@originals/auth 1.5.0

package/dist/server/email-auth.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Turnkey Email Authentication Service
+ * Implements email-based authentication using Turnkey's OTP flow
+ */
+import { Turnkey } from '@turnkey/sdk-server';
+import type { EmailAuthSession, InitiateAuthResult, VerifyAuthResult } from '../types';
+/**
+ * Session storage interface for pluggable session management
+ */
+export interface SessionStorage {
+    get(sessionId: string): EmailAuthSession | undefined;
+    set(sessionId: string, session: EmailAuthSession): void;
+    delete(sessionId: string): void;
+    cleanup(): void;
+}
+/**
+ * Create an in-memory session storage
+ * For production, consider using Redis or a database
+ */
+export declare function createInMemorySessionStorage(): SessionStorage;
+/**
+ * Initiate email authentication using Turnkey OTP
+ * Sends a 6-digit OTP code to the user's email
+ */
+export declare function initiateEmailAuth(email: string, turnkeyClient: Turnkey, sessionStorage?: SessionStorage): Promise<InitiateAuthResult>;
+/**
+ * Verify email authentication code using Turnkey OTP
+ */
+export declare function verifyEmailAuth(sessionId: string, code: string, turnkeyClient: Turnkey, sessionStorage?: SessionStorage): Promise<VerifyAuthResult>;
+/**
+ * Check if a session is verified
+ */
+export declare function isSessionVerified(sessionId: string, sessionStorage?: SessionStorage): boolean;
+/**
+ * Clean up a session after successful login
+ */
+export declare function cleanupSession(sessionId: string, sessionStorage?: SessionStorage): void;
+/**
+ * Get session data
+ */
+export declare function getSession(sessionId: string, sessionStorage?: SessionStorage): EmailAuthSession | undefined;
+//# sourceMappingURL=email-auth.d.ts.map

package/dist/server/email-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-auth.d.ts","sourceRoot":"","sources":["../../src/server/email-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAG9C,OAAO,KAAK,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAMvF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACrD,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACxD,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,IAAI,IAAI,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,4BAA4B,IAAI,cAAc,CA2B7D;AAmBD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,OAAO,EACtB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,kBAAkB,CAAC,CA2D7B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,OAAO,EACtB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAqD3B;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAYT;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,cAAc,GAC9B,IAAI,CAGN;AAED;;GAEG;AACH,wBAAgB,UAAU,CACxB,SAAS,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,cAAc,GAC9B,gBAAgB,GAAG,SAAS,CAa9B"}

