@joethebigbuddy/auth 0.0.1

package/dist/lib/core/create-auth-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-auth-module.js","sourceRoot":"","sources":["../../../src/lib/core/create-auth-module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAiBlD,SAAS,WAAW,CAClB,OAAoB,EACpB,OAAsB,EACtB,aAAqB,EACrB,oBAA0B,EAC1B,WAAqB,EACrB,QAAc;IAEd,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;QACzB,WAAW;QACX,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,aAAa;QACb,QAAQ;QACR,SAAS,EAAE,oBAAoB;QAC/B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,SAAoC,EACpC,OAAgC;IAEhC,MAAM,MAAM,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC5C,MAAM,aAAa,GAAG,IAAI,oBAAoB,CAAC;QAC7C,GAAG,OAAO,CAAC,aAAa;QACxB,MAAM;KACP,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC;QACxC,MAAM;QACN,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,MAAM;KACP,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,MAAM;QACN,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,MAAM;KACP,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAElD,KAAK,UAAU,mBAAmB,CAAC,MAAuD,EAAE,SAAiB,EAAE,SAAiB;QAC9H,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,cAAc;YAC9B,SAAS;YACT,SAAS;YACT,KAAK,EAAE,MAAM,CAAC,YAAY;YAC1B,QAAQ,EAAE,KAAK,EAAE;YACjB,SAAS,EAAE,MAAM,CAAC,qBAAqB;YACvC,UAAU,EAAE,IAAI;YAChB,SAAS,EAAE,IAAI;YACf,iBAAiB,EAAE,IAAI;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,KAAK,CAAC,KAAiB;QACpC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACxE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,mBAAmB,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,MAAM,EAAE;YAC5C,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,aAAa,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,EAAE;YAC7D,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;SACzB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QAC7E,MAAM,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,MAAM,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QAEhG,WAAW,CAAC,IAAI,CAAC,iBAAiB,EAAE;YAClC,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO;YACP,OAAO;YACP,MAAM;YACN,SAAS,EAAE,WAAW,CACpB,OAAO,EACP,OAAO,EACP,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,oBAAoB,EAC3B,WAAW,EACX,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC,CACtF;SACF,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,OAAO,CAAC,KAAmB;QACxC,MAAM,MAAM,GAAG,YAAY,CAAC,kBAAkB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACnE,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEvE,IACE,CAAC,cAAc;YACf,cAAc,CAAC,KAAK,KAAK,KAAK,CAAC,YAAY;YAC3C,cAAc,CAAC,SAAS;YACxB,cAAc,CAAC,UAAU;YACzB,cAAc,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,KAAK,EAAE,CAAC,OAAO,EAAE,EACvD,CAAC;YACD,MAAM,IAAI,iBAAiB,CAAC,0CAA0C,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,WAAW,GAAG,aAAa,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QAE7E,MAAM,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC;YACnC,GAAG,cAAc;YACjB,UAAU,EAAE,KAAK,EAAE;YACnB,SAAS,EAAE,KAAK,EAAE;YAClB,iBAAiB,EAAE,MAAM,CAAC,cAAc;SACzC,CAAC,CAAC;QACH,MAAM,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,MAAM,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QAEhG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE;YAC/B,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,sBAAsB,EAAE,cAAc,CAAC,OAAO;YAC9C,kBAAkB,EAAE,MAAM,CAAC,cAAc;SAC1C,CAAC,CAAC;QAEH,OAAO;YACL,OAAO;YACP,OAAO;YACP,MAAM;YACN,SAAS,EAAE,WAAW,CACpB,OAAO,EACP,OAAO,EACP,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,oBAAoB,EAC3B,WAAW,EACX,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC,CACtF;SACF,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,SAAiB;QAC5C,MAAM,OAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,cAAc,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,YAAoB;QACtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;YAC7D,MAAM,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;IACH,CAAC;IAED,KAAK,UAAU,SAAS,CAAC,SAAiB;QACxC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACxE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,OAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,cAAc,CAAC,2BAA2B,CAAC,SAAS,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,UAAU,uBAAuB,CAAC,KAAa;QAClD,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,cAAc,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAErD,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,GAAG;YACrB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,GAAG;YACrB,aAAa,EAAE,MAAM,CAAC,GAAG;YACzB,QAAQ,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;YACrC,SAAS,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;YACtC,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,UAAU,CAAC,SAAiB;QACzC,OAAO,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,SAAiB;QAC3C,OAAO,cAAc,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,UAAU,SAAS,CACtB,SAAwB,EACxB,WAAqC,EACrC,QAAkB;QAElB,OAAO,aAAa,CAAC,SAAS,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IACnE,CAAC;IAED,OAAO;QACL,MAAM;QACN,KAAK;QACL,OAAO;QACP,aAAa;QACb,oBAAoB;QACpB,SAAS;QACT,uBAAuB;QACvB,UAAU;QACV,YAAY;QACZ,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/lib/core/defaults.d.ts

