@factiii/auth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +120 -0
  3. package/bin/init.mjs +315 -0
  4. package/dist/chunk-CLHDX2R2.mjs +118 -0
  5. package/dist/chunk-CLHDX2R2.mjs.map +1 -0
  6. package/dist/hooks-B4Kl294A.d.mts +400 -0
  7. package/dist/hooks-B4Kl294A.d.ts +400 -0
  8. package/dist/index.d.mts +1061 -0
  9. package/dist/index.d.ts +1061 -0
  10. package/dist/index.js +2096 -0
  11. package/dist/index.js.map +1 -0
  12. package/dist/index.mjs +1947 -0
  13. package/dist/index.mjs.map +1 -0
  14. package/dist/validators.d.mts +2 -0
  15. package/dist/validators.d.ts +2 -0
  16. package/dist/validators.js +164 -0
  17. package/dist/validators.js.map +1 -0
  18. package/dist/validators.mjs +51 -0
  19. package/dist/validators.mjs.map +1 -0
  20. package/package.json +104 -0
  21. package/prisma/schema.prisma +138 -0
package/dist/index.d.mts ADDED
@@ -0,0 +1,1061 @@
1
+ import * as http from 'http';
2
+ import * as SuperJSON from 'superjson';
3
+ import SuperJSON__default from 'superjson';
4
+ import * as _prisma_client from '@prisma/client';
5
+ import { PrismaClient } from '@prisma/client';
6
+ import * as _trpc_server from '@trpc/server';
7
+ import * as zod from 'zod';
8
+ import { CreateHTTPContextOptions } from '@trpc/server/adapters/standalone';
9
+ import { S as SchemaExtensions, A as AuthHooks } from './hooks-B4Kl294A.mjs';
10
+ export { C as ChangePasswordInput, L as LoginInput, a as LogoutInput, O as OAuthLoginInput, R as ResetPasswordInput, b as SignupInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, e as endAllSessionsSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, r as requestPasswordResetSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B4Kl294A.mjs';
11
+ import { SignOptions } from 'jsonwebtoken';
12
+
13
+ //# sourceMappingURL=TRPCError.d.ts.map
14
+ //#endregion
15
+ //#region src/vendor/standard-schema-v1/spec.d.ts
16
+ /**
17
+ *
18
+ * @see https://github.com/standard-schema/standard-schema/blob/main/packages/spec/src/index.ts
19
+ */
20
+ /** The Standard Schema interface. */
21
+ interface StandardSchemaV1<Input = unknown, Output = Input> {
22
+ /** The Standard Schema properties. */
23
+ readonly '~standard': StandardSchemaV1.Props<Input, Output>;
24
+ }
25
+ declare namespace StandardSchemaV1 {
26
+ /** The Standard Schema properties interface. */
27
+ interface Props<Input = unknown, Output = Input> {
28
+ /** The version number of the standard. */
29
+ readonly version: 1;
30
+ /** The vendor name of the schema library. */
31
+ readonly vendor: string;
32
+ /** Validates unknown input values. */
33
+ readonly validate: (value: unknown) => Result<Output> | Promise<Result<Output>>;
34
+ /** Inferred types associated with the schema. */
35
+ readonly types?: Types<Input, Output> | undefined;
36
+ }
37
+ /** The result interface of the validate function. */
38
+ type Result<Output> = SuccessResult<Output> | FailureResult;
39
+ /** The result interface if validation succeeds. */
40
+ interface SuccessResult<Output> {
41
+ /** The typed output value. */
42
+ readonly value: Output;
43
+ /** The non-existent issues. */
44
+ readonly issues?: undefined;
45
+ }
46
+ /** The result interface if validation fails. */
47
+ interface FailureResult {
48
+ /** The issues of failed validation. */
49
+ readonly issues: ReadonlyArray<Issue>;
50
+ }
51
+ /** The issue interface of the failure output. */
52
+ interface Issue {
53
+ /** The error message of the issue. */
54
+ readonly message: string;
55
+ /** The path of the issue, if any. */
56
+ readonly path?: ReadonlyArray<PropertyKey | PathSegment> | undefined;
57
+ }
58
+ /** The path segment interface of the issue. */
59
+ interface PathSegment {
60
+ /** The key representing a path segment. */
61
+ readonly key: PropertyKey;
62
+ }
63
+ /** The Standard Schema types interface. */
64
+ interface Types<Input = unknown, Output = Input> {
65
+ /** The input type of the schema. */
66
+ readonly input: Input;
67
+ /** The output type of the schema. */
68
+ readonly output: Output;
69
+ }
70
+ /** Infers the input type of a Standard Schema. */
71
+ type InferInput<Schema extends StandardSchemaV1> = NonNullable<Schema['~standard']['types']>['input'];
72
+ /** Infers the output type of a Standard Schema. */
73
+ type InferOutput<Schema extends StandardSchemaV1> = NonNullable<Schema['~standard']['types']>['output'];
74
+ }
75
+ //# sourceMappingURL=spec.d.ts.map
76
+ //#endregion
77
+ //#region src/unstable-core-do-not-import/parser.d.ts
78
+ type ParserZodEsque<TInput, TParsedInput> = {
79
+ _input: TInput;
80
+ _output: TParsedInput;
81
+ };
82
+ type ParserValibotEsque<TInput, TParsedInput> = {
