@nik2208/node-auth 1.1.0 → 1.1.1

package/dist/index.d.ts

@@ -2,9 +2,15 @@ export { AuthConfigurator } from './auth-configurator';
 export type { IUserStore } from './interfaces/user-store.interface';
 export type { ITokenStore } from './interfaces/token-store.interface';
 export type { IAuthStrategy } from './interfaces/auth-strategy.interface';
+export type { IUserMetadataStore } from './interfaces/user-metadata-store.interface';
+export type { IRolesPermissionsStore } from './interfaces/roles-permissions-store.interface';
+export type { ISessionStore } from './interfaces/session-store.interface';
+export type { ITenantStore } from './interfaces/tenant-store.interface';
 export type { BaseUser } from './models/user.model';
 export type { TokenPair, AccessTokenPayload } from './models/token.model';
 export type { AuthConfig } from './models/auth-config.model';
+export type { SessionInfo } from './models/session.model';
+export type { Tenant } from './models/tenant.model';
 export { AuthError } from './models/errors';
 export { BaseAuthStrategy } from './abstract/base-auth-strategy.abstract';
 export { BaseOAuthStrategy } from './abstract/base-oauth-strategy.abstract';
@@ -22,4 +28,6 @@ export type { MailerConfig } from './models/auth-config.model';
 export { createAuthMiddleware } from './middleware/auth.middleware';
 export { createAuthRouter } from './router/auth.router';
 export type { RouterOptions } from './router/auth.router';
+export { createAdminRouter } from './router/admin.router';
+export type { AdminOptions } from './router/admin.router';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,YAAY,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,YAAY,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AACtE,YAAY,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAE1E,YAAY,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1E,YAAY,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAE5E,OAAO,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6CAA6C,CAAC;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,uCAAuC,CAAC;AAErE,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,YAAY,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,YAAY,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,YAAY,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AACtE,YAAY,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAC1E,YAAY,EAAE,kBAAkB,EAAE,MAAM,4CAA4C,CAAC;AACrF,YAAY,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAC7F,YAAY,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAC1E,YAAY,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AAExE,YAAY,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1E,YAAY,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,YAAY,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,YAAY,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAE5E,OAAO,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6CAA6C,CAAC;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,uCAAuC,CAAC;AAErE,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,YAAY,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthRouter = exports.createAuthMiddleware = exports.MailerService = exports.SmsService = exports.PasswordService = exports.TokenService = exports.TotpStrategy = exports.SmsStrategy = exports.MagicLinkStrategy = exports.GithubStrategy = exports.GoogleStrategy = exports.LocalStrategy = exports.BaseOAuthStrategy = exports.BaseAuthStrategy = exports.AuthError = exports.AuthConfigurator = void 0;
