@electr0zed/auth-gateway-cf 0.1.0

package/dist/providers/baseProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseProvider.js","sourceRoot":"","sources":["../../src/providers/baseProvider.ts"],"names":[],"mappings":"AAUA,MAAM,OAAgB,YAAY;IACxB,EAAE,CAAkB;IACZ,iBAAiB,CAAS;IAC1B,aAAa,CAAS;IACtB,aAAa,CAAS;IACtB,YAAY,CAAU;IACtB,gBAAgB,CAAU;IAC1B,UAAU,CAAa;IAExC,YAAY,SAAyB;QACpC,IAAI,CAAC,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC,iBAAiB,GAAG,SAAS,CAAC,iBAAiB,CAAC;QACrD,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC;QAC3C,IAAI,CAAC,gBAAgB,GAAG,SAAS,CAAC,gBAAgB,CAAC;QACnD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC;IACxC,CAAC;IAIS,eAAe,CAAC,GAAmB;QAC5C,OAAO,GAAG,CAAC,KAAK,IAAI,IAAI,CAAC,YAAY,IAAI,sBAAsB,CAAC;IACjE,CAAC;IAES,cAAc,CAAC,OAAe;QACvC,OAAO,GAAG,OAAO,gBAAgB,CAAC;IACnC,CAAC;IAES,eAAe,CAAC,GAAQ,EAAE,GAAmB;QACtD,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC;QAChC,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACnC,CAAC;IAED,QAAQ,CAAC,GAAmB,EAAE,OAAe,EAAE,KAAa,EAAE,aAAqB;QAClF,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAEjD,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;YAC9B,SAAS,EAAE,GAAG,CAAC,QAAQ;YACvB,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,WAAW;YACzB,KAAK;YACL,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,MAAM;YAC7B,KAAK;SACL,CAAC,CAAC;QAEH,OAAO,GAAG,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAmB,EAAE,GAAQ,EAAE,IAAY,EAAE,YAAoB,EAAE,WAAmB;QACxG,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAEpD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAChC,SAAS,EAAE,GAAG,CAAC,QAAQ;YACvB,IAAI;YACJ,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,WAAW;YACzB,KAAK;SACL,CAAC,CAAC;QACH,IAAI,YAAY;YAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YAC3C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI;SACJ,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;QAEjD,IAAI,MAAM,GAAY,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YACpC,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;YAE3E,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAA4B,CAAC;YACxE,MAAM,GAAG,OAAO,CAAC;YAEjB,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;YAExD,MAAM;YACN,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;gBAC/D,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;YAC/B,CAAC;YAED,2BAA2B;YAC3B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,MAAM,KAAK,GAAG,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtH,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;YAE5C,MAAM;YACN,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,IAAI,GAAG;gBAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAChF,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,gBAAgB,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YAChF,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QACtB,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACvC,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QACnD,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QACxD,OAAO;YACN,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,EAAE;YACjB,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,OAAO;SACrB,CAAC;IACH,CAAC;IAES,KAAK,CAAC,aAAa,CAAC,gBAAwB,EAAE,WAAmB;QAC1E,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;QACjG,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAY,CAAC;QAC3C,OAAO,EAAE,MAAM,EAAE,CAAC;IACnB,CAAC;IAES,QAAQ,CAAC,KAAa;QAC/B,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,CAAC,CAAC;YAAE,OAAO,EAAE,CAAC;QAElB,mCAAmC;QACnC,IAAI,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3B,IAAI,GAAG;YAAE,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;QAEpC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;CACD"}

package/dist/providers/google.d.ts

@@ -0,0 +1,9 @@
+import type { ProviderConfig, NormalizedClaims } from '../types';
+import { AuthProvider } from './baseProvider';
+export declare class GoogleProvider extends AuthProvider {
+    constructor();
+    /** Providers must supply a normalize() — no `any` needed. */
+    protected normalize(claims: unknown): NormalizedClaims;
+    protected getDefaultScope(cfg: ProviderConfig): string;
+}
+//# sourceMappingURL=google.d.ts.map

