@nuraly/lumenjs 0.1.3 → 0.2.0

package/dist/auth/routes/totp.js

@@ -0,0 +1,232 @@
+import { sendJson, readBody } from './utils.js';
+import { encryptSession, createSessionCookie, decryptSession } from '../session.js';
+import { encryptTotpSecret, decryptTotpSecret, saveTotpSecret, enableTotp, disableTotp, getTotpState, } from '../native-auth.js';
+function parseCookies(req) {
+    const cookies = {};
+    const header = req.headers.cookie || '';
+    for (const part of header.split(';')) {
+        const [k, ...v] = part.trim().split('=');
+        if (k)
+            cookies[k.trim()] = decodeURIComponent(v.join('='));
+    }
+    return cookies;
+}
+/**
+ * POST /__nk_auth/totp/setup
+ * Generates a new TOTP secret for the authenticated user and returns a QR code.
+ */
+export async function handleTotpSetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const QRCode = await import('qrcode');
+        const secret = authenticator.generateSecret();
+        const appName = config.totp?.appName || 'Nuraly';
+        const otpauthUri = authenticator.keyuri(user.email || user.sub, appName, secret);
+        const qrDataUrl = await QRCode.default.toDataURL(otpauthUri);
+        const encrypted = await encryptTotpSecret(secret, config.session.secret);
+        await saveTotpSecret(db, user.sub, encrypted);
+        sendJson(res, 200, { qrDataUrl, otpauthUri });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Setup failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/verify-setup
+ * Confirms setup by verifying the first 6-digit code and enables TOTP.
+ */
+export async function handleTotpVerifySetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.encryptedSecret) {
+            sendJson(res, 400, { error: 'No pending TOTP setup' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        await enableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Verification failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/disable
+ * Disables TOTP after verifying a valid code.
+ */
+export async function handleTotpDisable(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.totpEnabled || !state.encryptedSecret) {
+            sendJson(res, 400, { error: '2FA is not enabled' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code' });
+            return true;
+        }
+        await disableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Failed to disable 2FA' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/challenge
+ * Exchanges a pending-2FA cookie + valid TOTP code for a full session cookie.
+ */
+export async function handleTotpChallenge(config, req, res, db) {
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    const cookies = parseCookies(req);
+    const pendingEncrypted = cookies['nk-totp-pending'];
+    if (!pendingEncrypted) {
+        sendJson(res, 401, { error: 'No pending 2FA session' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        // Decrypt and validate the pending session
+        const pending = await decryptSession(pendingEncrypted, config.session.secret);
+        if (!pending || !pending.accessToken.startsWith('totp-pending:')) {
+            sendJson(res, 401, { error: 'Invalid pending session' });
+            return true;
+        }
+        if (pending.expiresAt < Math.floor(Date.now() / 1000)) {
+            sendJson(res, 401, { error: '2FA session expired — please log in again' });
+            return true;
+        }
+        const userId = pending.accessToken.slice('totp-pending:'.length);
+        // Fetch full user row
+        const row = await db.get('SELECT * FROM _nk_auth_users WHERE id = ?', userId);
+        if (!row) {
+            sendJson(res, 401, { error: 'User not found' });
+            return true;
+        }
+        // Verify TOTP code
+        const { authenticator } = await import('otplib');
+        if (!row.totp_enabled || !row.totp_secret) {
+            sendJson(res, 400, { error: '2FA not enabled for this account' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(row.totp_secret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        // Build full user object
+        let roles = [];
+        try {
+            roles = JSON.parse(row.roles);
+        }
+        catch { }
+        const user = { sub: row.id, email: row.email, name: row.name, roles, provider: 'native' };
+        // Issue full session cookie
+        const sessionData = {
+            accessToken: `native:${user.sub}`,
+            expiresAt: Math.floor(Date.now() / 1000) + config.session.maxAge,
+            user,
+            provider: 'native',
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        const encrypted = await encryptSession(sessionData, config.session.secret);
+        const sessionCookie = createSessionCookie(config.session.cookieName, encrypted, config.session.maxAge, config.session.secure);
+        // Clear the pending cookie
+        const clearPending = `nk-totp-pending=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax${config.session.secure ? '; Secure' : ''}`;
+        const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+        const returnTo = url.searchParams.get('returnTo') || config.routes.postLogin;
+        if (req.headers.accept?.includes('application/json')) {
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end(JSON.stringify({ user, returnTo }));
+        }
+        else {
+            res.writeHead(302, { Location: returnTo, 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end();
+        }
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Challenge failed' });
+    }
+    return true;
+}