+exports.createAdminRouter = exports.createAuthRouter = exports.createAuthMiddleware = exports.MailerService = exports.SmsService = exports.PasswordService = exports.TokenService = exports.TotpStrategy = exports.SmsStrategy = exports.MagicLinkStrategy = exports.GithubStrategy = exports.GoogleStrategy = exports.LocalStrategy = exports.BaseOAuthStrategy = exports.BaseAuthStrategy = exports.AuthError = exports.AuthConfigurator = void 0;
 var auth_configurator_1 = require("./auth-configurator");
 Object.defineProperty(exports, "AuthConfigurator", { enumerable: true, get: function () { return auth_configurator_1.AuthConfigurator; } });
 var errors_1 = require("./models/errors");
@@ -33,4 +33,6 @@ var auth_middleware_1 = require("./middleware/auth.middleware");
 Object.defineProperty(exports, "createAuthMiddleware", { enumerable: true, get: function () { return auth_middleware_1.createAuthMiddleware; } });
 var auth_router_1 = require("./router/auth.router");
 Object.defineProperty(exports, "createAuthRouter", { enumerable: true, get: function () { return auth_router_1.createAuthRouter; } });
+var admin_router_1 = require("./router/admin.router");
+Object.defineProperty(exports, "createAdminRouter", { enumerable: true, get: function () { return admin_router_1.createAdminRouter; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,yDAAuD;AAA9C,qHAAA,gBAAgB,OAAA;AASzB,0CAA4C;AAAnC,mGAAA,SAAS,OAAA;AAElB,sFAA0E;AAAjE,+HAAA,gBAAgB,OAAA;AACzB,wFAA4E;AAAnE,iIAAA,iBAAiB,OAAA;AAE1B,oEAAkE;AAAzD,+GAAA,aAAa,OAAA;AACtB,sEAAoE;AAA3D,iHAAA,cAAc,OAAA;AACvB,sEAAoE;AAA3D,iHAAA,cAAc,OAAA;AACvB,mFAAgF;AAAvE,wHAAA,iBAAiB,OAAA;AAC1B,8DAA4D;AAAnD,2GAAA,WAAW,OAAA;AACpB,uEAAqE;AAA5D,6GAAA,YAAY,OAAA;AAErB,0DAAwD;AAA/C,6GAAA,YAAY,OAAA;AACrB,gEAA8D;AAArD,mHAAA,eAAe,OAAA;AACxB,sDAAoD;AAA3C,yGAAA,UAAU,OAAA;AACnB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAGtB,gEAAoE;AAA3D,uHAAA,oBAAoB,OAAA;AAC7B,oDAAwD;AAA/C,+GAAA,gBAAgB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,yDAAuD;AAA9C,qHAAA,gBAAgB,OAAA;AAezB,0CAA4C;AAAnC,mGAAA,SAAS,OAAA;AAElB,sFAA0E;AAAjE,+HAAA,gBAAgB,OAAA;AACzB,wFAA4E;AAAnE,iIAAA,iBAAiB,OAAA;AAE1B,oEAAkE;AAAzD,+GAAA,aAAa,OAAA;AACtB,sEAAoE;AAA3D,iHAAA,cAAc,OAAA;AACvB,sEAAoE;AAA3D,iHAAA,cAAc,OAAA;AACvB,mFAAgF;AAAvE,wHAAA,iBAAiB,OAAA;AAC1B,8DAA4D;AAAnD,2GAAA,WAAW,OAAA;AACpB,uEAAqE;AAA5D,6GAAA,YAAY,OAAA;AAErB,0DAAwD;AAA/C,6GAAA,YAAY,OAAA;AACrB,gEAA8D;AAArD,mHAAA,eAAe,OAAA;AACxB,sDAAoD;AAA3C,yGAAA,UAAU,OAAA;AACnB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAGtB,gEAAoE;AAA3D,uHAAA,oBAAoB,OAAA;AAC7B,oDAAwD;AAA/C,+GAAA,gBAAgB,OAAA;AAEzB,sDAA0D;AAAjD,iHAAA,iBAAiB,OAAA"}

