@parsrun/auth 0.1.0

package/dist/security/index.d.ts

@@ -0,0 +1,301 @@
+import { K as KVStorage } from '../types-DSjafxJ4.js';
+export { b as AuthorizationContext, A as AuthorizationGuard, e as AuthorizationRequirements, d as AuthorizationResult, f as PermissionPattern, P as Permissions, R as Roles, T as TenantMembershipInfo, a as authorize, c as createAuthorizationGuard } from '../authorization-By1Xp8Za.js';
+
+/**
+ * Rate Limiting
+ * Uses KVStorage interface for multi-runtime support
+ */
+
+/**
+ * Rate limit configuration
+ */
+interface RateLimitConfig {
+    /** Time window in seconds */
+    windowSeconds: number;
+    /** Max requests per window */
+    maxRequests: number;
+    /** Key prefix for rate limit entries */
+    keyPrefix?: string;
+}
+/**
+ * Rate limit result
+ */
+interface RateLimitResult {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Remaining requests in current window */
+    remaining: number;
+    /** When the window resets */
+    resetAt: Date;
+    /** Milliseconds until retry is allowed (if not allowed) */
+    retryAfterMs?: number;
+}
+/**
+ * Rate Limiter using KVStorage
+ */
+declare class RateLimiter {
+    private storage;
+    private config;
+    constructor(storage: KVStorage, config: RateLimitConfig);
+    /**
+     * Get storage key for rate limit entry
+     */
+    private getKey;
+    /**
+     * Check and consume rate limit
+     */
+    check(identifier: string): Promise<RateLimitResult>;
+    /**
+     * Get current rate limit status without consuming
+     */
+    status(identifier: string): Promise<RateLimitResult | null>;
+    /**
+     * Reset rate limit for an identifier
+     */
+    reset(identifier: string): Promise<void>;
+    /**
+     * Check rate limit without consuming (peek)
+     */
+    peek(identifier: string): Promise<RateLimitResult>;
+}
+/**
+ * Create a rate limiter
+ */
+declare function createRateLimiter(storage: KVStorage, config: RateLimitConfig): RateLimiter;
+/**
+ * Common rate limit configurations
+ */
+declare const RateLimitPresets: {
+    /** Login attempts: 5 per 15 minutes */
+    readonly login: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 5;
+        readonly keyPrefix: "login:";
+    };
+    /** OTP requests: 5 per 15 minutes */
+    readonly otp: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 5;
+        readonly keyPrefix: "otp:";
+    };
+    /** Magic link requests: 3 per 10 minutes */
+    readonly magicLink: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 3;
+        readonly keyPrefix: "magic:";
+    };
+    /** Password reset: 3 per hour */
+    readonly passwordReset: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 3;
+        readonly keyPrefix: "pwreset:";
+    };
+    /** API general: 100 per minute */
+    readonly api: {
+        readonly windowSeconds: 60;
+        readonly maxRequests: 100;
+        readonly keyPrefix: "api:";
+    };
+    /** Registration: 5 per hour per IP */
+    readonly registration: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 5;
+        readonly keyPrefix: "register:";
+    };
+    /** 2FA attempts: 5 per 5 minutes */
+    readonly twoFactor: {
+        readonly windowSeconds: number;
+        readonly maxRequests: 5;
+        readonly keyPrefix: "2fa:";
+    };
+};
+
+/**
+ * CSRF Protection
+ * Double-Submit Cookie Pattern with KVStorage support
+ */
+
+/**
+ * CSRF configuration
+ */
+interface CsrfConfig {
+    /** Token expiry in seconds (default: 3600 = 1 hour) */
+    expiresIn?: number;
+    /** Header name for CSRF token (default: 'x-csrf-token') */
+    headerName?: string;
+    /** Cookie name for CSRF token (default: 'csrf') */
+    cookieName?: string;
+    /** Token byte length (default: 32) */
+    tokenLength?: number;
+}
+/**
+ * CSRF token pair
+ */
+interface CsrfTokenPair {
+    /** Plain token (for client) */
+    token: string;
+    /** Hashed token (for server storage/cookie) */
+    hash: string;
+}
+/**
+ * CSRF Manager
+ */
+declare class CsrfManager {
+    private storage;
+    private config;
+    constructor(storage: KVStorage, config?: CsrfConfig);
+    /**
+     * Generate a cryptographically secure CSRF token
+     */
+    generateToken(): string;
+    /**
+     * Hash a CSRF token for storage
+     */
+    hashToken(token: string): Promise<string>;
+    /**