package/dist/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAc9C,qBAAa,cAAe,SAAQ,YAAY;;IAa/C,6DAA6D;IAC7D,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,GAAG,gBAAgB;cAWnC,eAAe,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM;CAG/D"}

package/dist/providers/google.js

@@ -0,0 +1,27 @@
+import { AuthProvider } from './baseProvider';
+export class GoogleProvider extends AuthProvider {
+    constructor() {
+        super({
+            id: 'google',
+            authorizeEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
+            tokenEndpoint: 'https://oauth2.googleapis.com/token',
+            defaultIssuer: 'https://accounts.google.com',
+            defaultScope: 'openid email profile',
+            userInfoEndpoint: 'https://openidconnect.googleapis.com/v1/userinfo',
+            claimsMode: 'userinfo',
+        });
+    }
+    /** Providers must supply a normalize() — no `any` needed. */
+    normalize(claims) {
+        // We accept either ID token payload or userinfo payload
+        const c = claims;
+        const subject = typeof c?.sub === 'string' ? c.sub : '';
+        const email = typeof c?.email === 'string' ? c.email : '';
+        return { email, subject };
+    }
+    // (Optional) If you need provider-specific scope overrides per cfg:
+    getDefaultScope(cfg) {
+        return cfg.scope ?? 'openid email profile';
+    }
+}
+//# sourceMappingURL=google.js.map

package/dist/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAc9C,MAAM,OAAO,cAAe,SAAQ,YAAY;IAC/C;QACC,KAAK,CAAC;YACL,EAAE,EAAE,QAAQ;YACZ,iBAAiB,EAAE,8CAA8C;YACjE,aAAa,EAAE,qCAAqC;YACpD,aAAa,EAAE,6BAA6B;YAC5C,YAAY,EAAE,sBAAsB;YACpC,gBAAgB,EAAE,kDAAkD;YACpE,UAAU,EAAE,UAAU;SACtB,CAAC,CAAC;IACJ,CAAC;IAED,6DAA6D;IACnD,SAAS,CAAC,MAAe;QAClC,wDAAwD;QACxD,MAAM,CAAC,GAAG,MAAsE,CAAC;QAEjF,MAAM,OAAO,GAAG,OAAO,CAAC,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAE1D,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,oEAAoE;IACjD,eAAe,CAAC,GAAmB;QACrD,OAAO,GAAG,CAAC,KAAK,IAAI,sBAAsB,CAAC;IAC5C,CAAC;CACD"}

package/dist/providers/index.d.ts

@@ -0,0 +1,3 @@
+import type { AuthProvider } from './baseProvider';
+export declare const ProviderRegistry: Record<string, AuthProvider>;
+//# sourceMappingURL=index.d.ts.map

package/dist/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGnD,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAEzD,CAAC"}

package/dist/providers/index.js

@@ -0,0 +1,5 @@
+import { GoogleProvider } from './google';
+export const ProviderRegistry = {
+    google: new GoogleProvider(),
+};
+//# sourceMappingURL=index.js.map

package/dist/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C,MAAM,CAAC,MAAM,gBAAgB,GAAiC;IAC7D,MAAM,EAAE,IAAI,cAAc,EAAE;CAC5B,CAAC"}

package/dist/routing/routeMatcher.d.ts

@@ -0,0 +1,15 @@
+import type { RouteRule } from '../types';
+/**
+ * Ordered, short-circuit route matcher.
+ * - First matching rule wins (stop on first hit).
+ * - String paths are globbed ("**" any depth, "*" segment); trailing slash optional.
+ * - RegExp paths are used as-is.
+ * - Methods are case-insensitive; empty = any method.
+ */
+export declare class RouteMatcher {
+    private compiled;
+    constructor(rules: RouteRule[]);
+    /** Returns the FIRST matching rule, or undefined. */
+    match(url: URL, method: string): RouteRule | undefined;
+}
+//# sourceMappingURL=routeMatcher.d.ts.map

