@jezweb/oauth-token-manager 0.1.0

package/dist/errors.js

@@ -0,0 +1,117 @@
+/**
+ * Custom error types for OAuth Token Manager
+ *
+ * These errors provide clear, actionable information about what went wrong
+ * and what the application should do to recover.
+ */
+/**
+ * Base error class for all token manager errors
+ */
+export class TokenManagerError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'TokenManagerError';
+    }
+}
+/**
+ * Token not found for the given user and provider
+ *
+ * Recovery: Redirect user to OAuth flow to connect this provider
+ */
+export class TokenNotFoundError extends TokenManagerError {
+    userId;
+    provider;
+    constructor(userId, provider) {
+        super(`No token found for user "${userId}" and provider "${provider}". User needs to connect this provider.`, 'TOKEN_NOT_FOUND');
+        this.userId = userId;
+        this.provider = provider;
+        this.name = 'TokenNotFoundError';
+    }
+}
+/**
+ * Token has expired and refresh failed or no refresh token available
+ *
+ * Recovery: Redirect user to OAuth flow to re-authenticate
+ */
+export class TokenExpiredError extends TokenManagerError {
+    userId;
+    provider;
+    reason;
+    constructor(userId, provider, reason) {
+        const reasons = {
+            no_refresh_token: 'No refresh token available',
+            refresh_failed: 'Token refresh request failed',
+            refresh_token_expired: 'Refresh token has expired',
+        };
+        super(`Token expired for user "${userId}" and provider "${provider}". ${reasons[reason]}. User needs to re-authenticate.`, 'TOKEN_EXPIRED');
+        this.userId = userId;
+        this.provider = provider;
+        this.reason = reason;
+        this.name = 'TokenExpiredError';
+    }
+}
+/**
+ * Token exists but doesn't have the required scopes
+ *
+ * Recovery: Redirect user to OAuth flow with incremental consent for missing scopes
+ */
+export class InsufficientScopesError extends TokenManagerError {
+    userId;
+    provider;
+    requiredScopes;
+    grantedScopes;
+    constructor(userId, provider, requiredScopes, grantedScopes) {
+        const missing = requiredScopes.filter((s) => !grantedScopes.includes(s));
+        super(`Token for user "${userId}" and provider "${provider}" is missing required scopes: ${missing.join(', ')}. User needs to grant additional permissions.`, 'INSUFFICIENT_SCOPES');
+        this.userId = userId;
+        this.provider = provider;
+        this.requiredScopes = requiredScopes;
+        this.grantedScopes = grantedScopes;
+        this.name = 'InsufficientScopesError';
+    }
+    get missingScopes() {
+        return this.requiredScopes.filter((s) => !this.grantedScopes.includes(s));
+    }
+}
+/**
+ * Provider is not configured in the token manager
+ *
+ * Recovery: Add provider configuration to TokenManager constructor
+ */
+export class ProviderNotConfiguredError extends TokenManagerError {
+    provider;
+    constructor(provider) {
+        super(`Provider "${provider}" is not configured. Add it to the TokenManager providers config.`, 'PROVIDER_NOT_CONFIGURED');
+        this.provider = provider;
+        this.name = 'ProviderNotConfiguredError';
+    }
+}
+/**
+ * Encryption/decryption failed
+ *
+ * Recovery: Check encryption key is correct and hasn't changed
+ */
+export class CryptoError extends TokenManagerError {
+    cause;
+    constructor(operation, cause) {
+        super(`Failed to ${operation} token data. This may indicate a corrupted token or incorrect encryption key.`, 'CRYPTO_ERROR');
+        this.cause = cause;
+        this.name = 'CryptoError';
+    }
+}
+/**
+ * Storage operation failed
+ *
+ * Recovery: Check storage backend (KV/D1) is available and configured correctly
+ */
+export class StorageError extends TokenManagerError {
+    cause;
+    constructor(operation, cause) {
+        super(`Storage operation "${operation}" failed. Check your storage backend configuration.`, 'STORAGE_ERROR');
+        this.cause = cause;
+        this.name = 'StorageError';
