@peterbud/nuxt-aegis 1.1.0-alpha

package/dist/runtime/server/utils/jwt.js

@@ -0,0 +1,77 @@
+import { decodeJwt, jwtVerify, SignJWT } from "jose";
+import { filterReservedClaims, validateClaimTypes } from "./customClaims.js";
+import { createLogger } from "./logger.js";
+const logger = createLogger("JWT");
+function validateTokenSize(payload) {
+  if (process.env.NODE_ENV === "production") {
+    return;
+  }
+  const payloadString = JSON.stringify(payload);
+  const sizeInBytes = payloadString.length;
+  const thresholdBytes = 1024;
+  if (sizeInBytes > thresholdBytes) {
+    logger.warn(
+      `Token payload size (${sizeInBytes} bytes) exceeds recommended threshold (${thresholdBytes} bytes). Consider reducing the payload size by removing unnecessary claims or using references instead of large values. Large tokens can impact performance and may be rejected by some systems.`
+    );
+  }
+}
+export async function generateToken(payload, config, customClaims) {
+  if (!config.secret) {
+    throw new Error("Token secret is required");
+  }
+  const secret = new TextEncoder().encode(config.secret);
+  const expiresIn = config.expiresIn || "1h";
+  let safeClaims = {};
+  if (customClaims) {
+    const filtered = filterReservedClaims(customClaims);
+    safeClaims = validateClaimTypes(filtered);
+  }
+  const finalPayload = { ...payload, ...safeClaims };
+  validateTokenSize(finalPayload);
+  let jwt = new SignJWT(finalPayload).setProtectedHeader({ alg: config.algorithm || "HS256" }).setIssuedAt().setSubject(payload.sub);
+  if (config.issuer) {
+    jwt = jwt.setIssuer(config.issuer);
+  }
+  if (config.audience) {
+    jwt = jwt.setAudience(config.audience);
+  }
+  if (typeof expiresIn === "number") {
+    jwt = jwt.setExpirationTime(Math.floor(Date.now() / 1e3) + expiresIn);
+  } else {
+    jwt = jwt.setExpirationTime(expiresIn);
+  }
+  return await jwt.sign(secret);
+}
+export async function updateTokenWithClaims(token, claims, config) {
+  if (!config.secret) {
+    throw new Error("Token secret is required");
+  }
+  const secret = new TextEncoder().encode(config.secret);
+  const { payload } = await jwtVerify(token, secret);
+  const updatedPayload = {
+    ...payload,
+    ...claims,
+    sub: payload.sub
+  };
+  return await generateToken(updatedPayload, config);
+}
+export async function verifyToken(token, secret, checkExpiration = true) {
+  if (!token || !secret) {
+    return null;
+  }
+  try {
+    const secretKey = new TextEncoder().encode(secret);
+    if (checkExpiration) {
+      const { payload } = await jwtVerify(token, secretKey);
+      return payload;
+    } else {
+      const payload = decodeJwt(token);
+      const beforeExpiry = new Date((payload.exp || Date.now()) - 1e3);
+      await jwtVerify(token, secretKey, { currentDate: beforeExpiry });
+      return payload;
+    }
+  } catch {
+    logger.error("Token verification failed");
+    return null;
+  }
+}

package/dist/runtime/server/utils/logger.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Logger instance for consistent logging across server-side code
+ */
+export interface Logger {
+    debug: (message: string, ...args: unknown[]) => void;
+    info: (message: string, ...args: unknown[]) => void;
+    warn: (message: string, ...args: unknown[]) => void;
+    error: (message: string, ...args: unknown[]) => void;
+    security: (message: string, ...args: unknown[]) => void;
+}
+/**
+ * Create a logger instance with a specific context
+ * Respects the logging configuration from runtime config
+ *
+ * @param context - Context identifier for log messages (e.g., 'Auth', 'JWT', 'OAuth')
+ * @returns Logger instance with debug, info, warn, error, and security methods
+ */
+export declare function createLogger(context: string): Logger;

