@owox/idp-protocol 0.4.0

package/dist/types/cli.js

@@ -0,0 +1 @@
+export {};

package/dist/types/config.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Configuration for the IDP provider
+ */
+export interface IdpConfig {
+    /**
+     * Base URL for the IDP provider
+     */
+    baseUrl: string;
+    /**
+     * Additional provider-specific configuration
+     */
+    [key: string]: unknown;
+}
+//# sourceMappingURL=config.d.ts.map

package/dist/types/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/types/config.js

@@ -0,0 +1 @@
+export {};

package/dist/types/errors.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Base error class for the IDP protocol
+ */
+export declare class IdpError extends Error {
+    code: string;
+    statusCode: number;
+    constructor(message: string, code: string, statusCode?: number);
+}
+/**
+ * Authentication error
+ */
+export declare class AuthenticationError extends IdpError {
+    constructor(message?: string);
+}
+/**
+ * Authorization error
+ */
+export declare class AuthorizationError extends IdpError {
+    constructor(message?: string);
+}
+/**
+ * Token expired error
+ */
+export declare class TokenExpiredError extends IdpError {
+    constructor(message?: string);
+}
+/**
+ * Invalid token error
+ */
+export declare class InvalidTokenError extends IdpError {
+    constructor(message?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/types/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/types/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,QAAS,SAAQ,KAAK;IAGxB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY;CAKlC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,QAAQ;gBACnC,OAAO,GAAE,MAAgC;CAGtD;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,QAAQ;gBAClC,OAAO,GAAE,MAAmC;CAGzD;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,QAAQ;gBACjC,OAAO,GAAE,MAA4B;CAGlD;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,QAAQ;gBACjC,OAAO,GAAE,MAAwB;CAG9C"}

package/dist/types/errors.js

@@ -0,0 +1,45 @@
+/**
+ * Base error class for the IDP protocol
+ */
+export class IdpError extends Error {
+    code;
+    statusCode;
+    constructor(message, code, statusCode = 400) {
+        super(message);
+        this.code = code;
+        this.statusCode = statusCode;
+        this.name = 'IdpError';
+    }
+}
+/**
+ * Authentication error
+ */
+export class AuthenticationError extends IdpError {
+    constructor(message = 'Authentication failed') {
+        super(message, 'AUTHENTICATION_ERROR', 401);
+    }
+}
+/**
+ * Authorization error
+ */
+export class AuthorizationError extends IdpError {
+    constructor(message = 'Insufficient permissions') {
+        super(message, 'AUTHORIZATION_ERROR', 403);
+    }
+}
+/**
+ * Token expired error
+ */
+export class TokenExpiredError extends IdpError {
+    constructor(message = 'Token has expired') {
+        super(message, 'TOKEN_EXPIRED', 401);
+    }
+}
+/**
+ * Invalid token error
+ */
+export class InvalidTokenError extends IdpError {
+    constructor(message = 'Invalid token') {
+        super(message, 'INVALID_TOKEN', 401);
+    }
+}

package/dist/types/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Main types export - organized by category
+ */
+export * from './provider.js';
+export * from './models.js';
+export * from './config.js';
+export * from './errors.js';
+export * from './cli.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,cAAc,eAAe,CAAC;AAG9B,cAAc,aAAa,CAAC;AAG5B,cAAc,aAAa,CAAC;AAG5B,cAAc,aAAa,CAAC;AAG5B,cAAc,UAAU,CAAC"}

package/dist/types/index.js

@@ -0,0 +1,13 @@
+/**
+ * Main types export - organized by category
+ */
+// Core provider interface
+export * from './provider.js';
+// Domain models
+export * from './models.js';
+// Configuration
+export * from './config.js';
+// Error classes
+export * from './errors.js';
+// CLI commands
+export * from './cli.js';

package/dist/types/models.d.ts

@@ -0,0 +1,24 @@
+/**
+ * The roles that are supported by the IDP.
+ */
+export type Role = 'admin' | 'editor' | 'viewer';
+/**
+ * Standardized token payload that all IDP implementations must return when introspecting their native tokens.
+ */
+export interface Payload {
+    userId: string;
+    projectId: string;
+    email?: string;
+    fullName?: string;
+    avatar?: string;
+    roles?: Role[];
+    projectTitle?: string;
+}
+/**
+ * Authentication result from IDP callback
+ */
+export interface AuthResult {
+    accessToken: string;
+    refreshToken?: string;
+}
+//# sourceMappingURL=models.d.ts.map

package/dist/types/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/types/models.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEjD;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAElB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;IAEf,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/dist/types/models.js