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAGxB;IAFlB,YACE,OAAe,EACC,IAAY;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,kBAAmB,SAAQ,iBAAiB;IAErC;IACA;IAFlB,YACkB,MAAc,EACd,QAAgB;QAEhC,KAAK,CACH,4BAA4B,MAAM,mBAAmB,QAAQ,yCAAyC,EACtG,iBAAiB,CAClB,CAAC;QANc,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAMhC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,iBAAkB,SAAQ,iBAAiB;IAEpC;IACA;IACA;IAHlB,YACkB,MAAc,EACd,QAAgB,EAChB,MAAuE;QAEvF,MAAM,OAAO,GAAG;YACd,gBAAgB,EAAE,4BAA4B;YAC9C,cAAc,EAAE,8BAA8B;YAC9C,qBAAqB,EAAE,2BAA2B;SACnD,CAAC;QACF,KAAK,CACH,2BAA2B,MAAM,mBAAmB,QAAQ,MAAM,OAAO,CAAC,MAAM,CAAC,kCAAkC,EACnH,eAAe,CAChB,CAAC;QAZc,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,WAAM,GAAN,MAAM,CAAiE;QAWvF,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,uBAAwB,SAAQ,iBAAiB;IAE1C;IACA;IACA;IACA;IAJlB,YACkB,MAAc,EACd,QAAgB,EAChB,cAAwB,EACxB,aAAuB;QAEvC,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,KAAK,CACH,mBAAmB,MAAM,mBAAmB,QAAQ,iCAAiC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,+CAA+C,EACtJ,qBAAqB,CACtB,CAAC;QATc,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,mBAAc,GAAd,cAAc,CAAU;QACxB,kBAAa,GAAb,aAAa,CAAU;QAOvC,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;IAED,IAAI,aAAa;QACf,OAAO,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,0BAA2B,SAAQ,iBAAiB;IACnC;IAA5B,YAA4B,QAAgB;QAC1C,KAAK,CACH,aAAa,QAAQ,mEAAmE,EACxF,yBAAyB,CAC1B,CAAC;QAJwB,aAAQ,GAAR,QAAQ,CAAQ;QAK1C,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,WAAY,SAAQ,iBAAiB;IAG9B;IAFlB,YACE,SAAgC,EAChB,KAAa;QAE7B,KAAK,CACH,aAAa,SAAS,+EAA+E,EACrG,cAAc,CACf,CAAC;QALc,UAAK,GAAL,KAAK,CAAQ;QAM7B,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,YAAa,SAAQ,iBAAiB;IAG/B;IAFlB,YACE,SAA4C,EAC5B,KAAa;QAE7B,KAAK,CACH,sBAAsB,SAAS,qDAAqD,EACpF,eAAe,CAChB,CAAC;QALc,UAAK,GAAL,KAAK,CAAQ;QAM7B,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,54 @@
+/**
+ * @jezweb/oauth-token-manager
+ *
+ * OAuth token management for Cloudflare Workers.
+ * Store, refresh, and retrieve tokens for downstream API access.
+ *
+ * @example
+ * ```typescript
+ * import { TokenManager } from '@jezweb/oauth-token-manager';
+ * import { KVStorage } from '@jezweb/oauth-token-manager/storage/kv';
+ *
+ * const tokens = new TokenManager({
+ *   storage: new KVStorage({
+ *     namespace: env.TOKEN_KV,
+ *     encryptionKey: env.TOKEN_ENCRYPTION_KEY,
+ *   }),
+ *   encryptionKey: env.TOKEN_ENCRYPTION_KEY,
+ *   providers: {
+ *     google: {
+ *       clientId: env.GOOGLE_CLIENT_ID,
+ *       clientSecret: env.GOOGLE_CLIENT_SECRET,
+ *     },
+ *   },
+ * });
+ *
+ * // Store token after OAuth callback
+ * await tokens.store({
+ *   userId: 'user-123',
+ *   provider: 'google',
+ *   accessToken: '...',
+ *   refreshToken: '...',
+ *   expiresAt: Date.now() + 3600000,
+ *   scopes: ['calendar', 'drive'],
+ * });
+ *
+ * // Get valid token (auto-refreshes if expired)
+ * const { accessToken } = await tokens.get({
+ *   userId: 'user-123',
+ *   provider: 'google',
+ *   requiredScopes: ['calendar'],
+ * });
+ * ```
+ *
+ * @packageDocumentation
+ */
+export { TokenManager } from './token-manager';
+export type { TokenManagerConfig, TokenStorage, TokenProvider, ProviderConfig, StoredToken, TokenData, StoreTokenOptions, GetTokenOptions, ListTokensOptions, ConnectedProvider, RevokeTokenOptions, RefreshResult, } from './types';
+export { TokenManagerError, TokenNotFoundError, TokenExpiredError, InsufficientScopesError, ProviderNotConfiguredError, CryptoError, StorageError, } from './errors';
+export { encrypt, decrypt, encryptObject, decryptObject } from './crypto';
+export { KVStorage, type KVStorageOptions } from './storage/kv';
+export { GoogleProvider, googleProvider } from './providers/google';
+export { MicrosoftProvider, microsoftProvider } from './providers/microsoft';
+export { GitHubProvider, githubProvider, revokeGitHubToken, } from './providers/github';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG/C,YAAY,EACV,kBAAkB,EAClB,YAAY,EACZ,aAAa,EACb,cAAc,EACd,WAAW,EACX,SAAS,EACT,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,WAAW,EACX,YAAY,GACb,MAAM,UAAU,CAAC;AAGlB,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAG1E,OAAO,EAAE,SAAS,EAAE,KAAK,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC7E,OAAO,EACL,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,oBAAoB,CAAC"}

