@eaccess/auth 0.1.1 → 0.1.3

package/dist/index.d.cts

@@ -15,6 +15,24 @@ interface AzureProviderConfig extends OAuthProviderConfig {
 }
 interface AuthConfig {
     db: Pool;
+    /**
+     * If a user logs in with an OAuth provider, but a matching account (identified by the OAuth user's email address) doesn't
+     * exist, createUser will be called:
+     *
+     * @example:
+     *
+     * if (this.authConfig.createUser) {
+     *   userId = await this.authConfig.createUser(userData);
+     * } else {
+     *   // Generate UUID for OAuth users when no createUser function is provided
+     *   userId = crypto.randomUUID();
+     * }
+     *
+     * This callback is your opportunity to create a user account in *your* database, and return
+     * the user ID of the newly-created user for this provider account to be linked to.
+     * @param userData
+     * @returns
+     */
     createUser?: (userData: OAuthUserData) => string | number | Promise<string | number>;
     tablePrefix?: string;
     minPasswordLength?: number;
@@ -513,6 +531,67 @@ declare function getAuthTableStats(config: AuthConfig): Promise<{
     expiredTwoFactorTokens: number;
 }>;
 
+/**
+ * Create a new user account without requiring Express request/response objects.
+ * This function is suitable for use in seeders, CLI tools, and other standalone contexts.
+ *
+ * @param config - Auth configuration containing database connection and settings
+ * @param credentials - Email and password for new account
+ * @param userId - Optional user ID to link this auth account to. If not provided, a UUID will be generated automatically.
+ * @param callback - If provided, account is created unverified and callback receives confirmation token. Create a URL like /confirm/{token} and call confirmEmail() in that handler. If omitted, account is immediately verified.
+ * @returns The created account record
+ * @throws {EmailTakenError} Email is already registered
+ * @throws {InvalidPasswordError} Password doesn't meet length requirements
+ */
+declare function createUser(config: AuthConfig, credentials: {
+    email: string;
+    password: string;
+}, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+
+type UserIdentifier = {
+    accountId?: number;
+    email?: string;
+    userId?: string;
+};
+/**
+ * Add a role to a user's account.
+ * Uses bitwise OR to add role to existing rolemask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param role - Role bitmask to add (e.g., AuthRole.Admin)
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function addRoleToUser(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Remove a role from a user's account.
+ * Uses bitwise operations to remove role from rolemask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param role - Role bitmask to remove (e.g., AuthRole.Admin)
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function removeRoleFromUser(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Set a user's complete role mask, replacing any existing roles.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param rolemask - Complete role bitmask to set
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function setUserRoles(config: AuthConfig, identifier: UserIdentifier, rolemask: number): Promise<void>;
+/**
+ * Get a user's current role mask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @returns The user's current role bitmask
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function getUserRoles(config: AuthConfig, identifier: UserIdentifier): Promise<number>;
+
 declare class AuthError extends Error {
     constructor(message: string);
 }
@@ -927,4 +1006,4 @@ declare class AzureProvider extends BaseOAuthProvider {
     protected exchangeCodeForToken(code: string, tokenUrl: string): Promise<string>;
 }
 
-export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthAdminManager, type AuthConfig, type AuthConfirmation, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, UserInactiveError, UserNotFoundError, UserNotLoggedInError, cleanupExpiredTokens, createAuthMiddleware, createAuthTables, dropAuthTables, getAuthTableStats, isValidEmail, validateEmail };
+export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthAdminManager, type AuthConfig, type AuthConfirmation, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleToUser, cleanupExpiredTokens, createAuthMiddleware, createAuthTables, createUser, dropAuthTables, getAuthTableStats, getUserRoles, isValidEmail, removeRoleFromUser, setUserRoles, validateEmail };

package/dist/index.d.ts

@@ -15,6 +15,24 @@ interface AzureProviderConfig extends OAuthProviderConfig {
 }
 interface AuthConfig {
     db: Pool;
+    /**
+     * If a user logs in with an OAuth provider, but a matching account (identified by the OAuth user's email address) doesn't
+     * exist, createUser will be called:
+     *
+     * @example:
+     *
+     * if (this.authConfig.createUser) {
+     *   userId = await this.authConfig.createUser(userData);
+     * } else {
+     *   // Generate UUID for OAuth users when no createUser function is provided
+     *   userId = crypto.randomUUID();
+     * }
+     *
+     * This callback is your opportunity to create a user account in *your* database, and return
+     * the user ID of the newly-created user for this provider account to be linked to.
+     * @param userData
+     * @returns
+     */
     createUser?: (userData: OAuthUserData) => string | number | Promise<string | number>;
     tablePrefix?: string;
     minPasswordLength?: number;
@@ -513,6 +531,67 @@ declare function getAuthTableStats(config: AuthConfig): Promise<{
     expiredTwoFactorTokens: number;
 }>;
 
