@nuraly/lumenjs 0.1.3 → 0.1.4

package/dist/auth/middleware.js

@@ -0,0 +1,89 @@
+import { parseSessionCookie, decryptSession, encryptSession, createSessionCookie, shouldRefreshSession } from './session.js';
+/**
+ * Create Connect middleware that parses the session cookie and attaches req.nkAuth.
+ * Works with both OIDC and native auth sessions — the cookie format is identical.
+ *
+ * Behavior:
+ * 1. Skip non-page requests (/@, /node_modules, static files with `.`)
+ * 2. Check Bearer token (mobile/API clients)
+ * 3. Parse + decrypt session cookie → attach req.nkAuth
+ * 4. Refresh OIDC tokens if expiring within 5 minutes
+ * 5. Always call next() — never blocks the middleware chain
+ */
+export function createAuthMiddleware(config, db) {
+    return async (req, res, next) => {
+        const url = req.url || '';
+        // Skip non-page requests
+        if (url.startsWith('/@') || url.startsWith('/node_modules') || url.includes('.')) {
+            return next();
+        }
+        req.nkAuth = null;
+        // 1. Check bearer token first (mobile apps)
+        const authHeader = req.headers.authorization;
+        if (authHeader?.startsWith('Bearer ')) {
+            try {
+                const { verifyAccessToken } = await import('./token.js');
+                const user = verifyAccessToken(authHeader.slice(7), config.session.secret);
+                if (user) {
+                    req.nkAuth = { user, session: { accessToken: authHeader.slice(7), expiresAt: 0, user } };
+                    return next();
+                }
+            }
+            catch { /* Invalid token — fall through to cookie auth */ }
+        }
+        // 2. Fall back to cookie-based session (browsers)
+        const cookieHeader = req.headers.cookie;
+        if (!cookieHeader)
+            return next();
+        const sessionCookie = parseSessionCookie(cookieHeader, config.session.cookieName);
+        if (!sessionCookie)
+            return next();
+        const session = await decryptSession(sessionCookie, config.session.secret);
+        if (!session)
+            return next();
+        req.nkAuth = { user: session.user, session };
+        // 3. Check if session was revoked via logout-all
+        if (db && session.createdAt && session.user?.sub) {
+            try {
+                const { getSessionsRevokedAt } = await import('./native-auth.js');
+                const revokedAt = await getSessionsRevokedAt(db, session.user.sub);
+                if (revokedAt && session.createdAt <= revokedAt) {
+                    req.nkAuth = null;
+                    return next();
+                }
+            }
+            catch { /* Revocation check failed — deny access (fail closed) */
+                req.nkAuth = null;
+                return next();
+            }
+        }
+        // 4. Refresh OIDC tokens if about to expire (native sessions don't expire the same way)
+        if (shouldRefreshSession(session) && session.refreshToken && session.provider !== 'native') {
+            const oidc = config.providers.find(p => p.type === 'oidc' && p.name === session.provider);
+            if (oidc) {
+                try {
+                    const { discoverProvider, refreshTokens, extractUser } = await import('./oidc-client.js');
+                    const metadata = await discoverProvider(oidc.issuer);
+                    const tokens = await refreshTokens(metadata, oidc.clientId, oidc.clientSecret, session.refreshToken);
+                    const user = extractUser(tokens.id_token || session.idToken || '', undefined);
+                    user.provider = oidc.name;
+                    const newSession = {
+                        accessToken: tokens.access_token,
+                        refreshToken: tokens.refresh_token || session.refreshToken,
+                        idToken: tokens.id_token || session.idToken,
+                        expiresAt: Math.floor(Date.now() / 1000) + tokens.expires_in,
+                        user,
+                        provider: oidc.name,
+                        createdAt: session.createdAt ?? Math.floor(Date.now() / 1000),
+                    };
+                    const encrypted = await encryptSession(newSession, config.session.secret);
+                    const cookie = createSessionCookie(config.session.cookieName, encrypted, config.session.maxAge, config.session.secure);
+                    res.setHeader('Set-Cookie', cookie);
+                    req.nkAuth = { user: newSession.user, session: newSession };
+                }
+                catch { /* OIDC token refresh failed — keep existing session */ }
+            }
+        }
+        next();
+    };
+}