package/dist/index.js

@@ -0,0 +1,58 @@
+/**
+ * @jezweb/oauth-token-manager
+ *
+ * OAuth token management for Cloudflare Workers.
+ * Store, refresh, and retrieve tokens for downstream API access.
+ *
+ * @example
+ * ```typescript
+ * import { TokenManager } from '@jezweb/oauth-token-manager';
+ * import { KVStorage } from '@jezweb/oauth-token-manager/storage/kv';
+ *
+ * const tokens = new TokenManager({
+ *   storage: new KVStorage({
+ *     namespace: env.TOKEN_KV,
+ *     encryptionKey: env.TOKEN_ENCRYPTION_KEY,
+ *   }),
+ *   encryptionKey: env.TOKEN_ENCRYPTION_KEY,
+ *   providers: {
+ *     google: {
+ *       clientId: env.GOOGLE_CLIENT_ID,
+ *       clientSecret: env.GOOGLE_CLIENT_SECRET,
+ *     },
+ *   },
+ * });
+ *
+ * // Store token after OAuth callback
+ * await tokens.store({
+ *   userId: 'user-123',
+ *   provider: 'google',
+ *   accessToken: '...',
+ *   refreshToken: '...',
+ *   expiresAt: Date.now() + 3600000,
+ *   scopes: ['calendar', 'drive'],
+ * });
+ *
+ * // Get valid token (auto-refreshes if expired)
+ * const { accessToken } = await tokens.get({
+ *   userId: 'user-123',
+ *   provider: 'google',
+ *   requiredScopes: ['calendar'],
+ * });
+ * ```
+ *
+ * @packageDocumentation
+ */
+// Main class
+export { TokenManager } from './token-manager';
+// Errors
+export { TokenManagerError, TokenNotFoundError, TokenExpiredError, InsufficientScopesError, ProviderNotConfiguredError, CryptoError, StorageError, } from './errors';
+// Crypto utilities (for advanced usage)
+export { encrypt, decrypt, encryptObject, decryptObject } from './crypto';
+// Storage adapters (re-exported for convenience)
+export { KVStorage } from './storage/kv';
+// Provider implementations (for extension)
+export { GoogleProvider, googleProvider } from './providers/google';
+export { MicrosoftProvider, microsoftProvider } from './providers/microsoft';
+export { GitHubProvider, githubProvider, revokeGitHubToken, } from './providers/github';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAEH,aAAa;AACb,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAkB/C,SAAS;AACT,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,WAAW,EACX,YAAY,GACb,MAAM,UAAU,CAAC;AAElB,wCAAwC;AACxC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE1E,iDAAiD;AACjD,OAAO,EAAE,SAAS,EAAyB,MAAM,cAAc,CAAC;AAEhE,2CAA2C;AAC3C,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC7E,OAAO,EACL,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,oBAAoB,CAAC"}