@@ -0,0 +1,4 @@
+import type { AuthModuleConfig } from '../types.js';
+export declare function createDefaultAuthConfig(overrides?: Partial<AuthModuleConfig>): AuthModuleConfig;
+export declare function validateAuthModuleConfig(config: AuthModuleConfig): void;
+//# sourceMappingURL=defaults.d.ts.map

package/dist/lib/core/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../../src/lib/core/defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAcpD,wBAAgB,uBAAuB,CAAC,SAAS,GAAE,OAAO,CAAC,gBAAgB,CAAM,GAAG,gBAAgB,CAYnG;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,CA4BvE"}

package/dist/lib/core/defaults.js

@@ -0,0 +1,50 @@
+import { ConfigurationError } from '../errors.js';
+const defaultConfig = {
+    issuer: '@joethebigbuddy/auth',
+    audience: 'authenticated-client',
+    accessTokenTtlSeconds: 15 * 60,
+    refreshTokenTtlSeconds: 7 * 24 * 60 * 60,
+    sessionTtlSeconds: 7 * 24 * 60 * 60,
+    allowSessionExtension: true,
+    signing: {
+        algorithm: 'HS256',
+    },
+};
+export function createDefaultAuthConfig(overrides = {}) {
+    const config = {
+        ...defaultConfig,
+        ...overrides,
+        signing: {
+            ...defaultConfig.signing,
+            ...overrides.signing,
+        },
+    };
+    validateAuthModuleConfig(config);
+    return config;
+}
+export function validateAuthModuleConfig(config) {
+    if (!config.issuer) {
+        throw new ConfigurationError('Auth issuer is required');
+    }
+    if (!config.audience) {
+        throw new ConfigurationError('Auth audience is required');
+    }
+    for (const [name, value] of [
+        ['accessTokenTtlSeconds', config.accessTokenTtlSeconds],
+        ['refreshTokenTtlSeconds', config.refreshTokenTtlSeconds],
+        ['sessionTtlSeconds', config.sessionTtlSeconds],
+    ]) {
+        if (!Number.isFinite(value) || value <= 0) {
+            throw new ConfigurationError(`${name} must be a positive number`);
+        }
+    }
+    if (config.signing.algorithm === 'HS256' && !config.signing.secret) {
+        throw new ConfigurationError('HS256 signing requires a secret');
+    }
+    if (config.signing.algorithm === 'RS256') {
+        if (!config.signing.privateKey || !config.signing.publicKey) {
+            throw new ConfigurationError('RS256 signing requires both privateKey and publicKey');
+        }
+    }
+}
+//# sourceMappingURL=defaults.js.map