+/**
+ * Create a new user account without requiring Express request/response objects.
+ * This function is suitable for use in seeders, CLI tools, and other standalone contexts.
+ *
+ * @param config - Auth configuration containing database connection and settings
+ * @param credentials - Email and password for new account
+ * @param userId - Optional user ID to link this auth account to. If not provided, a UUID will be generated automatically.
+ * @param callback - If provided, account is created unverified and callback receives confirmation token. Create a URL like /confirm/{token} and call confirmEmail() in that handler. If omitted, account is immediately verified.
+ * @returns The created account record
+ * @throws {EmailTakenError} Email is already registered
+ * @throws {InvalidPasswordError} Password doesn't meet length requirements
+ */
+declare function createUser(config: AuthConfig, credentials: {
+    email: string;
+    password: string;
+}, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+
+type UserIdentifier = {
+    accountId?: number;
+    email?: string;
+    userId?: string;
+};
+/**
+ * Add a role to a user's account.
+ * Uses bitwise OR to add role to existing rolemask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param role - Role bitmask to add (e.g., AuthRole.Admin)
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function addRoleToUser(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Remove a role from a user's account.
+ * Uses bitwise operations to remove role from rolemask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param role - Role bitmask to remove (e.g., AuthRole.Admin)
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function removeRoleFromUser(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Set a user's complete role mask, replacing any existing roles.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @param rolemask - Complete role bitmask to set
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function setUserRoles(config: AuthConfig, identifier: UserIdentifier, rolemask: number): Promise<void>;
+/**
+ * Get a user's current role mask.
+ *
+ * @param config - Auth configuration containing database connection
+ * @param identifier - Find user by accountId, email, or userId
+ * @returns The user's current role bitmask
+ * @throws {UserNotFoundError} No account matches the identifier
+ */
+declare function getUserRoles(config: AuthConfig, identifier: UserIdentifier): Promise<number>;
+
 declare class AuthError extends Error {
     constructor(message: string);
 }
@@ -927,4 +1006,4 @@ declare class AzureProvider extends BaseOAuthProvider {
     protected exchangeCodeForToken(code: string, tokenUrl: string): Promise<string>;
 }
 
-export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthAdminManager, type AuthConfig, type AuthConfirmation, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, UserInactiveError, UserNotFoundError, UserNotLoggedInError, cleanupExpiredTokens, createAuthMiddleware, createAuthTables, dropAuthTables, getAuthTableStats, isValidEmail, validateEmail };
+export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthAdminManager, type AuthConfig, type AuthConfirmation, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleToUser, cleanupExpiredTokens, createAuthMiddleware, createAuthTables, createUser, dropAuthTables, getAuthTableStats, getUserRoles, isValidEmail, removeRoleFromUser, setUserRoles, validateEmail };

package/dist/index.js

@@ -1,69 +1,7 @@
 // src/auth-admin-manager.ts
-import { hash } from "@prsm/hash";
+import { hash as hash2 } from "@prsm/hash";
 import ms from "@prsm/ms";
 
-// src/types.ts
-import "express-session";
-var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
-  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
-  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
-  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
-  return TwoFactorMechanism2;
-})(TwoFactorMechanism || {});
-var AuthStatus = {
-  Normal: 0,
-  Archived: 1,
-  Banned: 2,
-  Locked: 3,
-  PendingReview: 4,
-  Suspended: 5
-};
-var AuthRole = {
-  Admin: 1,
-  Author: 2,
-  Collaborator: 4,
-  Consultant: 8,
-  Consumer: 16,
-  Contributor: 32,
-  Coordinator: 64,
-  Creator: 128,
-  Developer: 256,
-  Director: 512,
-  Editor: 1024,
-  Employee: 2048,
-  Maintainer: 4096,
-  Manager: 8192,
-  Moderator: 16384,
-  Publisher: 32768,
-  Reviewer: 65536,
-  Subscriber: 131072,
-  SuperAdmin: 262144,
-  SuperEditor: 524288,
-  SuperModerator: 1048576,
-  Translator: 2097152
-};
-var AuthActivityAction = {
-  Login: "login",
-  Logout: "logout",
-  FailedLogin: "failed_login",
-  Register: "register",
-  EmailConfirmed: "email_confirmed",
-  PasswordResetRequested: "password_reset_requested",
-  PasswordResetCompleted: "password_reset_completed",
-  PasswordChanged: "password_changed",
-  EmailChanged: "email_changed",
-  RoleChanged: "role_changed",
-  StatusChanged: "status_changed",
-  ForceLogout: "force_logout",
-  OAuthConnected: "oauth_connected",
-  RememberTokenCreated: "remember_token_created",
-  TwoFactorSetup: "two_factor_setup",
-  TwoFactorVerified: "two_factor_verified",
-  TwoFactorFailed: "two_factor_failed",
-  TwoFactorDisabled: "two_factor_disabled",
-  BackupCodeUsed: "backup_code_used"
-};
-
 // src/queries.ts
 var AuthQueries = class {
   constructor(config) {
@@ -440,6 +378,9 @@ var TwoFactorSetupIncompleteError = class extends AuthError {
   }
 };
 