package/dist/providers/github.d.ts

@@ -0,0 +1,45 @@
+/**
+ * GitHub OAuth Provider
+ *
+ * Token characteristics:
+ * - Access token lifetime: Does not expire!
+ * - Refresh token: Not applicable (tokens don't expire)
+ * - Token rotation: Not applicable
+ *
+ * GitHub tokens are valid until explicitly revoked by the user or
+ * the OAuth app is deleted. This makes GitHub simpler to handle
+ * but also means stale tokens may accumulate if users disconnect
+ * without revoking access.
+ *
+ * To revoke a token programmatically, use the GitHub API:
+ * DELETE /applications/{client_id}/token
+ */
+import type { TokenProvider, ProviderConfig, RefreshResult } from '../types';
+/**
+ * GitHub OAuth token provider
+ *
+ * Note: GitHub tokens don't expire, so refresh() is a no-op that
+ * always returns null (indicating no refresh was needed/possible).
+ */
+export declare class GitHubProvider implements TokenProvider {
+    readonly id = "github";
+    readonly supportsRefresh = false;
+    refresh(_refreshToken: string, _config: ProviderConfig): Promise<RefreshResult | null>;
+}
+/**
+ * Default GitHub provider instance
+ */
+export declare const githubProvider: GitHubProvider;
+/**
+ * Revoke a GitHub OAuth token
+ *
+ * Call this when a user disconnects their GitHub account to properly
+ * clean up the token on GitHub's side.
+ *
+ * @param accessToken - The token to revoke
+ * @param clientId - Your GitHub OAuth app client ID
+ * @param clientSecret - Your GitHub OAuth app client secret
+ * @returns true if revoked successfully, false otherwise
+ */
+export declare function revokeGitHubToken(accessToken: string, clientId: string, clientSecret: string): Promise<boolean>;
+//# sourceMappingURL=github.d.ts.map

package/dist/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE7E;;;;;GAKG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,QAAQ,CAAC,EAAE,YAAY;IACvB,QAAQ,CAAC,eAAe,SAAS;IAE3B,OAAO,CACX,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CASjC;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,gBAAuB,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAuBlB"}

package/dist/providers/github.js

@@ -0,0 +1,70 @@
+/**
+ * GitHub OAuth Provider
+ *
+ * Token characteristics:
+ * - Access token lifetime: Does not expire!
+ * - Refresh token: Not applicable (tokens don't expire)
+ * - Token rotation: Not applicable
+ *
+ * GitHub tokens are valid until explicitly revoked by the user or
+ * the OAuth app is deleted. This makes GitHub simpler to handle
+ * but also means stale tokens may accumulate if users disconnect
+ * without revoking access.
+ *
+ * To revoke a token programmatically, use the GitHub API:
+ * DELETE /applications/{client_id}/token
+ */
+/**
+ * GitHub OAuth token provider
+ *
+ * Note: GitHub tokens don't expire, so refresh() is a no-op that
+ * always returns null (indicating no refresh was needed/possible).
+ */
+export class GitHubProvider {
+    id = 'github';
+    supportsRefresh = false;
+    async refresh(_refreshToken, _config) {
+        // GitHub tokens don't expire - no refresh needed
+        // If a token is invalid, user needs to re-authenticate
+        console.warn('[GitHubProvider] refresh() called but GitHub tokens do not expire. ' +
+            'If the token is invalid, user needs to re-authenticate.');
+        return null;
+    }
+}
+/**
+ * Default GitHub provider instance
+ */
+export const githubProvider = new GitHubProvider();
+/**
+ * Revoke a GitHub OAuth token
+ *
+ * Call this when a user disconnects their GitHub account to properly
+ * clean up the token on GitHub's side.
+ *
+ * @param accessToken - The token to revoke
+ * @param clientId - Your GitHub OAuth app client ID
+ * @param clientSecret - Your GitHub OAuth app client secret
+ * @returns true if revoked successfully, false otherwise
+ */
+export async function revokeGitHubToken(accessToken, clientId, clientSecret) {
+    try {
+        const response = await fetch(`https://api.github.com/applications/${clientId}/token`, {
+            method: 'DELETE',
+            headers: {
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+                Authorization: `Basic ${btoa(`${clientId}:${clientSecret}`)}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ access_token: accessToken }),
+        });
+        // 204 No Content = success
+        // 404 = token already invalid/revoked
+        return response.status === 204 || response.status === 404;
+    }
+    catch (error) {
+        console.error('[GitHubProvider] Token revocation failed:', error);
+        return false;
+    }
+}
+//# sourceMappingURL=github.js.map

