@oglofus/auth 1.0.1 → 1.1.1

package/README.md

@@ -8,8 +8,8 @@ Type-safe, plugin-first authentication core for TypeScript applications.
 - Strongly typed register/authenticate payloads inferred from enabled plugins.
 - Path-based issue model (`{ message, path }`) for field-level error mapping.
 - Built-in methods: password, email OTP, magic link, OAuth2, passkey.
-- Built-in domain plugins: two-factor auth (TOTP/recovery), organizations/RBAC.
-- Framework-agnostic core (works with Next.js, SvelteKit, Workers, Node servers).
+- Built-in domain plugins: two-factor auth (TOTP/recovery code), organizations/RBAC.
+- Framework-agnostic core for TypeScript apps running in Node-compatible server environments.
 
 ## Install
 
@@ -29,6 +29,7 @@ Optional for app-level integrations:
 
 - `arctic` for OAuth providers in your app code.
 - `@oslojs/otp` if you need direct OTP utilities in your app (the library already uses it internally for TOTP).
+- `stripe` if you use the Stripe billing plugin.
 
 ## Quick Start (Password)
 
@@ -87,10 +88,20 @@ const loggedIn = await auth.authenticate({
 - `method(pluginMethod)` for plugin-specific APIs
 - `verifySecondFactor(input, request?)`
 - `completeProfile(input, request?)`
-- `setActiveOrganization(sessionId, organizationId, request?)`
 - `validateSession(sessionId, request?)`
 - `signOut(sessionId, request?)`
 
+Organization session switching is exposed by the organizations plugin API:
+
+```ts
+const orgApi = auth.method("organizations");
+await orgApi.setActiveOrganization({
+  sessionId: "session_123",
+  organizationId: "org_123",
+});
+await orgApi.setActiveOrganization({ sessionId: "session_123" }); // clear
+```
+
 ## Result and Error Shape
 
 All operations return structured results.
@@ -117,15 +128,9 @@ You can build issues with helpers:
 ```ts
 import { createIssue, createIssueFactory } from "@oglofus/auth";
 
-const issue = createIssueFactory<{ email: string; profile: unknown }>([
-  "email",
-  "profile",
-] as const);
+const issue = createIssueFactory<{ email: string; profile: unknown }>(["email", "profile"] as const);
 issue.email("Email is required");
-issue.$path(
-  ["profile", { key: "addresses" }, { index: 0 }, "city"],
-  "City is required",
-);
+issue.$path(["profile", { key: "addresses" }, { index: 0 }, "city"], "City is required");
 createIssue("Generic failure");
 ```
 
@@ -154,19 +159,19 @@ createIssue("Generic failure");
 ### OAuth2 (Arctic)
 
 - Method: `"oauth2"`
-- Uses provider clients with `validateAuthorizationCode(...)` (Arctic-compatible).
+- Uses provider exchange callbacks. Arctic clients can be wrapped with `arcticAuthorizationCodeExchange(...)`.
 - Supports profile completion when required fields are missing.
 
 ```ts
 import { Google } from "arctic";
-import { oauth2Plugin } from "@oglofus/auth";
+import { arcticAuthorizationCodeExchange, oauth2Plugin } from "@oglofus/auth";
 
 const google = new Google(process.env.GOOGLE_CLIENT_ID!, process.env.GOOGLE_CLIENT_SECRET!, process.env.GOOGLE_REDIRECT_URI!);
 
 oauth2Plugin<AppUser, "google", "given_name" | "family_name">({
   providers: {
     google: {
-      client: google,
+      exchangeAuthorizationCode: arcticAuthorizationCodeExchange(google),
       resolveProfile: async ({ tokens }) => {
         const res = await fetch("https://openidconnect.googleapis.com/v1/userinfo", {
           headers: { Authorization: `Bearer ${tokens.accessToken()}` },
@@ -201,6 +206,7 @@ const result = await auth.authenticate({
   authorizationCode: "code-from-callback",
   redirectUri: process.env.GOOGLE_REDIRECT_URI!,
   codeVerifier: "pkce-code-verifier",
+  idempotencyKey: "oauth-state",
 });
 ```
 
@@ -208,12 +214,15 @@ const result = await auth.authenticate({
 
 - Method: `"passkey"`
 - Register + authenticate supported.
+- The package consumes already-verified passkey results; it does not perform raw WebAuthn attestation/assertion verification.
+- Verify WebAuthn with `@simplewebauthn/server` or equivalent first, then pass the verified result into `auth.register(...)` / `auth.authenticate(...)`.
 - Config: `requiredProfileFields`, `passkeys` adapter.
 