package/dist/auth/native-auth.d.ts

@@ -0,0 +1,73 @@
+import type { AuthUser, NativeProvider } from './types.js';
+/**
+ * Hash a password using scrypt (Node.js built-in, no dependencies).
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify a password against a stored hash.
+ */
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+/** DB interface — subset of LumenDb */
+interface Db {
+    all<T = any>(sql: string, ...params: any[]): Promise<T[]>;
+    get<T = any>(sql: string, ...params: any[]): Promise<T | undefined>;
+    run(sql: string, ...params: any[]): Promise<{
+        changes: number;
+        lastInsertRowid: number | bigint;
+    }>;
+    exec(sql: string): Promise<void>;
+}
+/**
+ * Ensure the native auth users table exists.
+ */
+export declare function ensureUsersTable(db: Db): Promise<void>;
+/**
+ * Register a new user with email/password.
+ */
+export declare function registerUser(db: Db, email: string, password: string, name?: string, provider?: NativeProvider): Promise<AuthUser>;
+/**
+ * Authenticate a user with email/password.
+ */
+export declare function authenticateUser(db: Db, email: string, password: string): Promise<AuthUser | null>;
+/**
+ * Find a user by email (for account linking with OIDC).
+ */
+export declare function findUserByEmail(db: Db, email: string): Promise<AuthUser | null>;
+/**
+ * Create or link a native user from OIDC claims (account linking by email).
+ * Only links to existing native accounts if the OIDC provider has verified the email.
+ */
+export declare function linkOidcUser(db: Db, oidcUser: AuthUser): Promise<AuthUser>;
+/**
+ * Generate an HMAC-signed email verification token.
+ * Format: userId.expiry.signature (base64url)
+ */
+export declare function generateVerificationToken(userId: string, secret: string, ttlSeconds?: number): string;
+/**
+ * Verify and decode an email verification token.
+ * Returns userId or null if invalid/expired.
+ */
+export declare function verifyVerificationToken(token: string, secret: string): string | null;
+/** Mark a user's email as verified. */
+export declare function verifyUserEmail(db: Db, userId: string): Promise<boolean>;
+/** Check if a user's email is verified. */
+export declare function isEmailVerified(db: Db, userId: string): Promise<boolean>;
+/**
+ * Generate an HMAC-signed password reset token.
+ * Includes a hash of the current password hash so the token auto-invalidates
+ * after the password is changed (single-use without server state).
+ */
+export declare function generateResetToken(userId: string, secret: string, ttlSeconds?: number, currentPasswordHash?: string): string;
+/** Verify a password reset token. Returns userId or null. */
+export declare function verifyResetToken(token: string, secret: string, currentPasswordHash?: string): string | null;
+/** Decode the userId from a reset token payload without verifying. */
+export declare function decodeResetTokenUserId(token: string): string | null;
+/** Update a user's password. */
+export declare function updatePassword(db: Db, userId: string, newPassword: string, minLength?: number): Promise<void>;
+/** Find a user by email. Returns { id, email, name } or null. */
+export declare function findUserIdByEmail(db: Db, email: string): Promise<string | null>;
+/** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
+export declare function revokeAllSessions(db: Db, userId: string): Promise<void>;
+/** Get the epoch-seconds timestamp of the last logout-all, or null if never revoked. */
+export declare function getSessionsRevokedAt(db: Db, userId: string): Promise<number | null>;
+export {};

