@joethebigbuddy/auth 0.0.1

package/dist/lib/adapters/redis/create-redis-auth-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-redis-auth-storage.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/create-redis-auth-storage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,KAAK,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE3D,MAAM,WAAW,6BAA8B,SAAQ,uBAAuB;IAC5E,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,6BAA6B;;;;;qMAgBzD,GAAI;;;;;qMAM2iB,GAAI;;;;;4MAA+nB,CAAC;;;;;4MAAyqB,CAAC;;;;;oNAAkrB,GAAI;;;;;oNAAwoB,GAAI;;;;;sIAAyiB,CAAC;;;;;sIAA+kB,CAAC;;;;;sIAAglB,CAAC;;;;;;;;sIAAm/B,CAAC;;;;;;;;;;;;;;;;;;sIAA0nE,CAAC;;;;;sIAA2Z,CAAC;;;;;sIAAka,CAAC;;;;;sIAA8a,CAAC;;;;;sIAAsa,CAAC;;;;;sIAAqZ,CAAC;;;;;sIAAwZ,CAAC;;;;;sIAA8Z,CAAC;;;;;sIAA2Z,CAAC;;;;;sIAA0Z,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sIAA8mM,CAAC;;;;;sIAA2sB,CAAC;;;;;sIAAysB,CAAC;;;;;sIAA+kB,CAAC;;;;;4MAAiqB,CAAC;;;;;4MAAqiB,CAAC;;;;;sJAAue,CAAC;;;;;sJAAymB,CAAC;;;;;sIAAqlB,CAAC;;;;;sIAA+kB,CAAC;;;;;;;;;;;;;;;sIAAywD,CAAC;;;;;;;;sIAAu0C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8KAAy4G,CAAC;;yLAAyU,GAAI;;;;;;;8KAAwtB,CAAC;;yLAAyU,GAAI;;;;;;;;8KAA4vB,CAAC;;mLAA8S,GAAI,uJAAiJ,CAAC,kBAAkB,CAAC;;;;;;;;8KAA+iB,CAAC;;mLAA8S,GAAI,uJAAiJ,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kLAA2pK,CAAC;;;;;;kLAAigB,CAAC;;;;;;;;;;;;;;;;;;gRAAylD,CAAC;;yLAAuT,GAAI;;;;;;;;gRAAg1B,CAAC;;yLAAuT,GAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wIAAmzH,CAAC;;;;;;;;;wIAA0mB,CAAC;;;;;;;;;8KAAspB,CAAC;;;;;;8KAAogB,CAAC;;;;;;8KAAugB,CAAC;;;;;;8KAAmkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;uDAA22D,CAAC,kBAAkB,CAAC;;;;;;;;;;uDAA6kB,CAAC,kBAAkB,CAAC;;;;;;;;8KAAwiB,CAAC;;;;;;;;;;8KAAs+B,CAAC;;;;;;;;;;gIAA26B,CAAC;;iLAAwX,GAAI;;;;;;;;gIAA2xB,CAAC;;iLAAwX,GAAI;;;;;;;;8KAAy1B,CAAC;;;;;;;;;;8KAAkvB,CAAC;;;;;;;;;;8KAAyuB,CAAC;;;;;;;;;;8KAA6rB,CAAC;;;;;;;;;;8KAAisB,CAAC;;;;;;;;;;;;;;;;8KAAw5B,CAAC;;;;;;;;;;;;;;;4LAAo3B,CAAC;;;;;4LAA2d,CAAC;;;;;;;;;;;;;;;6KAAisC,CAAC;;;;;;;;6KAAgwB,CAAC;;;;;;;;6KAA4wB,CAAC;;qLAA2S,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;6KAAsrC,CAAC;;qLAA2S,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;6KAA2qC,CAAC;;qLAA2S,CAAC,kBAAkB,CAAC;;;;;;;;;;;;6KAA86B,CAAC;;qLAA2S,CAAC,kBAAkB,CAAC;;;;;;;;;;;;6KAAo6B,CAAC;;;;;6KAAgkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gRAAywG,CAAC;;;;;;gRAAumB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qOAAi3D,CAAC;;;;;qOAAuf,CAAC;;;;;sIAAqa,CAAC;;;;;sIAA6a,CAAC;;;;;sIAA8a,CAAC;;;;;sIAAgb,CAAC;;;;;sRAAylB,CAAC;;;;;sRAA0hB,CAAC;;;;;qJAAgY,CAAC;;;;;qJAA2b,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;sIAA4oE,CAAC;;;;;;;;;;;;;;sIAAq5C,CAAC;;;;;;;;;;;;;;qJAAw6C,CAAC;;;;;qJAA2b,CAAC;;;;;;;8pBAA8jC,CAAC;;;;;;;;;8pBAA8mC,CAAC;;;;;;;;;4IAAymB,CAAC;;;;;;;;;4IAA8lB,CAAC;;;;;;;;;;;;;;;;;4SAA+jD,CAAC;;sRAA0Y,CAAC;;;;;;;;;;;;;;;;;;4SAAw6D,CAAC;;sRAA0Y,CAAC;;;;;;;;;;;;;;;;;;mMAA+zD,CAAC;;2NAAuW,CAAC;;;;;;;;;;;;;;;;;;mMAAspD,CAAC;;2NAAuW,CAAC;;;;;;;;;;;;;;;;;;;mMAA0rD,CAAC;;6IAAuQ,CAAC;;;;;;;;;;;;;;;;;mMAA2rC,CAAC;;6IAAuQ,CAAC;;;;;;;;;;;;;;;;wbAAm3C,CAAC;;gJAA4Q,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;wbAAuiD,CAAC;;gJAA4Q,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;iiBAA8pD,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;iiBAA6tE,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;scAAgoE,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;scAAwuD,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;wbAA+tD,CAAC;;qKAAiS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;wbAAgjE,CAAC;;qKAAiS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;6VAAggE,CAAC;;sJAAkR,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;6VAAyrD,CAAC;;sJAAkR,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;6VAA+qD,CAAC;;iIAA6P,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;6VAAitC,CAAC;;iIAA6P,CAAC,kBAAkB,CAAC;;;;;;;;;;;;wbAAswC,CAAC;;gJAA4Q,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;wbAA0iD,CAAC;;gJAA4Q,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;iiBAAiqD,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;iiBAAguE,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;scAAmoE,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;scAA2uD,CAAC;;+JAA2R,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;wbAAkuD,CAAC;;qKAAiS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;wbAAmjE,CAAC;;qKAAiS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;6VAAmgE,CAAC;;sJAAkR,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;6VAA4rD,CAAC;;sJAAkR,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;6VAAkrD,CAAC;;iIAA6P,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;6VAAotC,CAAC;;iIAA6P,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;4SAA8+E,CAAC;;;;;;;;;;;;;;4SAA4vD,CAAC;;;;;;;;;;;;;;4SAA+vD,CAAC;;;;;;;;;;;;;;4SAA+vD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;y3BAAmrK,CAAC;;;;;;;;y3BAAmzC,CAAC;;;;;;sOAAshB,CAAC;;;;;;;;sOAAwwB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2KAA0qI,CAAC;;;;;2KAAud,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sfAAgzG,CAAC;;;;;;;;sfAAi9B,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qxCAA2yT,CAAC;;;;;;;;qxCAAksD,CAAC;;;;;;sOAAwhB,CAAC;;;;;;;;sOAAywB,CAAC;;;;;;;;sOAA2wB,CAAC;;;;;;;;sOAA2wB,CAAC;;;;;;;;;;;;;;;;;;wJAA6+C,CAAC;;;;;wJAAsc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iHAAwxF,CAAC,kBAAkB,CAAC;;;;;;;;iHAAuoB,CAAC,kBAAkB,CAAC;;;;;;;;iHAA0oB,CAAC,kBAAkB,CAAC;;;;;;;;iHAA0oB,CAAC,kBAAkB,CAAC;;;;;;;;iHAAqoB,CAAC,kBAAkB,CAAC;;;;;;;;iHAAqoB,CAAC,kBAAkB,CAAC;;;;;;sIAAoe,CAAC;;;;;sIAAwb,CAAC;;;;;;;s5CAA0zD,CAAC;;;;;;;;s5CAAi0D,CAAC;;;;;;;;+GAA4kB,CAAC,kBAAkB,CAAC;;;;;;;;+GAAujB,CAAC,kBAAkB,CAAC;;;;;;+OAA+gB,CAAC;;;;;+OAA2hB,CAAC;;;;;;;+GAAmkB,CAAC,kBAAkB,CAAC;;;;;;;;+GAAujB,CAAC,kBAAkB,CAAC;;;;;;;;iHAAmlB,CAAC,kBAAkB,CAAC;;;;;;;;iHAA6oB,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+GAAu7F,CAAC,kBAAkB,CAAC;;;;;;;;+GAAonB,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8mBAA+nI,CAAC,kBAAkB,CAAC;;;;;;;;8mBAAqjC,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oJAAyyH,CAAC;;;;;oJAAmc,CAAC;;;;;;;mBAZ77yN,OAAO,CAAC,IAAI,CAAC;iBAKf,OAAO,CAAC,IAAI,CAAC;EAMjC"}

