@happyvertical/auth 0.74.8

package/dist/shared/errors.d.ts

@@ -0,0 +1,227 @@
+/**
+ * @happyvertical/auth - Error Classes
+ *
+ * Standardized authentication error types for consistent error handling
+ * across all providers (Keycloak, Cognito, Nostr).
+ */
+/**
+ * Authentication error codes.
+ */
+export declare enum AuthErrorCode {
+    INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
+    INVALID_TOKEN = "INVALID_TOKEN",
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
+    INVALID_REFRESH_TOKEN = "INVALID_REFRESH_TOKEN",
+    SESSION_EXPIRED = "SESSION_EXPIRED",
+    MFA_REQUIRED = "MFA_REQUIRED",
+    INVALID_MFA_CODE = "INVALID_MFA_CODE",
+    ACCESS_DENIED = "ACCESS_DENIED",
+    INSUFFICIENT_SCOPE = "INSUFFICIENT_SCOPE",
+    INVALID_ROLE = "INVALID_ROLE",
+    USER_NOT_FOUND = "USER_NOT_FOUND",
+    USER_ALREADY_EXISTS = "USER_ALREADY_EXISTS",
+    USER_DISABLED = "USER_DISABLED",
+    PROVIDER_ERROR = "PROVIDER_ERROR",
+    CONFIGURATION_ERROR = "CONFIGURATION_ERROR",
+    NETWORK_ERROR = "NETWORK_ERROR",
+    INVALID_STATE = "INVALID_STATE",
+    INVALID_NONCE = "INVALID_NONCE",
+    INVALID_GRANT = "INVALID_GRANT",
+    INVALID_CLIENT = "INVALID_CLIENT",
+    INVALID_REDIRECT_URI = "INVALID_REDIRECT_URI",
+    INVALID_SIGNATURE = "INVALID_SIGNATURE",
+    RELAY_ERROR = "RELAY_ERROR",
+    CHALLENGE_EXPIRED = "CHALLENGE_EXPIRED",
+    EXTENSION_NOT_FOUND = "EXTENSION_NOT_FOUND",
+    INVALID_KEY = "INVALID_KEY",
+    NOT_IMPLEMENTED = "NOT_IMPLEMENTED",
+    UNKNOWN_ERROR = "UNKNOWN_ERROR"
+}
+/**
+ * Base authentication error class.
+ */
+export declare class AuthError extends Error {
+    readonly code: AuthErrorCode;
+    readonly provider?: string;
+    readonly context?: Record<string, unknown>;
+    constructor(message: string, code: AuthErrorCode, provider?: string, context?: Record<string, unknown>);
+    /**
+     * Convert error to JSON for logging/serialization.
+     */
+    toJSON(): Record<string, unknown>;
+}
+/**
+ * Invalid credentials error.
+ */
+export declare class InvalidCredentialsError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid token error.
+ */
+export declare class InvalidTokenError extends AuthError {
+    constructor(message?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Token expired error.
+ */
+export declare class TokenExpiredError extends AuthError {
+    readonly expiredAt?: Date;
+    constructor(provider?: string, expiredAt?: Date, context?: Record<string, unknown>);
+}
+/**
+ * Invalid refresh token error.
+ */
+export declare class InvalidRefreshTokenError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Session expired error.
+ */
+export declare class SessionExpiredError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * MFA required error.
+ */
+export declare class MfaRequiredError extends AuthError {
+    readonly mfaMethods?: string[];
+    constructor(provider?: string, mfaMethods?: string[], context?: Record<string, unknown>);
+}
+/**
+ * Invalid MFA code error.
+ */
+export declare class InvalidMfaCodeError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Access denied error.
+ */
+export declare class AccessDeniedError extends AuthError {
+    constructor(message?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Insufficient scope error.
+ */
+export declare class InsufficientScopeError extends AuthError {
+    readonly requiredScopes?: string[];
+    readonly grantedScopes?: string[];
+    constructor(requiredScopes?: string[], grantedScopes?: string[], provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * User not found error.
+ */
+export declare class UserNotFoundError extends AuthError {
+    readonly userId?: string;
+    constructor(userId?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * User already exists error.
+ */
+export declare class UserAlreadyExistsError extends AuthError {
+    constructor(identifier?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * User disabled error.
+ */
+export declare class UserDisabledError extends AuthError {
+    constructor(userId?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Provider error.
+ */
+export declare class ProviderError extends AuthError {
+    readonly originalError?: Error;
+    constructor(message: string, provider?: string, originalError?: Error, context?: Record<string, unknown>);
+}
+/**
+ * Configuration error.
+ */
+export declare class ConfigurationError extends AuthError {
+    constructor(message: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Network error.
+ */
+export declare class NetworkError extends AuthError {
+    readonly originalError?: Error;
+    constructor(message?: string, provider?: string, originalError?: Error, context?: Record<string, unknown>);
+}
+/**
+ * Invalid state error.
+ */
+export declare class InvalidStateError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid nonce error.
+ */
+export declare class InvalidNonceError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid grant error.
+ */
+export declare class InvalidGrantError extends AuthError {
+    constructor(message?: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid client error.
+ */
+export declare class InvalidClientError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid redirect URI error.
+ */
+export declare class InvalidRedirectUriError extends AuthError {
+    constructor(provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Invalid signature error.
+ */
+export declare class InvalidSignatureError extends AuthError {
+    constructor(message?: string, context?: Record<string, unknown>);
+}
+/**
+ * Relay error.
+ */
+export declare class RelayError extends AuthError {
+    readonly relayUrl?: string;
+    readonly originalError?: Error;
+    constructor(message: string, relayUrl?: string, originalError?: Error, context?: Record<string, unknown>);
+}
+/**
+ * Challenge expired error.
+ */
+export declare class ChallengeExpiredError extends AuthError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * NIP-07 extension not found error.
+ */
+export declare class ExtensionNotFoundError extends AuthError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * Invalid key error.
+ */
+export declare class InvalidKeyError extends AuthError {
+    constructor(message?: string, context?: Record<string, unknown>);
+}
+/**
+ * Not implemented error.
+ */
+export declare class NotImplementedError extends AuthError {
+    readonly operation: string;
+    constructor(operation: string, provider?: string, context?: Record<string, unknown>);
+}
+/**
+ * Check if an error is an AuthError.
+ */
+export declare function isAuthError(error: unknown): error is AuthError;
+/**
+ * Check if an error has a specific error code.
+ */
+export declare function hasErrorCode(error: unknown, code: AuthErrorCode): boolean;
+//# sourceMappingURL=errors.d.ts.map

