@owox/idp-owox-better-auth 0.18.0

package/dist/services/core/user-context-service.d.ts

@@ -0,0 +1,23 @@
+import { Payload } from '@owox/idp-protocol';
+import { Logger } from '@owox/internal-helpers';
+import { OwoxTokenFacade } from '../../facades/owox-token-facade.js';
+import type { DatabaseStore } from '../../store/database-store.js';
+import type { DatabaseAccount, DatabaseUser } from '../../types/database-models.js';
+export interface UserContext {
+    payload: Payload;
+    user: DatabaseUser;
+    account: DatabaseAccount;
+}
+/**
+ * Responsible for resolving Better Auth user/account from any JWT token
+ * (access or refresh) that contains an email claim.
+ */
+export declare class UserContextService {
+    private readonly store;
+    private readonly tokenFacade;
+    private readonly logger?;
+    constructor(store: DatabaseStore, tokenFacade: OwoxTokenFacade, logger?: Logger | undefined);
+    resolveFromToken(token: string): Promise<UserContext>;
+    private normalizeEmail;
+}
+//# sourceMappingURL=user-context-service.d.ts.map

package/dist/services/core/user-context-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-context-service.d.ts","sourceRoot":"","sources":["../../../src/services/core/user-context-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAEhD,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAEpF,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,OAAO,EAAE,eAAe,CAAC;CAC1B;AAED;;;GAGG;AACH,qBAAa,kBAAkB;IAE3B,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,KAAK,EAAE,aAAa,EACpB,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,EAAE,MAAM,YAAA;IAG5B,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IA2C3D,OAAO,CAAC,cAAc;CAIvB"}

package/dist/services/core/user-context-service.js

@@ -0,0 +1,54 @@
+import { AuthenticationException } from '../../core/exceptions.js';
+/**
+ * Responsible for resolving Better Auth user/account from any JWT token
+ * (access or refresh) that contains an email claim.
+ */
+export class UserContextService {
+    store;
+    tokenFacade;
+    logger;
+    constructor(store, tokenFacade, logger) {
+        this.store = store;
+        this.tokenFacade = tokenFacade;
+        this.logger = logger;
+    }
+    async resolveFromToken(token) {
+        const payload = await this.tokenFacade.parseToken(token);
+        if (!payload || !payload.email) {
+            throw new AuthenticationException('Invalid token payload: email is missing');
+        }
+        const normalizedEmail = this.normalizeEmail(payload.email);
+        if (!normalizedEmail) {
+            throw new AuthenticationException('Invalid token payload: email is malformed', {
+                context: { email: payload.email },
+            });
+        }
+        const user = await this.store.getUserByEmail(normalizedEmail);
+        if (!user) {
+            throw new AuthenticationException('User not found in Better Auth DB', {
+                context: { email: normalizedEmail },
+            });
+        }
+        if (user.emailVerified !== true) {
+            throw new AuthenticationException('User email is not verified in Better Auth DB', {
+                context: { email: normalizedEmail, userId: user.id, emailVerified: user.emailVerified },
+            });
+        }
+        const account = await this.store.getAccountByUserId(user.id);
+        if (!account) {
+            throw new AuthenticationException('Account not found for user', {
+                context: { userId: user.id, email: normalizedEmail },
+            });
+        }
+        this.logger?.debug?.('Resolved user context from token', {
+            email: normalizedEmail,
+            userId: user.id,
+            accountId: account.accountId,
+        });
+        return { payload, user, account };
+    }
+    normalizeEmail(email) {
+        const normalized = email.trim().toLowerCase();
+        return normalized.length > 0 ? normalized : null;
+    }
+}