package/dist/auth/routes/utils.d.ts

@@ -0,0 +1,7 @@
+import type { IncomingMessage, ServerResponse } from 'http';
+export declare function readBody(req: IncomingMessage, maxSize?: number): Promise<string>;
+export declare function sendJson(res: ServerResponse, status: number, data: any): void;
+/** Check if request wants token-based auth (mobile) -- only with explicit ?mode=token */
+export declare function isTokenMode(url: URL, _req: IncomingMessage): boolean;
+/** Validate returnTo is a safe relative path (prevents open redirect). */
+export declare function safeReturnTo(returnTo: string | null, fallback: string): string;

package/dist/auth/routes/utils.js

@@ -0,0 +1,35 @@
+const MAX_BODY_SIZE = 64 * 1024; // 64 KB — sufficient for auth payloads
+export function readBody(req, maxSize = MAX_BODY_SIZE) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on('data', (c) => {
+            size += c.length;
+            if (size > maxSize) {
+                req.destroy();
+                reject(new Error('Request body too large'));
+                return;
+            }
+            chunks.push(c);
+        });
+        req.on('end', () => resolve(Buffer.concat(chunks).toString()));
+        req.on('error', reject);
+    });
+}
+export function sendJson(res, status, data) {
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify(data));
+}
+/** Check if request wants token-based auth (mobile) -- only with explicit ?mode=token */
+export function isTokenMode(url, _req) {
+    return url.searchParams.get('mode') === 'token';
+}
+/** Validate returnTo is a safe relative path (prevents open redirect). */
+export function safeReturnTo(returnTo, fallback) {
+    if (!returnTo)
+        return fallback;
+    // Must start with / and must not start with // (protocol-relative URL)
+    if (returnTo.startsWith('/') && !returnTo.startsWith('//'))
+        return returnTo;
+    return fallback;
+}

package/dist/auth/routes/verify.d.ts

@@ -0,0 +1,3 @@
+import type { ServerResponse } from 'http';
+import type { ResolvedAuthConfig } from '../types.js';
+export declare function handleVerifyEmail(config: ResolvedAuthConfig, url: URL, res: ServerResponse, db?: any): Promise<boolean>;

package/dist/auth/routes/verify.js

@@ -0,0 +1,26 @@
+export async function handleVerifyEmail(config, url, res, db) {
+    const token = url.searchParams.get('token');
+    // If no DB or no token, redirect to verify page which shows proper UI
+    if (!db || !token) {
+        res.writeHead(302, { Location: `/auth/verify${token ? '?token=' + encodeURIComponent(token) : '?error=missing'}` });
+        res.end();
+        return true;
+    }
+    const { verifyVerificationToken, verifyUserEmail } = await import('../native-auth.js');
+    const userId = verifyVerificationToken(token, config.session.secret);
+    if (!userId) {
+        res.writeHead(302, { Location: '/auth/verify?error=invalid' });
+        res.end();
+        return true;
+    }
+    const verified = await verifyUserEmail(db, userId);
+    if (!verified) {
+        res.writeHead(302, { Location: '/auth/verify?error=not_found' });
+        res.end();
+        return true;
+    }
+    // Redirect to login page with success message
+    res.writeHead(302, { Location: `${config.routes.loginPage}?verified=true` });
+    res.end();
+    return true;
+}

package/dist/auth/routes.d.ts

@@ -0,0 +1,8 @@
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { ResolvedAuthConfig } from './types.js';
+/**
+ * Handle auth routes (login, callback, logout, signup, me).
+ * Supports both OIDC and native auth.
+ * Returns true if the request was handled.
+ */
+export declare function handleAuthRoutes(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;

