@peterbud/nuxt-aegis 1.1.0-alpha

package/dist/runtime/server/routes/password/reset-verify.get.js

@@ -0,0 +1,50 @@
+import { defineEventHandler, getQuery, createError, sendRedirect } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../../utils/logger.js";
+import { validateAndIncrementAttempts, retrieveAndDeleteMagicCode } from "../../utils/magicCodeStore.js";
+import { createResetSession } from "../../utils/resetSessionStore.js";
+const logger = createLogger("PasswordResetVerify");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const passwordConfig = config.nuxtAegis?.providers?.password;
+  if (!passwordConfig) {
+    throw createError({
+      statusCode: 404,
+      message: "Password provider is not configured"
+    });
+  }
+  const query = getQuery(event);
+  const code = query.code;
+  if (!code) {
+    throw createError({
+      statusCode: 400,
+      message: "Verification code is required"
+    });
+  }
+  const magicCodeData = await validateAndIncrementAttempts(code);
+  if (!magicCodeData) {
+    throw createError({
+      statusCode: 400,
+      message: "Invalid or expired code"
+    });
+  }
+  if (magicCodeData.type !== "reset") {
+    throw createError({
+      statusCode: 400,
+      message: "Invalid code type"
+    });
+  }
+  const { email } = magicCodeData;
+  try {
+    const sessionId = await createResetSession(email);
+    await retrieveAndDeleteMagicCode(code);
+    const redirectUrl = `/reset-password?session=${sessionId}`;
+    return await sendRedirect(event, redirectUrl, 302);
+  } catch (error) {
+    logger.error("Reset verification failed", error);
+    throw createError({
+      statusCode: 500,
+      message: "Verification failed"
+    });
+  }
+});

package/dist/runtime/server/routes/refresh.post.d.ts

@@ -0,0 +1,8 @@
+import type { RefreshResponse } from '../../types/index.js';
+/**
+ * POST /auth/refresh
+ * Refresh endpoint to obtain new access tokens
+ * Rejects refresh requests for impersonated sessions
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<RefreshResponse>>;
+export default _default;

package/dist/runtime/server/routes/refresh.post.js

@@ -0,0 +1,102 @@
+import { defineEventHandler, getCookie, createError } from "h3";
+import { generateToken, verifyToken } from "../utils/jwt.js";
+import {
+  generateAndStoreRefreshToken,
+  hashRefreshToken,
+  getRefreshTokenData,
+  revokeRefreshToken
+} from "../utils/refreshToken.js";
+import { setRefreshTokenCookie } from "../utils/cookies.js";
+import { processCustomClaims } from "../utils/customClaims.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
+  const tokenConfig = config.nuxtAegis?.token;
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  if (!tokenConfig || !tokenConfig.secret) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Token configuration is missing"
+    });
+  }
+  const cookieName = cookieConfig?.cookieName || "nuxt-aegis-refresh";
+  const refreshToken = getCookie(event, cookieName);
+  if (!refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No refresh token found"
+    });
+  }
+  try {
+    const authHeader = event.node.req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.substring(7);
+      const currentToken = await verifyToken(token, tokenConfig.secret, false);
+      if (currentToken?.impersonation) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: "Forbidden",
+          message: "Cannot refresh impersonated session. Please call unimpersonate to restore your original session."
+        });
+      }
+    }
+    const hashedRefreshToken = hashRefreshToken(refreshToken);
+    const storedRefreshToken = await getRefreshTokenData(hashedRefreshToken, event);
+    const isRevoked = storedRefreshToken?.isRevoked || false;
+    const isExpired = storedRefreshToken?.expiresAt ? Date.now() > storedRefreshToken.expiresAt : true;
+    if (!storedRefreshToken || isRevoked || isExpired) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid or expired refresh token"
+      });
+    }
+    const providerUserInfo = storedRefreshToken.providerUserInfo;
+    const provider = storedRefreshToken.provider;
+    let customClaims = {};
+    const providerConfig = config.nuxtAegis?.providers?.[provider];
+    if (providerConfig && "customClaims" in providerConfig) {
+      const customClaimsConfig = providerConfig.customClaims;
+      if (customClaimsConfig) {
+        customClaims = await processCustomClaims(providerUserInfo, customClaimsConfig);
+      }
+    }
+    const payload = {
+      sub: String(providerUserInfo.sub || providerUserInfo.email || providerUserInfo.id || ""),
+      email: providerUserInfo.email,
+      name: providerUserInfo.name,
+      picture: providerUserInfo.picture,
+      provider
+      // Include provider name in JWT payload
+    };
+    const newToken = await generateToken(payload, tokenConfig, customClaims);
+    const newRefreshToken = await generateAndStoreRefreshToken(
+      providerUserInfo,
+      // RS-2: Store complete OAuth provider user data
+      provider,
+      // Store provider name
+      tokenRefreshConfig,
+      hashedRefreshToken,
+      // Pass previous token hash for rotation tracking
+      event
+    );
+    if (newRefreshToken) {
+      setRefreshTokenCookie(event, newRefreshToken, cookieConfig);
+    }
+    await revokeRefreshToken(hashedRefreshToken, event);
+    return {
+      success: true,
+      message: "Token refreshed successfully",
+      accessToken: newToken
+    };
+  } catch {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Token refresh failed"
+    });
+  }
+});

