@nwire/auth 0.7.0

package/dist/identity.d.ts

@@ -0,0 +1,85 @@
+/**
+ * `IdpAdapter` — the contract every authentication backend implements.
+ *
+ * Adapter packages (`@nwire/auth-better-auth`, `@nwire/auth-logto`,
+ * `@nwire/auth-passport`, …) provide an instance of this interface. The
+ * `identityPlugin` registers it on the container and wires the HTTP layer
+ * to call `verifyToken` on each request.
+ *
+ * Actions the adapter MUST support (everything else is optional):
+ *   - `verifyToken(token)` — resolve a bearer/session token to a User
+ *   - `signIn(credentials)` — credentialed login
+ *   - `signOut(token)` — invalidate token / session
+ *
+ * Optional flows depend on the IdP's capabilities — gracefully degrade.
+ */
+import type { PluginDefinition } from "@nwire/forge";
+import type { User } from "./user.js";
+/**
+ * Sub-shape: tokens the adapter mints on sign-in or refresh. Most adapters
+ * return a JWT + refresh token; OIDC adapters add an ID token; session
+ * adapters return a session ID. `expiresAt` is the access token's expiry.
+ */
+export interface AuthTokens {
+    readonly accessToken: string;
+    readonly refreshToken?: string;
+    readonly idToken?: string;
+    readonly expiresAt?: number;
+    readonly tokenType?: "Bearer" | "Cookie";
+}
+export interface SignInInput {
+    readonly email?: string;
+    readonly password?: string;
+    /** Adapter-specific extras — magic links, social provider id, MFA codes, etc. */
+    readonly extras?: Record<string, any>;
+}
+export interface RegisterInput {
+    readonly email: string;
+    readonly password?: string;
+    readonly name?: string;
+    readonly extras?: Record<string, any>;
+}
+export interface IdpAdapter {
+    /**
+     * Verify a token (bearer / session ID) and return the User it identifies.
+     * Return `null` for "token doesn't resolve to a user" (expired, revoked,
+     * malformed). Throw only for adapter-level failures (IdP unreachable).
+     */
+    verifyToken(token: string): Promise<User | null>;
+    /** Credentialed sign-in. Returns User + token bundle. */
+    signIn(input: SignInInput): Promise<{
+        user: User;
+        tokens: AuthTokens;
+    }>;
+    /** Invalidate the session/token. */
+    signOut(token: string): Promise<void>;
+    /** Refresh an access token using a refresh token. Optional. */
+    refresh?(refreshToken: string): Promise<AuthTokens>;
+    /** Register a new user. Optional — IdP-backed apps usually don't expose this. */
+    register?(input: RegisterInput): Promise<{
+        user: User;
+        tokens?: AuthTokens;
+    }>;
+    /** Begin password reset flow (send email). Optional. */
+    requestPasswordReset?(email: string): Promise<void>;
+    /** Complete password reset flow (consume reset token + new password). Optional. */
+    resetPassword?(resetToken: string, newPassword: string): Promise<void>;
+    /** Verify an email-confirmation token. Optional. */
+    verifyEmail?(verificationToken: string): Promise<void>;
+    /** Adapter shutdown — close pools, flush caches, etc. */
+    shutdown?(): Promise<void>;
+}
+export interface IdentityPluginOptions {
+    /** The adapter implementing the IdP behaviors. */
+    readonly adapter: IdpAdapter;
+    /** Container token the adapter is registered under. Default: `"idp"`. */
+    readonly name?: string;
+}
+/**
+ * Identity plugin — registers the adapter on the container. HTTP-level
+ * token extraction (Authorization header, session cookie, etc.) lives in
+ * each adapter's wire integration (`adapter.applyToWire(koa)` is the
+ * usual hook).
+ */
+export declare function identityPlugin(options: IdentityPluginOptions): PluginDefinition;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAEnC;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC1C;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,iFAAiF;IAEjF,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAEvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,UAAU;IACzB;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAEjD,yDAAyD;IACzD,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IAExE,oCAAoC;IACpC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtC,+DAA+D;IAC/D,OAAO,CAAC,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEpD,iFAAiF;IACjF,QAAQ,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,CAAC,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IAE9E,wDAAwD;IACxD,oBAAoB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD,mFAAmF;IACnF,aAAa,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvE,oDAAoD;IACpD,WAAW,CAAC,CAAC,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvD,yDAAyD;IACzD,QAAQ,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B;AAED,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC;IAC7B,yEAAyE;IACzE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,gBAAgB,CAU/E"}

package/dist/identity.js

@@ -0,0 +1,35 @@
+/**
+ * `IdpAdapter` — the contract every authentication backend implements.