package/dist/shared/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/shared/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,oBAAY,aAAa;IAEvB,mBAAmB,wBAAwB;IAC3C,aAAa,kBAAkB;IAC/B,aAAa,kBAAkB;IAC/B,qBAAqB,0BAA0B;IAC/C,eAAe,oBAAoB;IACnC,YAAY,iBAAiB;IAC7B,gBAAgB,qBAAqB;IAGrC,aAAa,kBAAkB;IAC/B,kBAAkB,uBAAuB;IACzC,YAAY,iBAAiB;IAG7B,cAAc,mBAAmB;IACjC,mBAAmB,wBAAwB;IAC3C,aAAa,kBAAkB;IAG/B,cAAc,mBAAmB;IACjC,mBAAmB,wBAAwB;IAC3C,aAAa,kBAAkB;IAG/B,aAAa,kBAAkB;IAC/B,aAAa,kBAAkB;IAC/B,aAAa,kBAAkB;IAC/B,cAAc,mBAAmB;IACjC,oBAAoB,yBAAyB;IAG7C,iBAAiB,sBAAsB;IACvC,WAAW,gBAAgB;IAC3B,iBAAiB,sBAAsB;IACvC,mBAAmB,wBAAwB;IAC3C,WAAW,gBAAgB;IAG3B,eAAe,oBAAoB;IACnC,aAAa,kBAAkB;CAChC;AAED;;GAEG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAgB,IAAI,EAAE,aAAa,CAAC;IACpC,SAAgB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClC,SAAgB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAGhD,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,aAAa,EACnB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAcnC;;OAEG;IACH,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUlC;AAMD;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;gBACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAE5C,OAAO,CAAC,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;IAC9C,SAAgB,SAAS,CAAC,EAAE,IAAI,CAAC;gBAG/B,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,IAAI,EAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAMpC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;gBACzC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;IAC7C,SAAgB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;gBAGpC,QAAQ,CAAC,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,EAAE,EACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAWpC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAMD;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAE5C,OAAO,CAAC,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,SAAS;IACnD,SAAgB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1C,SAAgB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;gBAGvC,cAAc,CAAC,EAAE,MAAM,EAAE,EACzB,aAAa,CAAC,EAAE,MAAM,EAAE,EACxB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAYpC;AAMD;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;IAC9C,SAAgB,MAAM,CAAC,EAAE,MAAM,CAAC;gBAG9B,MAAM,CAAC,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAWpC;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,SAAS;gBAEjD,UAAU,CAAC,EAAE,MAAM,EACnB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAE5C,MAAM,CAAC,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAMD;;GAEG;AACH,qBAAa,aAAc,SAAQ,SAAS;IAC1C,SAAgB,aAAa,CAAC,EAAE,KAAK,CAAC;gBAGpC,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,KAAK,EACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAMpC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;gBAE7C,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAKpC;AAED;;GAEG;AACH,qBAAa,YAAa,SAAQ,SAAS;IACzC,SAAgB,aAAa,CAAC,EAAE,KAAK,CAAC;gBAGpC,OAAO,CAAC,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,KAAK,EACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAWpC;AAMD;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAClC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAClC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;gBAE5C,OAAO,CAAC,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;gBACnC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;gBACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASjE;AAMD;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;gBACtC,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAShE;AAED;;GAEG;AACH,qBAAa,UAAW,SAAQ,SAAS;IACvC,SAAgB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClC,SAAgB,aAAa,CAAC,EAAE,KAAK,CAAC;gBAGpC,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,KAAK,EACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAUpC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;gBACtC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAS9C;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,SAAS;gBACvC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAS9C;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;gBAChC,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAShE;AAMD;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;IAChD,SAAgB,SAAS,EAAE,MAAM,CAAC;gBAGhC,SAAS,EAAE,MAAM,EACjB,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAWpC;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAEzE"}