+// src/create-user.ts
+import { hash } from "@prsm/hash";
+
 // src/util.ts
 var isValidEmail = (email) => {
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
@@ -458,6 +399,123 @@ var validateEmail = (email) => {
 };
 var createMapFromEnum = (enumObj) => Object.fromEntries(Object.entries(enumObj).map(([key, value]) => [value, key]));
 
+// src/types.ts
+import "express-session";
+var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
+  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
+  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
+  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
+  return TwoFactorMechanism2;
+})(TwoFactorMechanism || {});
+var AuthStatus = {
+  Normal: 0,
+  Archived: 1,
+  Banned: 2,
+  Locked: 3,
+  PendingReview: 4,
+  Suspended: 5
+};
+var AuthRole = {
+  Admin: 1,
+  Author: 2,
+  Collaborator: 4,
+  Consultant: 8,
+  Consumer: 16,
+  Contributor: 32,
+  Coordinator: 64,
+  Creator: 128,
+  Developer: 256,
+  Director: 512,
+  Editor: 1024,
+  Employee: 2048,
+  Maintainer: 4096,
+  Manager: 8192,
+  Moderator: 16384,
+  Publisher: 32768,
+  Reviewer: 65536,
+  Subscriber: 131072,
+  SuperAdmin: 262144,
+  SuperEditor: 524288,
+  SuperModerator: 1048576,
+  Translator: 2097152
+};
+var AuthActivityAction = {
+  Login: "login",
+  Logout: "logout",
+  FailedLogin: "failed_login",
+  Register: "register",
+  EmailConfirmed: "email_confirmed",
+  PasswordResetRequested: "password_reset_requested",
+  PasswordResetCompleted: "password_reset_completed",
+  PasswordChanged: "password_changed",
+  EmailChanged: "email_changed",
+  RoleChanged: "role_changed",
+  StatusChanged: "status_changed",
+  ForceLogout: "force_logout",
+  OAuthConnected: "oauth_connected",
+  RememberTokenCreated: "remember_token_created",
+  TwoFactorSetup: "two_factor_setup",
+  TwoFactorVerified: "two_factor_verified",
+  TwoFactorFailed: "two_factor_failed",
+  TwoFactorDisabled: "two_factor_disabled",
+  BackupCodeUsed: "backup_code_used"
+};
+
+// src/create-user.ts
+function validatePassword(password, config) {
+  const minLength = config.minPasswordLength || 8;
+  const maxLength = config.maxPasswordLength || 64;
+  if (typeof password !== "string") {
+    throw new InvalidPasswordError();
+  }
+  if (password.length < minLength) {
+    throw new InvalidPasswordError();
+  }
+  if (password.length > maxLength) {
+    throw new InvalidPasswordError();
+  }
+}
+function generateAutoUserId() {
+  return crypto.randomUUID();
+}
+async function createConfirmationToken(queries, account, email, callback) {
+  const token = hash.encode(email);
+  const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
+  await queries.createConfirmation({
+    accountId: account.id,
+    token,
+    email,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function createUser(config, credentials, userId, callback) {
+  validateEmail(credentials.email);
+  validatePassword(credentials.password, config);
+  const queries = new AuthQueries(config);
+  const existing = await queries.findAccountByEmail(credentials.email);
+  if (existing) {
+    throw new EmailTakenError();
+  }
+  const finalUserId = userId || generateAutoUserId();
+  const hashedPassword = hash.encode(credentials.password);
+  const verified = typeof callback !== "function";
+  const account = await queries.createAccount({
+    userId: finalUserId,
+    email: credentials.email,
+    password: hashedPassword,
+    verified,
+    status: AuthStatus.Normal,
+    rolemask: 0
+  });
+  if (!verified && callback) {
+    await createConfirmationToken(queries, account, credentials.email, callback);
+  }
+  return account;
+}
+
 // src/auth-admin-manager.ts
 var AuthAdminManager = class {
   constructor(req, res, config, auth) {
@@ -480,9 +538,6 @@ var AuthAdminManager = class {
       throw new InvalidPasswordError();
     }
   }
-  generateAutoUserId() {
-    return crypto.randomUUID();
-  }
   async findAccountByIdentifier(identifier) {
     if (identifier.accountId !== void 0) {
       return await this.queries.findAccountById(identifier.accountId);
@@ -494,7 +549,7 @@ var AuthAdminManager = class {
     return null;
   }
   async createConfirmationToken(account, email, callback) {
-    const token = hash.encode(email);
+    const token = hash2.encode(email);
     const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
     await this.queries.createConfirmation({
       accountId: account.id,
@@ -517,27 +572,7 @@ var AuthAdminManager = class {
    * @throws {InvalidPasswordError} Password doesn't meet length requirements
    */
   async createUser(credentials, userId, callback) {
-    validateEmail(credentials.email);
-    this.validatePassword(credentials.password);
-    const existing = await this.queries.findAccountByEmail(credentials.email);
-    if (existing) {
-      throw new EmailTakenError();
-    }
-    const finalUserId = userId || this.generateAutoUserId();
-    const hashedPassword = hash.encode(credentials.password);
-    const verified = typeof callback !== "function";
-    const account = await this.queries.createAccount({
-      userId: finalUserId,
-      email: credentials.email,
-      password: hashedPassword,
-      verified,
-      status: AuthStatus.Normal,
-      rolemask: 0
-    });
-    if (!verified && callback) {
-      await this.createConfirmationToken(account, credentials.email, callback);
-    }
-    return account;
+    return createUser(this.config, credentials, userId, callback);
   }
   /**
    * Log in as another user (admin function).
@@ -630,7 +665,7 @@ var AuthAdminManager = class {
       throw new UserNotFoundError();
     }
     await this.queries.updateAccount(account.id, {
-      password: hash.encode(password)
+      password: hash2.encode(password)
     });
   }
   /**
@@ -666,7 +701,7 @@ var AuthAdminManager = class {
       throw new EmailNotVerifiedError();
     }
     const expiry = !expiresAfter ? ms("6h") : ms(expiresAfter);
-    const token = hash.encode(account.email);
+    const token = hash2.encode(account.email);
     const expires = new Date(Date.now() + expiry);
     await this.queries.createResetToken({
       accountId: account.id,
@@ -698,7 +733,7 @@ var AuthAdminManager = class {
 };
 