package/dist/interfaces/roles-permissions-store.interface.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Optional store for role-based access control (RBAC).
+ *
+ * Implement this interface to assign roles to users, attach fine-grained
+ * permissions to roles, and perform permission checks.  All tenant-aware
+ * methods accept an optional `tenantId` parameter so the same interface
+ * works for both single-tenant and multi-tenant applications.
+ *
+ * @example
+ * ```typescript
+ * import { IRolesPermissionsStore } from 'node-auth';
+ *
+ * export class MyRbacStore implements IRolesPermissionsStore {
+ *   async addRoleToUser(userId, role, tenantId?) { ... }
+ *   async removeRoleFromUser(userId, role, tenantId?) { ... }
+ *   async getRolesForUser(userId, tenantId?) { ... }
+ *   async createRole(role, permissions?) { ... }
+ *   async deleteRole(role) { ... }
+ *   async addPermissionToRole(role, permission) { ... }
+ *   async removePermissionFromRole(role, permission) { ... }
+ *   async getPermissionsForRole(role) { ... }
+ *   async getPermissionsForUser(userId, tenantId?) { ... }
+ *   async userHasPermission(userId, permission, tenantId?) { ... }
+ * }
+ * ```
+ */
+export interface IRolesPermissionsStore {
+    /**
+     * Assign `role` to the given user.
+     * When `tenantId` is provided the assignment is scoped to that tenant.
+     */
+    addRoleToUser(userId: string, role: string, tenantId?: string): Promise<void>;
+    /**
+     * Remove `role` from the given user.
+     * When `tenantId` is provided only the tenant-scoped assignment is removed.
+     */
+    removeRoleFromUser(userId: string, role: string, tenantId?: string): Promise<void>;
+    /**
+     * Return the list of roles assigned to the given user.
+     * When `tenantId` is provided only roles scoped to that tenant are returned.
+     */
+    getRolesForUser(userId: string, tenantId?: string): Promise<string[]>;
+    /**
+     * Create a new role, optionally pre-loading it with a set of permissions.
+     * Idempotent — calling it on an existing role should not throw.
+     */
+    createRole(role: string, permissions?: string[]): Promise<void>;
+    /**
+     * Delete a role and all its permission assignments.
+     * User ↔ role assignments for this role should also be removed.
+     */
+    deleteRole(role: string): Promise<void>;
+    /**
+     * Add `permission` to `role`.
+     * Idempotent — adding an already-assigned permission should not throw.
+     */
+    addPermissionToRole(role: string, permission: string): Promise<void>;
+    /**
+     * Remove `permission` from `role`.
+     */
+    removePermissionFromRole(role: string, permission: string): Promise<void>;
+    /**
+     * Return all permissions assigned to `role`.
+     */
+    getPermissionsForRole(role: string): Promise<string[]>;
+    /**
+     * Return all permissions the user has, aggregated across all their roles.
+     * When `tenantId` is provided only roles scoped to that tenant are considered.
+     */
+    getPermissionsForUser(userId: string, tenantId?: string): Promise<string[]>;
+    /**
+     * Check whether the user has a specific permission (across any of their roles).
+     * When `tenantId` is provided only roles scoped to that tenant are checked.
+     */
+    userHasPermission(userId: string, permission: string, tenantId?: string): Promise<boolean>;
+    /**
+     * Return all role names defined in the store.
+     * Used by the optional admin router to display the roles & permissions table.
+     */
+    getAllRoles?(): Promise<string[]>;
+}
+//# sourceMappingURL=roles-permissions-store.interface.d.ts.map

