@holeauth/core 0.0.1-alpha.0 → 0.0.2-alpha.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Robert Kratz
+Copyright (c) 2026 Robert Julian Kratz <contact@holeauth.dev> (https://holeauth.dev)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/dist/cookies/index.d.ts

@@ -1,3 +1,3 @@
-export { B as BuildCookieInput, C as CSRF_HEADER, a as CookieName, b as CookieSpec, c as buildCookie, d as cookieName, e as deleteCookie, g as generateCsrfToken, f as isProduction, s as serializeCookie, v as verifyCsrf } from '../index-BIXESLma.js';
-import '../index-BmYQquGs.js';
+export { B as BuildCookieInput, C as CSRF_HEADER, a as CookieName, b as CookieSpec, c as buildCookie, d as cookieName, e as deleteCookie, g as generateCsrfToken, f as isProduction, s as serializeCookie, v as verifyCsrf } from '../index-BELADTaD.js';
+import '../index-Bt3CyLaq.js';
 import '../index-CNtnPdzk.js';

package/dist/events/index.d.ts

@@ -1,3 +1,3 @@
-export { u as HoleauthEvent, v as HoleauthEventType } from '../index-BmYQquGs.js';
-export { e as emit, s as subscribe, u as unsubscribe } from '../index-DRN-5E_H.js';
+export { v as CoreHoleauthEventType, u as HoleauthEvent, w as HoleauthEventType } from '../index-Bt3CyLaq.js';
+export { e as emit, s as subscribe, u as unsubscribe } from '../index-CngIcZZk.js';
 import '../index-CNtnPdzk.js';

package/dist/flows/index.d.ts

@@ -1,4 +1,4 @@
-export { c as changePassword, a as consumeInvite, b as consumePasswordReset, d as createInvite, e as deleteUser, g as getInviteInfo, f as issuePendingToken, l as listInvites, r as refresh, h as register, j as requestPasswordReset, k as revokeInvite, s as signIn, m as signOut, u as updateUser, v as verifyPendingToken } from '../index-BbEXbI_k.js';
-import '../index-BmYQquGs.js';
+export { c as changePassword, a as consumeInvite, b as consumePasswordReset, d as createInvite, e as deleteUser, g as getInviteInfo, f as issuePendingToken, l as listInvites, r as refresh, h as register, j as requestPasswordReset, k as revokeInvite, s as signIn, m as signOut, u as updateUser, v as verifyPendingToken } from '../index-C3lSoShz.js';
+import '../index-Bt3CyLaq.js';
 import '../index-CNtnPdzk.js';
-import '../registry-CZhM1tEB.js';
+import '../registry-B-I45f0J.js';

package/dist/{index-BIXESLma.d.ts → index-BELADTaD.d.ts}

@@ -1,4 +1,4 @@
-import { a as HoleauthConfig } from './index-BmYQquGs.js';
+import { a as HoleauthConfig } from './index-Bt3CyLaq.js';
 
 interface CookieSpec {
     name: string;

package/dist/{index-BmYQquGs.d.ts → index-Bt3CyLaq.d.ts}

@@ -1,18 +1,21 @@
 import { a as AdapterAuditEvent, A as AdapterUser, U as UserAdapter, S as SessionAdapter, b as AuditLogAdapter, c as AccountAdapter, V as VerificationTokenAdapter, T as TransactionAdapter } from './index-CNtnPdzk.js';
 