83
+ schema: {
84
+ _types?: {
85
+ input: TInput;
86
+ output: TParsedInput;
87
+ };
88
+ };
89
+ };
90
+ type ParserArkTypeEsque<TInput, TParsedInput> = {
91
+ inferIn: TInput;
92
+ infer: TParsedInput;
93
+ };
94
+ type ParserStandardSchemaEsque<TInput, TParsedInput> = StandardSchemaV1<TInput, TParsedInput>;
95
+ type ParserMyZodEsque<TInput> = {
96
+ parse: (input: any) => TInput;
97
+ };
98
+ type ParserSuperstructEsque<TInput> = {
99
+ create: (input: unknown) => TInput;
100
+ };
101
+ type ParserCustomValidatorEsque<TInput> = (input: unknown) => Promise<TInput> | TInput;
102
+ type ParserYupEsque<TInput> = {
103
+ validateSync: (input: unknown) => TInput;
104
+ };
105
+ type ParserScaleEsque<TInput> = {
106
+ assert(value: unknown): asserts value is TInput;
107
+ };
108
+ type ParserWithoutInput<TInput> = ParserCustomValidatorEsque<TInput> | ParserMyZodEsque<TInput> | ParserScaleEsque<TInput> | ParserSuperstructEsque<TInput> | ParserYupEsque<TInput>;
109
+ type ParserWithInputOutput<TInput, TParsedInput> = ParserZodEsque<TInput, TParsedInput> | ParserValibotEsque<TInput, TParsedInput> | ParserArkTypeEsque<TInput, TParsedInput> | ParserStandardSchemaEsque<TInput, TParsedInput>;
110
+ type Parser = ParserWithInputOutput<any, any> | ParserWithoutInput<any>;
111
+ type inferParser<TParser extends Parser> = TParser extends ParserStandardSchemaEsque<infer $TIn, infer $TOut> ? {
112
+ in: $TIn;
113
+ out: $TOut;
114
+ } : TParser extends ParserWithInputOutput<infer $TIn, infer $TOut> ? {
115
+ in: $TIn;
116
+ out: $TOut;
117
+ } : TParser extends ParserWithoutInput<infer $InOut> ? {
118
+ in: $InOut;
119
+ out: $InOut;
120
+ } : never;//# sourceMappingURL=unstable-core-do-not-import.d-1RewV6pM.d.mts.map
121
+
122
+ /**
123
+ * Email service adapter interface
124
+ * Implement this interface to integrate your email service
125
+ */
126
+ interface EmailAdapter {
127
+ /**
128
+ * Send email verification email with OTP code
129
+ */
130
+ sendVerificationEmail(email: string, code: string): Promise<void>;
131
+ /**
132
+ * Send password reset email with token/link
133
+ */
134
+ sendPasswordResetEmail(email: string, token: string): Promise<void>;
135
+ /**
136
+ * Send OTP for passwordless login or 2FA reset
137
+ */
138
+ sendOTPEmail(email: string, otp: number): Promise<void>;
139
+ /**
140
+ * Send login notification to existing devices
141
+ */
142
+ sendLoginNotification?(email: string, browserName: string, ip?: string): Promise<void>;
143
+ }
144
+ /**
145
+ * No-op email adapter as default
146
+ */
147
+ declare function createNoopEmailAdapter(): EmailAdapter;
148
+ /**
149
+ * Console email adapter for development - logs emails to console
150
+ */
151
+ declare function createConsoleEmailAdapter(): EmailAdapter;
152
+
153
+ /**
154
+ * JWT payload structure
155
+ */
156
+ interface JwtPayload {
157
+ id: number;
158
+ userId: number;
159
+ verifiedHumanAt: Date | null;
160
+ exp?: number;
161
+ iat?: number;
162
+ }
163
+ /**
164
+ * Credentials returned after successful authentication
165
+ */
166
+ interface AuthCredentials {
167
+ accessToken: string;
168
+ refreshToken: string;
169
+ }
170
+ /**
171
+ * Cookie settings for auth tokens
172
+ */
173
+ interface CookieSettings {
174
+ secure: boolean;
175
+ sameSite: 'Strict' | 'Lax' | 'None';
176
+ domain?: string;
177
+ httpOnly: boolean;
178
+ accessTokenPath: string;
179
+ refreshTokenPath: string;
180
+ maxAge: number;
181
+ }
182
+
183
+ type OAuthProvider = 'GOOGLE' | 'APPLE';
184
+ interface OAuthResult {
185
+ email: string;
186
+ oauthId: string;
187
+ }
188
+ /**
189
+ * OAuth keys configuration for Google and Apple providers
190
+ */
191
+ interface OAuthKeys {
192
+ google?: {
193
+ clientId: string;
194
+ clientSecret?: string;
195
+ iosClientId?: string;
196
+ };
197
+ apple?: {
198
+ clientId: string;
199
+ iosClientId?: string;
200
+ };
201
+ }
202
+ /**
203
+ * OAuth verification error
204
+ */
205
+ declare class OAuthVerificationError extends Error {
206
+ readonly statusCode: number;
207
+ constructor(message: string, statusCode?: number);
208
+ }
209
+ /**
210
+ * Creates an OAuth token verifier with the provided keys
211
+ * @param keys OAuth provider keys configuration
212
+ * @returns A function to verify OAuth tokens
213
+ */
214
+ declare function createOAuthVerifier(keys: OAuthKeys): (provider: OAuthProvider, token: string, extra?: {
215
+ email?: string;
216
+ }) => Promise<OAuthResult>;
217
+
218
+ /**
219
+ * Token and OTP expiry settings
220
+ */
221
+ interface TokenSettings {
222
+ /** Access token expiry (e.g., '5m', '1h') */
223
+ accessTokenExpiry: string;