package/dist/interfaces/roles-permissions-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles-permissions-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/roles-permissions-store.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,WAAW,sBAAsB;IAKrC;;;OAGG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9E;;;OAGG;IACH,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnF;;;OAGG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAMtE;;;OAGG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhE;;;OAGG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAMxC;;;OAGG;IACH,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAErE;;OAEG;IACH,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1E;;OAEG;IACH,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAMvD;;;OAGG;IACH,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE5E;;;OAGG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3F;;;OAGG;IACH,WAAW,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACnC"}

package/dist/interfaces/roles-permissions-store.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=roles-permissions-store.interface.js.map

package/dist/interfaces/roles-permissions-store.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles-permissions-store.interface.js","sourceRoot":"","sources":["../../src/interfaces/roles-permissions-store.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/session-store.interface.d.ts

@@ -0,0 +1,82 @@
+import { SessionInfo } from '../models/session.model';
+/**
+ * Optional store for device-aware session management.
+ *
+ * Implement this interface when you need to give users visibility into
+ * (and control over) their active sessions — similar to "Manage devices"
+ * screens in modern applications.
+ *
+ * Each session is identified by an opaque `sessionHandle` (e.g. a UUID or a
+ * hex token) that is independent of the JWT.  This lets you list, inspect,
+ * and revoke individual sessions without invalidating all tokens at once.
+ *
+ * @example
+ * ```typescript
+ * import { ISessionStore } from 'node-auth';
+ *
+ * export class MySessionStore implements ISessionStore {
+ *   async createSession(info) {
+ *     const handle = crypto.randomUUID();
+ *     await db('sessions').insert({ handle, ...info });
+ *     return { sessionHandle: handle, ...info };
+ *   }
+ *   async getSession(handle) {
+ *     return db('sessions').where({ handle }).first() ?? null;
+ *   }
+ *   async getSessionsForUser(userId) {
+ *     return db('sessions').where({ userId });
+ *   }
+ *   async updateSessionLastActive(handle) {
+ *     await db('sessions').where({ handle }).update({ lastActiveAt: new Date() });
+ *   }
+ *   async revokeSession(handle) {
+ *     await db('sessions').where({ handle }).delete();
+ *   }
+ *   async revokeAllSessionsForUser(userId) {
+ *     await db('sessions').where({ userId }).delete();
+ *   }
+ * }
+ * ```
+ */
+export interface ISessionStore {
+    /**
+     * Persist a new session and return it with the generated `sessionHandle`.
+     */
+    createSession(info: Omit<SessionInfo, 'sessionHandle'>): Promise<SessionInfo>;
+    /**
+     * Retrieve a session by its handle.
+     * Returns `null` when the session does not exist or has expired.
+     */
+    getSession(sessionHandle: string): Promise<SessionInfo | null>;
+    /**
+     * Return all active sessions for the given user.
+     * When `tenantId` is provided only sessions belonging to that tenant are
+     * returned.
+     */
+    getSessionsForUser(userId: string, tenantId?: string): Promise<SessionInfo[]>;
+    /**
+     * Bump the `lastActiveAt` timestamp for the given session.
+     * Call this on every authenticated request to keep session activity up to date.
+     */
+    updateSessionLastActive(sessionHandle: string): Promise<void>;
+    /**
+     * Invalidate (delete) a single session.
+     * The associated JWT will still be technically valid until it expires, so
+     * you should also call `tokenService.clearTokenCookies()` on the response.
+     */
+    revokeSession(sessionHandle: string): Promise<void>;
+    /**
+     * Invalidate all sessions for the given user (e.g. "log out everywhere").
+     * When `tenantId` is provided only sessions for that tenant are revoked.
+     */
+    revokeAllSessionsForUser(userId: string, tenantId?: string): Promise<void>;
+    /**
+     * Return all active sessions across all users.
+     * Used by the optional admin router to display the sessions table.
+     *
+     * @param limit  Maximum number of records to return.
+     * @param offset Zero-based offset for pagination.
+     */
+    getAllSessions?(limit: number, offset: number): Promise<SessionInfo[]>;
+}
+//# sourceMappingURL=session-store.interface.d.ts.map

package/dist/interfaces/session-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/session-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,aAAa,CACX,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,GACvC,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;OAGG;IACH,UAAU,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAE/D;;;;OAIG;IACH,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAE9E;;;OAGG;IACH,uBAAuB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D;;;;OAIG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3E;;;;;;OAMG;IACH,cAAc,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;CACxE"}

package/dist/interfaces/session-store.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=session-store.interface.js.map

package/dist/interfaces/session-store.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.interface.js","sourceRoot":"","sources":["../../src/interfaces/session-store.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/tenant-store.interface.d.ts