package/dist/routing/routeMatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routeMatcher.d.ts","sourceRoot":"","sources":["../../src/routing/routeMatcher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C;;;;;;GAMG;AACH,qBAAa,YAAY;IACxB,OAAO,CAAC,QAAQ,CAOb;gBAES,KAAK,EAAE,SAAS,EAAE;IAY9B,qDAAqD;IACrD,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;CAoBtD"}

package/dist/routing/routeMatcher.js

@@ -0,0 +1,83 @@
+/**
+ * Ordered, short-circuit route matcher.
+ * - First matching rule wins (stop on first hit).
+ * - String paths are globbed ("**" any depth, "*" segment); trailing slash optional.
+ * - RegExp paths are used as-is.
+ * - Methods are case-insensitive; empty = any method.
+ */
+export class RouteMatcher {
+    compiled;
+    constructor(rules) {
+        this.compiled = rules.map((rule) => {
+            const arr = Array.isArray(rule.match) ? rule.match : [rule.match];
+            const tests = arr.map((m) => ({
+                pathRe: toPathRegex(m.path),
+                hostRe: m.host ? toHostRegex(m.host) : undefined,
+                methods: m.methods?.map(up),
+            }));
+            return { rule, tests };
+        });
+    }
+    /** Returns the FIRST matching rule, or undefined. */
+    match(url, method) {
+        const path = normalizePath(url.pathname);
+        const host = normalizeHost(url.hostname);
+        const m = up(method);
+        for (const entry of this.compiled) {
+            for (const t of entry.tests) {
+                const methodOk = !t.methods || t.methods.includes(m);
+                if (!methodOk)
+                    continue;
+                const hostOk = !t.hostRe || t.hostRe.test(host);
+                if (!hostOk)
+                    continue;
+                if (t.pathRe.test(path)) {
+                    return entry.rule;
+                }
+            }
+        }
+        return undefined;
+    }
+}
+/** Normalizes path: removes trailing slash except for "/" */
+function normalizePath(p) {
+    return p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p;
+}
+function normalizeHost(h) {
+    return h.toLowerCase().replace(/\.$/, '');
+}
+function up(s) {
+    return s.toUpperCase();
+}
+/**
+ * Converts a string glob to a RegExp with optional trailing slash.
+ * - "**" -> ".*" (any depth)
+ * - "*"  -> "[^/]*" (single segment portion)
+ * If input is already RegExp, return as-is (no trailing-slash tweak).
+ */
+function toPathRegex(path) {
+    if (path instanceof RegExp)
+        return path;
+    // normalize pattern's trailing slash too (except root)
+    let pat = path;
+    if (pat.length > 1 && pat.endsWith('/'))
+        pat = pat.slice(0, -1);
+    pat = globToRegexSource(pat, '/');
+    const optSlash = pat === '/' ? '' : '(?:/)?';
+    return new RegExp(`^${pat}${optSlash}$`);
+}
+function toHostRegex(host) {
+    if (host instanceof RegExp)
+        return host;
+    const pat = globToRegexSource(normalizeHost(host), '.');
+    return new RegExp(`^${pat}$`, 'i');
+}
+function globToRegexSource(input, segmentSeparator) {
+    const segmentPattern = segmentSeparator === '/' ? '[^/]*' : '[^.]*';
+    return input
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*\\\*/g, '**')
+        .replace(/\*\*/g, '.*')
+        .replace(/\*/g, segmentPattern);
+}
+//# sourceMappingURL=routeMatcher.js.map

