@mantajs/core 0.1.7 → 0.2.0-beta.1

package/dist/auth/auth-module-service.js

@@ -0,0 +1,210 @@
+// AuthModuleService — manages auth identities, provider identities, and delegates to providers.
+// ISO Medusa V2's AuthModuleService interface.
+import { MantaError } from '../errors/manta-error.js';
+export class AuthModuleService {
+    authIdentityRepo;
+    providerIdentityRepo;
+    providers = new Map();
+    cache;
+    constructor(deps) {
+        this.authIdentityRepo = deps.authIdentityRepository;
+        this.providerIdentityRepo = deps.providerIdentityRepository;
+        this.cache = deps.cache;
+    }
+    // --- Provider management ---
+    registerProvider(id, provider) {
+        this.providers.set(id, provider);
+    }
+    getProvider(id) {
+        const provider = this.providers.get(id);
+        if (!provider)
+            throw new MantaError('NOT_FOUND', `Auth provider "${id}" not registered`);
+        return provider;
+    }
+    // --- Authentication ---
+    async authenticate(provider, data) {
+        const authProvider = this.getProvider(provider);
+        return authProvider.authenticate(data, this.createProviderService(provider));
+    }
+    async register(provider, data) {
+        const authProvider = this.getProvider(provider);
+        return authProvider.register(data, this.createProviderService(provider));
+    }
+    async update(provider, data) {
+        const authProvider = this.getProvider(provider);
+        if (!authProvider.update) {
+            return { success: false, error: `Provider "${provider}" does not support updates` };
+        }
+        return authProvider.update(data, this.createProviderService(provider));
+    }
+    async validateCallback(provider, data) {
+        const authProvider = this.getProvider(provider);
+        if (!authProvider.validateCallback) {
+            return { success: false, error: `Provider "${provider}" does not support callbacks` };
+        }
+        return authProvider.validateCallback(data, this.createProviderService(provider));
+    }
+    // --- AuthIdentity CRUD ---
+    async createAuthIdentity(data) {
+        const [created] = (await this.authIdentityRepo.create([
+            {
+                app_metadata: data.app_metadata ?? {},
+            },
+        ]));
+        return created;
+    }
+    async retrieveAuthIdentity(id) {
+        const results = (await this.authIdentityRepo.find({ where: { id } }));
+        if (results.length === 0)
+            throw new MantaError('NOT_FOUND', `AuthIdentity "${id}" not found`);
+        // Load provider identities
+        const providerIdentities = (await this.providerIdentityRepo.find({
+            where: { auth_identity_id: id },
+        }));
+        return { ...results[0], provider_identities: providerIdentities };
+    }
+    async updateAuthIdentity(id, data) {
+        const [updated] = (await this.authIdentityRepo.update([{ id, ...data }]));
+        return updated;
+    }
+    // --- JWT ---
+    async generateToken(payload, secret, expiresIn = '7d') {
+        // Simple JWT: header.payload.signature
+        const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + parseExpiry(expiresIn);
+        const body = Buffer.from(JSON.stringify({
+            ...payload,
+            iat: now,
+            exp,
+        })).toString('base64url');
+        const { createHmac } = await import('node:crypto');
+        const signature = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
+        return `${header}.${body}.${signature}`;
+    }
+    async verifyToken(token, secret) {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            throw new MantaError('UNAUTHORIZED', 'Invalid token format');
+        const [header, body, signature] = parts;
+        // Verify signature
+        const { createHmac, timingSafeEqual } = await import('node:crypto');
+        const expected = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
+        const sigBuffer = Buffer.from(signature, 'base64url');
+        const expectedBuffer = Buffer.from(expected, 'base64url');
+        if (sigBuffer.length !== expectedBuffer.length || !timingSafeEqual(sigBuffer, expectedBuffer)) {
+            throw new MantaError('UNAUTHORIZED', 'Invalid token signature');
+        }
+        // Decode payload