package/dist/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH;;;;;GAKG;AACH,MAAM,OAAO,cAAc;IAChB,EAAE,GAAG,QAAQ,CAAC;IACd,eAAe,GAAG,KAAK,CAAC;IAEjC,KAAK,CAAC,OAAO,CACX,aAAqB,EACrB,OAAuB;QAEvB,iDAAiD;QACjD,uDAAuD;QACvD,OAAO,CAAC,IAAI,CACV,qEAAqE;YACnE,yDAAyD,CAC5D,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,uCAAuC,QAAQ,QAAQ,EACvD;YACE,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE;gBACP,MAAM,EAAE,6BAA6B;gBACrC,sBAAsB,EAAE,YAAY;gBACpC,aAAa,EAAE,SAAS,IAAI,CAAC,GAAG,QAAQ,IAAI,YAAY,EAAE,CAAC,EAAE;gBAC7D,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;SACpD,CACF,CAAC;QAEF,2BAA2B;QAC3B,sCAAsC;QACtC,OAAO,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC;IAC5D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/providers/google.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Google OAuth Provider
+ *
+ * Token characteristics:
+ * - Access token lifetime: ~1 hour
+ * - Refresh token: Does not expire (unless revoked)
+ * - Token rotation: Optional (configurable in Google Cloud Console)
+ *
+ * Requires `access_type=offline` during initial OAuth to get refresh token
+ */
+import type { TokenProvider, ProviderConfig, RefreshResult } from '../types';
+/**
+ * Google OAuth token provider
+ */
+export declare class GoogleProvider implements TokenProvider {
+    readonly id = "google";
+    readonly supportsRefresh = true;
+    refresh(refreshToken: string, config: ProviderConfig): Promise<RefreshResult | null>;
+}
+/**
+ * Default Google provider instance
+ */
+export declare const googleProvider: GoogleProvider;
+//# sourceMappingURL=google.d.ts.map

package/dist/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAiB7E;;GAEG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,QAAQ,CAAC,EAAE,YAAY;IACvB,QAAQ,CAAC,eAAe,QAAQ;IAE1B,OAAO,CACX,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAgDjC;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,gBAAuB,CAAC"}

package/dist/providers/google.js

@@ -0,0 +1,63 @@
+/**
+ * Google OAuth Provider
+ *
+ * Token characteristics:
+ * - Access token lifetime: ~1 hour
+ * - Refresh token: Does not expire (unless revoked)
+ * - Token rotation: Optional (configurable in Google Cloud Console)
+ *
+ * Requires `access_type=offline` during initial OAuth to get refresh token
+ */
+const TOKEN_URL = 'https://oauth2.googleapis.com/token';
+/**
+ * Google OAuth token provider
+ */
+export class GoogleProvider {
+    id = 'google';
+    supportsRefresh = true;
+    async refresh(refreshToken, config) {
+        try {
+            const response = await fetch(TOKEN_URL, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: new URLSearchParams({
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    refresh_token: refreshToken,
+                    grant_type: 'refresh_token',
+                }).toString(),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                console.error(`[GoogleProvider] Token refresh failed: ${error.error} - ${error.error_description}`);
+                // Check for specific errors that indicate re-auth is needed
+                if (error.error === 'invalid_grant' ||
+                    error.error === 'unauthorized_client') {
+                    // Refresh token is invalid/revoked - user needs to re-authenticate
+                    return null;
+                }
+                // Other errors - throw to retry later
+                throw new Error(`Token refresh failed: ${error.error}`);
+            }
+            const data = (await response.json());
+            return {
+                accessToken: data.access_token,
+                // Google may return a new refresh token (rare, but handle it)
+                refreshToken: data.refresh_token,
+                expiresAt: Date.now() + data.expires_in * 1000,
+            };
+        }
+        catch (error) {
+            console.error('[GoogleProvider] Refresh error:', error);
+            // Network errors or unexpected issues - return null to trigger re-auth
+            return null;
+        }
+    }
+}
+/**
+ * Default Google provider instance
+ */
+export const googleProvider = new GoogleProvider();
+//# sourceMappingURL=google.js.map