package/dist/auth/routes.js

@@ -0,0 +1,124 @@
+import { sendJson } from './routes/utils.js';
+import { handleNativeLogin, handleOidcLogin } from './routes/login.js';
+import { handleNativeSignup } from './routes/signup.js';
+import { handleOidcCallback } from './routes/oidc-callback.js';
+import { handleLogout, handleLogoutAll } from './routes/logout.js';
+import { handleVerifyEmail } from './routes/verify.js';
+import { handleForgotPassword, handleResetPassword, handleChangePassword } from './routes/password.js';
+import { handleTokenRefresh, handleTokenRevoke } from './routes/token.js';
+import { handleTotpSetup, handleTotpVerifySetup, handleTotpDisable, handleTotpChallenge } from './routes/totp.js';
+/**
+ * Validate Origin header on POST requests to prevent CSRF.
+ * Returns true if the request is safe to proceed.
+ */
+function checkOrigin(req, url) {
+    if (req.method !== 'POST')
+        return true;
+    const origin = req.headers.origin || req.headers.referer;
+    if (!origin)
+        return true; // Allow requests without Origin (non-browser clients)
+    try {
+        const originUrl = new URL(origin);
+        // Direct match
+        if (originUrl.origin === url.origin)
+            return true;
+        // Behind reverse proxy: check X-Forwarded-Host
+        const fwdHost = req.headers['x-forwarded-host']?.split(',')[0]?.trim();
+        if (fwdHost && originUrl.host === fwdHost)
+            return true;
+        // Match hostname only (ignore port differences from proxy)
+        if (originUrl.hostname === url.hostname)
+            return true;
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Handle auth routes (login, callback, logout, signup, me).
+ * Supports both OIDC and native auth.
+ * Returns true if the request was handled.
+ */
+export async function handleAuthRoutes(config, req, res, db) {
+    const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+    const pathname = url.pathname;
+    const routes = config.routes;
+    // CSRF check: verify Origin header on POST requests
+    if (req.method === 'POST' && !checkOrigin(req, url)) {
+        sendJson(res, 403, { error: 'Origin mismatch — possible CSRF' });
+        return true;
+    }
+    // ── Login (GET) — redirect to OIDC or show available methods ──
+    // /__nk_auth/login/<provider> — specific provider
+    // /__nk_auth/login — default provider or first OIDC
+    if (pathname.startsWith(routes.login)) {
+        const providerName = pathname.slice(routes.login.length + 1) || undefined; // e.g. "keycloak"
+        // Native login via POST
+        if (req.method === 'POST') {
+            return handleNativeLogin(config, req, res, url, db);
+        }
+        // OIDC login
+        return handleOidcLogin(config, res, url, providerName);
+    }
+    // ── Signup (POST) — native registration ───────────────────────
+    if (pathname === routes.signup && req.method === 'POST') {
+        return handleNativeSignup(config, req, res, db);
+    }
+    // ── Callback — OIDC code exchange ─────────────────────────────
+    if (pathname === routes.callback) {
+        return handleOidcCallback(config, req, res, url, db);
+    }
+    // ── Logout ────────────────────────────────────────────────────
+    if (pathname === routes.logout) {
+        return handleLogout(config, req, res, url, db);
+    }
+    // ── Logout All — invalidate all sessions across devices ──────
+    if (pathname === '/__nk_auth/logout-all' && req.method === 'POST') {
+        return handleLogoutAll(config, req, res, db);
+    }
+    // ── Me — return current user ──────────────────────────────────
+    if (pathname === '/__nk_auth/me') {
+        const user = req.nkAuth?.user ?? null;
+        sendJson(res, 200, user);
+        return true;
+    }
+    // ── Verify email ───────────────────────────────────────────────
+    if (pathname === '/__nk_auth/verify-email' && req.method === 'GET') {
+        return handleVerifyEmail(config, url, res, db);
+    }
+    // ── Forgot password (request reset) ───────────────────────────
+    if (pathname === '/__nk_auth/forgot-password' && req.method === 'POST') {
+        return handleForgotPassword(config, req, res, db);
+    }
+    // ── Reset password (with token) ───────────────────────────────
+    if (pathname === '/__nk_auth/reset-password' && req.method === 'POST') {
+        return handleResetPassword(config, req, res, db);
+    }
+    // ── Change password (authenticated) ──────────────────────────
+    if (pathname === '/__nk_auth/change-password' && req.method === 'POST') {
+        return handleChangePassword(config, req, res, db);
+    }
+    // ── Refresh — exchange refresh token for new access token ─────
+    if (pathname === '/__nk_auth/refresh' && req.method === 'POST') {
+        return handleTokenRefresh(config, req, res, db);
+    }
+    // ── Revoke — invalidate refresh token (mobile logout) ─────────
+    if (pathname === '/__nk_auth/revoke' && req.method === 'POST') {
+        return handleTokenRevoke(req, res, db);
+    }
+    // ── TOTP 2FA ──────────────────────────────────────────────────
+    if (pathname === '/__nk_auth/totp/setup' && req.method === 'POST') {
+        return handleTotpSetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/verify-setup' && req.method === 'POST') {
+        return handleTotpVerifySetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/disable' && req.method === 'POST') {
+        return handleTotpDisable(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/challenge' && req.method === 'POST') {
+        return handleTotpChallenge(config, req, res, db);
+    }
+    return false;
+}