+ *
+ * Adapter packages (`@nwire/auth-better-auth`, `@nwire/auth-logto`,
+ * `@nwire/auth-passport`, …) provide an instance of this interface. The
+ * `identityPlugin` registers it on the container and wires the HTTP layer
+ * to call `verifyToken` on each request.
+ *
+ * Actions the adapter MUST support (everything else is optional):
+ *   - `verifyToken(token)` — resolve a bearer/session token to a User
+ *   - `signIn(credentials)` — credentialed login
+ *   - `signOut(token)` — invalidate token / session
+ *
+ * Optional flows depend on the IdP's capabilities — gracefully degrade.
+ */
+import { definePlugin } from "@nwire/forge";
+/**
+ * Identity plugin — registers the adapter on the container. HTTP-level
+ * token extraction (Authorization header, session cookie, etc.) lives in
+ * each adapter's wire integration (`adapter.applyToWire(koa)` is the
+ * usual hook).
+ */
+export function identityPlugin(options) {
+    const name = options.name ?? "idp";
+    return definePlugin("identity", {
+        register: (container) => {
+            container.register(name, options.adapter);
+        },
+        shutdown: async () => {
+            if (options.adapter.shutdown)
+                await options.adapter.shutdown();
+        },
+    });
+}
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAwE5C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,OAA8B;IAC3D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;IACnC,OAAO,YAAY,CAAC,UAAU,EAAE;QAC9B,QAAQ,EAAE,CAAC,SAAS,EAAE,EAAE;YACtB,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC;QACD,QAAQ,EAAE,KAAK,IAAI,EAAE;YACnB,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ;gBAAE,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACjE,CAAC;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/resolvers.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Canonical auth resolvers — every adapter inherits these. The resolver
+ * body looks up the IdpAdapter on the container and delegates; adapters
+ * never re-implement HTTP shape, only the business logic.
+ *
+ * Apps mount whichever subset they need:
+ *
+ *   import { SignIn, SignOut, Register, Me } from "@nwire/auth";
+ *   rest.mount([
+ *     [SignIn,   post("/auth/sign-in")],
+ *     [SignOut,  post("/auth/sign-out")],
+ *     [Register, post("/auth/register")],
+ *     [Me,       get("/auth/me")],
+ *   ]);
+ */
+import { z } from "zod";
+export declare const SignIn: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    email: z.ZodEmail;
+    password: z.ZodString;
+}, z.core.$strip>, {
+    email: string;
+    password: string;
+}>;
+export declare const SignOut: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    token: z.ZodString;
+}, z.core.$strip>, {
+    token: string;
+}>;
+export declare const Refresh: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    refreshToken: z.ZodString;
+}, z.core.$strip>, {
+    refreshToken: string;
+}>;
+export declare const Register: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    email: z.ZodEmail;
+    password: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, {
+    email: string;
+    password: string;
+    name?: string | undefined;
+}>;
+export declare const RequestPasswordReset: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    email: z.ZodEmail;
+}, z.core.$strip>, {
+    email: string;
+}>;
+export declare const ResetPassword: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    resetToken: z.ZodString;
+    newPassword: z.ZodString;
+}, z.core.$strip>, {
+    resetToken: string;
+    newPassword: string;
+}>;
+export declare const VerifyEmail: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    verificationToken: z.ZodString;
+}, z.core.$strip>, {
+    verificationToken: string;
+}>;
+export declare const Me: import("@nwire/forge").ResolverDefinition<undefined, undefined, z.ZodObject<{
+    token: z.ZodString;
+}, z.core.$strip>, {
+    token: string;
+}>;
+//# sourceMappingURL=resolvers.d.ts.map

package/dist/resolvers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../src/resolvers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAoCxB,eAAO,MAAM,MAAM;;;;;;EAejB,CAAC;AAEH,eAAO,MAAM,OAAO;;;;EAYlB,CAAC;AAEH,eAAO,MAAM,OAAO;;;;EAalB,CAAC;AAEH,eAAO,MAAM,QAAQ;;;;;;;;EA0BnB,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;EAa/B,CAAC;AAEH,eAAO,MAAM,aAAa;;;;;;EAgBxB,CAAC;AAEH,eAAO,MAAM,WAAW;;;;EAatB,CAAC;AAEH,eAAO,MAAM,EAAE;;;;EAab,CAAC"}

package/dist/resolvers.js

@@ -0,0 +1,181 @@
+/**
+ * Canonical auth resolvers — every adapter inherits these. The resolver
+ * body looks up the IdpAdapter on the container and delegates; adapters
+ * never re-implement HTTP shape, only the business logic.
