@holeauth/core 0.0.1-alpha.0

package/dist/index-BmYQquGs.d.ts

@@ -0,0 +1,563 @@
+import { a as AdapterAuditEvent, A as AdapterUser, U as UserAdapter, S as SessionAdapter, b as AuditLogAdapter, c as AccountAdapter, V as VerificationTokenAdapter, T as TransactionAdapter } from './index-CNtnPdzk.js';
+
+/**
+ * Event type is intentionally an open string. Core emits well-known
+ * `user.*`, `session.*`, `account.*`, `sso.*` events; plugins emit under
+ * their own `<pluginId>.<name>` namespace (e.g. `twofa.verified`).
+ *
+ * Well-known core event names (non-exhaustive):
+ *   - user.registered, user.signed_in, user.signed_out
+ *   - session.created, session.rotated, session.revoked, session.reuse_detected
+ *   - account.linked, account.unlinked
+ *   - sso.authorize, sso.callback_ok, sso.callback_failed
+ *   - plugin.error
+ */
+type HoleauthEventType = string;
+interface HoleauthEvent extends AdapterAuditEvent {
+    type: HoleauthEventType;
+}
+
+/**
+ * Plugin types.
+ *
+ * A holeauth plugin is a first-class extension that can:
+ *   - contribute its own adapter (opaque to core, typed to the plugin)
+ *   - hook into core flows (register / signIn / refresh / signOut /
+ *     passwordChange / passwordReset / userUpdate / userDelete / session.*)
+ *   - contribute HTTP routes that the framework binding (@holeauth/nextjs)
+ *     mounts automatically under the same prefix as core routes
+ *   - expose a typed API surface that is merged into the returned
+ *     HoleauthInstance at `auth[plugin.id]`
+ *
+ * Plugins are registered via `defineHoleauth({ plugins: [...] as const })`.
+ * The returned instance type is inferred from the tuple so consumers get
+ * full IntelliSense without any `declare module` augmentation.
+ */
+
+/** Minimal logger surface. Plugins MUST NOT depend on console directly. */
+interface PluginLogger {
+    debug(msg: string, data?: unknown): void;
+    info(msg: string, data?: unknown): void;
+    warn(msg: string, data?: unknown): void;
+    error(msg: string, err?: unknown): void;
+}
+/**
+ * Event emitter handle exposed to plugins. Intentionally narrower than the
+ * internal emitter — plugins may subscribe, unsubscribe, and emit events
+ * scoped to their id namespace.
+ */
+interface PluginEvents {
+    on(type: string, handler: (e: HoleauthEvent) => void | Promise<void>): () => void;
+    off(type: string, handler: (e: HoleauthEvent) => void | Promise<void>): void;
+    /** Emit a (persisted + observed) event. Plugins should namespace as `<id>.<name>`. */
+    emit(e: HoleauthEvent): Promise<void>;
+}
+/**
+ * Request context passed to plugin-owned routes. Framework bindings
+ * (e.g. @holeauth/nextjs) adapt their native primitives into this shape.
