@parsrun/auth 0.2.6 → 0.2.10

package/dist/index.d.ts

@@ -1,87 +1,20 @@
-import { A as AuthProvider, b as AuthInput, c as AuthResult, a as ProviderInfo, T as TwoFactorProvider, e as TwoFactorSetupResult, h as AuthAdapter, i as ParsAuthConfig } from './base-BI-SilX-.js';
-export { t as AdapterAuthMethod, v as AdapterMembership, s as AdapterSession, u as AdapterTenant, r as AdapterUser, q as AuthCallbacks, C as CookieConfig, y as CreateAuthMethodInput, z as CreateMembershipInput, x as CreateSessionInput, w as CreateUserInput, j as CsrfConfig, J as JwtConfig, M as MagicLinkConfig, O as OAuthProvider, o as OAuthProviderConfig, f as OAuthUserInfo, g as OtpConfig, n as PasswordConfig, P as ProviderType, p as SecurityConfig, S as SessionConfig, k as TenantConfig, l as TenantResolutionStrategy, m as TotpConfig, V as VerifyInput, d as VerifyResult, W as WebAuthnConfig, D as defaultConfig, E as mergeConfig, F as validateConfig } from './base-BI-SilX-.js';
-import { P as ParsAuthEngine } from './index-kATaLVps.js';
-export { t as AcceptInvitationInput, u as AcceptInvitationResult, X as AdapterAuthContext, k as AddMemberInput, A as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, C as CreateTenantInput, W as HonoAdapterConfig, p as InvitationConfig, q as InvitationRecord, I as InvitationService, v as InvitationStatusResult, M as MultiStrategyTenantResolver, R as RefreshTokenResult, r as SendInvitationInput, s as SendInvitationResult, d as SessionInfo, S as SignInInput, a as SignInResult, b as SignUpInput, c as SignUpResult, i as TenantManager, h as TenantResolutionResult, T as TenantResolver, g as TenantResolverConfig, m as TenantWithMembers, l as UpdateMemberInput, U as UpdateTenantInput, n as UserTenantMembership, V as VerifyTokenResult, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, o as createInvitationService, D as createLogoutCookies, f as createMultiStrategyResolver, x as createOptionalAuthMiddleware, j as createTenantManager, e as createTenantResolver, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from './index-kATaLVps.js';
+import { h as AuthAdapter, i as ParsAuthConfig } from './base-DbUdEGJ4.js';
+export { t as AdapterAuthMethod, v as AdapterMembership, s as AdapterSession, u as AdapterTenant, r as AdapterUser, q as AuthCallbacks, b as AuthInput, A as AuthProvider, c as AuthResult, C as CookieConfig, y as CreateAuthMethodInput, z as CreateMembershipInput, x as CreateSessionInput, w as CreateUserInput, j as CsrfConfig, J as JwtConfig, M as MagicLinkConfig, O as OAuthProvider, o as OAuthProviderConfig, f as OAuthUserInfo, g as OtpConfig, n as PasswordConfig, a as ProviderInfo, P as ProviderType, p as SecurityConfig, S as SessionConfig, k as TenantConfig, l as TenantResolutionStrategy, m as TotpConfig, T as TwoFactorProvider, e as TwoFactorSetupResult, V as VerifyInput, d as VerifyResult, W as WebAuthnConfig, D as defaultConfig, E as mergeConfig, F as validateConfig } from './base-DbUdEGJ4.js';
+import { O as OAuthProvider, G as GoogleConfig, a as OAuthTokens, b as OAuthUserInfo, c as GitHubConfig, M as MicrosoftConfig, A as AppleConfig, P as ParsAuthEngine } from './index-ZRaviVhS.js';
+export { y as AcceptInvitationInput, z as AcceptInvitationResult, ay as AdapterAuthContext, p as AddMemberInput, d as AuthContext, aA as AuthResponse, aw as AuthVariables, a8 as AuthenticationOptions, ab as AuthenticatorData, aa as ClientDataJSON, az as CookieOptions, C as CreateTenantInput, ax as HonoAdapterConfig, u as InvitationConfig, v as InvitationRecord, I as InvitationService, B as InvitationStatusResult, W as MagicLinkProvider, Y as MagicLinkProviderConfig, i as MultiStrategyTenantResolver, L as OAuthCallbackResult, J as OAuthConfig, K as OAuthFlowResult, D as OAuthManager, Q as OAuthProviderName, N as OAuthState, ac as PasswordProvider, ae as PasswordProviderConfig, ag as PasswordStrength, af as PasswordValidationResult, R as RefreshTokenResult, a7 as RegistrationOptions, w as SendInvitationInput, x as SendInvitationResult, Z as