@ericminassian/auth 0.1.0

package/README.md

@@ -0,0 +1,90 @@
+# @ericminassian/auth
+
+TypeScript SDK for [auth.ericminassian.com](https://auth.ericminassian.com) — the
+OIDC provider for `*.ericminassian.com` apps. ESM-only; subpath exports keep the
+browser and server surfaces separate.
+
+```sh
+pnpm add @ericminassian/auth
+```
+
+## Browser (`/client`, `/react`)
+
+Authorization code + PKCE, run entirely in the browser:
+
+```ts
+import { createAuthClient } from "@ericminassian/auth/client";
+
+const auth = createAuthClient({
+  clientId: "my-app",
+  redirectUri: "https://my-app.ericminassian.com/callback",
+});
+
+// Kick off login
+await auth.signInWithRedirect();
+
+// On your /callback route
+const { returnTo } = await auth.handleRedirectCallback();
+
+// Call your API
+const token = await auth.getAccessToken();
+```
+
+React bindings:
+
+```tsx
+import { createAuthClient } from "@ericminassian/auth/client";
+import { AuthProvider, useAuth, useUser } from "@ericminassian/auth/react";
+
+const client = createAuthClient({ clientId: "my-app", redirectUri: "…/callback" });
+
+function App() {
+  return (
+    <AuthProvider client={client}>
+      <Profile />
+    </AuthProvider>
+  );
+}
+
+function Profile() {
+  const { state, signIn, signOut } = useAuth();
+  const user = useUser();
+  if (state.status !== "authenticated") return <button onClick={() => signIn()}>Sign in</button>;
+  return <button onClick={() => signOut()}>Sign out {user?.email}</button>;
+}
+```
+
+## Server (`/server`, `/server/hono`, `/server/express`)
+
+Verify access tokens locally against the JWKS (no network call per request, edge-safe):
+
+```ts
+import { createAuthVerifier } from "@ericminassian/auth/server";
+
+const verifier = createAuthVerifier({ audience: "my-app" });
+
+const result = await verifier.authenticateRequest(request);
+if (result.authenticated) {
+  console.log(result.claims.sub, result.claims.scope);
+}
+```
+
+Framework middleware:
+
+```ts
+import { authMiddleware } from "@ericminassian/auth/server/hono";
+app.use("/api/*", authMiddleware(verifier)); // claims at c.var.auth
+
+import { requireAuth } from "@ericminassian/auth/server/express";
+app.use("/api", requireAuth(verifier)); // claims at req.auth
+```
+
+`verifyLogoutToken` validates back-channel logout tokens at your RP's logout receiver.
+
+## Development
+
+```sh
+pnpm generate   # regenerate wire types from ../../openapi/openapi.json
+pnpm build      # tsdown → dist/
+pnpm test       # vitest
+```