+ */
+interface PluginRouteContext {
+    req: Request;
+    /** Parsed body (best-effort JSON) — may be empty object. */
+    body: Record<string, unknown>;
+    /** Response headers the handler can append Set-Cookie / other headers to. */
+    responseHeaders: Headers;
+    /** Read raw cookies. */
+    cookies: {
+        get(name: string): string | undefined;
+    };
+    /** Set a cookie on the response (framework-serialized). */
+    setCookie(spec: {
+        name: string;
+        value: string;
+        maxAge?: number;
+        httpOnly?: boolean;
+        path?: string;
+        sameSite?: 'lax' | 'strict' | 'none';
+    }): void;
+    /** Current authenticated session, if any (cheap — cached per request). */
+    getSession(): Promise<{
+        userId: string;
+        sessionId: string;
+        expiresAt: number;
+    } | null>;
+    /** Client metadata (ip + user-agent). */
+    meta: {
+        ip?: string;
+        userAgent?: string;
+    };
+    /** Plugin context (config + adapters + core helpers + other plugin APIs). */
+    plugin: PluginContext;
+}
+interface PluginRoute {
+    method: 'GET' | 'POST';
+    /** Path relative to the auth basePath (e.g. '/2fa/verify'). Must start with '/'. */
+    path: string;
+    /** If true, the dispatcher enforces a valid session before calling the handler. */
+    requireAuth?: boolean;
+    /** If true, the dispatcher enforces CSRF (double-submit). */
+    requireCsrf?: boolean;
+    /** Your handler. Return a Response; the dispatcher merges response headers. */
+    handler(ctx: PluginRouteContext): Promise<Response> | Response;
+}
+/**
+ * Result produced by a plugin's signIn challenge hook. Plugins may return
+ * `null` to opt out (user not enrolled in this factor) or a pending state
+ * to halt sign-in pending a follow-up verification step.
+ */
+interface ChallengeResult {
+    /** Plugin id (must match the returning plugin's id). */
+    pluginId: string;
+    /** Opaque token issued by the plugin (typically a short-lived JWT). */
+    pendingToken: string;
+    /** Unix-ms expiry. */
+    expiresAt: number;
+    /** Arbitrary extra payload echoed back to the caller. */
+    data?: Record<string, unknown> | null;
+}
+interface RegisterHookInput {
+    email: string;
+    password: string;
+    name?: string | null;
+}
+interface PasswordChangeHookInput {
+    userId: string;
+    currentPassword: string;
+    newPassword: string;
+}
+interface PasswordResetHookInput {
+    email: string;
+    token?: string;
+    newPassword?: string;
+}
+interface SessionIssueHookData {
+    userId: string;
+    sessionId: string;
+    familyId: string;
+}
+interface SessionRotateHookData {
+    userId: string;
+    sessionId: string;
+    familyId: string;
+}
+interface SessionRevokeHookData {
+    userId: string | null;
+    sessionId: string | null;
+    /** Set when the revoke is a global signout for the user. */
+    scope?: 'all';
+}
+/**
+ * Hooks are co-operative, never destructive. `before` hooks may throw to
+ * abort a flow; `after` hooks run post-success and must not throw —
+ * exceptions are caught, logged, and emitted as `plugin.error` events.
+ */
+interface HoleauthHooks {
+    register?: {
+        before?(input: RegisterHookInput, ctx: PluginContext): Promise<void> | void;
+        after?(user: AdapterUser, ctx: PluginContext): Promise<void> | void;
+    };
+    signIn?: {
+        before?(input: {
+            email: string;
+            ip?: string;
+            userAgent?: string;
+        }, ctx: PluginContext): Promise<void> | void;
+        /**
+         * Return a ChallengeResult to halt signIn and require a follow-up step.
+         * Return `null` to opt out. Only the first non-null wins; subsequent
+         * non-null results trigger a warning.