package/dist/lib/adapters/redis/create-redis-auth-storage.js

@@ -0,0 +1,25 @@
+import { createClient } from 'redis';
+import { RedisRefreshTokenStore } from './redis-refresh-token-store.js';
+import { RedisSessionStore } from './redis-session-store.js';
+export function createRedisAuthStorage(options) {
+    const client = createClient({
+        url: options.url,
+        ...options.client,
+    });
+    return {
+        client,
+        sessionStore: new RedisSessionStore(client, options),
+        refreshTokenStore: new RedisRefreshTokenStore(client, options),
+        connect: async () => {
+            if (!client.isOpen) {
+                await client.connect();
+            }
+        },
+        close: async () => {
+            if (client.isOpen) {
+                await client.quit();
+            }
+        },
+    };
+}
+//# sourceMappingURL=create-redis-auth-storage.js.map

package/dist/lib/adapters/redis/create-redis-auth-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-redis-auth-storage.js","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/create-redis-auth-storage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA2B,MAAM,OAAO,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAQ7D,MAAM,UAAU,sBAAsB,CAAC,OAAsC;IAC3E,MAAM,MAAM,GAAG,YAAY,CAAC;QAC1B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,OAAO,CAAC,MAAM;KAClB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,YAAY,EAAE,IAAI,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC;QACpD,iBAAiB,EAAE,IAAI,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC;QAC9D,OAAO,EAAE,KAAK,IAAmB,EAAE;YACjC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,CAAC;QACH,CAAC;QACD,KAAK,EAAE,KAAK,IAAmB,EAAE;YAC/B,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/lib/adapters/redis/redis-refresh-token-store.d.ts