+        const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
+        // Check expiry
+        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+            throw new MantaError('UNAUTHORIZED', 'Token expired');
+        }
+        return payload;
+    }
+    // --- Session management via ICachePort ---
+    async createSession(authContext, options) {
+        if (!this.cache)
+            throw new MantaError('INVALID_STATE', 'Cache not configured for sessions');
+        const sessionId = crypto.randomUUID();
+        const ttl = options?.ttl ?? 86400;
+        const expiresAt = new Date(Date.now() + ttl * 1000);
+        await this.cache.set(`session:${sessionId}`, authContext, ttl);
+        return { sessionId, expiresAt };
+    }
+    async verifySession(sessionId) {
+        if (!this.cache)
+            return null;
+        const data = await this.cache.get(`session:${sessionId}`);
+        return data ?? null;
+    }
+    async destroySession(sessionId) {
+        if (!this.cache)
+            return;
+        await this.cache.invalidate(`session:${sessionId}`);
+    }
+    // --- Internal: create provider service for delegation ---
+    createProviderService(_provider) {
+        const self = this;
+        return {
+            async create(data) {
+                // Create AuthIdentity + ProviderIdentity
+                const authIdentity = await self.createAuthIdentity({});
+                await self.providerIdentityRepo.create([
+                    {
+                        entity_id: data.entity_id,
+                        provider: data.provider,
+                        auth_identity_id: authIdentity.id,
+                        user_metadata: data.user_metadata ?? {},
+                        provider_metadata: data.provider_metadata ?? {},
+                    },
+                ]);
+                return authIdentity;
+            },
+            async update(entity_id, provider, data) {
+                const existing = await this.retrieve(entity_id, provider);
+                if (!existing)
+                    throw new MantaError('NOT_FOUND', `ProviderIdentity not found`);
+                await self.providerIdentityRepo.update([
+                    {
+                        id: existing.id,
+                        ...data,
+                    },
+                ]);
+                return existing.auth_identity;
+            },
+            async retrieve(entity_id, provider) {
+                const results = (await self.providerIdentityRepo.find({
+                    where: { entity_id, provider },
+                }));
+                if (results.length === 0)
+                    return null;
+                const pi = results[0];
+                const ai = (await self.authIdentityRepo.find({ where: { id: pi.auth_identity_id } }));
+                const identity = ai[0] ?? { id: pi.auth_identity_id };
+                return {
+                    id: pi.id,
+                    provider_metadata: pi.provider_metadata,
+                    auth_identity: {
+                        id: identity.id,
+                        app_metadata: identity.app_metadata,
+                    },
+                };
+            },
+            async setState(key, value) {
+                if (self.cache) {
+                    await self.cache.set(`auth_state:${key}`, value, 600); // 10 min TTL
+                }
+            },
+            async getState(key) {
+                if (!self.cache)
+                    return null;
+                const data = await self.cache.get(`auth_state:${key}`);
+                if (data)
+                    await self.cache.invalidate(`auth_state:${key}`); // one-time use
+                return data;
+            },
+        };
+    }
+}
+function parseExpiry(expiry) {
+    const match = expiry.match(/^(\d+)([smhd])$/);
+    if (!match)
+        return 3600; // default 1h
+    const [, num, unit] = match;
+    const n = Number.parseInt(num, 10);
+    switch (unit) {
+        case 's':
+            return n;
+        case 'm':
+            return n * 60;
+        case 'h':
+            return n * 3600;
+        case 'd':
+            return n * 86400;
+        default:
+            return 3600;
+    }
+}
+//# sourceMappingURL=auth-module-service.js.map

