@parsrun/auth 0.2.6 → 0.2.9

package/dist/{index-kATaLVps.d.ts → index-ZRaviVhS.d.ts}

@@ -2,10 +2,696 @@ import { T as TokenPair, d as JwtPayload, J as JwtManager } from './jwt-manager-
 import * as hono_types from 'hono/types';
 import { Context, MiddlewareHandler, Hono } from 'hono';
 import { K as KVStorage } from './types-DSjafxJ4.js';
-import { h as AuthAdapter, u as AdapterTenant, v as AdapterMembership, l as TenantResolutionStrategy, i as ParsAuthConfig, a as ProviderInfo, r as AdapterUser, s as AdapterSession } from './base-BI-SilX-.js';
-import { R as RequestOTPInput, d as RequestOTPResult } from './index-DC7A0IbX.js';
+import { A as AuthProvider, b as AuthInput, c as AuthResult, a as ProviderInfo, T as TwoFactorProvider, e as TwoFactorSetupResult, h as AuthAdapter, u as AdapterTenant, v as AdapterMembership, l as TenantResolutionStrategy, i as ParsAuthConfig, r as AdapterUser, s as AdapterSession } from './base-DbUdEGJ4.js';
+import { R as RequestOTPInput, d as RequestOTPResult } from './index-Bcldwbx0.js';
 import { f as PermissionPattern } from './authorization-By1Xp8Za.js';
 
+/**
+ * Password Provider
+ * Traditional password-based authentication
+ * DISABLED BY DEFAULT - use passwordless methods when possible
+ */
+
+/**
+ * Password configuration
+ */
+interface PasswordConfig {
+    /** Minimum password length (default: 8) */
+    minLength?: number;
+    /** Maximum password length (default: 128) */
+    maxLength?: number;
+    /** Require uppercase letter (default: true) */
+    requireUppercase?: boolean;
+    /** Require lowercase letter (default: true) */
+    requireLowercase?: boolean;
+    /** Require number (default: true) */
+    requireNumber?: boolean;
+    /** Require special character (default: false) */
+    requireSpecial?: boolean;
+    /** Bcrypt cost factor (default: 12) */
+    bcryptCost?: number;
+    /** Password hash function (for custom implementations) */
+    hashPassword?: (password: string) => Promise<string>;
+    /** Password verify function (for custom implementations) */
+    verifyPassword?: (password: string, hash: string) => Promise<boolean>;
+}
+/**
+ * Password validation result
+ */
+interface PasswordValidationResult {
+    valid: boolean;
+    errors: string[];
+}
+/**
+ * Password strength levels
+ */
+type PasswordStrength = 'weak' | 'fair' | 'strong' | 'very-strong';
+/**
+ * Password Provider
+ * WARNING: This provider is disabled by default.
+ * Consider using passwordless authentication (OTP, Magic Link, OAuth) for better security.
+ */
+declare class PasswordProvider implements AuthProvider {
+    readonly name = "password";
+    readonly type: "password";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config?: PasswordConfig);
+    get enabled(): boolean;
+    /**
+     * Enable the password provider
+     * Must be explicitly called to enable password authentication
+     */
+    enable(): void;
+    /**
+     * Disable the password provider
+     */
+    disable(): void;
+    /**
+     * Validate password against policy
+     */
+    validatePassword(password: string): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Hash a password
+     * Uses Web Crypto API for PBKDF2 (bcrypt alternative for edge runtime)
+     */
+    hashPassword(password: string): Promise<string>;
+    /**
+     * Verify a password against a hash
+     */
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    /**
+     * Authenticate with password (implements AuthProvider)
+     */
+    authenticate(input: AuthInput): Promise<AuthResult>;
+    /**
+     * Store password hash for a user
+     */
+    setPassword(userId: string, password: string): Promise<{
+        success: boolean;
+        errors?: string[];
+    }>;
+    /**
+     * Verify password for a user
+     */
+    verifyUserPassword(userId: string, password: string): Promise<boolean>;
+    /**
+     * Check if user has password set
+     */
+    hasPassword(userId: string): Promise<boolean>;
+    /**
+     * Remove password for a user (switch to passwordless)
+     */
+    removePassword(userId: string): Promise<void>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Constant-time comparison to prevent timing attacks