@@ -0,0 +1,97 @@
+import { Tenant } from '../models/tenant.model';
+/**
+ * Optional store for multi-tenant applications.
+ *
+ * Implement this interface when your application serves multiple independent
+ * tenants (organisations, workspaces, teams, etc.) and you need to isolate
+ * users, data, and configuration per tenant.
+ *
+ * The interface covers three concerns:
+ *  1. **Tenant CRUD** — create, read, update and delete tenants.
+ *  2. **User ↔ Tenant association** — which users belong to which tenant.
+ *  3. **Per-tenant auth config** — optional overrides such as allowed auth
+ *     methods, custom OAuth clients, or token lifetimes per tenant.
+ *
+ * @example
+ * ```typescript
+ * import { ITenantStore } from 'node-auth';
+ *
+ * export class MyTenantStore implements ITenantStore {
+ *   async createTenant(data) {
+ *     const id = slugify(data.name);
+ *     await db('tenants').insert({ id, ...data });
+ *     return { id, ...data };
+ *   }
+ *   async getTenantById(id) {
+ *     return db('tenants').where({ id }).first() ?? null;
+ *   }
+ *   async getAllTenants() {
+ *     return db('tenants').select();
+ *   }
+ *   async updateTenant(id, data) {
+ *     await db('tenants').where({ id }).update(data);
+ *   }
+ *   async deleteTenant(id) {
+ *     await db('tenants').where({ id }).delete();
+ *   }
+ *   async associateUserWithTenant(userId, tenantId) {
+ *     await db('tenant_users').insert({ userId, tenantId });
+ *   }
+ *   async disassociateUserFromTenant(userId, tenantId) {
+ *     await db('tenant_users').where({ userId, tenantId }).delete();
+ *   }
+ *   async getTenantsForUser(userId) {
+ *     return db('tenant_users').join('tenants', ...).where({ userId });
+ *   }
+ *   async getUsersForTenant(tenantId) {
+ *     return db('tenant_users').where({ tenantId }).pluck('userId');
+ *   }
+ * }
+ * ```
+ */
+export interface ITenantStore {
+    /**
+     * Create a new tenant.  The `id` is generated by the implementation
+     * (e.g. a UUID or a URL-safe slug derived from `name`).
+     */
+    createTenant(data: Omit<Tenant, 'id'>): Promise<Tenant>;
+    /**
+     * Fetch a tenant by its unique identifier.
+     * Returns `null` when no tenant with that ID exists.
+     */
+    getTenantById(id: string): Promise<Tenant | null>;
+    /**
+     * Return all tenants.  For large deployments consider adding pagination
+     * in your own implementation.
+     */
+    getAllTenants(): Promise<Tenant[]>;
+    /**
+     * Partially update a tenant's fields.
+     * Only the fields present in `data` are changed.
+     */
+    updateTenant(id: string, data: Partial<Omit<Tenant, 'id'>>): Promise<void>;
+    /**
+     * Permanently delete a tenant and all its associated data.
+     * This should also remove all user ↔ tenant associations for the tenant.
+     */
+    deleteTenant(id: string): Promise<void>;
+    /**
+     * Add `userId` as a member of `tenantId`.
+     * Idempotent — calling it when the association already exists should not throw.
+     */
+    associateUserWithTenant(userId: string, tenantId: string): Promise<void>;
+    /**
+     * Remove `userId` from `tenantId`.
+     * No-op when the association does not exist.
+     */
+    disassociateUserFromTenant(userId: string, tenantId: string): Promise<void>;
+    /**
+     * Return all tenants the given user belongs to.
+     */
+    getTenantsForUser(userId: string): Promise<Tenant[]>;
+    /**
+     * Return the IDs of all users that belong to the given tenant.
+     */
+    getUsersForTenant(tenantId: string): Promise<string[]>;
+}
+//# sourceMappingURL=tenant-store.interface.d.ts.map

package/dist/interfaces/tenant-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/tenant-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AACH,MAAM,WAAW,YAAY;IAK3B;;;OAGG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAExD;;;OAGG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAElD;;;OAGG;IACH,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAEnC;;;OAGG;IACH,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3E;;;OAGG;IACH,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAMxC;;;OAGG;IACH,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;;OAGG;IACH,0BAA0B,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5E;;OAEG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAErD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACxD"}

package/dist/interfaces/tenant-store.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=tenant-store.interface.js.map