package/dist/lib/core/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../../src/lib/core/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,MAAM,aAAa,GAAqB;IACtC,MAAM,EAAE,sBAAsB;IAC9B,QAAQ,EAAE,sBAAsB;IAChC,qBAAqB,EAAE,EAAE,GAAG,EAAE;IAC9B,sBAAsB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;IACxC,iBAAiB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;IACnC,qBAAqB,EAAE,IAAI;IAC3B,OAAO,EAAE;QACP,SAAS,EAAE,OAAO;KACnB;CACF,CAAC;AAEF,MAAM,UAAU,uBAAuB,CAAC,YAAuC,EAAE;IAC/E,MAAM,MAAM,GAAqB;QAC/B,GAAG,aAAa;QAChB,GAAG,SAAS;QACZ,OAAO,EAAE;YACP,GAAG,aAAa,CAAC,OAAO;YACxB,GAAG,SAAS,CAAC,OAAO;SACrB;KACF,CAAC;IAEF,wBAAwB,CAAC,MAAM,CAAC,CAAC;IACjC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAwB;IAC/D,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,IAAI,kBAAkB,CAAC,yBAAyB,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI;QAC1B,CAAC,uBAAuB,EAAE,MAAM,CAAC,qBAAqB,CAAC;QACvD,CAAC,wBAAwB,EAAE,MAAM,CAAC,sBAAsB,CAAC;QACzD,CAAC,mBAAmB,EAAE,MAAM,CAAC,iBAAiB,CAAC;KACvC,EAAE,CAAC;QACX,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,kBAAkB,CAAC,GAAG,IAAI,4BAA4B,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,IAAI,kBAAkB,CAAC,iCAAiC,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAC5D,MAAM,IAAI,kBAAkB,CAAC,sDAAsD,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/lib/core/logger.d.ts

@@ -0,0 +1,4 @@
+import type { LoggerPort } from '../ports.js';
+export declare const noopLogger: LoggerPort;
+export declare function withLoggerContext(logger: LoggerPort, fields: Record<string, unknown>): LoggerPort;
+//# sourceMappingURL=logger.d.ts.map

package/dist/lib/core/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/lib/core/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAY9C,eAAO,MAAM,UAAU,EAAE,UAA6B,CAAC;AAEvD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU,CAEjG"}

package/dist/lib/core/logger.js

@@ -0,0 +1,14 @@
+class NoopLogger {
+    debug() { }
+    info() { }
+    warn() { }
+    error() { }
+    child() {
+        return this;
+    }
+}
+export const noopLogger = new NoopLogger();
+export function withLoggerContext(logger, fields) {
+    return logger.child ? logger.child(fields) : logger;
+}
+//# sourceMappingURL=logger.js.map

package/dist/lib/core/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/lib/core/logger.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU;IACd,KAAK,KAAU,CAAC;IAChB,IAAI,KAAU,CAAC;IACf,IAAI,KAAU,CAAC;IACf,KAAK,KAAU,CAAC;IAChB,KAAK;QACH,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,MAAM,CAAC,MAAM,UAAU,GAAe,IAAI,UAAU,EAAE,CAAC;AAEvD,MAAM,UAAU,iBAAiB,CAAC,MAAkB,EAAE,MAA+B;IACnF,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;AACtD,CAAC"}

package/dist/lib/core/session-service.d.ts

@@ -0,0 +1,33 @@
+import type { Clock, IdGenerator, LoggerPort, SessionStore } from '../ports.js';
+import type { AuthModuleConfig, SessionRecord } from '../types.js';
+export interface SessionServiceOptions {
+    config: Pick<AuthModuleConfig, 'sessionTtlSeconds' | 'allowSessionExtension'>;
+    sessionStore: SessionStore;
+    clock?: Clock;
+    generateId?: IdGenerator;
+    logger?: LoggerPort;
+}
+export declare class SessionService {
+    private readonly sessionTtlMs;
+    private readonly allowSessionExtension;
+    private readonly sessionStore;
+    private readonly clock;
+    private readonly generateId;
+    private readonly logger;
+    constructor(options: SessionServiceOptions);
+    createSession(subjectId: string, context?: {
+        ipAddress?: string;
+        userAgent?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<SessionRecord>;
+    getSession(sessionId: string): Promise<SessionRecord | null>;
+    assertActiveSession(sessionId: string, options?: {
+        touch?: boolean;
+    }): Promise<SessionRecord>;
+    touchSession(sessionOrId: SessionRecord | string): Promise<SessionRecord>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllSessionsForSubject(subjectId: string): Promise<number>;
+    listSessionsForSubject(subjectId: string): Promise<SessionRecord[]>;
+    private isInactive;
+}
+//# sourceMappingURL=session-service.d.ts.map