+     */
+    private constantTimeEquals;
+}
+/**
+ * Create Password provider
+ */
+declare function createPasswordProvider(storage: KVStorage, config?: PasswordConfig): PasswordProvider;
+
+/**
+ * Magic Link Provider
+ * Passwordless email authentication via secure links
+ */
+
+/**
+ * Magic Link configuration
+ */
+interface MagicLinkConfig {
+    /** Base URL for magic links (e.g., https://app.example.com) */
+    baseUrl: string;
+    /** Path for callback (default: /auth/magic-link/callback) */
+    callbackPath?: string;
+    /** Token expiration in seconds (default: 900 = 15 minutes) */
+    expiresIn?: number;
+    /** Token length in bytes (default: 32) */
+    tokenLength?: number;
+    /** Email sender function */
+    send: (email: string, url: string, expiresIn: number) => Promise<void>;
+}
+/**
+ * Send magic link result
+ */
+interface SendMagicLinkResult {
+    success: boolean;
+    expiresAt?: Date;
+    error?: string;
+}
+/**
+ * Verify magic link result
+ */
+interface VerifyMagicLinkResult {
+    success: boolean;
+    email?: string;
+    tenantId?: string;
+    redirectUrl?: string;
+    error?: string;
+}
+/**
+ * Magic Link Provider
+ */
+declare class MagicLinkProvider implements AuthProvider {
+    readonly name = "magic-link";
+    readonly type: "magic-link";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: MagicLinkConfig);
+    get enabled(): boolean;
+    /**
+     * Send magic link to email
+     */
+    sendMagicLink(email: string, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<SendMagicLinkResult>;
+    /**
+     * Verify magic link token
+     */
+    verifyMagicLink(token: string): Promise<VerifyMagicLinkResult>;
+    /**
+     * Authenticate with magic link token (implements AuthProvider)
+     */
+    authenticate(input: AuthInput): Promise<AuthResult>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Request magic link (for use in auth routes)
+     */
+    requestMagicLink(email: string, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<SendMagicLinkResult>;
+}
+/**
+ * Create Magic Link provider
+ */
+declare function createMagicLinkProvider(storage: KVStorage, config: MagicLinkConfig): MagicLinkProvider;
+
+/**
+ * TOTP Provider (Time-based One-Time Password)
+ * RFC 6238 compliant, Google Authenticator compatible
+ */
+
+/**
+ * TOTP Configuration
+ */
+interface TOTPConfig {
+    /** Issuer name (your app name) */
+    issuer: string;
+    /** Hash algorithm (default: SHA1 for compatibility) */
+    algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+    /** Number of digits (default: 6) */
+    digits?: 6 | 8;
+    /** Time period in seconds (default: 30) */
+    period?: number;
+    /** Time window for drift tolerance (default: 1) */
+    window?: number;
+    /** Number of backup codes (default: 10) */
+    backupCodeCount?: number;
+    /** Encryption key for storing secrets */
+    encryptionKey?: string;
+}
+/**
+ * TOTP setup result
+ */
+interface TOTPSetupData {
+    /** Base32 encoded secret */
+    secret: string;
+    /** QR code URL */
+    qrCodeUrl: string;
+    /** Backup codes */
+    backupCodes: string[];
+    /** otpauth:// URI */
+    otpauthUri: string;
+}
+/**
+ * TOTP verify result
+ */
+interface TOTPVerifyResult {
+    valid: boolean;
+    usedBackupCode?: boolean;
+}
+/**
+ * TOTP Provider
+ */
+declare class TOTPProvider implements TwoFactorProvider {
+    readonly name = "totp";
+    readonly type: "totp";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: TOTPConfig);
+    get enabled(): boolean;
+    /**
+     * Setup TOTP for a user
+     * Note: Use setupWithEmail for full setup including QR code URL
+     */
+    setup(userId: string): Promise<TwoFactorSetupResult>;
+    /**
+     * Setup TOTP for a user with email for QR code label
+     */
+    setupWithEmail(userId: string, userEmail: string): Promise<TwoFactorSetupResult & {
+        qrCodeUrl: string;
+        otpauthUri: string;
+    }>;
+    /**
+     * Verify TOTP and activate 2FA (for TwoFactorProvider interface)
+     */
+    verifySetup(userId: string, token: string): Promise<boolean>;