+ *
+ * Apps mount whichever subset they need:
+ *
+ *   import { SignIn, SignOut, Register, Me } from "@nwire/auth";
+ *   rest.mount([
+ *     [SignIn,   post("/auth/sign-in")],
+ *     [SignOut,  post("/auth/sign-out")],
+ *     [Register, post("/auth/register")],
+ *     [Me,       get("/auth/me")],
+ *   ]);
+ */
+import { z } from "zod";
+import { defineResource, defineResolver, response, NotFound } from "@nwire/forge";
+const UserPublic = defineResource("User", {
+    schema: z.object({
+        id: z.string(),
+        email: z.string().optional(),
+        name: z.string().optional(),
+        roles: z.array(z.string()).readonly().optional(),
+        tenant: z.string().optional(),
+    }),
+});
+const TokensPublic = defineResource("AuthTokens", {
+    schema: z.object({
+        accessToken: z.string(),
+        refreshToken: z.string().optional(),
+        idToken: z.string().optional(),
+        expiresAt: z.number().optional(),
+        tokenType: z.enum(["Bearer", "Cookie"]).optional(),
+    }),
+});
+const SignInResult = defineResource("SignInResult", {
+    schema: z.object({
+        user: UserPublic.schema,
+        tokens: TokensPublic.schema,
+    }),
+});
+const ok202 = response(202);
+const ok200User = response(200, UserPublic);
+const ok200SignIn = response(200, SignInResult);
+const ok200Tokens = response(200, TokensPublic);
+export const SignIn = defineResolver({
+    operation: "auth.SignIn",
+    version: 1,
+    status: "active",
+    summary: "Authenticate with email + password",
+    body: z.object({
+        email: z.email(),
+        password: z.string().min(1),
+    }),
+    returns: [ok200SignIn],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    const result = await idp.signIn({ email: input.email, password: input.password });
+    return ok200SignIn(result);
+});
+export const SignOut = defineResolver({
+    operation: "auth.SignOut",
+    version: 1,
+    status: "active",
+    summary: "Invalidate the current session/token",
+    body: z.object({ token: z.string() }),
+    returns: [ok202],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    await idp.signOut(input.token);
+    return ok202();
+});
+export const Refresh = defineResolver({
+    operation: "auth.Refresh",
+    version: 1,
+    status: "active",
+    summary: "Exchange a refresh token for a new access token",
+    body: z.object({ refreshToken: z.string() }),
+    returns: [ok200Tokens],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.refresh)
+        throw NotFound.with({ operation: "auth.Refresh", reason: "not supported by adapter" });
+    const tokens = await idp.refresh(input.refreshToken);
+    return ok200Tokens(tokens);
+});
+export const Register = defineResolver({
+    operation: "auth.Register",
+    version: 1,
+    status: "active",
+    summary: "Create a new account",
+    body: z.object({
+        email: z.email(),
+        password: z.string().min(8),
+        name: z.string().optional(),
+    }),
+    returns: [ok200SignIn],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.register)
+        throw NotFound.with({ operation: "auth.Register", reason: "not supported by adapter" });
+    const result = await idp.register({
+        email: input.email,
+        password: input.password,
+        name: input.name,
+    });
+    // Some adapters don't mint tokens on register (e.g. email-verification first).
+    // Surface a minimal SignInResult so the shape stays consistent.