224
+ /** Password reset token expiry in ms (default: 1 hour) */
225
+ passwordResetExpiryMs: number;
226
+ /** OTP validity window in ms (default: 15 minutes) */
227
+ otpValidityMs: number;
228
+ }
229
+ /**
230
+ * Feature flags for optional auth features
231
+ */
232
+ interface AuthFeatures {
233
+ /** Enable two-factor authentication */
234
+ twoFa?: boolean;
235
+ /** OAuth providers configuration */
236
+ oauth?: {
237
+ google?: boolean;
238
+ apple?: boolean;
239
+ };
240
+ /** Enable biometric verification */
241
+ biometric?: boolean;
242
+ /** Enable email verification */
243
+ emailVerification?: boolean;
244
+ /** Enable password reset via email */
245
+ passwordReset?: boolean;
246
+ /** Enable OTP-based login */
247
+ otpLogin?: boolean;
248
+ }
249
+ interface AuthConfig<TExtensions extends SchemaExtensions = {}> {
250
+ /**
251
+ * Prisma client instance with required models
252
+ */
253
+ prisma: PrismaClient;
254
+ /**
255
+ * Secret keys for JWT signing
256
+ */
257
+ secrets: {
258
+ jwt: string;
259
+ };
260
+ /**
261
+ * Email service adapter for sending verification/reset emails
262
+ */
263
+ emailService?: EmailAdapter;
264
+ /**
265
+ * Lifecycle hooks for business logic
266
+ * Receives extended input types based on schemaExtensions
267
+ */
268
+ hooks?: AuthHooks<TExtensions>;
269
+ /**
270
+ * Feature flags
271
+ */
272
+ features?: AuthFeatures;
273
+ /**
274
+ * Token expiry settings
275
+ */
276
+ tokenSettings?: TokenSettings;
277
+ /**
278
+ * Cookie configuration
279
+ */
280
+ cookieSettings?: Partial<CookieSettings>;
281
+ /**
282
+ * OAuth keys for Google and Apple providers
283
+ * Required if OAuth is enabled
284
+ */
285
+ oauthKeys?: OAuthKeys;
286
+ /**
287
+ * Username generator for OAuth signups
288
+ * Defaults to a simple email-based generator
289
+ */
290
+ generateUsername?: () => string;
291
+ /**
292
+ * Cookie storage keys
293
+ */
294
+ storageKeys?: {
295
+ accessToken: string;
296
+ refreshToken: string;
297
+ };
298
+ /**
299
+ * Schema extensions for adding custom fields to auth inputs
300
+ * Extensions are merged with base schemas and validated automatically
301
+ * Custom fields are then available in hooks with proper typing
302
+ */
303
+ schemaExtensions?: TExtensions;
304
+ }
305
+
306
+ declare function createAuthGuard(config: AuthConfig, t: TrpcBuilder): _trpc_server.TRPCMiddlewareBuilder<TrpcContext, Meta, {
307
+ userId: number;
308
+ socketId: string | null;
309
+ sessionId: number;
310
+ refreshToken: string | undefined;
311
+ headers: http.IncomingHttpHeaders;
312
+ res: http.ServerResponse<http.IncomingMessage>;
313
+ ip: string | undefined;
314
+ }, unknown>;
315
+
316
+ /**
317
+ * Default token settings
318
+ */
319
+ declare const defaultTokenSettings: TokenSettings;
320
+ /**
321
+ * Default cookie settings
322
+ */
323
+ declare const defaultCookieSettings: CookieSettings;
324
+ /**
325
+ * Default storage keys
326
+ */
327
+ declare const defaultStorageKeys: {
328
+ accessToken: string;
329
+ refreshToken: string;
330
+ };
331
+ /**
332
+ * Create a fully resolved auth config with defaults applied
333
+ */
334
+ declare function createAuthConfig(config: AuthConfig): Required<Omit<AuthConfig, 'hooks' | 'oauthKeys' | 'schemaExtensions'>> & AuthConfig;
335
+ type ResolvedAuthConfig = ReturnType<typeof createAuthConfig>;
336
+ /**
337
+ * Default auth config (requires prisma and secrets to be provided)
338
+ */
339
+ declare const defaultAuthConfig: {
340
+ features: AuthFeatures;
341
+ tokenSettings: TokenSettings;
342
+ cookieSettings: CookieSettings;
343
+ storageKeys: {
344
+ accessToken: string;
345
+ refreshToken: string;
346
+ };
347
+ };
348
+
349
+ declare function createTrpcBuilder(config: ResolvedAuthConfig): _trpc_server.TRPCRootObject<TrpcContext, Meta, {
350
+ transformer: typeof SuperJSON__default;
351
+ errorFormatter: (opts: {
352
+ error: _trpc_server.TRPCError;
353
+ type: _trpc_server.ProcedureType | "unknown";
354
+ path: string | undefined;
355
+ input: unknown;
356
+ ctx: TrpcContext | undefined;
357
+ shape: _trpc_server.TRPCDefaultErrorShape;
358
+ }) => {
359
+ message: string;
360
+ data: {
361
+ zodError: zod.typeToFlattenedError<any, string> | null;
362
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
363
+ httpStatus: number;
364
+ path?: string;
365
+ };
366
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
367
+ };
368
+ }, {
369
+ ctx: TrpcContext;
370
+ meta: Meta;
371
+ errorShape: {
372
+ message: string;
373
+ data: {
374
+ zodError: zod.typeToFlattenedError<any, string> | null;
375
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
376
