@nauth-toolkit/nestjs 0.1.18 → 0.1.22

package/dist/interceptors/cookie-token.interceptor.js

@@ -8,18 +8,13 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CookieTokenInterceptor = void 0;
 const common_1 = require("@nestjs/common");
 const core_1 = require("@nestjs/core");
 const operators_1 = require("rxjs/operators");
-const core_2 = require("@nauth-toolkit/core");
-const internal_1 = require("@nauth-toolkit/core/internal");
 const token_delivery_decorator_1 = require("../decorators/token-delivery.decorator");
-const csrf_service_1 = require("../services/csrf.service");
+const token_delivery_http_service_1 = require("../services/token-delivery-http.service");
 /**
  * Cookie Token Interceptor
  *
@@ -37,56 +32,33 @@ const csrf_service_1 = require("../services/csrf.service");
  * It does nothing in other contexts (e.g., WebSocket, GraphQL).
  */
 let CookieTokenInterceptor = class CookieTokenInterceptor {
-    config;
-    jwtService;
+    tokenDeliveryHttp;
     reflector;
-    csrfService;
-    constructor(config, jwtService, reflector, csrfService) {
-        this.config = config;
-        this.jwtService = jwtService;
+    constructor(tokenDeliveryHttp, reflector) {
+        this.tokenDeliveryHttp = tokenDeliveryHttp;
         this.reflector = reflector;
-        this.csrfService = csrfService;
     }
     intercept(context, next) {
         // Only operate in HTTP context
         if (context.getType() !== 'http') {
             return next.handle();
         }
-        const deliveryConfig = this.config.tokenDelivery;
         const http = context.switchToHttp();
         const req = http.getRequest();
         const res = http.getResponse();
         // Determine effective delivery for this request
         const routeMode = this.reflector.get(token_delivery_decorator_1.TOKEN_DELIVERY_KEY, context.getHandler());
-        const method = deliveryConfig?.method || 'json';
-        // Validate route-level delivery mode against global configuration
-        if (routeMode === 'cookies') {
-            // Route requests cookies - config must allow cookies (cookies or hybrid)
-            if (method === 'json') {
-                throw new core_2.NAuthException(core_2.AuthErrorCode.COOKIES_NOT_ALLOWED, "Route-level cookie delivery requested, but tokenDelivery.method is 'json' (cookies disabled)");
-            }
-            // method === 'cookies' or 'hybrid' - both allow cookies, so OK
-        }
-        else if (routeMode === 'json') {
-            // Route requests JSON - config must allow JSON (json or hybrid)
-            if (method === 'cookies') {
-                throw new core_2.NAuthException(core_2.AuthErrorCode.BEARER_NOT_ALLOWED, "Route-level JSON delivery requested, but tokenDelivery.method is 'cookies' (JSON/Bearer tokens disabled)");
-            }
-            // method === 'json' or 'hybrid' - both allow JSON, so OK
-        }
-        let effective = 'json';
-        if (routeMode) {
-            effective = routeMode;
-        }
-        else if (method === 'hybrid') {
-            effective = (0, core_2.resolveDeliveryForRequest)(req, deliveryConfig?.hybridPolicy);
-        }
-        else if (method === 'cookies') {
-            effective = 'cookies';
-        }
-        else {
-            effective = 'json';
-        }
+        const effective = this.tokenDeliveryHttp.resolveEffectiveDelivery(req, routeMode);
+        // ============================================================================
+        // Expose route-level delivery decision to downstream handlers
+        // ============================================================================
+        // Social redirect endpoints (and other framework-neutral handlers) may need to
+        // know the route-level delivery override in hybrid deployments. Provider callbacks
+        // often omit `Origin`, so the only deterministic signal is the route itself.
+        //
+        // We store it on the request object using a non-enumerable-ish private-ish key.
+        // Frameworks tolerate extra properties on the request object (Express/Fastify).
+        req.__nauthRouteDelivery = routeMode;
         return next.handle().pipe((0, operators_1.map)((data) => {
             // ============================================================================
             // Safety: Only process object responses
@@ -105,102 +77,18 @@ let CookieTokenInterceptor = class CookieTokenInterceptor {
             if (!hasAccessToken && !hasDeviceTokenOnly) {
                 return responseData;
             }
-            // Smart default cookie options
-            const opt = deliveryConfig?.cookieOptions;
-            // Cookie domain handling:
-            // - undefined: Cookie set for exact host:port (e.g., localhost:3000)
-            //   For cross-port requests (localhost:4200 → localhost:3000), cookies work IF:
-            //   - Frontend sends withCredentials: true
-            //   - Backend CORS allows credentials
-            //   - SameSite allows cross-site requests (e.g., 'lax' or 'none')
-            //
-            // - 'localhost' or '.localhost': Some browsers accept this, others reject it
-            //   Modern browsers generally allow 'localhost' without domain attribute
-            //
-            // - '.example.com': For production cross-subdomain sharing
-            //   Allows cookies set by api.example.com to be sent from app.example.com
-            const cookieOptions = {
-                httpOnly: true,
-                secure: opt?.secure !== false, // default true
-                sameSite: (opt?.sameSite || 'strict'),
-                path: opt?.path || '/',
-            };
-            // Include domain if provided (browsers handle localhost differently - some accept, some reject)
-            // For cross-port testing (like Cognito), omitting domain works with sameSite: 'lax' or 'none'
-            if (opt?.domain) {
-                cookieOptions.domain = opt.domain;
-            }
-            // Derive expiry strictly from JWT claims (no fallback)
-            // We decode here (signature already trusted as tokens are freshly issued);
