
@@ -89,10 +88,9 @@ const generatePKCE = async (length = 48) => {
 	const verifier = generateVerifier(length);
 	if (verifier.length < 43 || verifier.length > 128) throw new Error("Generated verifier does not meet requirements");
 	if (!/^[A-Za-z0-9_-]+$/.test(verifier)) throw new Error("Generated verifier is not valid base64url format");
-	const challenge = await generateChallenge(verifier, "S256");
 	return {
 		verifier,
-		challenge,
+		challenge: await generateChallenge(verifier, "S256"),
 		method: "S256"
 	};
 };
@@ -129,19 +127,16 @@ const validatePKCE = async (verifier, challenge, method = "S256") => {
 	let hasEarlyFailure = false;
 	const normalizedVerifier = String(verifier || "");
 	const normalizedChallenge = String(challenge || "");
-	const validations = [
+	hasEarlyFailure = ![
 		typeof verifier === "string" && typeof challenge === "string" && verifier && challenge,
 		normalizedVerifier.length >= 43 && normalizedVerifier.length <= 128,
 		normalizedChallenge.length >= 43 && normalizedChallenge.length <= 128,
 		/^[A-Za-z0-9_-]+$/.test(normalizedVerifier),
 		/^[A-Za-z0-9_-]+$/.test(normalizedChallenge)
-	];
-	hasEarlyFailure = !validations.every(Boolean);
+	].every(Boolean);
 	const verifierToUse = hasEarlyFailure ? "dummyverifier_".repeat(6) : normalizedVerifier;
 	try {
-		const generatedChallenge = await generateChallenge(verifierToUse, method);
-		const challengeToCompare = hasEarlyFailure ? "dummychallenge_".repeat(6) : normalizedChallenge;
-		const comparisonResult = timingSafeCompare(generatedChallenge, challengeToCompare);
+		const comparisonResult = timingSafeCompare(await generateChallenge(verifierToUse, method), hasEarlyFailure ? "dummychallenge_".repeat(6) : normalizedChallenge);
 		isValid = !hasEarlyFailure && comparisonResult;
 	} catch {
 		isValid = false;

package/dist/plugin/{builder.d.ts → builder.d.mts}

@@ -1,4 +1,4 @@
-import { PluginBuilder } from "./plugin.js";
+import { PluginBuilder } from "./plugin.mjs";
 
 //#region src/plugin/builder.d.ts
 

package/dist/plugin/{manager.d.ts → manager.d.mts}

@@ -1,5 +1,5 @@
-import { StorageAdapter } from "../storage/storage.js";
-import { Plugin } from "./types.js";
+import { StorageAdapter } from "../storage/storage.mjs";
+import { Plugin } from "./types.mjs";
 import { Router } from "@draftlab/auth-router";
 
 //#region src/plugin/manager.d.ts

package/dist/plugin/{manager.js → manager.mjs}

@@ -1,4 +1,4 @@
-import { PluginError } from "./types.js";
+import { PluginError } from "./types.mjs";
 
 //#region src/plugin/manager.ts
 var PluginManager = class {

package/dist/plugin/{plugin.d.ts → plugin.d.mts}

@@ -1,4 +1,4 @@
-import { Plugin, PluginRouteHandler } from "./types.js";
+import { Plugin, PluginRouteHandler } from "./types.mjs";
 
 //#region src/plugin/plugin.d.ts
 

package/dist/plugin/{types.d.ts → types.d.mts}

@@ -1,4 +1,4 @@
-import { StorageAdapter } from "../storage/storage.js";
+import { StorageAdapter } from "../storage/storage.mjs";
 import { RouterContext } from "@draftlab/auth-router/types";
 
 //#region src/plugin/types.d.ts

package/dist/provider/{code.d.ts → code.d.mts}

@@ -1,4 +1,4 @@
-import { Provider } from "./provider.js";
+import { Provider } from "./provider.mjs";
 
 //#region src/provider/code.d.ts
 

package/dist/provider/{code.js → code.mjs}

@@ -1,4 +1,4 @@
-import { generateUnbiasedDigits, timingSafeCompare } from "../random.js";
+import { generateUnbiasedDigits, timingSafeCompare } from "../random.mjs";
 
 //#region src/provider/code.ts
 /**
@@ -130,8 +130,7 @@ const CodeProvider = (config) => {
 				const action = formData.get("action")?.toString();
 				if (action === "request" || action === "resend") {
 					const code = generateCode();
-					const formEntries = Object.fromEntries(formData);
-					const { action: _,...claims } = formEntries;
+					const { action: _, ...claims } = Object.fromEntries(formData);
 					const sendError = await config.sendCode(claims, code);
 					if (sendError) return transition(c, { type: "start" }, formData, sendError);
 					return transition(c, {

package/dist/provider/{discord.d.ts → discord.d.mts}

@@ -1,5 +1,5 @@
-import { Provider } from "./provider.js";
-import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.js";
+import { Provider } from "./provider.mjs";
+import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
 
 //#region src/provider/discord.d.ts
 

package/dist/provider/{discord.js → discord.mjs}

@@ -1,7 +1,65 @@
-import { Oauth2Provider } from "./oauth2.js";
+import { Oauth2Provider } from "./oauth2.mjs";
 
 //#region src/provider/discord.ts
 /**
+* Discord OAuth 2.0 authentication provider for Draft Auth.
+* Provides access tokens for calling Discord APIs on behalf of users.
+*
+* ## Quick Setup
+*
+* ```ts
+* import { DiscordProvider } from "@draftlab/auth/provider/discord"
+*
+* export default issuer({
+*   providers: {
+*     discord: DiscordProvider({
+*       clientID: process.env.DISCORD_CLIENT_ID,
+*       clientSecret: process.env.DISCORD_CLIENT_SECRET,
+*       scopes: ["identify", "email", "guilds"]
+*     })
+*   }
+* })
+* ```
+*
+* ## Common Scopes
+*
+* - `identify` - Access to user's basic account information
+* - `email` - Access to user's email address
+* - `guilds` - Access to user's guilds (servers)
+* - `guilds.join` - Ability to join user to guilds
+* - `gdm.join` - Ability to join user to group DMs
+* - `connections` - Access to user's connections (Steam, YouTube, etc.)
+* - `guilds.members.read` - Read guild member information
+* - `bot` - For bot applications (requires additional setup)
+*
+* ## User Data Access
+*
+* ```ts
+* success: async (ctx, value) => {
+*   if (value.provider === "discord") {
+*     const accessToken = value.tokenset.access
+*
+*     // Fetch user information
+*     const userResponse = await fetch('https://discord.com/api/users/@me', {
+*       headers: { Authorization: `Bearer ${accessToken}` }
+*     })
+*     const user = await userResponse.json()
+*
+*     // Fetch user guilds (requires guilds scope)
+*     const guildsResponse = await fetch('https://discord.com/api/users/@me/guilds', {
+*       headers: { Authorization: `Bearer ${accessToken}` }
+*     })
+*     const guilds = await guildsResponse.json()
+*
+*     // User info: user.username + user.discriminator
+*     // Avatar: `https://cdn.discordapp.com/avatars/${user.id}/${user.avatar}.png`
+*   }
+* }
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Creates a Discord OAuth 2.0 authentication provider.
 * Use this when you need access tokens to call Discord APIs on behalf of the user.
 *

package/dist/provider/{facebook.d.ts → facebook.d.mts}

@@ -1,5 +1,5 @@
-import { Provider } from "./provider.js";
-import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.js";
+import { Provider } from "./provider.mjs";
+import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
 
 //#region src/provider/facebook.d.ts