+ httpStatus: number;
377
+ path?: string;
378
+ };
379
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
380
+ };
381
+ transformer: true;
382
+ }>;
383
+
384
+ type TrpcBuilder = ReturnType<typeof createTrpcBuilder>;
385
+ type Meta = {
386
+ authRequired?: boolean;
387
+ adminRequired?: boolean;
388
+ ignoreExpiration?: boolean;
389
+ };
390
+ interface TrpcContext {
391
+ userId: number | null;
392
+ sessionId: number | null;
393
+ refreshToken: string | null;
394
+ socketId: string | null;
395
+ headers: CreateHTTPContextOptions['req']['headers'];
396
+ res: CreateHTTPContextOptions['res'];
397
+ ip?: string;
398
+ }
399
+
400
+ declare function createAuthRouter<TExtensions extends SchemaExtensions = {}>(config: AuthConfig<TExtensions>): {
401
+ router: _trpc_server.TRPCBuiltRouter<{
402
+ ctx: TrpcContext;
403
+ meta: Meta;
404
+ errorShape: {
405
+ message: string;
406
+ data: {
407
+ zodError: zod.typeToFlattenedError<any, string> | null;
408
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
409
+ httpStatus: number;
410
+ path?: string;
411
+ };
412
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
413
+ };
414
+ transformer: true;
415
+ }, _trpc_server.TRPCDecorateCreateRouterOptions<{
416
+ auth: _trpc_server.TRPCBuiltRouter<{
417
+ ctx: TrpcContext;
418
+ meta: Meta;
419
+ errorShape: {
420
+ message: string;
421
+ data: {
422
+ zodError: zod.typeToFlattenedError<any, string> | null;
423
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
424
+ httpStatus: number;
425
+ path?: string;
426
+ };
427
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
428
+ };
429
+ transformer: true;
430
+ }, _trpc_server.TRPCDecorateCreateRouterOptions<{
431
+ sendVerificationEmail: _trpc_server.TRPCMutationProcedure<{
432
+ input: void;
433
+ output: {
434
+ message: string;
435
+ emailSent: boolean;
436
+ };
437
+ meta: Meta;
438
+ }>;
439
+ verifyEmail: _trpc_server.TRPCMutationProcedure<{
440
+ input: {
441
+ code: string;
442
+ };
443
+ output: {
444
+ success: boolean;
445
+ message: string;
446
+ };
447
+ meta: Meta;
448
+ }>;
449
+ getVerificationStatus: _trpc_server.TRPCQueryProcedure<{
450
+ input: void;
451
+ output: {
452
+ email: string;
453
+ status: _prisma_client.$Enums.EmailVerificationStatus;
454
+ isVerified: boolean;
455
+ };
456
+ meta: Meta;
457
+ }>;
458
+ verifyBiometric: _trpc_server.TRPCMutationProcedure<{
459
+ input: {};
460
+ output: {
461
+ success: boolean;
462
+ verifiedAt: Date;
463
+ };
464
+ meta: Meta;
465
+ }>;
466
+ getBiometricStatus: _trpc_server.TRPCQueryProcedure<{
467
+ input: void;
468
+ output: {
469
+ verifiedHumanAt: Date | null;
470
+ isVerified: boolean;
471
+ isExpired: boolean;
472
+ requiresVerification: boolean;
473
+ };
474
+ meta: Meta;
475
+ }>;
476
+ enableTwofa: _trpc_server.TRPCMutationProcedure<{
477
+ input: void;
478
+ output: {
479
+ secret: string;
480
+ };
481
+ meta: Meta;
482
+ }>;
483
+ disableTwofa: _trpc_server.TRPCMutationProcedure<{
484
+ input: {
485
+ password: string;
486
+ };
487
+ output: {
488
+ disabled: boolean;
489
+ };
490
+ meta: Meta;
491
+ }>;
492
+ getTwofaSecret: _trpc_server.TRPCQueryProcedure<{
493
+ input: {
494
+ pushCode: string;
495
+ };
496
+ output: {
497
+ secret: string;
498
+ };
499
+ meta: Meta;
500
+ }>;
501
+ twoFaReset: _trpc_server.TRPCMutationProcedure<{
502
+ input: {
503
+ username: string;
504
+ password: string;
505
+ };
506
+ output: {
507
+ success: boolean;
508
+ };
509
+ meta: Meta;
510
+ }>;
511
+ twoFaResetVerify: _trpc_server.TRPCMutationProcedure<{
512
+ input: {
513
+ username: string;
514
+ code: number;
515
+ };
516
+ output: {
517
+ success: boolean;
518
+ message: string;
519
+ };
520
+ meta: Meta;
521
+ }>;
522
+ registerPushToken: _trpc_server.TRPCMutationProcedure<{
523
+ input: {
524
+ pushToken: string;
525
+ };
526
+ output: {
527
+ registered: boolean;
528
+ };
529
+ meta: Meta;
530
+ }>;
531
+ deregisterPushToken: _trpc_server.TRPCMutationProcedure<{
532
+ input: {
533
+ pushToken: string;
534
+ };
535
+ output: {
536
+ deregistered: boolean;
537
+ };
538
+ meta: Meta;
539
+ }>;
540
+ oAuthLogin: _trpc_server.TRPCMutationProcedure<{
541
+ input: inferParser<[TExtensions["oauth"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
542
+ idToken: zod.ZodString;
543
+ user: zod.ZodOptional<zod.ZodObject<{
544
+ email: zod.ZodOptional<zod.ZodString>;
545
+ }, "strip", zod.ZodTypeAny, {
546
+ email?: string | undefined;
547
+ }, {
548
+ email?: string | undefined;
549
+ }>>;
550
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
551
+ } & TExtensions["oauth"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
552
+ idToken: zod.ZodString;
553