package/dist/runtime/server/routes/token.post.d.ts

@@ -0,0 +1,28 @@
+import type { TokenExchangeResponse } from '../../types/index.js';
+/**
+ * POST /auth/token
+ * Token Exchange Endpoint - Authorization CODE to JWT Tokens
+ *
+ * This endpoint implements the second step of the OAuth 2.0 authorization code flow.
+ * It exchanges a short-lived authorization CODE for application-specific JWT tokens.
+ *
+ * Flow:
+ * 1. Accept authorization CODE from request body
+ * 2. Validate CODE exists in server-side key-value store
+ * 3. Retrieve and delete CODE atomically (single-use enforcement)
+ * 4. Generate JWT access token and refresh token
+ * 5. Return access token in JSON response body
+ * 6. Set refresh token as HttpOnly, Secure cookie
+ *
+ * Security:
+ * - Single-use CODE enforcement via immediate deletion
+ * - Generic 401 error for invalid/expired/reused CODEs
+ * - No specific failure reasons revealed to prevent information leakage
+ *
+ * @returns TokenExchangeResponse with access token and metadata
+ * @throws 400 Bad Request if CODE is missing from request body
+ * @throws 401 Unauthorized if CODE is invalid, expired, or already used (EH-4: Generic error)
+ * @throws 500 Internal Server Error if token generation fails
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<TokenExchangeResponse>>;
+export default _default;

package/dist/runtime/server/routes/token.post.js

@@ -0,0 +1,90 @@
+import { defineEventHandler, readBody, createError } from "h3";
+import { retrieveAndDeleteAuthCode } from "../utils/authCodeStore.js";
+import { useRuntimeConfig } from "#imports";
+import { generateAuthTokens } from "../utils/auth.js";
+import { setRefreshTokenCookie } from "../utils/cookies.js";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("TokenExchange");
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event);
+  if (!body?.code) {
+    logger.security("Token exchange attempted without authorization code", {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      event: "TOKEN_EXCHANGE_MISSING_CODE",
+      severity: "warning"
+    });
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: "Missing authorization code"
+    });
+  }
+  const authCodeData = await retrieveAndDeleteAuthCode(body.code);
+  if (!authCodeData) {
+    logger.security("Token exchange failed - invalid authorization code", {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      event: "TOKEN_EXCHANGE_INVALID_CODE",
+      codePrefix: `${body.code.substring(0, 8)}...`,
+      severity: "warning"
+    });
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Invalid or expired authorization code"
+    });
+  }
+  try {
+    const { accessToken, refreshToken } = await generateAuthTokens(
+      event,
+      authCodeData.providerUserInfo,
+      authCodeData.provider,
+      authCodeData.customClaims
+    );
+    if (refreshToken) {
+      const cookieConfig = useRuntimeConfig(event).nuxtAegis?.tokenRefresh?.cookie;
+      setRefreshTokenCookie(event, refreshToken, cookieConfig);
+    }
+    const tokenConfig = useRuntimeConfig(event).nuxtAegis?.token;
+    const expiresIn = tokenConfig?.expiresIn;
+    let expiresInSeconds;
+    if (expiresIn) {
+      if (typeof expiresIn === "number") {
+        expiresInSeconds = expiresIn;
+      } else if (typeof expiresIn === "string") {
+        const match = expiresIn.match(/^(\d+)([smhd])$/);
+        if (match && match[1] && match[2]) {
+          const value = Number.parseInt(match[1], 10);
+          const unit = match[2];
+          const multipliers = { s: 1, m: 60, h: 3600, d: 86400 };
+          const multiplier = multipliers[unit];
+          if (multiplier !== void 0) {
+            expiresInSeconds = value * multiplier;
+          }
+        }
+      }
+    }
+    const response = {
+      accessToken,
+      tokenType: "Bearer",
+      expiresIn: expiresInSeconds
+    };
+    logger.security("JWT tokens generated successfully", {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      event: "TOKEN_GENERATION_SUCCESS",
+      expiresIn: expiresInSeconds
+    });
+    return response;
+  } catch (error) {
+    logger.error("Token generation error", {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      event: "TOKEN_GENERATION_ERROR",
+      error: import.meta.dev ? error : "Error details hidden in production",
+      severity: "error"
+    });
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to generate authentication tokens"
+    });
+  }
+});

