@flink-app/otp-auth-plugin 0.12.1-alpha.40

package/dist/functions/verify.js

@@ -0,0 +1,142 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verify = void 0;
+var flink_1 = require("@flink-app/flink");
+function verify(ctx, options) {
+    return __awaiter(this, void 0, void 0, function () {
+        var sessionId, code, pluginOptions, session, codeMatches, updatedSession, remainingAttempts, user, authResult, error_1;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0:
+                    sessionId = options.sessionId, code = options.code;
+                    pluginOptions = ctx.plugins.otpAuth.options;
+                    // Validate input
+                    if (!sessionId || !code) {
+                        throw (0, flink_1.badRequest)("Session ID and code are required");
+                    }
+                    return [4 /*yield*/, ctx.repos.otpSessionRepo.getSession(sessionId)];
+                case 1:
+                    session = _a.sent();
+                    if (!session) {
+                        flink_1.log.warn("OTP session not found: ".concat(sessionId));
+                        return [2 /*return*/, {
+                                status: "not_found",
+                                message: "Session not found or expired",
+                            }];
+                    }
+                    // Check if session is already verified
+                    if (session.status === "verified") {
+                        flink_1.log.warn("Attempt to verify already verified session: ".concat(sessionId));
+                        throw (0, flink_1.badRequest)("Session already verified");
+                    }
+                    // Check if session is locked
+                    if (session.status === "locked") {
+                        flink_1.log.warn("Attempt to verify locked session: ".concat(sessionId));
+                        return [2 /*return*/, {
+                                status: "locked",
+                                message: "Too many failed attempts. Session is locked.",
+                            }];
+                    }
+                    if (!(session.status === "expired" || new Date() > session.expiresAt)) return [3 /*break*/, 4];
+                    if (!(session.status !== "expired")) return [3 /*break*/, 3];
+                    return [4 /*yield*/, ctx.repos.otpSessionRepo.markAsExpired(sessionId)];
+                case 2:
+                    _a.sent();
+                    _a.label = 3;
+                case 3:
+                    flink_1.log.warn("Attempt to verify expired session: ".concat(sessionId));
+                    return [2 /*return*/, {
+                            status: "expired",
+                            message: "Verification code has expired",
+                        }];
+                case 4:
+                    codeMatches = session.code === code;
+                    if (!!codeMatches) return [3 /*break*/, 6];
+                    return [4 /*yield*/, ctx.repos.otpSessionRepo.incrementAttempts(sessionId)];
+                case 5:
+                    updatedSession = _a.sent();
+                    remainingAttempts = updatedSession.maxAttempts - updatedSession.attempts;
+                    flink_1.log.warn("Invalid OTP code for session ".concat(sessionId, ". Remaining attempts: ").concat(remainingAttempts));
+                    if (updatedSession.status === "locked") {
+                        return [2 /*return*/, {
+                                status: "locked",
+                                message: "Too many failed attempts. Session is locked.",
+                                remainingAttempts: 0,
+                            }];
+                    }
+                    return [2 /*return*/, {
+                            status: "invalid_code",
+                            message: "Invalid verification code",
+                            remainingAttempts: remainingAttempts,
+                        }];
+                case 6: 
+                // Code is valid - mark session as verified
+                return [4 /*yield*/, ctx.repos.otpSessionRepo.markAsVerified(sessionId)];
+                case 7:
+                    // Code is valid - mark session as verified
+                    _a.sent();
+                    return [4 /*yield*/, pluginOptions.onGetUser(session.identifier, session.method, session.payload)];
+                case 8:
+                    user = _a.sent();
+                    if (!user) {
+                        flink_1.log.error("User not found for identifier ".concat(session.identifier, " after successful OTP verification"));
+                        throw (0, flink_1.notFound)("User not found");
+                    }
+                    _a.label = 9;
+                case 9:
+                    _a.trys.push([9, 11, , 12]);
+                    return [4 /*yield*/, pluginOptions.onVerifySuccess(user, session.identifier, session.method, session.payload)];
+                case 10:
+                    authResult = _a.sent();
+                    flink_1.log.info("OTP verification successful for session ".concat(sessionId, ", identifier: ").concat(session.identifier));
+                    return [2 /*return*/, {
+                            status: "success",
+                            token: authResult.token,
+                            user: authResult.user,
+                        }];
+                case 11:
+                    error_1 = _a.sent();
+                    flink_1.log.error("Error in onVerifySuccess callback: ".concat(error_1));
+                    throw new Error("Failed to complete authentication");
+                case 12: return [2 /*return*/];
+            }
+        });
+    });
+}
+exports.verify = verify;