+         */
+        challenge?(user: AdapterUser, input: {
+            ip?: string;
+            userAgent?: string;
+        }, ctx: PluginContext): Promise<ChallengeResult | null> | ChallengeResult | null;
+        after?(result: {
+            user: AdapterUser;
+            tokens: IssuedTokens;
+            method: 'password' | 'passkey' | 'sso' | string;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    signOut?: {
+        after?(data: {
+            userId: string | null;
+            sessionId: string | null;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    refresh?: {
+        before?(input: {
+            ip?: string;
+            userAgent?: string;
+        }, ctx: PluginContext): Promise<void> | void;
+        after?(data: {
+            userId: string;
+            sessionId: string;
+            tokens: IssuedTokens;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    passwordChange?: {
+        before?(input: PasswordChangeHookInput, ctx: PluginContext): Promise<void> | void;
+        after?(data: {
+            userId: string;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    passwordReset?: {
+        before?(input: PasswordResetHookInput, ctx: PluginContext): Promise<void> | void;
+        after?(data: {
+            userId: string;
+            stage: 'request' | 'consume';
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    userUpdate?: {
+        after?(data: {
+            user: AdapterUser;
+            patch: Partial<AdapterUser>;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    userDelete?: {
+        after?(data: {
+            userId: string;
+        }, ctx: PluginContext): Promise<void> | void;
+    };
+    session?: {
+        onIssue?(data: SessionIssueHookData, ctx: PluginContext): Promise<void> | void;
+        onRotate?(data: SessionRotateHookData, ctx: PluginContext): Promise<void> | void;
+        onRevoke?(data: SessionRevokeHookData, ctx: PluginContext): Promise<void> | void;
+    };
+}
+/**
+ * Curated core surface exposed to plugins. Deliberately narrower than
+ * HoleauthInstance to prevent plugins from ping-ponging through the
+ * public API and to keep plugin code decoupled from framework bindings.
+ */
+interface PluginCoreSurface {
+    getUserById(id: string): Promise<AdapterUser | null>;
+    getUserByEmail(email: string): Promise<AdapterUser | null>;
+    issueSession(input: {
+        userId: string;
+        ip?: string | null;
+        userAgent?: string | null;
+    }): Promise<IssuedTokens>;
+    /**
+     * Run `signIn.after` hooks for a given user + method, then issue tokens.
+     * Used by passkey / SSO to funnel through the same post-sign-in hook
+     * chain as password sign-in.
+     */
+    completeSignIn(userId: string, input: {
+        method: string;
+        ip?: string;
+        userAgent?: string;
+    }): Promise<{
+        user: AdapterUser;
+        tokens: IssuedTokens;
+    }>;
+    revokeSession(sessionId: string, userId?: string): Promise<void>;
+    /** Shortcut for read-only code paths: pre-computes the SignInResult for a user (no challenge). */
+    issueSignInResult(user: AdapterUser, input: {
+        ip?: string;
+        userAgent?: string;
+    }): Promise<SignInResult>;
+}
+/**
+ * Full context handed to plugins. `getPlugin` is typed via dependsOn-aware
+ * overloads at the registry level.
+ */
+interface PluginContext {
+    config: HoleauthConfig;
+    events: PluginEvents;
+    logger: PluginLogger;
+    core: PluginCoreSurface;
+    /** Retrieve another plugin's API by id. Throws if not found. */
+    getPlugin<T = unknown>(id: string): T;
+    /**
+     * Retrieve this plugin's adapter from `config.pluginAdapters[id]`.
+     * Returns `undefined` if none was supplied. Plugins decide whether
+     * that is an error (most will throw a friendly message).
+     */
+    getPluginAdapter<T = unknown>(id: string): T | undefined;
+}
+/**
+ * A holeauth plugin. Users construct plugins via `definePlugin(...)`.