@@ -0,0 +1 @@
+export {};

package/dist/types/provider.d.ts

@@ -0,0 +1,63 @@
+import { Payload, AuthResult } from './models.js';
+import { NextFunction, Request, Response } from 'express';
+/**
+ * Simplified IDP Provider interface.
+ */
+export interface IdpProvider {
+    /**
+     * Sign in middleware. This method is used to handle the sign in request and use response to send the sign in response.
+     * <br/>
+     * If the IDP implementation does not support sign in, this method should call the `next()` function.
+     */
+    signInMiddleware(req: Request, res: Response, next: NextFunction): Promise<void | Response>;
+    /**
+     * Sign out middleware. This method is used to handle the sign out request and use response to send the sign out response.
+     * <br/>
+     * If the IDP implementation does not support sign out, this method should call the `next()` function.
+     */
+    signOutMiddleware(req: Request, res: Response, next: NextFunction): Promise<void | Response>;
+    /**
+     * Access token middleware. This method is used to handle the access token request and use response to send the access token response.
+     * <br/>
+     * If the IDP implementation does not support access token, this method should call the `next()` function.
+     */
+    accessTokenMiddleware(req: Request, res: Response, next: NextFunction): Promise<void | Response>;
+    /**
+     * User api middleware. This method is used to handle the user request and use response to send the user response.
+     * <br/>
+     * If the IDP implementation does not support user, this method should call the `next()` function.
+     */
+    userApiMiddleware(req: Request, res: Response, next: NextFunction): Promise<Response<Payload>>;
+    /**
+     * Introspect a token
+     * @param token - The token to introspect
+     * @returns The token payload
+     */
+    introspectToken(token: string): Promise<Payload | null>;
+    /**
+     * Parse a token
+     * @param token - The token to parse
+     * @returns The token payload
+     */
+    parseToken(token: string): Promise<Payload | null>;
+    /**
+     * Refresh a token
+     * @param refreshToken - The refresh token to use for the refresh
+     * @returns The authentication result
+     */
+    refreshToken(refreshToken: string): Promise<AuthResult>;
+    /**
+     * Revoke a token. In different IDP implementations, this may have different token types.
+     * @param token - The token to revoke
+     */
+    revokeToken(token: string): Promise<void>;
+    /**
+     * Initialize the IDP. Create resources, connect to databases, etc.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Shutdown the IDP, close all connections and release resources
+     */
+    shutdown(): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/types/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/types/provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,gBAAgB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;IAE5F;;;;OAIG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;IAE7F;;;;OAIG;IACH,qBAAqB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;IAEjG;;;;OAIG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/F;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAExD;;;;OAIG;IACH,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAEnD;;;;OAIG;IACH,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAExD;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1C;;OAEG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B"}

package/dist/types/provider.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@owox/idp-protocol",
+  "version": "0.4.0",
+  "type": "module",
+  "author": "OWOX",
+  "license": "ELv2",
+  "description": "Identity Provider protocol contracts and interfaces for OWOX Data Marts",
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=22.16.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rimraf dist",
+    "test": "jest",
+    "lint": "eslint . --config ./eslint.config.js",
+    "lint:fix": "eslint . --fix --config ./eslint.config.js",
+    "format": "prettier --write \"**/*.{ts,js,json,md}\"",
+    "format:check": "prettier --check \"**/*.{ts,js,json,md}\"",
+    "typecheck": "tsc --noEmit",
+    "prepack": "npm run build",
+    "prepublishOnly": "npm audit && npm run lint && npm run typecheck"
+  },
+  "keywords": [
+    "idp",
+    "authentication",
+    "owox"
+  ],
+  "peerDependencies": {
+    "express": "^5"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.0",
+    "@types/node": "^22.10.7",
+    "typescript": "^5.7.3"
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts"
+}