@@ -0,0 +1,13 @@
+import type { RefreshTokenStore } from '../../ports.js';
+import type { RefreshTokenRecord } from '../../types.js';
+import { type RedisAuthStorageOptions, type RedisClientLike } from './shared.js';
+export declare class RedisRefreshTokenStore implements RefreshTokenStore {
+    private readonly client;
+    private readonly keyPrefix;
+    constructor(client: RedisClientLike, options?: RedisAuthStorageOptions);
+    save(record: RefreshTokenRecord): Promise<void>;
+    get(tokenId: string): Promise<RefreshTokenRecord | null>;
+    revoke(tokenId: string): Promise<void>;
+    revokeBySession(sessionId: string): Promise<number>;
+}
+//# sourceMappingURL=redis-refresh-token-store.d.ts.map

package/dist/lib/adapters/redis/redis-refresh-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-refresh-token-store.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/redis-refresh-token-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAOL,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACrB,MAAM,aAAa,CAAC;AAErB,qBAAa,sBAAuB,YAAW,iBAAiB;IAI5D,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAGhB,MAAM,EAAE,eAAe,EACxC,OAAO,GAAE,uBAA4B;IAKjC,IAAI,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAO/C,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAKxD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYtC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAmB1D"}

package/dist/lib/adapters/redis/redis-refresh-token-store.js

@@ -0,0 +1,46 @@
+import { parseRefreshTokenRecord, refreshTokenKey, resolveRedisKeyPrefix, serializeRefreshTokenRecord, sessionRefreshTokensKey, toUnixSeconds, } from './shared.js';
+export class RedisRefreshTokenStore {
+    client;
+    keyPrefix;
+    constructor(client, options = {}) {
+        this.client = client;
+        this.keyPrefix = resolveRedisKeyPrefix(options);
+    }
+    async save(record) {
+        const key = refreshTokenKey(this.keyPrefix, record.tokenId);
+        await this.client.set(key, serializeRefreshTokenRecord(record));
+        await this.client.expireAt(key, toUnixSeconds(record.expiresAt));
+        await this.client.sAdd(sessionRefreshTokensKey(this.keyPrefix, record.sessionId), record.tokenId);
+    }
+    async get(tokenId) {
+        const value = await this.client.get(refreshTokenKey(this.keyPrefix, tokenId));
+        return value ? parseRefreshTokenRecord(value) : null;
+    }
+    async revoke(tokenId) {
+        const record = await this.get(tokenId);
+        if (!record) {
+            return;
+        }
+        await this.save({
+            ...record,
+            revokedAt: record.revokedAt ?? new Date(),
+        });
+    }
+    async revokeBySession(sessionId) {
+        const tokenIds = await this.client.sMembers(sessionRefreshTokensKey(this.keyPrefix, sessionId));
+        let count = 0;
+        for (const tokenId of tokenIds) {
+            const record = await this.get(tokenId);
+            if (!record || record.revokedAt) {
+                continue;
+            }
+            await this.save({
+                ...record,
+                revokedAt: new Date(),
+            });
+            count += 1;
+        }
+        return count;
+    }
+}
+//# sourceMappingURL=redis-refresh-token-store.js.map

package/dist/lib/adapters/redis/redis-refresh-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-refresh-token-store.js","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/redis-refresh-token-store.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,2BAA2B,EAC3B,uBAAuB,EACvB,aAAa,GAGd,MAAM,aAAa,CAAC;AAErB,MAAM,OAAO,sBAAsB;IAId;IAHF,SAAS,CAAS;IAEnC,YACmB,MAAuB,EACxC,UAAmC,EAAE;QADpB,WAAM,GAAN,MAAM,CAAiB;QAGxC,IAAI,CAAC,SAAS,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAA0B;QACnC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,2BAA2B,CAAC,MAAM,CAAC,CAAC,CAAC;QAChE,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjE,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACpG,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe;QACvB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9E,OAAO,KAAK,CAAC,CAAC,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe;QAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;QACT,CAAC;QAED,MAAM,IAAI,CAAC,IAAI,CAAC;YACd,GAAG,MAAM;YACT,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB;QACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAChG,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBAChC,SAAS;YACX,CAAC;YAED,MAAM,IAAI,CAAC,IAAI,CAAC;gBACd,GAAG,MAAM;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/lib/adapters/redis/redis-session-store.d.ts