package/dist/server/email-auth.js

@@ -0,0 +1,187 @@
+/**
+ * Turnkey Email Authentication Service
+ * Implements email-based authentication using Turnkey's OTP flow
+ */
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bytesToHex } from '@noble/hashes/utils.js';
+import { getOrCreateTurnkeySubOrg } from './turnkey-client';
+// Session timeout (15 minutes to match Turnkey OTP)
+const SESSION_TIMEOUT = 15 * 60 * 1000;
+/**
+ * Create an in-memory session storage
+ * For production, consider using Redis or a database
+ */
+export function createInMemorySessionStorage() {
+    const sessions = new Map();
+    // Start cleanup interval
+    const cleanupInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [sessionId, session] of sessions.entries()) {
+            if (now - session.timestamp > SESSION_TIMEOUT) {
+                sessions.delete(sessionId);
+            }
+        }
+    }, 60 * 1000);
+    // Keep the interval from preventing process exit
+    if (cleanupInterval.unref) {
+        cleanupInterval.unref();
+    }
+    return {
+        get: (sessionId) => sessions.get(sessionId),
+        set: (sessionId, session) => sessions.set(sessionId, session),
+        delete: (sessionId) => sessions.delete(sessionId),
+        cleanup: () => {
+            clearInterval(cleanupInterval);
+            sessions.clear();
+        },
+    };
+}
+// Default session storage
+let defaultSessionStorage = null;
+function getDefaultSessionStorage() {
+    if (!defaultSessionStorage) {
+        defaultSessionStorage = createInMemorySessionStorage();
+    }
+    return defaultSessionStorage;
+}
+/**
+ * Generate a random session ID
+ */
+function generateSessionId() {
+    return `session_${Date.now()}_${Math.random().toString(36).substring(2, 15)}`;
+}
+/**
+ * Initiate email authentication using Turnkey OTP
+ * Sends a 6-digit OTP code to the user's email
+ */
+export async function initiateEmailAuth(email, turnkeyClient, sessionStorage) {
+    const storage = sessionStorage ?? getDefaultSessionStorage();
+    // Validate email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+        throw new Error('Invalid email format');
+    }
+    console.log(`\n🚀 Initiating email auth for: ${email}`);
+    // Step 1: Get or create Turnkey sub-organization
+    const subOrgId = await getOrCreateTurnkeySubOrg(email, turnkeyClient);
+    // Step 2: Send OTP via Turnkey
+    console.log(`📨 Sending OTP to ${email} via Turnkey...`);
+    // Generate a unique user identifier for rate limiting
+    const data = new TextEncoder().encode(email);
+    const hash = sha256(data);
+    const userIdentifier = bytesToHex(hash);
+    const otpResult = await turnkeyClient.apiClient().initOtp({
+        otpType: 'OTP_TYPE_EMAIL',
+        contact: email,
+        userIdentifier: userIdentifier,
+        appName: 'Originals',
+        otpLength: 6,
+        alphanumeric: false,
+    });
+    const otpId = otpResult.otpId;
+    if (!otpId) {
+        throw new Error('Failed to initiate OTP - no OTP ID returned');
+    }
+    console.log(`✅ OTP sent! OTP ID: ${otpId}`);
+    // Create auth session
+    const sessionId = generateSessionId();
+    storage.set(sessionId, {
+        email,
+        subOrgId,
+        otpId,
+        timestamp: Date.now(),
+        verified: false,
+    });
+    console.log('='.repeat(60));
+    console.log(`📧 Check ${email} for the verification code!`);
+    console.log(`   Session ID: ${sessionId}`);
+    console.log(`   Valid for: 15 minutes`);
+    console.log('='.repeat(60) + '\n');
+    return {
+        sessionId,
+        message: 'Verification code sent to your email. Check your inbox!',
+    };
+}
+/**
+ * Verify email authentication code using Turnkey OTP
+ */
+export async function verifyEmailAuth(sessionId, code, turnkeyClient, sessionStorage) {
+    const storage = sessionStorage ?? getDefaultSessionStorage();
+    const session = storage.get(sessionId);
+    if (!session) {
+        throw new Error('Invalid or expired session');
+    }
+    // Check if session has expired
+    if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
+        storage.delete(sessionId);
+        throw new Error('Session expired. Please request a new code.');
+    }
+    if (!session.otpId) {
+        throw new Error('OTP ID not found in session');
+    }
+    if (!session.subOrgId) {
+        throw new Error('Sub-organization ID not found');
+    }
+    console.log(`\n🔐 Verifying OTP for session ${sessionId}...`);
+    try {
+        // Verify the OTP code with Turnkey
+        const verifyResult = await turnkeyClient.apiClient().verifyOtp({
+            otpId: session.otpId,
+            otpCode: code,
+            expirationSeconds: '900', // 15 minutes
+        });
+        if (!verifyResult.verificationToken) {
+            throw new Error('OTP verification failed - no verification token returned');
+        }
+        console.log(`✅ OTP verified successfully!`);
+        // Mark session as verified
+        session.verified = true;
+        storage.set(sessionId, session);
+        return {
+            verified: true,
+            email: session.email,
+            subOrgId: session.subOrgId,
+        };
+    }
+    catch (error) {
+        console.error('❌ OTP verification failed:', error);
+        throw new Error(`Invalid verification code: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Check if a session is verified
+ */
+export function isSessionVerified(sessionId, sessionStorage) {
+    const storage = sessionStorage ?? getDefaultSessionStorage();
+    const session = storage.get(sessionId);
+    if (!session)
+        return false;
+    if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
+        storage.delete(sessionId);
+        return false;
+    }
+    return session.verified;
+}
+/**
+ * Clean up a session after successful login
+ */
+export function cleanupSession(sessionId, sessionStorage) {
+    const storage = sessionStorage ?? getDefaultSessionStorage();
+    storage.delete(sessionId);
+}
+/**
+ * Get session data
+ */
+export function getSession(sessionId, sessionStorage) {
+    const storage = sessionStorage ?? getDefaultSessionStorage();
+    const session = storage.get(sessionId);
+    if (!session)
+        return undefined;
+    // Check if expired
+    if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
+        storage.delete(sessionId);
+        return undefined;
+    }
+    return session;
+}
+//# sourceMappingURL=email-auth.js.map