+ *
+ * Type parameters:
+ *   - Id:  literal id (so `auth[plugin.id]` can be inferred)
+ *   - Api: the typed public API produced by `api(ctx)`
+ */
+interface HoleauthPlugin<Id extends string = string, Api = unknown> {
+    readonly id: Id;
+    readonly version?: string;
+    /** Plugin ids that must be loaded before this plugin. */
+    readonly dependsOn?: readonly string[];
+    /** Plugin-owned adapter instance. Opaque to core; typed inside the plugin. */
+    readonly adapter?: unknown;
+    /** Hook implementations. Every key optional. */
+    readonly hooks?: HoleauthHooks;
+    /** HTTP routes auto-mounted by the framework binding. */
+    readonly routes?: readonly PluginRoute[];
+    /** Construct the public API surface. Called once per defineHoleauth(). */
+    readonly api: (ctx: PluginContext) => Api;
+    /** Called after all plugins have been wired. */
+    readonly onInit?: (ctx: PluginContext) => Promise<void> | void;
+    /** Called on shutdown (best-effort; consumer-controlled). */
+    readonly onShutdown?: () => Promise<void> | void;
+}
+/** Helper type: derive `auth[id]` mapping from a plugins tuple. */
+type PluginsApi<Plugins extends readonly HoleauthPlugin<string, unknown>[]> = {
+    [P in Plugins[number] as P['id']]: ReturnType<P['api']>;
+};
+
+interface TokenPolicy {
+    /** Access token lifetime in seconds. Default: 900 (15m). */
+    accessTtl?: number;
+    /** Refresh token lifetime in seconds. Default: 2592000 (30d). */
+    refreshTtl?: number;
+    /** Pending challenge cookie lifetime. Default: 300 (5m). */
+    pendingTtl?: number;
+    /** Cookie name prefix. Default: 'holeauth'. */
+    cookiePrefix?: string;
+    /** Optional cookie Domain attribute (e.g. '.example.com'). */
+    cookieDomain?: string;
+    /** Override Secure flag for cookies (auto-true in production). */
+    cookieSecure?: boolean;
+    /** SameSite. Default: 'lax'. SSO callbacks always bypass to avoid drops. */
+    sameSite?: 'lax' | 'strict' | 'none';
+}
+interface HoleauthSecrets {
+    /** JWT signing secret (or asymmetric key material). */
+    jwtSecret: string | Uint8Array;
+}
+interface BaseProviderConfig {
+    id: string;
+    name: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes?: string[];
+}
+interface OIDCProviderConfig extends BaseProviderConfig {
+    kind: 'oidc';
+    issuer: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userinfoUrl: string;
+}
+interface OAuth2ProviderConfig extends BaseProviderConfig {
+    kind: 'oauth2';
+    authorizationUrl: string;
+    tokenUrl: string;
+    userinfoUrl: string;
+    /** Map provider-specific profile to a normalised shape. */
+    profile: (raw: unknown) => {
+        providerAccountId: string;
+        email: string;
+        name?: string | null;
+        image?: string | null;
+    };
+}
+type ProviderConfig = OIDCProviderConfig | OAuth2ProviderConfig;
+interface HoleauthAdapters {
+    user: UserAdapter;
+    session: SessionAdapter;
+    /** MANDATORY — persisted audit log (awaited). */
+    auditLog: AuditLogAdapter;
+    account?: AccountAdapter;
+    verificationToken?: VerificationTokenAdapter;
+    /** Optional — wraps multi-step writes in a DB transaction when provided. */
+    transaction?: TransactionAdapter;
+}
+interface LoggerOptions {
+    silent?: boolean;
+}
+interface RegistrationConfig {
+    /**
+     * If `false`, the public `register` flow throws `REGISTRATION_DISABLED` (403).
+     * Invites continue to work regardless. Default: `true`.
+     */
+    selfServe?: boolean;
+    /** Default TTL (seconds) for invite tokens when callers do not pass one. */
+    inviteTtlSeconds?: number;
+    /**
+     * Builder for the user-visible invite acceptance URL. Called by
+     * `createInvite`; returning `undefined` omits the `url` field from the
+     * result and leaves URL construction to the caller.
+     */
+    inviteUrl?: (args: {
+        token: string;
+        email: string;
+    }) => string | undefined;
+}
+interface HoleauthConfig {
+    secrets: HoleauthSecrets;
+    adapters: HoleauthAdapters;
+    tokens?: TokenPolicy;
+    providers?: ProviderConfig[];
+    /** Plugins to register. See `@holeauth/core/plugins`. */
+    plugins?: readonly HoleauthPlugin<string, unknown>[];
+    /**
+     * Per-plugin adapter map, keyed by plugin id. Preferred over embedding
+     * adapters inside each plugin's options closure — keeps adapters in one
+     * place and out of serialisable plugin configuration.