SendMagicLinkResult, h as SessionInfo, S as SignInInput, e as SignInResult, f as SignUpInput, g as SignUpResult, $ as TOTPProvider, a1 as TOTPProviderConfig, a2 as TOTPSetupData, a3 as TOTPVerifyResult, n as TenantManager, m as TenantResolutionResult, T as TenantResolver, l as TenantResolverConfig, r as TenantWithMembers, q as UpdateMemberInput, U as UpdateTenantInput, s as UserTenantMembership, _ as VerifyMagicLinkResult, V as VerifyTokenResult, a9 as WebAuthnCredential, a4 as WebAuthnProvider, a6 as WebAuthnProviderConfig, al as createAuthCookies, ah as createAuthMiddleware, aj as createAuthRoutes, ak as createHonoAuth, t as createInvitationService, am as createLogoutCookies, X as createMagicLinkProvider, k as createMultiStrategyResolver, E as createOAuthManager, ai as createOptionalAuthMiddleware, ad as createPasswordProvider, a0 as createTOTPProvider, o as createTenantManager, j as createTenantResolver, a5 as createWebAuthnProvider, F as generatePKCE, H as generateState, as as requireAdmin, au as requireAll, av as requireAny, ap as requireAnyPermission, at as requireOwnerOrPermission, ao as requirePermission, an as requireRole, aq as requireTenant, ar as requireTenantAccess } from './index-ZRaviVhS.js';
 export { ProviderRegistry } from './providers/index.js';
-export { e as OTPConfig, a as OTPManager, O as OTPProvider, f as OTPRecord, g as RateLimitCheck, R as RequestOTPInput, d as RequestOTPResult, S as StoreOTPResult, V as VerifyOTPResult, b as createOTPManager, c as createOTPProvider } from './index-DC7A0IbX.js';
-import { K as KVStorage } from './types-DSjafxJ4.js';
-export { C as CloudflareKVConfig, D as DenoKVConfig, M as MemoryConfig, R as RedisConfig, S as StorageConfig, a as StorageType } from './types-DSjafxJ4.js';
+export { e as OTPConfig, a as OTPManager, O as OTPProvider, f as OTPRecord, g as RateLimitCheck, R as RequestOTPInput, d as RequestOTPResult, S as StoreOTPResult, V as VerifyOTPResult, b as createOTPManager, c as createOTPProvider } from './index-Bcldwbx0.js';
 export { a as JwtError, J as JwtManager, b as JwtManagerConfig, d as JwtPayload, K as KeyRotationResult, T as TokenPair, c as createJwtManager, e as extractBearerToken, p as parseDuration } from './jwt-manager-CH8H0kmm.js';
 export { BlocklistConfig, SessionBlocklist, TokenBlocklist, createSessionBlocklist, createTokenBlocklist } from './session/index.js';
 export { MemoryStorage, StorageKeys, createMemoryStorage, createStorage, createStorageSync } from './storage/index.js';
 export { CsrfManager, CsrfConfig as CsrfManagerConfig, CsrfTokenPair, CsrfUtils, DefaultLockoutConfig, LockoutConfig, LockoutManager, LockoutStatus, RateLimitConfig, RateLimitPresets, RateLimitResult, RateLimiter, createCsrfManager, createLockoutManager, createRateLimiter } from './security/index.js';
 export { b as AuthorizationContext, A as AuthorizationGuard, e as AuthorizationRequirements, d as AuthorizationResult, f as PermissionPattern, P as Permissions, R as Roles, T as TenantMembershipInfo, a as authorize, c as createAuthorizationGuard } from './authorization-By1Xp8Za.js';
+import { K as KVStorage } from './types-DSjafxJ4.js';
+export { C as CloudflareKVConfig, D as DenoKVConfig, M as MemoryConfig, R as RedisConfig, S as StorageConfig, a as StorageType } from './types-DSjafxJ4.js';
 import 'hono/types';
 import 'hono';
 import 'jose';
 
-/**
- * OAuth Types
- */
-interface OAuthUserInfo {
-    /** Provider-specific user ID */
-    id: string;
-    /** User email */
-    email: string;
-    /** Display name */
-    name?: string;
-    /** Avatar URL */
-    avatarUrl?: string;
-    /** Whether email is verified */
-    emailVerified: boolean;
-    /** Raw provider response */
-    raw: Record<string, unknown>;
-}
-interface OAuthTokens {
-    accessToken: string;
-    refreshToken?: string;
-    expiresIn?: number;
-    idToken?: string;
-    tokenType?: string;
-    scope?: string;
-}
-interface OAuthProviderConfig {
-    clientId: string;
-    clientSecret: string;
-    redirectUri: string;