package/dist/server/email-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-auth.js","sourceRoot":"","sources":["../../src/server/email-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEpD,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAE5D,oDAAoD;AACpD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAYvC;;;GAGG;AACH,MAAM,UAAU,4BAA4B;IAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA4B,CAAC;IAErD,yBAAyB;IACzB,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,IAAI,GAAG,GAAG,OAAO,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;gBAC9C,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC;IAEd,iDAAiD;IACjD,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;QAC1B,eAAe,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,GAAG,EAAE,CAAC,SAAiB,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;QACnD,GAAG,EAAE,CAAC,SAAiB,EAAE,OAAyB,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC;QACvF,MAAM,EAAE,CAAC,SAAiB,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;QACzD,OAAO,EAAE,GAAG,EAAE;YACZ,aAAa,CAAC,eAAe,CAAC,CAAC;YAC/B,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,0BAA0B;AAC1B,IAAI,qBAAqB,GAA0B,IAAI,CAAC;AAExD,SAAS,wBAAwB;IAC/B,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,qBAAqB,GAAG,4BAA4B,EAAE,CAAC;IACzD,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB;IACxB,OAAO,WAAW,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AAChF,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,aAAsB,EACtB,cAA+B;IAE/B,MAAM,OAAO,GAAG,cAAc,IAAI,wBAAwB,EAAE,CAAC;IAE7D,wBAAwB;IACxB,MAAM,UAAU,GAAG,4BAA4B,CAAC;IAChD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;IAExD,iDAAiD;IACjD,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IAEtE,+BAA+B;IAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,iBAAiB,CAAC,CAAC;IAEzD,sDAAsD;IACtD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAExC,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC;QACxD,OAAO,EAAE,gBAAgB;QACzB,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE,CAAC;QACZ,YAAY,EAAE,KAAK;KACpB,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC;IAE9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;IAE5C,sBAAsB;IACtB,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;QACrB,KAAK;QACL,QAAQ;QACR,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,6BAA6B,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAEnC,OAAO;QACL,SAAS;QACT,OAAO,EAAE,yDAAyD;KACnE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,SAAiB,EACjB,IAAY,EACZ,aAAsB,EACtB,cAA+B;IAE/B,MAAM,OAAO,GAAG,cAAc,IAAI,wBAAwB,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEvC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,+BAA+B;IAC/B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;QACrD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,kCAAkC,SAAS,KAAK,CAAC,CAAC;IAE9D,IAAI,CAAC;QACH,mCAAmC;QACnC,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC;YAC7D,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,KAAK,EAAE,aAAa;SACxC,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAE5C,2BAA2B;QAC3B,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAEhC,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACvF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAiB,EACjB,cAA+B;IAE/B,MAAM,OAAO,GAAG,cAAc,IAAI,wBAAwB,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEvC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;QACrD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,OAAO,CAAC,QAAQ,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,cAA+B;IAE/B,MAAM,OAAO,GAAG,cAAc,IAAI,wBAAwB,EAAE,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CACxB,SAAiB,EACjB,cAA+B;IAE/B,MAAM,OAAO,GAAG,cAAc,IAAI,wBAAwB,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEvC,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAE/B,mBAAmB;IACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;QACrD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Server-side authentication utilities
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   createAuthMiddleware,
+ *   initiateEmailAuth,
+ *   verifyEmailAuth,
+ *   signToken,
+ *   verifyToken,
+ *   createTurnkeyClient,
+ *   TurnkeyWebVHSigner
+ * } from '@originals/auth/server';
+ * ```
+ */
+export { createTurnkeyClient, getOrCreateTurnkeySubOrg } from './turnkey-client';
+export { initiateEmailAuth, verifyEmailAuth, isSessionVerified, cleanupSession, getSession, type SessionStorage, createInMemorySessionStorage, } from './email-auth';
+export { signToken, verifyToken, getAuthCookieConfig, getClearAuthCookieConfig, } from './jwt';
+export { createAuthMiddleware } from './middleware';
+export { TurnkeyWebVHSigner, createTurnkeySigner } from './turnkey-signer';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AACjF,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,KAAK,cAAc,EACnB,4BAA4B,GAC7B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/server/index.js