+     *
+     * Access inside a plugin via `ctx.getPluginAdapter<T>(id)`.
+     */
+    pluginAdapters?: Record<string, unknown>;
+    /** Allow auto-linking on matching verified email (UNSAFE when provider does not verify email). */
+    allowDangerousEmailAccountLinking?: boolean;
+    /** Registration / invite configuration. */
+    registration?: RegistrationConfig;
+    /** Legacy single-listener event hook. Still supported; new code should use `events.on(...)`. */
+    onEvent?: (e: HoleauthEvent) => void | Promise<void>;
+    logger?: LoggerOptions;
+}
+interface SessionData {
+    userId: string;
+    sessionId: string;
+    expiresAt: number;
+    [key: string]: unknown;
+}
+interface IssuedTokens {
+    accessToken: string;
+    refreshToken: string;
+    csrfToken: string;
+    sessionId: string;
+    familyId: string;
+    accessExpiresAt: number;
+    refreshExpiresAt: number;
+}
+/**
+ * A signIn outcome.
+ *   - `ok`: fully authenticated; tokens ready to be set as cookies.
+ *   - `pending`: a plugin's challenge hook halted the flow. The caller
+ *     must drive the plugin's follow-up verification step. `pluginId`
+ *     identifies which plugin issued the challenge.
+ */
+type SignInResult = {
+    kind: 'ok';
+    user: AdapterUser;
+    tokens: IssuedTokens;
+} | {
+    kind: 'pending';
+    pluginId: string;
+    userId: string;
+    pendingToken: string;
+    pendingExpiresAt: number;
+    data?: Record<string, unknown> | null;
+};
+interface InviteInput {
+    email: string;
+    name?: string | null;
+    /** RBAC group ids to assign on consume. Consumer/plugin hooks handle assignment. */
+    groupIds?: string[];
+    /** User id of the admin creating the invite (for audit). */
+    invitedBy?: string | null;
+    /** Opaque metadata stored in the JWT claim `meta`. */
+    metadata?: Record<string, unknown> | null;
+    /** Override default TTL (seconds). Falls back to `registration.inviteTtlSeconds`. */
+    ttlSeconds?: number;
+}
+interface InviteClaims {
+    /** Target email (JWT subject). */
+    email: string;
+    name?: string | null;
+    groupIds?: string[];
+    invitedBy?: string | null;
+    metadata?: Record<string, unknown> | null;
+    expiresAt: number;
+    /** JWT id; also the verification token identifier. */
+    identifier: string;
+}
+interface CreateInviteResult {
+    token: string;
+    url?: string;
+    identifier: string;
+    expiresAt: number;
+}
+interface ConsumeInviteInput {
+    token: string;
+    password: string;
+    name?: string;
+    autoSignIn?: boolean;
+    ip?: string;
+    userAgent?: string;
+}
+interface ConsumeInviteResult {
+    user: AdapterUser;
+    tokens?: IssuedTokens;
+    groupIds?: string[];
+}
+interface InviteListEntry {
+    identifier: string;
+    email: string;
+    expiresAt: number;
+}
+interface HoleauthInstance {
+    config: HoleauthConfig;
+    register(input: {
+        email: string;
+        password: string;
+        name?: string;
+    }): Promise<AdapterUser>;
+    signIn(input: {
+        email: string;
+        password: string;
+        ip?: string;
+        userAgent?: string;
+    }): Promise<SignInResult>;
+    signOut(input: {
+        accessToken?: string;
+        refreshToken?: string;
+    }): Promise<void>;
+    refresh(input: {
+        refreshToken: string;
+        ip?: string;
+        userAgent?: string;
+    }): Promise<IssuedTokens>;
+    getSession(accessToken?: string): Promise<SessionData | null>;
+    changePassword(input: {
+        userId: string;
+        currentPassword: string;
+        newPassword: string;
+        revokeOtherSessions?: boolean;
+    }): Promise<void>;
+    requestPasswordReset(input: {
+        email: string;
+    }): Promise<{
+        token?: string;
+        userId?: string;
+    }>;
+    consumePasswordReset(input: {
+        email: string;
+        token: string;
+        newPassword: string;
+    }): Promise<void>;
+    updateUser(userId: string, patch: Partial<AdapterUser>): Promise<AdapterUser>;
+    deleteUser(userId: string): Promise<void>;
+    createInvite(input: InviteInput): Promise<CreateInviteResult>;
