@schemavaults/auth-server-sdk 0.22.80 → 0.22.82

package/dist/cli.cjs

@@ -89,7 +89,7 @@ var init_resolve_codegen_templates_directory = __esm({
 
 // src/NextjsAppDirectoryPlugin/codegen-marker.ts
 function getCodegenMarkerComment() {
-  const version = true ? "0.22.80" : "unknown";
+  const version = true ? "0.22.82" : "unknown";
   return `${CODEGEN_MARKER_PREFIX}${version}`;
 }
 function hasCodegenMarker(firstLine) {
@@ -331,7 +331,7 @@ async function main() {
     return;
   }
   if (args.includes("--version") || args.includes("-v")) {
-    console.log(`${PACKAGE_NAME}@${"0.22.80"}`);
+    console.log(`${PACKAGE_NAME}@${"0.22.82"}`);
     return;
   }
   const command = args.find((arg) => !arg.startsWith("-")) ?? "codegen";

package/dist/route_guards/route-guard-factory.d.ts

@@ -3,14 +3,59 @@ import type { InitRouteGuardCheckOptions } from "./init_route_guard_check_option
 import type { PotentiallyValidTokenSource } from "@schemavaults/auth-common";
 import { type ApiServerId, type SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
 import { type IJwtKeyManager } from "../JwtKeyManager";
+/**
+ * Constructor options for {@link RouteGuardFactory}.
+ */
 export interface RouteGuardFactoryInitOptions {
+    /**
+     * The deployment environment (e.g. `development`, `staging`, `production`)
+     * the factory is operating in. Used to validate the `iss`/audience of
+     * incoming JWTs against the expected auth server for that environment.
+     */
     environment: SchemaVaultsAppEnvironment;
+    /**
+     * The JWT key manager used to fetch the signing keys needed to verify
+     * tokens.
+     *
+     * - **Required** when {@link RouteGuardFactoryInitOptions.is_auth_server} is
+     *   `true` (the auth server must supply its own local key manager).
+     * - **Optional** for resource servers: when omitted, a
+     *   {@link RemoteJwtKeyManager} is created that loads keys remotely from the
+     *   auth server (resolved via `getSchemaVaultsAuthServerUri()`).
+     */
     jwt_keys_manager?: IJwtKeyManager;
+    /**
+     * Set to `true` only when this factory runs inside the auth server itself.
+     * When `true`, a {@link RouteGuardFactoryInitOptions.jwt_keys_manager} must
+     * be provided. Defaults to `false` (i.e. a remote resource server).
+     */
     is_auth_server?: boolean;
+    /**
+     * When `true`, the factory and the guards it creates emit verbose
+     * `console.log` diagnostics. Defaults to `false`.
+     */
     debug?: boolean;
 }
 declare const GUARD_TYPES: readonly ["authenticated", "admin"];
 type RouteGuardType = (typeof GUARD_TYPES)[number];
+/**
+ * Factory for constructing {@link IRouteGuard} instances that protect API
+ * routes and server components.
+ *
+ * A guard verifies the caller's identity (and, depending on the guard type,
+ * their privileges) before a protected handler runs. The factory exposes
+ * several entry points depending on what you already have in hand:
+ *
+ * - {@link RouteGuardFactory.createGuardFromOptions} — you already have a
+ *   decoded user (no token verification performed).
+ * - {@link RouteGuardFactory.createGuardFromTokenSources} — you have one or
+ *   more raw tokens to verify.
+ * - {@link RouteGuardFactory.createGuardFromAuthHeader} — you have a raw HTTP
+ *   `Authorization` header value to parse and verify.
+ *
+ * Guard types currently supported: `"authenticated"` (any signed-in user) and
+ * `"admin"` (signed-in users with admin privileges).
+ */
 export declare class RouteGuardFactory {
     private readonly jwt_keys_manager;
     private readonly environment;
@@ -18,9 +63,79 @@ export declare class RouteGuardFactory {
     private readonly is_auth_server;
     constructor({ environment, ...opts }: RouteGuardFactoryInitOptions);
     private static isValidRouteGuardType;
+    /**