@@ -0,0 +1,16 @@
+import type { SessionStore } from '../../ports.js';
+import type { SessionRecord } from '../../types.js';
+import { type RedisAuthStorageOptions, type RedisClientLike } from './shared.js';
+export declare class RedisSessionStore implements SessionStore {
+    private readonly client;
+    private readonly keyPrefix;
+    constructor(client: RedisClientLike, options?: RedisAuthStorageOptions);
+    create(session: SessionRecord): Promise<void>;
+    get(sessionId: string): Promise<SessionRecord | null>;
+    update(session: SessionRecord): Promise<void>;
+    delete(sessionId: string): Promise<void>;
+    deleteBySubject(subjectId: string): Promise<number>;
+    listBySubject(subjectId: string): Promise<SessionRecord[]>;
+    private writeSession;
+}
+//# sourceMappingURL=redis-session-store.d.ts.map

package/dist/lib/adapters/redis/redis-session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-session-store.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/redis-session-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAOL,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACrB,MAAM,aAAa,CAAC;AAErB,qBAAa,iBAAkB,YAAW,YAAY;IAIlD,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAGhB,MAAM,EAAE,eAAe,EACxC,OAAO,GAAE,uBAA4B;IAKjC,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAI7C,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAKrD,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAI7C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASxC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAcnD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;YAMlD,YAAY;CAM3B"}

package/dist/lib/adapters/redis/redis-session-store.js

@@ -0,0 +1,49 @@
+import { parseSessionRecord, resolveRedisKeyPrefix, serializeSessionRecord, sessionKey, subjectSessionsKey, toUnixSeconds, } from './shared.js';
+export class RedisSessionStore {
+    client;
+    keyPrefix;
+    constructor(client, options = {}) {
+        this.client = client;
+        this.keyPrefix = resolveRedisKeyPrefix(options);
+    }
+    async create(session) {
+        await this.writeSession(session);
+    }
+    async get(sessionId) {
+        const value = await this.client.get(sessionKey(this.keyPrefix, sessionId));
+        return value ? parseSessionRecord(value) : null;
+    }
+    async update(session) {
+        await this.writeSession(session);
+    }
+    async delete(sessionId) {
+        const existing = await this.get(sessionId);
+        await this.client.del(sessionKey(this.keyPrefix, sessionId));
+        if (existing) {
+            await this.client.sRem(subjectSessionsKey(this.keyPrefix, existing.subjectId), sessionId);
+        }
+    }
+    async deleteBySubject(subjectId) {
+        const membershipKey = subjectSessionsKey(this.keyPrefix, subjectId);
+        const sessionIds = await this.client.sMembers(membershipKey);
+        if (sessionIds.length === 0) {
+            return 0;
+        }
+        const keys = sessionIds.map((sessionId) => sessionKey(this.keyPrefix, sessionId));
+        await this.client.del(keys);
+        await this.client.del(membershipKey);
+        return sessionIds.length;
+    }
+    async listBySubject(subjectId) {
+        const sessionIds = await this.client.sMembers(subjectSessionsKey(this.keyPrefix, subjectId));
+        const sessions = await Promise.all(sessionIds.map((sessionId) => this.get(sessionId)));
+        return sessions.filter((session) => session !== null);
+    }
+    async writeSession(session) {
+        const key = sessionKey(this.keyPrefix, session.id);
+        await this.client.set(key, serializeSessionRecord(session));
+        await this.client.expireAt(key, toUnixSeconds(session.expiresAt));
+        await this.client.sAdd(subjectSessionsKey(this.keyPrefix, session.subjectId), session.id);
+    }
+}
+//# sourceMappingURL=redis-session-store.js.map

package/dist/lib/adapters/redis/redis-session-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-session-store.js","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/redis-session-store.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,sBAAsB,EACtB,UAAU,EACV,kBAAkB,EAClB,aAAa,GAGd,MAAM,aAAa,CAAC;AAErB,MAAM,OAAO,iBAAiB;IAIT;IAHF,SAAS,CAAS;IAEnC,YACmB,MAAuB,EACxC,UAAmC,EAAE;QADpB,WAAM,GAAN,MAAM,CAAiB;QAGxC,IAAI,CAAC,SAAS,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAsB;QACjC,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAC3E,OAAO,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAsB;QACjC,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAE7D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB;QACrC,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACpE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAE7D,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAClF,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5B,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACrC,OAAO,UAAU,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAC7F,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACvF,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAA4B,EAAE,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC;IAClF,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,OAAsB;QAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,sBAAsB,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAClE,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;CACF"}

package/dist/lib/adapters/redis/shared.d.ts

@@ -0,0 +1,24 @@
+import type { RefreshTokenRecord, SessionRecord } from '../../types.js';
+export interface RedisClientLike {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<unknown>;
+    del(keys: string | string[]): Promise<number>;
+    sAdd(key: string, members: string | string[]): Promise<number>;
+    sMembers(key: string): Promise<string[]>;
+    sRem(key: string, members: string | string[]): Promise<number>;
+    expireAt(key: string, unixTimeSeconds: number): Promise<number | boolean>;
+}
+export interface RedisAuthStorageOptions {
+    keyPrefix?: string;
+}
+export declare function resolveRedisKeyPrefix(options?: RedisAuthStorageOptions): string;
+export declare function sessionKey(prefix: string, sessionId: string): string;
+export declare function subjectSessionsKey(prefix: string, subjectId: string): string;
+export declare function refreshTokenKey(prefix: string, tokenId: string): string;
+export declare function sessionRefreshTokensKey(prefix: string, sessionId: string): string;
+export declare function serializeSessionRecord(record: SessionRecord): string;
+export declare function parseSessionRecord(value: string): SessionRecord;
+export declare function serializeRefreshTokenRecord(record: RefreshTokenRecord): string;
+export declare function parseRefreshTokenRecord(value: string): RefreshTokenRecord;
+export declare function toUnixSeconds(value: Date): number;
+//# sourceMappingURL=shared.d.ts.map