package/dist/auth-client-DZWvgw3X.d.ts

@@ -0,0 +1,59 @@
+import { i as User } from "./index-CiPxwNnj.js";
+
+//#region src/client/storage.d.ts
+
+/**
+ * Pluggable persistence for the refresh token and the in-flight authorization
+ * transaction (PKCE verifier + state). Access tokens are never persisted —
+ * they live in memory only.
+ */
+interface TokenStorage {
+  get(key: string): string | null;
+  set(key: string, value: string): void;
+  remove(key: string): void;
+}
+//#endregion
+//#region src/client/auth-client.d.ts
+interface AuthClientOptions {
+  clientId: string;
+  redirectUri: string;
+  /** Defaults to `https://auth.ericminassian.com`. */
+  issuer?: string;
+  /** Defaults to `openid email offline_access`. */
+  scope?: string;
+  storage?: TokenStorage;
+}
+type AuthState = {
+  status: "loading";
+} | {
+  status: "authenticated";
+  user: User;
+} | {
+  status: "unauthenticated";
+};
+interface SignInOptions {
+  /** Where to return after the callback completes. Defaults to the current URL. */
+  returnTo?: string;
+}
+interface AuthClient {
+  /** Build a PKCE+state transaction and navigate to the authorize endpoint. */
+  signInWithRedirect(options?: SignInOptions): Promise<void>;
+  /** Complete the redirect: exchange the code for tokens. Returns the saved returnTo. */
+  handleRedirectCallback(url?: string): Promise<{
+    returnTo: string | undefined;
+  }>;
+  /** A valid access token, refreshing if necessary. Throws `login_required` if not signed in. */
+  getAccessToken(options?: {
+    forceRefresh?: boolean;
+  }): Promise<string>;
+  getUser(): User | undefined;
+  getState(): AuthState;
+  onStateChange(listener: (state: AuthState) => void): () => void;
+  /** Revoke the refresh token, clear local state, and navigate to end_session. */
+  signOut(options?: {
+    postLogoutRedirectUri?: string;
+  }): Promise<void>;
+}
+declare function createAuthClient(options: AuthClientOptions): AuthClient;
+//#endregion
+export { createAuthClient as a, SignInOptions as i, AuthClientOptions as n, TokenStorage as o, AuthState as r, AuthClient as t };

package/dist/client/index.d.ts

@@ -0,0 +1,3 @@
+import { i as User, n as AuthErrorCode, r as DEFAULT_ISSUER, t as AuthError } from "../index-CiPxwNnj.js";
+import { a as createAuthClient, i as SignInOptions, n as AuthClientOptions, o as TokenStorage, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+export { type AuthClient, type AuthClientOptions, AuthError, type AuthErrorCode, type AuthState, DEFAULT_ISSUER, type SignInOptions, type TokenStorage, type User, createAuthClient };