package/src/index.ts

@@ -0,0 +1,8 @@
+// Core types and interfaces
+export * from './types/index.js';
+
+// Provider implementations (only NULL provider)
+export * from './providers/index.js';
+
+// Middleware
+export * from './middleware/index.js';

package/src/middleware/index.ts

@@ -0,0 +1 @@
+export * from './protocol-middleware.js';

package/src/middleware/protocol-middleware.ts

@@ -0,0 +1,178 @@
+import { IdpProvider } from '../types/provider.js';
+import { Express, Request, Response, NextFunction } from 'express';
+
+/**
+ * The routes that are supported by the protocol middleware.
+ */
+export enum ProtocolRoute {
+  SIGN_IN = '/sign-in',
+  SIGN_OUT = '/sign-out',
+  ACCESS_TOKEN = '/access-token',
+  USER = '/api/user',
+}
+
+/**
+ * The options for the protocol middleware.
+ * @property basePath - The base path for the protoc    ol middleware.
+ * @property routes - The routes that are supported by the protocol middleware.
+ * @example
+ * {
+ *   basePath: '/',
+ *   routes: {
+ *     signIn: '/signin', // override the default sign in route
+ *     signOut: '/signout', // override the default sign out route
+ *     accessToken: '/accesstoken', // override the default access token route
+ *     user: '/api/userinfo', // override the default user route
+ *   },
+ * }
+ */
+export interface IdpProtocolMiddlewareOptions {
+  basePath?: string;
+  routes?: {
+    signIn?: string;
+    signOut?: string;
+    accessToken?: string;
+    user?: string;
+  };
+}
+
+type MiddlewareHandler = (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => Promise<void | Response>;
+
+/**
+ * The protocol middleware for the IDP.
+ * @param provider - The provider to use for the middleware.
+ * @param options - The options for the middleware.
+ * @example // Register the middleware with the default routes
+ * const idpProtocolMiddleware = new IdpProtocolMiddleware(provider);
+ * idpProtocolMiddleware.register(app);
+ *
+ * @example // Override the default routes
+ * const app = express();
+ * const middlewareOptions: IdpProtocolMiddlewareOptions = {
+ *   basePath: '/',
+ *   routes: {
+ *     signIn: '/signin',
+ *     signOut: '/signout',
+ *     accessToken: '/accesstoken',
+ *     user: '/api/userinfo',
+ *   }
+ * };
+ * const idpProtocolMiddleware = new IdpProtocolMiddleware(provider, middlewareOptions);
+ * idpProtocolMiddleware.register(app);
+ */
+export class IdpProtocolMiddleware {
+  /**
+   * The default base path for the protocol middleware.
+   */
+  public readonly DEFAULT_BASE_PATH = '/auth';
+  private readonly basePath: string;
+  private readonly routes: Required<NonNullable<IdpProtocolMiddlewareOptions['routes']>>;
+
+  /**
+   * The constructor for the protocol middleware.
+   * @param provider - The provider to use for the middleware.
+   * @param options - The options for the middleware.
+   */
+  constructor(
+    private readonly provider: IdpProvider,
+    options: IdpProtocolMiddlewareOptions = {}
+  ) {