package/dist/lib/core/session-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-service.d.ts","sourceRoot":"","sources":["../../../src/lib/core/session-service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEnE,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,mBAAmB,GAAG,uBAAuB,CAAC,CAAC;IAC9E,YAAY,EAAE,YAAY,CAAC;IAC3B,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,UAAU,CAAC,EAAE,WAAW,CAAC;IACzB,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAU;IAChD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAc;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;gBAExB,OAAO,EAAE,qBAAqB;IASpC,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE;QACP,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAC/B,GACL,OAAO,CAAC,aAAa,CAAC;IAsBnB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAa5D,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAO,GAAG,OAAO,CAAC,aAAa,CAAC;IAmBjG,YAAY,CAAC,WAAW,EAAE,aAAa,GAAG,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAkBzE,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK/C,2BAA2B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAM/D,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAMzE,OAAO,CAAC,UAAU;CAGnB"}

package/dist/lib/core/session-service.js

@@ -0,0 +1,96 @@
+import { randomUUID } from 'node:crypto';
+import { SessionExpiredError } from '../errors.js';
+import { noopLogger } from './logger.js';
+export class SessionService {
+    sessionTtlMs;
+    allowSessionExtension;
+    sessionStore;
+    clock;
+    generateId;
+    logger;
+    constructor(options) {
+        this.sessionTtlMs = options.config.sessionTtlSeconds * 1000;
+        this.allowSessionExtension = options.config.allowSessionExtension;
+        this.sessionStore = options.sessionStore;
+        this.clock = options.clock ?? (() => new Date());
+        this.generateId = options.generateId ?? randomUUID;
+        this.logger = options.logger ?? noopLogger;
+    }
+    async createSession(subjectId, context = {}) {
+        const now = this.clock();
+        const session = {
+            id: this.generateId(),
+            subjectId,
+            createdAt: now,
+            expiresAt: new Date(now.getTime() + this.sessionTtlMs),
+            lastSeenAt: now,
+            ipAddress: context.ipAddress,
+            userAgent: context.userAgent,
+            revokedAt: null,
+            metadata: context.metadata,
+        };
+        await this.sessionStore.create(session);
+        this.logger.info('Session created', {
+            subjectId,
+            sessionId: session.id,
+        });
+        return session;
+    }
+    async getSession(sessionId) {
+        const session = await this.sessionStore.get(sessionId);
+        if (!session) {
+            return null;
+        }
+        if (this.isInactive(session, this.clock())) {
+            return null;
+        }
+        return session;
+    }
+    async assertActiveSession(sessionId, options = {}) {
+        const session = await this.sessionStore.get(sessionId);
+        const now = this.clock();
+        if (!session || this.isInactive(session, now)) {
+            if (session) {
+                await this.revokeSession(session.id);
+            }
+            throw new SessionExpiredError();
+        }
+        if (options.touch !== false) {
+            return this.touchSession(session);
+        }
+        return session;
+    }
+    async touchSession(sessionOrId) {
+        const session = typeof sessionOrId === 'string'
+            ? await this.assertActiveSession(sessionOrId, { touch: false })
+            : sessionOrId;
+        const now = this.clock();
+        const updated = {
+            ...session,
+            lastSeenAt: now,
+            expiresAt: this.allowSessionExtension
+                ? new Date(now.getTime() + this.sessionTtlMs)
+                : session.expiresAt,
+        };
+        await this.sessionStore.update(updated);
+        return updated;
+    }
+    async revokeSession(sessionId) {
+        await this.sessionStore.delete(sessionId);
+        this.logger.info('Session revoked', { sessionId });
+    }
+    async revokeAllSessionsForSubject(subjectId) {
+        const count = await this.sessionStore.deleteBySubject(subjectId);
+        this.logger.info('All sessions revoked for subject', { subjectId, count });
+        return count;
+    }
+    async listSessionsForSubject(subjectId) {
+        const now = this.clock();
+        const sessions = await this.sessionStore.listBySubject(subjectId);
+        return sessions.filter((session) => !this.isInactive(session, now));
+    }
+    isInactive(session, now) {
+        return Boolean(session.revokedAt) || session.expiresAt.getTime() <= now.getTime();
+    }
+}
+//# sourceMappingURL=session-service.js.map