package/dist/auth/auth-module-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-module-service.js","sourceRoot":"","sources":["../../src/auth/auth-module-service.ts"],"names":[],"mappings":"AAAA,gGAAgG;AAChG,+CAA+C;AAE/C,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAoCrD,MAAM,OAAO,iBAAiB;IACpB,gBAAgB,CAAa;IAC7B,oBAAoB,CAAa;IACjC,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAA;IAC5C,KAAK,CAAiC;IAE9C,YAAY,IAA2B;QACrC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,sBAAsB,CAAA;QACnD,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC,0BAA0B,CAAA;QAC3D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;IACzB,CAAC;IAED,8BAA8B;IAE9B,gBAAgB,CAAC,EAAU,EAAE,QAAuB;QAClD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAA;IAClC,CAAC;IAED,WAAW,CAAC,EAAU;QACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,UAAU,CAAC,WAAW,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAA;QACxF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,yBAAyB;IAEzB,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,IAAyB;QAC5D,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;QAC/C,OAAO,YAAY,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAA;IAC9E,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAAgB,EAAE,IAAyB;QACxD,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;QAC/C,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAA;IAC1E,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAA6B;QAC1D,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;QAC/C,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,QAAQ,4BAA4B,EAAE,CAAA;QACrF,CAAC;QACD,OAAO,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAA;IACxE,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,IAAyB;QAChE,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;QAC/C,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,QAAQ,8BAA8B,EAAE,CAAA;QACvF,CAAC;QACD,OAAO,YAAY,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAA;IAClF,CAAC;IAED,4BAA4B;IAE5B,KAAK,CAAC,kBAAkB,CAAC,IAAgD;QACvE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC;YACpD;gBACE,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,EAAE;aACtC;SACF,CAAC,CAAsB,CAAA;QACxB,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,EAAU;QACnC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAsB,CAAA;QAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,UAAU,CAAC,WAAW,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAA;QAC7F,2BAA2B;QAC3B,MAAM,kBAAkB,GAAG,CAAC,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;YAC/D,KAAK,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE;SAChC,CAAC,CAA0B,CAAA;QAC5B,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,CAAA;IACnE,CAAC;IAED,KAAK,CAAC,kBAAkB,CACtB,EAAU,EACV,IAEC;QAED,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAsB,CAAA;QAC9F,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,cAAc;IAEd,KAAK,CAAC,aAAa,CACjB,OAKC,EACD,MAAc,EACd,SAAS,GAAG,IAAI;QAEhB,uCAAuC;QACvC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAC9F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QACzC,MAAM,GAAG,GAAG,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;QACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CACtB,IAAI,CAAC,SAAS,CAAC;YACb,GAAG,OAAO;YACV,GAAG,EAAE,GAAG;YACR,GAAG;SACJ,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAEvB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAClD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;QAE9F,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,SAAS,EAAE,CAAA;IACzC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,MAAc;QAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,sBAAsB,CAAC,CAAA;QAEpF,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,CAAC,GAAG,KAAK,CAAA;QAEvC,mBAAmB;QACnB,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QACnE,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;QAE7F,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAA;QACrD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;QACzD,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;YAC9F,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;QAErE,eAAe;QACf,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,eAAe,CAAC,CAAA;QACvD,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,4CAA4C;IAE5C,KAAK,CAAC,aAAa,CACjB,WAAwB,EACxB,OAAwB;QAExB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,mCAAmC,CAAC,CAAA;QAC3F,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACrC,MAAM,GAAG,GAAG,OAAO,EAAE,GAAG,IAAI,KAAK,CAAA;QACjC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,CAAA;QACnD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,SAAS,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,CAAA;QAC9D,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAA;IACjC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAC5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,SAAS,EAAE,CAAC,CAAA;QACzD,OAAQ,IAAoB,IAAI,IAAI,CAAA;IACtC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAM;QACvB,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,SAAS,EAAE,CAAC,CAAA;IACrD,CAAC;IAED,2DAA2D;IAEnD,qBAAqB,CAAC,SAAiB;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAA;QACjB,OAAO;YACL,KAAK,CAAC,MAAM,CAAC,IAAI;gBACf,yCAAyC;gBACzC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAA;gBACtD,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC;oBACrC;wBACE,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,gBAAgB,EAAE,YAAY,CAAC,EAAE;wBACjC,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE;wBACvC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IAAI,EAAE;qBAChD;iBACF,CAAC,CAAA;gBACF,OAAO,YAAsE,CAAA;YAC/E,CAAC;YAED,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI;gBACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;gBACzD,IAAI,CAAC,QAAQ;oBAAE,MAAM,IAAI,UAAU,CAAC,WAAW,EAAE,4BAA4B,CAAC,CAAA;gBAC9E,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC;oBACrC;wBACE,EAAE,EAAE,QAAQ,CAAC,EAAE;wBACf,GAAG,IAAI;qBACR;iBACF,CAAC,CAAA;gBACF,OAAO,QAAQ,CAAC,aAAuE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ;gBAChC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;oBACpD,KAAK,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAA0B,CAAA;gBAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,IAAI,CAAA;gBACrC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAA;gBACrB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAsB,CAAA;gBAC1G,MAAM,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,gBAAgB,EAAE,CAAA;gBACrD,OAAO;oBACL,EAAE,EAAE,EAAE,CAAC,EAAE;oBACT,iBAAiB,EAAE,EAAE,CAAC,iBAAwD;oBAC9E,aAAa,EAAE;wBACb,EAAE,EAAE,QAAQ,CAAC,EAAE;wBACf,YAAY,EAAG,QAA+C,CAAC,YAElD;qBACd;iBACF,CAAA;YACH,CAAC;YAED,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK;gBACvB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA,CAAC,aAAa;gBACrE,CAAC;YACH,CAAC;YAED,KAAK,CAAC,QAAQ,CAAC,GAAG;gBAChB,IAAI,CAAC,IAAI,CAAC,KAAK;oBAAE,OAAO,IAAI,CAAA;gBAC5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,EAAE,CAAC,CAAA;gBACtD,IAAI,IAAI;oBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,GAAG,EAAE,CAAC,CAAA,CAAC,eAAe;gBAC1E,OAAO,IAAsC,CAAA;YAC/C,CAAC;SACF,CAAA;IACH,CAAC;CACF;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA,CAAC,aAAa;IACrC,MAAM,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,KAAK,CAAA;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IAClC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,CAAC,CAAA;QACV,KAAK,GAAG;YACN,OAAO,CAAC,GAAG,EAAE,CAAA;QACf,KAAK,GAAG;YACN,OAAO,CAAC,GAAG,IAAI,CAAA;QACjB,KAAK,GAAG;YACN,OAAO,CAAC,GAAG,KAAK,CAAA;QAClB;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,7 @@
+export { AuthModuleService, type AuthModuleServiceDeps } from './auth-module-service.js';
+export { type AuthenticateOptions, extractAuthContext } from './middleware.js';
+export { AuthIdentity, ProviderIdentity } from './models/auth-identity.js';
+export { EmailpassAuthProvider } from './providers/emailpass.js';
+export type { AuthenticationInput, AuthenticationResponse, IAuthIdentityProviderService, IAuthProvider, } from './providers/types.js';
+export type { AuthContext } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,qBAAqB,EAAE,MAAM,0BAA0B,CAAA;AACxF,OAAO,EAAE,KAAK,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAC9E,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAA;AAChE,YAAY,EACV,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,EAC5B,aAAa,GACd,MAAM,sBAAsB,CAAA;AAC7B,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,5 @@
+export { AuthModuleService } from './auth-module-service.js';
+export { extractAuthContext } from './middleware.js';
+export { AuthIdentity, ProviderIdentity } from './models/auth-identity.js';
+export { EmailpassAuthProvider } from './providers/emailpass.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAA8B,MAAM,0BAA0B,CAAA;AACxF,OAAO,EAA4B,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAC9E,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAA"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,19 @@
+import type { AuthModuleService } from './auth-module-service.js';
+import type { AuthContext } from './types.js';
+export interface AuthenticateOptions {
+    allowUnregistered?: boolean;
+    allowUnauthenticated?: boolean;
+    logger?: {
+        warn: (msg: string) => void;
+    };
+}
+/**
+ * Extract auth context from a request.
+ * Checks Bearer token first, then session cookie.
+ *
+ * @param actorType - Expected actor type ("user", "customer", "*" for any)
+ * @param authTypes - Allowed auth methods: "bearer", "session", or array
+ * @param options - Allow unregistered/unauthenticated access
+ */
+export declare function extractAuthContext(headers: Record<string, string | undefined>, sessionId: string | undefined, authService: AuthModuleService, jwtSecret: string, actorType: string, authTypes?: string | string[], options?: AuthenticateOptions): Promise<AuthContext | null>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AACjE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAE7C,MAAM,WAAW,mBAAmB;IAClC,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B,MAAM,CAAC,EAAE;QAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAA;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAC3C,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,WAAW,EAAE,iBAAiB,EAC9B,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAM,GAAG,MAAM,EAA0B,EACpD,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAG7B"}