package/dist/shared/factory.d.ts

@@ -0,0 +1,85 @@
+import { AuthInterface, GetAuthOptions } from './types';
+/**
+ * Creates an authentication provider instance based on the provided options.
+ *
+ * Supports environment variable configuration using the pattern:
+ * - HAVE_AUTH_TYPE → provider type ('keycloak' | 'cognito' | 'nostr')
+ * - HAVE_AUTH_SERVER_URL → serverUrl (Keycloak)
+ * - HAVE_AUTH_REALM → realm (Keycloak)
+ * - HAVE_AUTH_CLIENT_ID → clientId
+ * - HAVE_AUTH_CLIENT_SECRET → clientSecret
+ * - HAVE_AUTH_REDIRECT_URI → redirectUri
+ * - HAVE_AUTH_REGION → region (Cognito)
+ * - HAVE_AUTH_USER_POOL_ID → userPoolId (Cognito)
+ * - HAVE_AUTH_DOMAIN → domain (Cognito)
+ * - HAVE_AUTH_RELAYS → relays (Nostr, comma-separated)
+ * - HAVE_AUTH_TIMEOUT → timeout (number)
+ * - HAVE_AUTH_MAX_RETRIES → maxRetries (number)
+ *
+ * User-provided options always take precedence over environment variables.
+ *
+ * @param options - Configuration options for the auth provider
+ * @returns Promise resolving to an AuthInterface implementation
+ * @throws {ValidationError} When the provider type is unsupported or invalid
+ *
+ * @example
+ * ```typescript
+ * // Create Keycloak client
+ * const auth = await getAuth({
+ *   type: 'keycloak',
+ *   serverUrl: 'https://auth.example.com',
+ *   realm: 'my-realm',
+ *   clientId: 'my-app'
+ * });
+ *
+ * // Create Cognito client
+ * const auth = await getAuth({
+ *   type: 'cognito',
+ *   region: 'us-east-1',
+ *   userPoolId: 'us-east-1_xxx',
+ *   clientId: 'xxx'
+ * });
+ *
+ * // Create Nostr client
+ * const auth = await getAuth({
+ *   type: 'nostr',
+ *   relays: ['wss://relay.damus.io', 'wss://nos.lol']
+ * });
+ *
+ * // Use environment variables
+ * // Set: HAVE_AUTH_TYPE=keycloak, HAVE_AUTH_SERVER_URL=..., etc.
+ * const auth = await getAuth({} as GetAuthOptions);
+ * ```
+ */
+export declare function getAuth(options: GetAuthOptions): Promise<AuthInterface>;
+/**
+ * Auto-detect provider based on available configuration.
+ *
+ * @param options - Configuration options that may contain provider-specific settings
+ * @returns Promise resolving to an AuthInterface based on detected configuration
+ * @throws {ValidationError} When no provider can be detected
+ *
+ * @example
+ * ```typescript
+ * // Auto-detect Keycloak from serverUrl and realm
+ * const auth = await getAuthAuto({
+ *   serverUrl: 'https://auth.example.com',
+ *   realm: 'my-realm',
+ *   clientId: 'my-app'
+ * });
+ *
+ * // Auto-detect Cognito from region and userPoolId
+ * const auth = await getAuthAuto({
+ *   region: 'us-east-1',
+ *   userPoolId: 'us-east-1_xxx',
+ *   clientId: 'xxx'
+ * });
+ *
+ * // Auto-detect Nostr from relays
+ * const auth = await getAuthAuto({
+ *   relays: ['wss://relay.damus.io']
+ * });
+ * ```
+ */
+export declare function getAuthAuto(options: Record<string, unknown>): Promise<AuthInterface>;
+//# sourceMappingURL=factory.d.ts.map

