@fnd-platform/cognito-auth 1.0.0-alpha.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 fnd-platform contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,323 @@
+# @fnd-platform/cognito-auth
+
+AWS Cognito authentication constructs and middleware for fnd-platform applications. Provides CDK constructs, JWT validation, Lambda authorizers, and Remix authentication utilities.
+
+## Installation
+
+```bash
+npm install @fnd-platform/cognito-auth
+# or
+pnpm add @fnd-platform/cognito-auth
+```
+
+## Quick Start
+
+### CDK Construct
+
+```typescript
+import { FndCognitoAuth } from '@fnd-platform/cognito-auth';
+
+const auth = new FndCognitoAuth(this, 'Auth', {
+  stage: 'dev',
+  appName: 'my-app',
+  callbackUrls: ['http://localhost:3000/auth/callback'],
+  logoutUrls: ['http://localhost:3000'],
+});
+
+// Access outputs
+auth.userPool;
+auth.userPoolClient;
+auth.identityPool;
+```
+
+### Lambda Middleware
+
+```typescript
+import { withCognitoAuth } from '@fnd-platform/cognito-auth';
+
+export const handler = withCognitoAuth({
+  userPoolId: process.env.USER_POOL_ID!,
+  clientId: process.env.CLIENT_ID!,
+})(async (event) => {
+  // event.requestContext.authorizer contains user claims
+  const userId = event.requestContext.authorizer?.claims?.sub;
+  return { statusCode: 200, body: JSON.stringify({ userId }) };
+});
+```
+
+### Remix Authentication
+
+```typescript
+import { requireAuth, getOptionalUser, logout } from '@fnd-platform/cognito-auth';
+
+// In a loader - require authentication
+export const loader = async ({ request }) => {
+  const user = await requireAuth(request);
+  return json({ user });
+};
+
+// In a loader - optional authentication
+export const loader = async ({ request }) => {
+  const user = await getOptionalUser(request);
+  return json({ user });
+};
+
+// Logout action
+export const action = async ({ request }) => {
+  return logout(request);
+};
+```
+
+## Features
+
+- **CDK Construct** - Fully configured Cognito User Pool with best practices
+- **JWT Validation** - Verify and extract claims from Cognito tokens
+- **Lambda Middleware** - Authenticate Lambda handlers
+- **Lambda Authorizer** - API Gateway authorizer function
+- **Token Refresh** - Automatic token refresh utilities
+- **Remix Integration** - Session management and auth utilities for Remix
+
+## CDK Construct Options
+
+```typescript
+interface FndCognitoAuthProps {
+  stage: 'dev' | 'staging' | 'prod';
+  appName: string;
+  callbackUrls: string[];
+  logoutUrls: string[];
+
+  // Optional
+  selfSignUp?: boolean; // Allow self-registration (default: true)
+  mfa?: 'off' | 'optional' | 'required'; // MFA setting (default: 'optional')
+  passwordPolicy?: {
+    minLength?: number; // Default: 8
+    requireUppercase?: boolean; // Default: true
+    requireLowercase?: boolean; // Default: true
+    requireDigits?: boolean; // Default: true
+    requireSymbols?: boolean; // Default: true
+  };
+}
+```
+
+## Examples
+
+### Role-Based Access Control
+
+```typescript
+import { requireRole, requireAdmin, hasRole } from '@fnd-platform/cognito-auth';
+
+// Require admin role
+export const loader = async ({ request }) => {
+  const user = await requireAdmin(request);
+  // Only admins can reach this point
+  return json({ user });
+};
+
+// Require specific roles
+export const loader = async ({ request }) => {
+  const user = await requireRole(request, ['admin', 'editor']);
+  return json({ user });
+};
+
+// Check role without redirecting
+export const loader = async ({ request }) => {
+  const user = await requireAuth(request);
+  const isAdmin = hasRole(user, 'admin');
+  return json({ user, isAdmin });
+};
+```
+
+### JWT Verification
+
+```typescript
+import { verifyToken, verifyAndExtract, getVerifier } from '@fnd-platform/cognito-auth';
+
+// Verify a token
+const isValid = await verifyToken(token, {
+  userPoolId: process.env.USER_POOL_ID!,
+  clientId: process.env.CLIENT_ID!,
+  tokenUse: 'access',
+});
+
+// Verify and get claims
+const claims = await verifyAndExtract(token, {