package/dist/client/index.js

@@ -0,0 +1,234 @@
+import { n as DEFAULT_ISSUER, t as AuthError } from "../src-C0axRlLQ.js";
+
+//#region src/client/pkce.ts
+/** PKCE (RFC 7636) S256 helpers, built on the Web Crypto API. */
+const VERIFIER_BYTES = 32;
+function base64url(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function randomBase64url(byteLength) {
+	const bytes = new Uint8Array(byteLength);
+	crypto.getRandomValues(bytes);
+	return base64url(bytes);
+}
+function createState() {
+	return randomBase64url(16);
+}
+async function createPkcePair() {
+	const verifier = randomBase64url(VERIFIER_BYTES);
+	const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+	return {
+		verifier,
+		challenge: base64url(new Uint8Array(digest))
+	};
+}
+
+//#endregion
+//#region src/client/storage.ts
+/** Default storage: `sessionStorage` when available, else an in-memory map. */
+function defaultStorage() {
+	if (typeof sessionStorage !== "undefined") return {
+		get: (key) => sessionStorage.getItem(key),
+		set: (key, value) => sessionStorage.setItem(key, value),
+		remove: (key) => sessionStorage.removeItem(key)
+	};
+	const map = /* @__PURE__ */ new Map();
+	return {
+		get: (key) => map.get(key) ?? null,
+		set: (key, value) => {
+			map.set(key, value);
+		},
+		remove: (key) => {
+			map.delete(key);
+		}
+	};
+}
+
+//#endregion
+//#region src/client/auth-client.ts
+const TX_KEY = "ema_auth_tx";
+const RT_KEY = "ema_auth_rt";
+const ID_KEY = "ema_auth_id";
+const EXPIRY_SKEW_SECONDS = 30;
+function createAuthClient(options) {
+	const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\/$/, "");
+	const scope = options.scope ?? "openid email offline_access";
+	const storage = options.storage ?? defaultStorage();
+	let discovery;
+	let cachedToken;
+	let user = decodeStoredUser(storage);
+	let state = user ? {
+		status: "authenticated",
+		user
+	} : { status: "unauthenticated" };
+	const listeners = /* @__PURE__ */ new Set();
+	function setState(next) {
+		state = next;
+		user = next.status === "authenticated" ? next.user : void 0;
+		for (const listener of listeners) listener(state);
+	}
+	function getDiscovery() {
+		discovery ??= fetchJson(`${issuer}/.well-known/openid-configuration`).catch(() => {
+			discovery = void 0;
+			throw new AuthError("network_error", "failed to load OIDC discovery document");
+		});
+		return discovery;
+	}
+	async function exchange(body) {
+		const { token_endpoint } = await getDiscovery();
+		const response = await fetch(token_endpoint, {
+			method: "POST",
+			headers: { "content-type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams(body)
+		});
+		if (!response.ok) throw new AuthError(body.grant_type === "refresh_token" ? "token_refresh_failed" : "invalid_grant", "token endpoint rejected the request");
+		const tokens = await response.json();
+		cachedToken = {
+			accessToken: tokens.access_token,
+			expiresAt: Date.now() + (tokens.expires_in - EXPIRY_SKEW_SECONDS) * 1e3
+		};
+		if (tokens.refresh_token) storage.set(RT_KEY, tokens.refresh_token);
+		if (tokens.id_token) {
+			storage.set(ID_KEY, tokens.id_token);
+			const next = userFromIdToken(tokens.id_token);
+			if (next) setState({
+				status: "authenticated",
+				user: next
+			});
+		}
+	}
+	return {
+		async signInWithRedirect(signInOptions) {
+			const { authorization_endpoint } = await getDiscovery();
+			const pkce = await createPkcePair();
+			const tx = {
+				verifier: pkce.verifier,
+				state: createState(),
+				returnTo: signInOptions?.returnTo ?? currentUrl()
+			};
+			storage.set(TX_KEY, JSON.stringify(tx));
+			const url = new URL(authorization_endpoint);
+			url.search = new URLSearchParams({
+				response_type: "code",
+				client_id: options.clientId,
+				redirect_uri: options.redirectUri,
+				scope,
+				state: tx.state,
+				code_challenge: pkce.challenge,
+				code_challenge_method: "S256"
+			}).toString();
+			redirect(url.toString());
+		},
+		async handleRedirectCallback(url) {
+			const params = new URL(url ?? currentUrl()).searchParams;
+			const raw = storage.get(TX_KEY);
+			storage.remove(TX_KEY);