package/dist/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,MAAM,SAAS,GAAG,qCAAqC,CAAC;AAexD;;GAEG;AACH,MAAM,OAAO,cAAc;IAChB,EAAE,GAAG,QAAQ,CAAC;IACd,eAAe,GAAG,IAAI,CAAC;IAEhC,KAAK,CAAC,OAAO,CACX,YAAoB,EACpB,MAAsB;QAEtB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;gBACtC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,aAAa,EAAE,YAAY;oBAC3B,UAAU,EAAE,eAAe;iBAC5B,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;gBAC7D,OAAO,CAAC,KAAK,CACX,0CAA0C,KAAK,CAAC,KAAK,MAAM,KAAK,CAAC,iBAAiB,EAAE,CACrF,CAAC;gBAEF,4DAA4D;gBAC5D,IACE,KAAK,CAAC,KAAK,KAAK,eAAe;oBAC/B,KAAK,CAAC,KAAK,KAAK,qBAAqB,EACrC,CAAC;oBACD,mEAAmE;oBACnE,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,sCAAsC;gBACtC,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;YAE5D,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,8DAA8D;gBAC9D,YAAY,EAAE,IAAI,CAAC,aAAa;gBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YACxD,uEAAuE;YACvE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC"}

package/dist/providers/microsoft.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Microsoft OAuth Provider (Azure AD / Entra)
+ *
+ * Token characteristics:
+ * - Access token lifetime: ~1 hour (configurable via token lifetime policies)
+ * - Refresh token: 90 days (revoked on password change)
+ * - Token rotation: Yes (Microsoft rotates refresh tokens by default)
+ *
+ * Tenant options:
+ * - 'common': Any Microsoft account (personal + work)
+ * - 'organizations': Work/school accounts only
+ * - 'consumers': Personal Microsoft accounts only
+ * - '{tenant-id}': Specific organization only
+ */
+import type { TokenProvider, ProviderConfig, RefreshResult } from '../types';
+/**
+ * Microsoft OAuth token provider
+ */
+export declare class MicrosoftProvider implements TokenProvider {
+    readonly id = "microsoft";
+    readonly supportsRefresh = true;
+    private getTokenUrl;
+    refresh(refreshToken: string, config: ProviderConfig): Promise<RefreshResult | null>;
+}
+/**
+ * Default Microsoft provider instance
+ */
+export declare const microsoftProvider: MicrosoftProvider;
+//# sourceMappingURL=microsoft.d.ts.map

package/dist/providers/microsoft.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.d.ts","sourceRoot":"","sources":["../../src/providers/microsoft.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAkB7E;;GAEG;AACH,qBAAa,iBAAkB,YAAW,aAAa;IACrD,QAAQ,CAAC,EAAE,eAAe;IAC1B,QAAQ,CAAC,eAAe,QAAQ;IAEhC,OAAO,CAAC,WAAW;IAIb,OAAO,CACX,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAqDjC;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB,mBAA0B,CAAC"}

package/dist/providers/microsoft.js

@@ -0,0 +1,72 @@
+/**
+ * Microsoft OAuth Provider (Azure AD / Entra)
+ *
+ * Token characteristics:
+ * - Access token lifetime: ~1 hour (configurable via token lifetime policies)
+ * - Refresh token: 90 days (revoked on password change)
+ * - Token rotation: Yes (Microsoft rotates refresh tokens by default)
+ *
+ * Tenant options:
+ * - 'common': Any Microsoft account (personal + work)
+ * - 'organizations': Work/school accounts only
+ * - 'consumers': Personal Microsoft accounts only
+ * - '{tenant-id}': Specific organization only
+ */
+const DEFAULT_TENANT = 'common';
+/**
+ * Microsoft OAuth token provider
+ */
+export class MicrosoftProvider {
+    id = 'microsoft';
+    supportsRefresh = true;
+    getTokenUrl(tenantId) {
+        return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    }
+    async refresh(refreshToken, config) {
+        const tenantId = config.tenantId ?? DEFAULT_TENANT;
+        const tokenUrl = this.getTokenUrl(tenantId);
+        try {
+            const response = await fetch(tokenUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: new URLSearchParams({
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    refresh_token: refreshToken,
+                    grant_type: 'refresh_token',
+                }).toString(),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                console.error(`[MicrosoftProvider] Token refresh failed: ${error.error} - ${error.error_description}`);
+                // Check for specific AADSTS errors that indicate re-auth is needed
+                // AADSTS70000: Refresh token expired
+                // AADSTS50173: Refresh token expired (password change)
+                // AADSTS700082: Refresh token expired (inactivity)
+                if (error.error === 'invalid_grant' ||
+                    error.error_codes?.some((code) => [70000, 50173, 700082].includes(code))) {
+                    return null;
+                }
+                throw new Error(`Token refresh failed: ${error.error}`);
+            }
+            const data = (await response.json());
+            return {
+                accessToken: data.access_token,
+                // Microsoft typically returns a new refresh token - always use it!
+                refreshToken: data.refresh_token,
+                expiresAt: Date.now() + data.expires_in * 1000,
+            };
+        }
+        catch (error) {
+            console.error('[MicrosoftProvider] Refresh error:', error);
+            return null;
+        }
+    }
+}
+/**
+ * Default Microsoft provider instance
+ */
+export const microsoftProvider = new MicrosoftProvider();
+//# sourceMappingURL=microsoft.js.map