+     * Construct a guard directly from an already-resolved user/options object,
+     * without performing any token verification.
+     *
+     * Prefer {@link RouteGuardFactory.createGuardFromTokenSources} or
+     * {@link RouteGuardFactory.createGuardFromAuthHeader} unless you have already
+     * decoded and trust the user yourself.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param opts - The resolved check options (notably the decoded `user`).
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `type` is not a recognized guard type.
+     */
     static createGuardFromOptions(type: RouteGuardType, opts: InitRouteGuardCheckOptions): IRouteGuard;
+    /**
+     * Instance-level convenience wrapper around the static
+     * {@link RouteGuardFactory.createGuardFromOptions}.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param opts - The resolved check options (notably the decoded `user`).
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `type` is not a recognized guard type.
+     */
     createGuardFromOptions(type: RouteGuardType, opts: InitRouteGuardCheckOptions): IRouteGuard;
+    /**
+     * Verify one or more raw tokens and, on success, construct the requested
+     * guard for the decoded user.
+     *
+     * Each entry in `token_sources` is a candidate token (e.g. an access token
+     * pulled from a header or cookie); they are decoded/verified via the
+     * configured JWT key manager and the first valid one resolves the user.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param token_sources - Candidate tokens to verify. Pass the **raw token
+     *   strings only** — do not include a `"Bearer "` prefix here (see
+     *   {@link RouteGuardFactory.createGuardFromAuthHeader} if you have a full
+     *   `Authorization` header).
+     * @param jwt_audience - The expected JWT audience (`aud`), i.e. the
+     *   {@link ApiServerId} of the resource server the token must be scoped to.
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {TypeError} If `jwt_audience` is not a valid API server ID.
+     * @throws {Error} If no JWT key manager is available, or none of the tokens
+     *   verify successfully.
+     */
     createGuardFromTokenSources(type: RouteGuardType, token_sources: readonly PotentiallyValidTokenSource[], jwt_audience: ApiServerId): Promise<IRouteGuard>;
+    /**
+     * Parse a raw HTTP `Authorization` header, verify the bearer token it
+     * carries, and construct the requested guard for the decoded user.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param authHeader - The **full `Authorization` header value, including the
+     *   `"Bearer "` prefix** — e.g. `"Bearer eyJhbGci..."`, exactly as read from
+     *   `request.headers.get("authorization")`. The prefix is stripped
+     *   internally before the token is verified; passing a bare token (without
+     *   the prefix) will throw. `null` is accepted (and rejected) so callers can
+     *   forward a missing header directly.
+     * @param jwt_audience - The expected JWT audience (`aud`), i.e. the
+     *   {@link ApiServerId} of the resource server the token must be scoped to.
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `authHeader` is missing/empty or does not start with the
+     *   `"Bearer "` prefix.
+     * @throws {Error} If the extracted token fails verification (propagated from
+     *   {@link RouteGuardFactory.createGuardFromTokenSources}).
+     *
+     * @example
+     * ```ts
+     * const guard = await factory.createGuardFromAuthHeader(
+     *   "authenticated",
+     *   request.headers.get("authorization"), // "Bearer eyJ..."
+     *   "my-api-server-id",
+     * );
+     * ```
+     */
     createGuardFromAuthHeader(type: RouteGuardType, authHeader: string | null, jwt_audience: string): Promise<IRouteGuard>;
 }
 export default RouteGuardFactory;