package/dist/lib/adapters/redis/shared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/shared.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAExE,MAAM,WAAW,eAAe;IAC9B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;CAC3E;AAED,MAAM,WAAW,uBAAuB;IACtC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAkBD,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,uBAA4B,GAAG,MAAM,CAEnF;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAE5E;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEvE;AAED,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAEjF;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAUpE;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAS/D;AAED,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAU9E;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,kBAAkB,CASzE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,GAAG,MAAM,CAEjD"}

package/dist/lib/adapters/redis/shared.js

@@ -0,0 +1,60 @@
+const DEFAULT_KEY_PREFIX = 'auth';
+export function resolveRedisKeyPrefix(options = {}) {
+    return options.keyPrefix?.trim() || DEFAULT_KEY_PREFIX;
+}
+export function sessionKey(prefix, sessionId) {
+    return `${prefix}:session:${sessionId}`;
+}
+export function subjectSessionsKey(prefix, subjectId) {
+    return `${prefix}:subject-sessions:${subjectId}`;
+}
+export function refreshTokenKey(prefix, tokenId) {
+    return `${prefix}:refresh-token:${tokenId}`;
+}
+export function sessionRefreshTokensKey(prefix, sessionId) {
+    return `${prefix}:session-refresh-tokens:${sessionId}`;
+}
+export function serializeSessionRecord(record) {
+    const payload = {
+        ...record,
+        createdAt: record.createdAt.toISOString(),
+        expiresAt: record.expiresAt.toISOString(),
+        lastSeenAt: record.lastSeenAt.toISOString(),
+        revokedAt: record.revokedAt ? record.revokedAt.toISOString() : null,
+    };
+    return JSON.stringify(payload);
+}
+export function parseSessionRecord(value) {
+    const payload = JSON.parse(value);
+    return {
+        ...payload,
+        createdAt: new Date(payload.createdAt),
+        expiresAt: new Date(payload.expiresAt),
+        lastSeenAt: new Date(payload.lastSeenAt),
+        revokedAt: payload.revokedAt ? new Date(payload.revokedAt) : null,
+    };
+}
+export function serializeRefreshTokenRecord(record) {
+    const payload = {
+        ...record,
+        issuedAt: record.issuedAt.toISOString(),
+        expiresAt: record.expiresAt.toISOString(),
+        consumedAt: record.consumedAt ? record.consumedAt.toISOString() : null,
+        revokedAt: record.revokedAt ? record.revokedAt.toISOString() : null,
+    };
+    return JSON.stringify(payload);
+}
+export function parseRefreshTokenRecord(value) {
+    const payload = JSON.parse(value);
+    return {
+        ...payload,
+        issuedAt: new Date(payload.issuedAt),
+        expiresAt: new Date(payload.expiresAt),
+        consumedAt: payload.consumedAt ? new Date(payload.consumedAt) : null,
+        revokedAt: payload.revokedAt ? new Date(payload.revokedAt) : null,
+    };
+}
+export function toUnixSeconds(value) {
+    return Math.max(1, Math.floor(value.getTime() / 1000));
+}
+//# sourceMappingURL=shared.js.map

package/dist/lib/adapters/redis/shared.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.js","sourceRoot":"","sources":["../../../../src/lib/adapters/redis/shared.ts"],"names":[],"mappings":"AA8BA,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,MAAM,UAAU,qBAAqB,CAAC,UAAmC,EAAE;IACzE,OAAO,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,kBAAkB,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAc,EAAE,SAAiB;IAC1D,OAAO,GAAG,MAAM,YAAY,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,SAAiB;IAClE,OAAO,GAAG,MAAM,qBAAqB,SAAS,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAc,EAAE,OAAe;IAC7D,OAAO,GAAG,MAAM,kBAAkB,OAAO,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,SAAiB;IACvE,OAAO,GAAG,MAAM,2BAA2B,SAAS,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAqB;IAC1D,MAAM,OAAO,GAA4B;QACvC,GAAG,MAAM;QACT,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE;QACzC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE;QAC3C,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;KACpE,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAA4B,CAAC;IAC7D,OAAO;QACL,GAAG,OAAO;QACV,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACtC,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACtC,UAAU,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACxC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI;KAClE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAA0B;IACpE,MAAM,OAAO,GAAiC;QAC5C,GAAG,MAAM;QACT,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE;QACvC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;QACtE,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;KACpE,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,KAAa;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAiC,CAAC;IAClE,OAAO;QACL,GAAG,OAAO;QACV,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpC,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACtC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI;QACpE,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI;KAClE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAW;IACvC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/lib/core/authorization-service.d.ts