+			if (!raw) throw new AuthError("state_mismatch", "no authorization transaction in progress");
+			const tx = JSON.parse(raw);
+			if (params.get("error")) throw new AuthError("invalid_grant", params.get("error_description") ?? params.get("error") ?? "authorization failed");
+			if (params.get("state") !== tx.state) throw new AuthError("state_mismatch", "state parameter mismatch");
+			const code = params.get("code");
+			if (!code) throw new AuthError("invalid_grant", "missing authorization code");
+			await exchange({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: options.redirectUri,
+				client_id: options.clientId,
+				code_verifier: tx.verifier
+			});
+			return { returnTo: tx.returnTo };
+		},
+		async getAccessToken(getOptions) {
+			if (!getOptions?.forceRefresh && cachedToken && cachedToken.expiresAt > Date.now()) return cachedToken.accessToken;
+			const refreshToken = storage.get(RT_KEY);
+			if (!refreshToken) throw new AuthError("login_required", "no refresh token available");
+			try {
+				await exchange({
+					grant_type: "refresh_token",
+					refresh_token: refreshToken,
+					client_id: options.clientId
+				});
+			} catch (error) {
+				storage.remove(RT_KEY);
+				storage.remove(ID_KEY);
+				setState({ status: "unauthenticated" });
+				if (error instanceof AuthError) throw new AuthError("login_required", error.message);
+				throw new AuthError("login_required");
+			}
+			if (!cachedToken) throw new AuthError("login_required");
+			return cachedToken.accessToken;
+		},
+		getUser: () => user,
+		getState: () => state,
+		onStateChange(listener) {
+			listeners.add(listener);
+			return () => listeners.delete(listener);
+		},
+		async signOut(signOutOptions) {
+			const idToken = storage.get(ID_KEY);
+			const refreshToken = storage.get(RT_KEY);
+			const { end_session_endpoint, revocation_endpoint } = await getDiscovery();
+			if (refreshToken) await fetch(revocation_endpoint, {
+				method: "POST",
+				headers: { "content-type": "application/x-www-form-urlencoded" },
+				body: new URLSearchParams({ token: refreshToken })
+			}).catch(() => void 0);
+			storage.remove(RT_KEY);
+			storage.remove(ID_KEY);
+			cachedToken = void 0;
+			setState({ status: "unauthenticated" });
+			const url = new URL(end_session_endpoint);
+			const search = new URLSearchParams();
+			if (idToken) search.set("id_token_hint", idToken);
+			search.set("client_id", options.clientId);
+			const postLogout = signOutOptions?.postLogoutRedirectUri;
+			if (postLogout) search.set("post_logout_redirect_uri", postLogout);
+			url.search = search.toString();
+			redirect(url.toString());
+		}
+	};
+}
+function decodeStoredUser(storage) {
+	const idToken = storage.get(ID_KEY);
+	return idToken ? userFromIdToken(idToken) : void 0;
+}
+/**
+* Decode (not verify) the ID token to surface profile info in the UI. The
+* token arrives directly from the token endpoint over TLS; RP *backends* must
+* still verify via the server entry point's JWKS check.
+*/
+function userFromIdToken(idToken) {
+	const parts = idToken.split(".");
+	if (parts.length !== 3) return void 0;
+	try {
+		const payload = JSON.parse(base64urlDecode(parts[1] ?? ""));
+		if (!payload.sub) return void 0;
+		if (typeof payload.exp === "number" && payload.exp * 1e3 <= Date.now()) return;
+		const user = { sub: payload.sub };
+		if (payload.email !== void 0) user.email = payload.email;
+		if (payload.email_verified !== void 0) user.emailVerified = payload.email_verified;
+		return user;
+	} catch {
+		return;
+	}
+}
+function base64urlDecode(input) {
+	const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+	return atob(padded);
+}
+async function fetchJson(url) {
+	const response = await fetch(url);
+	if (!response.ok) throw new Error(`fetch ${url} failed: ${response.status}`);
+	return await response.json();
+}
+function currentUrl() {
+	return typeof location !== "undefined" ? location.href : "";
+}
+function redirect(url) {
+	if (typeof location !== "undefined") location.assign(url);
+}
+
+//#endregion
+export { AuthError, DEFAULT_ISSUER, createAuthClient };