+ user: zod.ZodOptional<zod.ZodObject<{
554
+ email: zod.ZodOptional<zod.ZodString>;
555
+ }, "strip", zod.ZodTypeAny, {
556
+ email?: string | undefined;
557
+ }, {
558
+ email?: string | undefined;
559
+ }>>;
560
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
561
+ } & TExtensions["oauth"]["shape"]>, any> extends infer T ? { [k in keyof T]: T[k]; } : never, zod.baseObjectInputType<{
562
+ idToken: zod.ZodString;
563
+ user: zod.ZodOptional<zod.ZodObject<{
564
+ email: zod.ZodOptional<zod.ZodString>;
565
+ }, "strip", zod.ZodTypeAny, {
566
+ email?: string | undefined;
567
+ }, {
568
+ email?: string | undefined;
569
+ }>>;
570
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
571
+ } & TExtensions["oauth"]["shape"]> extends infer T_1 ? { [k_1 in keyof T_1]: T_1[k_1]; } : never> : zod.ZodObject<{
572
+ idToken: zod.ZodString;
573
+ user: zod.ZodOptional<zod.ZodObject<{
574
+ email: zod.ZodOptional<zod.ZodString>;
575
+ }, "strip", zod.ZodTypeAny, {
576
+ email?: string | undefined;
577
+ }, {
578
+ email?: string | undefined;
579
+ }>>;
580
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
581
+ }, "strip", zod.ZodTypeAny, {
582
+ idToken: string;
583
+ provider: "GOOGLE" | "APPLE";
584
+ user?: {
585
+ email?: string | undefined;
586
+ } | undefined;
587
+ }, {
588
+ idToken: string;
589
+ provider: "GOOGLE" | "APPLE";
590
+ user?: {
591
+ email?: string | undefined;
592
+ } | undefined;
593
+ }>>["in"] extends infer T_2 ? T_2 extends inferParser<[TExtensions["oauth"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
594
+ idToken: zod.ZodString;
595
+ user: zod.ZodOptional<zod.ZodObject<{
596
+ email: zod.ZodOptional<zod.ZodString>;
597
+ }, "strip", zod.ZodTypeAny, {
598
+ email?: string | undefined;
599
+ }, {
600
+ email?: string | undefined;
601
+ }>>;
602
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
603
+ } & TExtensions["oauth"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
604
+ idToken: zod.ZodString;
605
+ user: zod.ZodOptional<zod.ZodObject<{
606
+ email: zod.ZodOptional<zod.ZodString>;
607
+ }, "strip", zod.ZodTypeAny, {
608
+ email?: string | undefined;
609
+ }, {
610
+ email?: string | undefined;
611
+ }>>;
612
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
613
+ } & TExtensions["oauth"]["shape"]>, any> extends infer T_3 ? { [k in keyof T_3]: T_3[k]; } : never, zod.baseObjectInputType<{
614
+ idToken: zod.ZodString;
615
+ user: zod.ZodOptional<zod.ZodObject<{
616
+ email: zod.ZodOptional<zod.ZodString>;
617
+ }, "strip", zod.ZodTypeAny, {
618
+ email?: string | undefined;
619
+ }, {
620
+ email?: string | undefined;
621
+ }>>;
622
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
623
+ } & TExtensions["oauth"]["shape"]> extends infer T_4 ? { [k_1 in keyof T_4]: T_4[k_1]; } : never> : zod.ZodObject<{
624
+ idToken: zod.ZodString;
625
+ user: zod.ZodOptional<zod.ZodObject<{
626
+ email: zod.ZodOptional<zod.ZodString>;
627
+ }, "strip", zod.ZodTypeAny, {
628
+ email?: string | undefined;
629
+ }, {
630
+ email?: string | undefined;
631
+ }>>;
632
+ provider: zod.ZodEnum<["GOOGLE", "APPLE"]>;
633
+ }, "strip", zod.ZodTypeAny, {
634
+ idToken: string;
635
+ provider: "GOOGLE" | "APPLE";
636
+ user?: {
637
+ email?: string | undefined;
638
+ } | undefined;
639
+ }, {
640
+ idToken: string;
641
+ provider: "GOOGLE" | "APPLE";
642
+ user?: {
643
+ email?: string | undefined;
644
+ } | undefined;
645
+ }>>["in"] ? T_2 extends _trpc_server.TRPCUnsetMarker ? void : T_2 : never : never;
646
+ output: {
647
+ success: boolean;
648
+ user: {
649
+ id: number;
650
+ email: string;
651
+ username: string;
652
+ };
653
+ };
654
+ meta: Meta;
655
+ }>;
656
+ register: _trpc_server.TRPCMutationProcedure<{
657
+ input: inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
658
+ username: zod.ZodString;
659
+ email: zod.ZodString;
660
+ password: zod.ZodString;
661
+ } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
662
+ username: zod.ZodString;
663
+ email: zod.ZodString;
664
+ password: zod.ZodString;
665
+ } & TExtensions["signup"]["shape"]>, any> extends infer T_5 ? { [k_2 in keyof T_5]: T_5[k_2]; } : never, zod.baseObjectInputType<{
666
+ username: zod.ZodString;
667
+ email: zod.ZodString;
668
+ password: zod.ZodString;
669
+ } & TExtensions["signup"]["shape"]> extends infer T_6 ? { [k_3 in keyof T_6]: T_6[k_3]; } : never> : zod.ZodObject<{
670
+ username: zod.ZodString;
671
+ email: zod.ZodString;
672
+ password: zod.ZodString;
673
+ }, "strip", zod.ZodTypeAny, {
674
+ username: string;
675
+ email: string;
676
+ password: string;
677
+ }, {
678
+ username: string;
679
+ email: string;
680
+ password: string;
681