-    scopes?: string[];
-}
-interface GoogleConfig extends OAuthProviderConfig {
-}
-interface GitHubConfig extends OAuthProviderConfig {
-}
-interface MicrosoftConfig extends OAuthProviderConfig {
-    tenantId?: string;
-}
-interface AppleConfig {
-    clientId: string;
-    teamId: string;
-    keyId: string;
-    privateKey: string;
-    redirectUri: string;
-    scopes?: string[];
-}
-interface OAuthProvider {
-    readonly name: string;
-    getAuthorizationUrl(state: string, codeChallenge?: string): Promise<string>;
-    exchangeCode(code: string, codeVerifier?: string): Promise<OAuthTokens>;
-    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
-    /**
-     * Refresh access token using refresh token
-     * Not all providers support refresh tokens
-     */
-    refreshToken?(refreshToken: string): Promise<OAuthTokens>;
-}
-type OAuthProviderName = 'google' | 'github' | 'microsoft' | 'apple';
-interface OAuthState {
-    state: string;
-    provider: OAuthProviderName;
-    codeVerifier?: string;
-    tenantId?: string;
-    redirectUrl?: string;
-    expiresAt: Date;
-}
-
 /**
  * Google OAuth Provider
  */
@@ -156,625 +89,6 @@ declare class AppleProvider implements OAuthProvider {
     private base64UrlEncode;
 }
 
-/**
- * OAuth Provider
- * Manages OAuth2 authentication flows with PKCE support
- */
-
-/**
- * OAuth configuration
- */
-interface OAuthConfig {
-    google?: GoogleConfig;
-    github?: GitHubConfig;
-    microsoft?: MicrosoftConfig;
-    apple?: AppleConfig;
-}
-/**
- * OAuth flow result
- */
-interface OAuthFlowResult {
-    authorizationUrl: string;
-    state: string;
-}
-/**
- * OAuth callback result
- */
-interface OAuthCallbackResult {
-    userInfo: OAuthUserInfo;
-    tokens: OAuthTokens;
-    tenantId?: string;
-    redirectUrl?: string;
-}
-/**
- * Generate PKCE code verifier and challenge
- */
-declare function generatePKCE(): Promise<{
-    codeVerifier: string;
-    codeChallenge: string;
-}>;
-/**
- * Generate secure random state
- */
-declare function generateState(): string;
-/**
- * OAuth Manager
- * Handles OAuth flows with state management via KVStorage
- */
-declare class OAuthManager {
-    private storage;
-    private providers;
-    private stateExpirySeconds;
-    constructor(storage: KVStorage, config: OAuthConfig, options?: {
-        stateExpirySeconds?: number;
-    });
-    /**
-     * Get available providers
-     */
-    getAvailableProviders(): OAuthProviderName[];
-    /**
-     * Check if a provider is configured
-     */
-    hasProvider(name: string): boolean;
-    /**
-     * Get a provider by name
-     */
-    getProvider(name: string): OAuthProvider | undefined;
-    /**
-     * Start OAuth flow - returns authorization URL
-     */
-    startFlow(providerName: OAuthProviderName, options?: {
-        tenantId?: string;
-        redirectUrl?: string;
-    }): Promise<OAuthFlowResult>;
-    /**
-     * Handle OAuth callback
-     */
-    handleCallback(providerName: OAuthProviderName, code: string, state: string): Promise<OAuthCallbackResult>;
-    /**
-     * Refresh OAuth tokens (if supported by provider)
-     */
-    refreshTokens(providerName: OAuthProviderName, refreshToken: string): Promise<OAuthTokens>;
-    /**
-     * Check if provider supports token refresh
-     */
-    supportsRefresh(providerName: OAuthProviderName): boolean;
-}
-/**
- * Create OAuth manager
- */
-declare function createOAuthManager(storage: KVStorage, config: OAuthConfig, options?: {
-    stateExpirySeconds?: number;
-}): OAuthManager;
-
-/**
- * Magic Link Provider
- * Passwordless email authentication via secure links
- */
-
-/**
- * Magic Link configuration
- */
-interface MagicLinkConfig {
-    /** Base URL for magic links (e.g., https://app.example.com) */
-    baseUrl: string;
-    /** Path for callback (default: /auth/magic-link/callback) */
-    callbackPath?: string;
-    /** Token expiration in seconds (default: 900 = 15 minutes) */
-    expiresIn?: number;