package/dist/services/middleware/middleware-service.d.ts

@@ -0,0 +1,19 @@
+import { type NextFunction, type Request, type Response } from 'express';
+import { IdpOwoxConfig } from '../../config/idp-owox-config.js';
+import type { DatabaseStore } from '../../store/database-store.js';
+import { PkceFlowOrchestrator } from '../auth/pkce-flow-orchestrator.js';
+import { PageService } from '../rendering/page-service.js';
+/**
+ * Express middleware handlers for starting PKCE and fast-path sign-in.
+ */
+export declare class MiddlewareService {
+    private readonly pageService;
+    private readonly idpOwoxConfig;
+    private readonly store;
+    private readonly pkceFlowOrchestrator;
+    constructor(pageService: PageService, idpOwoxConfig: IdpOwoxConfig, store: DatabaseStore, pkceFlowOrchestrator: PkceFlowOrchestrator);
+    idpStartMiddleware(req: Request, res: Response): Promise<void>;
+    signInMiddleware(req: Request, res: Response, _next: NextFunction): Promise<void | Response>;
+    signUpMiddleware(req: Request, res: Response, _next: NextFunction): Promise<void | Response>;
+}
+//# sourceMappingURL=middleware-service.d.ts.map

package/dist/services/middleware/middleware-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware-service.d.ts","sourceRoot":"","sources":["../../../src/services/middleware/middleware-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEzE,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAIhE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAInE,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAE3D;;GAEG;AACH,qBAAa,iBAAiB;IAE1B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,oBAAoB;gBAHpB,WAAW,EAAE,WAAW,EACxB,aAAa,EAAE,aAAa,EAC5B,KAAK,EAAE,aAAa,EACpB,oBAAoB,EAAE,oBAAoB;IAGvD,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IA2B9D,gBAAgB,CACpB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC;IAoBrB,gBAAgB,CACpB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC;CAG5B"}

package/dist/services/middleware/middleware-service.js

@@ -0,0 +1,62 @@
+import ms from 'ms';
+import { SOURCE } from '../../core/constants.js';
+import { logger } from '../../core/logger.js';
+import { generatePkce, generateState } from '../../core/pkce.js';
+import { buildAuthRequestContext } from '../../types/auth-request-context.js';
+import { buildPlatformEntryUrl } from '../../utils/platform-redirect-builder.js';
+import { extractPlatformParams } from '../../utils/request-utils.js';
+/**
+ * Express middleware handlers for starting PKCE and fast-path sign-in.
+ */
+export class MiddlewareService {
+    pageService;
+    idpOwoxConfig;
+    store;
+    pkceFlowOrchestrator;
+    constructor(pageService, idpOwoxConfig, store, pkceFlowOrchestrator) {
+        this.pageService = pageService;
+        this.idpOwoxConfig = idpOwoxConfig;
+        this.store = store;
+        this.pkceFlowOrchestrator = pkceFlowOrchestrator;
+    }
+    async idpStartMiddleware(req, res) {
+        try {
+            await this.store.initialize();
+            const { codeVerifier, codeChallenge } = await generatePkce();
+            const state = generateState();
+            const expiresAt = new Date(Date.now() + ms('1m'));
+            await this.store.saveAuthState(state, codeVerifier, expiresAt);
+            const { redirectTo, appRedirectTo, projectId } = extractPlatformParams(req);
+            const platformUrl = buildPlatformEntryUrl({
+                authUrl: this.idpOwoxConfig.idpConfig.platformSignInUrl,
+                defaultSource: SOURCE.APP,
+                params: { redirectTo, appRedirectTo, projectId },
+                allowedRedirectOrigins: this.idpOwoxConfig.idpConfig.allowedRedirectOrigins,
+            });
+            platformUrl.searchParams.set('state', state);
+            platformUrl.searchParams.set('codeChallenge', codeChallenge);
+            platformUrl.searchParams.set('clientId', this.idpOwoxConfig.idpConfig.clientId);
+            return res.redirect(platformUrl.toString());
+        }
+        catch (error) {
+            logger.error('Failed to start IDP flow', {}, error);
+            res.status(500).end('Failed to start IDP flow');
+        }
+    }
+    async signInMiddleware(req, res, _next) {
+        const context = buildAuthRequestContext(req);
+        if (context.state && context.refreshToken) {
+            const fastRedirect = await this.pkceFlowOrchestrator.completeWithIdentityRefreshToken(context.refreshToken, context.platformParams, req, res);
+            if (fastRedirect) {
+                logger.info('Fast-path completeAuthFlow redirectUrl', {
+                    redirectUrl: fastRedirect.toString(),
+                });
+                return res.redirect(fastRedirect.toString());
+            }
+        }
+        return this.pageService.signInPage.bind(this.pageService)(req, res);
+    }
+    async signUpMiddleware(req, res, _next) {
+        return this.pageService.signUpPage.bind(this.pageService)(req, res);
+    }
+}