package/dist/lib/core/session-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-service.js","sourceRoot":"","sources":["../../../src/lib/core/session-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAYzC,MAAM,OAAO,cAAc;IACR,YAAY,CAAS;IACrB,qBAAqB,CAAU;IAC/B,YAAY,CAAe;IAC3B,KAAK,CAAQ;IACb,UAAU,CAAc;IACxB,MAAM,CAAa;IAEpC,YAAY,OAA8B;QACxC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,iBAAiB,GAAG,IAAI,CAAC;QAC5D,IAAI,CAAC,qBAAqB,GAAG,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC;QAClE,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,UAAU,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,UAII,EAAE;QAEN,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAkB;YAC7B,EAAE,EAAE,IAAI,CAAC,UAAU,EAAE;YACrB,SAAS;YACT,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC;YACtD,UAAU,EAAE,GAAG;YACf,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC;QAEF,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE;YAClC,SAAS;YACT,SAAS,EAAE,OAAO,CAAC,EAAE;SACtB,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,SAAiB,EAAE,UAA+B,EAAE;QAC5E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAEzB,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;YAC9C,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACvC,CAAC;YAED,MAAM,IAAI,mBAAmB,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAAmC;QACpD,MAAM,OAAO,GAAG,OAAO,WAAW,KAAK,QAAQ;YAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;YAC/D,CAAC,CAAC,WAAW,CAAC;QAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAkB;YAC7B,GAAG,OAAO;YACV,UAAU,EAAE,GAAG;YACf,SAAS,EAAE,IAAI,CAAC,qBAAqB;gBACnC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC;gBAC7C,CAAC,CAAC,OAAO,CAAC,SAAS;SACtB,CAAC;QAEF,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,2BAA2B,CAAC,SAAiB;QACjD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,SAAiB;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IACtE,CAAC;IAEO,UAAU,CAAC,OAAsB,EAAE,GAAS;QAClD,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;IACpF,CAAC;CACF"}

package/dist/lib/core/token-service.d.ts

@@ -0,0 +1,22 @@
+import type { Clock, IdGenerator, LoggerPort } from '../ports.js';
+import type { AccessTokenClaims, AuthModuleConfig, AuthSubject, AuthTokens, Permission, RefreshTokenClaims } from '../types.js';
+export interface TokenServiceOptions {
+    config: AuthModuleConfig;
+    clock?: Clock;
+    generateId?: IdGenerator;
+    logger?: LoggerPort;
+}
+export declare class TokenService {
+    private readonly config;
+    private readonly clock;
+    private readonly generateId;
+    private readonly logger;
+    constructor(options: TokenServiceOptions);
+    issueTokenPair(subject: AuthSubject, sessionId: string, permissions: Permission[]): AuthTokens;
+    verifyAccessToken(token: string): AccessTokenClaims;
+    verifyRefreshToken(token: string): RefreshTokenClaims;
+    private verify;
+    private getSigningKey;
+    private getVerificationKey;
+}
+//# sourceMappingURL=token-service.d.ts.map

package/dist/lib/core/token-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.d.ts","sourceRoot":"","sources":["../../../src/lib/core/token-service.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,UAAU,EACV,kBAAkB,EACnB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,gBAAgB,CAAC;IACzB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,UAAU,CAAC,EAAE,WAAW,CAAC;IACzB,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;IAC1C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAc;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;gBAExB,OAAO,EAAE,mBAAmB;IAOxC,cAAc,CAAC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,UAAU;IAkE9F,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB;IAQnD,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,kBAAkB;IAQrD,OAAO,CAAC,MAAM;IAgBd,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,kBAAkB;CAO3B"}