+  userPoolId: process.env.USER_POOL_ID!,
+  clientId: process.env.CLIENT_ID!,
+});
+
+// Get a reusable verifier (cached)
+const verifier = getVerifier({
+  userPoolId: process.env.USER_POOL_ID!,
+  clientId: process.env.CLIENT_ID!,
+});
+```
+
+### Session Management
+
+```typescript
+import {
+  createSessionStorage,
+  getSession,
+  createUserSession,
+  getUserSession,
+} from '@fnd-platform/cognito-auth';
+
+// Create session storage
+const sessionStorage = createSessionStorage({
+  secret: process.env.SESSION_SECRET!,
+  secure: process.env.NODE_ENV === 'production',
+});
+
+// Create a user session after login
+export const action = async ({ request }) => {
+  const tokens = await authenticateUser(credentials);
+  return createUserSession(request, {
+    accessToken: tokens.accessToken,
+    idToken: tokens.idToken,
+    refreshToken: tokens.refreshToken,
+    redirectTo: '/dashboard',
+  });
+};
+```
+
+### Auth Client
+
+```typescript
+import { FndAuthClient, AuthError } from '@fnd-platform/cognito-auth';
+
+const authClient = new FndAuthClient({
+  userPoolId: process.env.USER_POOL_ID!,
+  clientId: process.env.CLIENT_ID!,
+  region: process.env.AWS_REGION!,
+});
+
+try {
+  // Sign up
+  const result = await authClient.signUp({
+    email: 'user@example.com',
+    password: 'SecurePassword123!',
+  });
+
+  // Sign in
+  const tokens = await authClient.signIn({
+    email: 'user@example.com',
+    password: 'SecurePassword123!',
+  });
+
+  // Refresh tokens
+  const newTokens = await authClient.refreshTokens(tokens.refreshToken);
+} catch (error) {
+  if (error instanceof AuthError) {
+    console.error(error.code, error.message);
+  }
+}
+```
+
+## API Reference
+
+See the [full API documentation](../../docs/api/modules/cognito_auth_src.html) for detailed type definitions and examples.
+
+### CDK Constructs
+
+- `FndCognitoAuth` - Main Cognito User Pool construct
+- `FndCognitoAuthProps` - Construct configuration
+- `Stage` - Valid stage values type
+- `validateStage` - Stage validation utility
+- `VALID_STAGES` - Array of valid stages
+
+### JWT Utilities
+
+```typescript
+import {
+  verifyToken, // Verify token validity
+  verifyAndExtract, // Verify and return claims
+  getVerifier, // Get cached verifier instance
+  clearVerifierCache, // Clear verifier cache
+} from '@fnd-platform/cognito-auth';
+```
+
+### Middleware
+
+```typescript
+import { withCognitoAuth } from '@fnd-platform/cognito-auth';
+```
+
+### Lambda Authorizer
+
+```typescript
+import { authorizerHandler } from '@fnd-platform/cognito-auth';
+```
+
+### Token Utilities
+
+```typescript
+import { refreshAccessToken, clearClientCache } from '@fnd-platform/cognito-auth';
+```
+
+### Auth Client
+
+```typescript
+import { FndAuthClient, AuthError, clearAuthClientCache } from '@fnd-platform/cognito-auth';
+```
+
+### Remix Utilities
+
+```typescript
+import {
+  // Session management
+  createSessionStorage,
+  getSession,
+  createUserSession,
+  getUserSession,
+  // Auth helpers
+  requireAuth,
+  getOptionalUser,
+  logout,
+  // Role-based access
+  requireAdmin,
+  requireRole,
+  hasRole,
+  hasAnyRole,
+} from '@fnd-platform/cognito-auth';
+```
+
+### Types
+
+```typescript
+import type {
+  FndCognitoAuthProps,
+  Stage,
+  CognitoAccessTokenPayload,
+  CognitoIdTokenPayload,
+  CognitoAuthOptions,
+  JwtVerifierConfig,
+  TokenVerificationResult,
+  CognitoAuthenticatedEvent,
+  CognitoMiddleware,
+  CognitoMiddlewareHandler,
+  TokenRefreshConfig,
+  RefreshResult,
+  AuthClientConfig,
+  AuthTokens,
+  SignUpResult,
+  SessionData,
+  SessionUser,
+  AuthErrorCode,
+} from '@fnd-platform/cognito-auth';
+```
+
+## Requirements
+
+- Node.js 20+
+- AWS CDK v2 (for constructs)
+- @remix-run/node (for Remix utilities)
+
+## Related
+
+- [@fnd-platform/api](../api/README.md) - API handlers with auth middleware
+- [@fnd-platform/frontend](../frontend/README.md) - Frontend with auth integration
+- [@fnd-platform/constructs](../constructs/README.md) - CDK constructs
+
+## License
+
+MIT