 /**
- * Event type is intentionally an open string. Core emits well-known
- * `user.*`, `session.*`, `account.*`, `sso.*` events; plugins emit under
- * their own `<pluginId>.<name>` namespace (e.g. `twofa.verified`).
+ * Well-known event types emitted by @holeauth/core.
  *
- * Well-known core event names (non-exhaustive):
- *   - user.registered, user.signed_in, user.signed_out
- *   - session.created, session.rotated, session.revoked, session.reuse_detected
- *   - account.linked, account.unlinked
- *   - sso.authorize, sso.callback_ok, sso.callback_failed
- *   - plugin.error
+ * IDEs will autocomplete these names when calling `subscribe()` or
+ * `auth.on()`. The type is intentionally open-ended: plugins emit
+ * additional events under their own `<pluginId>.<name>` namespace
+ * (e.g. `twofa.verified`, `rbac.group_assigned`). Those names are
+ * accepted via the `(string & {})` escape hatch.
  */
-type HoleauthEventType = string;
+type CoreHoleauthEventType = 'user.registered' | 'user.signed_in' | 'user.signed_out' | 'user.updated' | 'user.deleted' | 'session.created' | 'session.rotated' | 'session.revoked' | 'session.reuse_detected' | 'password.changed' | 'password.reset_requested' | 'password.reset_consumed' | 'account.linked' | 'account.unlinked' | 'sso.authorize' | 'sso.callback_ok' | 'sso.callback_failed' | 'invite.created' | 'user.invite_consumed' | 'invite.revoked' | 'plugin.error';
+/**
+ * The discriminant of all holeauth events. Extends `CoreHoleauthEventType`
+ * with an open-string escape hatch so plugin-namespaced events still type-
+ * check, while preserving IDE autocomplete for the well-known names.
+ */
+type HoleauthEventType = CoreHoleauthEventType | (string & {});
 interface HoleauthEvent extends AdapterAuditEvent {
     type: HoleauthEventType;
 }
@@ -558,6 +561,22 @@ interface HoleauthInstance {
             tokens: IssuedTokens;
         }>;
     };
+    /**
+     * Subscribe to an event emitted by this auth instance.
+     * Shorthand for `import { events } from '@holeauth/core'; events.subscribe(auth.config, type, handler)`.
+     *
+     * @param type - Well-known event type (autocompleted) or any plugin-namespaced string.
+     * @param handler - Async-safe handler; errors are swallowed to avoid blocking flows.
+     * @returns An unsubscribe function.
+     *
+     * @example
+     * ```ts
+     * auth.on('user.registered', async (e) => {
+     *   await assignDefaultGroup(e.userId);
+     * });
+     * ```
+     */
+    on(type: HoleauthEventType, handler: (e: HoleauthEvent) => void | Promise<void>): () => void;
 }
 
-export type { SessionRevokeHookData as A, BaseProviderConfig as B, ChallengeResult as C, SessionRotateHookData as D, HoleauthPlugin as H, InviteClaims as I, LoggerOptions as L, OAuth2ProviderConfig as O, PluginsApi as P, RegistrationConfig as R, SessionData as S, TokenPolicy as T, HoleauthConfig as a, HoleauthInstance as b, ConsumeInviteInput as c, ConsumeInviteResult as d, CreateInviteResult as e, HoleauthAdapters as f, HoleauthHooks as g, HoleauthSecrets as h, InviteInput as i, InviteListEntry as j, IssuedTokens as k, OIDCProviderConfig as l, PluginContext as m, PluginCoreSurface as n, PluginEvents as o, PluginLogger as p, PluginRoute as q, PluginRouteContext as r, ProviderConfig as s, SignInResult as t, HoleauthEvent as u, HoleauthEventType as v, PasswordChangeHookInput as w, PasswordResetHookInput as x, RegisterHookInput as y, SessionIssueHookData as z };
+export type { SessionIssueHookData as A, BaseProviderConfig as B, ChallengeResult as C, SessionRevokeHookData as D, SessionRotateHookData as E, HoleauthPlugin as H, InviteClaims as I, LoggerOptions as L, OAuth2ProviderConfig as O, PluginsApi as P, RegistrationConfig as R, SessionData as S, TokenPolicy as T, HoleauthConfig as a, HoleauthInstance as b, ConsumeInviteInput as c, ConsumeInviteResult as d, CreateInviteResult as e, HoleauthAdapters as f, HoleauthHooks as g, HoleauthSecrets as h, InviteInput as i, InviteListEntry as j, IssuedTokens as k, OIDCProviderConfig as l, PluginContext as m, PluginCoreSurface as n, PluginEvents as o, PluginLogger as p, PluginRoute as q, PluginRouteContext as r, ProviderConfig as s, SignInResult as t, HoleauthEvent as u, CoreHoleauthEventType as v, HoleauthEventType as w, PasswordChangeHookInput as x, PasswordResetHookInput as y, RegisterHookInput as z };

package/dist/{index-CotvcK_b.d.ts → index-BydOBZfs.d.ts}

@@ -1,5 +1,5 @@
-import { H as HoleauthPlugin, C as ChallengeResult, g as HoleauthHooks, w as PasswordChangeHookInput, x as PasswordResetHookInput, m as PluginContext, n as PluginCoreSurface, o as PluginEvents, p as PluginLogger, q as PluginRoute, r as PluginRouteContext, P as PluginsApi, y as RegisterHookInput, z as SessionIssueHookData, A as SessionRevokeHookData, D as SessionRotateHookData } from './index-BmYQquGs.js';
-import { H as HookRunner, P as PluginRegistry, b as buildRegistry, e as emptyRegistry, r as runOnInit } from './registry-CZhM1tEB.js';
+import { H as HoleauthPlugin, C as ChallengeResult, g as HoleauthHooks, x as PasswordChangeHookInput, y as PasswordResetHookInput, m as PluginContext, n as PluginCoreSurface, o as PluginEvents, p as PluginLogger, q as PluginRoute, r as PluginRouteContext, P as PluginsApi, z as RegisterHookInput, A as SessionIssueHookData, D as SessionRevokeHookData, E as SessionRotateHookData } from './index-Bt3CyLaq.js';
+import { H as HookRunner, P as PluginRegistry, b as buildRegistry, e as emptyRegistry, r as runOnInit } from './registry-B-I45f0J.js';
 