package/dist/route_guards/route-guard-factory.js

@@ -17,6 +17,24 @@ const GUARDS = {
     authenticated: (opts) => new AuthenticationRequiredRouteGuard(opts),
     admin: (opts) => new AdminRequiredRouteGuard(opts),
 };
+/**
+ * Factory for constructing {@link IRouteGuard} instances that protect API
+ * routes and server components.
+ *
+ * A guard verifies the caller's identity (and, depending on the guard type,
+ * their privileges) before a protected handler runs. The factory exposes
+ * several entry points depending on what you already have in hand:
+ *
+ * - {@link RouteGuardFactory.createGuardFromOptions} — you already have a
+ *   decoded user (no token verification performed).
+ * - {@link RouteGuardFactory.createGuardFromTokenSources} — you have one or
+ *   more raw tokens to verify.
+ * - {@link RouteGuardFactory.createGuardFromAuthHeader} — you have a raw HTTP
+ *   `Authorization` header value to parse and verify.
+ *
+ * Guard types currently supported: `"authenticated"` (any signed-in user) and
+ * `"admin"` (signed-in users with admin privileges).
+ */
 export class RouteGuardFactory {
     jwt_keys_manager;
     environment;
@@ -54,6 +72,19 @@ export class RouteGuardFactory {
             return false;
         return validGuardTypeSchema.safeParse(type).success;
     }
+    /**
+     * Construct a guard directly from an already-resolved user/options object,
+     * without performing any token verification.
+     *
+     * Prefer {@link RouteGuardFactory.createGuardFromTokenSources} or
+     * {@link RouteGuardFactory.createGuardFromAuthHeader} unless you have already
+     * decoded and trust the user yourself.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param opts - The resolved check options (notably the decoded `user`).
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `type` is not a recognized guard type.
+     */
     static createGuardFromOptions(type, opts) {
         if (!RouteGuardFactory.isValidRouteGuardType(type)) {
             throw new Error(`Invalid route guard type, should be one of: ${GUARD_TYPES.join(", ")}`);
@@ -62,9 +93,38 @@ export class RouteGuardFactory {
         const GUARD = GUARD_LOADER(opts);
         return GUARD;
     }
+    /**
+     * Instance-level convenience wrapper around the static
+     * {@link RouteGuardFactory.createGuardFromOptions}.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param opts - The resolved check options (notably the decoded `user`).
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `type` is not a recognized guard type.
+     */
     createGuardFromOptions(type, opts) {
         return RouteGuardFactory.createGuardFromOptions(type, opts);
     }
+    /**
+     * Verify one or more raw tokens and, on success, construct the requested
+     * guard for the decoded user.
+     *
+     * Each entry in `token_sources` is a candidate token (e.g. an access token
+     * pulled from a header or cookie); they are decoded/verified via the
+     * configured JWT key manager and the first valid one resolves the user.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param token_sources - Candidate tokens to verify. Pass the **raw token
+     *   strings only** — do not include a `"Bearer "` prefix here (see
+     *   {@link RouteGuardFactory.createGuardFromAuthHeader} if you have a full
+     *   `Authorization` header).
+     * @param jwt_audience - The expected JWT audience (`aud`), i.e. the
+     *   {@link ApiServerId} of the resource server the token must be scoped to.
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {TypeError} If `jwt_audience` is not a valid API server ID.
+     * @throws {Error} If no JWT key manager is available, or none of the tokens
+     *   verify successfully.
+     */
     async createGuardFromTokenSources(type, token_sources, jwt_audience) {
         if (this.debug) {
             console.log(`[RouteGuardFactory] Initializing route guard from token sources: `, token_sources);
@@ -85,6 +145,34 @@ export class RouteGuardFactory {
         }
         return this.createGuardFromOptions(type, init_opts);
     }
+    /**
+     * Parse a raw HTTP `Authorization` header, verify the bearer token it
+     * carries, and construct the requested guard for the decoded user.
+     *
+     * @param type - Which guard to build: `"authenticated"` or `"admin"`.
+     * @param authHeader - The **full `Authorization` header value, including the
+     *   `"Bearer "` prefix** — e.g. `"Bearer eyJhbGci..."`, exactly as read from
+     *   `request.headers.get("authorization")`. The prefix is stripped
+     *   internally before the token is verified; passing a bare token (without
+     *   the prefix) will throw. `null` is accepted (and rejected) so callers can
+     *   forward a missing header directly.
+     * @param jwt_audience - The expected JWT audience (`aud`), i.e. the
+     *   {@link ApiServerId} of the resource server the token must be scoped to.
+     * @returns The constructed {@link IRouteGuard}.
+     * @throws {Error} If `authHeader` is missing/empty or does not start with the
+     *   `"Bearer "` prefix.
+     * @throws {Error} If the extracted token fails verification (propagated from
+     *   {@link RouteGuardFactory.createGuardFromTokenSources}).
+     *
+     * @example
+     * ```ts
+     * const guard = await factory.createGuardFromAuthHeader(
+     *   "authenticated",
+     *   request.headers.get("authorization"), // "Bearer eyJ..."
+     *   "my-api-server-id",
+     * );
+     * ```
+     */
     async createGuardFromAuthHeader(type, authHeader, jwt_audience) {
         if (!authHeader || typeof authHeader !== "string") {
             throw new Error("No auth header found");