+     * Generate token pair for double-submit pattern
+     */
+    generateTokenPair(): Promise<CsrfTokenPair>;
+    /**
+     * Store CSRF token for a session
+     */
+    storeToken(sessionId: string, token: string): Promise<void>;
+    /**
+     * Verify CSRF token against stored hash
+     */
+    verifyToken(token: string, hash: string): Promise<boolean>;
+    /**
+     * Verify CSRF token for a session
+     */
+    verifyTokenForSession(sessionId: string, token: string): Promise<boolean>;
+    /**
+     * Validate double-submit cookie pattern
+     * Compares CSRF token from header/body against cookie value
+     */
+    validateDoubleSubmit(headerToken: string, cookieToken: string): boolean;
+    /**
+     * Extract CSRF token from request headers or body
+     */
+    extractTokenFromRequest(headers: Record<string, string | undefined>, body?: Record<string, unknown>): string | null;
+    /**
+     * Delete CSRF token for a session
+     */
+    deleteToken(sessionId: string): Promise<void>;
+    /**
+     * Refresh CSRF token for a session
+     */
+    refreshToken(sessionId: string): Promise<CsrfTokenPair>;
+    /**
+     * Get configuration
+     */
+    getConfig(): Required<CsrfConfig>;
+}
+/**
+ * Create CSRF manager
+ */
+declare function createCsrfManager(storage: KVStorage, config?: CsrfConfig): CsrfManager;
+/**
+ * Static CSRF utilities (for stateless double-submit pattern)
+ */
+declare const CsrfUtils: {
+    /**
+     * Generate a CSRF token
+     */
+    generateToken(length?: number): string;
+    /**
+     * Hash a token
+     */
+    hashToken(token: string): Promise<string>;
+    /**
+     * Generate token pair
+     */
+    generateTokenPair(length?: number): Promise<CsrfTokenPair>;
+    /**
+     * Verify token against hash
+     */
+    verifyToken(token: string, hash: string): Promise<boolean>;
+    /**
+     * Validate double-submit pattern
+     */
+    validateDoubleSubmit(headerToken: string, cookieToken: string): boolean;
+};
+
+/**
+ * Account Lockout
+ * Prevents brute force attacks by locking accounts after failed attempts
+ */
+
+/**
+ * Lockout configuration
+ */
+interface LockoutConfig {
+    /** Maximum failed attempts before lockout */
+    maxAttempts: number;
+    /** Lockout duration in seconds */
+    lockoutDuration: number;
+    /** Time window for counting attempts in seconds */
+    attemptWindow: number;
+    /** Key prefix for lockout entries */
+    keyPrefix?: string;
+}
+/**
+ * Lockout status
+ */
+interface LockoutStatus {
+    /** Whether the account is locked */
+    locked: boolean;
+    /** Number of failed attempts */
+    attempts: number;
+    /** Remaining attempts before lockout */
+    remainingAttempts: number;
+    /** When the lockout expires (if locked) */
+    unlocksAt?: Date;
+    /** Seconds until unlock (if locked) */
+    unlocksInSeconds?: number;
+}
+/**
+ * Account Lockout Manager
+ */
+declare class LockoutManager {
+    private storage;
+    private config;
+    constructor(storage: KVStorage, config: LockoutConfig);
+    /**
+     * Get storage key for lockout entry
+     */
+    private getKey;
+    /**
+     * Record a failed attempt
+     */
+    recordFailedAttempt(identifier: string): Promise<LockoutStatus>;
+    /**
+     * Record a successful attempt (clear lockout state)
+     */
+    recordSuccessfulAttempt(identifier: string): Promise<void>;
+    /**
+     * Get current lockout status
+     */
+    getStatus(identifier: string): Promise<LockoutStatus>;
+    /**
+     * Check if account is locked
+     */
+    isLocked(identifier: string): Promise<boolean>;
+    /**
+     * Manually lock an account
+     */
+    lock(identifier: string, durationSeconds?: number): Promise<void>;
+    /**
+     * Manually unlock an account
+     */
+    unlock(identifier: string): Promise<void>;
+}
+/**
+ * Create lockout manager
+ */
+declare function createLockoutManager(storage: KVStorage, config: LockoutConfig): LockoutManager;
+/**
+ * Default lockout configuration
+ */
+declare const DefaultLockoutConfig: LockoutConfig;
+
+export { type CsrfConfig, CsrfManager, type CsrfTokenPair, CsrfUtils, DefaultLockoutConfig, type LockoutConfig, LockoutManager, type LockoutStatus, type RateLimitConfig, RateLimitPresets, type RateLimitResult, RateLimiter, createCsrfManager, createLockoutManager, createRateLimiter };