package/dist/auth/session.d.ts

@@ -0,0 +1,8 @@
+import type { SessionData } from './types.js';
+export declare function deriveKey(secret: string): Buffer;
+export declare function encryptSession(data: SessionData, secret: string): Promise<string>;
+export declare function decryptSession(cookie: string, secret: string): Promise<SessionData | null>;
+export declare function createSessionCookie(name: string, value: string, maxAge: number, secure: boolean): string;
+export declare function clearSessionCookie(name: string): string;
+export declare function parseSessionCookie(cookieHeader: string, name: string): string | undefined;
+export declare function shouldRefreshSession(session: SessionData): boolean;

package/dist/auth/session.js

@@ -0,0 +1,54 @@
+import crypto from 'node:crypto';
+const keyCache = new Map();
+export function deriveKey(secret) {
+    const cached = keyCache.get(secret);
+    if (cached)
+        return cached;
+    const key = Buffer.from(crypto.hkdfSync('sha256', secret, '', 'lumenjs-session', 32));
+    keyCache.set(secret, key);
+    return key;
+}
+export async function encryptSession(data, secret) {
+    const key = deriveKey(secret);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const plaintext = JSON.stringify(data);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('base64url')}.${ciphertext.toString('base64url')}.${tag.toString('base64url')}`;
+}
+export async function decryptSession(cookie, secret) {
+    try {
+        const parts = cookie.split('.');
+        if (parts.length !== 3)
+            return null;
+        const iv = Buffer.from(parts[0], 'base64url');
+        const ciphertext = Buffer.from(parts[1], 'base64url');
+        const tag = Buffer.from(parts[2], 'base64url');
+        const key = deriveKey(secret);
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(tag);
+        const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        return JSON.parse(plaintext.toString('utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function createSessionCookie(name, value, maxAge, secure) {
+    let cookie = `${name}=${value}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${maxAge}`;
+    if (secure)
+        cookie += '; Secure';
+    return cookie;
+}
+export function clearSessionCookie(name) {
+    return `${name}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+export function parseSessionCookie(cookieHeader, name) {
+    const escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapedName}=([^;]*)`));
+    return match ? match[1] : undefined;
+}
+export function shouldRefreshSession(session) {
+    return session.expiresAt - Date.now() / 1000 < 300;
+}