package/dist/routing/routeMatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routeMatcher.js","sourceRoot":"","sources":["../../src/routing/routeMatcher.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,OAAO,YAAY;IAChB,QAAQ,CAOb;IAEH,YAAY,KAAkB;QAC7B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClE,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC7B,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC3B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gBAChD,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;aAC3B,CAAC,CAAC,CAAC;YACJ,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxB,CAAC,CAAC,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,GAAQ,EAAE,MAAc;QAC7B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;QAErB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBACrD,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAExB,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChD,IAAI,CAAC,MAAM;oBAAE,SAAS;gBAEtB,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzB,OAAO,KAAK,CAAC,IAAI,CAAC;gBACnB,CAAC;YACF,CAAC;QACF,CAAC;QACD,OAAO,SAAS,CAAC;IAClB,CAAC;CACD;AAED,6DAA6D;AAC7D,SAAS,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,EAAE,CAAC,CAAS;IACpB,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAAC,IAAqB;IACzC,IAAI,IAAI,YAAY,MAAM;QAAE,OAAO,IAAI,CAAC;IAExC,uDAAuD;IACvD,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEhE,GAAG,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAG,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC7C,OAAO,IAAI,MAAM,CAAC,IAAI,GAAG,GAAG,QAAQ,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,IAAqB;IACzC,IAAI,IAAI,YAAY,MAAM;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,GAAG,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,IAAI,MAAM,CAAC,IAAI,GAAG,GAAG,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa,EAAE,gBAA2B;IACpE,MAAM,cAAc,GAAG,gBAAgB,KAAK,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAEpE,OAAO,KAAK;SACV,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC;SACxB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC;SACtB,OAAO,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;AAClC,CAAC"}

package/dist/sessions/durableObjectSession.d.ts

@@ -0,0 +1,25 @@
+import { SessionStrategy, Session, SessionStrategyCfg } from '../types';
+export declare class DurableObjectSessionStrategy implements SessionStrategy {
+    private cfg;
+    constructor(cfg: (SessionStrategyCfg & {
+        kind: 'durableObject';
+    }) & {
+        issuer?: string;
+        audience?: string;
+    });
+    resolve(request: Request, env: Env): Promise<{
+        session: null;
+        accessJwt?: undefined;
+    } | {
+        session: Session;
+        accessJwt: string;
+    }>;
+    issue(session: Session, env: Env): Promise<{
+        cookie: string;
+        accessJwt: string;
+    }>;
+    clear(request: Request, _env: Env): Promise<{
+        cookie: string;
+    }>;
+}
+//# sourceMappingURL=durableObjectSession.d.ts.map

package/dist/sessions/durableObjectSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"durableObjectSession.d.ts","sourceRoot":"","sources":["../../src/sessions/durableObjectSession.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAIxE,qBAAa,4BAA6B,YAAW,eAAe;IAElE,OAAO,CAAC,GAAG;gBAAH,GAAG,EAAE,CAAC,kBAAkB,GAAG;QAAE,IAAI,EAAE,eAAe,CAAA;KAAE,CAAC,GAAG;QAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;KAClB;IAGI,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG;;;;iBA+BL,OAAO;;;IAGpC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG;;;;IAqChC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG;;;CAuBvC"}