package/dist/services/middleware/request-handler-service.d.ts

@@ -0,0 +1,18 @@
+import { type Express, type Request as ExpressRequest } from 'express';
+import { PkceFlowOrchestrator } from '../auth/pkce-flow-orchestrator.js';
+import { createBetterAuthConfig } from '../../config/idp-better-auth-config.js';
+/**
+ * Proxies Better Auth requests and completes social login flow.
+ */
+export declare class RequestHandlerService {
+    private readonly auth;
+    private readonly pkceFlowOrchestrator;
+    private static readonly AUTH_ROUTE_PREFIX;
+    constructor(auth: Awaited<ReturnType<typeof createBetterAuthConfig>>, pkceFlowOrchestrator: PkceFlowOrchestrator);
+    setupBetterAuthHandler(expressApp: Express): void;
+    private getSessionTokenFromResponse;
+    private escapeRegex;
+    private tryCompleteAuthFlow;
+    convertExpressToFetchRequest(req: ExpressRequest): Request;
+}
+//# sourceMappingURL=request-handler-service.d.ts.map

package/dist/services/middleware/request-handler-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-handler-service.d.ts","sourceRoot":"","sources":["../../../src/services/middleware/request-handler-service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,IAAI,cAAc,EAG/B,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AAKhF;;GAEG;AACH,qBAAa,qBAAqB;IAI9B,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IAJvC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAuB;gBAG7C,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC,EACxD,oBAAoB,EAAE,oBAAoB;IAG7D,sBAAsB,CAAC,UAAU,EAAE,OAAO,GAAG,IAAI;IA6BjD,OAAO,CAAC,2BAA2B;IA0BnC,OAAO,CAAC,WAAW;YAIL,mBAAmB;IAqBjC,4BAA4B,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO;CAuD3D"}