package/dist/security/index.js

@@ -0,0 +1,5 @@
+export { CsrfManager, CsrfUtils, DefaultLockoutConfig, LockoutManager, RateLimitPresets, RateLimiter, createCsrfManager, createLockoutManager, createRateLimiter } from '../chunk-YTCPXJR5.js';
+export { AuthorizationGuard, Permissions, Roles, authorize, createAuthorizationGuard } from '../chunk-NK4TJV2W.js';
+import '../chunk-42MGHABB.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/session/index.d.ts

@@ -0,0 +1,117 @@
+export { b as JwtConfig, a as JwtError, J as JwtManager, d as JwtPayload, K as KeyRotationResult, T as TokenPair, c as createJwtManager, e as extractBearerToken, p as parseDuration } from '../jwt-manager-CH8H0kmm.js';
+import { K as KVStorage } from '../types-DSjafxJ4.js';
+import 'jose';
+
+/**
+ * Session Blocklist
+ * Uses KVStorage interface for multi-runtime support
+ * Supports token/session revocation for logout
+ */
+
+/**
+ * Blocklist configuration
+ */
+interface BlocklistConfig {
+    /** Key prefix for blocked sessions */
+    prefix?: string;
+    /** Default TTL in seconds (should match max token lifetime) */
+    defaultTTL?: number;
+}
+/**
+ * Blocklist entry
+ */
+interface BlocklistEntry {
+    /** Session or token ID */
+    id: string;
+    /** When the entry expires */
+    expiresAt: string;
+    /** Why was it blocked */
+    reason?: string;
+    /** When it was blocked */
+    blockedAt: string;
+    /** User ID (for audit) */
+    userId?: string;
+}
+/**
+ * Session Blocklist
+ * Manages blocked/revoked sessions and tokens
+ */
+declare class SessionBlocklist {
+    private storage;
+    constructor(storage: KVStorage, _config?: BlocklistConfig);
+    /**
+     * Get storage key for blocklist entry
+     */
+    private getKey;
+    /**
+     * Block a session (revoke it)
+     */
+    blockSession(sessionId: string, expiresAt: Date, options?: {
+        reason?: string;
+        userId?: string;
+    }): Promise<void>;
+    /**
+     * Check if a session is blocked
+     */
+    isBlocked(sessionId: string): Promise<boolean>;
+    /**
+     * Get blocklist entry details
+     */
+    getEntry(sessionId: string): Promise<BlocklistEntry | null>;
+    /**
+     * Unblock a session (if needed)
+     */
+    unblockSession(sessionId: string): Promise<void>;
+    /**
+     * Block multiple sessions (logout all devices)
+     */
+    blockMultipleSessions(sessions: Array<{
+        id: string;
+        expiresAt: Date;
+        reason?: string;
+        userId?: string;
+    }>): Promise<void>;
+    /**
+     * Block all sessions for a user
+     * Requires session IDs to be provided (from session store)
+     */
+    blockAllUserSessions(userId: string, sessionIds: string[], tokenExpiresAt: Date, reason?: string): Promise<void>;
+}
+/**
+ * Token Blocklist
+ * For revoking individual tokens (separate from sessions)
+ */
+declare class TokenBlocklist {
+    private storage;
+    constructor(storage: KVStorage);
+    /**
+     * Get storage key for token blocklist entry
+     */
+    private getKey;
+    /**
+     * Hash a token for storage (don't store raw tokens)
+     */
+    private hashToken;
+    /**
+     * Block a token
+     */
+    blockToken(token: string, expiresAt: Date, reason?: string): Promise<void>;
+    /**
+     * Check if a token is blocked
+     */
+    isBlocked(token: string): Promise<boolean>;
+    /**
+     * Unblock a token
+     */
+    unblockToken(token: string): Promise<void>;
+}
+/**
+ * Create session blocklist
+ */
+declare function createSessionBlocklist(storage: KVStorage, config?: BlocklistConfig): SessionBlocklist;
+/**
+ * Create token blocklist
+ */
+declare function createTokenBlocklist(storage: KVStorage): TokenBlocklist;
+
+export { type BlocklistConfig, SessionBlocklist, TokenBlocklist, createSessionBlocklist, createTokenBlocklist };

package/dist/session/index.js

@@ -0,0 +1,4 @@
+export { JwtError, JwtManager, SessionBlocklist, TokenBlocklist, createJwtManager, createSessionBlocklist, createTokenBlocklist, extractBearerToken, parseDuration } from '../chunk-MOG4Y6I7.js';
+import '../chunk-42MGHABB.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/session/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/storage/index.d.ts