package/dist/shared/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/shared/factory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,aAAa,EAEb,cAAc,EAMf,MAAM,SAAS,CAAC;AAsDjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AACH,wBAAsB,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAqF7E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,aAAa,CAAC,CA4BxB"}

package/dist/shared/providers/cognito.d.ts

@@ -0,0 +1,38 @@
+import { AuthCapabilities, AuthCredentials, AuthInterface, AuthorizationOptions, AuthorizationResult, AuthResult, CodeExchangeParams, CognitoOptions, CreateUserRequest, LogoutOptions, OIDCDiscoveryDocument, Session, TokenClaims, TokenIntrospection, TokenPayload, TokenValidationOptions, UserListResult, UserProfile, UserQuery } from '../types.js';
+/**
+ * AWS Cognito authentication provider.
+ *
+ * Implements OAuth2 authentication with AWS Cognito User Pools.
+ */
+export declare class CognitoProvider implements AuthInterface {
+    private options;
+    constructor(options: CognitoOptions);
+    getAuthorizationUrl(_options?: AuthorizationOptions): Promise<AuthorizationResult>;
+    exchangeCode(_params: CodeExchangeParams): Promise<AuthResult>;
+    authenticate(_credentials: AuthCredentials): Promise<AuthResult>;
+    refresh(_refreshToken: string): Promise<AuthResult>;
+    logout(_options?: LogoutOptions): Promise<void>;
+    validateToken(_token: string, _options?: TokenValidationOptions): Promise<TokenClaims | null>;
+    decodeToken(_token: string): TokenPayload;
+    introspectToken(_token: string): Promise<TokenIntrospection>;
+    getProfile(_tokenOrSession: string): Promise<UserProfile>;
+    updateProfile(_tokenOrSession: string, _profile: Partial<UserProfile>): Promise<UserProfile>;
+    getUser(_userId: string, _adminToken?: string): Promise<UserProfile>;
+    createUser(_user: CreateUserRequest, _adminToken: string): Promise<UserProfile>;
+    updateUser(_userId: string, _updates: Partial<CreateUserRequest>, _adminToken: string): Promise<UserProfile>;
+    deleteUser(_userId: string, _adminToken: string): Promise<void>;
+    listUsers(_query: UserQuery, _adminToken?: string): Promise<UserListResult>;
+    requestPasswordReset(_email: string): Promise<void>;
+    resetPassword(_token: string, _newPassword: string): Promise<void>;
+    listSessions(_userId: string, _adminToken?: string): Promise<Session[]>;
+    revokeSession(_sessionId: string, _adminToken?: string): Promise<void>;
+    revokeAllSessions(_userId: string, _adminToken?: string): Promise<void>;
+    hasRole(_tokenOrUserId: string, _role: string): Promise<boolean>;
+    hasPermission(_tokenOrUserId: string, _permission: string, _resource?: string): Promise<boolean>;
+    getRoles(_tokenOrUserId: string, _adminToken?: string): Promise<string[]>;
+    assignRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    removeRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    getCapabilities(): Promise<AuthCapabilities>;
+    getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null>;
+}
+//# sourceMappingURL=cognito.d.ts.map