package/dist/services/middleware/request-handler-service.js

@@ -0,0 +1,131 @@
+import { BETTER_AUTH_SESSION_COOKIE } from '../../core/constants.js';
+import { logger } from '../../core/logger.js';
+import { extractPlatformParams } from '../../utils/request-utils.js';
+/**
+ * Proxies Better Auth requests and completes social login flow.
+ */
+export class RequestHandlerService {
+    auth;
+    pkceFlowOrchestrator;
+    static AUTH_ROUTE_PREFIX = '/auth/better-auth';
+    constructor(auth, pkceFlowOrchestrator) {
+        this.auth = auth;
+        this.pkceFlowOrchestrator = pkceFlowOrchestrator;
+    }
+    setupBetterAuthHandler(expressApp) {
+        expressApp.use(async (req, res, next) => {
+            if (!req.path.startsWith(RequestHandlerService.AUTH_ROUTE_PREFIX)) {
+                return next();
+            }
+            try {
+                const fetchRequest = this.convertExpressToFetchRequest(req);
+                const response = await this.auth.handler(fetchRequest);
+                const redirected = await this.tryCompleteAuthFlow(req, response, res);
+                if (redirected) {
+                    return;
+                }
+                response.headers.forEach((value, key) => {
+                    res.set(key, value);
+                });
+                res.status(response.status);
+                const body = await response.text();
+                res.send(body);
+            }
+            catch (error) {
+                logger.error('Auth handler error', { path: req.path }, error);
+                res.status(500).json({ error: 'Internal server error' });
+            }
+        });
+    }
+    getSessionTokenFromResponse(response) {
+        const rawHeaders = [];
+        const getSetCookieFn = response.headers
+            .getSetCookie;
+        const getSetCookie = typeof getSetCookieFn === 'function'
+            ? getSetCookieFn.bind(response.headers)
+            : undefined;
+        if (typeof getSetCookie === 'function') {
+            rawHeaders.push(...getSetCookie());
+        }
+        const header = response.headers.get('set-cookie');
+        if (header) {
+            rawHeaders.push(...header.split(/,(?=[^;]+=[^;]+)/g));
+        }
+        const cookieName = this.escapeRegex(BETTER_AUTH_SESSION_COOKIE);
+        for (const h of rawHeaders) {
+            const match = h.match(new RegExp(`${cookieName}=([^;]+)`));
+            if (match && match[1]) {
+                return decodeURIComponent(match[1]);
+            }
+        }
+        return null;
+    }
+    escapeRegex(value) {
+        return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+    async tryCompleteAuthFlow(req, response, res) {
+        const sessionToken = this.getSessionTokenFromResponse(response);
+        if (!sessionToken)
+            return false;
+        const redirectUrl = await this.pkceFlowOrchestrator.completeWithSocialSessionToken(sessionToken, extractPlatformParams(req), req, res);
+        if (redirectUrl) {
+            res.redirect(redirectUrl.toString());
+            return true;
+        }
+        return false;
+    }
+    convertExpressToFetchRequest(req) {
+        try {
+            const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`;
+            const method = req.method.toUpperCase();
+            const headers = new Headers();
+            for (const [key, value] of Object.entries(req.headers)) {
+                if (!value)
+                    continue;
+                if (Array.isArray(value)) {
+                    headers.set(key, value.join(', '));
+                }
+                else {
+                    headers.set(key, String(value));
+                }
+            }
+            let body = null;
+            if (method !== 'GET' && method !== 'HEAD') {
+                const rawBody = req.body;
+                if (rawBody !== undefined && rawBody !== null) {
+                    if (Buffer.isBuffer(rawBody)) {
+                        body = rawBody;
+                    }
+                    else if (typeof rawBody === 'string') {
+                        body = rawBody;
+                    }
+                    else {
+                        body = JSON.stringify(rawBody);
+                        if (!headers.has('content-type')) {
+                            headers.set('content-type', 'application/json');
+                        }
+                    }
+                    // Ensure content-length matches the rebuilt payload (or let fetch set it)
+                    headers.delete('content-length');
+                    if (typeof body === 'string') {
+                        headers.set('content-length', Buffer.byteLength(body).toString());
+                    }
+                    else if (Buffer.isBuffer(body)) {
+                        headers.set('content-length', body.byteLength.toString());
+                    }
+                }
+            }
+            const fetchBody = body === null ? null : typeof body === 'string' ? body : new Uint8Array(body);
+            const fetchRequest = new Request(url, {
+                method,
+                headers,
+                body: fetchBody ?? undefined,
+            });
+            return fetchRequest;
+        }
+        catch (error) {
+            logger.error('Failed to convert Express request to Fetch request', {}, error);
+            throw new Error('Failed to convert request format');
+        }
+    }
+}

package/dist/services/rendering/page-service.d.ts

@@ -0,0 +1,11 @@
+import { type Express, type Request as ExpressRequest, type Response as ExpressResponse } from 'express';
+/**
+ * Renders static auth pages and persists platform context.
+ */
+export declare class PageService {
+    private persistPlatformContext;
+    signInPage(req: ExpressRequest, res: ExpressResponse): Promise<void>;
+    signUpPage(req: ExpressRequest, res: ExpressResponse): Promise<void>;
+    registerRoutes(express: Express): void;
+}
+//# sourceMappingURL=page-service.d.ts.map

package/dist/services/rendering/page-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"page-service.d.ts","sourceRoot":"","sources":["../../../src/services/rendering/page-service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,IAAI,cAAc,EAC9B,KAAK,QAAQ,IAAI,eAAe,EACjC,MAAM,SAAS,CAAC;AAMjB;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,sBAAsB;IAMxB,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAKpE,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAK1E,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;CAIvC"}