@@ -0,0 +1,22 @@
+/**
+ * Server-side authentication utilities
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   createAuthMiddleware,
+ *   initiateEmailAuth,
+ *   verifyEmailAuth,
+ *   signToken,
+ *   verifyToken,
+ *   createTurnkeyClient,
+ *   TurnkeyWebVHSigner
+ * } from '@originals/auth/server';
+ * ```
+ */
+export { createTurnkeyClient, getOrCreateTurnkeySubOrg } from './turnkey-client';
+export { initiateEmailAuth, verifyEmailAuth, isSessionVerified, cleanupSession, getSession, createInMemorySessionStorage, } from './email-auth';
+export { signToken, verifyToken, getAuthCookieConfig, getClearAuthCookieConfig, } from './jwt';
+export { createAuthMiddleware } from './middleware';
+export { TurnkeyWebVHSigner, createTurnkeySigner } from './turnkey-signer';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AACjF,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,UAAU,EAEV,4BAA4B,GAC7B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/server/jwt.d.ts

@@ -0,0 +1,49 @@
+/**
+ * JWT Authentication Module
+ * Implements secure token issuance and validation with HTTP-only cookies
+ */
+import type { TokenPayload, AuthCookieConfig } from '../types';
+/**
+ * Sign a JWT token for a user
+ * @param subOrgId - Turnkey sub-organization ID (stable identifier)
+ * @param email - User email (metadata)
+ * @param sessionToken - Optional Turnkey session token for user authentication
+ * @param options - Additional options
+ * @returns Signed JWT token string
+ */
+export declare function signToken(subOrgId: string, email: string, sessionToken?: string, options?: {
+    secret?: string;
+    expiresIn?: number;
+    issuer?: string;
+    audience?: string;
+}): string;
+/**
+ * Verify and decode a JWT token
+ * @param token - JWT token string
+ * @param options - Additional options
+ * @returns Decoded token payload
+ * @throws Error if token is invalid or expired
+ */
+export declare function verifyToken(token: string, options?: {
+    secret?: string;
+    issuer?: string;
+    audience?: string;
+}): TokenPayload;
+/**
+ * Generate a secure cookie configuration for authentication tokens
+ * @param token - JWT token to set in cookie
+ * @param options - Cookie options
+ * @returns Cookie configuration object
+ */
+export declare function getAuthCookieConfig(token: string, options?: {
+    cookieName?: string;
+    maxAge?: number;
+    secure?: boolean;
+}): AuthCookieConfig;
+/**
+ * Get cookie configuration for logout (clears the auth cookie)
+ * @param cookieName - Name of the cookie to clear
+ * @returns Cookie configuration for clearing
+ */
+export declare function getClearAuthCookieConfig(cookieName?: string): AuthCookieConfig;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/server/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/server/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAgB/D;;;;;;;GAOG;AACH,wBAAgB,SAAS,CACvB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,MAAM,CAuBR;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,YAAY,CAuBd;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,GACA,gBAAgB,CAclB;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,gBAAgB,CAc9E"}