@@ -0,0 +1,21 @@
+import type { AuthPrincipal, AuthSubject, AuthorizationDecision, AuthorizationRequirement, Permission, PolicyHandler, Role, RoleDefinition } from '../types.js';
+import type { LoggerPort } from '../ports.js';
+export interface AuthorizationServiceOptions {
+    roles?: Record<Role, RoleDefinition>;
+    policies?: Record<string, PolicyHandler>;
+    logger?: LoggerPort;
+}
+export declare class AuthorizationService {
+    private readonly roles;
+    private readonly policies;
+    private readonly logger;
+    constructor(options?: AuthorizationServiceOptions);
+    addRole(role: Role, definition: RoleDefinition): void;
+    addPolicy(name: string, policy: PolicyHandler): void;
+    resolvePermissions(subject: Pick<AuthSubject, 'roles' | 'permissions'>): Permission[];
+    authorize(principal: AuthPrincipal, requirement: AuthorizationRequirement, resource?: unknown): Promise<AuthorizationDecision>;
+    assertAuthorized(principal: AuthPrincipal, requirement: AuthorizationRequirement, resource?: unknown): Promise<void>;
+    private resolveRolePermissions;
+    private evaluatePolicy;
+}
+//# sourceMappingURL=authorization-service.d.ts.map

package/dist/lib/core/authorization-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../../src/lib/core/authorization-service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,aAAa,EACb,WAAW,EAEX,qBAAqB,EACrB,wBAAwB,EACxB,UAAU,EACV,aAAa,EACb,IAAI,EACJ,cAAc,EACf,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,WAAW,2BAA2B;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACzC,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAED,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAmC;IACzD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoC;IAC7D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;gBAExB,OAAO,GAAE,2BAAgC;IAYrD,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,cAAc,GAAG,IAAI;IAIrD,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,IAAI;IAIpD,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,aAAa,CAAC,GAAG,UAAU,EAAE;IAY/E,SAAS,CACb,SAAS,EAAE,aAAa,EACxB,WAAW,EAAE,wBAAwB,EACrC,QAAQ,CAAC,EAAE,OAAO,GACjB,OAAO,CAAC,qBAAqB,CAAC;IAoE3B,gBAAgB,CACpB,SAAS,EAAE,aAAa,EACxB,WAAW,EAAE,wBAAwB,EACrC,QAAQ,CAAC,EAAE,OAAO,GACjB,OAAO,CAAC,IAAI,CAAC;IAOhB,OAAO,CAAC,sBAAsB;YAqBhB,cAAc;CAY7B"}

package/dist/lib/core/authorization-service.js

@@ -0,0 +1,125 @@
+import { AuthorizationError } from '../errors.js';
+import { noopLogger } from './logger.js';
+export class AuthorizationService {
+    roles = new Map();
+    policies = new Map();
+    logger;
+    constructor(options = {}) {
+        this.logger = options.logger ?? noopLogger;
+        for (const [role, definition] of Object.entries(options.roles ?? {})) {
+            this.roles.set(role, definition);
+        }
+        for (const [name, policy] of Object.entries(options.policies ?? {})) {
+            this.policies.set(name, policy);
+        }
+    }
+    addRole(role, definition) {
+        this.roles.set(role, definition);
+    }
+    addPolicy(name, policy) {
+        this.policies.set(name, policy);
+    }
+    resolvePermissions(subject) {
+        const resolved = new Set(subject.permissions ?? []);
+        for (const role of subject.roles) {
+            for (const permission of this.resolveRolePermissions(role, new Set())) {
+                resolved.add(permission);
+            }
+        }
+        return Array.from(resolved).sort();
+    }
+    async authorize(principal, requirement, resource) {
+        if (requirement.roles?.length) {
+            const hasRole = requirement.roles.some((role) => principal.roles.includes(role));
+            if (!hasRole) {
+                return {
+                    allowed: false,
+                    reason: 'missing_roles',
+                    missingRoles: requirement.roles.filter((role) => !principal.roles.includes(role)),
+                };
+            }
+        }
+        if (requirement.allOf?.length) {
+            const missingPermissions = requirement.allOf.filter((permission) => !principal.permissions.includes(permission));
+            if (missingPermissions.length > 0) {
+                return {
+                    allowed: false,
+                    reason: 'missing_permissions',
+                    missingPermissions,
+                };
+            }
+        }
+        if (requirement.anyOf?.length) {
+            const hasAnyPermission = requirement.anyOf.some((permission) => principal.permissions.includes(permission));
+            if (!hasAnyPermission) {
+                return {
+                    allowed: false,
+                    reason: 'missing_permissions',
+                    missingPermissions: [...requirement.anyOf],
+                };
+            }
+        }
+        if (requirement.noneOf?.length) {
+            const conflictingPermissions = requirement.noneOf.filter((permission) => principal.permissions.includes(permission));
+            if (conflictingPermissions.length > 0) {
+                return {
+                    allowed: false,
+                    reason: 'missing_permissions',
+                    missingPermissions: conflictingPermissions,
+                };
+            }
+        }
+        if (requirement.policy) {
+            const allowed = await this.evaluatePolicy(requirement.policy, {
+                principal,
+                resource,
+            });
+            if (!allowed) {
+                this.logger.warn('Authorization policy denied access', {
+                    subjectId: principal.subjectId,
+                    sessionId: principal.sessionId,
+                    policy: typeof requirement.policy === 'string' ? requirement.policy : 'inline',
+                });
+                return {
+                    allowed: false,
+                    reason: 'policy_denied',
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    async assertAuthorized(principal, requirement, resource) {
+        const decision = await this.authorize(principal, requirement, resource);
+        if (!decision.allowed) {
+            throw new AuthorizationError('Access denied');
+        }
+    }
+    resolveRolePermissions(role, visited) {
+        if (visited.has(role)) {
+            return [];
+        }
+        visited.add(role);
+        const definition = this.roles.get(role);
+        if (!definition) {
+            return [];
+        }
+        const permissions = new Set(definition.permissions ?? []);
+        for (const inheritedRole of definition.inherits ?? []) {
+            for (const permission of this.resolveRolePermissions(inheritedRole, visited)) {
+                permissions.add(permission);
+            }
+        }
+        return Array.from(permissions);
+    }
+    async evaluatePolicy(policy, context) {
+        if (typeof policy === 'function') {
+            return policy(context);
+        }
+        const handler = this.policies.get(policy);
+        if (!handler) {
+            return false;
+        }
+        return handler(context);
+    }
+}
+//# sourceMappingURL=authorization-service.js.map

