@factiii/auth 0.2.0 → 0.4.0

package/dist/index.js

@@ -35,12 +35,12 @@ __export(index_exports, {
   biometricVerifySchema: () => biometricVerifySchema,
   changePasswordSchema: () => changePasswordSchema,
   cleanBase32String: () => cleanBase32String,
-  clearAuthCookies: () => clearAuthCookies,
+  clearAuthCookie: () => clearAuthCookie,
   comparePassword: () => comparePassword,
-  createAccessToken: () => createAccessToken,
   createAuthConfig: () => createAuthConfig,
   createAuthGuard: () => createAuthGuard,
   createAuthRouter: () => createAuthRouter,
+  createAuthToken: () => createAuthToken,
   createConsoleEmailAdapter: () => createConsoleEmailAdapter,
   createNoopEmailAdapter: () => createNoopEmailAdapter,
   createOAuthVerifier: () => createOAuthVerifier,
@@ -60,20 +60,16 @@ __export(index_exports, {
   isTokenExpiredError: () => isTokenExpiredError,
   isTokenInvalidError: () => isTokenInvalidError,
   loginSchema: () => loginSchema,
-  logoutSchema: () => logoutSchema,
   oAuthLoginSchema: () => oAuthLoginSchema,
-  otpLoginRequestSchema: () => otpLoginRequestSchema,
-  otpLoginVerifySchema: () => otpLoginVerifySchema,
-  parseAuthCookies: () => parseAuthCookies,
+  parseAuthCookie: () => parseAuthCookie,
   requestPasswordResetSchema: () => requestPasswordResetSchema,
   resetPasswordSchema: () => resetPasswordSchema,
-  setAuthCookies: () => setAuthCookies,
+  setAuthCookie: () => setAuthCookie,
   signupSchema: () => signupSchema,
   twoFaResetSchema: () => twoFaResetSchema,
-  twoFaSetupSchema: () => twoFaSetupSchema,
   twoFaVerifySchema: () => twoFaVerifySchema,
   validatePasswordStrength: () => validatePasswordStrength,
-  verifyAccessToken: () => verifyAccessToken,
+  verifyAuthToken: () => verifyAuthToken,
   verifyEmailSchema: () => verifyEmailSchema,
   verifyTotp: () => verifyTotp
 });
@@ -137,7 +133,8 @@ function createConsoleEmailAdapter() {
 
 // src/utilities/config.ts
 var defaultTokenSettings = {
-  accessTokenExpiry: "5m",
+  jwtExpiry: 30 * 24 * 60 * 60,
+  // 30 days in seconds
   passwordResetExpiryMs: 60 * 60 * 1e3,
   // 1 hour
   otpValidityMs: 15 * 60 * 1e3
@@ -146,15 +143,13 @@ var defaultTokenSettings = {
 var defaultCookieSettings = {
   secure: true,
   sameSite: "Strict",
-  httpOnly: true,
-  accessTokenPath: "/",
-  refreshTokenPath: "/api/trpc/auth.refresh",
-  maxAge: 365 * 24 * 60 * 60
-  // 1 year in seconds
+  httpOnly: false,
+  path: "/",
+  maxAge: 30 * 24 * 60 * 60
+  // 30 days in seconds
 };
 var defaultStorageKeys = {
-  accessToken: "auth-at",
-  refreshToken: "auth-rt"
+  authToken: "auth-token"
 };
 var defaultFeatures = {
   twoFa: true,
@@ -186,21 +181,17 @@ var defaultAuthConfig = {
 
 // src/utilities/cookies.ts
 var DEFAULT_STORAGE_KEYS = {
-  ACCESS_TOKEN: "auth-at",
-  REFRESH_TOKEN: "auth-rt"
+  AUTH_TOKEN: "auth-token"
 };
-function parseAuthCookies(cookieHeader, storageKeys = {
-  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
-  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+function parseAuthCookie(cookieHeader, storageKeys = {
+  authToken: DEFAULT_STORAGE_KEYS.AUTH_TOKEN
 }) {
   if (!cookieHeader) {
     return {};
   }
-  const accessToken = cookieHeader.split(`${storageKeys.accessToken}=`)[1]?.split(";")[0];
-  const refreshToken = cookieHeader.split(`${storageKeys.refreshToken}=`)[1]?.split(";")[0];
+  const authToken = cookieHeader.split(`${storageKeys.authToken}=`)[1]?.split(";")[0];
   return {
-    accessToken: accessToken || void 0,
-    refreshToken: refreshToken || void 0
+    authToken: authToken || void 0
   };
 }
 function extractDomain(req) {