package/dist/server/jwt.js

@@ -0,0 +1,113 @@
+/**
+ * JWT Authentication Module
+ * Implements secure token issuance and validation with HTTP-only cookies
+ */
+import jwt from 'jsonwebtoken';
+// 7 days in seconds
+const DEFAULT_JWT_EXPIRES_IN = 7 * 24 * 60 * 60;
+/**
+ * Get JWT secret from config or environment
+ */
+function getJwtSecret(configSecret) {
+    const secret = configSecret ?? process.env.JWT_SECRET;
+    if (!secret) {
+        throw new Error('JWT_SECRET environment variable is required');
+    }
+    return secret;
+}
+/**
+ * Sign a JWT token for a user
+ * @param subOrgId - Turnkey sub-organization ID (stable identifier)
+ * @param email - User email (metadata)
+ * @param sessionToken - Optional Turnkey session token for user authentication
+ * @param options - Additional options
+ * @returns Signed JWT token string
+ */
+export function signToken(subOrgId, email, sessionToken, options) {
+    if (!subOrgId) {
+        throw new Error('Sub-organization ID is required for token signing');
+    }
+    const secret = getJwtSecret(options?.secret);
+    const payload = {
+        sub: subOrgId,
+        email,
+    };
+    if (sessionToken) {
+        payload.sessionToken = sessionToken;
+    }
+    const signOptions = {
+        expiresIn: options?.expiresIn ?? DEFAULT_JWT_EXPIRES_IN,
+        issuer: options?.issuer ?? 'originals-auth',
+        audience: options?.audience ?? 'originals-api',
+    };
+    return jwt.sign(payload, secret, signOptions);
+}
+/**
+ * Verify and decode a JWT token
+ * @param token - JWT token string
+ * @param options - Additional options
+ * @returns Decoded token payload
+ * @throws Error if token is invalid or expired
+ */
+export function verifyToken(token, options) {
+    const secret = getJwtSecret(options?.secret);
+    try {
+        const payload = jwt.verify(token, secret, {
+            issuer: options?.issuer ?? 'originals-auth',
+            audience: options?.audience ?? 'originals-api',
+        });
+        if (!payload.sub) {
+            throw new Error('Token missing sub-organization ID');
+        }
+        return payload;
+    }
+    catch (error) {
+        if (error instanceof jwt.TokenExpiredError) {
+            throw new Error('Token has expired');
+        }
+        if (error instanceof jwt.JsonWebTokenError) {
+            throw new Error('Invalid token');
+        }
+        throw error;
+    }
+}
+/**
+ * Generate a secure cookie configuration for authentication tokens
+ * @param token - JWT token to set in cookie
+ * @param options - Cookie options
+ * @returns Cookie configuration object
+ */
+export function getAuthCookieConfig(token, options) {
+    const isProduction = process.env.NODE_ENV === 'production';
+    return {
+        name: options?.cookieName ?? 'auth_token',
+        value: token,
+        options: {
+            httpOnly: true, // Cannot be accessed by JavaScript (XSS protection)
+            secure: options?.secure ?? isProduction, // HTTPS only in production
+            sameSite: 'strict', // CSRF protection
+            maxAge: options?.maxAge ?? 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds
+            path: '/', // Available for all routes
+        },
+    };
+}
+/**
+ * Get cookie configuration for logout (clears the auth cookie)
+ * @param cookieName - Name of the cookie to clear
+ * @returns Cookie configuration for clearing
+ */
+export function getClearAuthCookieConfig(cookieName) {
+    const isProduction = process.env.NODE_ENV === 'production';
+    return {
+        name: cookieName ?? 'auth_token',
+        value: '',
+        options: {
+            httpOnly: true,
+            secure: isProduction,
+            sameSite: 'strict',
+            maxAge: 0, // Expire immediately
+            path: '/',
+        },
+    };
+}
+//# sourceMappingURL=jwt.js.map

package/dist/server/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/server/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,GAAG,MAAM,cAAc,CAAC;AAG/B,oBAAoB;AACpB,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEhD;;GAEG;AACH,SAAS,YAAY,CAAC,YAAqB;IACzC,MAAM,MAAM,GAAG,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACtD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CACvB,QAAgB,EAChB,KAAa,EACb,YAAqB,EACrB,OAKC;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE7C,MAAM,OAAO,GAA4B;QACvC,GAAG,EAAE,QAAQ;QACb,KAAK;KACN,CAAC;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,CAAC,YAAY,GAAG,YAAY,CAAC;IACtC,CAAC;IAED,MAAM,WAAW,GAAoB;QACnC,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,sBAAsB;QACvD,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,gBAAgB;QAC3C,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,eAAe;KAC/C,CAAC;IAEF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,KAAa,EACb,OAIC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE;YACxC,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,gBAAgB;YAC3C,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,eAAe;SAC/C,CAAiB,CAAC;QAEnB,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,KAAK,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,OAIC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAE3D,OAAO;QACL,IAAI,EAAE,OAAO,EAAE,UAAU,IAAI,YAAY;QACzC,KAAK,EAAE,KAAK;QACZ,OAAO,EAAE;YACP,QAAQ,EAAE,IAAI,EAAE,oDAAoD;YACpE,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,YAAY,EAAE,2BAA2B;YACpE,QAAQ,EAAE,QAAQ,EAAE,kBAAkB;YACtC,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,yBAAyB;YAC7E,IAAI,EAAE,GAAG,EAAE,2BAA2B;SACvC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,UAAmB;IAC1D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAE3D,OAAO;QACL,IAAI,EAAE,UAAU,IAAI,YAAY;QAChC,KAAK,EAAE,EAAE;QACT,OAAO,EAAE;YACP,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,CAAC,EAAE,qBAAqB;YAChC,IAAI,EAAE,GAAG;SACV;KACF,CAAC;AACJ,CAAC"}