+ }>>["in"] extends infer T_7 ? T_7 extends inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
682
+ username: zod.ZodString;
683
+ email: zod.ZodString;
684
+ password: zod.ZodString;
685
+ } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
686
+ username: zod.ZodString;
687
+ email: zod.ZodString;
688
+ password: zod.ZodString;
689
+ } & TExtensions["signup"]["shape"]>, any> extends infer T_8 ? { [k_2 in keyof T_8]: T_8[k_2]; } : never, zod.baseObjectInputType<{
690
+ username: zod.ZodString;
691
+ email: zod.ZodString;
692
+ password: zod.ZodString;
693
+ } & TExtensions["signup"]["shape"]> extends infer T_9 ? { [k_3 in keyof T_9]: T_9[k_3]; } : never> : zod.ZodObject<{
694
+ username: zod.ZodString;
695
+ email: zod.ZodString;
696
+ password: zod.ZodString;
697
+ }, "strip", zod.ZodTypeAny, {
698
+ username: string;
699
+ email: string;
700
+ password: string;
701
+ }, {
702
+ username: string;
703
+ email: string;
704
+ password: string;
705
+ }>>["in"] ? T_7 extends _trpc_server.TRPCUnsetMarker ? void : T_7 : never : never;
706
+ output: {
707
+ success: boolean;
708
+ user: {
709
+ id: number;
710
+ email: string;
711
+ username: string;
712
+ };
713
+ };
714
+ meta: Meta;
715
+ }>;
716
+ login: _trpc_server.TRPCMutationProcedure<{
717
+ input: inferParser<[TExtensions["login"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
718
+ username: zod.ZodString;
719
+ password: zod.ZodString;
720
+ code: zod.ZodOptional<zod.ZodString>;
721
+ } & TExtensions["login"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
722
+ username: zod.ZodString;
723
+ password: zod.ZodString;
724
+ code: zod.ZodOptional<zod.ZodString>;
725
+ } & TExtensions["login"]["shape"]>, any> extends infer T_10 ? { [k_4 in keyof T_10]: T_10[k_4]; } : never, zod.baseObjectInputType<{
726
+ username: zod.ZodString;
727
+ password: zod.ZodString;
728
+ code: zod.ZodOptional<zod.ZodString>;
729
+ } & TExtensions["login"]["shape"]> extends infer T_11 ? { [k_5 in keyof T_11]: T_11[k_5]; } : never> : zod.ZodObject<{
730
+ username: zod.ZodString;
731
+ password: zod.ZodString;
732
+ code: zod.ZodOptional<zod.ZodString>;
733
+ }, "strip", zod.ZodTypeAny, {
734
+ username: string;
735
+ password: string;
736
+ code?: string | undefined;
737
+ }, {
738
+ username: string;
739
+ password: string;
740
+ code?: string | undefined;
741
+ }>>["in"] extends infer T_12 ? T_12 extends inferParser<[TExtensions["login"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
742
+ username: zod.ZodString;
743
+ password: zod.ZodString;
744
+ code: zod.ZodOptional<zod.ZodString>;
745
+ } & TExtensions["login"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
746
+ username: zod.ZodString;
747
+ password: zod.ZodString;
748
+ code: zod.ZodOptional<zod.ZodString>;
749
+ } & TExtensions["login"]["shape"]>, any> extends infer T_13 ? { [k_4 in keyof T_13]: T_13[k_4]; } : never, zod.baseObjectInputType<{
750
+ username: zod.ZodString;
751
+ password: zod.ZodString;
752
+ code: zod.ZodOptional<zod.ZodString>;
753
+ } & TExtensions["login"]["shape"]> extends infer T_14 ? { [k_5 in keyof T_14]: T_14[k_5]; } : never> : zod.ZodObject<{
754
+ username: zod.ZodString;
755
+ password: zod.ZodString;
756
+ code: zod.ZodOptional<zod.ZodString>;
757
+ }, "strip", zod.ZodTypeAny, {
758
+ username: string;
759
+ password: string;
760
+ code?: string | undefined;
761
+ }, {
762
+ username: string;
763
+ password: string;
764
+ code?: string | undefined;
765
+ }>>["in"] ? T_12 extends _trpc_server.TRPCUnsetMarker ? void : T_12 : never : never;
766
+ output: {
767
+ success: boolean;
768
+ user: {
769
+ id: number;
770
+ email: string;
771
+ username: string;
772
+ };
773
+ };
774
+ meta: Meta;
775
+ }>;
776
+ logout: _trpc_server.TRPCMutationProcedure<{
777
+ input: void;
778
+ output: {
779
+ success: boolean;
780
+ };
781
+ meta: Meta;
782
+ }>;
783
+ refresh: _trpc_server.TRPCQueryProcedure<{
784
+ input: void;
785
+ output: {
786
+ success: boolean;
787
+ };
788
+ meta: Meta;
789
+ }>;
790
+ endAllSessions: _trpc_server.TRPCMutationProcedure<{
791
+ input: {
792
+ skipCurrentSession?: boolean | undefined;
793
+ };
794
+ output: {
795
+ success: boolean;
796
+ revokedCount: number;
797
+ };
798
+ meta: Meta;
799
+ }>;
800
+ changePassword: _trpc_server.TRPCMutationProcedure<{
801
+ input: {
802
+ currentPassword: string;
803
+ newPassword: string;
804
+ };
805
+ output: {
806
+ success: boolean;
807
+ message: string;
808
+ };
809
+ meta: Meta;
810
+ }>;
811
+ sendPasswordResetEmail: _trpc_server.TRPCMutationProcedure<{
812
+ input: {
813
+ email: string;
814
+ };
815
+ output: {
816
+ message: string;
817
+ };
818
+ meta: Meta;