package/dist/services/rendering/page-service.js

@@ -0,0 +1,26 @@
+import { ProtocolRoute } from '@owox/idp-protocol';
+import { TemplateService } from '../rendering/template-service.js';
+import { extractPlatformParams, persistPlatformContext } from '../../utils/request-utils.js';
+const AUTH_BASE_PATH = '/auth';
+/**
+ * Renders static auth pages and persists platform context.
+ */
+export class PageService {
+    persistPlatformContext(req, res) {
+        const state = typeof req.query?.state === 'string' ? req.query.state : undefined;
+        const params = extractPlatformParams(req);
+        persistPlatformContext(req, res, { state, params });
+    }
+    async signInPage(req, res) {
+        this.persistPlatformContext(req, res);
+        res.send(TemplateService.renderSignIn());
+    }
+    async signUpPage(req, res) {
+        this.persistPlatformContext(req, res);
+        res.send(TemplateService.renderSignUp());
+    }
+    registerRoutes(express) {
+        const signInPath = `${AUTH_BASE_PATH}${ProtocolRoute.SIGN_IN}`;
+        express.get(AUTH_BASE_PATH, (_req, res) => res.redirect(signInPath));
+    }
+}

package/dist/services/rendering/template-service.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Loads and renders EJS templates for auth pages with layout composition.
+ */
+export declare class TemplateService {
+    private static getTemplatePath;
+    private static loadTemplate;
+    /**
+     * Renders an EJS template with layout composition.
+     * @param pagePath - Path to page template (e.g., 'pages/sign-in.ejs')
+     * @param layoutPath - Path to layout template (e.g., 'layouts/auth.ejs')
+     * @param data - Data to pass to templates
+     */
+    private static renderWithLayout;
+    static renderSignIn(): string;
+    static renderSignUp(): string;
+}
+//# sourceMappingURL=template-service.d.ts.map

package/dist/services/rendering/template-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"template-service.d.ts","sourceRoot":"","sources":["../../../src/services/rendering/template-service.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,eAAe;IAqB9B,OAAO,CAAC,MAAM,CAAC,YAAY;IAK3B;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAsBjB,YAAY,IAAI,MAAM;WAOtB,YAAY,IAAI,MAAM;CAMrC"}

package/dist/services/rendering/template-service.js

@@ -0,0 +1,52 @@
+import ejs from 'ejs';
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join } from 'path';
+import { fileURLToPath } from 'url';
+/**
+ * Loads and renders EJS templates for auth pages with layout composition.
+ */
+export class TemplateService {
+    static getTemplatePath(templateName) {
+        const currentDir = dirname(fileURLToPath(import.meta.url));
+        const distPath = join(currentDir, '..', '..', 'resources', 'templates', templateName);
+        if (existsSync(distPath)) {
+            return distPath;
+        }
+        const srcPath = join(currentDir, '..', '..', '..', 'src', 'resources', 'templates', templateName);
+        return srcPath;
+    }
+    static loadTemplate(templateName) {
+        const templatePath = this.getTemplatePath(templateName);
+        return readFileSync(templatePath, 'utf-8');
+    }
+    /**
+     * Renders an EJS template with layout composition.
+     * @param pagePath - Path to page template (e.g., 'pages/sign-in.ejs')
+     * @param layoutPath - Path to layout template (e.g., 'layouts/auth.ejs')
+     * @param data - Data to pass to templates
+     */
+    static renderWithLayout(pagePath, layoutPath, data) {
+        // 1. Load and render page content
+        const pageTemplate = this.loadTemplate(pagePath);
+        const pageContent = ejs.render(pageTemplate, data, {
+            filename: this.getTemplatePath(pagePath),
+        });
+        // 2. Load and render layout with page content injected
+        const layoutTemplate = this.loadTemplate(layoutPath);
+        return ejs.render(layoutTemplate, { ...data, body: pageContent }, {
+            filename: this.getTemplatePath(layoutPath),
+        });
+    }
+    static renderSignIn() {
+        return this.renderWithLayout('pages/sign-in.ejs', 'layouts/auth.ejs', {
+            pageTitle: 'Sign In - OWOX Data Marts',
+            heading: 'Sign in to OWOX using your Google account',
+        });
+    }
+    static renderSignUp() {
+        return this.renderWithLayout('pages/sign-up.ejs', 'layouts/auth.ejs', {
+            pageTitle: 'Sign Up - OWOX Data Marts',
+            heading: 'Sign up to OWOX using your Google account',
+        });
+    }
+}