package/dist/lib/core/authorization-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-service.js","sourceRoot":"","sources":["../../../src/lib/core/authorization-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAoBzC,MAAM,OAAO,oBAAoB;IACd,KAAK,GAAG,IAAI,GAAG,EAAwB,CAAC;IACxC,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC5C,MAAM,CAAa;IAEpC,YAAY,UAAuC,EAAE;QACnD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAE3C,KAAK,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,CAAC;YACrE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QACnC,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;YACpE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,CAAC,IAAU,EAAE,UAA0B;QAC5C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACnC,CAAC;IAED,SAAS,CAAC,IAAY,EAAE,MAAqB;QAC3C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,kBAAkB,CAAC,OAAmD;QACpE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAa,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC;gBACtE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,SAAS,CACb,SAAwB,EACxB,WAAqC,EACrC,QAAkB;QAElB,IAAI,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YACjF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,eAAe;oBACvB,YAAY,EAAE,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;iBAClF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;YAC9B,MAAM,kBAAkB,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YACjH,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,qBAAqB;oBAC7B,kBAAkB;iBACnB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;YAC9B,MAAM,gBAAgB,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YAC5G,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,qBAAqB;oBAC7B,kBAAkB,EAAE,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC;iBAC3C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YAC/B,MAAM,sBAAsB,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YACrH,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,qBAAqB;oBAC7B,kBAAkB,EAAE,sBAAsB;iBAC3C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,EAAE;gBAC5D,SAAS;gBACT,QAAQ;aACT,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;oBACrD,SAAS,EAAE,SAAS,CAAC,SAAS;oBAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;oBAC9B,MAAM,EAAE,OAAO,WAAW,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;iBAC/E,CAAC,CAAC;gBAEH,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,eAAe;iBACxB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,SAAwB,EACxB,WAAqC,EACrC,QAAkB;QAElB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,MAAM,IAAI,kBAAkB,CAAC,eAAe,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAEO,sBAAsB,CAAC,IAAU,EAAE,OAAkB;QAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAa,UAAU,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACtE,KAAK,MAAM,aAAa,IAAI,UAAU,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACtD,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,sBAAsB,CAAC,aAAa,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC7E,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,MAA8B,EAAE,OAA6B;QACxF,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;IAC1B,CAAC;CACF"}

package/dist/lib/core/create-auth-module.d.ts

@@ -0,0 +1,3 @@
+import type { AuthModule, AuthModuleConfig, CreateAuthModuleOptions } from '../types.js';
+export declare function createAuthModule(overrides: Partial<AuthModuleConfig>, options: CreateAuthModuleOptions): AuthModule;
+//# sourceMappingURL=create-auth-module.d.ts.map

package/dist/lib/core/create-auth-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-auth-module.d.ts","sourceRoot":"","sources":["../../../src/lib/core/create-auth-module.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,UAAU,EACV,gBAAgB,EAKhB,uBAAuB,EAOxB,MAAM,aAAa,CAAC;AAuBrB,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACpC,OAAO,EAAE,uBAAuB,GAC/B,UAAU,CAqMZ"}