package/dist/lib/core/token-service.js

@@ -0,0 +1,111 @@
+import { randomUUID } from 'node:crypto';
+import jwt from 'jsonwebtoken';
+import { InvalidTokenError } from '../errors.js';
+import { noopLogger } from './logger.js';
+export class TokenService {
+    config;
+    clock;
+    generateId;
+    logger;
+    constructor(options) {
+        this.config = options.config;
+        this.clock = options.clock ?? (() => new Date());
+        this.generateId = options.generateId ?? randomUUID;
+        this.logger = options.logger ?? noopLogger;
+    }
+    issueTokenPair(subject, sessionId, permissions) {
+        const issuedAt = Math.floor(this.clock().getTime() / 1000);
+        const accessTokenId = this.generateId();
+        const refreshTokenId = this.generateId();
+        const accessToken = jwt.sign({
+            sub: subject.id,
+            sid: sessionId,
+            login: subject.login,
+            roles: subject.roles,
+            permissions,
+            typ: 'access',
+            jti: accessTokenId,
+            iat: issuedAt,
+            attributes: subject.attributes,
+        }, this.getSigningKey(), {
+            algorithm: this.config.signing.algorithm,
+            issuer: this.config.issuer,
+            audience: this.config.audience,
+            expiresIn: this.config.accessTokenTtlSeconds,
+            noTimestamp: true,
+        });
+        const refreshToken = jwt.sign({
+            sub: subject.id,
+            sid: sessionId,
+            typ: 'refresh',
+            jti: refreshTokenId,
+            iat: issuedAt,
+        }, this.getSigningKey(), {
+            algorithm: this.config.signing.algorithm,
+            issuer: this.config.issuer,
+            audience: this.config.audience,
+            expiresIn: this.config.refreshTokenTtlSeconds,
+            noTimestamp: true,
+        });
+        const accessTokenExpiresAt = new Date((issuedAt + this.config.accessTokenTtlSeconds) * 1000);
+        const refreshTokenExpiresAt = new Date((issuedAt + this.config.refreshTokenTtlSeconds) * 1000);
+        this.logger.info('Token pair issued', {
+            subjectId: subject.id,
+            sessionId,
+            accessTokenId,
+            refreshTokenId,
+        });
+        return {
+            accessToken,
+            refreshToken,
+            tokenType: 'Bearer',
+            accessTokenExpiresAt,
+            refreshTokenExpiresAt,
+            accessTokenId,
+            refreshTokenId,
+        };
+    }
+    verifyAccessToken(token) {
+        const payload = this.verify(token);
+        if (payload.typ !== 'access' || !payload.login || !payload.sid) {
+            throw new InvalidTokenError('Invalid access token');
+        }
+        return payload;
+    }
+    verifyRefreshToken(token) {
+        const payload = this.verify(token);
+        if (payload.typ !== 'refresh' || !payload.sid) {
+            throw new InvalidTokenError('Invalid refresh token');
+        }
+        return payload;
+    }
+    verify(token) {
+        try {
+            return jwt.verify(token, this.getVerificationKey(), {
+                algorithms: [this.config.signing.algorithm],
+                issuer: this.config.issuer,
+                audience: this.config.audience,
+                clockTimestamp: Math.floor(this.clock().getTime() / 1000),
+            });
+        }
+        catch (error) {
+            this.logger.warn('Token verification failed', {
+                err: error,
+            });
+            throw new InvalidTokenError();
+        }
+    }
+    getSigningKey() {
+        if (this.config.signing.algorithm === 'RS256') {
+            return this.config.signing.privateKey;
+        }
+        return this.config.signing.secret;
+    }
+    getVerificationKey() {
+        if (this.config.signing.algorithm === 'RS256') {
+            return this.config.signing.publicKey;
+        }
+        return this.config.signing.secret;
+    }
+}
+//# sourceMappingURL=token-service.js.map