 ### Two-Factor (Domain Plugin)
 
 - Method: `"two_factor"`
 - Adds post-primary verification (`TWO_FACTOR_REQUIRED`).
+- This release supports `totp` and `recovery_code`.
 - Uses `@oslojs/otp` internally for TOTP verification and enrollment URI generation.
 - Plugin API:
   - `beginTotpEnrollment(userId)`
@@ -226,6 +235,14 @@ const result = await auth.authenticate({
 - Multi-tenant orgs, memberships, role inheritance, feature/limit entitlements, invites.
 - Validates role topology on startup (default role, owner role presence, inheritance cycles).
 
+### Stripe (Domain Plugin)
+
+- Method: `"stripe"`
+- User and organization subscriptions with typed billing subjects.
+- Checkout session creation, billing portal sessions, webhook verification, local subscription snapshots.
+- Plan-level features and limits, trial tracking, and organization entitlement merge support.
+- Requires the `stripe` package in your application.
+
 ## Account Discovery
 
 Use `discover(...)` to support login/register routing logic before full auth:
@@ -243,6 +260,8 @@ See ready-to-copy integrations:
 - [`examples/sveltekit-email-otp`](./examples/sveltekit-email-otp)
 - [`examples/oauth2-google-arctic`](./examples/oauth2-google-arctic)
 - [`examples/two-factor-totp-oslo`](./examples/two-factor-totp-oslo)
+- [`examples/stripe-user-billing`](./examples/stripe-user-billing)
+- [`examples/stripe-organization-billing`](./examples/stripe-organization-billing)
 
 ## Scripts
 

package/dist/core/auth.d.ts

@@ -1,6 +1,6 @@
-import { type AuthResult, type OperationResult } from "../types/results.js";
-import type { AuthConfig, AuthenticateInputFromPlugins, AuthPublicApi, AnyPlugin, PluginApiMap, PluginMethodsWithApi, RegisterInputFromPlugins } from "../types/plugins.js";
 import type { AuthRequestContext, CompleteProfileInput, DiscoverAccountDecision, DiscoverAccountInput, TwoFactorVerifyInput, UserBase } from "../types/model.js";
+import type { AnyPlugin, AuthConfig, AuthPublicApi, AuthenticateInputFromPlugins, PluginApiMap, PluginMethodsWithApi, RegisterInputFromPlugins } from "../types/plugins.js";
+import { type AuthResult, type OperationResult } from "../types/results.js";
 export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugin<U>[]> implements AuthPublicApi<U, P> {
     private readonly config;
     private readonly pluginMap;
@@ -13,10 +13,6 @@ export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugi
     method<M extends PluginMethodsWithApi<P>>(method: M): PluginApiMap<P>[M];
     verifySecondFactor(input: TwoFactorVerifyInput, request?: AuthRequestContext): Promise<AuthResult<U>>;
     completeProfile(input: CompleteProfileInput<U>, request?: AuthRequestContext): Promise<AuthResult<U>>;
-    setActiveOrganization(sessionId: string, organizationId: string, request?: AuthRequestContext): Promise<OperationResult<{
-        sessionId: string;
-        activeOrganizationId: string;
-    }>>;
     validateSession(sessionId: string, _request?: AuthRequestContext): Promise<{
         ok: true;
         userId: string;
@@ -25,10 +21,15 @@ export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugi
     }>;
     signOut(sessionId: string, request?: AuthRequestContext): Promise<void>;
     private normalizeAuthInput;
+    private persistCompletedProfile;
     private makeContext;
     private createSession;
     private getAuthMethodPlugin;
     private tryGetTwoFactorApi;
+    private resolveRateLimitPolicy;
+    private consumeRateLimit;
+    private makeRateLimitKey;
+    private getRateLimitIdentity;
     private runValidator;
     private validatePlugins;
     private assertAcyclicRoleInheritance;