package/dist/route_guards/route-guard-factory.js.map

@@ -1 +1 @@
-{"version":3,"file":"route-guard-factory.js","sourceRoot":"","sources":["../../src/route_guards/route-guard-factory.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAEzB,OAAO,uBAAuB,MAAM,SAAS,CAAC;AAC9C,OAAO,gCAAgC,MAAM,iBAAiB,CAAC;AAE/D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAEL,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAuB,MAAM,iBAAiB,CAAC;AAC3E,OAAO,4BAA4B,MAAM,wCAAwC,CAAC;AAClF,OAAO,wBAAwB,MAAM,gCAAgC,CAAC;AAStE,MAAM,WAAW,GAAG;IAClB,eAAe;IACf,OAAO;CAC6B,CAAC;AAGvC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,GAAG,EAAyB,EAAE;IAC5E,OACE,WACD,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,MAAM,MAAM,GAAG;IACb,aAAa,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,gCAAgC,CAAC,IAAI,CAAC;IACnE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC;CAInD,CAAC;AAEF,MAAM,OAAO,iBAAiB;IACX,gBAAgB,CAAiB;IACjC,WAAW,CAA6B;IACxC,KAAK,CAAU;IACf,cAAc,CAAU;IAEzC,YAAmB,EAAE,WAAW,EAAE,GAAG,IAAI,EAAgC;QACvE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;QACjC,IACE,OAAO,IAAI,CAAC,cAAc,KAAK,SAAS;YACxC,OAAO,IAAI,CAAC,cAAc,KAAK,WAAW,EAC1C,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,KAAK,CAAC;QAEnD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,8EAA8E,CAC/E,CAAC;YACJ,CAAC;YACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CACT,mHAAmH,CACpH,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,gBAAgB,GAAG,IAAI,mBAAmB,CAAC;gBAC9C,eAAe,EAAE,4BAA4B,EAAE;gBAC/C,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,qBAAqB,CAAC,IAAa;QAChD,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC3C,OAAO,oBAAoB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;IACtD,CAAC;IAEM,MAAM,CAAC,sBAAsB,CAClC,IAAoB,EACpB,IAAgC;QAEhC,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,KAAK,GAAgB,YAAY,CAAC,IAAI,CAAC,CAAC;QAE9C,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,sBAAsB,CAC3B,IAAoB,EACpB,IAAgC;QAEhC,OAAO,iBAAiB,CAAC,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IAEM,KAAK,CAAC,2BAA2B,CACtC,IAAoB,EACpB,aAAqD,EACrD,YAAyB;QAEzB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,mEAAmE,EACnE,aAAa,CACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,YAA6B,CAAC,CAAC,OAAO,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CACjB,6CAA6C,YAAY,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,wBAAwB,CAC7C,IAAI,CAAC,gBAAgB,EACrB,aAAa,EACb,YAAY,EACZ,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,KAAK,CACX,CAAC;QAEF,MAAM,SAAS,GAA+B;YAC5C,IAAI;YACJ,WAAW,EAAE,iBAAiB,EAAE;SACjC,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,8DAA8D,EAC9D,SAAS,CACV,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,SAAS,CAAuB,CAAC;IAC5E,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,IAAoB,EACpB,UAAyB,EACzB,YAAoB;QAEpB,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,YAAY,GAAG,SAAkB,CAAC;QACxC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,KAAK,GAAW,UAAU,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE5D,OAAO,MAAM,IAAI,CAAC,2BAA2B,CAC3C,IAAI,EACJ;YACE;gBACE,UAAU,EAAE,0BAA0B;gBACtC,KAAK;gBACL,IAAI,EAAE,QAAQ;aACf;SACF,EACD,YAAY,CACb,CAAC;IACJ,CAAC;CACF;AAED,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"route-guard-factory.js","sourceRoot":"","sources":["../../src/route_guards/route-guard-factory.