package/dist/auth/native-auth.js

@@ -0,0 +1,293 @@
+import crypto from 'node:crypto';
+const SALT_LENGTH = 16;
+const KEY_LENGTH = 64;
+const SCRYPT_COST = 16384;
+/**
+ * Hash a password using scrypt (Node.js built-in, no dependencies).
+ */
+export async function hashPassword(password) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    return new Promise((resolve, reject) => {
+        crypto.scrypt(password, salt, KEY_LENGTH, { N: SCRYPT_COST }, (err, derivedKey) => {
+            if (err)
+                reject(err);
+            else
+                resolve(`${salt.toString('hex')}:${derivedKey.toString('hex')}`);
+        });
+    });
+}
+/**
+ * Verify a password against a stored hash.
+ */
+export async function verifyPassword(password, hash) {
+    const [saltHex, keyHex] = hash.split(':');
+    if (!saltHex || !keyHex)
+        return false;
+    const salt = Buffer.from(saltHex, 'hex');
+    return new Promise((resolve, reject) => {
+        crypto.scrypt(password, salt, KEY_LENGTH, { N: SCRYPT_COST }, (err, derivedKey) => {
+            if (err)
+                reject(err);
+            else
+                resolve(crypto.timingSafeEqual(derivedKey, Buffer.from(keyHex, 'hex')));
+        });
+    });
+}
+/**
+ * Ensure the native auth users table exists.
+ */
+export async function ensureUsersTable(db) {
+    await db.exec(`CREATE TABLE IF NOT EXISTS _nk_auth_users (
+    id TEXT PRIMARY KEY,
+    email TEXT NOT NULL UNIQUE,
+    name TEXT,
+    password_hash TEXT NOT NULL,
+    email_verified INTEGER NOT NULL DEFAULT 0,
+    roles TEXT NOT NULL DEFAULT '[]',
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+  )`);
+    // Add email_verified column if table already exists without it
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN email_verified INTEGER NOT NULL DEFAULT 0');
+    }
+    catch { }
+    ;
+    // Add sessions_revoked_at column for logout-all support
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN sessions_revoked_at TEXT');
+    }
+    catch { }
+    ;
+}
+/**
+ * Register a new user with email/password.
+ */
+export async function registerUser(db, email, password, name, provider) {
+    // Basic email format validation
+    if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+        throw new Error('Invalid email address');
+    }
+    const MAX_PASSWORD_LENGTH = 128;
+    const minLength = provider?.minPasswordLength ?? 8;
+    if (password.length < minLength) {
+        throw new Error(`Password must be at least ${minLength} characters`);
+    }
+    if (password.length > MAX_PASSWORD_LENGTH) {
+        throw new Error(`Password must be at most ${MAX_PASSWORD_LENGTH} characters`);
+    }
+    const existing = await db.get('SELECT id FROM _nk_auth_users WHERE email = ?', email);
+    if (existing) {
+        throw new Error('Email already registered');
+    }
+    const id = crypto.randomUUID();
+    const hash = await hashPassword(password);
+    await db.run('INSERT INTO _nk_auth_users (id, email, name, password_hash) VALUES (?, ?, ?, ?)', id, email, name || null, hash);
+    return {
+        sub: id,
+        email,
+        name,
+        roles: [],
+        provider: 'native',
+    };
+}
+/**
+ * Authenticate a user with email/password.
+ */
+export async function authenticateUser(db, email, password) {
+    const row = await db.get('SELECT * FROM _nk_auth_users WHERE email = ?', email);
+    if (!row)
+        return null;
+    const valid = await verifyPassword(password, row.password_hash);
+    if (!valid)
+        return null;
+    let roles = [];
+    try {
+        roles = JSON.parse(row.roles);
+    }
+    catch { }
+    return {
+        sub: row.id,
+        email: row.email,
+        name: row.name,
+        roles,
+        provider: 'native',
+    };
+}
+/**
+ * Find a user by email (for account linking with OIDC).
+ */
+export async function findUserByEmail(db, email) {
+    const row = await db.get('SELECT * FROM _nk_auth_users WHERE email = ?', email);
+    if (!row)
+        return null;
+    let roles = [];
+    try {
+        roles = JSON.parse(row.roles);
+    }
+    catch { }
+    return {
+        sub: row.id,
+        email: row.email,
+        name: row.name,
+        roles,
+        provider: 'native',
+    };
+}
+/**
+ * Create or link a native user from OIDC claims (account linking by email).
+ * Only links to existing native accounts if the OIDC provider has verified the email.
+ */
+export async function linkOidcUser(db, oidcUser) {
+    if (!oidcUser.email)
+        return oidcUser;
+    const existing = await db.get('SELECT * FROM _nk_auth_users WHERE email = ?', oidcUser.email);
+    if (existing) {
+        // Only link if the OIDC provider has verified the email — prevents account takeover
+        if (!oidcUser.email_verified) {
+            return oidcUser;
+        }
+        // Merge roles from both sources
+        let nativeRoles = [];
+        try {
+            nativeRoles = JSON.parse(existing.roles);
+        }
+        catch { }
+        const mergedRoles = [...new Set([...nativeRoles, ...(oidcUser.roles || [])])];
+        return {
+            ...oidcUser,
+            sub: existing.id,
+            roles: mergedRoles,
+        };
+    }
+    // Auto-create native user record from OIDC
+    const id = crypto.randomUUID();
+    const roles = JSON.stringify(oidcUser.roles || []);
+    await db.run(`INSERT INTO _nk_auth_users (id, email, name, password_hash, roles) VALUES (?, ?, ?, '', ?)`, id, oidcUser.email, oidcUser.name || null, roles);