package/dist/core/auth.js

@@ -1,7 +1,7 @@
 import { AuthError } from "../errors/index.js";
-import { errorOperation, errorResult, successOperation, successResult, } from "../types/results.js";
-import { DEFAULT_SESSION_TTL_SECONDS, addSeconds, createId, normalizeEmailDefault, now, } from "./utils.js";
 import { createIssue } from "../issues/index.js";
+import { errorOperation, errorResult, successOperation, successResult, } from "../types/results.js";
+import { DEFAULT_SESSION_TTL_SECONDS, addSeconds, createId, deterministicTokenHash, normalizeEmailDefault, now, } from "./utils.js";
 const hasEmail = (value) => typeof value === "object" && value !== null && "email" in value && typeof value.email === "string";
 const toAuthError = (error) => {
     if (error instanceof AuthError) {
@@ -9,6 +9,14 @@ const toAuthError = (error) => {
     }
     return new AuthError("INTERNAL_ERROR", "Internal error.", 500);
 };
+const DEFAULT_RATE_LIMIT_POLICIES = {
+    discover: { limit: 10, windowSeconds: 60 },
+    register: { limit: 5, windowSeconds: 300 },
+    authenticate: { limit: 10, windowSeconds: 300 },
+    emailOtpRequest: { limit: 3, windowSeconds: 300 },
+    magicLinkRequest: { limit: 3, windowSeconds: 300 },
+    otpVerify: { limit: 10, windowSeconds: 300 },
+};
 export class OglofusAuth {
     config;
     pluginMap = new Map();
@@ -18,18 +26,30 @@ export class OglofusAuth {
         this.config = config;
         this.normalizeEmail = config.normalize?.email ?? normalizeEmailDefault;
         this.validatePlugins();
+        const getPluginApi = (method) => {
+            if (!this.apiMap.has(method)) {
+                return null;
+            }
+            return this.apiMap.get(method);
+        };
         for (const plugin of config.plugins) {
             this.pluginMap.set(plugin.method, plugin);
             if (plugin.createApi) {
                 this.apiMap.set(plugin.method, plugin.createApi({
                     adapters: this.config.adapters,
                     now,
+                    security: this.config.security,
+                    getPluginApi,
                 }));
             }
         }
     }
     async discover(input, request) {
         const email = this.normalizeEmail(input.email);
+        const rateLimitError = await this.consumeRateLimit("discover", email, request);
+        if (rateLimitError) {
+            return errorOperation(rateLimitError);
+        }
         const mode = this.config.accountDiscovery?.mode ?? "private";
         if (mode === "private") {
             return successOperation({
@@ -83,6 +103,17 @@ export class OglofusAuth {
             return errorResult(new AuthError("METHOD_DISABLED", `Method ${method} is disabled.`, 400));
         }
         const normalized = this.normalizeAuthInput(input);
+        const rateLimitError = await this.consumeRateLimit("authenticate", this.getRateLimitIdentity(normalized), request);
+        if (rateLimitError) {
+            await this.writeAudit({
+                action: "authenticate",
+                method,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: rateLimitError.code,
+            });
+            return errorResult(rateLimitError);
+        }
         const validated = this.runValidator(plugin.validators?.authenticate, normalized);
         if (!validated.ok) {
             return validated.result;
@@ -145,6 +176,17 @@ export class OglofusAuth {
             return errorResult(new AuthError("METHOD_NOT_REGISTERABLE", `Method ${method} does not support register.`, 400));
         }
         const normalized = this.normalizeAuthInput(input);
+        const rateLimitError = await this.consumeRateLimit("register", this.getRateLimitIdentity(normalized), request);
+        if (rateLimitError) {
+            await this.writeAudit({
+                action: "register",
+                method,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: rateLimitError.code,
+            });
+            return errorResult(rateLimitError);
+        }
         const validated = this.runValidator(plugin.validators?.register, normalized);
         if (!validated.ok) {
             return validated.result;
@@ -195,6 +237,16 @@ export class OglofusAuth {
         }
         const record = await pending.findById(input.pendingProfileId);
         if (!record || record.consumedAt || record.expiresAt.getTime() <= now().getTime()) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: "complete_profile",
+                requestId: request?.requestId,
+                success: false,
+                errorCode: "PROFILE_COMPLETION_EXPIRED",
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
             return errorResult(new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400));
         }
         const missingIssues = [];
@@ -205,12 +257,18 @@ export class OglofusAuth {
             }
         }
         if (missingIssues.length > 0) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: "INVALID_INPUT",
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
             return errorResult(new AuthError("INVALID_INPUT", "Missing required profile fields.", 400, missingIssues), missingIssues);
         }
-        const consumed = await pending.consume(input.pendingProfileId);
-        if (!consumed) {
-            return errorResult(new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400));
-        }
         const email = record.email ? this.normalizeEmail(record.email) : undefined;
         const merged = {
             ...record.prefill,