package/dist/runtime/server/utils/logger.js

@@ -0,0 +1,49 @@
+import { consola } from "consola";
+import { useRuntimeConfig } from "#imports";
+export function createLogger(context) {
+  const prefix = `[Nuxt Aegis][${context}]`;
+  const config = useRuntimeConfig();
+  const loggingConfig = config.nuxtAegis?.logging;
+  const level = loggingConfig?.level || "info";
+  if (level === "debug") {
+    consola.level = 4;
+  }
+  return {
+    debug: (message, ...args) => {
+      consola.debug(prefix, message, ...args);
+    },
+    info: (message, ...args) => {
+      const config2 = useRuntimeConfig();
+      const loggingConfig2 = config2.nuxtAegis?.logging;
+      const level2 = loggingConfig2?.level || "info";
+      if (level2 !== "silent" && level2 !== "error" && level2 !== "warn") {
+        consola.info(prefix, message, ...args);
+      }
+    },
+    warn: (message, ...args) => {
+      const config2 = useRuntimeConfig();
+      const loggingConfig2 = config2.nuxtAegis?.logging;
+      const level2 = loggingConfig2?.level || "info";
+      if (level2 !== "silent" && level2 !== "error") {
+        consola.warn(prefix, message, ...args);
+      }
+    },
+    error: (message, ...args) => {
+      const config2 = useRuntimeConfig();
+      const loggingConfig2 = config2.nuxtAegis?.logging;
+      const level2 = loggingConfig2?.level || "info";
+      if (level2 !== "silent") {
+        consola.error(prefix, message, ...args);
+      }
+    },
+    security: (message, ...args) => {
+      const config2 = useRuntimeConfig();
+      const loggingConfig2 = config2.nuxtAegis?.logging;
+      const level2 = loggingConfig2?.level || "info";
+      const securityEnabled = loggingConfig2?.security === true || level2 === "debug";
+      if (securityEnabled && level2 !== "silent") {
+        consola.warn(`[Nuxt Aegis Security][${context}]`, message, ...args);
+      }
+    }
+  };
+}

package/dist/runtime/server/utils/magicCodeStore.d.ts

@@ -0,0 +1,27 @@
+export interface MagicCodeData {
+    email: string;
+    type: 'register' | 'login' | 'reset';
+    hashedPassword?: string;
+    attempts: number;
+    maxAttempts: number;
+    createdAt: number;
+    expiresAt: number;
+    [key: string]: unknown;
+}
+/**
+ * Generate a 6-digit magic code
+ */
+export declare function generateMagicCode(): string;
+/**
+ * Store a magic code
+ */
+export declare function storeMagicCode(email: string, type: 'register' | 'login' | 'reset', data: Omit<MagicCodeData, 'attempts' | 'createdAt' | 'expiresAt' | 'email' | 'type'>, ttl?: number, // 10 minutes
+maxAttempts?: number): Promise<string>;
+/**
+ * Validate and increment attempts for a magic code
+ */
+export declare function validateAndIncrementAttempts(code: string): Promise<MagicCodeData | null>;
+/**
+ * Retrieve and delete a magic code
+ */
+export declare function retrieveAndDeleteMagicCode(code: string): Promise<MagicCodeData | null>;

package/dist/runtime/server/utils/magicCodeStore.js

@@ -0,0 +1,66 @@
+import { randomInt } from "node:crypto";
+import { useStorage } from "#imports";
+import { createLogger } from "./logger.js";
+const logger = createLogger("MagicCode");
+export function generateMagicCode() {
+  return randomInt(1e5, 999999).toString();
+}
+export async function storeMagicCode(email, type, data, ttl = 600, maxAttempts = 5) {
+  const storage = useStorage();
+  const normalizedEmail = email.toLowerCase();
+  const code = generateMagicCode();
+  const now = Date.now();
+  const lookupKey = `magic-lookup:${normalizedEmail}:${type}`;
+  const existingCode = await storage.getItem(lookupKey);
+  if (existingCode) {
+    await storage.removeItem(`magic:${existingCode}`);
+  }
+  const magicCodeData = {
+    ...data,
+    email: normalizedEmail,
+    type,
+    attempts: 0,
+    maxAttempts,
+    createdAt: now,
+    expiresAt: now + ttl * 1e3
+  };
+  await storage.setItem(`magic:${code}`, magicCodeData);
+  await storage.setItem(lookupKey, code);
+  logger.debug(`Magic code stored for ${normalizedEmail} (${type})`);
+  return code;
+}
+export async function validateAndIncrementAttempts(code) {
+  const storage = useStorage();
+  const key = `magic:${code}`;
+  const data = await storage.getItem(key);
+  if (!data) {
+    return null;
+  }
+  if (Date.now() > data.expiresAt) {
+    await storage.removeItem(key);
+    const lookupKey = `magic-lookup:${data.email}:${data.type}`;
+    await storage.removeItem(lookupKey);
+    return null;
+  }
+  if (data.attempts >= data.maxAttempts) {
+    await storage.removeItem(key);
+    const lookupKey = `magic-lookup:${data.email}:${data.type}`;
+    await storage.removeItem(lookupKey);
+    return null;
+  }
+  data.attempts++;
+  await storage.setItem(key, data);
+  return data;
+}
+export async function retrieveAndDeleteMagicCode(code) {
+  const storage = useStorage();
+  const key = `magic:${code}`;
+  const data = await storage.getItem(key);
+  if (!data) {
+    return null;
+  }
+  await storage.removeItem(key);
+  const lookupKey = `magic-lookup:${data.email}:${data.type}`;
+  await storage.removeItem(lookupKey);
+  return data;
+}