+    return ok200SignIn({
+        user: result.user,
+        tokens: result.tokens ?? { accessToken: "" },
+    });
+});
+export const RequestPasswordReset = defineResolver({
+    operation: "auth.RequestPasswordReset",
+    version: 1,
+    status: "active",
+    summary: "Send a password-reset email",
+    body: z.object({ email: z.email() }),
+    returns: [ok202],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.requestPasswordReset)
+        throw NotFound.with({ operation: "auth.RequestPasswordReset" });
+    await idp.requestPasswordReset(input.email);
+    return ok202();
+});
+export const ResetPassword = defineResolver({
+    operation: "auth.ResetPassword",
+    version: 1,
+    status: "active",
+    summary: "Consume a reset token + set a new password",
+    body: z.object({
+        resetToken: z.string(),
+        newPassword: z.string().min(8),
+    }),
+    returns: [ok202],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.resetPassword)
+        throw NotFound.with({ operation: "auth.ResetPassword" });
+    await idp.resetPassword(input.resetToken, input.newPassword);
+    return ok202();
+});
+export const VerifyEmail = defineResolver({
+    operation: "auth.VerifyEmail",
+    version: 1,
+    status: "active",
+    summary: "Confirm an email-verification token",
+    body: z.object({ verificationToken: z.string() }),
+    returns: [ok202],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    if (!idp.verifyEmail)
+        throw NotFound.with({ operation: "auth.VerifyEmail" });
+    await idp.verifyEmail(input.verificationToken);
+    return ok202();
+});
+export const Me = defineResolver({
+    operation: "auth.Me",
+    version: 1,
+    status: "active",
+    summary: "Return the User identified by the current Authorization token",
+    body: z.object({ token: z.string() }),
+    returns: [ok200User],
+    errors: [],
+}).use(async ({ input, resolve }) => {
+    const idp = resolve("idp");
+    const user = await idp.verifyToken(input.token);
+    if (!user)
+        throw NotFound.with({ operation: "auth.Me", reason: "token does not resolve to a user" });
+    return ok200User(user);
+});
+//# sourceMappingURL=resolvers.js.map

package/dist/resolvers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../src/resolvers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGlF,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,EAAE;IACxC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,EAAE,EAAM,CAAC,CAAC,MAAM,EAAE;QAClB,KAAK,EAAG,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,IAAI,EAAI,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,KAAK,EAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;QACjD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC9B,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,cAAc,CAAC,YAAY,EAAE;IAChD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,WAAW,EAAG,CAAC,CAAC,MAAM,EAAE;QACxB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACnC,OAAO,EAAO,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACnC,SAAS,EAAK,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACnC,SAAS,EAAK,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;KACtD,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,EAAE;IAClD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,IAAI,EAAI,UAAU,CAAC,MAAM;QACzB,MAAM,EAAE,YAAY,CAAC,MAAM;KAC5B,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,KAAK,GAAG,QAAQ,CAAY,GAAG,CAAC,CAAC;AACvC,MAAM,SAAS,GAAK,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;AAC9C,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;AAChD,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;AAEhD,MAAM,CAAC,MAAM,MAAM,GAAG,cAAc,CAAC;IACnC,SAAS,EAAE,aAAa;IACxB,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,oCAAoC;IAC/C,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,KAAK,EAAK,CAAC,CAAC,KAAK,EAAE;QACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC5B,CAAC;IACF,OAAO,EAAE,CAAC,WAAW,CAAC;IACtB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClF,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,cAAc,CAAC;IACpC,SAAS,EAAE,cAAc;IACzB,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,sCAAsC;IACjD,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;IACrC,OAAO,EAAE,CAAC,KAAK,CAAC;IAChB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,cAAc,CAAC;IACpC,SAAS,EAAE,cAAc;IACzB,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,iDAAiD;IAC5D,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5C,OAAO,EAAE,CAAC,WAAW,CAAC;IACtB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,OAAO;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACzG,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACrD,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,QAAQ,GAAG,cAAc,CAAC;IACrC,SAAS,EAAE,eAAe;IAC1B,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,sBAAsB;IACjC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,KAAK,EAAK,CAAC,CAAC,KAAK,EAAE;QACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,IAAI,EAAM,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC;IACF,OAAO,EAAE,CAAC,WAAW,CAAC;IACtB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,QAAQ;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC3G,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC;QAChC,KAAK,EAAK,KAAK,CAAC,KAAK;QACrB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,IAAI,EAAM,KAAK,CAAC,IAAI;KACrB,CAAC,CAAC;IACH,+EAA+E;IAC/E,gEAAgE;IAChE,OAAO,WAAW,CAAC;QACjB,IAAI,EAAI,MAAM,CAAC,IAAI;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE;KAC7C,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,cAAc,CAAC;IACjD,SAAS,EAAE,2BAA2B;IACtC,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,6BAA6B;IACxC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;IACpC,OAAO,EAAE,CAAC,KAAK,CAAC