package/dist/server/middleware.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Express authentication middleware factory
+ */
+import type { Request, Response, NextFunction } from 'express';
+import type { AuthMiddlewareOptions } from '../types';
+/**
+ * Create an authentication middleware for Express
+ *
+ * @example
+ * ```typescript
+ * import { createAuthMiddleware } from '@originals/auth/server';
+ *
+ * const authenticateUser = createAuthMiddleware({
+ *   getUserByTurnkeyId: async (turnkeyId) => {
+ *     return db.query.users.findFirst({
+ *       where: eq(users.turnkeySubOrgId, turnkeyId)
+ *     });
+ *   },
+ *   createUser: async (turnkeyId, email, temporaryDid) => {
+ *     return db.insert(users).values({
+ *       turnkeySubOrgId: turnkeyId,
+ *       email,
+ *       did: temporaryDid,
+ *     }).returning().then(rows => rows[0]);
+ *   }
+ * });
+ *
+ * app.get('/api/protected', authenticateUser, (req, res) => {
+ *   res.json({ user: req.user });
+ * });
+ * ```
+ */
+export declare function createAuthMiddleware(options: AuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void | Response>;
+/**
+ * Optional authentication middleware - doesn't fail if not authenticated
+ * Attaches user to request if valid token exists, otherwise continues without user
+ */
+export declare function createOptionalAuthMiddleware(options: AuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EAAE,qBAAqB,EAAkC,MAAM,UAAU,CAAC;AAEtF;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,qBAAqB,GAC7B,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAqD/E;AAED;;;GAGG;AACH,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,qBAAqB,GAC7B,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAkCpE"}