+    return { ...oidcUser, sub: id };
+}
+// ── Email Verification ──────────────────────────────────────────
+/**
+ * Generate an HMAC-signed email verification token.
+ * Format: userId.expiry.signature (base64url)
+ */
+export function generateVerificationToken(userId, secret, ttlSeconds = 86400) {
+    const expiry = Math.floor(Date.now() / 1000) + ttlSeconds;
+    const payload = `${userId}.${expiry}`;
+    const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
+    return `${Buffer.from(payload).toString('base64url')}.${sig}`;
+}
+/**
+ * Verify and decode an email verification token.
+ * Returns userId or null if invalid/expired.
+ */
+export function verifyVerificationToken(token, secret) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const payload = Buffer.from(parts[0], 'base64url').toString('utf8');
+        const expectedSig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
+        if (!crypto.timingSafeEqual(Buffer.from(parts[1]), Buffer.from(expectedSig)))
+            return null;
+        const [userId, expiryStr] = payload.split('.');
+        if (parseInt(expiryStr) < Math.floor(Date.now() / 1000))
+            return null;
+        return userId;
+    }
+    catch {
+        return null;
+    }
+}
+/** Mark a user's email as verified. */
+export async function verifyUserEmail(db, userId) {
+    const result = await db.run('UPDATE _nk_auth_users SET email_verified = 1, updated_at = datetime("now") WHERE id = ?', userId);
+    return result.changes > 0;
+}
+/** Check if a user's email is verified. */
+export async function isEmailVerified(db, userId) {
+    const row = await db.get('SELECT email_verified FROM _nk_auth_users WHERE id = ?', userId);
+    return row?.email_verified === 1;
+}
+// ── Password Reset ──────────────────────────────────────────────
+/**
+ * Generate an HMAC-signed password reset token.
+ * Includes a hash of the current password hash so the token auto-invalidates
+ * after the password is changed (single-use without server state).
+ */
+export function generateResetToken(userId, secret, ttlSeconds = 3600, currentPasswordHash) {
+    const expiry = Math.floor(Date.now() / 1000) + ttlSeconds;
+    // Include a fingerprint of the current password hash to invalidate on change
+    const pwFingerprint = currentPasswordHash
+        ? crypto.createHash('sha256').update(currentPasswordHash).digest('hex').slice(0, 8)
+        : '';
+    const payload = `${userId}.${expiry}.${pwFingerprint}`;
+    const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
+    return `${Buffer.from(payload).toString('base64url')}.${sig}`;
+}
+/** Verify a password reset token. Returns userId or null. */
+export function verifyResetToken(token, secret, currentPasswordHash) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const payload = Buffer.from(parts[0], 'base64url').toString('utf8');
+        const expectedSig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
+        if (!crypto.timingSafeEqual(Buffer.from(parts[1]), Buffer.from(expectedSig)))
+            return null;
+        const segments = payload.split('.');
+        const [userId, expiryStr] = segments;
+        const pwFingerprint = segments[2] || '';
+        if (parseInt(expiryStr) < Math.floor(Date.now() / 1000))
+            return null;
+        // Verify password hasn't changed since token was issued
+        if (pwFingerprint && currentPasswordHash) {
+            const currentFingerprint = crypto.createHash('sha256').update(currentPasswordHash).digest('hex').slice(0, 8);
+            if (pwFingerprint !== currentFingerprint)
+                return null;
+        }
+        return userId;
+    }
+    catch {
+        return null;
+    }
+}
+/** Decode the userId from a reset token payload without verifying. */
+export function decodeResetTokenUserId(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const payload = Buffer.from(parts[0], 'base64url').toString('utf8');
+        return payload.split('.')[0] || null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Update a user's password. */
+export async function updatePassword(db, userId, newPassword, minLength = 8) {
+    if (newPassword.length < minLength)
+        throw new Error(`Password must be at least ${minLength} characters`);
+    if (newPassword.length > 128)
+        throw new Error('Password must be at most 128 characters');
+    const hash = await hashPassword(newPassword);
+    await db.run('UPDATE _nk_auth_users SET password_hash = ?, updated_at = datetime("now") WHERE id = ?', hash, userId);
+}
+/** Find a user by email. Returns { id, email, name } or null. */
+export async function findUserIdByEmail(db, email) {
+    const row = await db.get('SELECT id FROM _nk_auth_users WHERE email = ?', email);
+    return row?.id || null;
+}
+// ── Session Revocation (Logout All) ─────────────────────────────
+/** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
+export async function revokeAllSessions(db, userId) {
+    await db.run('UPDATE _nk_auth_users SET sessions_revoked_at = datetime("now") WHERE id = ?', userId);
+}
+/** Get the epoch-seconds timestamp of the last logout-all, or null if never revoked. */
+export async function getSessionsRevokedAt(db, userId) {
+    const row = await db.get('SELECT sessions_revoked_at FROM _nk_auth_users WHERE id = ?', userId);
+    if (!row?.sessions_revoked_at)
+        return null;
+    return Math.floor(new Date(row.sessions_revoked_at + 'Z').getTime() / 1000);
+}