@@ -224,76 +215,47 @@ function extractDomain(req) {
   }
   return void 0;
 }
-function setAuthCookies(res, credentials, settings, storageKeys = {
-  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
-  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+function setAuthCookie(res, authToken, settings, storageKeys = {
+  authToken: DEFAULT_STORAGE_KEYS.AUTH_TOKEN
 }) {
-  const cookies = [];
   const domain = settings.domain ?? extractDomain(res.req);
   const expiresDate = settings.maxAge ? new Date(Date.now() + settings.maxAge * 1e3).toUTCString() : void 0;
-  if (credentials.refreshToken) {
-    const refreshCookie = [
-      `${storageKeys.refreshToken}=${credentials.refreshToken}`,
-      "HttpOnly",
-      settings.secure ? "Secure=true" : "",
-      `SameSite=${settings.sameSite}`,
-      `Path=${settings.refreshTokenPath}`,
-      domain ? `Domain=${domain}` : "",
-      `Expires=${expiresDate}`
-    ].filter(Boolean).join("; ");
-    cookies.push(refreshCookie);
-  }
-  if (credentials.accessToken) {
-    const accessCookie = [
-      `${storageKeys.accessToken}=${credentials.accessToken}`,
-      settings.secure ? "Secure=true" : "",
-      `SameSite=${settings.sameSite}`,
-      `Path=${settings.accessTokenPath}`,
-      domain ? `Domain=${domain}` : "",
-      `Expires=${expiresDate}`
-    ].filter(Boolean).join("; ");
-    cookies.push(accessCookie);
-  }
-  if (cookies.length > 0) {
-    res.setHeader("Set-Cookie", cookies);
-  }
+  const cookie = [
+    `${storageKeys.authToken}=${authToken}`,
+    settings.httpOnly ? "HttpOnly" : "",
+    settings.secure ? "Secure=true" : "",
+    `SameSite=${settings.sameSite}`,
+    `Path=${settings.path ?? "/"}`,
+    domain ? `Domain=${domain}` : "",
+    expiresDate ? `Expires=${expiresDate}` : ""
+  ].filter(Boolean).join("; ");
+  res.setHeader("Set-Cookie", cookie);
 }
-function clearAuthCookies(res, settings, storageKeys = {
-  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
-  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+function clearAuthCookie(res, settings, storageKeys = {
+  authToken: DEFAULT_STORAGE_KEYS.AUTH_TOKEN
 }) {
   const domain = extractDomain(res.req);
   const expiredDate = (/* @__PURE__ */ new Date(0)).toUTCString();
-  const cookies = [
-    [
-      `${storageKeys.refreshToken}=destroy`,
-      "HttpOnly",
-      settings.secure ? "Secure=true" : "",
-      `SameSite=${settings.sameSite}`,
-      `Path=${settings.refreshTokenPath}`,
-      domain ? `Domain=${domain}` : "",
-      `Expires=${expiredDate}`
-    ].filter(Boolean).join("; "),
-    [
-      `${storageKeys.accessToken}=destroy`,
-      settings.secure ? "Secure=true" : "",
-      `SameSite=${settings.sameSite}`,
-      `Path=${settings.accessTokenPath}`,
-      domain ? `Domain=${domain}` : "",
-      `Expires=${expiredDate}`
-    ].filter(Boolean).join("; ")
-  ];
-  res.setHeader("Set-Cookie", cookies);
+  const cookie = [
+    `${storageKeys.authToken}=destroy`,
+    settings.httpOnly ? "HttpOnly" : "",
+    settings.secure ? "Secure=true" : "",
+    `SameSite=${settings.sameSite}`,
+    `Path=${settings.path ?? "/"}`,
+    domain ? `Domain=${domain}` : "",
+    `Expires=${expiredDate}`
+  ].filter(Boolean).join("; ");
+  res.setHeader("Set-Cookie", cookie);
 }
 
 // src/utilities/jwt.ts
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
-function createAccessToken(payload, options) {
+function createAuthToken(payload, options) {
   return import_jsonwebtoken.default.sign(payload, options.secret, {
     expiresIn: options.expiresIn
   });
 }
-function verifyAccessToken(token, options) {