package/dist/lib/core/token-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.js","sourceRoot":"","sources":["../../../src/lib/core/token-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkBzC,MAAM,OAAO,YAAY;IACN,MAAM,CAAmB;IACzB,KAAK,CAAQ;IACb,UAAU,CAAc;IACxB,MAAM,CAAa;IAEpC,YAAY,OAA4B;QACtC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,UAAU,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC7C,CAAC;IAED,cAAc,CAAC,OAAoB,EAAE,SAAiB,EAAE,WAAyB;QAC/E,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAEzC,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAC1B;YACE,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,SAAS;YACd,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,WAAW;YACX,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,aAAa;YAClB,GAAG,EAAE,QAAQ;YACb,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,EACD,IAAI,CAAC,aAAa,EAAE,EACpB;YACE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS;YACxC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB;YAC5C,WAAW,EAAE,IAAI;SAClB,CACF,CAAC;QAEF,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAC3B;YACE,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,cAAc;YACnB,GAAG,EAAE,QAAQ;SACd,EACD,IAAI,CAAC,aAAa,EAAE,EACpB;YACE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS;YACxC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB;YAC7C,WAAW,EAAE,IAAI;SAClB,CACF,CAAC;QAEF,MAAM,oBAAoB,GAAG,IAAI,IAAI,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7F,MAAM,qBAAqB,GAAG,IAAI,IAAI,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,CAAC;QAE/F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE;YACpC,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,SAAS;YACT,aAAa;YACb,cAAc;SACf,CAAC,CAAC;QAEH,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,QAAQ;YACnB,oBAAoB;YACpB,qBAAqB;YACrB,aAAa;YACb,cAAc;SACf,CAAC;IACJ,CAAC;IAED,iBAAiB,CAAC,KAAa;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAsB,CAAC;QACxD,IAAI,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC/D,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,kBAAkB,CAAC,KAAa;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAuB,CAAC;QACzD,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC9C,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,MAAM,CAAC,KAAa;QAC1B,IAAI,CAAC;YACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,kBAAkB,EAAE,EAAE;gBAClD,UAAU,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;gBAC3C,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC9B,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;aAC1D,CAAmB,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;gBAC5C,GAAG,EAAE,KAAK;aACX,CAAC,CAAC;YACH,MAAM,IAAI,iBAAiB,EAAE,CAAC;QAChC,CAAC;IACH,CAAC;IAEO,aAAa;QACnB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,UAAW,CAAC;QACzC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAO,CAAC;IACrC,CAAC;IAEO,kBAAkB;QACxB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAU,CAAC;QACxC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAO,CAAC;IACrC,CAAC;CACF"}

package/dist/lib/errors.d.ts

@@ -0,0 +1,21 @@
+export declare class AuthError extends Error {
+    readonly code: string;
+    readonly statusCode: number;
+    constructor(message: string, code: string, statusCode: number);
+}
+export declare class ConfigurationError extends AuthError {
+    constructor(message: string);
+}
+export declare class AuthenticationError extends AuthError {
+    constructor(message: string, code?: string);
+}
+export declare class AuthorizationError extends AuthError {
+    constructor(message: string, code?: string);
+}
+export declare class InvalidTokenError extends AuthenticationError {
+    constructor(message?: string);
+}
+export declare class SessionExpiredError extends AuthenticationError {
+    constructor(message?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/lib/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/lib/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;aAGhB,IAAI,EAAE,MAAM;aACZ,UAAU,EAAE,MAAM;gBAFlC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM;CAKrC;AAED,qBAAa,kBAAmB,SAAQ,SAAS;gBACnC,OAAO,EAAE,MAAM;CAG5B;AAED,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAA+B;CAGnE;AAED,qBAAa,kBAAmB,SAAQ,SAAS;gBACnC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAA8B;CAGlE;AAED,qBAAa,iBAAkB,SAAQ,mBAAmB;gBAC5C,OAAO,GAAE,MAAwB;CAG9C;AAED,qBAAa,mBAAoB,SAAQ,mBAAmB;gBAC9C,OAAO,GAAE,MAA0B;CAGhD"}