 // src/auth-manager.ts
-import { hash as hash4 } from "@prsm/hash";
+import { hash as hash5 } from "@prsm/hash";
 import ms3 from "@prsm/ms";
 
 // src/activity-logger.ts
@@ -1096,7 +1131,7 @@ var AzureProvider = class extends BaseOAuthProvider {
 
 // src/two-factor/totp-provider.ts
 import Otp from "@eaccess/totp";
-import { hash as hash2 } from "@prsm/hash";
+import { hash as hash3 } from "@prsm/hash";
 var TotpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1125,11 +1160,11 @@ var TotpProvider = class {
     return codes;
   }
   hashBackupCodes(codes) {
-    return codes.map((code) => hash2.encode(code));
+    return codes.map((code) => hash3.encode(code));
   }
   verifyBackupCode(hashedCodes, inputCode) {
     for (let i = 0; i < hashedCodes.length; i++) {
-      if (hash2.verify(hashedCodes[i], inputCode.toUpperCase())) {
+      if (hash3.verify(hashedCodes[i], inputCode.toUpperCase())) {
         return { isValid: true, index: i };
       }
     }
@@ -1146,7 +1181,7 @@ var TotpProvider = class {
 
 // src/two-factor/otp-provider.ts
 import ms2 from "@prsm/ms";
-import { hash as hash3 } from "@prsm/hash";
+import { hash as hash4 } from "@prsm/hash";
 var OtpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1171,7 +1206,7 @@ var OtpProvider = class {
   async createAndStoreOTP(accountId, mechanism) {
     const otp = this.generateOTP();
     const selector = this.generateSelector();
-    const tokenHash = hash3.encode(otp);
+    const tokenHash = hash4.encode(otp);
     const expiryDuration = this.config.twoFactor?.tokenExpiry || "5m";
     const expiresAt = new Date(Date.now() + ms2(expiryDuration));
     await this.queries.deleteTwoFactorTokensByAccountAndMechanism(accountId, mechanism);
@@ -1193,7 +1228,7 @@ var OtpProvider = class {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: false };
     }
-    const isValid = hash3.verify(token.token_hash, inputCode);
+    const isValid = hash4.verify(token.token_hash, inputCode);
     if (isValid) {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: true, token };
@@ -1782,7 +1817,7 @@ var AuthManager = class {
     });
   }
   async createRememberDirective(account) {
-    const token = hash4.encode(account.email);
+    const token = hash5.encode(account.email);
     const duration = this.config.rememberDuration || "30d";
     const expires = new Date(Date.now() + ms3(duration));
     await this.queries.createRememberToken({
@@ -1820,7 +1855,7 @@ var AuthManager = class {
         await this.activityLogger.logActivity(null, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "account_not_found" });
         throw new UserNotFoundError();
       }
-      if (!account.password || !hash4.verify(account.password, password)) {
+      if (!account.password || !hash5.verify(account.password, password)) {
         await this.activityLogger.logActivity(account.id, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "invalid_password" });
         throw new InvalidPasswordError();
       }
@@ -1932,7 +1967,7 @@ var AuthManager = class {
       throw new EmailTakenError();
     }
     const finalUserId = userId || this.generateAutoUserId();
-    const hashedPassword = hash4.encode(password);
+    const hashedPassword = hash5.encode(password);
     const verified = typeof callback !== "function";
     const account = await this.queries.createAccount({
       userId: finalUserId,
@@ -1949,7 +1984,7 @@ var AuthManager = class {