+function verifyAuthToken(token, options) {
   return import_jsonwebtoken.default.verify(token, options.secret, {
     ignoreExpiration: options.ignoreExpiration ?? false
   });
@@ -320,9 +282,10 @@ function createAuthGuard(config, t) {
   const storageKeys = config.storageKeys ?? defaultStorageKeys;
   const cookieSettings = { ...defaultCookieSettings, ...config.cookieSettings };
   const revokeSession = async (ctx, sessionId, description, errorStack, path) => {
-    clearAuthCookies(ctx.res, cookieSettings, storageKeys);
+    clearAuthCookie(ctx.res, cookieSettings, storageKeys);
     if (config.hooks?.logError) {
       try {
+        const cookieHeader = ctx.headers.cookie;
         const contextInfo = {
           reason: description,
           sessionId,
@@ -330,6 +293,10 @@ function createAuthGuard(config, t) {
           ip: ctx.ip,
           userAgent: ctx.headers["user-agent"],
           ...path ? { path } : {},
+          hasCookieHeader: Boolean(cookieHeader),
+          cookieKeys: cookieHeader ? cookieHeader.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean) : [],
+          origin: ctx.headers.origin ?? null,
+          referer: ctx.headers.referer ?? null,
           timestamp: (/* @__PURE__ */ new Date()).toISOString()
         };
         const combinedStack = [
@@ -368,9 +335,8 @@ ${errorStack}` : null,
     }
   };
   const authGuard = t.middleware(async ({ ctx, meta, next, path }) => {
-    const cookies = parseAuthCookies(ctx.headers.cookie, storageKeys);
-    const authToken = cookies.accessToken;
-    const refreshToken = cookies.refreshToken;
+    const cookies = parseAuthCookie(ctx.headers.cookie, storageKeys);
+    const authToken = cookies.authToken;
     const userAgent = ctx.headers["user-agent"];
     if (!userAgent) {
       throw new import_server.TRPCError({
@@ -380,27 +346,13 @@ ${errorStack}` : null,
     }
     if (authToken) {
       try {
-        const decodedToken = verifyAccessToken(authToken, {
+        const decodedToken = verifyAuthToken(authToken, {
           secret: config.secrets.jwt,
           ignoreExpiration: meta?.ignoreExpiration ?? false
         });
-        if (path === "auth.refresh" && !refreshToken) {
-          await revokeSession(
-            ctx,
-            decodedToken.id,
-            "Session revoked: No refresh token",
-            void 0,
-            path
-          );
-          throw new import_server.TRPCError({
-            message: "Unauthorized",
-            code: "UNAUTHORIZED"
-          });
-        }
         const session = await config.prisma.session.findUnique({
           where: {
-            id: decodedToken.id,
-            ...path === "auth.refresh" ? { refreshToken } : {}
+            id: decodedToken.id
           },
           select: {
             userId: true,
@@ -491,8 +443,7 @@ ${errorStack}` : null,
             ...ctx,
             userId: session.userId,
             socketId: session.socketId,
-            sessionId: session.id,
-            refreshToken
+            sessionId: session.id
           }
         });
       } catch (err) {
@@ -537,7 +488,6 @@ ${errorStack}` : null,
 }
 
 // src/procedures/base.ts
-var import_node_crypto = require("crypto");
 var import_server2 = require("@trpc/server");
 
 // src/utilities/browser.ts
@@ -736,9 +686,6 @@ var twoFaVerifySchema = import_zod.z.object({
   code: import_zod.z.string().min(6, { message: "Verification code is required" }),
   sessionId: import_zod.z.number().optional()
 });
-var twoFaSetupSchema = import_zod.z.object({
-  code: import_zod.z.string().min(6, { message: "Verification code is required" })
-});