;IAChB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,oBAAoB;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,2BAA2B,EAAE,CAAC,CAAC;IAC/F,MAAM,GAAG,CAAC,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC5C,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,aAAa,GAAG,cAAc,CAAC;IAC1C,SAAS,EAAE,oBAAoB;IAC/B,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,4CAA4C;IACvD,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,UAAU,EAAG,CAAC,CAAC,MAAM,EAAE;QACvB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,CAAC,KAAK,CAAC;IAChB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,aAAa;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACjF,MAAM,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IAC7D,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG,cAAc,CAAC;IACxC,SAAS,EAAE,kBAAkB;IAC7B,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,qCAAqC;IAChD,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;IACjD,OAAO,EAAE,CAAC,KAAK,CAAC;IAChB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,WAAW;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC7E,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC/C,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,EAAE,GAAG,cAAc,CAAC;IAC/B,SAAS,EAAE,SAAS;IACpB,OAAO,EAAI,CAAC;IACZ,MAAM,EAAK,QAAQ;IACnB,OAAO,EAAI,+DAA+D;IAC1E,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;IACrC,OAAO,EAAE,CAAC,SAAS,CAAC;IACpB,MAAM,EAAG,EAAE;CACZ,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAe,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,CAAC,IAAI;QAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC,CAAC;IACrG,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC,CAAC,CAAC"}

package/dist/routes.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Auth routes — `{name}Route` + `{name}Handler` pairs for every canonical
+ * identity operation. Mount them on any `httpInterface` directly or via
+ * the `mountAuth(api)` helper:
+ *
+ *   import { httpInterface } from "@nwire/http";
+ *   import { mountAuth, identityPlugin } from "@nwire/auth";
+ *
+ *   const api = mountAuth(httpInterface({ prefix: "/api/v1" }));
+ *   // mounts: POST /auth/sign-in, /sign-out, /refresh, /register,
+ *   //         /request-password-reset, /reset-password, /verify-email,
+ *   //         GET  /auth/me
+ *
+ *   const app = createApp({
+ *     plugins: [identityPlugin({ adapter })],
+ *     ...
+ *   });
+ *
+ *   // app.runtime registers "idp" on the container; handlers resolve it
+ *   await endpoint("api").serve(app).serve(api).run();
+ *
+ * Each handler reads `idp` from the container (registered by
+ * `identityPlugin`) and delegates the business logic to the adapter.
+ * Apps that want only a subset of operations import individual
+ * `{Route, Handler}` pairs and wire them by hand instead of using
+ * `mountAuth`.
+ */
+import { z } from "zod";
+import { type HttpHandler, type HttpInterface, type RouteBinding } from "@nwire/http";
+declare const SignInBody: z.ZodObject<{
+    email: z.ZodEmail;
+    password: z.ZodString;
+}, z.core.$strip>;
+declare const SignOutBody: z.ZodObject<{
+    token: z.ZodString;
+}, z.core.$strip>;
+declare const RefreshBody: z.ZodObject<{
+    refreshToken: z.ZodString;
+}, z.core.$strip>;
+declare const RegisterBody: z.ZodObject<{
+    email: z.ZodEmail;
+    password: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+declare const RequestPwResetBody: z.ZodObject<{
+    email: z.ZodEmail;
+}, z.core.$strip>;
+declare const ResetPasswordBody: z.ZodObject<{
+    resetToken: z.ZodString;
+    newPassword: z.ZodString;
+}, z.core.$strip>;
+declare const VerifyEmailBody: z.ZodObject<{
+    verificationToken: z.ZodString;
+}, z.core.$strip>;
+declare const MeBody: z.ZodObject<{
+    token: z.ZodString;
+}, z.core.$strip>;
+type SignInInput = z.output<typeof SignInBody>;
+type SignOutInput = z.output<typeof SignOutBody>;
+type RefreshInput = z.output<typeof RefreshBody>;
+type RegisterInput = z.output<typeof RegisterBody>;
+type RequestPwResetInput = z.output<typeof RequestPwResetBody>;
+type ResetPasswordInput = z.output<typeof ResetPasswordBody>;
+type VerifyEmailInput = z.output<typeof VerifyEmailBody>;
+type MeInput = z.output<typeof MeBody>;
+export declare const signInRoute: RouteBinding<SignInInput>;
+export declare const signInHandler: HttpHandler<SignInInput>;
+export declare const signOutRoute: RouteBinding<SignOutInput>;
+export declare const signOutHandler: HttpHandler<SignOutInput>;
+export declare const refreshRoute: RouteBinding<RefreshInput>;
+export declare const refreshHandler: HttpHandler<RefreshInput>;
+export declare const registerRoute: RouteBinding<RegisterInput>;
+export declare const registerHandler: HttpHandler<RegisterInput>;
+export declare const requestPasswordResetRoute: RouteBinding<RequestPwResetInput>;
+export declare const requestPasswordResetHandler: HttpHandler<RequestPwResetInput>;
+export declare const resetPasswordRoute: RouteBinding<ResetPasswordInput>;
+export declare const resetPasswordHandler: HttpHandler<ResetPasswordInput>;
+export declare const verifyEmailRoute: RouteBinding<VerifyEmailInput>;
+export declare const verifyEmailHandler: HttpHandler<VerifyEmailInput>;
+export declare const meRoute: RouteBinding<MeInput>;
+export declare const meHandler: HttpHandler<MeInput>;
+export interface MountAuthOptions {
+    /** Pick which routes to mount. Default — all. */
+    readonly include?: ReadonlyArray<"signIn" | "signOut" | "refresh" | "register" | "requestPasswordReset" | "resetPassword" | "verifyEmail" | "me">;
+}
+/**
+ * Wire every canonical auth route onto the given httpInterface in one
+ * call. Returns the same interface for chaining. Pass `options.include`
+ * to mount only a subset (e.g. an app that doesn't expose registration).