 /**
  * Identity helper that preserves the literal `id` on the plugin type so

package/dist/{index-BbEXbI_k.d.ts → index-C3lSoShz.d.ts}

@@ -1,6 +1,6 @@
-import { a as HoleauthConfig, t as SignInResult, k as IssuedTokens, c as ConsumeInviteInput, d as ConsumeInviteResult, i as InviteInput, e as CreateInviteResult, I as InviteClaims, j as InviteListEntry } from './index-BmYQquGs.js';
+import { a as HoleauthConfig, t as SignInResult, k as IssuedTokens, c as ConsumeInviteInput, d as ConsumeInviteResult, i as InviteInput, e as CreateInviteResult, I as InviteClaims, j as InviteListEntry } from './index-Bt3CyLaq.js';
 import { A as AdapterUser } from './index-CNtnPdzk.js';
-import { H as HookRunner } from './registry-CZhM1tEB.js';
+import { H as HookRunner } from './registry-B-I45f0J.js';
 
 interface RegisterInput {
     email: string;

package/dist/{index-CHS-socJ.d.ts → index-CcMMWIEe.d.ts}

@@ -1,4 +1,4 @@
-import { a as HoleauthConfig, s as ProviderConfig, k as IssuedTokens, l as OIDCProviderConfig, O as OAuth2ProviderConfig } from './index-BmYQquGs.js';
+import { a as HoleauthConfig, s as ProviderConfig, k as IssuedTokens, l as OIDCProviderConfig, O as OAuth2ProviderConfig } from './index-Bt3CyLaq.js';
 import { A as AdapterUser } from './index-CNtnPdzk.js';
 
 interface AuthorizeParams {
@@ -76,9 +76,73 @@ interface GithubOptions {
 /** GitHub OAuth2 provider. Uses REST userinfo (no OIDC). */
 declare function GithubProvider(opts: GithubOptions): OAuth2ProviderConfig;
 
+interface DiscordOptions {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    id?: string;
+    scopes?: string[];
+}
+/** Discord OAuth2 provider. Uses REST userinfo (no OIDC discovery). */
+declare function DiscordProvider(opts: DiscordOptions): OAuth2ProviderConfig;
+
+interface MicrosoftOptions {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    /**
+     * Microsoft tenant. Common values:
+     *   - 'common'          → both work + school and personal accounts
+     *   - 'organizations'   → work + school only
+     *   - 'consumers'       → personal Microsoft accounts only
+     *   - '<tenant-guid>'   → a specific Azure AD tenant
+     *
+     * Default: 'common'.
+     */
+    tenantId?: string;
+    id?: string;
+    scopes?: string[];
+}
+/**
+ * Microsoft Identity Platform (Azure AD / Entra ID) OpenID Connect provider.
+ *
+ * Note: the issuer for tenant 'common' is technically per-tenant at runtime
+ * (`https://login.microsoftonline.com/{tid}/v2.0`). We expose the multi-tenant
+ * issuer string; callers that need strict issuer validation should pin a
+ * specific tenant ID.
+ */
+declare function MicrosoftProvider(opts: MicrosoftOptions): OIDCProviderConfig;
+
+interface OIDCOptions {
+    /** Provider id (used as the `:provider` URL segment). */
+    id: string;
+    /** Display name. */
+    name?: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    /** OIDC issuer (used for ID token `iss` validation). */
+    issuer: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userinfoUrl: string;
+    scopes?: string[];
+}
+/**
+ * Generic OpenID Connect provider. Use this for any spec-compliant OIDC
+ * Identity Provider (Keycloak, Auth0, Okta, Authentik, holeauth-as-IDP, …).
+ *
+ * Endpoint discovery is currently the caller's responsibility — fetch
+ * `${issuer}/.well-known/openid-configuration` and pass the resulting URLs.
+ */
+declare function OIDCProvider(opts: OIDCOptions): OIDCProviderConfig;
+
 type index_AuthorizeParams = AuthorizeParams;
+declare const index_DiscordProvider: typeof DiscordProvider;
 declare const index_GithubProvider: typeof GithubProvider;
 declare const index_GoogleProvider: typeof GoogleProvider;
+declare const index_MicrosoftProvider: typeof MicrosoftProvider;
+declare const index_OIDCProvider: typeof OIDCProvider;
 type index_TokenExchangeInput = TokenExchangeInput;
 declare const index_authorize: typeof authorize;
 declare const index_base64url: typeof base64url;
@@ -91,7 +155,7 @@ declare const index_generateNonce: typeof generateNonce;
 declare const index_generatePkcePair: typeof generatePkcePair;
 declare const index_generateState: typeof generateState;
 declare namespace index {
-  export { type index_AuthorizeParams as AuthorizeParams, index_GithubProvider as GithubProvider, index_GoogleProvider as GoogleProvider, type index_TokenExchangeInput as TokenExchangeInput, index_authorize as authorize, index_base64url as base64url, index_buildAuthorizeUrl as buildAuthorizeUrl, index_callback as callback, index_exchangeCode as exchangeCode, index_fetchUserInfo as fetchUserInfo, index_findProvider as findProvider, index_generateNonce as generateNonce, index_generatePkcePair as generatePkcePair, index_generateState as generateState };
+  export { type index_AuthorizeParams as AuthorizeParams, index_DiscordProvider as DiscordProvider, index_GithubProvider as GithubProvider, index_GoogleProvider as GoogleProvider, index_MicrosoftProvider as MicrosoftProvider, index_OIDCProvider as OIDCProvider, type index_TokenExchangeInput as TokenExchangeInput, index_authorize as authorize, index_base64url as base64url, index_buildAuthorizeUrl as buildAuthorizeUrl, index_callback as callback, index_exchangeCode as exchangeCode, index_fetchUserInfo as fetchUserInfo, index_findProvider as findProvider, index_generateNonce as generateNonce, index_generatePkcePair as generatePkcePair, index_generateState as generateState };
 }
 