 var twoFaResetSchema = import_zod.z.object({
   username: import_zod.z.string().min(1),
   password: import_zod.z.string().min(1)
@@ -750,9 +697,6 @@ var twoFaResetVerifySchema = import_zod.z.object({
 var verifyEmailSchema = import_zod.z.object({
   code: import_zod.z.string().min(1, { message: "Verification code is required" })
 });
-var resendVerificationSchema = import_zod.z.object({
-  email: import_zod.z.string().email().optional()
-});
 var biometricVerifySchema = import_zod.z.object({});
 var registerPushTokenSchema = import_zod.z.object({
   pushToken: import_zod.z.string().min(1, { message: "Push token is required" })
@@ -766,19 +710,9 @@ var getTwofaSecretSchema = import_zod.z.object({
 var disableTwofaSchema = import_zod.z.object({
   password: import_zod.z.string().min(1, { message: "Password is required" })
 });
-var logoutSchema = import_zod.z.object({
-  allDevices: import_zod.z.boolean().optional().default(false)
-});
 var endAllSessionsSchema = import_zod.z.object({
   skipCurrentSession: import_zod.z.boolean().optional().default(true)
 });
-var otpLoginRequestSchema = import_zod.z.object({
-  email: import_zod.z.string().email({ message: "Invalid email address" })
-});
-var otpLoginVerifySchema = import_zod.z.object({
-  email: import_zod.z.string().email(),
-  code: import_zod.z.number().min(1e5).max(999999)
-});
 function createSchemas(extensions) {
   return {
     signup: extensions?.signup ? signupSchema.merge(extensions.signup) : signupSchema,
@@ -857,31 +791,29 @@ var BaseProcedureFactory = class {
       if (this.config.hooks?.onUserCreated) {
         await this.config.hooks.onUserCreated(user.id, typedInput);
       }
-      const refreshToken = (0, import_node_crypto.randomUUID)();
       const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
       const session = await this.config.prisma.session.create({
         data: {
           userId: user.id,
           browserName: detectBrowser(userAgent),
           socketId: null,
-          refreshToken,
           ...extraSessionData
         },
-        select: { id: true, refreshToken: true, userId: true }
+        select: { id: true, userId: true }
       });
       if (this.config.hooks?.onSessionCreated) {
         await this.config.hooks.onSessionCreated(session.id, typedInput);
       }
-      const accessToken = createAccessToken(
+      const authToken = createAuthToken(
         { id: session.id, userId: session.userId, verifiedHumanAt: null },
         {
           secret: this.config.secrets.jwt,
-          expiresIn: this.config.tokenSettings.accessTokenExpiry
+          expiresIn: this.config.tokenSettings.jwtExpiry
         }
       );
-      setAuthCookies(
+      setAuthCookie(
         ctx.res,
-        { accessToken, refreshToken: session.refreshToken },
+        authToken,
         this.config.cookieSettings,
         this.config.storageKeys
       );
@@ -973,19 +905,13 @@ var BaseProcedureFactory = class {
           }
         }
         if (!validCode) {
-          const checkOTP = await this.config.prisma.oTPBasedLogin.findFirst({
-            where: {
-              code: Number(code),
-              userId: user.id,
-              disabled: false,
-              createdAt: { gte: new Date(Date.now() - this.config.tokenSettings.otpValidityMs) }
-            }
+          const checkOTP = await this.config.prisma.oTP.findUnique({
+            where: { userId: user.id }
           });
-          if (checkOTP) {
+          if (checkOTP && checkOTP.code === Number(code) && checkOTP.expiredAt >= /* @__PURE__ */ new Date()) {
             validCode = true;