package/dist/providers/microsoft.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.js","sourceRoot":"","sources":["../../src/providers/microsoft.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,cAAc,GAAG,QAAQ,CAAC;AAgBhC;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACnB,EAAE,GAAG,WAAW,CAAC;IACjB,eAAe,GAAG,IAAI,CAAC;IAExB,WAAW,CAAC,QAAgB;QAClC,OAAO,qCAAqC,QAAQ,oBAAoB,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,OAAO,CACX,YAAoB,EACpB,MAAsB;QAEtB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,cAAc,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE5C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBACrC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,aAAa,EAAE,YAAY;oBAC3B,UAAU,EAAE,eAAe;iBAC5B,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2B,CAAC;gBAChE,OAAO,CAAC,KAAK,CACX,6CAA6C,KAAK,CAAC,KAAK,MAAM,KAAK,CAAC,iBAAiB,EAAE,CACxF,CAAC;gBAEF,mEAAmE;gBACnE,qCAAqC;gBACrC,uDAAuD;gBACvD,mDAAmD;gBACnD,IACE,KAAK,CAAC,KAAK,KAAK,eAAe;oBAC/B,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC/B,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CACtC,EACD,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2B,CAAC;YAE/D,OAAO;gBACL,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,mEAAmE;gBACnE,YAAY,EAAE,IAAI,CAAC,aAAa;gBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,iBAAiB,EAAE,CAAC"}

package/dist/providers/types.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Provider types
+ *
+ * Re-export from main types for convenience
+ */
+export type { TokenProvider, ProviderConfig, RefreshResult } from '../types';
+//# sourceMappingURL=types.d.ts.map

package/dist/providers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/dist/providers/types.js

@@ -0,0 +1,7 @@
+/**
+ * Provider types
+ *
+ * Re-export from main types for convenience
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/storage/d1.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Cloudflare D1 Storage Adapter (Placeholder)
+ *
+ * D1 provides stronger consistency guarantees than KV and allows
+ * for more complex queries (e.g., find all tokens expiring soon).
+ *
+ * TODO: Implement full D1 adapter with migrations
+ */
+import type { TokenStorage, StoredToken, ConnectedProvider } from '../types';
+/**
+ * D1 Storage adapter for Cloudflare D1
+ *
+ * NOT YET IMPLEMENTED - Use KVStorage for now
+ */
+export declare class D1Storage implements TokenStorage {
+    constructor(_db: D1Database, _encryptionKey: string);
+    get(_userId: string, _provider: string): Promise<StoredToken | null>;
+    set(_token: StoredToken): Promise<void>;
+    delete(_userId: string, _provider: string): Promise<void>;
+    list(_userId: string): Promise<ConnectedProvider[]>;
+}
+//# sourceMappingURL=d1.d.ts.map

package/dist/storage/d1.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"d1.d.ts","sourceRoot":"","sources":["../../src/storage/d1.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7E;;;;GAIG;AACH,qBAAa,SAAU,YAAW,YAAY;gBAChC,GAAG,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM;IAMnD,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIpE,GAAG,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;CAGpD"}