package/dist/handlers/PostOtpInitiate.d.ts

@@ -0,0 +1,7 @@
+import { Handler, RouteProps } from "@flink-app/flink";
+import InitiateRequest from "../schemas/InitiateRequest";
+import InitiateResponse from "../schemas/InitiateResponse";
+import { OtpInternalContext } from "../OtpInternalContext";
+export declare const Route: RouteProps;
+declare const PostOtpInitiate: Handler<OtpInternalContext, InitiateRequest, InitiateResponse>;
+export default PostOtpInitiate;

package/dist/handlers/PostOtpInitiate.js

@@ -0,0 +1,70 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Route = void 0;
+var flink_1 = require("@flink-app/flink");
+var initiate_1 = require("../functions/initiate");
+exports.Route = {
+    path: "/otp/initiate",
+    method: flink_1.HttpMethod.post,
+};
+var PostOtpInitiate = function (_a) { return __awaiter(void 0, [_a], void 0, function (_b) {
+    var response, error_1;
+    var ctx = _b.ctx, req = _b.req;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0:
+                _c.trys.push([0, 2, , 3]);
+                return [4 /*yield*/, (0, initiate_1.initiate)(ctx, {
+                        identifier: req.body.identifier,
+                        method: req.body.method,
+                        payload: req.body.payload,
+                    })];
+            case 1:
+                response = _c.sent();
+                return [2 /*return*/, {
+                        data: response,
+                    }];
+            case 2:
+                error_1 = _c.sent();
+                return [2 /*return*/, (0, flink_1.internalServerError)(error_1.message || "Failed to initiate OTP authentication")];
+            case 3: return [2 /*return*/];
+        }
+    });
+}); };
+exports.default = PostOtpInitiate;

package/dist/handlers/PostOtpVerify.d.ts

@@ -0,0 +1,7 @@
+import { Handler, RouteProps } from "@flink-app/flink";
+import { OtpInternalContext } from "../OtpInternalContext";
+import VerifyRequest from "../schemas/VerifyRequest";
+import VerifyResponse from "../schemas/VerifyResponse";
+export declare const Route: RouteProps;
+declare const PostOtpVerify: Handler<OtpInternalContext, VerifyRequest, VerifyResponse>;
+export default PostOtpVerify;

package/dist/handlers/PostOtpVerify.js

@@ -0,0 +1,86 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Route = void 0;
+var flink_1 = require("@flink-app/flink");
+var verify_1 = require("../functions/verify");
+exports.Route = {
+    path: "/otp/verify",
+    method: flink_1.HttpMethod.post,
+};
+var PostOtpVerify = function (_a) { return __awaiter(void 0, [_a], void 0, function (_b) {
+    var response;
+    var ctx = _b.ctx, req = _b.req;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0: return [4 /*yield*/, (0, verify_1.verify)(ctx, {
+                    sessionId: req.body.sessionId,
+                    code: req.body.code,
+                })];
+            case 1:
+                response = _c.sent();
+                // Return appropriate HTTP status based on verification result
+                if (response.status === "success") {
+                    return [2 /*return*/, {
+                            data: response,
+                        }];
+                }
+                else if (response.status === "not_found") {
+                    return [2 /*return*/, {
+                            status: 404,
+                            data: response,
+                        }];
+                }
+                else if (response.status === "locked" || response.status === "expired") {
+                    return [2 /*return*/, {
+                            status: 403,
+                            data: response,
+                        }];
+                }
+                else {
+                    // invalid_code
+                    return [2 /*return*/, {
+                            status: 401,
+                            data: response,
+                        }];
+                }
+                return [2 /*return*/];
+        }
+    });
+}); };
+exports.default = PostOtpVerify;