     return account;
   }
   async createConfirmationToken(account, email, callback) {
-    const token = hash4.encode(email);
+    const token = hash5.encode(email);
     const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
     await this.queries.createConfirmation({
       accountId: account.id,
@@ -2083,7 +2118,7 @@ var AuthManager = class {
     if (new Date(confirmation.expires) < /* @__PURE__ */ new Date()) {
       throw new ConfirmationExpiredError();
     }
-    if (!hash4.verify(token, confirmation.email)) {
+    if (!hash5.verify(token, confirmation.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(confirmation.account_id, {
@@ -2180,7 +2215,7 @@ var AuthManager = class {
     if (openRequests >= maxRequests) {
       throw new TooManyResetsError();
     }
-    const token = hash4.encode(email);
+    const token = hash5.encode(email);
     const expires = new Date(Date.now() + expiry);
     await this.queries.createResetToken({
       accountId: account.id,
@@ -2222,11 +2257,11 @@ var AuthManager = class {
       throw new ResetDisabledError();
     }
     this.validatePassword(password);
-    if (!hash4.verify(token, account.email)) {
+    if (!hash5.verify(token, account.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(account.id, {
-      password: hash4.encode(password)
+      password: hash5.encode(password)
     });
     if (logout) {
       await this.forceLogoutForAccountById(account.id);
@@ -2254,7 +2289,7 @@ var AuthManager = class {
     if (!account.password) {
       return false;
     }
-    return hash4.verify(account.password, password);
+    return hash5.verify(account.password, password);
   }
   async forceLogoutForAccountById(accountId) {
     await this.queries.deleteRememberTokensForAccount(accountId);
@@ -2509,6 +2544,44 @@ async function getAuthTableStats(config) {
     expiredTwoFactorTokens: parseInt(expiredTwoFactorTokensResult.rows[0]?.count || "0")
   };
 }
+
+// src/user-roles.ts
+async function findAccountByIdentifier(queries, identifier) {
+  let account = null;
+  if (identifier.accountId !== void 0) {
+    account = await queries.findAccountById(identifier.accountId);
+  } else if (identifier.email !== void 0) {
+    account = await queries.findAccountByEmail(identifier.email);
+  } else if (identifier.userId !== void 0) {
+    account = await queries.findAccountByUserId(identifier.userId);
+  }
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  return account;
+}
+async function addRoleToUser(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  const rolemask = account.rolemask | role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function removeRoleFromUser(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  const rolemask = account.rolemask & ~role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function setUserRoles(config, identifier, rolemask) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function getUserRoles(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  return account.rolemask;
+}
 export {
   ActivityLogger,
   AuthActivityAction,
@@ -2544,12 +2617,17 @@ export {
   UserInactiveError,
   UserNotFoundError,
   UserNotLoggedInError,
+  addRoleToUser,
   cleanupExpiredTokens,
   createAuthMiddleware,
   createAuthTables,
+  createUser,
   dropAuthTables,
   getAuthTableStats,
+  getUserRoles,
   isValidEmail,
+  removeRoleFromUser,
+  setUserRoles,
   validateEmail
 };
 //# sourceMappingURL=index.js.map