-export { type AuthorizeParams as A, GithubProvider as G, type TokenExchangeInput as T, GoogleProvider as a, authorize as b, base64url as c, buildAuthorizeUrl as d, callback as e, exchangeCode as f, fetchUserInfo as g, findProvider as h, index as i, generateNonce as j, generatePkcePair as k, generateState as l };
+export { type AuthorizeParams as A, DiscordProvider as D, GithubProvider as G, MicrosoftProvider as M, OIDCProvider as O, type TokenExchangeInput as T, GoogleProvider as a, authorize as b, base64url as c, buildAuthorizeUrl as d, callback as e, exchangeCode as f, fetchUserInfo as g, findProvider as h, index as i, generateNonce as j, generatePkcePair as k, generateState as l };

package/dist/{index-DRN-5E_H.d.ts → index-CngIcZZk.d.ts}

@@ -1,4 +1,4 @@
-import { a as HoleauthConfig, u as HoleauthEvent, v as HoleauthEventType } from './index-BmYQquGs.js';
+import { a as HoleauthConfig, u as HoleauthEvent, v as CoreHoleauthEventType, w as HoleauthEventType } from './index-Bt3CyLaq.js';
 
 type Handler = (e: HoleauthEvent) => void | Promise<void>;
 /** Subscribe to an event type. Use '*' to match all events. Returns an unsubscribe fn. */
@@ -14,13 +14,14 @@ declare function unsubscribe(cfg: HoleauthConfig, type: string, handler: Handler
  */
 declare function emit(cfg: HoleauthConfig, event: HoleauthEvent): Promise<void>;
 
+declare const index_CoreHoleauthEventType: typeof CoreHoleauthEventType;
 declare const index_HoleauthEvent: typeof HoleauthEvent;
 declare const index_HoleauthEventType: typeof HoleauthEventType;
 declare const index_emit: typeof emit;
 declare const index_subscribe: typeof subscribe;
 declare const index_unsubscribe: typeof unsubscribe;
 declare namespace index {
-  export { index_HoleauthEvent as HoleauthEvent, index_HoleauthEventType as HoleauthEventType, index_emit as emit, index_subscribe as subscribe, index_unsubscribe as unsubscribe };
+  export { index_CoreHoleauthEventType as CoreHoleauthEventType, index_HoleauthEvent as HoleauthEvent, index_HoleauthEventType as HoleauthEventType, index_emit as emit, index_subscribe as subscribe, index_unsubscribe as unsubscribe };
 }
 
 export { emit as e, index as i, subscribe as s, unsubscribe as u };

package/dist/{index-D57PvFMN.d.ts → index-D0r6eY4L.d.ts}

@@ -1,4 +1,4 @@
-import { a as HoleauthConfig, k as IssuedTokens, S as SessionData, b as HoleauthInstance } from './index-BmYQquGs.js';
+import { a as HoleauthConfig, k as IssuedTokens, S as SessionData, b as HoleauthInstance } from './index-Bt3CyLaq.js';
 
 interface IssueInput {
     userId: string;
@@ -87,10 +87,52 @@ interface GetSessionOrRefreshResult {
  */
 declare function getSessionOrRefresh(instance: HoleauthInstance, input: GetSessionOrRefreshInput): Promise<GetSessionOrRefreshResult>;
 