package/dist/shared/providers/cognito.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/cognito.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,qBAAqB,EACrB,OAAO,EACP,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,SAAS,EACV,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,qBAAa,eAAgB,YAAW,aAAa;IAEnD,OAAO,CAAC,OAAO,CAAiB;gBAEpB,OAAO,EAAE,cAAc;IAW7B,mBAAmB,CACvB,QAAQ,CAAC,EAAE,oBAAoB,GAC9B,OAAO,CAAC,mBAAmB,CAAC;IAIzB,YAAY,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IAI9D,YAAY,CAAC,YAAY,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAIhE,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAInD,MAAM,CAAC,QAAQ,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ/C,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,sBAAsB,GAChC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAI9B,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY;IAInC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQ5D,UAAU,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIzD,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,GAC7B,OAAO,CAAC,WAAW,CAAC;IAIjB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIpE,UAAU,CACd,KAAK,EAAE,iBAAiB,EACxB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAIjB,UAAU,CACd,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,OAAO,CAAC,iBAAiB,CAAC,EACpC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAIjB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/D,SAAS,CACb,MAAM,EAAE,SAAS,EACjB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,cAAc,CAAC;IAIpB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlE,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,EAAE,CAAC;IAIf,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItE,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAQV,OAAO,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhE,aAAa,CACjB,cAAc,EAAE,MAAM,EACtB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC;IAIb,QAAQ,CACZ,cAAc,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC;IAId,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAIV,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAQV,eAAe,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAkB5C,oBAAoB,IAAI,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;CAGpE"}

package/dist/shared/providers/github.d.ts

@@ -0,0 +1,65 @@
+import { AuthCapabilities, AuthCredentials, AuthInterface, AuthorizationOptions, AuthorizationResult, AuthResult, CodeExchangeParams, CreateUserRequest, GitHubOptions, LogoutOptions, OIDCDiscoveryDocument, Session, TokenClaims, TokenIntrospection, TokenPayload, TokenValidationOptions, UserListResult, UserProfile, UserQuery } from '../types.js';
+/**
+ * GitHub authentication provider.
+ *
+ * Implements OAuth2 authentication with GitHub.
+ * Key differences from OIDC providers:
+ * - No ID token - user info fetched via API
+ * - No JWKS - tokens are opaque
+ * - No token introspection endpoint
+ */
+export declare class GitHubProvider implements AuthInterface {
+    private options;
+    private static readonly AUTHORIZATION_URL;
+    private static readonly TOKEN_URL;
+    private static readonly API_URL;
+    constructor(options: GitHubOptions);
+    /**
+     * Make an HTTP request to GitHub API with error handling.
+     */
+    private request;
+    /**
+     * Handle HTTP error responses.
+     */
+    private handleHttpError;
+    /**
+     * Fetch user info from GitHub API.
+     */
+    private fetchUser;
+    /**
+     * Fetch user emails from GitHub API.
+     */
+    private fetchEmails;
+    /**
+     * Get the primary verified email for a user.
+     */
+    private getPrimaryEmail;
+    getAuthorizationUrl(options?: AuthorizationOptions): Promise<AuthorizationResult>;
+    exchangeCode(params: CodeExchangeParams): Promise<AuthResult>;
+    authenticate(_credentials: AuthCredentials): Promise<AuthResult>;
+    refresh(_refreshToken: string): Promise<AuthResult>;
+    logout(options?: LogoutOptions): Promise<void>;
+    validateToken(token: string, _options?: TokenValidationOptions): Promise<TokenClaims | null>;
+    decodeToken(_token: string): TokenPayload;
+    introspectToken(token: string): Promise<TokenIntrospection>;
+    getProfile(tokenOrSession: string): Promise<UserProfile>;
+    updateProfile(_tokenOrSession: string, _profile: Partial<UserProfile>): Promise<UserProfile>;
+    getUser(_userId: string, _adminToken?: string): Promise<UserProfile>;
+    createUser(_user: CreateUserRequest, _adminToken: string): Promise<UserProfile>;
+    updateUser(_userId: string, _updates: Partial<CreateUserRequest>, _adminToken: string): Promise<UserProfile>;
+    deleteUser(_userId: string, _adminToken: string): Promise<void>;
+    listUsers(_query: UserQuery, _adminToken?: string): Promise<UserListResult>;
+    requestPasswordReset(_email: string): Promise<void>;
+    resetPassword(_token: string, _newPassword: string): Promise<void>;
+    listSessions(_userId: string, _adminToken?: string): Promise<Session[]>;
+    revokeSession(_sessionId: string, _adminToken?: string): Promise<void>;
+    revokeAllSessions(_userId: string, _adminToken?: string): Promise<void>;
+    hasRole(_tokenOrUserId: string, _role: string): Promise<boolean>;
+    hasPermission(_tokenOrUserId: string, _permission: string, _resource?: string): Promise<boolean>;
+    getRoles(_tokenOrUserId: string, _adminToken?: string): Promise<string[]>;
+    assignRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    removeRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    getCapabilities(): Promise<AuthCapabilities>;
+    getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null>;
+}
+//# sourceMappingURL=github.d.ts.map