package/dist/sessions/durableObjectSession.js

@@ -0,0 +1,90 @@
+import { signJwtHS256 } from '../utils/jwt';
+import { getCookie } from '.';
+export class DurableObjectSessionStrategy {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    async resolve(request, env) {
+        const sid = getCookie(request, this.cfg.cookieName ?? '__Host-sid');
+        if (!sid)
+            return { session: null };
+        const stub = this.cfg.doName.getByName(sid);
+        const res = await stub.fetch('https://do/session', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ op: 'get' }),
+        });
+        if (!res.ok)
+            return { session: null };
+        const data = (await res.json().catch(() => null));
+        if (!data?.session)
+            return { session: null };
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + 15 * 60;
+        const accessJwt = await signJwtHS256({
+            iss: this.cfg.issuer ?? 'auth-gateway',
+            aud: this.cfg.audience ?? 'internal-services',
+            sub: data.session.userId,
+            email: data.session.email,
+            iat: now,
+            nbf: now - 30,
+            exp,
+            jti: crypto.randomUUID(),
+        }, env[this.cfg.jwtSecretEnv]);
+        return { session: data.session, accessJwt };
+    }
+    async issue(session, env) {
+        const sid = crypto.randomUUID();
+        const stub = this.cfg.doName.getByName(sid);
+        const idleTtlSec = this.cfg.idleTtlSec ?? 14 * 24 * 60 * 60;
+        const absoluteTtlSec = this.cfg.absoluteTtlSec ?? 30 * 24 * 60 * 60;
+        const res = await stub.fetch('https://do/session', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ op: 'put', session, idleTtlSec, absoluteTtlSec }),
+        });
+        if (!res.ok)
+            throw new Error('session create failed');
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + 15 * 60;
+        const accessJwt = await signJwtHS256({
+            iss: this.cfg.issuer ?? 'auth-gateway',
+            aud: this.cfg.audience ?? 'internal-services',
+            sub: session.userId,
+            email: session.email,
+            iat: now,
+            nbf: now - 30,
+            exp,
+            jti: crypto.randomUUID(),
+        }, env[this.cfg.jwtSecretEnv]);
+        const cookieName = this.cfg.cookieName ?? '__Host-sid';
+        return {
+            cookie: `${cookieName}=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${idleTtlSec}; Priority=Medium`,
+            accessJwt,
+        };
+    }
+    async clear(request, _env) {
+        // Get the session ID from the cookie
+        const sid = getCookie(request, this.cfg.cookieName ?? '__Host-sid');
+        // If there's a session ID, inform the Durable Object to delete the session data
+        if (sid) {
+            try {
+                const stub = this.cfg.doName.getByName(sid);
+                await stub.fetch('https://do/session', {
+                    method: 'POST',
+                    headers: { 'content-type': 'application/json' },
+                    body: JSON.stringify({ op: 'delete' }),
+                });
+            }
+            catch (_) {
+                // Silently fail if we can't delete from the DO - still clear the cookie
+            }
+        }
+        // Invalidate the cookie by setting it to expire immediately
+        return {
+            cookie: `${this.cfg.cookieName ?? '__Host-sid'}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`,
+        };
+    }
+}
+//# sourceMappingURL=durableObjectSession.js.map

package/dist/sessions/durableObjectSession.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"durableObjectSession.js","sourceRoot":"","sources":["../../src/sessions/durableObjectSession.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,CAAC;AAE9B,MAAM,OAAO,4BAA4B;IAE/B;IADT,YACS,GAGP;QAHO,QAAG,GAAH,GAAG,CAGV;IACC,CAAC;IAEJ,KAAK,CAAC,OAAO,CAAC,OAAgB,EAAE,GAAQ;QACvC,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC;QACpE,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;SACnC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEtC,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAwC,CAAC;QACzF,IAAI,CAAC,IAAI,EAAE,OAAO;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAE7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,MAAM,YAAY,CACnC;YACC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,cAAc;YACtC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,mBAAmB;YAC7C,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YACxB,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;YACzB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,EAAE;YACb,GAAG;YACH,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;SACxB,EACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAE,CAC3B,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,OAAkB,EAAE,SAAS,EAAE,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAQ;QACrC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAE5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAC5D,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAEpE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,CAAC;SACxE,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAEtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,MAAM,YAAY,CACnC;YACC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,cAAc;YACtC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,mBAAmB;YAC7C,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,EAAE;YACb,GAAG;YACH,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;SACxB,EACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAE,CAC3B,CAAC;QAEF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,YAAY,CAAC;QACvD,OAAO;YACN,MAAM,EAAE,GAAG,UAAU,IAAI,GAAG,qDAAqD,UAAU,mBAAmB;YAC9G,SAAS;SACT,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,IAAS;QACtC,qCAAqC;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC;QAEpE,gFAAgF;QAChF,IAAI,GAAG,EAAE,CAAC;YACT,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC5C,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE;oBACtC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC;iBACtC,CAAC,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACZ,wEAAwE;YACzE,CAAC;QACF,CAAC;QAED,4DAA4D;QAC5D,OAAO;YACN,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,YAAY,sDAAsD;SACpG,CAAC;IACH,CAAC;CACD"}