package/dist/auth/middleware.js

@@ -0,0 +1,61 @@
+// authenticate() middleware — ISO Medusa V2
+// Extracts auth context from JWT (Bearer) or session (cookie), sets req.auth_context.
+import { MantaError } from '../errors/manta-error.js';
+/**
+ * Extract auth context from a request.
+ * Checks Bearer token first, then session cookie.
+ *
+ * @param actorType - Expected actor type ("user", "customer", "*" for any)
+ * @param authTypes - Allowed auth methods: "bearer", "session", or array
+ * @param options - Allow unregistered/unauthenticated access
+ */
+export function extractAuthContext(headers, sessionId, authService, jwtSecret, actorType, authTypes = ['bearer', 'session'], options) {
+    const types = Array.isArray(authTypes) ? authTypes : [authTypes];
+    return _extractAuthContext(headers, sessionId, authService, jwtSecret, actorType, types, options);
+}
+async function _extractAuthContext(headers, sessionId, authService, jwtSecret, actorType, authTypes, options) {
+    let authContext = null;
+    // 1. Try Bearer token
+    if (authTypes.includes('bearer')) {
+        const authHeader = headers.authorization || headers.Authorization;
+        if (authHeader?.startsWith('Bearer ')) {
+            const token = authHeader.slice(7);
+            try {
+                const payload = await authService.verifyToken(token, jwtSecret);
+                authContext = {
+                    id: payload.id,
+                    type: payload.type,
+                    auth_identity_id: payload.auth_identity_id,
+                    metadata: payload.metadata,
+                };
+            }
+            catch (err) {
+                options?.logger?.warn(`[auth] Bearer token verification failed: ${err.message}`);
+            }
+        }
+    }
+    // 2. Try session
+    if (!authContext && authTypes.includes('session') && sessionId) {
+        const sessionData = await authService.verifySession(sessionId);
+        if (sessionData) {
+            authContext = sessionData;
+        }
+    }
+    // 3. Decide
+    if (authContext?.id) {
+        // Fully authenticated
+        if (actorType !== '*' && authContext.type !== actorType) {
+            throw new MantaError('UNAUTHORIZED', `Actor type "${authContext.type}" not allowed for "${actorType}"`);
+        }
+        return authContext;
+    }
+    if (authContext?.auth_identity_id && options?.allowUnregistered) {
+        // Has auth identity but no id yet (registered with provider, not linked to user)
+        return authContext;
+    }
+    if (options?.allowUnauthenticated) {
+        return null;
+    }
+    throw new MantaError('UNAUTHORIZED', 'Authentication required');
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,sFAAsF;AAEtF,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAUrD;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAA2C,EAC3C,SAA6B,EAC7B,WAA8B,EAC9B,SAAiB,EACjB,SAAiB,EACjB,YAA+B,CAAC,QAAQ,EAAE,SAAS,CAAC,EACpD,OAA6B;IAE7B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IAChE,OAAO,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;AACnG,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAA2C,EAC3C,SAA6B,EAC7B,WAA8B,EAC9B,SAAiB,EACjB,SAAiB,EACjB,SAAmB,EACnB,OAA6B;IAE7B,IAAI,WAAW,GAAuB,IAAI,CAAA;IAE1C,sBAAsB;IACtB,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,CAAA;QACjE,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;gBAC/D,WAAW,GAAG;oBACZ,EAAE,EAAE,OAAO,CAAC,EAAY;oBACxB,IAAI,EAAE,OAAO,CAAC,IAA2B;oBACzC,gBAAgB,EAAE,OAAO,CAAC,gBAA0B;oBACpD,QAAQ,EAAE,OAAO,CAAC,QAAmC;iBACtD,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,4CAA6C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YAC7F,CAAC;QACH,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC,WAAW,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,EAAE,CAAC;QAC/D,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;QAC9D,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,GAAG,WAAqC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,YAAY;IACZ,IAAI,WAAW,EAAE,EAAE,EAAE,CAAC;QACpB,sBAAsB;QACtB,IAAI,SAAS,KAAK,GAAG,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACxD,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,eAAe,WAAW,CAAC,IAAI,sBAAsB,SAAS,GAAG,CAAC,CAAA;QACzG,CAAC;QACD,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,IAAI,WAAW,EAAE,gBAAgB,IAAI,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAChE,iFAAiF;QACjF,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,IAAI,OAAO,EAAE,oBAAoB,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAAA;AACjE,CAAC"}

package/dist/auth/models/auth-identity.d.ts

@@ -0,0 +1,11 @@
+export declare const AuthIdentity: import("../../index.js").DmlEntity<{
+    app_metadata: import("../../dml/properties/base.js").NullableApi<any>;
+}>;
+export declare const ProviderIdentity: import("../../index.js").DmlEntity<{
+    entity_id: import("../../dml/properties/base.js").TextApi;
+    provider: import("../../dml/properties/base.js").TextApi;
+    auth_identity_id: import("../../dml/properties/base.js").TextApi;
+    user_metadata: import("../../dml/properties/base.js").NullableApi<any>;
+    provider_metadata: import("../../dml/properties/base.js").NullableApi<any>;
+}>;
+//# sourceMappingURL=auth-identity.d.ts.map

package/dist/auth/models/auth-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-identity.d.ts","sourceRoot":"","sources":["../../../src/auth/models/auth-identity.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,YAAY;;EAEvB,CAAA;AAEF,eAAO,MAAM,gBAAgB;;;;;;EAM3B,CAAA"}