package/lib/authorizer/handler.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Lambda authorizer for API Gateway.
+ *
+ * This handler validates JWT tokens and returns an IAM policy
+ * allowing or denying access to the API.
+ *
+ * @packageDocumentation
+ */
+import type { APIGatewayTokenAuthorizerHandler } from 'aws-lambda';
+/**
+ * Lambda authorizer handler.
+ *
+ * Validates JWT tokens and returns an IAM policy.
+ *
+ * Required environment variables:
+ * - COGNITO_USER_POOL_ID
+ * - COGNITO_CLIENT_ID
+ *
+ * @example
+ * ```typescript
+ * // In CDK construct
+ * const authorizer = new lambda.Function(this, 'Authorizer', {
+ *   code: lambda.Code.fromAsset('../cognito-auth/dist'),
+ *   handler: 'authorizer/handler.handler',
+ *   environment: {
+ *     COGNITO_USER_POOL_ID: userPool.userPoolId,
+ *     COGNITO_CLIENT_ID: client.userPoolClientId,
+ *   },
+ * });
+ * ```
+ */
+export declare const handler: APIGatewayTokenAuthorizerHandler;
+//# sourceMappingURL=handler.d.ts.map

package/lib/authorizer/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/authorizer/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gCAAgC,EAA8B,MAAM,YAAY,CAAC;AAkD/F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,OAAO,EAAE,gCAmCrB,CAAC"}

package/lib/authorizer/handler.js

@@ -0,0 +1,106 @@
+"use strict";
+/**
+ * Lambda authorizer for API Gateway.
+ *
+ * This handler validates JWT tokens and returns an IAM policy
+ * allowing or denying access to the API.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = void 0;
+const jwt_js_1 = require("../jwt.js");
+/**
+ * Generates an IAM policy for the authorizer response.
+ *
+ * @param principalId - User identifier
+ * @param effect - Allow or Deny
+ * @param resource - API Gateway resource ARN
+ * @param context - Additional context to pass to handlers
+ * @returns API Gateway authorizer result
+ */
+function generatePolicy(principalId, effect, resource, context) {
+    return {
+        principalId,
+        policyDocument: {
+            Version: '2012-10-17',
+            Statement: [
+                {
+                    Action: 'execute-api:Invoke',
+                    Effect: effect,
+                    Resource: resource,
+                },
+            ],
+        },
+        context,
+    };
+}
+/**
+ * Extracts the base resource ARN for wildcard matching.
+ * Allows access to all methods and paths under the API.
+ *
+ * @param methodArn - The specific method ARN from the event
+ * @returns Wildcard ARN for the API
+ */
+function getWildcardResource(methodArn) {
+    // methodArn format: arn:aws:execute-api:{region}:{accountId}:{apiId}/{stage}/{method}/{path}
+    const arnParts = methodArn.split(':');
+    const apiGatewayParts = arnParts[5].split('/');
+    // Return wildcard for all methods and paths: apiId/stage/*
+    return `${arnParts.slice(0, 5).join(':')}:${apiGatewayParts[0]}/${apiGatewayParts[1]}/*`;
+}
+/**
+ * Lambda authorizer handler.
+ *
+ * Validates JWT tokens and returns an IAM policy.
+ *
+ * Required environment variables:
+ * - COGNITO_USER_POOL_ID
+ * - COGNITO_CLIENT_ID
+ *
+ * @example
+ * ```typescript
+ * // In CDK construct
+ * const authorizer = new lambda.Function(this, 'Authorizer', {
+ *   code: lambda.Code.fromAsset('../cognito-auth/dist'),
+ *   handler: 'authorizer/handler.handler',
+ *   environment: {
+ *     COGNITO_USER_POOL_ID: userPool.userPoolId,
+ *     COGNITO_CLIENT_ID: client.userPoolClientId,
+ *   },
+ * });
+ * ```
+ */
+const handler = async (event) => {
+    const userPoolId = process.env.COGNITO_USER_POOL_ID;
+    const clientId = process.env.COGNITO_CLIENT_ID;
+    if (!userPoolId || !clientId) {
+        console.error('Missing required environment variables');
+        throw new Error('Unauthorized');
+    }
+    // Extract token from header
+    const token = event.authorizationToken?.replace(/^Bearer\s+/i, '');
+    if (!token) {
+        console.error('No token provided');
+        throw new Error('Unauthorized');
+    }
+    try {
+        const authResult = await (0, jwt_js_1.verifyAndExtract)(token, {
+            userPoolId,
+            clientId,
+        });
+        // Generate Allow policy with user context
+        const resource = getWildcardResource(event.methodArn);
+        return generatePolicy(authResult.userId, 'Allow', resource, {
+            userId: authResult.userId,
+            email: authResult.email ?? '',
+            groups: authResult.groups.join(','),
+        });
+    }
+    catch (error) {
+        console.error('Authorization failed:', error);
+        throw new Error('Unauthorized');
+    }
+};
+exports.handler = handler;
+//# sourceMappingURL=handler.js.map