-            // full validation and blacklist checks happen in the AuthGuard on subsequent requests.
-            let accessTokenMaxAgeMs = 0;
-            if (hasAccessToken && responseData.accessToken) {
-                const accessPayload = this.jwtService.decodeToken(responseData.accessToken);
-                if (!accessPayload?.exp) {
-                    throw new core_2.NAuthException(core_2.AuthErrorCode.TOKEN_INVALID, 'Access token missing or invalid exp claim; refusing to set cookies');
-                }
-                const accessExpSeconds = accessPayload.exp;
-                accessTokenMaxAgeMs = Math.max(0, accessExpSeconds * 1000 - Date.now());
-                if (accessTokenMaxAgeMs <= 0) {
-                    throw new core_2.NAuthException(core_2.AuthErrorCode.TOKEN_INVALID, 'Access token already expired; refusing to set cookies');
-                }
-            }
-            const setCookie = (name, value, options) => {
-                if (res && typeof res.cookie === 'function') {
-                    res.cookie(name, value, options);
-                }
-                else if (res && typeof res.setCookie === 'function') {
-                    res.setCookie(name, value, options);
-                }
-            };
             // Set cookies only when effective is 'cookies'
             if (effective === 'cookies' && hasAccessToken && responseData.accessToken) {
-                const accessTokenCookieName = (0, core_2.getAccessTokenCookieName)(this.config);
-                setCookie(accessTokenCookieName, responseData.accessToken, {
-                    ...cookieOptions,
-                    maxAge: accessTokenMaxAgeMs,
+                this.tokenDeliveryHttp.setAuthCookies(res, {
+                    accessToken: responseData.accessToken,
+                    refreshToken: typeof responseData.refreshToken === 'string' ? responseData.refreshToken : undefined,
+                    deviceToken: typeof responseData.deviceToken === 'string' ? responseData.deviceToken : undefined,
                 });
+                this.tokenDeliveryHttp.setCsrfCookie(res, responseData.accessToken);
             }
-            if (typeof responseData.refreshToken === 'string' && responseData.refreshToken && effective === 'cookies') {
-                const refreshPayload = this.jwtService.decodeToken(responseData.refreshToken);
-                if (!refreshPayload?.exp) {
-                    throw new core_2.NAuthException(core_2.AuthErrorCode.TOKEN_INVALID, 'Refresh token missing or invalid exp claim; refusing to set cookies');
-                }
-                const refreshExpSeconds = refreshPayload.exp;
-                const refreshTokenMaxAgeMs = Math.max(0, refreshExpSeconds * 1000 - Date.now());
-                if (refreshTokenMaxAgeMs <= 0) {
-                    throw new core_2.NAuthException(core_2.AuthErrorCode.TOKEN_INVALID, 'Refresh token already expired; refusing to set cookies');
-                }
-                const refreshTokenCookieName = (0, core_2.getRefreshTokenCookieName)(this.config);
-                setCookie(refreshTokenCookieName, responseData.refreshToken, {
-                    ...cookieOptions,
-                    maxAge: refreshTokenMaxAgeMs,
-                });
-            }
-            // Set device token cookie for trusted device feature (web)
-            // Only set cookie when deviceToken is present and effective is cookies
-            // (hybrid mode may resolve to cookies for web origins)
-            if (typeof responseData.deviceToken === 'string' && responseData.deviceToken && effective === 'cookies') {
-                const rememberDeviceDays = this.config.mfa?.rememberDeviceDays || 30;
-                const deviceTokenMaxAgeMs = rememberDeviceDays * 24 * 60 * 60 * 1000; // Convert days to milliseconds
-                const deviceTokenCookieName = (0, core_2.getDeviceTokenCookieName)(this.config);
-                setCookie(deviceTokenCookieName, responseData.deviceToken, {
-                    ...cookieOptions,
-                    maxAge: deviceTokenMaxAgeMs,
-                });
-            }
-            // Set CSRF token cookie when using cookie-based token delivery
-            // CSRF token is required for state-changing requests to prevent CSRF attacks
-            if (effective === 'cookies' && this.csrfService && this.config.security?.csrf) {
-                const csrfToken = this.csrfService.generateToken();
-                const csrfCookieName = this.csrfService.getCookieName();
-                const csrfCookieOptions = this.csrfService.getCookieOptions();
-                // Use same max age as access token for CSRF cookie
-                // This ensures CSRF token expires when access token expires
-                setCookie(csrfCookieName, csrfToken, {
-                    ...csrfCookieOptions,
-                    maxAge: accessTokenMaxAgeMs > 0 ? accessTokenMaxAgeMs : undefined,
-                });
+            else if (effective === 'cookies' && hasDeviceTokenOnly && responseData.deviceToken) {
+                // trust-device endpoint: cookie only
+                this.tokenDeliveryHttp.setDeviceTokenCookie(res, responseData.deviceToken);
             }
             // Strip tokens, deviceToken, and expiration fields only when effective is cookies (strict web path)
             // Expiration is managed by cookie maxAge, so these fields are not needed
@@ -220,9 +108,7 @@ let CookieTokenInterceptor = class CookieTokenInterceptor {
 exports.CookieTokenInterceptor = CookieTokenInterceptor;
 exports.CookieTokenInterceptor = CookieTokenInterceptor = __decorate([
     (0, common_1.Injectable)(),
-    __param(0, (0, common_1.Inject)('NAUTH_CONFIG')),
-    __metadata("design:paramtypes", [Object, internal_1.JwtService,
-        core_1.Reflector,
-        csrf_service_1.CsrfService])
+    __metadata("design:paramtypes", [token_delivery_http_service_1.TokenDeliveryHttpService,
+        core_1.Reflector])
 ], CookieTokenInterceptor);
 //# sourceMappingURL=cookie-token.interceptor.js.map