+    getInviteInfo(input: {
+        token: string;
+    }): Promise<InviteClaims>;
+    consumeInvite(input: ConsumeInviteInput): Promise<ConsumeInviteResult>;
+    revokeInvite(input: {
+        identifier: string;
+    }): Promise<void>;
+    listInvites(): Promise<InviteListEntry[]>;
+    sso: {
+        authorize(providerId: string): Promise<{
+            url: string;
+            state: string;
+            codeVerifier: string;
+            nonce?: string;
+        }>;
+        callback(providerId: string, input: {
+            code: string;
+            state: string;
+            codeVerifier: string;
+            ip?: string;
+            userAgent?: string;
+        }): Promise<{
+            user: AdapterUser;
+            tokens: IssuedTokens;
+        }>;
+    };
+}
+
+export type { SessionRevokeHookData as A, BaseProviderConfig as B, ChallengeResult as C, SessionRotateHookData as D, HoleauthPlugin as H, InviteClaims as I, LoggerOptions as L, OAuth2ProviderConfig as O, PluginsApi as P, RegistrationConfig as R, SessionData as S, TokenPolicy as T, HoleauthConfig as a, HoleauthInstance as b, ConsumeInviteInput as c, ConsumeInviteResult as d, CreateInviteResult as e, HoleauthAdapters as f, HoleauthHooks as g, HoleauthSecrets as h, InviteInput as i, InviteListEntry as j, IssuedTokens as k, OIDCProviderConfig as l, PluginContext as m, PluginCoreSurface as n, PluginEvents as o, PluginLogger as p, PluginRoute as q, PluginRouteContext as r, ProviderConfig as s, SignInResult as t, HoleauthEvent as u, HoleauthEventType as v, PasswordChangeHookInput as w, PasswordResetHookInput as x, RegisterHookInput as y, SessionIssueHookData as z };

package/dist/index-BwEvEa8-.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Email / numeric OTP helpers. The mailer itself is adapter-injected.
+ */
+declare function generateNumericOtp(length?: number): string;
+interface OtpChallenge {
+    code: string;
+    expiresAt: number;
+}
+declare function createChallenge(ttlSeconds?: number, length?: number): OtpChallenge;
+declare function isExpired(challenge: OtpChallenge): boolean;
+
+type index_OtpChallenge = OtpChallenge;
+declare const index_createChallenge: typeof createChallenge;
+declare const index_generateNumericOtp: typeof generateNumericOtp;
+declare const index_isExpired: typeof isExpired;
+declare namespace index {
+  export { type index_OtpChallenge as OtpChallenge, index_createChallenge as createChallenge, index_generateNumericOtp as generateNumericOtp, index_isExpired as isExpired };
+}
+
+export { type OtpChallenge as O, isExpired as a, createChallenge as c, generateNumericOtp as g, index as i };

package/dist/index-CHS-socJ.d.ts

@@ -0,0 +1,97 @@
+import { a as HoleauthConfig, s as ProviderConfig, k as IssuedTokens, l as OIDCProviderConfig, O as OAuth2ProviderConfig } from './index-BmYQquGs.js';
+import { A as AdapterUser } from './index-CNtnPdzk.js';
+
+interface AuthorizeParams {
+    issuerAuthUrl: string;
+    clientId: string;
+    redirectUri: string;
+    scopes?: string[];
+    state: string;
+    codeChallenge: string;
+    nonce?: string;
+    /** Extra params merged into the query string. */
+    extra?: Record<string, string>;
+}
+declare function buildAuthorizeUrl(p: AuthorizeParams): string;
+declare function generatePkcePair(): Promise<{
+    verifier: string;
+    challenge: string;
+}>;
+declare function generateState(): string;
+declare function generateNonce(): string;
+interface TokenExchangeInput {
+    tokenUrl: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    code: string;
+    codeVerifier: string;
+}
+declare function exchangeCode(i: TokenExchangeInput): Promise<Record<string, unknown>>;
+declare function fetchUserInfo(userinfoUrl: string, accessToken: string): Promise<Record<string, unknown>>;
+declare function base64url(bytes: Uint8Array): string;
+
+declare function findProvider(cfg: HoleauthConfig, id: string): ProviderConfig;
+/**
+ * Begin the SSO hop. Returns a URL to redirect the user to, plus state +
+ * PKCE verifier the caller must persist (typically in httpOnly cookies)
+ * to validate the callback.