@@ -220,44 +278,94 @@ export class OglofusAuth {
         if (merged.emailVerified === undefined) {
             merged.emailVerified = false;
         }
-        let user;
-        if (email) {
-            const existing = await this.config.adapters.users.findByEmail(email);
-            if (existing) {
-                user = await this.config.adapters.users.update(existing.id, merged);
+        const plugin = this.getAuthMethodPlugin(record.sourceMethod);
+        if (record.continuation && (!plugin || !plugin.completePendingProfile)) {
+            const error = new AuthError("PLUGIN_MISCONFIGURED", `Pending profile for '${record.sourceMethod}' cannot be completed by the current plugin set.`, 500);
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: error.code,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(error);
+        }
+        const ctx = this.makeContext(request);
+        let finalizedUserId;
+        const finalize = async () => {
+            const persisted = await this.persistCompletedProfile(email, merged);
+            if (!persisted.ok) {
+                return persisted;
             }
-            else {
-                user = await this.config.adapters.users.create(merged);
+            finalizedUserId = persisted.user.id;
+            if (plugin?.completePendingProfile) {
+                const continuation = await plugin.completePendingProfile(ctx, {
+                    record,
+                    user: persisted.user,
+                });
+                if (!continuation.ok) {
+                    return { ok: false, error: continuation.error };
+                }
             }
+            const consumed = await pending.consume(input.pendingProfileId);
+            if (!consumed) {
+                return {
+                    ok: false,
+                    error: new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400),
+                };
+            }
+            return { ok: true, user: persisted.user };
+        };
+        let finalized;
+        try {
+            finalized = this.config.adapters.withTransaction
+                ? await this.config.adapters.withTransaction(finalize)
+                : await finalize();
         }
-        else {
-            user = await this.config.adapters.users.create(merged);
-        }
-        const sessionId = await this.createSession(user.id);
-        return successResult(user, sessionId);
-    }
-    async setActiveOrganization(sessionId, organizationId, request) {
-        const session = await this.config.adapters.sessions.findById(sessionId);
-        if (!session) {
-            return errorOperation(new AuthError("SESSION_NOT_FOUND", "Session not found.", 404));
-        }
-        const organizationsApi = this.apiMap.get("organizations");
-        if (!organizationsApi) {
-            return errorOperation(new AuthError("METHOD_DISABLED", "organizations plugin is not enabled.", 400));
-        }
-        const memberships = await organizationsApi.listMemberships({ userId: session.userId }, request);
-        if (!memberships.ok) {
-            return memberships;
+        catch (error) {
+            const authError = toAuthError(error);
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: authError.code,
+                userId: finalizedUserId,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(authError);
         }
-        const active = memberships.data.memberships.find((membership) => membership.organizationId === organizationId && membership.status === "active");
-        if (!active) {
-            return errorOperation(new AuthError("MEMBERSHIP_FORBIDDEN", "No active membership for organization.", 403));
+        if (!finalized.ok) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: finalized.error.code,
+                userId: finalizedUserId,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(finalized.error);
         }
-        await this.config.adapters.sessions.setActiveOrganization(sessionId, organizationId);
-        return successOperation({
-            sessionId,
-            activeOrganizationId: organizationId,
+        const sessionId = await this.createSession(finalized.user.id);
+        await this.writeAudit({
+            action: "complete_profile",
+            method: record.sourceMethod,
+            requestId: request?.requestId,
+            success: true,
+            userId: finalized.user.id,
+            meta: {
+                pendingProfileId: input.pendingProfileId,
+            },
         });
+        return successResult(finalized.user, sessionId);
     }
     async validateSession(sessionId, _request) {
         const session = await this.config.adapters.sessions.findById(sessionId);
@@ -289,11 +397,32 @@ export class OglofusAuth {
             email: this.normalizeEmail(input.email),
         };
     }
+    async persistCompletedProfile(email, merged) {
+        if (email) {
+            const existing = await this.config.adapters.users.findByEmail(email);
+            if (existing) {
+                const updated = await this.config.adapters.users.update(existing.id, merged);
+                if (!updated) {
+                    return { ok: false, error: new AuthError("USER_NOT_FOUND", "User not found.", 404) };
+                }
+                return { ok: true, user: updated };
+            }
+        }
+        const created = await this.config.adapters.users.create(merged);
+        return { ok: true, user: created };
+    }
     makeContext(request) {
         return {