package/dist/interceptors/cookie-token.interceptor.js.map

@@ -1 +1 @@
-{"version":3,"file":"cookie-token.interceptor.js","sourceRoot":"","sources":["../../src/interceptors/cookie-token.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAoG;AACpG,uCAAyC;AAEzC,8CAAqC;AACrC,8CAU6B;AAC7B,2DAA0D;AAC1D,qFAA2F;AAC3F,2DAAuD;AAEvD;;;;;;;;;;;;;;;GAeG;AAEI,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB;IAGd;IACA;IACA;IACA;IALnB,YAEmB,MAAmB,EACnB,UAAsB,EACtB,SAAoB,EACpB,WAAyB;QAHzB,WAAM,GAAN,MAAM,CAAa;QACnB,eAAU,GAAV,UAAU,CAAY;QACtB,cAAS,GAAT,SAAS,CAAW;QACpB,gBAAW,GAAX,WAAW,CAAc;IACzC,CAAC;IAEJ,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,+BAA+B;QAC/B,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,cAAc,GAAoC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QAClF,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;QAGpC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAkB,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAmB,CAAC;QAEhD,gDAAgD;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAgB,6CAAkB,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9F,MAAM,MAAM,GAAG,cAAc,EAAE,MAAM,IAAI,MAAM,CAAC;QAEhD,kEAAkE;QAClE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,yEAAyE;YACzE,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,mBAAmB,EACjC,8FAA8F,CAC/F,CAAC;YACJ,CAAC;YACD,+DAA+D;QACjE,CAAC;aAAM,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YAChC,gEAAgE;YAChE,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,kBAAkB,EAChC,0GAA0G,CAC3G,CAAC;YACJ,CAAC;YACD,yDAAyD;QAC3D,CAAC;QAED,IAAI,SAAS,GAAuB,MAAM,CAAC;QAC3C,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,GAAG,SAAS,CAAC;QACxB,CAAC;aAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,SAAS,GAAG,IAAA,gCAAyB,EAAC,GAAG,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;QAC3E,CAAC;aAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,SAAS,GAAG,SAAS,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CACvB,IAAA,eAAG,EAAC,CAAC,IAAa,EAAE,EAAE;YACpB,+EAA+E;YAC/E,wCAAwC;YACxC,+EAA+E;YAC/E,8EAA8E;YAC9E,2EAA2E;YAC3E,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,MAAM,YAAY,GAAG,IAAwB,CAAC;YAC9C,MAAM,MAAM,GAAG,IAA+B,CAAC;YAE/C,8DAA8D;YAC9D,MAAM,kBAAkB,GACtB,aAAa,IAAI,MAAM,IAAI,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,IAAI,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,CAAC;YACxG,MAAM,cAAc,GAClB,aAAa,IAAI,MAAM,IAAI,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC;YAExG,4DAA4D;YAC5D,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC3C,OAAO,YAAY,CAAC;YACtB,CAAC;YAED,+BAA+B;YAC/B,MAAM,GAAG,GAAG,cAAc,EAAE,aAAa,CAAC;YAE1C,0BAA0B;YAC1B,qEAAqE;YACrE,gFAAgF;YAChF,2CAA2C;YAC3C,sCAAsC;YACtC,kEAAkE;YAClE,EAAE;YACF,6EAA6E;YAC7E,yEAAyE;YACzE,EAAE;YACF,2DAA2D;YAC3D,0EAA0E;YAC1E,MAAM,aAAa,GAMf;gBACF,QAAQ,EAAE,IAAa;gBACvB,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,KAAK,EAAE,eAAe;gBAC9C,QAAQ,EAAE,CAAC,GAAG,EAAE,QAAQ,IAAI,QAAQ,CAA8B;gBAClE,IAAI,EAAE,GAAG,EAAE,IAAI,IAAI,GAAG;aACvB,CAAC;YAEF,gGAAgG;YAChG,8FAA8F;YAC9F,IAAI,GAAG,EAAE,MAAM,EAAE,CAAC;gBAChB,aAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YACpC,CAAC;YAED,uDAAuD;YACvD,2EAA2E;YAC3E,uFAAuF;YACvF,IAAI,mBAAmB,GAAG,CAAC,CAAC;YAC5B,IAAI,cAAc,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC/C,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;gBAC5E,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC;oBACxB,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,aAAa,EAC3B,oEAAoE,CACrE,CAAC;gBACJ,CAAC;gBACD,MAAM,gBAAgB,GAAG,aAAa,CAAC,GAAa,CAAC;gBACrD,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,gBAAgB,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBACxE,IAAI,mBAAmB,IAAI,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,aAAa,EAC3B,uDAAuD,CACxD,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,KAAa,EAAE,OAAgC,EAAE,EAAE;gBAClF,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;oBAC5C,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;oBACtD,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC,CAAC;YAEF,+CAA+C;YAC/C,IAAI,SAAS,KAAK,SAAS,IAAI,cAAc,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1E,MAAM,qBAAqB,GAAG,IAAA,+BAAwB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpE,SAAS,CAAC,qBAAqB,EAAE,YAAY,CAAC,WAAW,EAAE;oBACzD,GAAG,aAAa;oBAChB,MAAM,EAAE,mBAAmB;iBAC5B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,OAAO,YAAY,CAAC,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,YAAY,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC1G,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;gBAC9E,IAAI,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC;oBACzB,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,aAAa,EAC3B,qEAAqE,CACtE,CAAC;gBACJ,CAAC;gBACD,MAAM,iBAAiB,GAAG,cAAc,CAAC,GAAa,CAAC;gBACvD,MAAM,oBAAoB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,iBAAiB,