package/dist/auth/models/auth-identity.js

@@ -0,0 +1,12 @@
+import { field, model } from '../../dml/model.js';
+export const AuthIdentity = model.define('AuthIdentity', {
+    app_metadata: field.json().nullable(),
+});
+export const ProviderIdentity = model.define('ProviderIdentity', {
+    entity_id: field.text(),
+    provider: field.text().index(),
+    auth_identity_id: field.text().index(),
+    user_metadata: field.json().nullable(),
+    provider_metadata: field.json().nullable(),
+});
+//# sourceMappingURL=auth-identity.js.map

package/dist/auth/models/auth-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-identity.js","sourceRoot":"","sources":["../../../src/auth/models/auth-identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAEjD,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE;IACvD,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE;IAC/D,SAAS,EAAE,KAAK,CAAC,IAAI,EAAE;IACvB,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE;IAC9B,gBAAgB,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE;IACtC,aAAa,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAA"}

package/dist/auth/providers/emailpass.d.ts

@@ -0,0 +1,7 @@
+import type { AuthenticationInput, AuthenticationResponse, IAuthIdentityProviderService, IAuthProvider } from './types.js';
+export declare class EmailpassAuthProvider implements IAuthProvider {
+    register(data: AuthenticationInput, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+    authenticate(data: AuthenticationInput, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+    update(data: Record<string, unknown>, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+}
+//# sourceMappingURL=emailpass.d.ts.map

package/dist/auth/providers/emailpass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailpass.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/emailpass.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,EAC5B,aAAa,EACd,MAAM,YAAY,CAAA;AA0BnB,qBAAa,qBAAsB,YAAW,aAAa;IACnD,QAAQ,CACZ,IAAI,EAAE,mBAAmB,EACzB,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC;IA2B5B,YAAY,CAChB,IAAI,EAAE,mBAAmB,EACzB,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC;IA8B5B,MAAM,CACV,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC;CAuBnC"}

package/dist/auth/providers/emailpass.js

@@ -0,0 +1,94 @@
+// Emailpass auth provider — ISO Medusa's @medusajs/auth-emailpass
+// Handles email/password registration and authentication.
+import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
+/**
+ * Hash a password using scrypt (no bcrypt dependency needed).
+ * Format: salt:hash (both hex-encoded).
+ */
+async function hashPassword(password) {
+    const salt = randomBytes(16).toString('hex');
+    const hash = scryptSync(password, salt, 64).toString('hex');
+    return `${salt}:${hash}`;
+}
+/**
+ * Compare a password against a stored hash.
+ */
+async function comparePassword(password, storedHash) {
+    const [salt, hash] = storedHash.split(':');
+    if (!salt || !hash)
+        return false;
+    const derived = scryptSync(password, salt, 64).toString('hex');
+    // Timing-safe comparison
+    const hashBuffer = Buffer.from(hash, 'hex');
+    const derivedBuffer = Buffer.from(derived, 'hex');
+    if (hashBuffer.length !== derivedBuffer.length)
+        return false;
+    return timingSafeEqual(hashBuffer, derivedBuffer);
+}
+export class EmailpassAuthProvider {
+    async register(data, authIdentityService) {
+        const { email, password } = data.body;
+        if (!email || !password) {
+            return { success: false, error: 'Email and password are required' };
+        }
+        // Check if already registered
+        const existing = await authIdentityService.retrieve(email, 'emailpass');
+        if (existing) {
+            return { success: false, error: 'Identity already exists for this email' };
+        }
+        // Hash password
+        const hashedPassword = await hashPassword(password);
+        // Create auth identity + provider identity
+        const authIdentity = await authIdentityService.create({
+            entity_id: email,
+            provider: 'emailpass',
+            provider_metadata: { password: hashedPassword },
+            user_metadata: { email },
+        });
+        return { success: true, authIdentity };
+    }
+    async authenticate(data, authIdentityService) {
+        const { email, password } = data.body;
+        if (!email || !password) {
+            return { success: false, error: 'Email and password are required' };
+        }
+        // Find provider identity
+        const providerIdentity = await authIdentityService.retrieve(email, 'emailpass');
+        if (!providerIdentity) {
+            return { success: false, error: 'Invalid email or password' };
+        }
+        // Compare password
+        const storedHash = providerIdentity.provider_metadata?.password;
+        if (!storedHash) {
+            return { success: false, error: 'Invalid email or password' };
+        }
+        const isValid = await comparePassword(password, storedHash);
+        if (!isValid) {
+            return { success: false, error: 'Invalid email or password' };
+        }
+        return {
+            success: true,
+            authIdentity: providerIdentity.auth_identity,
+        };
+    }
+    async update(data, authIdentityService) {
+        const email = typeof data.email === 'string' ? data.email : undefined;
+        const password = typeof data.password === 'string' ? data.password : undefined;
+        if (!email || !password) {
+            return { success: false, error: 'Email and password are required' };
+        }
+        const existing = await authIdentityService.retrieve(email, 'emailpass');
+        if (!existing) {
+            return { success: false, error: 'Invalid email or password' };
+        }
+        const hashedPassword = await hashPassword(password);
+        const authIdentity = await authIdentityService.update(email, 'emailpass', {
+            provider_metadata: {
+                ...(existing.provider_metadata ?? {}),
+                password: hashedPassword,
+            },
+        });
+        return { success: true, authIdentity };
+    }
+}
+//# sourceMappingURL=emailpass.js.map