package/dist/shared/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAYH,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,aAAa,EACb,qBAAqB,EACrB,OAAO,EACP,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,SAAS,EACV,MAAM,aAAa,CAAC;AA0CrB;;;;;;;;GAQG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,OAAO,CAAC,OAAO,CAA4D;IAE3E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CACI;IAC7C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CACe;IAChD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAA4B;gBAE/C,OAAO,EAAE,aAAa;IAoBlC;;OAEG;YACW,OAAO;IA0DrB;;OAEG;IACH,OAAO,CAAC,eAAe;IA6BvB;;OAEG;YACW,SAAS;IAQvB;;OAEG;YACW,WAAW;IAQzB;;OAEG;YACW,eAAe;IAevB,mBAAmB,CACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC;IA2CzB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IA2D7D,YAAY,CAAC,YAAY,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAOhE,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAOnD,MAAM,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IA4B9C,aAAa,CACjB,KAAK,EAAE,MAAM,EACb,QAAQ,CAAC,EAAE,sBAAsB,GAChC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IA8B9B,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY;IAQnC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAY3D,UAAU,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAsBxD,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,GAC7B,OAAO,CAAC,WAAW,CAAC;IAMjB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAMpE,UAAU,CACd,KAAK,EAAE,iBAAiB,EACxB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAMjB,UAAU,CACd,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,OAAO,CAAC,iBAAiB,CAAC,EACpC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAMjB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM/D,SAAS,CACb,MAAM,EAAE,SAAS,EACjB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,cAAc,CAAC;IAMpB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMnD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlE,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,EAAE,CAAC;IAMf,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMtE,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAUV,OAAO,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhE,aAAa,CACjB,cAAc,EAAE,MAAM,EACtB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC;IAIb,QAAQ,CACZ,cAAc,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC;IAId,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAMV,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAUV,eAAe,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAkB5C,oBAAoB,IAAI,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;CAIpE"}

package/dist/shared/providers/google.d.ts

@@ -0,0 +1,58 @@
+import { AuthCapabilities, AuthCredentials, AuthInterface, AuthorizationOptions, AuthorizationResult, AuthResult, CodeExchangeParams, CreateUserRequest, GoogleOptions, LogoutOptions, OIDCDiscoveryDocument, Session, TokenClaims, TokenIntrospection, TokenPayload, TokenValidationOptions, UserListResult, UserProfile, UserQuery } from '../types.js';
+/**
+ * Google authentication provider.
+ *
+ * Implements OAuth2/OIDC authentication with Google.
+ * Uses standard OIDC discovery and PKCE for security.
+ */
+export declare class GoogleProvider implements AuthInterface {
+    private options;
+    private discoveryDocument;
+    private jwks;
+    private static readonly DISCOVERY_URL;
+    constructor(options: GoogleOptions);
+    /**
+     * Make an HTTP request with error handling.
+     */
+    private request;
+    /**
+     * Handle HTTP error responses.
+     */
+    private handleHttpError;
+    /**
+     * Fetch and cache the OIDC discovery document.
+     */
+    private fetchDiscoveryDocument;
+    /**
+     * Get JWKS for token validation.
+     */
+    private getJWKS;
+    getAuthorizationUrl(options?: AuthorizationOptions): Promise<AuthorizationResult>;
+    exchangeCode(params: CodeExchangeParams): Promise<AuthResult>;
+    authenticate(_credentials: AuthCredentials): Promise<AuthResult>;
+    refresh(refreshToken: string): Promise<AuthResult>;
+    logout(options?: LogoutOptions): Promise<void>;
+    validateToken(token: string, options?: TokenValidationOptions): Promise<TokenClaims | null>;
+    decodeToken(token: string): TokenPayload;
+    introspectToken(token: string): Promise<TokenIntrospection>;
+    getProfile(tokenOrSession: string): Promise<UserProfile>;
+    updateProfile(_tokenOrSession: string, _profile: Partial<UserProfile>): Promise<UserProfile>;
+    getUser(_userId: string, _adminToken?: string): Promise<UserProfile>;
+    createUser(_user: CreateUserRequest, _adminToken: string): Promise<UserProfile>;
+    updateUser(_userId: string, _updates: Partial<CreateUserRequest>, _adminToken: string): Promise<UserProfile>;
+    deleteUser(_userId: string, _adminToken: string): Promise<void>;
+    listUsers(_query: UserQuery, _adminToken?: string): Promise<UserListResult>;
+    requestPasswordReset(_email: string): Promise<void>;
+    resetPassword(_token: string, _newPassword: string): Promise<void>;
+    listSessions(_userId: string, _adminToken?: string): Promise<Session[]>;
+    revokeSession(_sessionId: string, _adminToken?: string): Promise<void>;
+    revokeAllSessions(_userId: string, _adminToken?: string): Promise<void>;
+    hasRole(_tokenOrUserId: string, _role: string): Promise<boolean>;
+    hasPermission(_tokenOrUserId: string, _permission: string, _resource?: string): Promise<boolean>;
+    getRoles(_tokenOrUserId: string, _adminToken?: string): Promise<string[]>;
+    assignRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    removeRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    getCapabilities(): Promise<AuthCapabilities>;
+    getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null>;
+}
+//# sourceMappingURL=google.d.ts.map