package/dist/sessions/index.d.ts

@@ -0,0 +1,19 @@
+import type { SessionStrategy, SessionStrategyCfg } from '../types';
+/**
+ * Gets a cookie value from a request
+ *
+ * @export
+ * @param {Request} req
+ * @param {string} name
+ * @returns {string | null}
+ */
+export declare function getCookie(req: Request, name: string): string | null;
+/**
+ * Creates a session strategy based on configuration
+ *
+ * @export
+ * @param {SessionStrategyCfg} sessionCfg
+ * @returns {SessionStrategy}
+ */
+export declare function makeSessionStrategy(sessionCfg: SessionStrategyCfg): SessionStrategy;
+//# sourceMappingURL=index.d.ts.map

package/dist/sessions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAIpE;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKnE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,kBAAkB,GAAG,eAAe,CAKnF"}

package/dist/sessions/index.js

@@ -0,0 +1,32 @@
+import { JwtSessionStrategy } from './jwtSession';
+import { DurableObjectSessionStrategy } from './durableObjectSession';
+/**
+ * Gets a cookie value from a request
+ *
+ * @export
+ * @param {Request} req
+ * @param {string} name
+ * @returns {string | null}
+ */
+export function getCookie(req, name) {
+    const h = req.headers.get('cookie');
+    if (!h)
+        return null;
+    const m = h.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
+    return m ? decodeURIComponent(m[1]) : null;
+}
+/**
+ * Creates a session strategy based on configuration
+ *
+ * @export
+ * @param {SessionStrategyCfg} sessionCfg
+ * @returns {SessionStrategy}
+ */
+export function makeSessionStrategy(sessionCfg) {
+    if (sessionCfg.kind === 'jwt')
+        return new JwtSessionStrategy(sessionCfg);
+    if (sessionCfg.kind === 'durableObject')
+        return new DurableObjectSessionStrategy(sessionCfg);
+    throw new Error(`unknown session strategy kind: ${sessionCfg.kind}`);
+}
+//# sourceMappingURL=index.js.map

package/dist/sessions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAEtE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,GAAY,EAAE,IAAY;IACnD,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,WAAW,IAAI,UAAU,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAA8B;IACjE,IAAI,UAAU,CAAC,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,kBAAkB,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe;QAAE,OAAO,IAAI,4BAA4B,CAAC,UAAU,CAAC,CAAC;IAE7F,MAAM,IAAI,KAAK,CAAC,kCAAmC,UAAiC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9F,CAAC"}

package/dist/sessions/jwtSession.d.ts

@@ -0,0 +1,19 @@
+import { SessionStrategy, Session, SessionStrategyCfg } from '../types';
+export declare class JwtSessionStrategy implements SessionStrategy {
+    private cfg;
+    constructor(cfg: SessionStrategyCfg & {
+        kind: 'jwt';
+    });
+    resolve(request: Request, env: Env): Promise<{
+        session: null;
+    } | {
+        session: Session;
+    }>;
+    issue(session: Session, env: Env): Promise<{
+        cookie: string;
+    }>;
+    clear(_request: Request, _env: Env): Promise<{
+        cookie: string;
+    }>;
+}
+//# sourceMappingURL=jwtSession.d.ts.map

package/dist/sessions/jwtSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtSession.d.ts","sourceRoot":"","sources":["../../src/sessions/jwtSession.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAKxE,qBAAa,kBAAmB,YAAW,eAAe;IAC7C,OAAO,CAAC,GAAG;gBAAH,GAAG,EAAE,kBAAkB,GAAG;QAAE,IAAI,EAAE,KAAK,CAAA;KAAE;IAEvD,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG;;;iBAWhC,OAAO;;IAOT,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG;;;IAoBhC,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG;;;CAKxC"}