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAChF,IAAI,oBAAoB,IAAI,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,aAAa,EAC3B,wDAAwD,CACzD,CAAC;gBACJ,CAAC;gBACD,MAAM,sBAAsB,GAAG,IAAA,gCAAyB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtE,SAAS,CAAC,sBAAsB,EAAE,YAAY,CAAC,YAAY,EAAE;oBAC3D,GAAG,aAAa;oBAChB,MAAM,EAAE,oBAAoB;iBAC7B,CAAC,CAAC;YACL,CAAC;YAED,2DAA2D;YAC3D,uEAAuE;YACvE,uDAAuD;YACvD,IAAI,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,IAAI,YAAY,CAAC,WAAW,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBACxG,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,kBAAkB,IAAI,EAAE,CAAC;gBACrE,MAAM,mBAAmB,GAAG,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,+BAA+B;gBACrG,MAAM,qBAAqB,GAAG,IAAA,+BAAwB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpE,SAAS,CAAC,qBAAqB,EAAE,YAAY,CAAC,WAAW,EAAE;oBACzD,GAAG,aAAa;oBAChB,MAAM,EAAE,mBAAmB;iBAC5B,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,6EAA6E;YAC7E,IAAI,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC;gBAC9E,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;gBACnD,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;gBACxD,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC;gBAE9D,mDAAmD;gBACnD,4DAA4D;gBAC5D,SAAS,CAAC,cAAc,EAAE,SAAS,EAAE;oBACnC,GAAG,iBAAiB;oBACpB,MAAM,EAAE,mBAAmB,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS;iBAClE,CAAC,CAAC;YACL,CAAC;YAED,oGAAoG;YACpG,yEAAyE;YACzE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,IAAI,kBAAkB,EAAE,CAAC;oBACvB,6EAA6E;oBAC7E,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM,QAAQ,GAAG,YAA+B,CAAC;gBACjD,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,SAAS,EAAE,GACzG,QAAQ,CAAC;gBACX,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,OAAO,YAAY,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;CACF,CAAA;AAhOY,wDAAsB;iCAAtB,sBAAsB;IADlC,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,eAAM,EAAC,cAAc,CAAC,CAAA;6CAEM,qBAAU;QACX,gBAAS;QACN,0BAAW;GANjC,sBAAsB,CAgOlC"}
+{"version":3,"file":"cookie-token.interceptor.js","sourceRoot":"","sources":["../../src/interceptors/cookie-token.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA4F;AAC5F,uCAAyC;AAEzC,8CAAqC;AAErC,qFAA2F;AAC3F,yFAAmF;AAEnF;;;;;;;;;;;;;;;GAeG;AAEI,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB;IAEd;IACA;IAFnB,YACmB,iBAA2C,EAC3C,SAAoB;QADpB,sBAAiB,GAAjB,iBAAiB,CAA0B;QAC3C,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,+BAA+B;QAC/B,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;QAGpC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAkB,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAmB,CAAC;QAEhD,gDAAgD;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAgB,6CAAkB,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9F,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAElF,+EAA+E;QAC/E,8DAA8D;QAC9D,+EAA+E;QAC/E,+EAA+E;QAC/E,mFAAmF;QACnF,6EAA6E;QAC7E,EAAE;QACF,gFAAgF;QAChF,gFAAgF;QAC/E,GAA+B,CAAC,oBAAoB,GAAG,SAAS,CAAC;QAElE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CACvB,IAAA,eAAG,EAAC,CAAC,IAAa,EAAE,EAAE;YACpB,+EAA+E;YAC/E,wCAAwC;YACxC,+EAA+E;YAC/E,8EAA8E;YAC9E,2EAA2E;YAC3E,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,MAAM,YAAY,GAAG,IAAwB,CAAC;YAC9C,MAAM,MAAM,GAAG,IAA+B,CAAC;YAE/C,8DAA8D;YAC9D,MAAM,kBAAkB,GACtB,aAAa,IAAI,MAAM,IAAI,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,IAAI,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,CAAC;YACxG,MAAM,cAAc,GAClB,aAAa,IAAI,MAAM,IAAI,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC;YAExG,4DAA4D;YAC5D,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC3C,OAAO,YAAY,CAAC;YACtB,CAAC;YAED,+CAA+C;YAC/C,IAAI,SAAS,KAAK,SAAS,IAAI,cAAc,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1E,IAAI,CAAC,iBAAiB,CAAC,cAAc,CAAC,GAAG,EAAE;oBACzC,WAAW,EAAE,YAAY,CAAC,WAAW;oBACrC,YAAY,EAAE,OAAO,YAAY,CAAC,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;oBACnG,WAAW,EAAE,OAAO,YAAY,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;iBACjG,CAAC,CAAC;gBACH,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,GAAG,EAAE,YAAY,CAAC,WAAW,CAAC,CAAC;YACtE,CAAC;iBAAM,IAAI,SAAS,KAAK,SAAS,IAAI,kBAAkB,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;gBACrF,qCAAqC;gBACrC,IAAI,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,GAAG,EAAE,YAAY,CAAC,WAAW,CAAC,CAAC;YAC7E,CAAC;YAED,oGAAoG;YACpG,yEAAyE;YACzE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,IAAI,kBAAkB,EAAE,CAAC;oBACvB,6EAA6E;oBAC7E,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM,QAAQ,GAAG,YAA+B,CAAC;gBACjD,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,SAAS,EAAE,GACzG,QAAQ,CAAC;gBACX,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,OAAO,YAAY,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;CACF,CAAA;AAxFY,wDAAsB;iCAAtB,sBAAsB;IADlC,IAAA,mBAAU,GAAE;qCAG2B,sDAAwB;QAChC,gBAAS;GAH5B,sBAAsB,CAwFlC"}