+interface RequestRefreshResult {
+    /** Resolved session, or null if both validation and refresh failed. */
+    session: SessionData | null;
+    /** Freshly-issued token bundle when a refresh occurred; null otherwise. */
+    tokens: IssuedTokens | null;
+    /** True when the refresh token was rotated. */
+    refreshed: boolean;
+    /**
+     * Ready-to-forward `Set-Cookie` header values. Empty when no rotation
+     * occurred. The caller must append these to its outgoing response.
+     */
+    setCookieHeaders: string[];
+}
+/**
+ * Read cookies from a Web API `Request`, validate the access token, and
+ * transparently rotate the refresh token when needed.
+ *
+ * **Framework-agnostic** — works wherever the Web Fetch `Request` type is
+ * available: Next.js App Router route handlers, Hono, plain `fetch` handlers,
+ * tRPC fetch adapters, Cloudflare Workers, Deno, etc.
+ *
+ * The caller is responsible for forwarding `setCookieHeaders` on the response
+ * when the result's `refreshed` flag is `true`.
+ *
+ * @example tRPC context (fetch adapter)
+ * ```ts
+ * import { getSessionOrRefreshFromRequest } from '@holeauth/core/session';
+ *
+ * export const createTrpcContext = createHoleauthContext(auth);
+ * // internally calls getSessionOrRefreshFromRequest(req, auth)
+ * ```
+ *
+ * @example Manual use in a route handler
+ * ```ts
+ * const { session, setCookieHeaders } = await getSessionOrRefreshFromRequest(req, auth);
+ * for (const c of setCookieHeaders) resHeaders.append('Set-Cookie', c);
+ * ```
+ */
+declare function getSessionOrRefreshFromRequest(req: Request, instance: HoleauthInstance): Promise<RequestRefreshResult>;
+
 type index_GetSessionOrRefreshInput = GetSessionOrRefreshInput;
 type index_GetSessionOrRefreshResult = GetSessionOrRefreshResult;
 type index_IssueInput = IssueInput;
+type index_RequestRefreshResult = RequestRefreshResult;
 declare const index_getSessionOrRefresh: typeof getSessionOrRefresh;
+declare const index_getSessionOrRefreshFromRequest: typeof getSessionOrRefreshFromRequest;
 declare const index_issueSession: typeof issueSession;
 declare const index_revokeAllForUser: typeof revokeAllForUser;
 declare const index_revokeByRefresh: typeof revokeByRefresh;
@@ -99,7 +141,7 @@ declare const index_rotateRefresh: typeof rotateRefresh;
 declare const index_sha256b64url: typeof sha256b64url;
 declare const index_validateSession: typeof validateSession;
 declare namespace index {
-  export { type index_GetSessionOrRefreshInput as GetSessionOrRefreshInput, type index_GetSessionOrRefreshResult as GetSessionOrRefreshResult, type index_IssueInput as IssueInput, index_getSessionOrRefresh as getSessionOrRefresh, index_issueSession as issueSession, index_revokeAllForUser as revokeAllForUser, index_revokeByRefresh as revokeByRefresh, index_revokeSession as revokeSession, index_rotateRefresh as rotateRefresh, index_sha256b64url as sha256b64url, index_validateSession as validateSession };
+  export { type index_GetSessionOrRefreshInput as GetSessionOrRefreshInput, type index_GetSessionOrRefreshResult as GetSessionOrRefreshResult, type index_IssueInput as IssueInput, type index_RequestRefreshResult as RequestRefreshResult, index_getSessionOrRefresh as getSessionOrRefresh, index_getSessionOrRefreshFromRequest as getSessionOrRefreshFromRequest, index_issueSession as issueSession, index_revokeAllForUser as revokeAllForUser, index_revokeByRefresh as revokeByRefresh, index_revokeSession as revokeSession, index_rotateRefresh as rotateRefresh, index_sha256b64url as sha256b64url, index_validateSession as validateSession };
 }
 