package/dist/auth/providers/emailpass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailpass.js","sourceRoot":"","sources":["../../../src/auth/providers/emailpass.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,0DAA0D;AAE1D,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAQtE;;;GAGG;AACH,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC5C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC3D,OAAO,GAAG,IAAI,IAAI,IAAI,EAAE,CAAA;AAC1B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,UAAkB;IACjE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAChC,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC9D,yBAAyB;IACzB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IAC3C,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACjD,IAAI,UAAU,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAC5D,OAAO,eAAe,CAAC,UAAU,EAAE,aAAa,CAAC,CAAA;AACnD,CAAC;AAED,MAAM,OAAO,qBAAqB;IAChC,KAAK,CAAC,QAAQ,CACZ,IAAyB,EACzB,mBAAiD;QAEjD,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,IAA6C,CAAA;QAE9E,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAA;QACrE,CAAC;QAED,8BAA8B;QAC9B,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,CAAA;QACvE,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAA;QAC5E,CAAC;QAED,gBAAgB;QAChB,MAAM,cAAc,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;QAEnD,2CAA2C;QAC3C,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,MAAM,CAAC;YACpD,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE,WAAW;YACrB,iBAAiB,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE;YAC/C,aAAa,EAAE,EAAE,KAAK,EAAE;SACzB,CAAC,CAAA;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,IAAyB,EACzB,mBAAiD;QAEjD,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,IAA6C,CAAA;QAE9E,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAA;QACrE,CAAC;QAED,yBAAyB;QACzB,MAAM,gBAAgB,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,CAAA;QAC/E,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAA;QAC/D,CAAC;QAED,mBAAmB;QACnB,MAAM,UAAU,GAAI,gBAAgB,CAAC,iBAA4C,EAAE,QAAQ,CAAA;QAC3F,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAA;QAC/D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;QAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAA;QAC/D,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,YAAY,EAAE,gBAAgB,CAAC,aAAa;SAC7C,CAAA;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CACV,IAA6B,EAC7B,mBAAiD;QAEjD,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;QACrE,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;QAE9E,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAA;QACrE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,CAAA;QACvE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAA;QAC/D,CAAC;QAED,MAAM,cAAc,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;QACnD,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE;YACxE,iBAAiB,EAAE;gBACjB,GAAG,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC;gBACrC,QAAQ,EAAE,cAAc;aACzB;SACF,CAAC,CAAA;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAA;IACxC,CAAC;CACF"}