package/dist/runtime/server/utils/mockCodeStore.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Mock Authorization Code Storage
+ *
+ * Simulates OAuth provider's authorization code storage and validation.
+ * This is NOT the Aegis authorization CODE - this simulates the provider's code.
+ *
+ * Stores temporary authorization codes that are:
+ * - Single-use (deleted after exchange)
+ * - Short-lived (expire after 60 seconds)
+ * - Associated with selected user persona
+ *
+ * DEVELOPMENT/TEST ONLY - Not available in production
+ */
+interface MockAuthCode {
+    code: string;
+    /** Selected user persona identifier from mockUsers config */
+    userId: string;
+    clientId: string;
+    redirectUri: string;
+    createdAt: number;
+    expiresAt: number;
+}
+/**
+ * Generate a cryptographically random mock authorization code
+ */
+export declare function generateMockCode(): string;
+/**
+ * Store a mock authorization code with expiration
+ *
+ * @param data - Code data object
+ * @param data.code - Authorization code string
+ * @param data.userId - User persona identifier
+ * @param data.clientId - OAuth client ID
+ * @param data.redirectUri - OAuth redirect URI
+ */
+export declare function storeMockCode(data: {
+    code: string;
+    userId: string;
+    clientId: string;
+    redirectUri: string;
+}): void;
+/**
+ * Retrieve and delete a mock authorization code (single-use enforcement)
+ *
+ * @param code - Authorization code to retrieve
+ * @returns Code data if valid and not expired, null otherwise
+ */
+export declare function retrieveAndDeleteMockCode(code: string): MockAuthCode | null;
+/**
+ * Cleanup expired mock codes (maintenance)
+ *
+ * @returns Number of codes cleaned up
+ */
+export declare function cleanupExpiredMockCodes(): number;
+/**
+ * Get count of active mock codes (for debugging)
+ */
+export declare function getMockCodeCount(): number;
+/**
+ * Clear all mock codes (for testing)
+ */
+export declare function clearAllMockCodes(): void;
+/**
+ * Store a mock access token with user mapping
+ * Allows userinfo endpoint to retrieve the correct user
+ *
+ * @param token - Access token string
+ * @param userId - User persona identifier
+ */
+export declare function storeMockToken(token: string, userId: string): void;
+/**
+ * Get user ID for a mock access token
+ *
+ * @param token - Access token string
+ * @returns User persona identifier or null if token not found
+ */
+export declare function getUserForMockToken(token: string): string | null;
+/**
+ * Clear expired mock tokens (maintenance)
+ * Tokens older than 2 hours are removed
+ *
+ * @returns Number of tokens cleaned up
+ */
+export declare function cleanupExpiredMockTokens(): number;
+/**
+ * Clear all mock tokens (for testing)
+ */
+export declare function clearAllMockTokens(): void;
+export {};