819
+ }>;
820
+ checkPasswordReset: _trpc_server.TRPCQueryProcedure<{
821
+ input: {
822
+ token: string;
823
+ };
824
+ output: {
825
+ valid: boolean;
826
+ };
827
+ meta: Meta;
828
+ }>;
829
+ resetPassword: _trpc_server.TRPCMutationProcedure<{
830
+ input: {
831
+ password: string;
832
+ token: string;
833
+ };
834
+ output: {
835
+ message: string;
836
+ };
837
+ meta: Meta;
838
+ }>;
839
+ }>>;
840
+ }>>;
841
+ t: _trpc_server.TRPCRootObject<TrpcContext, Meta, {
842
+ transformer: typeof SuperJSON.default;
843
+ errorFormatter: (opts: {
844
+ error: _trpc_server.TRPCError;
845
+ type: _trpc_server.ProcedureType | "unknown";
846
+ path: string | undefined;
847
+ input: unknown;
848
+ ctx: TrpcContext | undefined;
849
+ shape: _trpc_server.TRPCDefaultErrorShape;
850
+ }) => {
851
+ message: string;
852
+ data: {
853
+ zodError: zod.typeToFlattenedError<any, string> | null;
854
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
855
+ httpStatus: number;
856
+ path?: string;
857
+ };
858
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
859
+ };
860
+ }, {
861
+ ctx: TrpcContext;
862
+ meta: Meta;
863
+ errorShape: {
864
+ message: string;
865
+ data: {
866
+ zodError: zod.typeToFlattenedError<any, string> | null;
867
+ code: _trpc_server.TRPC_ERROR_CODE_KEY;
868
+ httpStatus: number;
869
+ path?: string;
870
+ };
871
+ code: _trpc_server.TRPC_ERROR_CODE_NUMBER;
872
+ };
873
+ transformer: true;
874
+ }>;
875
+ procedure: _trpc_server.TRPCProcedureBuilder<TrpcContext, Meta, {
876
+ sessionId: number;
877
+ userId: number;
878
+ refreshToken: string | undefined;
879
+ socketId: string | null;
880
+ headers: http.IncomingHttpHeaders;
881
+ res: http.ServerResponse<http.IncomingMessage>;
882
+ ip: string | undefined;
883
+ }, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
884
+ authProcedure: _trpc_server.TRPCProcedureBuilder<TrpcContext, Meta, {
885
+ sessionId: number;
886
+ userId: number;
887
+ refreshToken: string | undefined;
888
+ socketId: string | null;
889
+ headers: http.IncomingHttpHeaders;
890
+ res: http.ServerResponse<http.IncomingMessage>;
891
+ ip: string | undefined;
892
+ }, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
893
+ createContext: ({ req, res }: CreateHTTPContextOptions) => TrpcContext;
894
+ };
895
+ type AuthRouter<TExtensions extends SchemaExtensions = {}> = ReturnType<typeof createAuthRouter<TExtensions>>;
896
+
897
+ /**
898
+ * Detect browser/platform from user agent string
899
+ * @param userAgent - User agent string from request headers
900
+ * @returns Detected browser name
901
+ */
902
+ declare function detectBrowser(userAgent: string): string;
903
+ /**
904
+ * Check if the user agent indicates a mobile device
905
+ * @param userAgent - User agent string
906
+ * @returns True if mobile device
907
+ */
908
+ declare function isMobileDevice(userAgent: string): boolean;
909
+ /**
910
+ * Check if the user agent indicates a native app
911
+ * @param userAgent - User agent string
912
+ * @returns True if native app
913
+ */
914
+ declare function isNativeApp(userAgent: string): boolean;
915
+
916
+ /**
917
+ * Default storage keys for auth cookies
918
+ */
919
+ declare const DEFAULT_STORAGE_KEYS: {
920
+ ACCESS_TOKEN: string;
921
+ REFRESH_TOKEN: string;
922
+ };
923
+ /**
924
+ * Parse auth tokens from cookie header
925
+ * @param cookieHeader - Raw cookie header string
926
+ * @param storageKeys - Custom storage keys (optional)
927
+ * @returns Parsed tokens
928
+ */
929
+ declare function parseAuthCookies(cookieHeader: string | undefined, storageKeys?: {
930
+ accessToken: string;
931
+ refreshToken: string;
932
+ }): {
933
+ accessToken?: string;
934
+ refreshToken?: string;
935
+ };
936
+ /**
937
+ * Set auth cookies on response
938
+ * @param res - HTTP response object
939
+ * @param credentials - Access and refresh tokens
940
+ * @param settings - Cookie settings
941
+ * @param storageKeys - Storage key names
942
+ */
943
+ declare function setAuthCookies(res: CreateHTTPContextOptions['res'], credentials: Partial<AuthCredentials>, settings: Partial<CookieSettings>, storageKeys?: {
944
+ accessToken: string;
945
+ refreshToken: string;
946
+ }): void;
947
+ /**
948
+ * Clear auth cookies (for logout)
949
+ * @param res - HTTP response object
950
+ * @param settings - Cookie settings
951
+ * @param storageKeys - Storage key names
952
+ */
953
+ declare function clearAuthCookies(res: CreateHTTPContextOptions['res'], settings: Partial<CookieSettings>, storageKeys?: {
954
+ accessToken: string;
955
+ refreshToken: string;
956
+ }): void;
957
+
958
+ /**
959
+ * Options for creating access tokens
960
+ */
961