-export { type GetSessionOrRefreshInput as G, type IssueInput as I, type GetSessionOrRefreshResult as a, issueSession as b, revokeByRefresh as c, revokeSession as d, rotateRefresh as e, getSessionOrRefresh as g, index as i, revokeAllForUser as r, sha256b64url as s, validateSession as v };
+export { type GetSessionOrRefreshInput as G, type IssueInput as I, type RequestRefreshResult as R, type GetSessionOrRefreshResult as a, getSessionOrRefreshFromRequest as b, issueSession as c, revokeByRefresh as d, revokeSession as e, rotateRefresh as f, getSessionOrRefresh as g, index as i, revokeAllForUser as r, sha256b64url as s, validateSession as v };

package/dist/index.d.ts

@@ -1,17 +1,17 @@
-import { H as HoleauthPlugin, a as HoleauthConfig, b as HoleauthInstance, P as PluginsApi } from './index-BmYQquGs.js';
-export { B as BaseProviderConfig, C as ChallengeResult, c as ConsumeInviteInput, d as ConsumeInviteResult, e as CreateInviteResult, f as HoleauthAdapters, g as HoleauthHooks, h as HoleauthSecrets, I as InviteClaims, i as InviteInput, j as InviteListEntry, k as IssuedTokens, L as LoggerOptions, O as OAuth2ProviderConfig, l as OIDCProviderConfig, m as PluginContext, n as PluginCoreSurface, o as PluginEvents, p as PluginLogger, q as PluginRoute, r as PluginRouteContext, s as ProviderConfig, R as RegistrationConfig, S as SessionData, t as SignInResult, T as TokenPolicy } from './index-BmYQquGs.js';
+import { H as HoleauthPlugin, a as HoleauthConfig, b as HoleauthInstance, P as PluginsApi } from './index-Bt3CyLaq.js';
+export { B as BaseProviderConfig, C as ChallengeResult, c as ConsumeInviteInput, d as ConsumeInviteResult, e as CreateInviteResult, f as HoleauthAdapters, g as HoleauthHooks, h as HoleauthSecrets, I as InviteClaims, i as InviteInput, j as InviteListEntry, k as IssuedTokens, L as LoggerOptions, O as OAuth2ProviderConfig, l as OIDCProviderConfig, m as PluginContext, n as PluginCoreSurface, o as PluginEvents, p as PluginLogger, q as PluginRoute, r as PluginRouteContext, s as ProviderConfig, R as RegistrationConfig, S as SessionData, t as SignInResult, T as TokenPolicy } from './index-Bt3CyLaq.js';
 export { AccountConflictError, AdapterError, CredentialsError, CsrfError, HoleauthError, InvalidTokenError, NotSupportedError, PendingChallengeError, ProviderError, RefreshReuseError, RegistrationDisabledError, SessionExpiredError } from './errors/index.js';
 export { i as jwt } from './index-CjEXpqaW.js';
-export { i as session } from './index-D57PvFMN.js';
+export { i as session } from './index-D0r6eY4L.js';
 export { i as password } from './index-BYtkmk9_.js';
 export { i as otp } from './index-BwEvEa8-.js';
-export { i as sso } from './index-CHS-socJ.js';
+export { i as sso } from './index-CcMMWIEe.js';
 export { i as adapters } from './index-CNtnPdzk.js';
-export { i as cookies } from './index-BIXESLma.js';
-export { i as events } from './index-DRN-5E_H.js';
-export { i as flows } from './index-BbEXbI_k.js';
-export { d as definePlugin, i as plugins } from './index-CotvcK_b.js';
-import { P as PluginRegistry } from './registry-CZhM1tEB.js';
+export { i as cookies } from './index-BELADTaD.js';
+export { i as events } from './index-CngIcZZk.js';
+export { i as flows } from './index-C3lSoShz.js';
+export { d as definePlugin, i as plugins } from './index-BydOBZfs.js';
+import { P as PluginRegistry } from './registry-B-I45f0J.js';
 import 'jose';
 
 /** Framework-binding helper (not part of the public API surface). */

package/dist/index.js

@@ -112,6 +112,7 @@ function decode(token) {
 var session_exports = {};
 __export(session_exports, {
   getSessionOrRefresh: () => getSessionOrRefresh,
+  getSessionOrRefreshFromRequest: () => getSessionOrRefreshFromRequest,
   issueSession: () => issueSession,
   revokeAllForUser: () => revokeAllForUser,
   revokeByRefresh: () => revokeByRefresh,
@@ -446,6 +447,97 @@ async function getSessionOrRefresh(instance, input) {
   return { session, tokens, refreshed: true };
 }
 