-    /** Token length in bytes (default: 32) */
-    tokenLength?: number;
-    /** Email sender function */
-    send: (email: string, url: string, expiresIn: number) => Promise<void>;
-}
-/**
- * Send magic link result
- */
-interface SendMagicLinkResult {
-    success: boolean;
-    expiresAt?: Date;
-    error?: string;
-}
-/**
- * Verify magic link result
- */
-interface VerifyMagicLinkResult {
-    success: boolean;
-    email?: string;
-    tenantId?: string;
-    redirectUrl?: string;
-    error?: string;
-}
-/**
- * Magic Link Provider
- */
-declare class MagicLinkProvider implements AuthProvider {
-    readonly name = "magic-link";
-    readonly type: "magic-link";
-    private storage;
-    private config;
-    private _enabled;
-    constructor(storage: KVStorage, config: MagicLinkConfig);
-    get enabled(): boolean;
-    /**
-     * Send magic link to email
-     */
-    sendMagicLink(email: string, options?: {
-        tenantId?: string;
-        redirectUrl?: string;
-    }): Promise<SendMagicLinkResult>;
-    /**
-     * Verify magic link token
-     */
-    verifyMagicLink(token: string): Promise<VerifyMagicLinkResult>;
-    /**
-     * Authenticate with magic link token (implements AuthProvider)
-     */
-    authenticate(input: AuthInput): Promise<AuthResult>;
-    /**
-     * Get provider info
-     */
-    getInfo(): ProviderInfo;
-    /**
-     * Request magic link (for use in auth routes)
-     */
-    requestMagicLink(email: string, options?: {
-        tenantId?: string;
-        redirectUrl?: string;
-    }): Promise<SendMagicLinkResult>;
-}
-/**
- * Create Magic Link provider
- */
-declare function createMagicLinkProvider(storage: KVStorage, config: MagicLinkConfig): MagicLinkProvider;
-
-/**
- * TOTP Provider (Time-based One-Time Password)
- * RFC 6238 compliant, Google Authenticator compatible
- */
-
-/**
- * TOTP Configuration
- */
-interface TOTPConfig {
-    /** Issuer name (your app name) */
-    issuer: string;
-    /** Hash algorithm (default: SHA1 for compatibility) */
-    algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
-    /** Number of digits (default: 6) */
-    digits?: 6 | 8;
-    /** Time period in seconds (default: 30) */
-    period?: number;
-    /** Time window for drift tolerance (default: 1) */
-    window?: number;
-    /** Number of backup codes (default: 10) */
-    backupCodeCount?: number;
-    /** Encryption key for storing secrets */
-    encryptionKey?: string;
-}
-/**
- * TOTP setup result
- */
-interface TOTPSetupData {
-    /** Base32 encoded secret */
-    secret: string;
-    /** QR code URL */
-    qrCodeUrl: string;
-    /** Backup codes */
-    backupCodes: string[];
-    /** otpauth:// URI */
-    otpauthUri: string;
-}
-/**
- * TOTP verify result
- */
-interface TOTPVerifyResult {
-    valid: boolean;
-    usedBackupCode?: boolean;
-}
-/**
- * TOTP Provider
- */
-declare class TOTPProvider implements TwoFactorProvider {
-    readonly name = "totp";
-    readonly type: "totp";
-    private storage;
-    private config;
-    private _enabled;
-    constructor(storage: KVStorage, config: TOTPConfig);
-    get enabled(): boolean;
-    /**
-     * Setup TOTP for a user
-     * Note: Use setupWithEmail for full setup including QR code URL
-     */
-    setup(userId: string): Promise<TwoFactorSetupResult>;
-    /**
-     * Setup TOTP for a user with email for QR code label
-     */
-    setupWithEmail(userId: string, userEmail: string): Promise<TwoFactorSetupResult & {
-        qrCodeUrl: string;
-        otpauthUri: string;
-    }>;
-    /**
-     * Verify TOTP and activate 2FA (for TwoFactorProvider interface)
-     */
-    verifySetup(userId: string, token: string): Promise<boolean>;
-    /**
-     * Verify TOTP during login (for TwoFactorProvider interface)
-     */
-    verifyLogin(userId: string, code: string): Promise<boolean>;
-    /**
-     * Authenticate (for AuthProvider interface)
-     */
-    authenticate(_input: AuthInput): Promise<AuthResult>;
-    /**
-     * Verify TOTP token