+ interface CreateTokenOptions {
962
+ secret: string;
963
+ expiresIn: SignOptions['expiresIn'];
964
+ }
965
+ /**
966
+ * Options for verifying access tokens
967
+ */
968
+ interface VerifyTokenOptions {
969
+ secret: string;
970
+ ignoreExpiration?: boolean;
971
+ }
972
+ /**
973
+ * Create a JWT access token
974
+ * @param payload - Token payload containing session and user info
975
+ * @param options - Token creation options
976
+ * @returns Signed JWT token
977
+ */
978
+ declare function createAccessToken(payload: Omit<JwtPayload, 'exp' | 'iat'>, options: CreateTokenOptions): string;
979
+ /**
980
+ * Verify and decode a JWT access token
981
+ * @param token - JWT token to verify
982
+ * @param options - Verification options
983
+ * @returns Decoded token payload
984
+ * @throws Error if token is invalid or expired
985
+ */
986
+ declare function verifyAccessToken(token: string, options: VerifyTokenOptions): JwtPayload;
987
+ /**
988
+ * Decode a JWT token without verification
989
+ * @param token - JWT token to decode
990
+ * @returns Decoded payload or null if invalid
991
+ */
992
+ declare function decodeToken(token: string): JwtPayload | null;
993
+ /**
994
+ * Check if a token error is an expiration error
995
+ */
996
+ declare function isTokenExpiredError(error: unknown): boolean;
997
+ /**
998
+ * Check if a token error is a validation error
999
+ */
1000
+ declare function isTokenInvalidError(error: unknown): boolean;
1001
+
1002
+ /**
1003
+ * Hash a plain text password
1004
+ * @param password - Plain text password
1005
+ * @param saltRounds - Number of salt rounds (default: 10)
1006
+ * @returns Hashed password
1007
+ */
1008
+ declare function hashPassword(password: string, saltRounds?: number): Promise<string>;
1009
+ /**
1010
+ * Compare a plain text password with a hashed password
1011
+ * @param password - Plain text password
1012
+ * @param hashedPassword - Hashed password to compare against
1013
+ * @returns True if passwords match
1014
+ */
1015
+ declare function comparePassword(password: string, hashedPassword: string): Promise<boolean>;
1016
+ /**
1017
+ * Check if a password meets minimum requirements
1018
+ * @param password - Password to validate
1019
+ * @param minLength - Minimum length (default: 6)
1020
+ * @returns Validation result with error message if invalid
1021
+ */
1022
+ declare function validatePasswordStrength(password: string, minLength?: number): {
1023
+ valid: boolean;
1024
+ error?: string;
1025
+ };
1026
+
1027
+ /**
1028
+ * Generate a random TOTP secret
1029
+ * @param length - Length of the secret (default: 16)
1030
+ * @returns Base32 encoded secret
1031
+ */
1032
+ declare function generateTotpSecret(length?: number): string;
1033
+ /**
1034
+ * Clean a Base32 string by removing invalid characters
1035
+ * @param input - Input string to clean
1036
+ * @returns Cleaned Base32 string
1037
+ */
1038
+ declare function cleanBase32String(input: string): string;
1039
+ /**
1040
+ * Generate a TOTP code from a secret
1041
+ * @param secret - Base32 encoded secret
1042
+ * @returns Current TOTP code
1043
+ */
1044
+ declare function generateTotpCode(secret: string): Promise<string>;
1045
+ /**
1046
+ * Verify a TOTP code against a secret
1047
+ * @param code - TOTP code to verify
1048
+ * @param secret - Base32 encoded secret
1049
+ * @param window - Number of time steps to check before/after current (default: 1)
1050
+ * @returns True if code is valid
1051
+ */
1052
+ declare function verifyTotp(code: string, secret: string): Promise<boolean>;
1053
+ /**
1054
+ * Generate a random OTP code (for email-based verification)
1055
+ * @param min - Minimum value (default: 100000)
1056
+ * @param max - Maximum value (default: 999999)
1057
+ * @returns Random 6-digit OTP
1058
+ */
1059
+ declare function generateOtp(min?: number, max?: number): number;
1060
+
1061
+ export { type AuthConfig, type AuthFeatures, AuthHooks, type AuthRouter, DEFAULT_STORAGE_KEYS, type EmailAdapter, type OAuthKeys, type OAuthProvider, type OAuthResult, OAuthVerificationError, SchemaExtensions, type TokenSettings, type TrpcContext, cleanBase32String, clearAuthCookies, comparePassword, createAccessToken, createAuthConfig, createAuthGuard, createAuthRouter, createConsoleEmailAdapter, createNoopEmailAdapter, createOAuthVerifier, decodeToken, defaultAuthConfig, defaultCookieSettings, defaultStorageKeys, defaultTokenSettings, detectBrowser, generateOtp, generateTotpCode, generateTotpSecret, hashPassword, isMobileDevice, isNativeApp, isTokenExpiredError, isTokenInvalidError, parseAuthCookies, setAuthCookies, validatePasswordStrength, verifyAccessToken, verifyTotp };