package/dist/lib/errors.js

@@ -0,0 +1,36 @@
+export class AuthError extends Error {
+    code;
+    statusCode;
+    constructor(message, code, statusCode) {
+        super(message);
+        this.code = code;
+        this.statusCode = statusCode;
+        this.name = new.target.name;
+    }
+}
+export class ConfigurationError extends AuthError {
+    constructor(message) {
+        super(message, 'CONFIGURATION_ERROR', 500);
+    }
+}
+export class AuthenticationError extends AuthError {
+    constructor(message, code = 'AUTHENTICATION_ERROR') {
+        super(message, code, 401);
+    }
+}
+export class AuthorizationError extends AuthError {
+    constructor(message, code = 'AUTHORIZATION_ERROR') {
+        super(message, code, 403);
+    }
+}
+export class InvalidTokenError extends AuthenticationError {
+    constructor(message = 'Invalid token') {
+        super(message, 'INVALID_TOKEN');
+    }
+}
+export class SessionExpiredError extends AuthenticationError {
+    constructor(message = 'Session expired') {
+        super(message, 'SESSION_EXPIRED');
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/lib/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/lib/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAGhB;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,UAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QACZ,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC/C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;IAC7C,CAAC;CACF;AAED,MAAM,OAAO,mBAAoB,SAAQ,SAAS;IAChD,YAAY,OAAe,EAAE,OAAe,sBAAsB;QAChE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC/C,YAAY,OAAe,EAAE,OAAe,qBAAqB;QAC/D,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,mBAAmB;IACxD,YAAY,UAAkB,eAAe;QAC3C,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,mBAAoB,SAAQ,mBAAmB;IAC1D,YAAY,UAAkB,iBAAiB;QAC7C,KAAK,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IACpC,CAAC;CACF"}

package/dist/lib/ports.d.ts

@@ -0,0 +1,32 @@
+import type { AuthSubject, LoginInput, RefreshTokenRecord, SessionRecord } from './types.js';
+export interface IdentityProvider {
+    verifyCredentials(input: LoginInput): Promise<AuthSubject | null>;
+    getSubjectById(subjectId: string): Promise<AuthSubject | null>;
+}
+export interface SessionStore {
+    create(session: SessionRecord): Promise<void>;
+    get(sessionId: string): Promise<SessionRecord | null>;
+    update(session: SessionRecord): Promise<void>;
+    delete(sessionId: string): Promise<void>;
+    deleteBySubject(subjectId: string): Promise<number>;
+    listBySubject(subjectId: string): Promise<SessionRecord[]>;
+}
+export interface RefreshTokenStore {
+    save(record: RefreshTokenRecord): Promise<void>;
+    get(tokenId: string): Promise<RefreshTokenRecord | null>;
+    revoke(tokenId: string): Promise<void>;
+    revokeBySession(sessionId: string): Promise<number>;
+}
+export interface PasswordVerifier {
+    verify(plainText: string, passwordHash: string): Promise<boolean>;
+}
+export interface LoggerPort {
+    debug(message: string, fields?: Record<string, unknown>): void;
+    info(message: string, fields?: Record<string, unknown>): void;
+    warn(message: string, fields?: Record<string, unknown>): void;
+    error(message: string, fields?: Record<string, unknown>): void;
+    child?(fields: Record<string, unknown>): LoggerPort;
+}
+export type Clock = () => Date;
+export type IdGenerator = () => string;
+//# sourceMappingURL=ports.d.ts.map

package/dist/lib/ports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../../src/lib/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE7F,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAClE,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IACtD,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACzD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACnE;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC9D,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC/D,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU,CAAC;CACrD;AAED,MAAM,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC;AAC/B,MAAM,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC"}

package/dist/lib/ports.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ports.js.map

package/dist/lib/ports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.js","sourceRoot":"","sources":["../../src/lib/ports.ts"],"names":[],"mappings":""}