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export * from "./OtpAuthPlugin";
+export * from "./OtpAuthPluginContext";
+export * from "./OtpAuthPluginOptions";
+export * from "./functions/initiate";
+export * from "./functions/verify";
+export type { default as OtpSession } from "./schemas/OtpSession";
+export type { default as InitiateRequest } from "./schemas/InitiateRequest";
+export type { default as InitiateResponse } from "./schemas/InitiateResponse";
+export type { default as VerifyRequest } from "./schemas/VerifyRequest";
+export type { default as VerifyResponse } from "./schemas/VerifyResponse";
+export * from "./utils/otp-utils";

package/dist/index.js

@@ -0,0 +1,24 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./OtpAuthPlugin"), exports);
+__exportStar(require("./OtpAuthPluginContext"), exports);
+__exportStar(require("./OtpAuthPluginOptions"), exports);
+// Functions
+__exportStar(require("./functions/initiate"), exports);
+__exportStar(require("./functions/verify"), exports);
+// Utils
+__exportStar(require("./utils/otp-utils"), exports);

package/dist/repos/OtpSessionRepo.d.ts

@@ -0,0 +1,13 @@
+import { FlinkRepo } from "@flink-app/flink";
+import OtpSession from "../schemas/OtpSession";
+declare class OtpSessionRepo extends FlinkRepo<any, OtpSession> {
+    getSession(sessionId: string): Promise<OtpSession | null>;
+    createSession(session: Omit<OtpSession, "_id">): Promise<Omit<OtpSession, "_id"> & {
+        _id: string;
+    }>;
+    incrementAttempts(sessionId: string): Promise<OtpSession | null>;
+    markAsVerified(sessionId: string): Promise<OtpSession | null>;
+    markAsExpired(sessionId: string): Promise<OtpSession | null>;
+    ensureExpiringIndex(ttlSec: number): Promise<void>;
+}
+export default OtpSessionRepo;

package/dist/repos/OtpSessionRepo.js

@@ -0,0 +1,145 @@
+"use strict";
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var flink_1 = require("@flink-app/flink");
+var OtpSessionRepo = /** @class */ (function (_super) {
+    __extends(OtpSessionRepo, _super);
+    function OtpSessionRepo() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    OtpSessionRepo.prototype.getSession = function (sessionId) {
+        return __awaiter(this, void 0, void 0, function () {
+            return __generator(this, function (_a) {
+                return [2 /*return*/, this.getOne({ sessionId: sessionId })];
+            });
+        });
+    };
+    OtpSessionRepo.prototype.createSession = function (session) {
+        return __awaiter(this, void 0, void 0, function () {
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.create(session)];
+                    case 1: return [2 /*return*/, _a.sent()];
+                }
+            });
+        });
+    };
+    OtpSessionRepo.prototype.incrementAttempts = function (sessionId) {
+        return __awaiter(this, void 0, void 0, function () {
+            var session, newAttempts, newStatus;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.getSession(sessionId)];
+                    case 1:
+                        session = _a.sent();
+                        if (!session) {
+                            throw new Error("Session not found");
+                        }
+                        newAttempts = session.attempts + 1;
+                        newStatus = newAttempts >= session.maxAttempts ? "locked" : session.status;
+                        return [4 /*yield*/, this.collection.updateOne({ sessionId: sessionId }, { $set: { attempts: newAttempts, status: newStatus } })];
+                    case 2:
+                        _a.sent();
+                        return [2 /*return*/, this.getSession(sessionId)];
+                }
+            });
+        });
+    };
+    OtpSessionRepo.prototype.markAsVerified = function (sessionId) {
+        return __awaiter(this, void 0, void 0, function () {
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.collection.updateOne({ sessionId: sessionId }, { $set: { status: "verified", verifiedAt: new Date() } })];
+                    case 1:
+                        _a.sent();
+                        return [2 /*return*/, this.getSession(sessionId)];
+                }
+            });
+        });
+    };
+    OtpSessionRepo.prototype.markAsExpired = function (sessionId) {
+        return __awaiter(this, void 0, void 0, function () {
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.collection.updateOne({ sessionId: sessionId }, { $set: { status: "expired" } })];
+                    case 1:
+                        _a.sent();
+                        return [2 /*return*/, this.getSession(sessionId)];
+                }
+            });
+        });
+    };
+    OtpSessionRepo.prototype.ensureExpiringIndex = function (ttlSec) {
+        return __awaiter(this, void 0, void 0, function () {
+            var err_1;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        _a.trys.push([0, 2, , 3]);
+                        return [4 /*yield*/, this.collection.createIndex({ createdAt: 1 }, { expireAfterSeconds: ttlSec })];
+                    case 1:
+                        _a.sent();
+                        flink_1.log.info("OTP Auth Plugin: Created TTL index with ".concat(ttlSec, "s expiration"));
+                        return [3 /*break*/, 3];
+                    case 2:
+                        err_1 = _a.sent();
+                        flink_1.log.error("Error creating expiring index for OTP sessions:", err_1);
+                        return [3 /*break*/, 3];
+                    case 3: return [2 /*return*/];
+                }
+            });
+        });
+    };
+    return OtpSessionRepo;
+}(flink_1.FlinkRepo));
+exports.default = OtpSessionRepo;