+ *
+ *   const api = mountAuth(httpInterface({ prefix: "/api/v1" }));
+ *   // → 8 routes mounted: /auth/sign-in, /sign-out, /refresh, /register, ...
+ *
+ *   // Subset:
+ *   mountAuth(api, { include: ["signIn", "signOut", "me"] });
+ */
+export declare function mountAuth(api: HttpInterface, options?: MountAuthOptions): HttpInterface;
+export {};
+//# sourceMappingURL=routes.d.ts.map

package/dist/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../src/routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAa,KAAK,WAAW,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAwCjG,QAAA,MAAM,UAAU;;;iBAA8D,CAAC;AAC/E,QAAA,MAAM,WAAW;;iBAAkC,CAAC;AACpD,QAAA,MAAM,WAAW;;iBAAyC,CAAC;AAC3D,QAAA,MAAM,YAAY;;;;iBAIhB,CAAC;AACH,QAAA,MAAM,kBAAkB;;iBAAiC,CAAC;AAC1D,QAAA,MAAM,iBAAiB;;;iBAAuE,CAAC;AAC/F,QAAA,MAAM,eAAe;;iBAA8C,CAAC;AACpE,QAAA,MAAM,MAAM;;iBAAkC,CAAC;AAE/C,KAAK,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,UAAU,CAAC,CAAC;AAC/C,KAAK,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AACjD,KAAK,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AACjD,KAAK,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,YAAY,CAAC,CAAC;AACnD,KAAK,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC/D,KAAK,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC7D,KAAK,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC;AACzD,KAAK,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,MAAM,CAAC,CAAC;AAIvC,eAAO,MAAM,WAAW,EAAE,YAAY,CAAC,WAAW,CAUhD,CAAC;AACH,eAAO,MAAM,aAAa,EAAE,WAAW,CAAC,WAAW,CAIlD,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,YAAY,CAAC,YAAY,CAUlD,CAAC;AACH,eAAO,MAAM,cAAc,EAAE,WAAW,CAAC,YAAY,CAIpD,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,YAAY,CAAC,YAAY,CAUlD,CAAC;AACH,eAAO,MAAM,cAAc,EAAE,WAAW,CAAC,YAAY,CAMpD,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,YAAY,CAAC,aAAa,CAUpD,CAAC;AACH,eAAO,MAAM,eAAe,EAAE,WAAW,CAAC,aAAa,CAatD,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,YAAY,CAAC,mBAAmB,CAavE,CAAC;AACF,eAAO,MAAM,2BAA2B,EAAE,WAAW,CAAC,mBAAmB,CAQxE,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,YAAY,CAAC,kBAAkB,CAU9D,CAAC;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,kBAAkB,CAKhE,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,YAAY,CAAC,gBAAgB,CAU1D,CAAC;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,gBAAgB,CAK5D,CAAC;AAEF,eAAO,MAAM,OAAO,EAAE,YAAY,CAAC,OAAO,CAUxC,CAAC;AACH,eAAO,MAAM,SAAS,EAAE,WAAW,CAAC,OAAO,CAM1C,CAAC;AAIF,MAAM,WAAW,gBAAgB;IAC/B,iDAAiD;IACjD,QAAQ,CAAC,OAAO,CAAC,EAAE,aAAa,CAC5B,QAAQ,GACR,SAAS,GACT,SAAS,GACT,UAAU,GACV,sBAAsB,GACtB,eAAe,GACf,aAAa,GACb,IAAI,CACP,CAAC;CACH;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,aAAa,CAkBvF"}