package/dist/index-CiPxwNnj.d.ts

@@ -0,0 +1,20 @@
+//#region src/index.d.ts
+/**
+ * Shared surface for `@ericminassian/auth`: error type, public user shape,
+ * and the default issuer. Import the client, react, or server entry points
+ * for actual functionality.
+ */
+declare const DEFAULT_ISSUER = "https://auth.ericminassian.com";
+type AuthErrorCode = "invalid_grant" | "login_required" | "token_refresh_failed" | "state_mismatch" | "network_error" | "invalid_token" | "configuration_error";
+declare class AuthError extends Error {
+  readonly code: AuthErrorCode;
+  constructor(code: AuthErrorCode, message?: string);
+}
+/** The authenticated subject, derived from the ID token / userinfo. */
+interface User {
+  sub: string;
+  email?: string;
+  emailVerified?: boolean;
+}
+//#endregion
+export { User as i, AuthErrorCode as n, DEFAULT_ISSUER as r, AuthError as t };

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+import { i as User, n as AuthErrorCode, r as DEFAULT_ISSUER, t as AuthError } from "./index-CiPxwNnj.js";
+export { AuthError, AuthErrorCode, DEFAULT_ISSUER, User };

package/dist/index.js

@@ -0,0 +1,3 @@
+import { n as DEFAULT_ISSUER, t as AuthError } from "./src-C0axRlLQ.js";
+
+export { AuthError, DEFAULT_ISSUER };

package/dist/react/index.d.ts

@@ -0,0 +1,23 @@
+import { i as User } from "../index-CiPxwNnj.js";
+import { i as SignInOptions, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+import { ReactNode } from "react";
+
+//#region src/react/context.d.ts
+interface AuthContextValue {
+  state: AuthState;
+  signIn: (options?: SignInOptions) => Promise<void>;
+  signOut: (options?: {
+    postLogoutRedirectUri?: string;
+  }) => Promise<void>;
+  getAccessToken: (options?: {
+    forceRefresh?: boolean;
+  }) => Promise<string>;
+}
+declare function AuthProvider(props: {
+  client: AuthClient;
+  children: ReactNode;
+}): ReactNode;
+declare function useAuth(): AuthContextValue;
+declare function useUser(): User | undefined;
+//#endregion
+export { type AuthContextValue, AuthProvider, useAuth, useUser };

package/dist/react/index.js

@@ -0,0 +1,31 @@
+import { createContext, createElement, useContext, useEffect, useMemo, useState } from "react";
+
+//#region src/react/context.tsx
+const AuthContext = createContext(void 0);
+function AuthProvider(props) {
+	const { client, children } = props;
+	const [state, setState] = useState(() => client.getState());
+	useEffect(() => {
+		setState(client.getState());
+		return client.onStateChange(setState);
+	}, [client]);
+	const value = useMemo(() => ({
+		state,
+		signIn: (options) => client.signInWithRedirect(options),
+		signOut: (options) => client.signOut(options),
+		getAccessToken: (options) => client.getAccessToken(options)
+	}), [client, state]);
+	return createElement(AuthContext.Provider, { value }, children);
+}
+function useAuth() {
+	const context = useContext(AuthContext);
+	if (!context) throw new Error("useAuth must be used within an <AuthProvider>");
+	return context;
+}
+function useUser() {
+	const { state } = useAuth();
+	return state.status === "authenticated" ? state.user : void 0;
+}
+
+//#endregion
+export { AuthProvider, useAuth, useUser };

package/dist/server/express.d.ts

@@ -0,0 +1,18 @@
+import { r as AuthVerifier, t as AccessTokenClaims } from "../verify-QJxbHc6P.js";
+import { RequestHandler } from "express";
+
+//#region src/server/express.d.ts
+declare global {
+  namespace Express {
+    interface Request {
+      auth?: AccessTokenClaims;
+    }
+  }
+}
+/**
+ * Express middleware that verifies the Bearer access token and attaches the
+ * claims to `req.auth`. Responds 401 when the token is missing or invalid.
+ */
+declare function requireAuth(verifier: AuthVerifier): RequestHandler;
+//#endregion
+export { requireAuth };

package/dist/server/express.js

@@ -0,0 +1,22 @@
+//#region src/server/express.ts
+/**
+* Express middleware that verifies the Bearer access token and attaches the
+* claims to `req.auth`. Responds 401 when the token is missing or invalid.
+*/
+function requireAuth(verifier) {
+	return (req, res, next) => {
+		const header = req.header("authorization");
+		const request = new Request("http://local/", { headers: header ? { authorization: header } : {} });
+		verifier.authenticateRequest(request).then((result) => {
+			if (!result.authenticated) {
+				res.status(401).json({ error: "unauthorized" });
+				return;
+			}
+			req.auth = result.claims;
+			next();
+		}).catch(next);
+	};
+}
+
+//#endregion
+export { requireAuth };

package/dist/server/hono.d.ts

@@ -0,0 +1,16 @@
+import { r as AuthVerifier, t as AccessTokenClaims } from "../verify-QJxbHc6P.js";
+import { MiddlewareHandler } from "hono";
+
+//#region src/server/hono.d.ts
+declare module "hono" {
+  interface ContextVariableMap {
+    auth: AccessTokenClaims;
+  }
+}
+/**
+ * Hono middleware that verifies the Bearer access token and stores the claims
+ * at `c.var.auth`. Responds 401 when the token is missing or invalid.
+ */
+declare function authMiddleware(verifier: AuthVerifier): MiddlewareHandler;
+//#endregion
+export { authMiddleware };