package/dist/schemas/InitiateRequest.d.ts

@@ -0,0 +1,8 @@
+export default interface InitiateRequest {
+    /** User identifier (phone number or email) */
+    identifier: string;
+    /** Delivery method for the OTP code */
+    method: "sms" | "email";
+    /** Optional custom payload to attach to the session */
+    payload?: Record<string, any>;
+}

package/dist/schemas/InitiateRequest.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/InitiateResponse.d.ts

@@ -0,0 +1,8 @@
+export default interface InitiateResponse {
+    /** Unique session ID for this OTP session */
+    sessionId: string;
+    /** When the code expires */
+    expiresAt: Date;
+    /** Time-to-live in seconds */
+    ttl: number;
+}

package/dist/schemas/InitiateResponse.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/OtpSession.d.ts

@@ -0,0 +1,25 @@
+export default interface OtpSession {
+    _id?: string;
+    /** Unique identifier for the OTP session */
+    sessionId: string;
+    /** User identifier (phone number, email, or user ID) */
+    identifier: string;
+    /** The delivery method for this session */
+    method: "sms" | "email";
+    /** The generated OTP code */
+    code: string;
+    /** Number of verification attempts made */
+    attempts: number;
+    /** Maximum allowed attempts before session is locked */
+    maxAttempts: number;
+    /** Session status */
+    status: "pending" | "verified" | "expired" | "locked";
+    /** When the session was created */
+    createdAt: Date;
+    /** When the session expires */
+    expiresAt: Date;
+    /** When the session was verified (if verified) */
+    verifiedAt?: Date;
+    /** Optional custom payload passed during initiation */
+    payload?: Record<string, any>;
+}

package/dist/schemas/OtpSession.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/VerifyRequest.d.ts

@@ -0,0 +1,6 @@
+export default interface VerifyRequest {
+    /** The session ID from the initiate response */
+    sessionId: string;
+    /** The OTP code entered by the user */
+    code: string;
+}

package/dist/schemas/VerifyRequest.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/VerifyResponse.d.ts

@@ -0,0 +1,12 @@
+export default interface VerifyResponse {
+    /** Verification status */
+    status: "success" | "invalid_code" | "expired" | "locked" | "not_found";
+    /** JWT token if successful */
+    token?: string;
+    /** User object if successful */
+    user?: any;
+    /** Remaining attempts if code was invalid */
+    remainingAttempts?: number;
+    /** Error message */
+    message?: string;
+}

package/dist/schemas/VerifyResponse.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/utils/otp-utils.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Generates a random numeric OTP code.
+ *
+ * @param length - Number of digits (4-8)
+ * @returns A numeric string of the specified length
+ */
+export declare function generateOtpCode(length?: number): string;
+/**
+ * Generates a unique session ID.
+ *
+ * @returns A cryptographically secure random hex string
+ */
+export declare function generateSessionId(): string;
+/**
+ * Validates that an identifier looks like a valid phone number or email.
+ *
+ * @param identifier - The identifier to validate
+ * @param method - The expected delivery method
+ * @returns true if valid, false otherwise
+ */
+export declare function validateIdentifier(identifier: string, method: "sms" | "email"): boolean;
+/**
+ * Normalizes a phone number by removing formatting characters.
+ *
+ * @param phoneNumber - The phone number to normalize
+ * @returns Normalized phone number (digits and + only)
+ */
+export declare function normalizePhoneNumber(phoneNumber: string): string;
+/**
+ * Normalizes an email by converting to lowercase and trimming.
+ *
+ * @param email - The email to normalize
+ * @returns Normalized email
+ */
+export declare function normalizeEmail(email: string): string;
+/**
+ * Normalizes an identifier based on the delivery method.
+ *
+ * @param identifier - The identifier to normalize
+ * @param method - The delivery method
+ * @returns Normalized identifier
+ */
+export declare function normalizeIdentifier(identifier: string, method: "sms" | "email"): string;