             adapters: this.config.adapters,
             now,
+            security: this.config.security,
             request,
+            getPluginApi: (method) => {
+                if (!this.apiMap.has(method)) {
+                    return null;
+                }
+                return this.apiMap.get(method);
+            },
         };
     }
     async createSession(userId) {
@@ -322,6 +451,66 @@ export class OglofusAuth {
         }
         return api;
     }
+    resolveRateLimitPolicy(scope) {
+        if (!this.config.adapters.rateLimiter) {
+            return null;
+        }
+        return this.config.security?.rateLimits?.[scope] ?? DEFAULT_RATE_LIMIT_POLICIES[scope];
+    }
+    async consumeRateLimit(scope, identity, request) {
+        const policy = this.resolveRateLimitPolicy(scope);
+        if (!policy || !this.config.adapters.rateLimiter) {
+            return null;
+        }
+        const result = await this.config.adapters.rateLimiter.consume(this.makeRateLimitKey(scope, identity, request), policy.limit, policy.windowSeconds);
+        if (result.allowed) {
+            return null;
+        }
+        return new AuthError("RATE_LIMITED", "Too many requests.", 429, [], result.retryAfterSeconds === undefined ? undefined : { retryAfterSeconds: result.retryAfterSeconds });
+    }
+    makeRateLimitKey(scope, identity, request) {
+        if (!request?.ip) {
+            return `${scope}:identity:${identity}`;
+        }
+        return `${scope}:ip:${request.ip}:identity:${identity}`;
+    }
+    getRateLimitIdentity(input) {
+        if (hasEmail(input)) {
+            return this.normalizeEmail(input.email);
+        }
+        if (!input || typeof input !== "object") {
+            return "anonymous";
+        }
+        const record = input;
+        if (typeof record.challengeId === "string" && record.challengeId.length > 0) {
+            return `challenge:${record.challengeId}`;
+        }
+        if (typeof record.pendingAuthId === "string" && record.pendingAuthId.length > 0) {
+            return `pending:${record.pendingAuthId}`;
+        }
+        if (typeof record.token === "string" && record.token.length > 0) {
+            return `token:${deterministicTokenHash(record.token, "rate-limit:magic-link")}`;
+        }
+        if (typeof record.provider === "string" && record.provider.length > 0) {
+            return `provider:${record.provider}`;
+        }
+        const authentication = record.authentication;
+        if (authentication &&
+            typeof authentication === "object" &&
+            typeof authentication.credentialId === "string") {
+            return `credential:${String(authentication.credentialId)}`;
+        }
+        const registration = record.registration;
+        if (registration &&
+            typeof registration === "object" &&
+            typeof registration.credentialId === "string") {
+            return `credential:${String(registration.credentialId)}`;
+        }
+        if (typeof record.method === "string" && record.method.length > 0) {
+            return `method:${record.method}`;
+        }
+        return "anonymous";
+    }
     runValidator(validator, input) {
         if (!validator) {
             return { ok: true, input: input };
@@ -343,6 +532,7 @@ export class OglofusAuth {
         const methods = new Set();
         let twoFactorCount = 0;
         let organizationsCount = 0;
+        let stripeCount = 0;
         for (const plugin of this.config.plugins) {
             if (methods.has(plugin.method)) {
                 throw new AuthError("PLUGIN_METHOD_CONFLICT", `Plugin method conflict for '${plugin.method}'.`, 500);
@@ -354,6 +544,9 @@ export class OglofusAuth {
             if (plugin.method === "organizations") {
                 organizationsCount += 1;
             }
+            if (plugin.method === "stripe") {
+                stripeCount += 1;
+            }
             if (plugin.kind === "auth_method") {
                 if (plugin.supports.register && !plugin.register) {
                     throw new AuthError("PLUGIN_MISCONFIGURED", `Plugin '${plugin.method}' declares register support but no register handler.`, 500);
@@ -375,11 +568,17 @@ export class OglofusAuth {
         if (organizationsCount > 1) {
             throw new AuthError("PLUGIN_MISCONFIGURED", "At most one organizations plugin is allowed.", 500);
         }
+        if (stripeCount > 1) {
+            throw new AuthError("PLUGIN_MISCONFIGURED", "At most one stripe plugin is allowed.", 500);
+        }
         if ((this.config.accountDiscovery?.mode ?? "private") === "explicit" && !this.config.adapters.identity) {
             throw new AuthError("PLUGIN_MISCONFIGURED", "identity adapter is required when accountDiscovery.mode is explicit.", 500);
         }
+        const orgPlugin = this.config.plugins.find((plugin) => plugin.method === "organizations");
+        if (orgPlugin && !orgPlugin.__organizationConfig?.handlers?.organizationSessions) {
+            throw new AuthError("PLUGIN_MISCONFIGURED", "organizations plugin requires handlers.organizationSessions.", 500);
+        }
         if (this.config.validateConfigOnStart) {
-            const orgPlugin = this.config.plugins.find((plugin) => plugin.method === "organizations");
             const roleConfig = orgPlugin?.__organizationConfig?.handlers?.roles;
             const defaultRole = orgPlugin?.__organizationConfig?.handlers?.defaultRole;
             if (roleConfig && defaultRole) {