package/dist/server/hono.js

@@ -0,0 +1,16 @@
+//#region src/server/hono.ts
+/**
+* Hono middleware that verifies the Bearer access token and stores the claims
+* at `c.var.auth`. Responds 401 when the token is missing or invalid.
+*/
+function authMiddleware(verifier) {
+	return async (c, next) => {
+		const result = await verifier.authenticateRequest(c.req.raw);
+		if (!result.authenticated) return c.json({ error: "unauthorized" }, 401);
+		c.set("auth", result.claims);
+		await next();
+	};
+}
+
+//#endregion
+export { authMiddleware };

package/dist/server/index.d.ts

@@ -0,0 +1,3 @@
+import { n as AuthErrorCode, t as AuthError } from "../index-CiPxwNnj.js";
+import { a as createAuthVerifier, i as VerifierOptions, n as AuthResult, r as AuthVerifier, t as AccessTokenClaims } from "../verify-QJxbHc6P.js";
+export { type AccessTokenClaims, AuthError, type AuthErrorCode, type AuthResult, type AuthVerifier, type VerifierOptions, createAuthVerifier };

package/dist/server/index.js

@@ -0,0 +1,72 @@
+import { n as DEFAULT_ISSUER, t as AuthError } from "../src-C0axRlLQ.js";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+
+//#region src/server/verify.ts
+function createAuthVerifier(options) {
+	const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\/$/, "");
+	const clockTolerance = options.clockTolerance ?? "30s";
+	const jwks = createRemoteJWKSet(new URL(`${issuer}/.well-known/jwks.json`));
+	async function verifyAccessToken(token) {
+		try {
+			const { payload } = await jwtVerify(token, jwks, {
+				issuer,
+				audience: options.audience,
+				clockTolerance,
+				typ: "at+jwt",
+				algorithms: ["ES256"]
+			});
+			return payload;
+		} catch (error) {
+			throw new AuthError("invalid_token", describe(error));
+		}
+	}
+	return {
+		verifyAccessToken,
+		async authenticateRequest(request) {
+			const header = request.headers.get("authorization");
+			const token = header?.startsWith("Bearer ") ? header.slice(7) : void 0;
+			if (!token) return {
+				authenticated: false,
+				reason: "missing"
+			};
+			try {
+				return {
+					authenticated: true,
+					claims: await verifyAccessToken(token)
+				};
+			} catch {
+				return {
+					authenticated: false,
+					reason: "invalid"
+				};
+			}
+		},
+		async verifyLogoutToken(token) {
+			try {
+				const { payload } = await jwtVerify(token, jwks, {
+					issuer,
+					audience: options.audience,
+					clockTolerance,
+					typ: "logout+jwt",
+					algorithms: ["ES256"]
+				});
+				if (!payload["events"]?.["http://schemas.openid.net/event/backchannel-logout"]) throw new AuthError("invalid_token", "not a back-channel logout token");
+				if ("nonce" in payload) throw new AuthError("invalid_token", "logout token must not contain a nonce");
+				const result = {};
+				if (typeof payload.sub === "string") result.sub = payload.sub;
+				if (typeof payload["sid"] === "string") result.sid = payload["sid"];
+				if (result.sub === void 0 && result.sid === void 0) throw new AuthError("invalid_token", "logout token has neither sub nor sid");
+				return result;
+			} catch (error) {
+				if (error instanceof AuthError) throw error;
+				throw new AuthError("invalid_token", describe(error));
+			}
+		}
+	};
+}
+function describe(error) {
+	return error instanceof Error ? error.message : "token verification failed";
+}
+
+//#endregion
+export { AuthError, createAuthVerifier };