-     */
-    verifyCode(userId: string, token: string): Promise<TOTPVerifyResult>;
-    /**
-     * Disable TOTP for user
-     */
-    disable(userId: string): Promise<void>;
-    /**
-     * Regenerate backup codes
-     */
-    regenerateBackupCodes(userId: string): Promise<string[]>;
-    /**
-     * Get remaining backup codes count
-     */
-    getBackupCodesCount(userId: string): Promise<number>;
-    /**
-     * Check if TOTP is enabled for user
-     */
-    isEnabled(userId: string): Promise<boolean>;
-    /**
-     * Generate current TOTP (for testing)
-     */
-    generateCurrent(userId: string): Promise<string>;
-    /**
-     * Get provider info
-     */
-    getInfo(): ProviderInfo;
-    /**
-     * Create otpauth URI for QR code
-     */
-    private createOtpauthUri;
-}
-/**
- * Create TOTP provider
- */
-declare function createTOTPProvider(storage: KVStorage, config: TOTPConfig): TOTPProvider;
-
-/**
- * WebAuthn Provider (Passkeys)
- * FIDO2 passwordless authentication
- */
-
-/**
- * WebAuthn Configuration
- */
-interface WebAuthnConfig {
-    /** Relying Party name (your app name) */
-    rpName: string;
-    /** Relying Party ID (domain without protocol) */
-    rpId: string;
-    /** Full origin (e.g., https://example.com) */
-    origin: string;
-    /** Timeout in milliseconds (default: 60000) */
-    timeout?: number;
-    /** Attestation preference (default: none) */
-    attestation?: 'none' | 'indirect' | 'direct';
-    /** User verification preference (default: preferred) */
-    userVerification?: 'required' | 'preferred' | 'discouraged';
-}
-/**
- * Registration options returned to client
- */
-interface RegistrationOptions {
-    challenge: string;
-    rp: {
-        name: string;
-        id: string;
-    };
-    user: {
-        id: string;
-        name: string;
-        displayName: string;
-    };
-    pubKeyCredParams: Array<{
-        type: 'public-key';
-        alg: number;
-    }>;
-    timeout: number;
-    attestation: 'none' | 'indirect' | 'direct';
-    authenticatorSelection: {
-        authenticatorAttachment?: 'platform' | 'cross-platform';
-        residentKey: 'required' | 'preferred' | 'discouraged';
-        userVerification: 'required' | 'preferred' | 'discouraged';
-    };
-    excludeCredentials: Array<{
-        id: string;
-        type: 'public-key';
-        transports?: string[];
-    }>;
-}
-/**
- * Authentication options returned to client
- */
-interface AuthenticationOptions {
-    challenge: string;
-    timeout: number;
-    rpId: string;
-    allowCredentials: Array<{
-        id: string;
-        type: 'public-key';
-        transports?: string[];
-    }>;
-    userVerification: 'required' | 'preferred' | 'discouraged';
-}
-/**
- * Registration response from client
- */
-interface RegistrationResponse {
-    id: string;
-    rawId: string;
-    type: 'public-key';
-    response: {
-        clientDataJSON: string;
-        attestationObject: string;
-        transports?: string[];
-    };
-}
-/**
- * Authentication response from client
- */
-interface AuthenticationResponse {
-    id: string;
-    rawId: string;
-    type: 'public-key';
-    response: {
-        clientDataJSON: string;
-        authenticatorData: string;
-        signature: string;
-        userHandle?: string;
-    };
-}
-/**
- * Client data JSON structure
- */
-interface ClientDataJSON {
-    type: 'webauthn.create' | 'webauthn.get';
-    challenge: string;
-    origin: string;
-    crossOrigin?: boolean;
-}
-/**
- * Authenticator data structure
- */
-interface AuthenticatorData {
-    rpIdHash: Uint8Array;
-    flags: {
-        userPresent: boolean;
-        userVerified: boolean;
-        attestedCredentialData: boolean;
-        extensionDataIncluded?: boolean;
-    };
-    signCount: number;
-    attestedCredentialData?: {
-        aaguid: Uint8Array;
-        credentialId: Uint8Array;
-        publicKey: Uint8Array;
-    };
-}
-/**
- * Stored credential (exported as WebAuthnCredential)
- */