package/dist/interceptors/index.d.ts

@@ -1,3 +1,3 @@
-export * from './client-info.interceptor';
+export * from './nauth-context.interceptor';
 export * from './cookie-token.interceptor';
 //# sourceMappingURL=index.d.ts.map

package/dist/interceptors/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interceptors/index.ts"],"names":[],"mappings":"AAAA,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interceptors/index.ts"],"names":[],"mappings":"AAAA,cAAc,6BAA6B,CAAC;AAC5C,cAAc,4BAA4B,CAAC"}

package/dist/interceptors/index.js

@@ -14,6 +14,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./client-info.interceptor"), exports);
+__exportStar(require("./nauth-context.interceptor"), exports);
 __exportStar(require("./cookie-token.interceptor"), exports);
 //# sourceMappingURL=index.js.map

package/dist/interceptors/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/interceptors/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,4DAA0C;AAC1C,6DAA2C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/interceptors/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8DAA4C;AAC5C,6DAA2C"}

package/dist/interceptors/nauth-context.interceptor.d.ts

@@ -0,0 +1,27 @@
+import { NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
+import { Observable } from 'rxjs';
+/**
+ * NAuth Context Interceptor
+ *
+ * Re-enters the AsyncLocalStorage context that was initialized by NAuthContextGuard.
+ * This ensures controllers and services run inside the same request-scoped context.
+ *
+ * **Why This is Needed:**
+ * - Guards and interceptors run in separate execution contexts
+ * - AsyncLocalStorage context from the guard is not automatically available to controllers
+ * - This interceptor restores the context using `ContextStorage.enterStore()`
+ *
+ * **Pattern:**
+ * - Mirrors the core FastifyAdapter pattern for context restoration
+ * - Works with both Express and Fastify adapters
+ *
+ * @example
+ * ```typescript
+ * // Registered globally in AuthModule as APP_INTERCEPTOR
+ * // No manual usage required - runs automatically for all HTTP requests
+ * ```
+ */
+export declare class NAuthContextInterceptor implements NestInterceptor {
+    intercept(context: ExecutionContext, next: CallHandler): Observable<unknown>;
+}
+//# sourceMappingURL=nauth-context.interceptor.d.ts.map

package/dist/interceptors/nauth-context.interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nauth-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/interceptors/nauth-context.interceptor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC5F,OAAO,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAIlC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBACa,uBAAwB,YAAW,eAAe;IAC7D,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;CA2B7E"}