package/dist/src-C0axRlLQ.js

@@ -0,0 +1,18 @@
+//#region src/index.ts
+/**
+* Shared surface for `@ericminassian/auth`: error type, public user shape,
+* and the default issuer. Import the client, react, or server entry points
+* for actual functionality.
+*/
+const DEFAULT_ISSUER = "https://auth.ericminassian.com";
+var AuthError = class extends Error {
+	code;
+	constructor(code, message) {
+		super(message ?? code);
+		this.name = "AuthError";
+		this.code = code;
+	}
+};
+
+//#endregion
+export { DEFAULT_ISSUER as n, AuthError as t };

package/dist/verify-QJxbHc6P.d.ts

@@ -0,0 +1,40 @@
+//#region src/server/verify.d.ts
+interface VerifierOptions {
+  /** Your registered `client_id` — checked against the token `aud`. */
+  audience: string;
+  /** Defaults to `https://auth.ericminassian.com`. */
+  issuer?: string;
+  /** Clock skew tolerance, e.g. `"30s"`. Defaults to `"30s"`. */
+  clockTolerance?: string;
+}
+interface AccessTokenClaims {
+  sub: string;
+  sid: string;
+  scope: string;
+  client_id: string;
+  iat: number;
+  exp: number;
+  jti: string;
+  email?: string;
+}
+type AuthResult = {
+  authenticated: true;
+  claims: AccessTokenClaims;
+} | {
+  authenticated: false;
+  reason: "missing" | "invalid" | "expired";
+};
+interface AuthVerifier {
+  /** Verify a Bearer access token; throws `AuthError` on failure. */
+  verifyAccessToken(token: string): Promise<AccessTokenClaims>;
+  /** Inspect an HTTP `Request`'s `Authorization: Bearer` header. Never throws. */
+  authenticateRequest(request: Request): Promise<AuthResult>;
+  /** Verify a back-channel logout token (for an RP's logout receiver). */
+  verifyLogoutToken(token: string): Promise<{
+    sub?: string;
+    sid?: string;
+  }>;
+}
+declare function createAuthVerifier(options: VerifierOptions): AuthVerifier;
+//#endregion
+export { createAuthVerifier as a, VerifierOptions as i, AuthResult as n, AuthVerifier as r, AccessTokenClaims as t };

package/package.json

@@ -0,0 +1,84 @@
+{
+  "name": "@ericminassian/auth",
+  "version": "0.1.0",
+  "description": "TypeScript SDK for auth.ericminassian.com — OIDC client, React bindings, and server-side JWT verification.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/eric-minassian/auth.git",
+    "directory": "packages/auth-sdk"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "engines": {
+    "node": ">=20.19"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "default": "./dist/client/index.js"
+    },
+    "./react": {
+      "types": "./dist/react/index.d.ts",
+      "default": "./dist/react/index.js"
+    },
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "default": "./dist/server/index.js"
+    },
+    "./server/hono": {
+      "types": "./dist/server/hono.d.ts",
+      "default": "./dist/server/hono.js"
+    },
+    "./server/express": {
+      "types": "./dist/server/express.d.ts",
+      "default": "./dist/server/express.js"
+    }
+  },
+  "scripts": {
+    "build": "tsdown",
+    "typecheck": "tsc --noEmit",
+    "generate": "openapi-typescript ../../openapi/openapi.json -o src/generated/api.d.ts",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "jose": "^6"
+  },
+  "peerDependencies": {
+    "react": ">=18",
+    "hono": ">=4",
+    "express": ">=5"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    },
+    "hono": {
+      "optional": true
+    },
+    "express": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.0",
+    "@types/react": "^19",
+    "express": "^5.1.0",
+    "hono": "^4.6.0",
+    "openapi-typescript": "^7.4.0",
+    "react": "^19.0.0",
+    "tsdown": "^0.15.0",
+    "typescript": "~5.7.0",
+    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}