package/dist/runtime/server/routes/unimpersonate.post.d.ts

@@ -0,0 +1,16 @@
+/**
+ * POST /auth/unimpersonate
+ * Ends impersonation and restores the original user session
+ *
+ * Response:
+ * - accessToken: string - JWT for restored original session
+ * - Sets refresh token cookie for normal session
+ *
+ * Requirements:
+ * - Impersonation feature must be enabled
+ * - Current session must be impersonated
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    accessToken: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/unimpersonate.post.js

@@ -0,0 +1,65 @@
+import { defineEventHandler, createError, getHeader, setCookie } from "h3";
+import { verifyToken } from "../utils/jwt.js";
+import { endImpersonation } from "../utils/impersonation.js";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("Unimpersonate");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  if (!config.nuxtAegis?.impersonation?.enabled) {
+    throw createError({
+      statusCode: 404,
+      message: "Impersonation feature is not enabled"
+    });
+  }
+  try {
+    const authHeader = getHeader(event, "authorization");
+    if (!authHeader?.startsWith("Bearer ")) {
+      throw createError({
+        statusCode: 401,
+        message: "Authentication required"
+      });
+    }
+    const token = authHeader.substring(7);
+    const tokenConfig = config.nuxtAegis?.token;
+    if (!tokenConfig?.secret) {
+      throw createError({
+        statusCode: 500,
+        message: "Token configuration is missing"
+      });
+    }
+    const currentToken = await verifyToken(token, tokenConfig.secret);
+    if (!currentToken) {
+      throw createError({
+        statusCode: 401,
+        message: "Invalid or expired token"
+      });
+    }
+    const { accessToken, refreshTokenId } = await endImpersonation(currentToken, event);
+    const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
+    const cookieName = cookieConfig?.cookieName || "nuxt-aegis-refresh";
+    setCookie(event, cookieName, refreshTokenId, {
+      httpOnly: true,
+      secure: cookieConfig?.secure ?? true,
+      sameSite: cookieConfig?.sameSite || "lax",
+      path: cookieConfig?.path || "/",
+      maxAge: cookieConfig?.maxAge,
+      domain: cookieConfig?.domain
+    });
+    logger.security("Impersonation ended", {
+      originalUser: currentToken.impersonation?.originalUserId,
+      wasImpersonating: currentToken.sub
+    });
+    return { accessToken };
+  } catch (error) {
+    logger.error("Unimpersonate failed:", error);
+    const err = error;
+    if (err.statusCode) {
+      throw error;
+    }
+    throw createError({
+      statusCode: 500,
+      message: err.message || "Failed to end impersonation"
+    });
+  }
+});

package/dist/runtime/server/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../../../.nuxt/tsconfig.server.json",
+}