+// src/cookies/spec.ts
+function cookieName(cfg, kind) {
+  const prefix = cfg.tokens?.cookiePrefix ?? "holeauth";
+  switch (kind) {
+    case "access":
+      return `${prefix}.at`;
+    case "refresh":
+      return `${prefix}.rt`;
+    case "csrf":
+      return `${prefix}.csrf`;
+    case "pending":
+      return `${prefix}.pending`;
+    case "oauthState":
+      return `${prefix}.oauth.state`;
+    case "oauthPkce":
+      return `${prefix}.oauth.pkce`;
+  }
+}
+function isProduction() {
+  return globalThis.process?.env?.NODE_ENV === "production";
+}
+function buildCookie(cfg, input) {
+  const httpOnly = input.httpOnly ?? input.kind !== "csrf";
+  const secure = cfg.tokens?.cookieSecure ?? isProduction();
+  return {
+    name: cookieName(cfg, input.kind),
+    value: input.value,
+    maxAge: input.maxAge,
+    httpOnly,
+    secure,
+    sameSite: input.sameSite ?? cfg.tokens?.sameSite ?? "lax",
+    path: input.path ?? "/",
+    domain: cfg.tokens?.cookieDomain
+  };
+}
+function serializeCookie(c) {
+  const parts = [`${c.name}=${encodeURIComponent(c.value)}`];
+  parts.push(`Path=${c.path}`);
+  if (c.domain) parts.push(`Domain=${c.domain}`);
+  if (c.maxAge !== void 0) {
+    parts.push(`Max-Age=${c.maxAge}`);
+    if (c.maxAge === 0) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+  }
+  if (c.httpOnly) parts.push("HttpOnly");
+  if (c.secure) parts.push("Secure");
+  parts.push(`SameSite=${c.sameSite.charAt(0).toUpperCase()}${c.sameSite.slice(1)}`);
+  return parts.join("; ");
+}
+function deleteCookie(cfg, kind) {
+  return buildCookie(cfg, { kind, value: "", maxAge: 0 });
+}
+
+// src/session/request.ts
+function parseCookies(header) {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const i = part.indexOf("=");
+    if (i < 0) continue;
+    const k = part.slice(0, i).trim();
+    const v = decodeURIComponent(part.slice(i + 1).trim());
+    if (k) out[k] = v;
+  }
+  return out;
+}
+function buildSetCookieHeaders(cfg, tokens) {
+  const accessTtl = cfg.tokens?.accessTtl ?? 900;
+  const refreshTtl = cfg.tokens?.refreshTtl ?? 2592e3;
+  return [
+    serializeCookie(buildCookie(cfg, { kind: "access", value: tokens.accessToken, maxAge: accessTtl })),
+    serializeCookie(buildCookie(cfg, { kind: "refresh", value: tokens.refreshToken, maxAge: refreshTtl })),
+    serializeCookie(buildCookie(cfg, { kind: "csrf", value: tokens.csrfToken, maxAge: refreshTtl, httpOnly: false }))
+  ];
+}
+async function getSessionOrRefreshFromRequest(req, instance) {
+  const cfg = instance.config;
+  const jar = parseCookies(req.headers.get("cookie"));
+  const accessToken = jar[cookieName(cfg, "access")];
+  const refreshToken = jar[cookieName(cfg, "refresh")];
+  const ip = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? req.headers.get("x-real-ip") ?? void 0;
+  const userAgent = req.headers.get("user-agent") ?? void 0;
+  const result = await getSessionOrRefresh(instance, {
+    accessToken,
+    refreshToken,
+    ip,
+    userAgent
+  });
+  const setCookieHeaders = result.tokens ? buildSetCookieHeaders(cfg, result.tokens) : [];
+  return { ...result, setCookieHeaders };
+}
+
 // src/password/index.ts
 var password_exports = {};
 __export(password_exports, {
@@ -545,8 +637,11 @@ function isExpired(challenge) {
 // src/sso/index.ts
 var sso_exports = {};
 __export(sso_exports, {
+  DiscordProvider: () => DiscordProvider,
   GithubProvider: () => GithubProvider,
   GoogleProvider: () => GoogleProvider,
+  MicrosoftProvider: () => MicrosoftProvider,
+  OIDCProvider: () => OIDCProvider,
   authorize: () => authorize,
   base64url: () => base64url,
   buildAuthorizeUrl: () => buildAuthorizeUrl,
@@ -840,6 +935,69 @@ function GithubProvider(opts) {
   };
 }
 