package/dist/runtime/server/utils/mockCodeStore.js

@@ -0,0 +1,71 @@
+const mockCodes = /* @__PURE__ */ new Map();
+const mockTokens = /* @__PURE__ */ new Map();
+export function generateMockCode() {
+  const randomBytes = crypto.getRandomValues(new Uint8Array(16));
+  const randomHex = Array.from(randomBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `mock_code_${randomHex}_${Date.now()}`;
+}
+export function storeMockCode(data) {
+  const now = Date.now();
+  mockCodes.set(data.code, {
+    ...data,
+    createdAt: now,
+    expiresAt: now + 6e4
+    // 60 seconds - standard OAuth code lifetime
+  });
+}
+export function retrieveAndDeleteMockCode(code) {
+  const codeData = mockCodes.get(code);
+  if (!codeData) {
+    return null;
+  }
+  if (Date.now() > codeData.expiresAt) {
+    mockCodes.delete(code);
+    return null;
+  }
+  mockCodes.delete(code);
+  return codeData;
+}
+export function cleanupExpiredMockCodes() {
+  const now = Date.now();
+  let cleaned = 0;
+  for (const [code, data] of mockCodes.entries()) {
+    if (now > data.expiresAt) {
+      mockCodes.delete(code);
+      cleaned++;
+    }
+  }
+  return cleaned;
+}
+export function getMockCodeCount() {
+  return mockCodes.size;
+}
+export function clearAllMockCodes() {
+  mockCodes.clear();
+}
+export function storeMockToken(token, userId) {
+  mockTokens.set(token, {
+    token,
+    userId,
+    createdAt: Date.now()
+  });
+}
+export function getUserForMockToken(token) {
+  const tokenData = mockTokens.get(token);
+  return tokenData?.userId || null;
+}
+export function cleanupExpiredMockTokens() {
+  const now = Date.now();
+  const maxAge = 2 * 60 * 60 * 1e3;
+  let cleaned = 0;
+  for (const [token, data] of mockTokens.entries()) {
+    if (now - data.createdAt > maxAge) {
+      mockTokens.delete(token);
+      cleaned++;
+    }
+  }
+  return cleaned;
+}
+export function clearAllMockTokens() {
+  mockTokens.clear();
+}

package/dist/runtime/server/utils/password.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Normalize email address
+ */
+export declare function normalizeEmail(email: string): string;
+/**
+ * Validate email format
+ */
+export declare function validateEmailFormat(email: string): {
+    valid: boolean;
+    error?: string;
+};
+/**
+ * Hash a password using scrypt
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify a password against a hash
+ */
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+/**
+ * Validate password strength
+ */
+export declare function validatePasswordStrength(password: string, policy?: {
+    minLength?: number;
+    requireUppercase?: boolean;
+    requireLowercase?: boolean;
+    requireNumber?: boolean;
+    requireSpecial?: boolean;
+}): boolean | string[];
+/**
+ * Obfuscate magic code for logging
+ */
+export declare function obfuscateMagicCode(code: string): string;

package/dist/runtime/server/utils/password.js

@@ -0,0 +1,48 @@
+import { scrypt, randomBytes, timingSafeEqual } from "node:crypto";
+import { promisify } from "node:util";
+const scryptAsync = promisify(scrypt);
+export function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+export function validateEmailFormat(email) {
+  const emailRegex = /^[^\s@]+@[^\s@][^\s.@]*\.[^\s@]+$/;
+  if (!emailRegex.test(email)) {
+    return { valid: false, error: "Invalid email format" };
+  }
+  return { valid: true };
+}
+export async function hashPassword(password) {
+  const salt = randomBytes(16).toString("hex");
+  const derivedKey = await scryptAsync(password, salt, 64);
+  return `${salt}:${derivedKey.toString("hex")}`;
+}
+export async function verifyPassword(password, hash) {
+  const [salt, key] = hash.split(":");
+  if (!salt || !key) return false;
+  const keyBuffer = Buffer.from(key, "hex");
+  const derivedKey = await scryptAsync(password, salt, 64);
+  return timingSafeEqual(keyBuffer, derivedKey);
+}
+export function validatePasswordStrength(password, policy = {}) {
+  const errors = [];
+  const minLength = policy.minLength ?? 8;
+  if (password.length < minLength) {
+    errors.push(`Password must be at least ${minLength} characters long`);
+  }
+  if (policy.requireUppercase && !/[A-Z]/.test(password)) {
+    errors.push("Password must contain at least one uppercase letter");
+  }
+  if (policy.requireLowercase && !/[a-z]/.test(password)) {
+    errors.push("Password must contain at least one lowercase letter");
+  }
+  if (policy.requireNumber && !/\d/.test(password)) {
+    errors.push("Password must contain at least one number");
+  }
+  if (policy.requireSpecial && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+    errors.push("Password must contain at least one special character");
+  }
+  return errors.length === 0 ? true : errors;
+}
+export function obfuscateMagicCode(code) {
+  return code.slice(-2).padStart(code.length, "*");
+}