package/dist/runtime/server/utils/auth.d.ts

@@ -0,0 +1,94 @@
+import type { H3Event } from 'h3';
+import type { TokenPayload } from '../../types/index.js';
+/**
+ * Generate authentication tokens from user data with optional custom claims
+ * This is the recommended way to generate tokens after successful OAuth authentication
+ *
+ * @param event - H3Event object
+ * @param providerUserInfo - Complete user object from the OAuth provider (will be stored with refresh token)
+ * @param provider - Provider name (e.g., 'google', 'github', 'microsoft', 'auth0')
+ * @param customClaims - Optional custom claims to add to the JWT (already processed)
+ * @returns Object containing accessToken and refreshToken
+ *
+ * @example
+ * ```typescript
+ * const tokens = await generateAuthTokens(event, providerUserInfo, 'google', {
+ *   role: 'admin',
+ *   permissions: ['read', 'write'],
+ * })
+ * ```
+ */
+export declare function generateAuthTokens(event: H3Event, providerUserInfo: Record<string, unknown>, provider: string, customClaims?: Record<string, unknown>): Promise<{
+    accessToken: string;
+    refreshToken?: string;
+}>;
+/**
+ * Ensures the event has an authenticated user and narrows the type
+ * Returns the event with narrowed context type for better type inference
+ *
+ * @param event - H3Event object
+ * @returns Event with guaranteed user context
+ * @throws 401 Unauthorized if user is not authenticated
+ *
+ * @example
+ * ```typescript
+ * export default defineEventHandler((event) => {
+ *   const authedEvent = requireAuth(event)
+ *   // TypeScript knows authedEvent.context.user is defined
+ *   return { userId: authedEvent.context.user.sub }
+ * })
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom claims typing
+ * interface MyTokenPayload extends TokenPayload {
+ *   role: string
+ *   permissions: string[]
+ * }
+ *
+ * export default defineEventHandler((event) => {
+ *   const authedEvent = requireAuth<MyTokenPayload>(event)
+ *   // TypeScript knows about role and permissions
+ *   return { role: authedEvent.context.user.role }
+ * })
+ * ```
+ */
+export declare function requireAuth<T extends TokenPayload = TokenPayload>(event: H3Event): H3Event & {
+    context: {
+        user: T;
+    };
+};
+/**
+ * Get the authenticated user from the event context
+ * This is a convenience function that combines requireAuth and context extraction
+ *
+ * @param event - H3Event object
+ * @returns The authenticated user payload
+ * @throws 401 Unauthorized if user is not authenticated
+ *
+ * @example
+ * ```typescript
+ * export default defineEventHandler((event) => {
+ *   const user = getAuthUser(event)
+ *   // TypeScript knows user is defined
+ *   return { userId: user.sub, email: user.email }
+ * })
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom claims typing
+ * interface MyTokenPayload extends TokenPayload {
+ *   role: string
+ *   permissions: string[]
+ * }
+ *
+ * export default defineEventHandler((event) => {
+ *   const user = getAuthUser<MyTokenPayload>(event)
+ *   // TypeScript knows about role and permissions
+ *   return { role: user.role, permissions: user.permissions }
+ * })
+ * ```
+ */
+export declare function getAuthUser<T extends TokenPayload = TokenPayload>(event: H3Event): T;

package/dist/runtime/server/utils/auth.js

@@ -0,0 +1,54 @@
+import { useRuntimeConfig } from "#imports";
+import { createError } from "h3";
+import { generateAndStoreRefreshToken } from "./refreshToken.js";
+import { generateToken } from "./jwt.js";
+export async function generateAuthTokens(event, providerUserInfo, provider, customClaims) {
+  const config = useRuntimeConfig(event);
+  const tokenConfig = config.nuxtAegis?.token;
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  if (!tokenConfig || !tokenConfig.secret) {
+    throw new Error("Token configuration is missing. Please configure nuxtAegis.token in your nuxt.config.ts");
+  }
+  const payload = {
+    sub: String(providerUserInfo.sub || providerUserInfo.email || providerUserInfo.id || ""),
+    email: providerUserInfo.email,
+    name: providerUserInfo.name,
+    picture: providerUserInfo.picture,
+    provider
+    // Include provider name in JWT payload
+  };
+  const refreshToken = await generateAndStoreRefreshToken(
+    providerUserInfo,
+    // RS-2: Store complete user object
+    provider,
+    // Store provider name for custom claims refresh
+    tokenRefreshConfig,
+    void 0,
+    // No previous token hash for initial auth
+    event
+  );
+  return {
+    accessToken: await generateToken(payload, tokenConfig, customClaims),
+    refreshToken
+  };
+}
+export function requireAuth(event) {
+  if (!event.context.user) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Authentication required"
+    });
+  }
+  return event;
+}
+export function getAuthUser(event) {
+  if (!event.context.user) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Authentication required"
+    });
+  }
+  return event.context.user;
+}