@@ -0,0 +1,97 @@
+import { K as KVStorage, M as MemoryConfig, S as StorageConfig } from '../types-DSjafxJ4.js';
+export { C as CloudflareKVConfig, D as DenoKVConfig, c as DenoKv, b as KVNamespace, R as RedisConfig, a as StorageType } from '../types-DSjafxJ4.js';
+
+/**
+ * In-memory KV Storage adapter
+ * Suitable for development, testing, and single-instance deployments
+ */
+
+/**
+ * In-memory storage with TTL support and LRU eviction
+ */
+declare class MemoryStorage implements KVStorage {
+    private cache;
+    private readonly maxSize;
+    private readonly prefix;
+    constructor(config?: MemoryConfig);
+    private getKey;
+    private isExpired;
+    private cleanup;
+    private evictOldest;
+    get<T = unknown>(key: string): Promise<T | null>;
+    set<T = unknown>(key: string, value: T, ttl?: number): Promise<void>;
+    delete(key: string): Promise<void>;
+    has(key: string): Promise<boolean>;
+    getMany<T = unknown>(keys: string[]): Promise<(T | null)[]>;
+    setMany<T = unknown>(entries: Array<[key: string, value: T, ttl?: number]>): Promise<void>;
+    deleteMany(keys: string[]): Promise<void>;
+    keys(pattern?: string): Promise<string[]>;
+    private matchPattern;
+    clear(): Promise<void>;
+    close(): Promise<void>;
+    /**
+     * Get the current size of the cache
+     */
+    get size(): number;
+}
+/**
+ * Create a new memory storage instance
+ */
+declare function createMemoryStorage(config?: MemoryConfig): KVStorage;
+
+/**
+ * Multi-runtime Storage Factory
+ * Auto-detects runtime and creates appropriate storage adapter
+ */
+
+/**
+ * Create a storage adapter based on configuration
+ * Auto-detects runtime if type is not specified
+ *
+ * @example
+ * ```ts
+ * // Auto-detect (uses Deno KV on Deno, CF KV on Workers, Memory otherwise)
+ * const storage = await createStorage();
+ *
+ * // Explicit Redis
+ * const storage = await createStorage({
+ *   type: 'redis',
+ *   redis: { url: 'redis://localhost:6379' }
+ * });
+ *
+ * // Cloudflare KV
+ * const storage = await createStorage({
+ *   type: 'cloudflare-kv',
+ *   cloudflareKv: { binding: env.MY_KV }
+ * });
+ *
+ * // Custom adapter
+ * const storage = await createStorage({
+ *   type: 'custom',
+ *   custom: myCustomAdapter
+ * });
+ * ```
+ */
+declare function createStorage(config?: StorageConfig): Promise<KVStorage>;
+/**
+ * Create storage synchronously (only for memory storage)
+ * Use createStorage() for other adapters
+ */
+declare function createStorageSync(config?: StorageConfig): KVStorage;
+/**
+ * Storage key prefixes for different purposes
+ */
+declare const StorageKeys: {
+    /** OTP storage prefix */
+    readonly otp: (identifier: string, type: string) => string;
+    /** Rate limit storage prefix */
+    readonly rateLimit: (key: string) => string;
+    /** Session blocklist prefix */
+    readonly blocklist: (tokenId: string) => string;
+    /** Magic link token prefix */
+    readonly magicLink: (token: string) => string;
+    /** CSRF token prefix */
+    readonly csrf: (sessionId: string) => string;
+};
+
+export { KVStorage, MemoryConfig, MemoryStorage, StorageConfig, StorageKeys, createMemoryStorage, createStorage, createStorageSync };

package/dist/storage/index.js

@@ -0,0 +1,3 @@
+export { MemoryStorage, StorageKeys, createMemoryStorage, createStorage, createStorageSync } from '../chunk-42MGHABB.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/storage/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}