+    /**
+     * Verify TOTP during login (for TwoFactorProvider interface)
+     */
+    verifyLogin(userId: string, code: string): Promise<boolean>;
+    /**
+     * Authenticate (for AuthProvider interface)
+     */
+    authenticate(_input: AuthInput): Promise<AuthResult>;
+    /**
+     * Verify TOTP token
+     */
+    verifyCode(userId: string, token: string): Promise<TOTPVerifyResult>;
+    /**
+     * Disable TOTP for user
+     */
+    disable(userId: string): Promise<void>;
+    /**
+     * Regenerate backup codes
+     */
+    regenerateBackupCodes(userId: string): Promise<string[]>;
+    /**
+     * Get remaining backup codes count
+     */
+    getBackupCodesCount(userId: string): Promise<number>;
+    /**
+     * Check if TOTP is enabled for user
+     */
+    isEnabled(userId: string): Promise<boolean>;
+    /**
+     * Generate current TOTP (for testing)
+     */
+    generateCurrent(userId: string): Promise<string>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Create otpauth URI for QR code
+     */
+    private createOtpauthUri;
+}
+/**
+ * Create TOTP provider
+ */
+declare function createTOTPProvider(storage: KVStorage, config: TOTPConfig): TOTPProvider;
+
+/**
+ * WebAuthn Provider (Passkeys)
+ * FIDO2 passwordless authentication
+ */
+
+/**
+ * WebAuthn Configuration
+ */
+interface WebAuthnConfig {
+    /** Relying Party name (your app name) */
+    rpName: string;
+    /** Relying Party ID (domain without protocol) */
+    rpId: string;
+    /** Full origin (e.g., https://example.com) */
+    origin: string;
+    /** Timeout in milliseconds (default: 60000) */
+    timeout?: number;
+    /** Attestation preference (default: none) */
+    attestation?: 'none' | 'indirect' | 'direct';
+    /** User verification preference (default: preferred) */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Registration options returned to client
+ */
+interface RegistrationOptions {
+    challenge: string;
+    rp: {
+        name: string;
+        id: string;
+    };
+    user: {
+        id: string;
+        name: string;
+        displayName: string;
+    };
+    pubKeyCredParams: Array<{
+        type: 'public-key';
+        alg: number;
+    }>;
+    timeout: number;
+    attestation: 'none' | 'indirect' | 'direct';
+    authenticatorSelection: {
+        authenticatorAttachment?: 'platform' | 'cross-platform';
+        residentKey: 'required' | 'preferred' | 'discouraged';
+        userVerification: 'required' | 'preferred' | 'discouraged';
+    };
+    excludeCredentials: Array<{
+        id: string;
+        type: 'public-key';
+        transports?: string[];
+    }>;
+}
+/**
+ * Authentication options returned to client
+ */
+interface AuthenticationOptions {
+    challenge: string;
+    timeout: number;
+    rpId: string;
+    allowCredentials: Array<{
+        id: string;
+        type: 'public-key';
+        transports?: string[];
+    }>;
+    userVerification: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Registration response from client
+ */
+interface RegistrationResponse {
+    id: string;
+    rawId: string;
+    type: 'public-key';
+    response: {
+        clientDataJSON: string;
+        attestationObject: string;
+        transports?: string[];
+    };
+}
+/**
+ * Authentication response from client
+ */
+interface AuthenticationResponse {
+    id: string;
+    rawId: string;
+    type: 'public-key';
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle?: string;
+    };
+}
+/**
+ * Client data JSON structure
+ */
+interface ClientDataJSON {
+    type: 'webauthn.create' | 'webauthn.get';
+    challenge: string;
+    origin: string;
+    crossOrigin?: boolean;
+}
+/**
+ * Authenticator data structure
+ */
+interface AuthenticatorData {
+    rpIdHash: Uint8Array;
+    flags: {
+        userPresent: boolean;
+        userVerified: boolean;
+        attestedCredentialData: boolean;
+        extensionDataIncluded?: boolean;
+    };
+    signCount: number;
+    attestedCredentialData?: {
+        aaguid: Uint8Array;
+        credentialId: Uint8Array;
+        publicKey: Uint8Array;
+    };
+}
+/**