package/dist/runtime/server/utils/authCodeStore.d.ts

@@ -0,0 +1,137 @@
+import type { H3Event } from 'h3';
+import type { AuthCodeData } from '../../types/index.js';
+/**
+ * Authorization Code Store Utilities
+ *
+ * Provides server-side storage and management for short-lived authorization CODEs
+ * used in the OAuth 2.0 authorization code flow.
+ *
+ * Flow:
+ * 1. Generate and store authorization CODE after OAuth authentication
+ * 2. Store CODE with user info and provider tokens in memory
+ * 3. Set 60-second expiration (configurable via CF-9)
+ * 4. Retrieve and delete CODE when exchanging for tokens
+ * 5. Ensure single-use by immediate deletion
+ * 6. Automatic cleanup of expired CODEs
+ *
+ * Security Features:
+ * - Cryptographically secure random CODE generation (crypto.randomBytes)
+ * - Single-use enforcement (delete immediately after retrieval)
+ * - Automatic cleanup of expired CODEs
+ * - Validation before allowing token exchange
+ */
+/**
+ * Generate a cryptographically secure authorization code
+ *
+ * @returns A base64url-encoded random authorization code
+ *
+ * @example
+ * ```typescript
+ * const code = generateAuthCode()
+ * // Returns: "X7k9mP2nQ5vL8wR4tY6uZ3bN1cM0dF5g"
+ * ```
+ */
+export declare function generateAuthCode(): string;
+/**
+ * Store authorization code with associated user and provider data
+ * Server-side in-memory key-value store for temporary authorization CODE storage
+ * Associate CODE with user information and provider tokens
+ * Set expiration time of 60 seconds
+ * Store CODE in server-side in-memory key-value store
+ *
+ * @param code - The authorization code to store
+ * @param providerUserInfo - Complete OAuth provider user data
+ * @param providerTokens - Tokens received from OAuth provider
+ * @param providerTokens.access_token - Provider access token
+ * @param providerTokens.refresh_token - Optional provider refresh token
+ * @param providerTokens.id_token - Optional provider ID token
+ * @param providerTokens.expires_in - Optional token expiration time
+ * @param provider - Provider name (e.g., 'google', 'github', 'microsoft', 'auth0')
+ * @param customClaims - Resolved custom claims (already processed from static or callback config)
+ * @param expiresIn - Expiration time in seconds (default: 60)
+ * @param _event - H3Event for Nitro storage access (optional, currently unused)
+ *
+ * @example
+ * ```typescript
+ * await storeAuthCode('X7k9mP...', providerUserInfo, providerTokens, 'google', customClaims)
+ * ```
+ */
+export declare function storeAuthCode(code: string, providerUserInfo: Record<string, unknown>, providerTokens: {
+    access_token: string;
+    refresh_token?: string;
+    id_token?: string;
+    expires_in?: number;
+}, provider: string, customClaims: Record<string, unknown> | undefined, expiresIn?: number, // CS-4: Default 60 seconds
+_event?: H3Event): Promise<void>;
+/**
+ * Validate that an authorization code exists and has not expired
+ *
+ * @param code - The authorization code to validate
+ * @returns The auth code data if valid, null if invalid or expired
+ *
+ * @example
+ * ```typescript
+ * const data = await validateAuthCode('X7k9mP...')
+ * if (!data) {
+ *   throw new Error('Invalid or expired code')
+ * }
+ * ```
+ */
+export declare function validateAuthCode(code: string): Promise<AuthCodeData | null>;
+/**
+ * Retrieve and delete authorization code in a single atomic operation
+ * Immediately delete CODE after successful exchange for single-use enforcement
+ * Prevent CODE reuse by validating existence before deletion
+ * Ensure single-use only
+ * Delete CODE from store after validation
+ *
+ * @param code - The authorization code to retrieve and delete
+ * @returns The auth code data if valid, null if invalid, expired, or already used
+ *
+ * @example
+ * ```typescript
+ * const data = await retrieveAndDeleteAuthCode('X7k9mP...')
+ * if (!data) {
+ *   // Code was invalid, expired, or already used
+ *   throw new Error('Invalid authorization code')
+ * }
+ * // Code is valid and has been consumed (deleted)
+ * ```
+ */
+export declare function retrieveAndDeleteAuthCode(code: string): Promise<AuthCodeData | null>;
+/**
+ * Clean up expired authorization codes from storage
+ * Automatically remove expired CODEs
+ * Support automatic cleanup without blocking requests
+ * Automatic cleanup of expired CODEs
+ *
+ * This function should be called periodically to prevent memory buildup
+ * from expired codes that were never exchanged.
+ *
+ * @returns Number of codes cleaned up
+ *
+ * @example
+ * ```typescript
+ * // Run cleanup periodically
+ * const cleaned = await cleanupExpiredAuthCodes()
+ * console.log(`Cleaned up ${cleaned} expired codes`)
+ * ```
+ */
+export declare function cleanupExpiredAuthCodes(): Promise<number>;
+/**
+ * Get statistics about the authorization code store
+ * Useful for monitoring and debugging
+ *
+ * @returns Statistics object with total, expired, and valid code counts
+ *
+ * @example
+ * ```typescript
+ * const stats = await getAuthCodeStats()
+ * console.log(`Total: ${stats.total}, Valid: ${stats.valid}, Expired: ${stats.expired}`)
+ * ```
+ */
+export declare function getAuthCodeStats(): Promise<{
+    total: number;
+    valid: number;
+    expired: number;
+}>;