+ */
+declare function authorize(cfg: HoleauthConfig, providerId: string): Promise<{
+    url: string;
+    state: string;
+    codeVerifier: string;
+    nonce?: string;
+}>;
+
+interface CallbackInput {
+    code: string;
+    state: string;
+    codeVerifier: string;
+    ip?: string;
+    userAgent?: string;
+}
+declare function callback(cfg: HoleauthConfig, providerId: string, input: CallbackInput): Promise<{
+    user: AdapterUser;
+    tokens: IssuedTokens;
+}>;
+
+interface GoogleOptions {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    id?: string;
+    scopes?: string[];
+}
+/** Google OpenID Connect provider. */
+declare function GoogleProvider(opts: GoogleOptions): OIDCProviderConfig;
+
+interface GithubOptions {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    id?: string;
+    scopes?: string[];
+}
+/** GitHub OAuth2 provider. Uses REST userinfo (no OIDC). */
+declare function GithubProvider(opts: GithubOptions): OAuth2ProviderConfig;
+
+type index_AuthorizeParams = AuthorizeParams;
+declare const index_GithubProvider: typeof GithubProvider;
+declare const index_GoogleProvider: typeof GoogleProvider;
+type index_TokenExchangeInput = TokenExchangeInput;
+declare const index_authorize: typeof authorize;
+declare const index_base64url: typeof base64url;
+declare const index_buildAuthorizeUrl: typeof buildAuthorizeUrl;
+declare const index_callback: typeof callback;
+declare const index_exchangeCode: typeof exchangeCode;
+declare const index_fetchUserInfo: typeof fetchUserInfo;
+declare const index_findProvider: typeof findProvider;
+declare const index_generateNonce: typeof generateNonce;
+declare const index_generatePkcePair: typeof generatePkcePair;
+declare const index_generateState: typeof generateState;
+declare namespace index {
+  export { type index_AuthorizeParams as AuthorizeParams, index_GithubProvider as GithubProvider, index_GoogleProvider as GoogleProvider, type index_TokenExchangeInput as TokenExchangeInput, index_authorize as authorize, index_base64url as base64url, index_buildAuthorizeUrl as buildAuthorizeUrl, index_callback as callback, index_exchangeCode as exchangeCode, index_fetchUserInfo as fetchUserInfo, index_findProvider as findProvider, index_generateNonce as generateNonce, index_generatePkcePair as generatePkcePair, index_generateState as generateState };
+}
+
+export { type AuthorizeParams as A, GithubProvider as G, type TokenExchangeInput as T, GoogleProvider as a, authorize as b, base64url as c, buildAuthorizeUrl as d, callback as e, exchangeCode as f, fetchUserInfo as g, findProvider as h, index as i, generateNonce as j, generatePkcePair as k, generateState as l };