package/dist/interceptors/nauth-context.interceptor.js

@@ -0,0 +1,64 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NAuthContextInterceptor = void 0;
+const common_1 = require("@nestjs/common");
+const rxjs_1 = require("rxjs");
+const core_1 = require("@nauth-toolkit/core");
+const nauth_context_guard_1 = require("../guards/nauth-context.guard");
+/**
+ * NAuth Context Interceptor
+ *
+ * Re-enters the AsyncLocalStorage context that was initialized by NAuthContextGuard.
+ * This ensures controllers and services run inside the same request-scoped context.
+ *
+ * **Why This is Needed:**
+ * - Guards and interceptors run in separate execution contexts
+ * - AsyncLocalStorage context from the guard is not automatically available to controllers
+ * - This interceptor restores the context using `ContextStorage.enterStore()`
+ *
+ * **Pattern:**
+ * - Mirrors the core FastifyAdapter pattern for context restoration
+ * - Works with both Express and Fastify adapters
+ *
+ * @example
+ * ```typescript
+ * // Registered globally in AuthModule as APP_INTERCEPTOR
+ * // No manual usage required - runs automatically for all HTTP requests
+ * ```
+ */
+let NAuthContextInterceptor = class NAuthContextInterceptor {
+    intercept(context, next) {
+        // Only operate in HTTP context
+        if (context.getType() !== 'http') {
+            return next.handle();
+        }
+        const request = context.switchToHttp().getRequest();
+        // Get the context store that was created by NAuthContextGuard
+        const store = (0, nauth_context_guard_1.getNAuthContextStore)(request);
+        if (!store) {
+            // No context available - continue without context (shouldn't happen with proper setup)
+            return next.handle();
+        }
+        // Re-enter the context store so controllers/services have access to it
+        return new rxjs_1.Observable((subscriber) => {
+            core_1.ContextStorage.enterStore(store, () => {
+                next.handle().subscribe({
+                    next: (value) => subscriber.next(value),
+                    error: (err) => subscriber.error(err),
+                    complete: () => subscriber.complete(),
+                });
+            });
+        });
+    }
+};
+exports.NAuthContextInterceptor = NAuthContextInterceptor;
+exports.NAuthContextInterceptor = NAuthContextInterceptor = __decorate([
+    (0, common_1.Injectable)()
+], NAuthContextInterceptor);
+//# sourceMappingURL=nauth-context.interceptor.js.map

package/dist/interceptors/nauth-context.interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nauth-context.interceptor.js","sourceRoot":"","sources":["../../src/interceptors/nauth-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA4F;AAC5F,+BAAkC;AAClC,8CAAqD;AACrD,uEAAqE;AAErE;;;;;;;;;;;;;;;;;;;;GAoBG;AAEI,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAClC,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,+BAA+B;QAC/B,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAEpD,8DAA8D;QAC9D,MAAM,KAAK,GAAG,IAAA,0CAAoB,EAAC,OAAO,CAAC,CAAC;QAE5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,uFAAuF;YACvF,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,uEAAuE;QACvE,OAAO,IAAI,iBAAU,CAAC,CAAC,UAAU,EAAE,EAAE;YACnC,qBAAc,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,EAAE;gBACpC,IAAI,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC;oBACtB,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;oBACvC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC;oBACrC,QAAQ,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE;iBACtC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AA5BY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;GACA,uBAAuB,CA4BnC"}

package/dist/services/token-delivery-http.service.d.ts

@@ -0,0 +1,68 @@
+import { NAuthConfig } from '@nauth-toolkit/core';
+import { JwtService } from '@nauth-toolkit/core/internal';
+import { CsrfService } from './csrf.service';
+import type { RouteDelivery } from '../decorators/token-delivery.decorator';
+/**
+ * Token delivery helper for HTTP controllers/interceptors (NestJS)
+ *
+ * Centralizes logic for:
+ * - determining effective token delivery ('cookies' | 'json') in hybrid mode
+ * - setting httpOnly auth cookies (and device token cookie) consistently
+ * - setting CSRF cookie when using cookie-based delivery
+ *
+ * This keeps consumer applications lightweight by letting toolkit controllers
+ * (like social redirect/callback) reuse the same cookie semantics as interceptors.
+ *
+ * @example
+ * ```typescript
+ * const effective = service.resolveEffectiveDelivery(req, undefined);
+ * if (effective === 'cookies') {
+ *   service.setAuthCookies(res, { accessToken, refreshToken });
+ *   service.setCsrfCookie(res, accessToken);
+ * }
+ * ```
+ */
+export declare class TokenDeliveryHttpService {
+    private readonly config;
+    private readonly jwtService;
+    private readonly csrfService?;
+    constructor(config: NAuthConfig, jwtService: JwtService, csrfService?: CsrfService | undefined);
+    /**
+     * Resolve the effective delivery mode for the current request.
+     *
+     * @param req - Framework request object (only `headers.origin` is used in hybrid mode)
+     * @param routeMode - Optional route-level override ('cookies' | 'json')
+     * @returns Effective delivery mode
+     * @throws {NAuthException} If route requests a mode not allowed by global config
+     */
+    resolveEffectiveDelivery(req: unknown, routeMode?: RouteDelivery): 'cookies' | 'json';
+    /**
+     * Set auth cookies on the response.
+     *
+     * @param res - HTTP response object (FastifyReply or Express response)
+     * @param tokens - Tokens to set
+     * @throws {NAuthException} If token exp claims are missing/invalid
+     */
+    setAuthCookies(res: unknown, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        deviceToken?: string;
+    }): void;
+    /**
+     * Set only the device token cookie (used by trust-device endpoint).
+     *
+     * @param res - HTTP response
+     * @param deviceToken - Device token to persist as cookie
+     */
+    setDeviceTokenCookie(res: unknown, deviceToken: string): void;
+    /**
+     * Set CSRF cookie for cookie-based delivery.
+     *
+     * @param res - HTTP response
+     * @param accessToken - Access token used to align CSRF cookie lifetime
+     */
+    setCsrfCookie(res: unknown, accessToken: string): void;
+    private buildCookieOptions;
+    private getSetCookieFn;
+}
+//# sourceMappingURL=token-delivery-http.service.d.ts.map