package/lib/authorizer/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../src/authorizer/handler.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAGH,sCAA6C;AAE7C;;;;;;;;GAQG;AACH,SAAS,cAAc,CACrB,WAAmB,EACnB,MAAwB,EACxB,QAAgB,EAChB,OAAmD;IAEnD,OAAO;QACL,WAAW;QACX,cAAc,EAAE;YACd,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,oBAAoB;oBAC5B,MAAM,EAAE,MAAM;oBACd,QAAQ,EAAE,QAAQ;iBACnB;aACF;SACF;QACD,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,SAAiB;IAC5C,6FAA6F;IAC7F,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,eAAe,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE/C,2DAA2D;IAC3D,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3F,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,MAAM,OAAO,GAAqC,KAAK,EAAE,KAAK,EAAE,EAAE;IACvE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAE/C,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;IAED,4BAA4B;IAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,kBAAkB,EAAE,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IAEnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,IAAA,yBAAgB,EAAC,KAAK,EAAE;YAC/C,UAAU;YACV,QAAQ;SACT,CAAC,CAAC;QAEH,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAEtD,OAAO,cAAc,CAAC,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE;YAC1D,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,EAAE;YAC7B,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACpC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;AACH,CAAC,CAAC;AAnCW,QAAA,OAAO,WAmClB"}

package/lib/authorizer/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Lambda authorizer exports.
+ *
+ * @packageDocumentation
+ */
+export { handler } from './handler.js';
+//# sourceMappingURL=index.d.ts.map

package/lib/authorizer/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/authorizer/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC"}

package/lib/authorizer/index.js

@@ -0,0 +1,16 @@
+'use strict';
+/**
+ * Lambda authorizer exports.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.handler = void 0;
+var handler_js_1 = require('./handler.js');
+Object.defineProperty(exports, 'handler', {
+  enumerable: true,
+  get: function () {
+    return handler_js_1.handler;
+  },
+});
+//# sourceMappingURL=index.js.map

package/lib/authorizer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/authorizer/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,2CAAuC;AAA9B,qGAAA,OAAO,OAAA"}