package/dist/runtime/server/utils/refreshToken.d.ts

@@ -0,0 +1,74 @@
+import type { H3Event } from 'h3';
+import type { RefreshTokenData, TokenRefreshConfig, EncryptionConfig } from '../../types/index.js';
+/**
+ * Hash a refresh token using SHA-256
+ * @param token - The refresh token to hash
+ * @returns The hashed token as a hex string
+ */
+export declare function hashRefreshToken(token: string): string;
+/**
+ * Encrypt data using AES-256-GCM
+ * @param data - Data to encrypt
+ * @param key - Encryption key (must be 32 bytes for AES-256)
+ * @returns Encrypted data as base64 string with IV prepended
+ */
+export declare function encryptData(data: unknown, key: string): string;
+/**
+ * Decrypt data using AES-256-GCM
+ * @param encrypted - Encrypted data as base64 string
+ * @param key - Encryption key (must be 32 bytes for AES-256)
+ * @returns Decrypted data
+ */
+export declare function decryptData(encrypted: string, key: string): unknown;
+/**
+ * Get encryption config from runtime config
+ * @param event - H3 event (optional, for server context)
+ * @returns Encryption configuration
+ */
+export declare function getEncryptionConfig(event?: H3Event): EncryptionConfig;
+/**
+ * Store refresh token data in persistent storage
+ * Handles encryption transparently if enabled
+ * @param tokenHash - Hashed refresh token (used as storage key)
+ * @param data - Refresh token data to store
+ * @param event - H3 event for runtime config access
+ */
+export declare function storeRefreshTokenData(tokenHash: string, data: RefreshTokenData, event?: H3Event): Promise<void>;
+/**
+ * Retrieve refresh token data from persistent storage
+ * Handles decryption transparently if enabled
+ * @param tokenHash - Hashed refresh token (storage key)
+ * @param event - H3 event for runtime config access
+ * @returns Refresh token data or null if not found
+ */
+export declare function getRefreshTokenData(tokenHash: string, event?: H3Event): Promise<RefreshTokenData | null>;
+/**
+ * Delete refresh token data from storage
+ * @param tokenHash - Hashed refresh token (storage key)
+ */
+export declare function deleteRefreshTokenData(tokenHash: string): Promise<void>;
+/**
+ * Revoke a refresh token (mark as revoked without deleting)
+ * @param tokenHash - Hashed refresh token (storage key)
+ * @param event - H3 event for runtime config access
+ */
+export declare function revokeRefreshToken(tokenHash: string, event?: H3Event): Promise<void>;
+/**
+ * Generates a refresh token and stores it with user data
+ *
+ * @param providerUserInfo - Complete OAuth provider user data
+ * @param provider - Provider name (e.g., 'google', 'github', 'microsoft', 'auth0')
+ * @param config - Token refresh configuration
+ * @param previousTokenHash - Hash of previous refresh token for rotation tracking
+ * @param event - H3Event for Nitro storage access
+ * @returns The generated refresh token string
+ */
+export declare function generateAndStoreRefreshToken(providerUserInfo: Record<string, unknown>, provider: string, config: TokenRefreshConfig, previousTokenHash?: string, event?: H3Event): Promise<string | undefined>;
+/**
+ * Delete all refresh tokens for a specific user
+ * Used during password change or account deletion
+ * @param email - User email to match
+ * @param exceptTokenHash - Optional token hash to preserve (e.g. current session)
+ * @param event - H3 event for runtime config access
+ */
+export declare function deleteUserRefreshTokens(email: string, exceptTokenHash?: string, event?: H3Event): Promise<void>;