package/dist/shared/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAgBH,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,aAAa,EACb,qBAAqB,EACrB,OAAO,EACP,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,SAAS,EACV,MAAM,aAAa,CAAC;AA+BrB;;;;;GAKG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,OAAO,CAAC,OAAO,CAA4D;IAC3E,OAAO,CAAC,iBAAiB,CAAsC;IAC/D,OAAO,CAAC,IAAI,CAAqC;IAEjD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAC4B;gBAErD,OAAO,EAAE,aAAa;IAqBlC;;OAEG;YACW,OAAO;IAyDrB;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;OAEG;YACW,sBAAsB;IAWpC;;OAEG;YACW,OAAO;IAcf,mBAAmB,CACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC;IAyDzB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IAoD7D,YAAY,CAAC,YAAY,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAOhE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAyClD,MAAM,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B9C,aAAa,CACjB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IA+D9B,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAwBlC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAc3D,UAAU,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IA2BxD,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,GAC7B,OAAO,CAAC,WAAW,CAAC;IAMjB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAMpE,UAAU,CACd,KAAK,EAAE,iBAAiB,EACxB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAMjB,UAAU,CACd,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,OAAO,CAAC,iBAAiB,CAAC,EACpC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAMjB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM/D,SAAS,CACb,MAAM,EAAE,SAAS,EACjB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,cAAc,CAAC;IAMpB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMnD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlE,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,EAAE,CAAC;IAMf,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMtE,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAUV,OAAO,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKhE,aAAa,CACjB,cAAc,EAAE,MAAM,EACtB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC;IAIb,QAAQ,CACZ,cAAc,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC;IAId,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAMV,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAUV,eAAe,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAkB5C,oBAAoB,IAAI,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;CAGpE"}