package/dist/social/google-provider.d.ts

@@ -0,0 +1,35 @@
+import { Profile, ProviderLogger, SocialProvider, SocialUser } from './social-provider.js';
+export type GoogleProviderOptions = {
+    clientId?: string;
+    clientSecret?: string;
+    redirectURI?: string;
+    prompt?: string;
+    accessType?: string;
+    logger?: ProviderLogger;
+};
+/**
+ * Maps Google OAuth profile data into the app user format.
+ */
+export declare class GoogleProvider implements SocialProvider {
+    private readonly opts;
+    providerId: string;
+    constructor(opts: GoogleProviderOptions);
+    private validate;
+    private selectAccountId;
+    buildConfig(): {
+        clientId: string | undefined;
+        clientSecret: string | undefined;
+        redirectURI: string | undefined;
+        prompt: string;
+        accessType: string;
+        mapProfileToUser: (profile: Record<string, unknown>) => {
+            id: string;
+            email: string | null;
+            name: string | null;
+            image: string | null;
+            emailVerified: boolean;
+        };
+    };
+    mapProfile(profile: Profile): SocialUser;
+}
+//# sourceMappingURL=google-provider.d.ts.map

package/dist/social/google-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google-provider.d.ts","sourceRoot":"","sources":["../../src/social/google-provider.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAE3F,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,qBAAa,cAAe,YAAW,cAAc;IAGvC,OAAO,CAAC,QAAQ,CAAC,IAAI;IAF1B,UAAU,SAAY;gBAEA,IAAI,EAAE,qBAAqB;IAIxD,OAAO,CAAC,QAAQ;IAShB,OAAO,CAAC,eAAe;IAKvB,WAAW;;;;;;oCAOqB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;;IAQvD,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,UAAU;CA8BzC"}

package/dist/social/google-provider.js

@@ -0,0 +1,55 @@
+import { LogLevel } from '@owox/internal-helpers';
+/**
+ * Maps Google OAuth profile data into the app user format.
+ */
+export class GoogleProvider {
+    opts;
+    providerId = 'google';
+    constructor(opts) {
+        this.opts = opts;
+        this.validate();
+    }
+    validate() {
+        const missing = ['clientId', 'clientSecret'].filter(key => !this.opts[key]);
+        if (missing.length) {
+            throw new Error(`[google] Missing required secrets: ${missing.join(', ')}`);
+        }
+    }
+    selectAccountId(profile) {
+        const p = profile;
+        return p.sub ? String(p.sub) : '';
+    }
+    buildConfig() {
+        return {
+            clientId: this.opts.clientId,
+            clientSecret: this.opts.clientSecret,
+            redirectURI: this.opts.redirectURI,
+            prompt: this.opts.prompt ?? 'select_account',
+            accessType: this.opts.accessType ?? 'offline',
+            mapProfileToUser: (profile) => {
+                const mapped = this.mapProfile(profile);
+                const { accountId, ...user } = mapped;
+                return { ...user, id: accountId };
+            },
+        };
+    }
+    mapProfile(profile) {
+        this.opts.logger?.log(LogLevel.INFO, `${this.providerId}-profile`, { profile });
+        const p = profile;
+        const accountId = this.selectAccountId(p);
+        if (!accountId) {
+            throw new Error('[google] Unable to resolve accountId (sub is missing)');
+        }
+        const email = p.email ?? null;
+        if (!email) {
+            throw new Error('[google] Email is required in profile');
+        }
+        return {
+            accountId,
+            email,
+            name: p.name ?? p.given_name ?? null,
+            image: p.picture ?? null,
+            emailVerified: Boolean(p.email_verified),
+        };
+    }
+}

package/dist/social/social-provider.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Shared types and contracts for social auth providers.
+ */
+import { LogLevel } from '@owox/internal-helpers';
+export type Profile = Record<string, unknown>;
+export type SocialUser = {
+    accountId: string;
+    email: string | null;
+    name: string | null;
+    image: string | null;
+    emailVerified: boolean;
+};
+export type ProviderLogger = {
+    log: (level: LogLevel, message: string, meta?: Record<string, unknown>) => void;
+};
+/**
+ * Defines how a social provider maps a profile to a user object.
+ */
+export interface SocialProvider {
+    providerId: string;
+    mapProfile(profile: Profile): SocialUser;
+}
+//# sourceMappingURL=social-provider.d.ts.map