package/dist/sessions/jwtSession.js

@@ -0,0 +1,49 @@
+import { signJwtHS256, verifyJwtHS256 } from '../utils/jwt';
+import { getCookie } from '.';
+// Stateless cookie that IS the JWT
+export class JwtSessionStrategy {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    async resolve(request, env) {
+        const token = getCookie(request, this.cfg.cookieName ?? '__Host-session');
+        if (!token)
+            return { session: null };
+        try {
+            const payload = await verifyJwtHS256(token, env[this.cfg.jwtSecretEnv]);
+            return {
+                session: {
+                    userId: payload.sub,
+                    email: payload.email,
+                    systemRoles: payload.systemRoles,
+                },
+            };
+        }
+        catch {
+            return { session: null };
+        }
+    }
+    async issue(session, env) {
+        const expMinutes = this.cfg.expMinutes ?? 15;
+        const now = Math.floor(Date.now() / 1000);
+        const jwt = await signJwtHS256({
+            sub: session.userId,
+            email: session.email,
+            systemRoles: session.systemRoles,
+            iat: now,
+            nbf: now - 30,
+            exp: now + expMinutes * 60,
+            jti: crypto.randomUUID(),
+        }, env[this.cfg.jwtSecretEnv]);
+        return {
+            cookie: `${this.cfg.cookieName ?? '__Host-session'}=${jwt}; Path=/; HttpOnly; Secure; SameSite=Lax`,
+        };
+    }
+    async clear(_request, _env) {
+        return {
+            cookie: `${this.cfg.cookieName ?? '__Host-session'}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`,
+        };
+    }
+}
+//# sourceMappingURL=jwtSession.js.map

package/dist/sessions/jwtSession.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtSession.js","sourceRoot":"","sources":["../../src/sessions/jwtSession.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,CAAC;AAE9B,mCAAmC;AACnC,MAAM,OAAO,kBAAkB;IACV;IAApB,YAAoB,GAAyC;QAAzC,QAAG,GAAH,GAAG,CAAsC;IAAG,CAAC;IAEjE,KAAK,CAAC,OAAO,CAAC,OAAgB,EAAE,GAAQ;QACvC,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,gBAAgB,CAAC,CAAC;QAC1E,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAErC,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAE,CAAC,CAAC;YACzE,OAAO;gBACN,OAAO,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,GAAG;oBACnB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;iBACrB;aACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC1B,CAAC;IACF,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAQ;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,MAAM,YAAY,CAC7B;YACC,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,EAAE;YACb,GAAG,EAAE,GAAG,GAAG,UAAU,GAAG,EAAE;YAC1B,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;SACxB,EACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAE,CAC3B,CAAC;QACF,OAAO;YACN,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,gBAAgB,IAAI,GAAG,0CAA0C;SACnG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,QAAiB,EAAE,IAAS;QACvC,OAAO;YACN,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,gBAAgB,sDAAsD;SACxG,CAAC;IACH,CAAC;CACD"}

package/dist/stores/index.d.ts

@@ -0,0 +1,3 @@
+import type { UserStoreCfg, UserStore } from '../types';
+export declare function makeUserStore(cfg: UserStoreCfg): UserStore;
+//# sourceMappingURL=index.d.ts.map

package/dist/stores/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/stores/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAGxD,wBAAgB,aAAa,CAAC,GAAG,EAAE,YAAY,GAAG,SAAS,CAO1D"}

package/dist/stores/index.js

@@ -0,0 +1,10 @@
+import { PostgresUserStore } from './postgres';
+export function makeUserStore(cfg) {
+    switch (cfg.kind) {
+        case 'postgres':
+            return new PostgresUserStore(cfg.hyperdrive);
+        default:
+            throw new Error('UserStore kind not supported in this build');
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/stores/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/stores/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,MAAM,UAAU,aAAa,CAAC,GAAiB;IAC9C,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,UAAU;YACd,OAAO,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9C;YACC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;AACF,CAAC"}