package/dist/shared/providers/kanidm.d.ts

@@ -0,0 +1,78 @@
+import { AuthCapabilities, AuthCredentials, AuthInterface, AuthorizationOptions, AuthorizationResult, AuthResult, CodeExchangeParams, CreateUserRequest, KanidmOptions, LogoutOptions, OIDCDiscoveryDocument, Session, TokenClaims, TokenIntrospection, TokenPayload, TokenValidationOptions, UserListResult, UserProfile, UserQuery } from '../types.js';
+/**
+ * Kanidm authentication provider.
+ *
+ * Implements OAuth2/OIDC authentication with Kanidm server.
+ * Key differences from Keycloak:
+ * - Client-specific OIDC endpoints: /oauth2/openid/{clientId}/...
+ * - ES256 token signing (not RS256)
+ * - Authorization code flow only (no password grant)
+ * - Native /v1/ API for admin operations (multi-step auth)
+ */
+export declare class KanidmProvider implements AuthInterface {
+    private options;
+    private discoveryDocument;
+    private jwks;
+    private adminToken;
+    private adminTokenExpiry;
+    constructor(options: KanidmOptions);
+    /**
+     * Get the OIDC base URL for this client.
+     * Kanidm uses client-specific OIDC endpoints.
+     */
+    private getOidcBaseUrl;
+    /**
+     * Get the native API base URL.
+     */
+    private getApiBaseUrl;
+    /**
+     * Make an HTTP request with error handling.
+     */
+    private request;
+    /**
+     * Handle HTTP error responses.
+     */
+    private handleHttpError;
+    /**
+     * Fetch and cache the OIDC discovery document.
+     */
+    private fetchDiscoveryDocument;
+    /**
+     * Get JWKS for token validation.
+     */
+    private getJWKS;
+    /**
+     * Authenticate with Kanidm's native API to get an admin token.
+     * Uses the multi-step authentication flow.
+     */
+    private getAdminToken;
+    getAuthorizationUrl(options?: AuthorizationOptions): Promise<AuthorizationResult>;
+    exchangeCode(params: CodeExchangeParams): Promise<AuthResult>;
+    authenticate(_credentials: AuthCredentials): Promise<AuthResult>;
+    refresh(refreshToken: string): Promise<AuthResult>;
+    logout(options?: LogoutOptions): Promise<void>;
+    validateToken(token: string, options?: TokenValidationOptions): Promise<TokenClaims | null>;
+    decodeToken(token: string): TokenPayload;
+    introspectToken(token: string): Promise<TokenIntrospection>;
+    getProfile(tokenOrSession: string): Promise<UserProfile>;
+    updateProfile(_tokenOrSession: string, _profile: Partial<UserProfile>): Promise<UserProfile>;
+    getUser(userId: string, _adminToken?: string): Promise<UserProfile>;
+    createUser(user: CreateUserRequest, _adminToken: string): Promise<UserProfile>;
+    updateUser(userId: string, updates: Partial<CreateUserRequest>, _adminToken: string): Promise<UserProfile>;
+    deleteUser(userId: string, _adminToken: string): Promise<void>;
+    listUsers(query: UserQuery, _adminToken?: string): Promise<UserListResult>;
+    requestPasswordReset(_email: string): Promise<void>;
+    resetPassword(_token: string, _newPassword: string): Promise<void>;
+    listSessions(_userId: string, _adminToken?: string): Promise<Session[]>;
+    revokeSession(_sessionId: string, _adminToken?: string): Promise<void>;
+    revokeAllSessions(_userId: string, _adminToken?: string): Promise<void>;
+    hasRole(tokenOrUserId: string, role: string): Promise<boolean>;
+    hasPermission(tokenOrUserId: string, permission: string, resource?: string): Promise<boolean>;
+    getRoles(tokenOrUserId: string, _adminToken?: string): Promise<string[]>;
+    assignRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    removeRole(_userId: string, _role: string, _adminToken: string): Promise<void>;
+    getCapabilities(): Promise<AuthCapabilities>;
+    getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null>;
+    private mapKanidmPerson;
+}
+//# sourceMappingURL=kanidm.d.ts.map

package/dist/shared/providers/kanidm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kanidm.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/kanidm.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,aAAa,EACb,qBAAqB,EACrB,OAAO,EACP,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,SAAS,EACV,MAAM,aAAa,CAAC;AA+BrB;;;;;;;;;GASG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,OAAO,CAAC,OAAO,CACC;IAChB,OAAO,CAAC,iBAAiB,CAAsC;IAC/D,OAAO,CAAC,IAAI,CAAqC;IACjD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,gBAAgB,CAAa;gBAEzB,OAAO,EAAE,aAAa;IAsBlC;;;OAGG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;YACW,OAAO;IA2DrB;;OAEG;IACH,OAAO,CAAC,eAAe;IAuCvB;;OAEG;YACW,sBAAsB;IAUpC;;OAEG;YACW,OAAO;IAUrB;;;OAGG;YACW,aAAa;IA6GrB,mBAAmB,CACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC;IAoDzB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IAuD7D,YAAY,CAAC,YAAY,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAShE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA4ClD,MAAM,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAwD9C,aAAa,CACjB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAyD9B,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAwBlC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA8D3D,UAAU,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCxD,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,GAC7B,OAAO,CAAC,WAAW,CAAC;IAQjB,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAYnE,UAAU,CACd,IAAI,EAAE,iBAAiB,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IAuCjB,UAAU,CACd,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,EACnC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC;IA+BjB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU9D,SAAS,CACb,KAAK,EAAE,SAAS,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,cAAc,CAAC;IAkDpB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMnD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlE,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,EAAE,CAAC;IAMf,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMtE,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAUV,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9D,aAAa,CACjB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC;IAOb,QAAQ,CACZ,aAAa,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC;IAsBd,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAOV,UAAU,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAWV,eAAe,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAkB5C,oBAAoB,IAAI,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;IAQnE,OAAO,CAAC,eAAe;CAYxB"}