package/dist/auth/token.d.ts

@@ -0,0 +1,33 @@
+import type { AuthUser } from './types.js';
+/**
+ * Issue a short-lived access token (HMAC-SHA256 signed, stateless).
+ * Format: base64url(payload).base64url(signature)
+ */
+export declare function issueAccessToken(user: AuthUser, secret: string, ttlSeconds: number): string;
+/**
+ * Verify and decode an access token. Returns the user or null if invalid/expired.
+ */
+export declare function verifyAccessToken(token: string, secret: string): AuthUser | null;
+/**
+ * Generate an opaque refresh token (random bytes, stored hashed in DB).
+ */
+export declare function generateRefreshToken(): string;
+/**
+ * Hash a refresh token for DB storage (SHA-256).
+ */
+export declare function hashRefreshToken(token: string): string;
+interface Db {
+    all<T = any>(sql: string, ...params: any[]): Promise<T[]>;
+    get<T = any>(sql: string, ...params: any[]): Promise<T | undefined>;
+    run(sql: string, ...params: any[]): Promise<{
+        changes: number;
+        lastInsertRowid: number | bigint;
+    }>;
+    exec(sql: string): Promise<void>;
+}
+export declare function ensureRefreshTokenTable(db: Db): Promise<void>;
+export declare function storeRefreshToken(db: Db, token: string, userId: string, ttlSeconds: number): Promise<void>;
+export declare function validateRefreshToken(db: Db, token: string): Promise<string | null>;
+export declare function deleteRefreshToken(db: Db, token: string): Promise<void>;
+export declare function deleteAllRefreshTokens(db: Db, userId: string): Promise<void>;
+export {};

package/dist/auth/token.js

@@ -0,0 +1,90 @@
+import crypto from 'node:crypto';
+/**
+ * Issue a short-lived access token (HMAC-SHA256 signed, stateless).
+ * Format: base64url(payload).base64url(signature)
+ */
+export function issueAccessToken(user, secret, ttlSeconds) {
+    const payload = {
+        sub: user.sub,
+        email: user.email,
+        name: user.name,
+        roles: user.roles || [],
+        provider: user.provider,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + ttlSeconds,
+    };
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = crypto.createHmac('sha256', secret).update(payloadB64).digest('base64url');
+    return `${payloadB64}.${signature}`;
+}
+/**
+ * Verify and decode an access token. Returns the user or null if invalid/expired.
+ */
+export function verifyAccessToken(token, secret) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const [payloadB64, signature] = parts;
+        const expectedSig = crypto.createHmac('sha256', secret).update(payloadB64).digest('base64url');
+        if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig)))
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
+        if (payload.exp < Math.floor(Date.now() / 1000))
+            return null;
+        return {
+            sub: payload.sub,
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles || [],
+            provider: payload.provider,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate an opaque refresh token (random bytes, stored hashed in DB).
+ */
+export function generateRefreshToken() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+/**
+ * Hash a refresh token for DB storage (SHA-256).
+ */
+export function hashRefreshToken(token) {
+    return crypto.createHash('sha256').update(token).digest('hex');
+}
+export async function ensureRefreshTokenTable(db) {
+    await db.exec(`CREATE TABLE IF NOT EXISTS _nk_auth_refresh_tokens (
+    id SERIAL PRIMARY KEY,
+    token_hash TEXT NOT NULL UNIQUE,
+    user_id TEXT NOT NULL,
+    expires_at TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT NOW()
+  )`);
+}
+export async function storeRefreshToken(db, token, userId, ttlSeconds) {
+    const tokenHash = hashRefreshToken(token);
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    await db.run('INSERT INTO _nk_auth_refresh_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)', tokenHash, userId, expiresAt);
+}
+export async function validateRefreshToken(db, token) {
+    const tokenHash = hashRefreshToken(token);
+    const row = await db.get('SELECT user_id, expires_at FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+    if (!row)
+        return null;
+    if (new Date(row.expires_at) < new Date()) {
+        await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+        return null;
+    }
+    return row.user_id;
+}
+export async function deleteRefreshToken(db, token) {
+    const tokenHash = hashRefreshToken(token);
+    await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+}
+export async function deleteAllRefreshTokens(db, userId) {
+    await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE user_id = ?', userId);
+}