package/dist/core/utils.d.ts

@@ -6,6 +6,7 @@ export declare const createId: () => string;
 export declare const createToken: (size?: number) => string;
 export declare const createNumericCode: (length?: number) => string;
 export declare const secretHash: (value: string, salt?: string) => string;
+export declare const deterministicTokenHash: (value: string, namespace: string) => string;
 export declare const secretVerify: (value: string, encoded: string) => boolean;
 export declare const cloneWithout: <T extends Record<string, unknown>, K extends readonly (keyof T)[]>(input: T, keys: K) => Omit<T, K[number]>;
 export declare const ensureRecord: (value: unknown) => value is Record<string, unknown>;

package/dist/core/utils.js

@@ -1,4 +1,4 @@
-import { pbkdf2Sync, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
+import { createHash, pbkdf2Sync, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 export const DEFAULT_SESSION_TTL_SECONDS = 60 * 60 * 24 * 30;
 export const normalizeEmailDefault = (value) => value.trim().toLowerCase();
 export const now = () => new Date();
@@ -18,6 +18,7 @@ export const secretHash = (value, salt = randomBytes(16).toString("hex")) => {
     const derived = pbkdf2Sync(value, salt, 120_000, 32, "sha256").toString("hex");
     return `${salt}:${derived}`;
 };
+export const deterministicTokenHash = (value, namespace) => createHash("sha256").update(namespace).update(":").update(value).digest("hex");
 export const secretVerify = (value, encoded) => {
     const [salt, hash] = encoded.split(":");
     if (!salt || !hash) {

package/dist/core/validators.js

@@ -1,5 +1,5 @@
-import { createIssue } from "../issues/index.js";
 import { AuthError } from "../errors/index.js";
+import { createIssue } from "../issues/index.js";
 export const ensureFields = (source, fields, basePath = []) => {
     const issues = fields
         .filter((field) => {