+    this.basePath = this.normalizeBasePath(options.basePath ?? this.DEFAULT_BASE_PATH);
+    this.routes = {
+      signIn: options.routes?.signIn ?? ProtocolRoute.SIGN_IN,
+      signOut: options.routes?.signOut ?? ProtocolRoute.SIGN_OUT,
+      accessToken: options.routes?.accessToken ?? ProtocolRoute.ACCESS_TOKEN,
+      user: options.routes?.user ?? ProtocolRoute.USER,
+    };
+
+    this.validateConfiguration();
+  }
+
+  /**
+   * Normalize the base path.
+   * @param path - The path to normalize.
+   * @returns The normalized path.
+   */
+  private normalizeBasePath(path: string): string {
+    if (!path.startsWith('/')) {
+      throw new Error(`Base path must start with '/': ${path}`);
+    }
+    return path.endsWith('/') && path !== '/' ? path.slice(0, -1) : path;
+  }
+
+  /**
+   * Validate the configuration.
+   */
+  private validateConfiguration(): void {
+    const routePaths = Object.values(this.routes);
+    const duplicates = routePaths.filter((path, index) => routePaths.indexOf(path) !== index);
+
+    if (duplicates.length > 0) {
+      throw new Error(`Duplicate route paths detected: ${duplicates.join(', ')}`);
+    }
+
+    routePaths.forEach(path => {
+      if (!path.startsWith('/')) {
+        throw new Error(`Route path must start with '/': ${path}`);
+      }
+    });
+  }
+
+  /**
+   * Create a route handler.
+   * @param handler - The handler to create.
+   * @returns The created handler.
+   */
+  private createRouteHandler(handler: MiddlewareHandler): MiddlewareHandler {
+    return async (req: Request, res: Response, next: NextFunction) => {
+      try {
+        await handler(req, res, next);
+      } catch (error) {
+        next(error);
+      }
+    };
+  }
+
+  /**
+   * Register the protocol middleware routes with the express app.
+   * @param app - The express app to register the routes with.
+   * @example
+   * const app = express();
+   * const idpProtocolMiddleware = new IdpProtocolMiddleware(provider);
+   * idpProtocolMiddleware.register(app);
+   * app.listen(3000);
+   */
+  register(app: Express): void {
+    const routeConfigs = [
+      {
+        path: this.routes.signIn,
+        handler: (req: Request, res: Response, next: NextFunction) =>
+          this.provider.signInMiddleware(req, res, next),
+      },
+      {
+        path: this.routes.signOut,
+        handler: (req: Request, res: Response, next: NextFunction) =>
+          this.provider.signOutMiddleware(req, res, next),
+      },
+      {
+        path: this.routes.accessToken,
+        handler: (req: Request, res: Response, next: NextFunction) =>
+          this.provider.accessTokenMiddleware(req, res, next),
+      },
+      {
+        path: this.routes.user,
+        handler: (req: Request, res: Response, next: NextFunction) =>
+          this.provider.userApiMiddleware(req, res, next),
+      },
+    ];
+
+    routeConfigs.forEach(({ path, handler }) => {
+      const fullPath = `${this.basePath}${path}`;
+      app.all(fullPath, this.createRouteHandler(handler));
+    });
+  }
+}