package/dist/auth/providers/types.d.ts

@@ -0,0 +1,66 @@
+export interface AuthenticationInput {
+    url: string;
+    headers: Record<string, string>;
+    query: Record<string, string>;
+    body: Record<string, unknown>;
+    protocol: string;
+}
+export interface AuthenticationResponse {
+    success: boolean;
+    authIdentity?: {
+        id: string;
+        app_metadata?: Record<string, unknown>;
+    };
+    error?: string;
+    /** Redirect URL for OAuth flows */
+    location?: string;
+}
+/**
+ * Auth provider contract — same as Medusa's AbstractAuthModuleProvider.
+ * Each provider (emailpass, google, github) implements this.
+ */
+export interface IAuthProvider {
+    /** Authenticate an existing identity */
+    authenticate(data: AuthenticationInput, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+    /** Register a new identity */
+    register(data: AuthenticationInput, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+    /** Handle OAuth callback */
+    validateCallback?(data: AuthenticationInput, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+    /** Update provider data (e.g., new OAuth token) */
+    update?(data: Record<string, unknown>, authIdentityService: IAuthIdentityProviderService): Promise<AuthenticationResponse>;
+}
+/**
+ * Service interface passed to auth providers for identity management.
+ * Allows providers to create/update auth identities without knowing the storage layer.
+ */
+export interface IAuthIdentityProviderService {
+    create(data: {
+        entity_id: string;
+        provider: string;
+        user_metadata?: Record<string, unknown>;
+        provider_metadata?: Record<string, unknown>;
+    }): Promise<{
+        id: string;
+        app_metadata?: Record<string, unknown>;
+    }>;
+    update(entity_id: string, provider: string, data: {
+        user_metadata?: Record<string, unknown>;
+        provider_metadata?: Record<string, unknown>;
+    }): Promise<{
+        id: string;
+        app_metadata?: Record<string, unknown>;
+    }>;
+    retrieve(entity_id: string, provider: string): Promise<{
+        id: string;
+        provider_metadata?: Record<string, unknown>;
+        auth_identity: {
+            id: string;
+            app_metadata?: Record<string, unknown>;
+        };
+    } | null>;
+    /** Store temporary state (OAuth state param, PKCE verifier) */
+    setState(key: string, value: Record<string, unknown>): Promise<void>;
+    /** Retrieve and delete state (one-time use) */
+    getState(key: string): Promise<Record<string, unknown> | null>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/providers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/types.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC/B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC7B,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAA;IAChB,YAAY,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAA;IACrE,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,wCAAwC;IACxC,YAAY,CACV,IAAI,EAAE,mBAAmB,EACzB,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC,CAAA;IAElC,8BAA8B;IAC9B,QAAQ,CACN,IAAI,EAAE,mBAAmB,EACzB,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC,CAAA;IAElC,4BAA4B;IAC5B,gBAAgB,CAAC,CACf,IAAI,EAAE,mBAAmB,EACzB,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC,CAAA;IAElC,mDAAmD;IACnD,MAAM,CAAC,CACL,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,mBAAmB,EAAE,4BAA4B,GAChD,OAAO,CAAC,sBAAsB,CAAC,CAAA;CACnC;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B;IAC3C,MAAM,CAAC,IAAI,EAAE;QACX,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,MAAM,CAAA;QAChB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QACvC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAC5C,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAA;IAEnE,MAAM,CACJ,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE;QACJ,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QACvC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAC5C,GACA,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAA;IAElE,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QACT,EAAE,EAAE,MAAM,CAAA;QACV,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC3C,aAAa,EAAE;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;SAAE,CAAA;KACtE,GAAG,IAAI,CAAC,CAAA;IAET,+DAA+D;IAC/D,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACpE,+CAA+C;IAC/C,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAA;CAC/D"}

package/dist/auth/providers/types.js

@@ -0,0 +1,3 @@
+// Auth provider interface — ISO Medusa V2's AbstractAuthModuleProvider
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/auth/providers/types.ts"],"names":[],"mappings":"AAAA,uEAAuE"}

package/dist/auth/types.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Authentication context attached to a request scope.
+ * Propagated through the entire request lifecycle.
+ *
+ * - `id` — the authenticated user's ID (from the user table, e.g. admin_user.id)
+ * - `type` — the context type (from defineUser, e.g. 'admin', 'customer')
+ * - `email` — the user's email (if available in token metadata)
+ */
+export interface AuthContext {
+    /** User ID (from the context's user table, e.g. admin_user.id). */
+    id: string;
+    /** Context type (from defineUser, e.g. 'admin', 'customer'). */
+    type: string;
+    /** User email (from token metadata). */
+    email?: string;
+    /** Internal auth identity ID (for token management). */
+    auth_identity_id?: string;
+    /** Additional metadata from the token. */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Credentials extracted from a request by the HTTP adapter.
+ * Passed to IAuthGateway.authenticate().
+ */
+export interface AuthCredentials {
+    bearer?: string;
+    apiKey?: string;
+    sessionId?: string;
+}
+/**
+ * Options for session creation.
+ */
+export interface SessionOptions {
+    ttl?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC1B,mEAAmE;IACnE,EAAE,EAAE,MAAM,CAAA;IACV,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAA;IACZ,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAA;CACb"}

package/dist/auth/types.js

@@ -0,0 +1,3 @@
+// SPEC-049/050 — Auth types
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,4BAA4B"}