package/dist/lib/core/create-auth-module.js

@@ -0,0 +1,177 @@
+import { AuthenticationError, InvalidTokenError } from '../errors.js';
+import { noopLogger, withLoggerContext } from './logger.js';
+import { AuthorizationService } from './authorization-service.js';
+import { createDefaultAuthConfig } from './defaults.js';
+import { SessionService } from './session-service.js';
+import { TokenService } from './token-service.js';
+function toPrincipal(subject, session, accessTokenId, accessTokenExpiresAt, permissions, issuedAt) {
+    return {
+        subjectId: subject.id,
+        login: subject.login,
+        roles: [...subject.roles],
+        permissions,
+        sessionId: session.id,
+        accessTokenId,
+        issuedAt,
+        expiresAt: accessTokenExpiresAt,
+        attributes: subject.attributes,
+    };
+}
+export function createAuthModule(overrides, options) {
+    const config = createDefaultAuthConfig(overrides);
+    const logger = options.logger ?? noopLogger;
+    const authorization = new AuthorizationService({
+        ...options.authorization,
+        logger,
+    });
+    const sessionService = new SessionService({
+        config,
+        sessionStore: options.sessionStore,
+        clock: options.clock,
+        generateId: options.generateId,
+        logger,
+    });
+    const tokenService = new TokenService({
+        config,
+        clock: options.clock,
+        generateId: options.generateId,
+        logger,
+    });
+    const clock = options.clock ?? (() => new Date());
+    async function createRefreshRecord(tokens, sessionId, subjectId) {
+        return {
+            tokenId: tokens.refreshTokenId,
+            sessionId,
+            subjectId,
+            token: tokens.refreshToken,
+            issuedAt: clock(),
+            expiresAt: tokens.refreshTokenExpiresAt,
+            consumedAt: null,
+            revokedAt: null,
+            replacedByTokenId: null,
+        };
+    }
+    async function login(input) {
+        const subject = await options.identityProvider.verifyCredentials(input);
+        if (!subject) {
+            throw new AuthenticationError('Invalid credentials', 'INVALID_CREDENTIALS');
+        }
+        const childLogger = withLoggerContext(logger, {
+            subjectId: subject.id,
+            login: subject.login,
+        });
+        const permissions = authorization.resolvePermissions(subject);
+        const session = await sessionService.createSession(subject.id, {
+            ipAddress: input.ipAddress,
+            userAgent: input.userAgent,
+            metadata: input.metadata,
+        });
+        const tokens = tokenService.issueTokenPair(subject, session.id, permissions);
+        await options.refreshTokenStore.save(await createRefreshRecord(tokens, session.id, subject.id));
+        childLogger.info('Login succeeded', {
+            sessionId: session.id,
+            accessTokenId: tokens.accessTokenId,
+            refreshTokenId: tokens.refreshTokenId,
+        });
+        return {
+            subject,
+            session,
+            tokens,
+            principal: toPrincipal(subject, session, tokens.accessTokenId, tokens.accessTokenExpiresAt, permissions, new Date(tokens.accessTokenExpiresAt.getTime() - config.accessTokenTtlSeconds * 1000)),
+        };
+    }
+    async function refresh(input) {
+        const claims = tokenService.verifyRefreshToken(input.refreshToken);
+        const existingRecord = await options.refreshTokenStore.get(claims.jti);
+        if (!existingRecord ||
+            existingRecord.token !== input.refreshToken ||
+            existingRecord.revokedAt ||
+            existingRecord.consumedAt ||
+            existingRecord.expiresAt.getTime() <= clock().getTime()) {
+            throw new InvalidTokenError('Refresh token is invalid or already used');
+        }
+        const session = await sessionService.assertActiveSession(claims.sid);
+        const subject = await options.identityProvider.getSubjectById(claims.sub);
+        if (!subject) {
+            throw new InvalidTokenError('Refresh token subject no longer exists');
+        }
+        const permissions = authorization.resolvePermissions(subject);
+        const tokens = tokenService.issueTokenPair(subject, session.id, permissions);
+        await options.refreshTokenStore.save({
+            ...existingRecord,
+            consumedAt: clock(),
+            revokedAt: clock(),
+            replacedByTokenId: tokens.refreshTokenId,
+        });
+        await options.refreshTokenStore.save(await createRefreshRecord(tokens, session.id, subject.id));
+        logger.info('Refresh succeeded', {
+            subjectId: subject.id,
+            sessionId: session.id,
+            previousRefreshTokenId: existingRecord.tokenId,
+            nextRefreshTokenId: tokens.refreshTokenId,
+        });
+        return {
+            subject,
+            session,
+            tokens,
+            principal: toPrincipal(subject, session, tokens.accessTokenId, tokens.accessTokenExpiresAt, permissions, new Date(tokens.accessTokenExpiresAt.getTime() - config.accessTokenTtlSeconds * 1000)),
+        };
+    }
+    async function logoutSession(sessionId) {
+        await options.refreshTokenStore.revokeBySession(sessionId);
+        await sessionService.revokeSession(sessionId);
+    }
+    async function logoutByRefreshToken(refreshToken) {
+        try {
+            const claims = tokenService.verifyRefreshToken(refreshToken);
+            await logoutSession(claims.sid);
+        }
+        catch {
+            return;
+        }
+    }
+    async function logoutAll(subjectId) {
+        const sessions = await sessionService.listSessionsForSubject(subjectId);
+        for (const session of sessions) {
+            await options.refreshTokenStore.revokeBySession(session.id);
+        }
+        return sessionService.revokeAllSessionsForSubject(subjectId);
+    }
+    async function authenticateAccessToken(token) {
+        const claims = tokenService.verifyAccessToken(token);
+        await sessionService.assertActiveSession(claims.sid);
+        return {
+            subjectId: claims.sub,
+            login: claims.login,
+            roles: claims.roles,
+            permissions: claims.permissions,
+            sessionId: claims.sid,
+            accessTokenId: claims.jti,
+            issuedAt: new Date(claims.iat * 1000),
+            expiresAt: new Date(claims.exp * 1000),
+            attributes: claims.attributes,
+        };
+    }
+    async function getSession(sessionId) {
+        return sessionService.getSession(sessionId);
+    }
+    async function listSessions(subjectId) {
+        return sessionService.listSessionsForSubject(subjectId);
+    }
+    async function authorize(principal, requirement, resource) {
+        return authorization.authorize(principal, requirement, resource);
+    }
+    return {
+        config,
+        login,
+        refresh,
+        logoutSession,
+        logoutByRefreshToken,
+        logoutAll,
+        authenticateAccessToken,
+        getSession,
+        listSessions,
+        authorize,
+    };
+}
+//# sourceMappingURL=create-auth-module.js.map