package/dist/interfaces/tenant-store.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-store.interface.js","sourceRoot":"","sources":["../../src/interfaces/tenant-store.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/user-metadata-store.interface.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Optional store for arbitrary per-user metadata.
+ *
+ * Implement this interface when you need to attach project-specific data to
+ * users without extending `BaseUser` (e.g. preferences, profile fields,
+ * feature flags, or any other key/value pairs).
+ *
+ * The interface is intentionally generic — your database schema can store
+ * metadata as a JSON column, a separate key-value table, or any other way
+ * that suits your project.
+ *
+ * @example
+ * ```typescript
+ * import { IUserMetadataStore } from 'node-auth';
+ *
+ * export class MyUserMetadataStore implements IUserMetadataStore {
+ *   async getMetadata(userId: string) {
+ *     const row = await db.from('user_metadata').where({ userId }).first();
+ *     return row?.data ?? {};
+ *   }
+ *   async updateMetadata(userId: string, metadata: Record<string, unknown>) {
+ *     await db('user_metadata')
+ *       .insert({ userId, data: JSON.stringify(metadata) })
+ *       .onConflict('userId')
+ *       .merge();
+ *   }
+ *   async clearMetadata(userId: string) {
+ *     await db('user_metadata').where({ userId }).delete();
+ *   }
+ * }
+ * ```
+ */
+export interface IUserMetadataStore {
+    /**
+     * Retrieve all metadata for the given user.
+     * Returns an empty object when no metadata exists.
+     */
+    getMetadata(userId: string): Promise<Record<string, unknown>>;
+    /**
+     * Merge (shallow-patch) the provided key/value pairs into the user's
+     * existing metadata.  Fields not present in `metadata` are left untouched.
+     */
+    updateMetadata(userId: string, metadata: Record<string, unknown>): Promise<void>;
+    /**
+     * Delete all metadata for the given user.
+     * Useful when a user account is deleted.
+     */
+    clearMetadata(userId: string): Promise<void>;
+}
+//# sourceMappingURL=user-metadata-store.interface.d.ts.map

package/dist/interfaces/user-metadata-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-metadata-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/user-metadata-store.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAE9D;;;OAGG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjF;;;OAGG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9C"}

package/dist/interfaces/user-metadata-store.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=user-metadata-store.interface.js.map

package/dist/interfaces/user-metadata-store.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-metadata-store.interface.js","sourceRoot":"","sources":["../../src/interfaces/user-metadata-store.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/user-store.interface.d.ts

@@ -19,5 +19,46 @@ export interface IUserStore<U extends BaseUser = BaseUser> {
      * Required to support the POST /auth/magic-link/verify endpoint.
      */
     findByMagicLinkToken?(token: string): Promise<U | null>;
+    /**
+     * Set (or clear) the email-verification token and its expiry.
+     * Required to support POST /auth/send-verification-email and GET /auth/verify-email.
+     */
+    updateEmailVerificationToken?(userId: string, token: string | null, expiry: Date | null): Promise<void>;
+    /**
+     * Mark the user's primary email as verified (or unverified).
+     * Required to support GET /auth/verify-email.
+     */
+    updateEmailVerified?(userId: string, isVerified: boolean): Promise<void>;
+    /**
+     * Find a user by their email-verification token.
+     * Required to support GET /auth/verify-email.
+     */
+    findByEmailVerificationToken?(token: string): Promise<U | null>;
+    /**
+     * Store the pending new email address together with a confirmation token
+     * and expiry.  Set all three to `null` to cancel an in-progress change.
+     * Required to support POST /auth/change-email/request and
+     * POST /auth/change-email/confirm.
+     */
+    updateEmailChangeToken?(userId: string, pendingEmail: string | null, token: string | null, expiry: Date | null): Promise<void>;
+    /**
+     * Commit the pending email change: overwrite the user's primary email with
+     * `newEmail` and clear the change-token fields.
+     * Required to support POST /auth/change-email/confirm.
+     */
+    updateEmail?(userId: string, newEmail: string): Promise<void>;
+    /**
+     * Find a user by their email-change confirmation token.
+     * Required to support POST /auth/change-email/confirm.
+     */
+    findByEmailChangeToken?(token: string): Promise<U | null>;
+    /**
+     * Return a paginated list of users.
+     * Used by the optional admin router to display the users table.
+     *
+     * @param limit  Maximum number of records to return.
+     * @param offset Zero-based offset for pagination.
+     */
+    listUsers?(limit: number, offset: number): Promise<U[]>;
 }
 //# sourceMappingURL=user-store.interface.d.ts.map