-            await this.config.prisma.oTPBasedLogin.updateMany({
-              where: { code: Number(code) },
-              data: { disabled: true }
+            await this.config.prisma.oTP.delete({
+              where: { userId: user.id }
             });
           }
         }
@@ -996,19 +922,16 @@ var BaseProcedureFactory = class {
           });
         }
       }
-      const refreshToken = (0, import_node_crypto.randomUUID)();
       const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
       const session = await this.config.prisma.session.create({
         data: {
           userId: user.id,
           browserName: detectBrowser(userAgent),
           socketId: null,
-          refreshToken,
           ...extraSessionData
         },
         select: {
           id: true,
-          refreshToken: true,
           userId: true,
           socketId: true,
           browserName: true,
@@ -1025,16 +948,16 @@ var BaseProcedureFactory = class {
       if (this.config.hooks?.onSessionCreated) {
         await this.config.hooks.onSessionCreated(session.id, typedInput);
       }
-      const accessToken = createAccessToken(
+      const authToken = createAuthToken(
         { id: session.id, userId: session.userId, verifiedHumanAt: user.verifiedHumanAt },
         {
           secret: this.config.secrets.jwt,
-          expiresIn: this.config.tokenSettings.accessTokenExpiry
+          expiresIn: this.config.tokenSettings.jwtExpiry
         }
       );
-      setAuthCookies(
+      setAuthCookie(
         ctx.res,
-        { accessToken, refreshToken: session.refreshToken },
+        authToken,
         this.config.cookieSettings,
         this.config.storageKeys
       );
@@ -1045,7 +968,7 @@ var BaseProcedureFactory = class {
     });
   }
   logout() {
-    return this.procedure.mutation(async ({ ctx }) => {
+    return this.authProcedure.meta({ ignoreExpiration: true }).mutation(async ({ ctx }) => {
       const { userId, sessionId } = ctx;
       if (sessionId) {
         await this.config.prisma.session.update({
@@ -1062,18 +985,17 @@ var BaseProcedureFactory = class {
           await this.config.hooks.afterLogout(userId, sessionId, ctx.socketId);
         }
       }
-      clearAuthCookies(ctx.res, this.config.cookieSettings, this.config.storageKeys);
+      clearAuthCookie(ctx.res, this.config.cookieSettings, this.config.storageKeys);
       return { success: true };
     });
   }
   refresh() {
-    return this.authProcedure.meta({ ignoreExpiration: true }).query(async ({ ctx }) => {
+    return this.authProcedure.query(async ({ ctx }) => {
       const session = await this.config.prisma.session.update({
         where: { id: ctx.sessionId },
-        data: { refreshToken: (0, import_node_crypto.randomUUID)(), lastUsed: /* @__PURE__ */ new Date() },
+        data: { lastUsed: /* @__PURE__ */ new Date() },
         select: {
           id: true,
-          refreshToken: true,
           userId: true,
           user: { select: { verifiedHumanAt: true } }
         }
@@ -1082,16 +1004,16 @@ var BaseProcedureFactory = class {
         this.config.hooks.onRefresh(session.userId).catch(() => {
         });
       }
-      const accessToken = createAccessToken(
+      const authToken = createAuthToken(
         { id: session.id, userId: session.userId, verifiedHumanAt: session.user.verifiedHumanAt },
         {
           secret: this.config.secrets.jwt,
-          expiresIn: this.config.tokenSettings.accessTokenExpiry
+          expiresIn: this.config.tokenSettings.jwtExpiry
         }
       );
-      setAuthCookies(
+      setAuthCookie(