package/dist/auth/oidc-client.d.ts

@@ -0,0 +1,17 @@
+import type { OIDCMetadata, TokenSet, AuthUser } from './types.js';
+export declare function discoverProvider(issuer: string): Promise<OIDCMetadata>;
+export declare function generateCodeVerifier(): string;
+export declare function generateCodeChallenge(verifier: string): string;
+export declare function buildAuthorizationUrl(metadata: OIDCMetadata, clientId: string, redirectUri: string, scopes: string[], state: string, codeVerifier: string): string;
+export declare function exchangeCode(metadata: OIDCMetadata, clientId: string, clientSecret: string | undefined, code: string, redirectUri: string, codeVerifier: string): Promise<TokenSet>;
+export declare function refreshTokens(metadata: OIDCMetadata, clientId: string, clientSecret: string | undefined, refreshToken: string): Promise<TokenSet>;
+export declare function fetchUserInfo(metadata: OIDCMetadata, accessToken: string): Promise<Record<string, any>>;
+export declare function decodeJwtPayload(token: string): Record<string, any>;
+/**
+ * Validate basic ID token claims (iss, aud, exp) after decoding.
+ * Note: Full JWKS signature verification is not yet implemented.
+ * The token is received directly from the provider's token endpoint over TLS,
+ * which provides transport-level trust, but does not satisfy OIDC §3.1.3.7.
+ */
+export declare function validateIdTokenClaims(claims: Record<string, any>, issuer: string, clientId: string): void;
+export declare function extractUser(idToken: string, userInfo?: Record<string, any>): AuthUser;

package/dist/auth/oidc-client.js

@@ -0,0 +1,123 @@
+import crypto from 'node:crypto';
+const METADATA_TTL_MS = 60 * 60 * 1000; // 1 hour
+const metadataCache = new Map();
+export async function discoverProvider(issuer) {
+    const cached = metadataCache.get(issuer);
+    if (cached && Date.now() - cached.fetchedAt < METADATA_TTL_MS)
+        return cached.metadata;
+    const url = issuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
+    const res = await fetch(url);
+    if (!res.ok)
+        throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`);
+    const metadata = await res.json();
+    metadataCache.set(issuer, { metadata, fetchedAt: Date.now() });
+    return metadata;
+}
+export function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+export function generateCodeChallenge(verifier) {
+    return crypto.createHash('sha256').update(verifier).digest('base64url');
+}
+export function buildAuthorizationUrl(metadata, clientId, redirectUri, scopes, state, codeVerifier) {
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        scope: scopes.join(' '),
+        state,
+        code_challenge: generateCodeChallenge(codeVerifier),
+        code_challenge_method: 'S256',
+    });
+    return `${metadata.authorization_endpoint}?${params}`;
+}
+export async function exchangeCode(metadata, clientId, clientSecret, code, redirectUri, codeVerifier) {
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: clientId,
+        code,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier,
+    });
+    if (clientSecret)
+        body.set('client_secret', clientSecret);
+    const res = await fetch(metadata.token_endpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        const err = await res.text();
+        throw new Error(`Token exchange failed: ${res.status} ${err}`);
+    }
+    return res.json();
+}
+export async function refreshTokens(metadata, clientId, clientSecret, refreshToken) {
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: clientId,
+        refresh_token: refreshToken,
+    });
+    if (clientSecret)
+        body.set('client_secret', clientSecret);
+    const res = await fetch(metadata.token_endpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: body.toString(),
+    });
+    if (!res.ok)
+        throw new Error(`Token refresh failed: ${res.status}`);
+    return res.json();
+}
+export async function fetchUserInfo(metadata, accessToken) {
+    const res = await fetch(metadata.userinfo_endpoint, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok)
+        throw new Error(`UserInfo fetch failed: ${res.status}`);
+    return res.json();
+}
+export function decodeJwtPayload(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        throw new Error('Invalid JWT');
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+    return JSON.parse(payload);
+}
+/**
+ * Validate basic ID token claims (iss, aud, exp) after decoding.
+ * Note: Full JWKS signature verification is not yet implemented.
+ * The token is received directly from the provider's token endpoint over TLS,
+ * which provides transport-level trust, but does not satisfy OIDC §3.1.3.7.
+ */
+export function validateIdTokenClaims(claims, issuer, clientId) {
+    if (!claims.iss)
+        throw new Error('ID token missing iss claim');
+    if (claims.iss !== issuer) {
+        throw new Error(`ID token issuer mismatch: expected ${issuer}, got ${claims.iss}`);
+    }
+    if (!claims.aud)
+        throw new Error('ID token missing aud claim');
+    const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
+    if (!audiences.includes(clientId)) {
+        throw new Error(`ID token audience mismatch: expected ${clientId}`);
+    }
+    if (!claims.exp || typeof claims.exp !== 'number')
+        throw new Error('ID token missing exp claim');
+    if (claims.exp < Math.floor(Date.now() / 1000)) {
+        throw new Error('ID token has expired');
+    }
+}
+export function extractUser(idToken, userInfo) {
+    const claims = decodeJwtPayload(idToken);
+    const merged = { ...claims, ...userInfo };
+    return {
+        sub: merged.sub,
+        email: merged.email,
+        name: merged.name || merged.preferred_username,
+        preferred_username: merged.preferred_username,
+        roles: merged.realm_access?.roles || merged.roles || [],
+        email_verified: merged.email_verified,
+        provider: merged.provider,
+    };
+}