+ * Stored credential (exported as WebAuthnCredential)
+ */
+interface WebAuthnCredential {
+    id: string;
+    credentialId: string;
+    userId: string;
+    publicKey: string;
+    counter: number;
+    transports: string[];
+    name: string;
+    deviceType?: string;
+    createdAt: string;
+    lastUsedAt?: string;
+}
+/**
+ * WebAuthn Provider
+ */
+declare class WebAuthnProvider implements TwoFactorProvider {
+    readonly name = "webauthn";
+    readonly type: "webauthn";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: WebAuthnConfig);
+    get enabled(): boolean;
+    /**
+     * Generate registration options
+     */
+    generateRegistrationOptions(userId: string, userName: string, userDisplayName: string, authenticatorType?: 'platform' | 'cross-platform'): Promise<RegistrationOptions>;
+    /**
+     * Verify registration response
+     */
+    verifyRegistration(response: RegistrationResponse, challenge: string, credentialName?: string): Promise<{
+        success: boolean;
+        credentialId?: string;
+        error?: string;
+    }>;
+    /**
+     * Generate authentication options
+     */
+    generateAuthenticationOptions(userId?: string): Promise<AuthenticationOptions>;
+    /**
+     * Verify authentication response
+     */
+    verifyAuthentication(response: AuthenticationResponse, challenge: string): Promise<{
+        success: boolean;
+        userId?: string;
+        credentialId?: string;
+        error?: string;
+    }>;
+    /**
+     * Get user's credentials
+     */
+    getUserCredentials(userId: string): Promise<WebAuthnCredential[]>;
+    /**
+     * Remove a credential
+     */
+    removeCredential(userId: string, credentialId: string): Promise<boolean>;
+    /**
+     * Check if user has any passkeys
+     */
+    hasPasskeys(userId: string): Promise<boolean>;
+    /**
+     * Setup (for TwoFactorProvider interface)
+     */
+    setup(userId: string): Promise<TwoFactorSetupResult>;
+    /**
+     * Verify setup (for TwoFactorProvider interface)
+     */
+    verifySetup(userId: string, _code: string): Promise<boolean>;
+    /**
+     * Verify login (for TwoFactorProvider interface)
+     */
+    verifyLogin(userId: string, _code: string): Promise<boolean>;
+    /**
+     * Disable 2FA for user
+     */
+    disable(userId: string): Promise<void>;
+    /**
+     * Authenticate (for AuthProvider interface)
+     */
+    authenticate(_input: AuthInput): Promise<AuthResult>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+}
+/**
+ * Create WebAuthn provider
+ */
+declare function createWebAuthnProvider(storage: KVStorage, config: WebAuthnConfig): WebAuthnProvider;
+
+/**
+ * OAuth Types
+ */
+interface OAuthUserInfo {
+    /** Provider-specific user ID */
+    id: string;
+    /** User email */
+    email: string;
+    /** Display name */
+    name?: string;
+    /** Avatar URL */
+    avatarUrl?: string;
+    /** Whether email is verified */
+    emailVerified: boolean;
+    /** Raw provider response */
+    raw: Record<string, unknown>;
+}
+interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    idToken?: string;
+    tokenType?: string;
+    scope?: string;
+}
+interface OAuthProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes?: string[];
+}
+interface GoogleConfig extends OAuthProviderConfig {
+}
+interface GitHubConfig extends OAuthProviderConfig {
+}
+interface MicrosoftConfig extends OAuthProviderConfig {
+    tenantId?: string;
+}
+interface AppleConfig {
+    clientId: string;
+    teamId: string;
+    keyId: string;
+    privateKey: string;
+    redirectUri: string;
+    scopes?: string[];
+}
+interface OAuthProvider {
+    readonly name: string;
+    getAuthorizationUrl(state: string, codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+    /**
+     * Refresh access token using refresh token
+     * Not all providers support refresh tokens
+     */
+    refreshToken?(refreshToken: string): Promise<OAuthTokens>;
+}
+type OAuthProviderName = 'google' | 'github' | 'microsoft' | 'apple';
+interface OAuthState {
+    state: string;
+    provider: OAuthProviderName;
+    codeVerifier?: string;
+    tenantId?: string;