         ctx.res,
-        { accessToken, refreshToken: session.refreshToken },
+        authToken,
         this.config.cookieSettings,
         this.config.storageKeys
       );
@@ -1319,7 +1241,7 @@ var BiometricProcedureFactory = class {
 };
 
 // src/procedures/emailVerification.ts
-var import_node_crypto2 = require("crypto");
+var import_node_crypto = require("crypto");
 var import_server4 = require("@trpc/server");
 var EmailVerificationProcedureFactory = class {
   constructor(config, authProcedure) {
@@ -1352,7 +1274,7 @@ var EmailVerificationProcedureFactory = class {
       if (user.emailVerificationStatus === "VERIFIED") {
         return { message: "Email is already verified", emailSent: false };
       }
-      const otp = (0, import_node_crypto2.randomUUID)();
+      const otp = (0, import_node_crypto.randomUUID)();
       await this.config.prisma.user.update({
         where: { id: userId },
         data: { emailVerificationStatus: "PENDING", otpForEmailVerification: otp }
@@ -1417,7 +1339,6 @@ var EmailVerificationProcedureFactory = class {
 };
 
 // src/procedures/oauth.ts
-var import_node_crypto3 = require("crypto");
 var import_server5 = require("@trpc/server");
 var OAuthLoginProcedureFactory = class {
   constructor(config, procedure) {
@@ -1516,19 +1437,16 @@ var OAuthLoginProcedureFactory = class {
       if (user.status === "BANNED") {
         throw new import_server5.TRPCError({ code: "FORBIDDEN", message: "Your account has been banned." });
       }
-      const refreshToken = (0, import_node_crypto3.randomUUID)();
       const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
       const session = await this.config.prisma.session.create({
         data: {
           userId: user.id,
           browserName: detectBrowser(userAgent),
           socketId: null,
-          refreshToken,
           ...extraSessionData
         },
         select: {
           id: true,
-          refreshToken: true,
           userId: true,
           socketId: true,
           browserName: true,
@@ -1545,16 +1463,16 @@ var OAuthLoginProcedureFactory = class {
       if (this.config.hooks?.onSessionCreated) {
         await this.config.hooks.onSessionCreated(session.id, typedInput);
       }
-      const accessToken = createAccessToken(
+      const authToken = createAuthToken(
         { id: session.id, userId: session.userId, verifiedHumanAt: user.verifiedHumanAt ?? null },
         {
           secret: this.config.secrets.jwt,
-          expiresIn: this.config.tokenSettings.accessTokenExpiry
+          expiresIn: this.config.tokenSettings.jwtExpiry
         }
       );
-      setAuthCookies(
+      setAuthCookie(
         ctx.res,
-        { accessToken, refreshToken: session.refreshToken },
+        authToken,
         this.config.cookieSettings,
         this.config.storageKeys
       );
@@ -1752,8 +1670,11 @@ var TwoFaProcedureFactory = class {
         throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Invalid credentials." });
       }
       const otp = generateOtp();
-      await this.config.prisma.oTPBasedLogin.create({
-        data: { userId: user.id, code: otp }
+      const expiredAt = new Date(Date.now() + this.config.tokenSettings.otpValidityMs);
+      await this.config.prisma.oTP.upsert({
+        where: { userId: user.id },
+        update: { code: otp, expiredAt },
+        create: { userId: user.id, code: otp, expiredAt }
       });
       if (this.config.emailService) {
         await this.config.emailService.sendOTPEmail(user.email, otp);
@@ -1772,20 +1693,14 @@ var TwoFaProcedureFactory = class {
       if (!user) {