package/dist/auth/providers/google.d.ts

@@ -0,0 +1,23 @@
+import type { OIDCProvider } from '../types.js';
+export interface GoogleProviderOptions {
+    clientId: string;
+    clientSecret?: string;
+    /** Extra scopes beyond openid, profile, email. */
+    scopes?: string[];
+}
+/**
+ * Pre-configured Google OIDC provider.
+ *
+ * Google publishes a standard OIDC discovery document at
+ * https://accounts.google.com/.well-known/openid-configuration
+ * so no manual endpoint config is needed.
+ *
+ * @example
+ * // lumenjs.auth.ts
+ * import { googleProvider } from '@nuraly/lumenjs/dist/auth/providers/google.js';
+ * export default {
+ *   providers: [googleProvider({ clientId: process.env.GOOGLE_CLIENT_ID! })],
+ *   session: { secret: process.env.SESSION_SECRET! },
+ * };
+ */
+export declare function googleProvider(opts: GoogleProviderOptions): OIDCProvider;

package/dist/auth/providers/google.js

@@ -0,0 +1,25 @@
+/**
+ * Pre-configured Google OIDC provider.
+ *
+ * Google publishes a standard OIDC discovery document at
+ * https://accounts.google.com/.well-known/openid-configuration
+ * so no manual endpoint config is needed.
+ *
+ * @example
+ * // lumenjs.auth.ts
+ * import { googleProvider } from '@nuraly/lumenjs/dist/auth/providers/google.js';
+ * export default {
+ *   providers: [googleProvider({ clientId: process.env.GOOGLE_CLIENT_ID! })],
+ *   session: { secret: process.env.SESSION_SECRET! },
+ * };
+ */
+export function googleProvider(opts) {
+    return {
+        type: 'oidc',
+        name: 'google',
+        issuer: 'https://accounts.google.com',
+        clientId: opts.clientId,
+        clientSecret: opts.clientSecret,
+        scopes: ['openid', 'profile', 'email', ...(opts.scopes ?? [])],
+    };
+}

package/dist/auth/providers/index.d.ts

@@ -0,0 +1,2 @@
+export { googleProvider } from './google.js';
+export type { GoogleProviderOptions } from './google.js';

package/dist/auth/providers/index.js

@@ -0,0 +1 @@
+export { googleProvider } from './google.js';

package/dist/auth/routes/login.d.ts

@@ -0,0 +1,8 @@
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { ResolvedAuthConfig } from '../types.js';
+/**
+ * Handle OIDC login — redirect to provider's authorization endpoint.
+ * Returns true if handled, false if no OIDC provider found (caller should fall through).
+ */
+export declare function handleOidcLogin(config: ResolvedAuthConfig, res: ServerResponse, url: URL, providerName: string | undefined): Promise<boolean>;
+export declare function handleNativeLogin(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, url: URL, db?: any): Promise<boolean>;