-interface WebAuthnCredential {
-    id: string;
-    credentialId: string;
-    userId: string;
-    publicKey: string;
-    counter: number;
-    transports: string[];
-    name: string;
-    deviceType?: string;
-    createdAt: string;
-    lastUsedAt?: string;
-}
-/**
- * WebAuthn Provider
- */
-declare class WebAuthnProvider implements TwoFactorProvider {
-    readonly name = "webauthn";
-    readonly type: "webauthn";
-    private storage;
-    private config;
-    private _enabled;
-    constructor(storage: KVStorage, config: WebAuthnConfig);
-    get enabled(): boolean;
-    /**
-     * Generate registration options
-     */
-    generateRegistrationOptions(userId: string, userName: string, userDisplayName: string, authenticatorType?: 'platform' | 'cross-platform'): Promise<RegistrationOptions>;
-    /**
-     * Verify registration response
-     */
-    verifyRegistration(response: RegistrationResponse, challenge: string, credentialName?: string): Promise<{
-        success: boolean;
-        credentialId?: string;
-        error?: string;
-    }>;
-    /**
-     * Generate authentication options
-     */
-    generateAuthenticationOptions(userId?: string): Promise<AuthenticationOptions>;
-    /**
-     * Verify authentication response
-     */
-    verifyAuthentication(response: AuthenticationResponse, challenge: string): Promise<{
-        success: boolean;
-        userId?: string;
-        credentialId?: string;
-        error?: string;
-    }>;
-    /**
-     * Get user's credentials
-     */
-    getUserCredentials(userId: string): Promise<WebAuthnCredential[]>;
-    /**
-     * Remove a credential
-     */
-    removeCredential(userId: string, credentialId: string): Promise<boolean>;
-    /**
-     * Check if user has any passkeys
-     */
-    hasPasskeys(userId: string): Promise<boolean>;
-    /**
-     * Setup (for TwoFactorProvider interface)
-     */
-    setup(userId: string): Promise<TwoFactorSetupResult>;
-    /**
-     * Verify setup (for TwoFactorProvider interface)
-     */
-    verifySetup(userId: string, _code: string): Promise<boolean>;
-    /**
-     * Verify login (for TwoFactorProvider interface)
-     */
-    verifyLogin(userId: string, _code: string): Promise<boolean>;
-    /**
-     * Disable 2FA for user
-     */
-    disable(userId: string): Promise<void>;
-    /**
-     * Authenticate (for AuthProvider interface)
-     */
-    authenticate(_input: AuthInput): Promise<AuthResult>;
-    /**
-     * Get provider info
-     */
-    getInfo(): ProviderInfo;
-}
-/**
- * Create WebAuthn provider
- */
-declare function createWebAuthnProvider(storage: KVStorage, config: WebAuthnConfig): WebAuthnProvider;
-
-/**
- * Password Provider
- * Traditional password-based authentication
- * DISABLED BY DEFAULT - use passwordless methods when possible
- */
-
-/**
- * Password configuration
- */
-interface PasswordConfig {
-    /** Minimum password length (default: 8) */
-    minLength?: number;
-    /** Maximum password length (default: 128) */
-    maxLength?: number;
-    /** Require uppercase letter (default: true) */
-    requireUppercase?: boolean;
-    /** Require lowercase letter (default: true) */
-    requireLowercase?: boolean;
-    /** Require number (default: true) */
-    requireNumber?: boolean;
-    /** Require special character (default: false) */
-    requireSpecial?: boolean;
-    /** Bcrypt cost factor (default: 12) */
-    bcryptCost?: number;
-    /** Password hash function (for custom implementations) */
-    hashPassword?: (password: string) => Promise<string>;
-    /** Password verify function (for custom implementations) */
-    verifyPassword?: (password: string, hash: string) => Promise<boolean>;
-}
-/**
- * Password validation result
- */
-interface PasswordValidationResult {
-    valid: boolean;
-    errors: string[];
-}
-/**
- * Password strength levels
- */
-type PasswordStrength = 'weak' | 'fair' | 'strong' | 'very-strong';
-/**
- * Password Provider
- * WARNING: This provider is disabled by default.