         throw new import_server6.TRPCError({ code: "NOT_FOUND", message: "User not found" });
       }
-      const otp = await this.config.prisma.oTPBasedLogin.findFirst({
-        where: {
-          userId: user.id,
-          code,
-          disabled: false,
-          createdAt: { gte: new Date(Date.now() - this.config.tokenSettings.otpValidityMs) }
-        }
+      const otp = await this.config.prisma.oTP.findUnique({
+        where: { userId: user.id }
       });
-      if (!otp) {
+      if (!otp || otp.code !== code || otp.expiredAt < /* @__PURE__ */ new Date()) {
         throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Invalid or expired OTP" });
       }
-      await this.config.prisma.oTPBasedLogin.update({
-        where: { id: otp.id },
-        data: { disabled: true }
+      await this.config.prisma.oTP.delete({
+        where: { userId: user.id }
       });
       await this.config.prisma.user.update({
         where: { id: user.id },
@@ -1838,21 +1753,35 @@ var TwoFaProcedureFactory = class {
     });
   }
   deregisterPushToken() {
-    return this.authProcedure.meta({ ignoreExpiration: true }).input(deregisterPushTokenSchema).mutation(async ({ ctx, input }) => {
+    return this.authProcedure.input(deregisterPushTokenSchema).mutation(async ({ ctx, input }) => {
       this.checkConfig();
       const { userId } = ctx;
       const { pushToken } = input;
       const device = await this.config.prisma.device.findFirst({
         where: {
-          ...userId !== 0 && { users: { some: { id: userId } } },
+          users: { some: { id: userId } },
           pushToken
         },
         select: { id: true }
       });
       if (device) {
-        await this.config.prisma.device.delete({
-          where: { id: device.id }
+        await this.config.prisma.session.updateMany({
+          where: { userId, deviceId: device.id },
+          data: { deviceId: null }
         });
+        await this.config.prisma.device.update({
+          where: { id: device.id },
+          data: { users: { disconnect: { id: userId } } }
+        });
+        const remainingUsers = await this.config.prisma.device.findUnique({
+          where: { id: device.id },
+          select: { users: { select: { id: true }, take: 1 } }
+        });
+        if (!remainingUsers?.users.length) {
+          await this.config.prisma.device.delete({
+            where: { id: device.id }
+          });
+        }
       }
       return { deregistered: true };
     });
@@ -1943,7 +1872,6 @@ var createContext = ({ req, res }) => ({
   headers: req.headers,
   userId: null,
   sessionId: null,
-  refreshToken: null,
   socketId: null,
   ip: getClientIp(req),
   res
@@ -2003,12 +1931,12 @@ function createAuthRouter(config) {
   biometricVerifySchema,
   changePasswordSchema,
   cleanBase32String,
-  clearAuthCookies,
+  clearAuthCookie,
   comparePassword,
-  createAccessToken,
   createAuthConfig,
   createAuthGuard,
   createAuthRouter,
+  createAuthToken,
   createConsoleEmailAdapter,
   createNoopEmailAdapter,
   createOAuthVerifier,
@@ -2028,20 +1956,16 @@ function createAuthRouter(config) {
   isTokenExpiredError,
   isTokenInvalidError,
   loginSchema,
-  logoutSchema,
   oAuthLoginSchema,
-  otpLoginRequestSchema,
-  otpLoginVerifySchema,
-  parseAuthCookies,
+  parseAuthCookie,
   requestPasswordResetSchema,
   resetPasswordSchema,
-  setAuthCookies,
+  setAuthCookie,
   signupSchema,
   twoFaResetSchema,
-  twoFaSetupSchema,
   twoFaVerifySchema,
   validatePasswordStrength,
-  verifyAccessToken,
+  verifyAuthToken,
   verifyEmailSchema,
   verifyTotp
 });