package/dist/errors/index.d.ts

@@ -1,7 +1,6 @@
-import type { UserBase } from "../types/model.js";
-import type { ProfileCompletionState, TwoFactorRequiredMeta } from "../types/model.js";
 import type { Issue } from "../issues/index.js";
-export type AuthErrorCode = "INVALID_INPUT" | "METHOD_DISABLED" | "METHOD_NOT_REGISTERABLE" | "ACCOUNT_NOT_FOUND" | "ACCOUNT_EXISTS" | "ACCOUNT_EXISTS_WITH_DIFFERENT_METHOD" | "ORGANIZATION_NOT_FOUND" | "MEMBERSHIP_NOT_FOUND" | "MEMBERSHIP_FORBIDDEN" | "ROLE_INVALID" | "ROLE_NOT_ASSIGNABLE" | "ORGANIZATION_INVITE_INVALID" | "ORGANIZATION_INVITE_EXPIRED" | "SEAT_LIMIT_REACHED" | "FEATURE_DISABLED" | "LIMIT_EXCEEDED" | "LAST_OWNER_GUARD" | "SESSION_NOT_FOUND" | "INVALID_CREDENTIALS" | "USER_NOT_FOUND" | "CONFLICT" | "RATE_LIMITED" | "DELIVERY_FAILED" | "EMAIL_NOT_VERIFIED" | "OTP_EXPIRED" | "OTP_INVALID" | "MAGIC_LINK_EXPIRED" | "MAGIC_LINK_INVALID" | "OAUTH2_PROVIDER_DISABLED" | "OAUTH2_EXCHANGE_FAILED" | "PASSKEY_INVALID_ASSERTION" | "PASSKEY_INVALID_ATTESTATION" | "PASSKEY_CHALLENGE_EXPIRED" | "PROFILE_COMPLETION_REQUIRED" | "PROFILE_COMPLETION_EXPIRED" | "TWO_FACTOR_REQUIRED" | "TWO_FACTOR_INVALID" | "TWO_FACTOR_EXPIRED" | "RECOVERY_CODE_INVALID" | "PLUGIN_METHOD_CONFLICT" | "PLUGIN_MISCONFIGURED" | "INTERNAL_ERROR";
+import type { ProfileCompletionState, TwoFactorRequiredMeta, UserBase } from "../types/model.js";
+export type AuthErrorCode = "INVALID_INPUT" | "METHOD_DISABLED" | "METHOD_NOT_REGISTERABLE" | "ACCOUNT_NOT_FOUND" | "ACCOUNT_EXISTS" | "ACCOUNT_EXISTS_WITH_DIFFERENT_METHOD" | "ORGANIZATION_NOT_FOUND" | "MEMBERSHIP_NOT_FOUND" | "MEMBERSHIP_FORBIDDEN" | "ROLE_INVALID" | "ROLE_NOT_ASSIGNABLE" | "ORGANIZATION_INVITE_INVALID" | "ORGANIZATION_INVITE_EXPIRED" | "SEAT_LIMIT_REACHED" | "FEATURE_DISABLED" | "LIMIT_EXCEEDED" | "LAST_OWNER_GUARD" | "SESSION_NOT_FOUND" | "INVALID_CREDENTIALS" | "USER_NOT_FOUND" | "CONFLICT" | "RATE_LIMITED" | "DELIVERY_FAILED" | "EMAIL_NOT_VERIFIED" | "OTP_EXPIRED" | "OTP_INVALID" | "MAGIC_LINK_EXPIRED" | "MAGIC_LINK_INVALID" | "OAUTH2_PROVIDER_DISABLED" | "OAUTH2_EXCHANGE_FAILED" | "PASSKEY_INVALID_ASSERTION" | "PASSKEY_INVALID_ATTESTATION" | "PASSKEY_CHALLENGE_EXPIRED" | "CUSTOMER_NOT_FOUND" | "SUBSCRIPTION_NOT_FOUND" | "SUBSCRIPTION_ALREADY_EXISTS" | "TRIAL_NOT_AVAILABLE" | "STRIPE_WEBHOOK_INVALID" | "PROFILE_COMPLETION_REQUIRED" | "PROFILE_COMPLETION_EXPIRED" | "TWO_FACTOR_REQUIRED" | "TWO_FACTOR_INVALID" | "TWO_FACTOR_EXPIRED" | "RECOVERY_CODE_INVALID" | "PLUGIN_METHOD_CONFLICT" | "PLUGIN_MISCONFIGURED" | "INTERNAL_ERROR";
 export declare class AuthError extends Error {
     readonly code: AuthErrorCode;
     readonly status: number;

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-export * from "./types/index.js";
-export * from "./issues/index.js";
-export * from "./errors/index.js";
-export * from "./core/events.js";
 export * from "./core/auth.js";
+export * from "./core/events.js";
+export * from "./errors/index.js";
+export * from "./issues/index.js";
 export * from "./plugins/index.js";
+export * from "./types/index.js";

package/dist/index.js

@@ -1,6 +1,6 @@
-export * from "./types/index.js";
-export * from "./issues/index.js";
-export * from "./errors/index.js";
-export * from "./core/events.js";
 export * from "./core/auth.js";
+export * from "./core/events.js";
+export * from "./errors/index.js";
+export * from "./issues/index.js";
 export * from "./plugins/index.js";
+export * from "./types/index.js";