package/dist/interfaces/user-store.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/user-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,QAAQ,GAAG,QAAQ;IACvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACxC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACrC,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3F,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvF;;;OAGG;IACH,gBAAgB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,oBAAoB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;CACzD"}
+{"version":3,"file":"user-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/user-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,QAAQ,GAAG,QAAQ;IACvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACxC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACrC,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3F,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvF;;;OAGG;IACH,gBAAgB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,oBAAoB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIxD;;;OAGG;IACH,4BAA4B,CAAC,CAC3B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;OAGG;IACH,mBAAmB,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;;OAGG;IACH,4BAA4B,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIhE;;;;;OAKG;IACH,sBAAsB,CAAC,CACrB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GAAG,IAAI,EAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;OAIG;IACH,WAAW,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D;;;OAGG;IACH,sBAAsB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAI1D;;;;;;OAMG;IACH,SAAS,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;CACzD"}

package/dist/models/auth-config.model.d.ts

@@ -1,3 +1,4 @@
+import { BaseUser } from './user.model';
 /**
  * Configuration for the built-in HTTP-based mailer transport.
  *
@@ -75,6 +76,17 @@ export interface AuthConfig {
          * When provided, this callback is used instead of `mailer`.
          */
         sendWelcome?: (to: string, data: Record<string, unknown>, lang?: string) => Promise<void>;
+        /**
+         * Override: custom email-verification sender.
+         * When provided, this callback is used instead of `mailer`.
+         */
+        sendVerificationEmail?: (to: string, token: string, link: string, lang?: string) => Promise<void>;
+        /**
+         * Override: custom email-changed notification sender.
+         * Called after the change-email flow completes.
+         * When provided, this callback is used instead of `mailer`.
+         */
+        sendEmailChanged?: (to: string, newEmail: string, lang?: string) => Promise<void>;
     };
     oauth?: {
         google?: {
@@ -92,5 +104,22 @@ export interface AuthConfig {
     twoFactor?: {
         appName?: string;
     };
+    /**
+     * Optional callback to inject custom claims into both the access and refresh JWTs.
+     *
+     * Called with the authenticated/resolved `user` object every time a token pair is
+     * generated.  The object returned by this callback is **merged** on top of the
+     * standard `{ sub, email, role }` claims, so you can add roles, permissions, tenant
+     * IDs, or any other project-specific data.
+     *
+     * @example
+     * ```ts
+     * buildTokenPayload: (user) => ({
+     *   permissions: user.permissions,
+     *   tenantId: user.tenantId,
+     * }),
+     * ```
+     */
+    buildTokenPayload?: (user: BaseUser) => Record<string, unknown>;
 }
 //# sourceMappingURL=auth-config.model.d.ts.map

package/dist/models/auth-config.model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-config.model.d.ts","sourceRoot":"","sources":["../../src/models/auth-config.model.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,YAAY;IAC3B,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,aAAa,CAAC,EAAE;QACd,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,oBAAoB,CAAC,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,KAAK,CAAC,EAAE;QACN;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAC;QAEjB;;;;;WAKG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;QAEtB;;;WAGG;QACH,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE9F;;;WAGG;QACH,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC3F,CAAC;IACF,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;YACpB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;QACF,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;KACH,CAAC;IACF,SAAS,CAAC,EAAE;QACV,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH"}
+{"version":3,"file":"auth-config.model.d.ts","sourceRoot":"","sources":["../../src/models/auth-config.model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAExC;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,YAAY;IAC3B,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,aAAa,CAAC,EAAE;QACd,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,oBAAoB,CAAC,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,KAAK,CAAC,EAAE;QACN;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAC;QAEjB;;;;;WAKG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;QAEtB;;;WAGG;QACH,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE9F;;;WAGG;QACH,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,qBAAqB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAElG;;;;WAIG;QACH,gBAAgB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACnF,CAAC;IACF,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;YACpB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;QACF,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;KACH,CAAC;IACF,SAAS,CAAC,EAAE;QACV,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;;;;;;;;;;;;;;OAeG;IACH,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjE"}