+    redirectUrl?: string;
+    expiresAt: Date;
+}
+
+/**
+ * OAuth Provider
+ * Manages OAuth2 authentication flows with PKCE support
+ */
+
+/**
+ * OAuth configuration
+ */
+interface OAuthConfig {
+    google?: GoogleConfig;
+    github?: GitHubConfig;
+    microsoft?: MicrosoftConfig;
+    apple?: AppleConfig;
+}
+/**
+ * OAuth flow result
+ */
+interface OAuthFlowResult {
+    authorizationUrl: string;
+    state: string;
+}
+/**
+ * OAuth callback result
+ */
+interface OAuthCallbackResult {
+    userInfo: OAuthUserInfo;
+    tokens: OAuthTokens;
+    tenantId?: string;
+    redirectUrl?: string;
+}
+/**
+ * Generate PKCE code verifier and challenge
+ */
+declare function generatePKCE(): Promise<{
+    codeVerifier: string;
+    codeChallenge: string;
+}>;
+/**
+ * Generate secure random state
+ */
+declare function generateState(): string;
+/**
+ * OAuth Manager
+ * Handles OAuth flows with state management via KVStorage
+ */
+declare class OAuthManager {
+    private storage;
+    private providers;
+    private stateExpirySeconds;
+    constructor(storage: KVStorage, config: OAuthConfig, options?: {
+        stateExpirySeconds?: number;
+    });
+    /**
+     * Get available providers
+     */
+    getAvailableProviders(): OAuthProviderName[];
+    /**
+     * Check if a provider is configured
+     */
+    hasProvider(name: string): boolean;
+    /**
+     * Get a provider by name
+     */
+    getProvider(name: string): OAuthProvider | undefined;
+    /**
+     * Start OAuth flow - returns authorization URL
+     */
+    startFlow(providerName: OAuthProviderName, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<OAuthFlowResult>;
+    /**
+     * Handle OAuth callback
+     */
+    handleCallback(providerName: OAuthProviderName, code: string, state: string): Promise<OAuthCallbackResult>;
+    /**
+     * Refresh OAuth tokens (if supported by provider)
+     */
+    refreshTokens(providerName: OAuthProviderName, refreshToken: string): Promise<OAuthTokens>;
+    /**
+     * Check if provider supports token refresh
+     */
+    supportsRefresh(providerName: OAuthProviderName): boolean;
+}
+/**
+ * Create OAuth manager
+ */
+declare function createOAuthManager(storage: KVStorage, config: OAuthConfig, options?: {
+    stateExpirySeconds?: number;
+}): OAuthManager;
+
 /**
  * Tenant Manager
  * CRUD operations for tenants and memberships
@@ -514,6 +1200,8 @@ interface SignInResult {
     tokens?: TokenPair;
     requiresTwoFactor?: boolean;
     twoFactorChallengeId?: string;
+    requiresRedirect?: boolean;
+    redirectUrl?: string;
     error?: string;
     errorCode?: string;
 }
@@ -529,6 +1217,8 @@ interface SignUpInput {
     name?: string;
     /** Avatar URL */
     avatar?: string;
+    /** Whether the auth method should be marked as verified (default: false) */
+    verified?: boolean;
     /** Request metadata */
     metadata?: {
         ipAddress?: string;
@@ -593,6 +1283,7 @@ declare class ParsAuthEngine {
     private tenantManager;
     private tenantResolver?;
     private invitationService?;
+    private oauthManager?;
     constructor(config: ParsAuthConfig);
     /**
      * Initialize the auth engine (async operations)
@@ -763,6 +1454,30 @@ declare class ParsAuthEngine {
      * Get tenant resolver instance
      */
     getTenantResolver(): TenantResolver | undefined;
+    /**
+     * Handle OAuth callback after user authorization
+     */
+    handleOAuthCallback(provider: 'google' | 'github' | 'microsoft' | 'apple', code: string, state: string, metadata?: SignInInput['metadata']): Promise<SignInResult>;
+    /**
+     * Get the OAuth manager
+     */
+    getOAuthManager(): OAuthManager | undefined;
+    /**
+     * Get TOTP provider for 2FA setup
+     */
+    getTOTPProvider(): TOTPProvider | undefined;
+    /**
+     * Get WebAuthn provider for passkey management
+     */
+    getWebAuthnProvider(): WebAuthnProvider | undefined;
+    /**
+     * Get Password provider
+     */
+    getPasswordProvider(): PasswordProvider | undefined;
+    /**
+     * Get Magic Link provider
+     */
+    getMagicLinkProvider(): MagicLinkProvider | undefined;
 }
 
 /**