package/lib/client/auth-client.d.ts

@@ -0,0 +1,131 @@
+/**
+ * Cognito authentication client for frontend applications.
+ *
+ * Provides methods for sign-in, sign-up, sign-out, and token refresh
+ * using AWS Cognito User Pools.
+ *
+ * @packageDocumentation
+ */
+import type { AuthClientConfig, AuthTokens, SignUpResult } from '../types.js';
+/**
+ * Clears the client cache. Useful for testing.
+ */
+export declare function clearClientCache(): void;
+/**
+ * Cognito authentication client for frontend applications.
+ *
+ * Provides methods for user authentication including sign-in, sign-up,
+ * email confirmation, token refresh, and sign-out.
+ *
+ * @example
+ * ```typescript
+ * const authClient = new FndAuthClient({
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ *   region: process.env.AWS_REGION,
+ * });
+ *
+ * // Sign in
+ * const tokens = await authClient.signIn('user@example.com', 'password');
+ *
+ * // Use access token for API calls
+ * const response = await fetch('/api/data', {
+ *   headers: { Authorization: `Bearer ${tokens.accessToken}` },
+ * });
+ * ```
+ */
+export declare class FndAuthClient {
+  private readonly client;
+  private readonly clientId;
+  /**
+   * Creates a new FndAuthClient.
+   *
+   * @param config - Configuration for the auth client
+   */
+  constructor(config: AuthClientConfig);
+  /**
+   * Signs in a user with email and password.
+   *
+   * @param email - User's email address
+   * @param password - User's password
+   * @returns Authentication tokens
+   * @throws {AuthError} If authentication fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const tokens = await authClient.signIn('user@example.com', 'password');
+   *   console.log('Logged in!', tokens.accessToken);
+   * } catch (error) {
+   *   if (error instanceof AuthError && error.code === 'USER_NOT_CONFIRMED') {
+   *     // Redirect to confirmation page
+   *   }
+   * }
+   * ```
+   */
+  signIn(email: string, password: string): Promise<AuthTokens>;
+  /**
+   * Signs up a new user.
+   *
+   * @param email - User's email address
+   * @param password - User's password
+   * @param name - Optional user's name
+   * @returns Sign-up result with confirmation status
+   * @throws {AuthError} If sign-up fails
+   *
+   * @example
+   * ```typescript
+   * const result = await authClient.signUp('user@example.com', 'password', 'John Doe');
+   * if (!result.userConfirmed) {
+   *   // Show confirmation code input
+   *   console.log(`Code sent to ${result.codeDeliveryDetails?.destination}`);
+   * }
+   * ```
+   */
+  signUp(email: string, password: string, name?: string): Promise<SignUpResult>;
+  /**
+   * Confirms a user's sign-up with the verification code.
+   *
+   * @param email - User's email address
+   * @param code - Verification code from email/SMS
+   * @throws {AuthError} If confirmation fails
+   *
+   * @example
+   * ```typescript
+   * await authClient.confirmSignUp('user@example.com', '123456');
+   * // User is now confirmed, can sign in
+   * ```
+   */
+  confirmSignUp(email: string, code: string): Promise<void>;
+  /**
+   * Refreshes authentication tokens using a refresh token.
+   *
+   * @param refreshToken - The refresh token from a previous authentication
+   * @returns New authentication tokens
+   * @throws {AuthError} If refresh fails
+   *
+   * @example
+   * ```typescript
+   * // When access token is about to expire
+   * const newTokens = await authClient.refreshTokens(tokens.refreshToken);
+   * ```
+   */
+  refreshTokens(refreshToken: string): Promise<AuthTokens>;
+  /**
+   * Signs out the user from all devices.
+   *
+   * This invalidates all refresh tokens for the user, effectively
+   * signing them out from all devices.
+   *
+   * @param accessToken - The user's current access token
+   * @throws {AuthError} If sign-out fails
+   *
+   * @example
+   * ```typescript
+   * await authClient.signOut(tokens.accessToken);
+   * // User is now signed out from all devices
+   * ```
+   */
+  signOut(accessToken: string): Promise<void>;
+}
+//# sourceMappingURL=auth-client.d.ts.map

package/lib/client/auth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../src/client/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAUH,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA8B9E;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgC;IACvD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAElC;;;;OAIG;gBACS,MAAM,EAAE,gBAAgB;IAKpC;;;;;;;;;;;;;;;;;;;OAmBG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAkClE;;;;;;;;;;;;;;;;;OAiBG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IA+BnF;;;;;;;;;;;;OAYG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAc/D;;;;;;;;;;;;OAYG;IACG,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAkC9D;;;;;;;;;;;;;;OAcG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWlD"}