package/dist/services/token-delivery-http.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-delivery-http.service.d.ts","sourceRoot":"","sources":["../../src/services/token-delivery-http.service.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,WAAW,EAMZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wCAAwC,CAAC;AAE5E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBACa,wBAAwB;IAGjC,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAFZ,MAAM,EAAE,WAAW,EACnB,UAAU,EAAE,UAAU,EACtB,WAAW,CAAC,EAAE,WAAW,YAAA;IAG5C;;;;;;;OAOG;IACH,wBAAwB,CAAC,GAAG,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,aAAa,GAAG,SAAS,GAAG,MAAM;IA0BrF;;;;;;OAMG;IACH,cAAc,CACZ,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3E,IAAI;IAuCP;;;;;OAKG;IACH,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAe7D;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IA0BtD,OAAO,CAAC,kBAAkB;IA0B1B,OAAO,CAAC,cAAc;CAmBvB"}

package/dist/services/token-delivery-http.service.js

@@ -0,0 +1,194 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenDeliveryHttpService = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nauth-toolkit/core");
+const internal_1 = require("@nauth-toolkit/core/internal");
+const csrf_service_1 = require("./csrf.service");
+/**
+ * Token delivery helper for HTTP controllers/interceptors (NestJS)
+ *
+ * Centralizes logic for:
+ * - determining effective token delivery ('cookies' | 'json') in hybrid mode
+ * - setting httpOnly auth cookies (and device token cookie) consistently
+ * - setting CSRF cookie when using cookie-based delivery
+ *
+ * This keeps consumer applications lightweight by letting toolkit controllers
+ * (like social redirect/callback) reuse the same cookie semantics as interceptors.
+ *
+ * @example
+ * ```typescript
+ * const effective = service.resolveEffectiveDelivery(req, undefined);
+ * if (effective === 'cookies') {
+ *   service.setAuthCookies(res, { accessToken, refreshToken });
+ *   service.setCsrfCookie(res, accessToken);
+ * }
+ * ```
+ */
+let TokenDeliveryHttpService = class TokenDeliveryHttpService {
+    config;
+    jwtService;
+    csrfService;
+    constructor(config, jwtService, csrfService) {
+        this.config = config;
+        this.jwtService = jwtService;
+        this.csrfService = csrfService;
+    }
+    /**
+     * Resolve the effective delivery mode for the current request.
+     *
+     * @param req - Framework request object (only `headers.origin` is used in hybrid mode)
+     * @param routeMode - Optional route-level override ('cookies' | 'json')
+     * @returns Effective delivery mode
+     * @throws {NAuthException} If route requests a mode not allowed by global config
+     */
+    resolveEffectiveDelivery(req, routeMode) {
+        const method = this.config.tokenDelivery?.method || 'json';
+        // Validate route override against global configuration
+        if (routeMode === 'cookies' && method === 'json') {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.COOKIES_NOT_ALLOWED, "Route-level cookie delivery requested, but tokenDelivery.method is 'json' (cookies disabled)");
+        }
+        if (routeMode === 'json' && method === 'cookies') {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.BEARER_NOT_ALLOWED, "Route-level JSON delivery requested, but tokenDelivery.method is 'cookies' (JSON/Bearer tokens disabled)");
+        }
+        if (routeMode) {
+            return routeMode;
+        }
+        if (method === 'hybrid') {
+            return (0, core_1.resolveDeliveryForRequest)(req, this.config.tokenDelivery?.hybridPolicy);
+        }
+        return method === 'cookies' ? 'cookies' : 'json';
+    }
+    /**
+     * Set auth cookies on the response.
+     *
+     * @param res - HTTP response object (FastifyReply or Express response)
+     * @param tokens - Tokens to set
+     * @throws {NAuthException} If token exp claims are missing/invalid
+     */
+    setAuthCookies(res, tokens) {
+        const deliveryConfig = this.config.tokenDelivery;
+        const opt = deliveryConfig?.cookieOptions;
+        const cookieOptions = this.buildCookieOptions();
+        const setCookie = this.getSetCookieFn(res);
+        // Derive expiry from JWT exp claims (strict)
+        const accessPayload = this.jwtService.decodeToken(tokens.accessToken);
+        if (!accessPayload?.exp) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.TOKEN_INVALID, 'Access token missing exp claim; refusing to set cookies');
+        }
+        const accessMaxAgeMs = Math.max(0, accessPayload.exp * 1000 - Date.now());
+        if (accessMaxAgeMs <= 0) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.TOKEN_INVALID, 'Access token already expired; refusing to set cookies');
+        }
+        const accessTokenCookieName = (0, core_1.getAccessTokenCookieName)(this.config);