package/dist/server/middleware.js

@@ -0,0 +1,110 @@
+/**
+ * Express authentication middleware factory
+ */
+import { verifyToken } from './jwt';
+/**
+ * Create an authentication middleware for Express
+ *
+ * @example
+ * ```typescript
+ * import { createAuthMiddleware } from '@originals/auth/server';
+ *
+ * const authenticateUser = createAuthMiddleware({
+ *   getUserByTurnkeyId: async (turnkeyId) => {
+ *     return db.query.users.findFirst({
+ *       where: eq(users.turnkeySubOrgId, turnkeyId)
+ *     });
+ *   },
+ *   createUser: async (turnkeyId, email, temporaryDid) => {
+ *     return db.insert(users).values({
+ *       turnkeySubOrgId: turnkeyId,
+ *       email,
+ *       did: temporaryDid,
+ *     }).returning().then(rows => rows[0]);
+ *   }
+ * });
+ *
+ * app.get('/api/protected', authenticateUser, (req, res) => {
+ *   res.json({ user: req.user });
+ * });
+ * ```
+ */
+export function createAuthMiddleware(options) {
+    const cookieName = options.cookieName ?? 'auth_token';
+    return async (req, res, next) => {
+        try {
+            // Get JWT token from HTTP-only cookie
+            const token = req.cookies?.[cookieName];
+            if (!token) {
+                return res.status(401).json({ error: 'Not authenticated' });
+            }
+            // Verify JWT token
+            const payload = verifyToken(token, { secret: options.jwtSecret });
+            const turnkeySubOrgId = payload.sub;
+            const email = payload.email;
+            // Check if user already exists
+            let user = await options.getUserByTurnkeyId(turnkeySubOrgId);
+            // If user doesn't exist and createUser is provided, create user
+            if (!user && options.createUser) {
+                console.log(`Creating user record for ${email}...`);
+                // Use temporary DID as placeholder until user creates real DID
+                const temporaryDid = `temp:turnkey:${turnkeySubOrgId}`;
+                user = await options.createUser(turnkeySubOrgId, email, temporaryDid);
+                console.log(`✅ User created: ${email}`);
+                console.log(`   Turnkey sub-org ID: ${turnkeySubOrgId}`);
+                console.log(`   Temporary DID: ${temporaryDid}`);
+            }
+            if (!user) {
+                return res.status(401).json({ error: 'User not found' });
+            }
+            // Add user info to request
+            req.user = {
+                id: user.id,
+                turnkeySubOrgId,
+                email,
+                did: user.did,
+                sessionToken: payload.sessionToken,
+            };
+            next();
+        }
+        catch (error) {
+            console.error('Authentication error:', error);
+            return res.status(401).json({ error: 'Invalid or expired token' });
+        }
+    };
+}
+/**
+ * Optional authentication middleware - doesn't fail if not authenticated
+ * Attaches user to request if valid token exists, otherwise continues without user
+ */
+export function createOptionalAuthMiddleware(options) {
+    const cookieName = options.cookieName ?? 'auth_token';
+    return async (req, res, next) => {
+        try {
+            const token = req.cookies?.[cookieName];
+            if (!token) {
+                next();
+                return;
+            }
+            const payload = verifyToken(token, { secret: options.jwtSecret });
+            const turnkeySubOrgId = payload.sub;
+            const email = payload.email;
+            const user = await options.getUserByTurnkeyId(turnkeySubOrgId);
+            if (user) {
+                req.user = {
+                    id: user.id,
+                    turnkeySubOrgId,
+                    email,
+                    did: user.did,
+                    sessionToken: payload.sessionToken,
+                };
+            }
+            next();
+        }
+        catch {
+            // Token invalid or expired, continue without user
+            next();
+        }
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/server/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAGpC;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAA8B;IAE9B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IAEtD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAA4B,EAAE;QACzF,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;YAExC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,mBAAmB;YACnB,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC;YACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;YAE5B,+BAA+B;YAC/B,IAAI,IAAI,GAAoB,MAAM,OAAO,CAAC,kBAAkB,CAAC,eAAe,CAAC,CAAC;YAE9E,gEAAgE;YAChE,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,KAAK,CAAC,CAAC;gBAEpD,+DAA+D;gBAC/D,MAAM,YAAY,GAAG,gBAAgB,eAAe,EAAE,CAAC;gBAEvD,IAAI,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,eAAe,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;gBAEtE,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,0BAA0B,eAAe,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,GAAG,CAAC,qBAAqB,YAAY,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAC3D,CAAC;YAED,2BAA2B;YAC1B,GAAsC,CAAC,IAAI,GAAG;gBAC7C,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,eAAe;gBACf,KAAK;gBACL,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAC1C,OAA8B;IAE9B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IAEtD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;YAExC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO;YACT,CAAC;YAED,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC;YACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;YAE5B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,kBAAkB,CAAC,eAAe,CAAC,CAAC;YAE/D,IAAI,IAAI,EAAE,CAAC;gBACR,GAAsC,CAAC,IAAI,GAAG;oBAC7C,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,eAAe;oBACf,KAAK;oBACL,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,YAAY,EAAE,OAAO,CAAC,YAAY;iBACnC,CAAC;YACJ,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,kDAAkD;YAClD,IAAI,EAAE,CAAC;QACT,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/turnkey-client.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Server-side Turnkey client utilities
+ */
+import { Turnkey } from '@turnkey/sdk-server';
+export interface TurnkeyClientConfig {
+    /** Turnkey API base URL (default: https://api.turnkey.com) */
+    apiBaseUrl?: string;
+    /** Turnkey API public key */
+    apiPublicKey: string;
+    /** Turnkey API private key */
+    apiPrivateKey: string;
+    /** Default organization ID */
+    organizationId: string;
+}
+/**
+ * Create a Turnkey server client
+ */
+export declare function createTurnkeyClient(config?: Partial<TurnkeyClientConfig>): Turnkey;
+/**
+ * Get or create a Turnkey sub-organization for a user
+ * Creates sub-org with email-only root user and required wallet accounts
+ */
+export declare function getOrCreateTurnkeySubOrg(email: string, turnkeyClient: Turnkey): Promise<string>;
+//# sourceMappingURL=turnkey-client.d.ts.map

package/dist/server/turnkey-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"turnkey-client.d.ts","sourceRoot":"","sources":["../../src/server/turnkey-client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAE9C,MAAM,WAAW,mBAAmB;IAClC,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAqBlF;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,OAAO,GACrB,OAAO,CAAC,MAAM,CAAC,CAkGjB"}