package/dist/runtime/server/utils/refreshToken.js

@@ -0,0 +1,108 @@
+import { createHash, createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { useStorage, useRuntimeConfig } from "#imports";
+export function hashRefreshToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+export function encryptData(data, key) {
+  const keyBuffer = Buffer.from(key.padEnd(32, "0").slice(0, 32));
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", keyBuffer, iv);
+  const jsonData = JSON.stringify(data);
+  let encrypted = cipher.update(jsonData, "utf8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([
+    iv,
+    authTag,
+    Buffer.from(encrypted, "base64")
+  ]);
+  return combined.toString("base64");
+}
+export function decryptData(encrypted, key) {
+  try {
+    const keyBuffer = Buffer.from(key.padEnd(32, "0").slice(0, 32));
+    const combined = Buffer.from(encrypted, "base64");
+    const iv = combined.subarray(0, 12);
+    const authTag = combined.subarray(12, 28);
+    const encryptedData = combined.subarray(28);
+    const decipher = createDecipheriv("aes-256-gcm", keyBuffer, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedData.toString("base64"), "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    return JSON.parse(decrypted);
+  } catch {
+    throw new Error("Failed to decrypt data");
+  }
+}
+export function getEncryptionConfig(event) {
+  const config = event ? useRuntimeConfig(event) : useRuntimeConfig();
+  return config.nuxtAegis?.tokenRefresh?.encryption || { enabled: false };
+}
+export async function storeRefreshTokenData(tokenHash, data, event) {
+  const encryptionConfig = getEncryptionConfig(event);
+  let dataToStore;
+  if (encryptionConfig.enabled) {
+    if (!encryptionConfig.key) {
+      throw new Error("[Nuxt Aegis] Encryption is enabled but no encryption key is configured");
+    }
+    const encrypted = encryptData(data, encryptionConfig.key);
+    dataToStore = { encrypted };
+  } else {
+    dataToStore = data;
+  }
+  await useStorage("refreshTokenStore").setItem(`${tokenHash}`, dataToStore);
+}
+export async function getRefreshTokenData(tokenHash, event) {
+  const encryptionConfig = getEncryptionConfig(event);
+  const storedData = await useStorage("refreshTokenStore").getItem(`${tokenHash}`);
+  if (!storedData) {
+    return null;
+  }
+  if ("encrypted" in storedData && typeof storedData.encrypted === "string") {
+    if (!encryptionConfig.key) {
+      throw new Error("[Nuxt Aegis] Data is encrypted but no encryption key is configured");
+    }
+    return decryptData(storedData.encrypted, encryptionConfig.key);
+  }
+  return storedData;
+}
+export async function deleteRefreshTokenData(tokenHash) {
+  await useStorage("refreshTokenStore").removeItem(`${tokenHash}`);
+}
+export async function revokeRefreshToken(tokenHash, event) {
+  const data = await getRefreshTokenData(tokenHash, event);
+  if (!data) {
+    return;
+  }
+  data.isRevoked = true;
+  await storeRefreshTokenData(tokenHash, data, event);
+}
+export async function generateAndStoreRefreshToken(providerUserInfo, provider, config, previousTokenHash, event) {
+  const refreshToken = randomBytes(32).toString("base64url");
+  const expiresIn = config.cookie?.maxAge || 604800;
+  await storeRefreshTokenData(hashRefreshToken(refreshToken), {
+    sub: String(providerUserInfo.sub || providerUserInfo.email || providerUserInfo.id || ""),
+    expiresAt: Date.now() + expiresIn * 1e3,
+    isRevoked: false,
+    previousTokenHash,
+    providerUserInfo,
+    // Store complete OAuth provider user data
+    provider
+    // Store provider name for custom claims refresh
+  }, event);
+  return refreshToken;
+}
+export async function deleteUserRefreshTokens(email, exceptTokenHash, event) {
+  const storage = useStorage("refreshTokenStore");
+  const keys = await storage.getKeys();
+  const normalizedEmail = email.toLowerCase();
+  for (const key of keys) {
+    if (key === exceptTokenHash) continue;
+    const data = await getRefreshTokenData(key, event);
+    if (!data) continue;
+    const userEmail = data.providerUserInfo?.email?.toLowerCase();
+    if (userEmail === normalizedEmail) {
+      await deleteRefreshTokenData(key);
+    }
+  }
+}

package/dist/runtime/server/utils/resetSessionStore.d.ts

@@ -0,0 +1,12 @@
+export interface ResetSessionData {
+    email: string;
+    expiresAt: number;
+}
+/**
+ * Create a password reset session
+ */
+export declare function createResetSession(email: string, ttl?: number): Promise<string>;
+/**
+ * Validate and delete a password reset session
+ */
+export declare function validateAndDeleteResetSession(sessionId: string): Promise<string | null>;