- * Consider using passwordless authentication (OTP, Magic Link, OAuth) for better security.
- */
-declare class PasswordProvider implements AuthProvider {
-    readonly name = "password";
-    readonly type: "password";
-    private storage;
-    private config;
-    private _enabled;
-    constructor(storage: KVStorage, config?: PasswordConfig);
-    get enabled(): boolean;
-    /**
-     * Enable the password provider
-     * Must be explicitly called to enable password authentication
-     */
-    enable(): void;
-    /**
-     * Disable the password provider
-     */
-    disable(): void;
-    /**
-     * Validate password against policy
-     */
-    validatePassword(password: string): PasswordValidationResult;
-    /**
-     * Check password strength
-     */
-    checkStrength(password: string): PasswordStrength;
-    /**
-     * Hash a password
-     * Uses Web Crypto API for PBKDF2 (bcrypt alternative for edge runtime)
-     */
-    hashPassword(password: string): Promise<string>;
-    /**
-     * Verify a password against a hash
-     */
-    verifyPassword(password: string, hash: string): Promise<boolean>;
-    /**
-     * Authenticate with password (implements AuthProvider)
-     */
-    authenticate(input: AuthInput): Promise<AuthResult>;
-    /**
-     * Store password hash for a user
-     */
-    setPassword(userId: string, password: string): Promise<{
-        success: boolean;
-        errors?: string[];
-    }>;
-    /**
-     * Verify password for a user
-     */
-    verifyUserPassword(userId: string, password: string): Promise<boolean>;
-    /**
-     * Check if user has password set
-     */
-    hasPassword(userId: string): Promise<boolean>;
-    /**
-     * Remove password for a user (switch to passwordless)
-     */
-    removePassword(userId: string): Promise<void>;
-    /**
-     * Get provider info
-     */
-    getInfo(): ProviderInfo;
-    /**
-     * Constant-time comparison to prevent timing attacks
-     */
-    private constantTimeEquals;
-}
-/**
- * Create Password provider
- */
-declare function createPasswordProvider(storage: KVStorage, config?: PasswordConfig): PasswordProvider;
-
 /**
  * Runtime detection utilities for multi-runtime support
  * Supports: Node.js, Deno, Cloudflare Workers, Bun
@@ -896,13 +210,12 @@ interface DrizzleAuthSchema {
 }
 /**
  * User model
+ * Note: emailVerified/phoneVerified are tracked via auth_methods.verified
  */
 interface DrizzleUser {
     id: string;
     displayName: string | null;
     avatarUrl: string | null;
-    emailVerified: boolean;
-    phoneVerified: boolean;
     twoFactorEnabled: boolean;
     twoFactorSecret: string | null;
     status: string;
@@ -1582,4 +895,4 @@ declare function createEmailVerificationService(storage: KVStorage, config: Emai
  */
 declare function createAuth(config: ParsAuthConfig): ParsAuthEngine;
 