package/dist/stores/postgres.d.ts

@@ -0,0 +1,74 @@
+import type { UserStore } from '../types';
+import { type Transaction, type Generated } from 'kysely';
+export interface DB {
+    users: {
+        id: Generated<string>;
+        username: string | null;
+        email: string;
+        system_roles: Generated<string[]>;
+        created_at: Generated<Date>;
+        last_login_at: Date | null;
+    };
+    user_states: {
+        user_id: string;
+        is_disabled: boolean;
+        disabled_at: Date | null;
+        disabled_by: string | null;
+        is_approved: boolean;
+        approved_at: Date | null;
+        approved_by: string | null;
+        is_email_verified: boolean;
+        email_verified_at: Date | null;
+        email_verification_token_hash: string | null;
+        created_at: Date;
+        updated_at: Date;
+    };
+    user_identities: {
+        id: Generated<number>;
+        user_id: string;
+        provider: string;
+        issuer: string;
+        subject: string;
+        created_at: Generated<Date>;
+    };
+    user_passwords: {
+        user_id: string;
+        password_hash: string;
+        created_at: Generated<Date>;
+        updated_at: Generated<Date>;
+    };
+}
+export declare class PostgresUserStore implements UserStore {
+    private pool;
+    private db;
+    constructor(hyperdrive: Hyperdrive);
+    findUserIdByIdentity(issuer: string, subject: string): Promise<string | null>;
+    findUserIdByEmail(email: string): Promise<string | null>;
+    createUserWithIdentity(email: string, identity: {
+        provider: string;
+        issuer: string;
+        subject: string;
+    }, generateUsernameFunc?: (email: string) => string): Promise<string>;
+    addIdentityToUser(userId: string, identity: {
+        provider: string;
+        issuer: string;
+        subject: string;
+    }): Promise<void>;
+    getUserRoles(userId: string): Promise<string[]>;
+    getUserStates(userId: string): Promise<DB['user_states'] | null>;
+    createUser(trx: Transaction<DB>, email: string, username?: string | null): Promise<{
+        id: string;
+    } | undefined>;
+    createUserStates(trx: Transaction<DB>, userId: string): Promise<void>;
+    createUserWithPassword(email: string, passwordHash: string, username?: string | null): Promise<string>;
+    getUserIdByEmailForPassword(email: string): Promise<{
+        userId: string;
+        passwordHash: string;
+    } | null>;
+    getPasswordHashByUserId(userId: string): Promise<string | null>;
+    setPasswordHash(userId: string, passwordHash: string): Promise<void>;
+    checkUsernameExists(username: string): Promise<boolean>;
+    checkEmailExists(email: string): Promise<boolean>;
+    destroy(): Promise<void>;
+}
+//# sourceMappingURL=postgres.d.ts.map

package/dist/stores/postgres.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres.d.ts","sourceRoot":"","sources":["../../src/stores/postgres.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C,OAAO,EAA2B,KAAK,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,QAAQ,CAAC;AAInF,MAAM,WAAW,EAAE;IAClB,KAAK,EAAE;QACN,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;QACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAClC,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5B,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC3B,CAAC;IACF,WAAW,EAAE;QACZ,OAAO,EAAE,MAAM,CAAC;QAEhB,WAAW,EAAE,OAAO,CAAC;QACrB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;QACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAE3B,WAAW,EAAE,OAAO,CAAC;QACrB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;QACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAE3B,iBAAiB,EAAE,OAAO,CAAC;QAC3B,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;QAC/B,6BAA6B,EAAE,MAAM,GAAG,IAAI,CAAC;QAE7C,UAAU,EAAE,IAAI,CAAC;QACjB,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC;IACF,eAAe,EAAE;QAChB,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;KAC5B,CAAC;IACF,cAAc,EAAE;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5B,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;KAC5B,CAAC;CACF;AAED,qBAAa,iBAAkB,YAAW,SAAS;IAClD,OAAO,CAAC,IAAI,CAAO;IACnB,OAAO,CAAC,EAAE,CAAa;gBAEX,UAAU,EAAE,UAAU;IAU5B,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAa7E,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAMxD,sBAAsB,CAC3B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,EAC/D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAC9C,OAAO,CAAC,MAAM,CAAC;IA+DZ,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BjH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAM/C,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;IAMhE,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAM,GAAG,IAAW,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,CAAC;IA0BpH,gBAAgB,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwBrE,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAM,GAAG,IAAW,GAAG,OAAO,CAAC,MAAM,CAAC;IAgC5G,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAWpG,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAM/D,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgBpE,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvD,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKjD,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAI9B"}