package/dist/social/social-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"social-provider.d.ts","sourceRoot":"","sources":["../../src/social/social-provider.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAElD,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE9C,MAAM,MAAM,UAAU,GAAG;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,GAAG,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CACjF,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,UAAU,CAAC;CAC1C"}

package/dist/social/social-provider.js

@@ -0,0 +1 @@
+export {};

package/dist/store/database-store-factory.d.ts

@@ -0,0 +1,8 @@
+import type { DbConfig } from '../config/idp-owox-config.js';
+import type { DatabaseConfig } from '../types/index.js';
+import type { DatabaseStore } from './database-store.js';
+/**
+ * Creates a database store implementation based on config.
+ */
+export declare function createDatabaseStore(database: DatabaseConfig | DbConfig): DatabaseStore;
+//# sourceMappingURL=database-store-factory.d.ts.map

package/dist/store/database-store-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database-store-factory.d.ts","sourceRoot":"","sources":["../../src/store/database-store-factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,KAAK,EAAE,cAAc,EAA6B,MAAM,mBAAmB,CAAC;AACnF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAezD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,cAAc,GAAG,QAAQ,GAAG,aAAa,CA2BtF"}

package/dist/store/database-store-factory.js

@@ -0,0 +1,38 @@
+import { MysqlDatabaseStore } from './mysql-database-store.js';
+import { SqliteDatabaseStore } from './sqlite-database-store.js';
+function normalizeConfig(database) {
+    const config = database;
+    if (config.type === 'sqlite' || config.type === 'mysql') {
+        return config;
+    }
+    throw new Error(`Unsupported database config shape: ${database.type ?? 'unknown'}`);
+}
+/**
+ * Creates a database store implementation based on config.
+ */
+export function createDatabaseStore(database) {
+    const normalized = normalizeConfig(database);
+    switch (normalized.type) {
+        case 'sqlite': {
+            const cfg = normalized;
+            if (!cfg.filename) {
+                throw new Error('SQLite filename is required but missing');
+            }
+            const dbPath = cfg.filename;
+            return new SqliteDatabaseStore(dbPath);
+        }
+        case 'mysql': {
+            const cfg = normalized;
+            return new MysqlDatabaseStore({
+                host: cfg.host,
+                user: cfg.user,
+                password: cfg.password,
+                database: cfg.database,
+                port: cfg.port ?? 3306,
+                ssl: cfg.ssl,
+            });
+        }
+        default:
+            throw new Error(`Unsupported database type for store: ${normalized.type}`);
+    }
+}

package/dist/store/database-store.d.ts

@@ -0,0 +1,20 @@
+import { DatabaseAccount, DatabaseOperationResult, DatabaseUser } from '../types/index.js';
+import { StoreResult } from './store-result.js';
+/**
+ * Contract for database operations used by Better Auth and PKCE storage.
+ */
+export interface DatabaseStore {
+    initialize(): Promise<void>;
+    isHealthy(): Promise<boolean>;
+    cleanupExpiredSessions(): Promise<DatabaseOperationResult>;
+    shutdown(): Promise<void>;
+    getAdapter(): Promise<unknown>;
+    getUserById(userId: string): Promise<DatabaseUser | null>;
+    getUserByEmail(email: string): Promise<DatabaseUser | null>;
+    getAccountByUserId(userId: string): Promise<DatabaseAccount | null>;
+    saveAuthState(state: string, codeVerifier: string, expiresAt?: Date | null): Promise<void>;
+    getAuthState(state: string): Promise<StoreResult>;
+    deleteAuthState(state: string): Promise<void>;
+    purgeExpiredAuthStates(): Promise<number>;
+}
+//# sourceMappingURL=database-store.d.ts.map

package/dist/store/database-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database-store.d.ts","sourceRoot":"","sources":["../../src/store/database-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC3F,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,aAAa;IAE5B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9B,sBAAsB,IAAI,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC3D,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAG1B,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAG/B,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IAC1D,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IAC5D,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAGpE,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3F,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAClD,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC3C"}

package/dist/store/database-store.js

@@ -0,0 +1 @@
+export {};