+        setCookie(accessTokenCookieName, tokens.accessToken, { ...cookieOptions, maxAge: accessMaxAgeMs });
+        if (typeof tokens.refreshToken === 'string' && tokens.refreshToken) {
+            const refreshPayload = this.jwtService.decodeToken(tokens.refreshToken);
+            if (!refreshPayload?.exp) {
+                throw new core_1.NAuthException(core_1.AuthErrorCode.TOKEN_INVALID, 'Refresh token missing exp claim; refusing to set cookies');
+            }
+            const refreshMaxAgeMs = Math.max(0, refreshPayload.exp * 1000 - Date.now());
+            if (refreshMaxAgeMs <= 0) {
+                throw new core_1.NAuthException(core_1.AuthErrorCode.TOKEN_INVALID, 'Refresh token already expired; refusing to set cookies');
+            }
+            const refreshTokenCookieName = (0, core_1.getRefreshTokenCookieName)(this.config);
+            setCookie(refreshTokenCookieName, tokens.refreshToken, { ...cookieOptions, maxAge: refreshMaxAgeMs });
+        }
+        // Trusted device cookie (optional)
+        if (typeof tokens.deviceToken === 'string' && tokens.deviceToken) {
+            this.setDeviceTokenCookie(res, tokens.deviceToken);
+        }
+    }
+    /**
+     * Set only the device token cookie (used by trust-device endpoint).
+     *
+     * @param res - HTTP response
+     * @param deviceToken - Device token to persist as cookie
+     */
+    setDeviceTokenCookie(res, deviceToken) {
+        const token = typeof deviceToken === 'string' ? deviceToken : '';
+        if (!token) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'deviceToken is required', { field: 'deviceToken' });
+        }
+        const cookieOptions = this.buildCookieOptions();
+        const setCookie = this.getSetCookieFn(res);
+        const rememberDeviceDays = this.config.mfa?.rememberDeviceDays || 30;
+        const deviceTokenMaxAgeMs = rememberDeviceDays * 24 * 60 * 60 * 1000;
+        const deviceTokenCookieName = (0, core_1.getDeviceTokenCookieName)(this.config);
+        setCookie(deviceTokenCookieName, token, { ...cookieOptions, maxAge: deviceTokenMaxAgeMs });
+    }
+    /**
+     * Set CSRF cookie for cookie-based delivery.
+     *
+     * @param res - HTTP response
+     * @param accessToken - Access token used to align CSRF cookie lifetime
+     */
+    setCsrfCookie(res, accessToken) {
+        if (!this.csrfService || !this.config.security?.csrf) {
+            return;
+        }
+        const accessPayload = this.jwtService.decodeToken(accessToken);
+        if (!accessPayload?.exp) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.TOKEN_INVALID, 'Access token missing exp claim; refusing to set CSRF cookie');
+        }
+        const accessMaxAgeMs = Math.max(0, accessPayload.exp * 1000 - Date.now());
+        const csrfToken = this.csrfService.generateToken();
+        const csrfCookieName = this.csrfService.getCookieName();
+        const csrfCookieOptions = this.csrfService.getCookieOptions();
+        const setCookie = this.getSetCookieFn(res);
+        setCookie(csrfCookieName, csrfToken, {
+            ...csrfCookieOptions,
+            maxAge: accessMaxAgeMs > 0 ? accessMaxAgeMs : undefined,
+        });
+    }
+    // ============================================================================
+    // Private helpers
+    // ============================================================================
+    buildCookieOptions() {
+        const opt = this.config.tokenDelivery?.cookieOptions;
+        const cookieOptions = {
+            httpOnly: true,
+            secure: opt?.secure !== false,
+            sameSite: (opt?.sameSite || 'strict'),
+            path: opt?.path || '/',
+        };
+        if (opt?.domain) {
+            cookieOptions.domain = opt.domain;
+        }
+        return cookieOptions;
+    }
+    getSetCookieFn(res) {
+        return (name, value, options) => {
+            const r = res;
+            if (typeof r.cookie === 'function') {
+                r.cookie(name, value, options);
+                return;
+            }
+            if (typeof r.setCookie === 'function') {
+                r.setCookie(name, value, options);
+                return;
+            }
+            throw new core_1.NAuthException(core_1.AuthErrorCode.INTERNAL_ERROR, 'Response does not support setting cookies');
+        };
+    }
+};
+exports.TokenDeliveryHttpService = TokenDeliveryHttpService;
+exports.TokenDeliveryHttpService = TokenDeliveryHttpService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)('NAUTH_CONFIG')),
+    __metadata("design:paramtypes", [Object, internal_1.JwtService,
+        csrf_service_1.CsrfService])
+], TokenDeliveryHttpService);
+//# sourceMappingURL=token-delivery-http.service.js.map