@@ -1080,4 +1795,4 @@ declare function requireAny(...middlewares: MiddlewareHandler<{
     Variables: AuthVariables;
 }>;
 
-export { type VerifyOtpBody as $, type AuthContext$1 as A, createAuthCookies as B, type CreateTenantInput as C, createLogoutCookies as D, requireRole as E, requirePermission as F, requireAnyPermission as G, requireTenant as H, InvitationService as I, requireTenantAccess as J, requireAdmin as K, requireOwnerOrPermission as L, MultiStrategyTenantResolver as M, requireAll as N, requireAny as O, ParsAuthEngine as P, type AuthVariables as Q, type RefreshTokenResult as R, type SignInInput as S, TenantResolver as T, type UpdateTenantInput as U, type VerifyTokenResult as V, type HonoAdapterConfig as W, type AuthContext as X, type CookieOptions as Y, type AuthResponse as Z, type RequestOtpBody as _, type SignInResult as a, type SignInBody as a0, type RefreshBody as a1, type SignUpInput as b, type SignUpResult as c, type SessionInfo as d, createTenantResolver as e, createMultiStrategyResolver as f, type TenantResolverConfig as g, type TenantResolutionResult as h, TenantManager as i, createTenantManager as j, type AddMemberInput as k, type UpdateMemberInput as l, type TenantWithMembers as m, type UserTenantMembership as n, createInvitationService as o, type InvitationConfig as p, type InvitationRecord as q, type SendInvitationInput as r, type SendInvitationResult as s, type AcceptInvitationInput as t, type AcceptInvitationResult as u, type InvitationStatusResult as v, createAuthMiddleware as w, createOptionalAuthMiddleware as x, createAuthRoutes as y, createHonoAuth as z };
+export { TOTPProvider as $, type AppleConfig as A, type InvitationStatusResult as B, type CreateTenantInput as C, OAuthManager as D, createOAuthManager as E, generatePKCE as F, type GoogleConfig as G, generateState as H, InvitationService as I, type OAuthConfig as J, type OAuthFlowResult as K, type OAuthCallbackResult as L, type MicrosoftConfig as M, type OAuthState as N, type OAuthProvider as O, ParsAuthEngine as P, type OAuthProviderName as Q, type RefreshTokenResult as R, type SignInInput as S, TenantResolver as T, type UpdateTenantInput as U, type VerifyTokenResult as V, MagicLinkProvider as W, createMagicLinkProvider as X, type MagicLinkConfig as Y, type SendMagicLinkResult as Z, type VerifyMagicLinkResult as _, type OAuthTokens as a, createTOTPProvider as a0, type TOTPConfig as a1, type TOTPSetupData as a2, type TOTPVerifyResult as a3, WebAuthnProvider as a4, createWebAuthnProvider as a5, type WebAuthnConfig as a6, type RegistrationOptions as a7, type AuthenticationOptions as a8, type WebAuthnCredential as a9, type AuthResponse as aA, type RequestOtpBody as aB, type VerifyOtpBody as aC, type SignInBody as aD, type RefreshBody as aE, type ClientDataJSON as aa, type AuthenticatorData as ab, PasswordProvider as ac, createPasswordProvider as ad, type PasswordConfig as ae, type PasswordValidationResult as af, type PasswordStrength as ag, createAuthMiddleware as ah, createOptionalAuthMiddleware as ai, createAuthRoutes as aj, createHonoAuth as ak, createAuthCookies as al, createLogoutCookies as am, requireRole as an, requirePermission as ao, requireAnyPermission as ap, requireTenant as aq, requireTenantAccess as ar, requireAdmin as as, requireOwnerOrPermission as at, requireAll as au, requireAny as av, type AuthVariables as aw, type HonoAdapterConfig as ax, type AuthContext as ay, type CookieOptions as az, type OAuthUserInfo as b, type GitHubConfig as c, type AuthContext$1 as d, type SignInResult as e, type SignUpInput as f, type SignUpResult as g, type SessionInfo as h, MultiStrategyTenantResolver as i, createTenantResolver as j, createMultiStrategyResolver as k, type TenantResolverConfig as l, type TenantResolutionResult as m, TenantManager as n, createTenantManager as o, type AddMemberInput as p, type UpdateMemberInput as q, type TenantWithMembers as r, type UserTenantMembership as s, createInvitationService as t, type InvitationConfig as u, type InvitationRecord as v, type SendInvitationInput as w, type SendInvitationResult as x, type AcceptInvitationInput as y, type AcceptInvitationResult as z };