+// src/sso/providers/discord.ts
+function DiscordProvider(opts) {
+  return {
+    kind: "oauth2",
+    id: opts.id ?? "discord",
+    name: "Discord",
+    clientId: opts.clientId,
+    clientSecret: opts.clientSecret,
+    redirectUri: opts.redirectUri,
+    scopes: opts.scopes ?? ["identify", "email"],
+    authorizationUrl: "https://discord.com/oauth2/authorize",
+    tokenUrl: "https://discord.com/api/oauth2/token",
+    userinfoUrl: "https://discord.com/api/users/@me",
+    profile: (raw) => {
+      const p = raw ?? {};
+      const id = String(p.id ?? "");
+      const image = id && p.avatar ? `https://cdn.discordapp.com/avatars/${id}/${p.avatar}.png` : null;
+      return {
+        providerAccountId: id,
+        email: p.email ?? "",
+        name: p.global_name ?? p.username ?? null,
+        image
+      };
+    }
+  };
+}
+
+// src/sso/providers/microsoft.ts
+function MicrosoftProvider(opts) {
+  const tenant = opts.tenantId ?? "common";
+  const base = `https://login.microsoftonline.com/${tenant}`;
+  return {
+    kind: "oidc",
+    id: opts.id ?? "microsoft",
+    name: "Microsoft",
+    clientId: opts.clientId,
+    clientSecret: opts.clientSecret,
+    redirectUri: opts.redirectUri,
+    scopes: opts.scopes ?? ["openid", "email", "profile"],
+    issuer: `${base}/v2.0`,
+    authorizationUrl: `${base}/oauth2/v2.0/authorize`,
+    tokenUrl: `${base}/oauth2/v2.0/token`,
+    userinfoUrl: "https://graph.microsoft.com/oidc/userinfo"
+  };
+}
+
+// src/sso/providers/oidc.ts
+function OIDCProvider(opts) {
+  return {
+    kind: "oidc",
+    id: opts.id,
+    name: opts.name ?? opts.id,
+    clientId: opts.clientId,
+    clientSecret: opts.clientSecret,
+    redirectUri: opts.redirectUri,
+    scopes: opts.scopes ?? ["openid", "email", "profile"],
+    issuer: opts.issuer,
+    authorizationUrl: opts.authorizationUrl,
+    tokenUrl: opts.tokenUrl,
+    userinfoUrl: opts.userinfoUrl
+  };
+}
+
 // src/adapters/index.ts
 var adapters_exports = {};
 
@@ -856,58 +1014,6 @@ __export(cookies_exports, {
   verifyCsrf: () => verifyCsrf
 });
 
-// src/cookies/spec.ts
-function cookieName(cfg, kind) {
-  const prefix = cfg.tokens?.cookiePrefix ?? "holeauth";
-  switch (kind) {
-    case "access":
-      return `${prefix}.at`;
-    case "refresh":
-      return `${prefix}.rt`;
-    case "csrf":
-      return `${prefix}.csrf`;
-    case "pending":
-      return `${prefix}.pending`;
-    case "oauthState":
-      return `${prefix}.oauth.state`;
-    case "oauthPkce":
-      return `${prefix}.oauth.pkce`;
-  }
-}
-function isProduction() {
-  return globalThis.process?.env?.NODE_ENV === "production";
-}
-function buildCookie(cfg, input) {
-  const httpOnly = input.httpOnly ?? input.kind !== "csrf";
-  const secure = cfg.tokens?.cookieSecure ?? isProduction();
-  return {
-    name: cookieName(cfg, input.kind),
-    value: input.value,
-    maxAge: input.maxAge,
-    httpOnly,
-    secure,
-    sameSite: input.sameSite ?? cfg.tokens?.sameSite ?? "lax",
-    path: input.path ?? "/",
-    domain: cfg.tokens?.cookieDomain
-  };
-}
-function serializeCookie(c) {
-  const parts = [`${c.name}=${encodeURIComponent(c.value)}`];
-  parts.push(`Path=${c.path}`);
-  if (c.domain) parts.push(`Domain=${c.domain}`);
-  if (c.maxAge !== void 0) {
-    parts.push(`Max-Age=${c.maxAge}`);
-    if (c.maxAge === 0) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
-  }
-  if (c.httpOnly) parts.push("HttpOnly");
-  if (c.secure) parts.push("Secure");
-  parts.push(`SameSite=${c.sameSite.charAt(0).toUpperCase()}${c.sameSite.slice(1)}`);
-  return parts.join("; ");
-}
-function deleteCookie(cfg, kind) {
-  return buildCookie(cfg, { kind, value: "", maxAge: 0 });
-}
-
 // src/events/index.ts
 var events_exports = {};
 __export(events_exports, {
@@ -1737,6 +1843,9 @@ function defineHoleauth(config) {
     sso: {
       authorize: (providerId) => authorize(config, providerId),
       callback: (providerId, input) => callback(config, providerId, input)
+    },
+    on(type, handler) {
+      return subscribe(config, type, handler);
     }
   };
   const merged = { ...instance, ...registry.api };