-export { type AppleConfig, AppleProvider, AuthAdapter, AuthInput, AuthProvider, AuthResult, type AuthenticationOptions, type AuthenticatorData, type ClientDataJSON, type DrizzleAdapterConfig, type DrizzleAuthMethod, type DrizzleAuthSchema, type DrizzleDatabase, type DrizzleEmailVerificationToken, type DrizzleRole, type DrizzleSession, type DrizzleTenant, type DrizzleTenantMembership, type DrizzleUser, type EmailAttachment, type EmailOptions, type EmailProvider, type EmailResult, EmailService, type EmailServiceConfig, type EmailVerificationConfig, EmailVerificationService, type GitHubConfig, GitHubProvider, type GoogleConfig, GoogleProvider, type InvitationEmailOptions, KVStorage, type MagicLinkEmailOptions, MagicLinkProvider, type MagicLinkConfig as MagicLinkProviderConfig, type MicrosoftConfig, MicrosoftProvider, type NetGSMConfig, NetGSMProvider, type OAuthCallbackResult, type OAuthConfig, type OAuthFlowResult, OAuthManager, type OAuthProviderName, type OAuthState, type OAuthTokens, type OAuthUserInfo as OAuthUser, type OTPEmailOptions, type OTPSMSOptions, ParsAuthConfig, ParsAuthEngine, PasswordProvider, type PasswordConfig as PasswordProviderConfig, type PasswordResetEmailOptions, type PasswordStrength, type PasswordValidationResult, ProviderInfo, type RegistrationOptions, type RequestVerificationResult, ResendEmailProvider, type Runtime, type SMSOptions, type SMSProvider, type SMSResult, SMSService, type SMSServiceConfig, type SendMagicLinkResult, TOTPProvider, type TOTPConfig as TOTPProviderConfig, type TOTPSetupData, type TOTPVerifyResult, TwoFactorProvider, TwoFactorSetupResult, type VerificationEmailOptions, type VerificationStatus, type VerifyEmailResult, type VerifyMagicLinkResult, type WebAuthnCredential, WebAuthnProvider, type WebAuthnConfig as WebAuthnProviderConfig, type WelcomeEmailOptions, base64UrlDecode, base64UrlEncode, bytesToHex, createAuth, createDrizzleAdapter, createEmailService, createEmailVerificationService, createMagicLinkProvider, createNetGSMProvider, createOAuthManager, createPasswordProvider, createResendProvider, createSMSService, createTOTPProvider, createWebAuthnProvider, detectRuntime, generatePKCE, generateRandomBase64Url, generateRandomHex, generateState, getEnv, hexToBytes, isBun, isCloudflare, isDeno, isEdge, isNode, randomInt, sha256, sha256Hex, timingSafeEqual, timingSafeEqualBytes };
+export { AppleConfig, AppleProvider, AuthAdapter, type DrizzleAdapterConfig, type DrizzleAuthMethod, type DrizzleAuthSchema, type DrizzleDatabase, type DrizzleEmailVerificationToken, type DrizzleRole, type DrizzleSession, type DrizzleTenant, type DrizzleTenantMembership, type DrizzleUser, type EmailAttachment, type EmailOptions, type EmailProvider, type EmailResult, EmailService, type EmailServiceConfig, type EmailVerificationConfig, EmailVerificationService, GitHubConfig, GitHubProvider, GoogleConfig, GoogleProvider, type InvitationEmailOptions, KVStorage, type MagicLinkEmailOptions, MicrosoftConfig, MicrosoftProvider, type NetGSMConfig, NetGSMProvider, OAuthTokens, OAuthUserInfo as OAuthUser, type OTPEmailOptions, type OTPSMSOptions, ParsAuthConfig, ParsAuthEngine, type PasswordResetEmailOptions, type RequestVerificationResult, ResendEmailProvider, type Runtime, type SMSOptions, type SMSProvider, type SMSResult, SMSService, type SMSServiceConfig, type VerificationEmailOptions, type VerificationStatus, type VerifyEmailResult, type WelcomeEmailOptions, base64UrlDecode, base64UrlEncode, bytesToHex, createAuth, createDrizzleAdapter, createEmailService, createEmailVerificationService, createNetGSMProvider, createResendProvider, createSMSService, detectRuntime, generateRandomBase64Url, generateRandomHex, getEnv, hexToBytes, isBun, isCloudflare, isDeno, isEdge, isNode, randomInt, sha256, sha256Hex, timingSafeEqual, timingSafeEqualBytes };