package/src/providers/index.ts

@@ -0,0 +1 @@
+export { NullIdpProvider } from './null-provider.js';

package/src/providers/null-provider.ts

@@ -0,0 +1,71 @@
+import { IdpProvider } from '../types/provider.js';
+import { AuthResult, Payload } from '../types/models.js';
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * NULL IDP Provider - single user, single project
+ * Used for deployments without user management and development
+ */
+export class NullIdpProvider implements IdpProvider {
+  private defaultPayload: Payload;
+  private defaultAccessToken: string;
+  private defaultRefreshToken: string;
+
+  constructor() {
+    this.defaultPayload = {
+      userId: '0',
+      email: 'admin@localhost',
+      roles: ['admin'],
+      fullName: 'Admin',
+      projectId: '0',
+    };
+    this.defaultAccessToken = 'accessToken';
+    this.defaultRefreshToken = 'refreshToken';
+  }
+
+  async refreshToken(_refreshToken: string): Promise<AuthResult> {
+    return {
+      accessToken: this.defaultAccessToken,
+    };
+  }
+
+  signInMiddleware(_req: Request, _res: Response, _next: NextFunction): Promise<void> {
+    _res.cookie('refreshToken', this.defaultRefreshToken, {
+      httpOnly: true,
+      secure: true,
+      maxAge: 3600000,
+    });
+    return Promise.resolve(_res.redirect('/'));
+  }
+  signOutMiddleware(_req: Request, _res: Response, _next: NextFunction): Promise<void> {
+    _res.clearCookie('refreshToken');
+    return Promise.resolve(_res.redirect('/'));
+  }
+  accessTokenMiddleware(_req: Request, res: Response, _next: NextFunction): Promise<Response> {
+    return Promise.resolve(res.json({ accessToken: this.defaultAccessToken }));
+  }
+
+  userApiMiddleware(_req: Request, res: Response, _next: NextFunction): Promise<Response<Payload>> {
+    return Promise.resolve(res.json(this.defaultPayload));
+  }
+
+  async initialize(): Promise<void> {
+    // Nothing to initialize
+  }
+
+  async shutdown(): Promise<void> {
+    // Nothing to cleanup
+  }
+
+  async introspectToken(_token: string): Promise<Payload | null> {
+    return this.defaultPayload;
+  }
+
+  async parseToken(_token: string): Promise<Payload | null> {
+    return this.defaultPayload;
+  }
+
+  async revokeToken(_token: string): Promise<void> {
+    // No-op for NULL provider
+  }
+}

package/src/types/cli.ts

@@ -0,0 +1,30 @@
+import { Payload } from './models.js';
+
+/**
+ * Commands for adding a user to the IDP by app cli.
+ */
+export interface IdpProviderAddUserCommand {
+  addUser(username: string, password?: string): Promise<AddUserCommandResponse>;
+}
+
+/**
+ * Commands for listing users from the IDP
+ */
+export interface IdpProviderListUsersCommand {
+  listUsers(): Promise<Payload[]>;
+}
+
+/**
+ * Commands for removing a user from the IDP
+ */
+export interface IdpProviderRemoveUserCommand {
+  removeUser(userId: string): Promise<void>;
+}
+
+/**
+ * Response for adding a user to the IDP
+ */
+export interface AddUserCommandResponse {
+  username: string;
+  magicLink?: string;
+}

package/src/types/config.ts

@@ -0,0 +1,14 @@
+/**
+ * Configuration for the IDP provider
+ */
+export interface IdpConfig {
+  /**
+   * Base URL for the IDP provider
+   */
+  baseUrl: string;
+
+  /**
+   * Additional provider-specific configuration
+   */
+  [key: string]: unknown;
+}

package/src/types/errors.ts

@@ -0,0 +1,49 @@
+/**
+ * Base error class for the IDP protocol
+ */
+export class IdpError extends Error {
+  constructor(
+    message: string,
+    public code: string,
+    public statusCode: number = 400
+  ) {
+    super(message);
+    this.name = 'IdpError';
+  }
+}
+
+/**
+ * Authentication error
+ */
+export class AuthenticationError extends IdpError {
+  constructor(message: string = 'Authentication failed') {
+    super(message, 'AUTHENTICATION_ERROR', 401);
+  }
+}
+
+/**
+ * Authorization error
+ */
+export class AuthorizationError extends IdpError {
+  constructor(message: string = 'Insufficient permissions') {
+    super(message, 'AUTHORIZATION_ERROR', 403);
+  }
+}
+
+/**
+ * Token expired error
+ */
+export class TokenExpiredError extends IdpError {
+  constructor(message: string = 'Token has expired') {
+    super(message, 'TOKEN_EXPIRED', 401);
+  }
+}
+
+/**
+ * Invalid token error
+ */
+export class InvalidTokenError extends IdpError {
+  constructor(message: string = 'Invalid token') {
+    super(message, 'INVALID_TOKEN', 401);
+  }
+}

package/src/types/index.ts

@@ -0,0 +1,18 @@
+/**
+ * Main types export - organized by category
+ */
+
+// Core provider interface
+export * from './provider.js';
+
+// Domain models
+export * from './models.js';
+
+// Configuration
+export * from './config.js';
+
+// Error classes
+export * from './errors.js';
+
+// CLI commands
+export * from './cli.js';