package/dist/models/session.model.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Represents an active user session with optional device/context metadata.
+ *
+ * Implementations of `ISessionStore` use this shape to persist and retrieve
+ * session records. All fields beyond `sessionHandle`, `userId`, `createdAt`,
+ * and `expiresAt` are optional so you only store what you actually need.
+ */
+export interface SessionInfo {
+    /** Unique opaque identifier for this session (e.g. a UUID or a hex token). */
+    sessionHandle: string;
+    /** ID of the user who owns this session. */
+    userId: string;
+    /** Tenant ID — set when multi-tenancy is enabled. */
+    tenantId?: string;
+    /** When the session was created. */
+    createdAt: Date;
+    /** When the session expires. */
+    expiresAt: Date;
+    /** When the session was last used (updated on each authenticated request). */
+    lastActiveAt?: Date;
+    /** User-Agent header from the client that created the session. */
+    userAgent?: string;
+    /** IP address that created the session. */
+    ipAddress?: string;
+    /** Arbitrary session-level data (e.g. device name, geo-location, etc.). */
+    data?: Record<string, unknown>;
+}
+//# sourceMappingURL=session.model.d.ts.map

package/dist/models/session.model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.model.d.ts","sourceRoot":"","sources":["../../src/models/session.model.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,8EAA8E;IAC9E,aAAa,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,SAAS,EAAE,IAAI,CAAC;IAChB,gCAAgC;IAChC,SAAS,EAAE,IAAI,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,IAAI,CAAC;IACpB,kEAAkE;IAClE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC"}

package/dist/models/session.model.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=session.model.js.map

package/dist/models/session.model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.model.js","sourceRoot":"","sources":["../../src/models/session.model.ts"],"names":[],"mappings":""}

package/dist/models/tenant.model.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Represents a tenant in a multi-tenant application.
+ *
+ * `ITenantStore` implementations use this shape to create and query tenants.
+ * The `config` field can hold arbitrary per-tenant settings (e.g. allowed
+ * OAuth providers, custom branding, feature flags).
+ */
+export interface Tenant {
+    /** Unique identifier for the tenant (e.g. slug, UUID, or subdomain). */
+    id: string;
+    /** Human-readable display name. */
+    name: string;
+    /** Whether the tenant is currently active. Defaults to `true`. */
+    isActive?: boolean;
+    /** Arbitrary per-tenant configuration (allowed auth methods, branding, etc.). */
+    config?: Record<string, unknown>;
+    /** When the tenant was created. */
+    createdAt?: Date;
+}
+//# sourceMappingURL=tenant.model.d.ts.map

package/dist/models/tenant.model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.model.d.ts","sourceRoot":"","sources":["../../src/models/tenant.model.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,MAAM;IACrB,wEAAwE;IACxE,EAAE,EAAE,MAAM,CAAC;IACX,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,kEAAkE;IAClE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,iFAAiF;IACjF,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,mCAAmC;IACnC,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB"}

package/dist/models/tenant.model.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=tenant.model.js.map

package/dist/models/tenant.model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.model.js","sourceRoot":"","sources":["../../src/models/tenant.model.ts"],"names":[],"mappings":""}

package/dist/models/token.model.d.ts

@@ -8,5 +8,7 @@ export interface AccessTokenPayload {
     role?: string;
     iat?: number;
     exp?: number;
+    /** Any additional custom claims embedded in the JWT. */
+    [key: string]: unknown;
 }
 //# sourceMappingURL=token.model.d.ts.map

package/dist/models/token.model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.model.d.ts","sourceRoot":"","sources":["../../src/models/token.model.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd"}
+{"version":3,"file":"token.model.d.ts","sourceRoot":"","sources":["../../src/models/token.model.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}