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAEzB,OAAO,uBAAuB,MAAM,SAAS,CAAC;AAC9C,OAAO,gCAAgC,MAAM,iBAAiB,CAAC;AAE/D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAEL,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAuB,MAAM,iBAAiB,CAAC;AAC3E,OAAO,4BAA4B,MAAM,wCAAwC,CAAC;AAClF,OAAO,wBAAwB,MAAM,gCAAgC,CAAC;AAoCtE,MAAM,WAAW,GAAG;IAClB,eAAe;IACf,OAAO;CAC6B,CAAC;AAGvC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,GAAG,EAAyB,EAAE;IAC5E,OACE,WACD,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,MAAM,MAAM,GAAG;IACb,aAAa,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,gCAAgC,CAAC,IAAI,CAAC;IACnE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC;CAInD,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,iBAAiB;IACX,gBAAgB,CAAiB;IACjC,WAAW,CAA6B;IACxC,KAAK,CAAU;IACf,cAAc,CAAU;IAEzC,YAAmB,EAAE,WAAW,EAAE,GAAG,IAAI,EAAgC;QACvE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;QACjC,IACE,OAAO,IAAI,CAAC,cAAc,KAAK,SAAS;YACxC,OAAO,IAAI,CAAC,cAAc,KAAK,WAAW,EAC1C,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,KAAK,CAAC;QAEnD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,8EAA8E,CAC/E,CAAC;YACJ,CAAC;YACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CACT,mHAAmH,CACpH,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,gBAAgB,GAAG,IAAI,mBAAmB,CAAC;gBAC9C,eAAe,EAAE,4BAA4B,EAAE;gBAC/C,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,qBAAqB,CAAC,IAAa;QAChD,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC3C,OAAO,oBAAoB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;IACtD,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,MAAM,CAAC,sBAAsB,CAClC,IAAoB,EACpB,IAAgC;QAEhC,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,KAAK,GAAgB,YAAY,CAAC,IAAI,CAAC,CAAC;QAE9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACI,sBAAsB,CAC3B,IAAoB,EACpB,IAAgC;QAEhC,OAAO,iBAAiB,CAAC,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACI,KAAK,CAAC,2BAA2B,CACtC,IAAoB,EACpB,aAAqD,EACrD,YAAyB;QAEzB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,mEAAmE,EACnE,aAAa,CACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,YAA6B,CAAC,CAAC,OAAO,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CACjB,6CAA6C,YAAY,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,wBAAwB,CAC7C,IAAI,CAAC,gBAAgB,EACrB,aAAa,EACb,YAAY,EACZ,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,KAAK,CACX,CAAC;QAEF,MAAM,SAAS,GAA+B;YAC5C,IAAI;YACJ,WAAW,EAAE,iBAAiB,EAAE;SACjC,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,8DAA8D,EAC9D,SAAS,CACV,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,SAAS,CAAuB,CAAC;IAC5E,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACI,KAAK,CAAC,yBAAyB,CACpC,IAAoB,EACpB,UAAyB,EACzB,YAAoB;QAEpB,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,YAAY,GAAG,SAAkB,CAAC;QACxC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,KAAK,GAAW,UAAU,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE5D,OAAO,MAAM,IAAI,CAAC,2BAA2B,CAC3C,IAAI,EACJ;YACE;gBACE,UAAU,EAAE,0BAA0B;gBACtC,KAAK;gBACL,IAAI,EAAE,QAAQ;aACf;SACF,EACD,YAAY,CACb,CAAC;IACJ,CAAC;CACF;AAED,eAAe,iBAAiB,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@schemavaults/auth-server-sdk",
   "description": "TypeScript SDK for building authenticated endpoints/middlewares for the Auth Server and Resource Servers",
-  "version": "0.22.80",
+  "version": "0.22.82",
   "license": "UNLICENSED",
   "private": false,
   "repository": {
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "zod": "3.25.8",
-    "@schemavaults/jwt": "0.7.32",
+    "@schemavaults/jwt": "0.7.33",
     "@schemavaults/auth-common": "0.13.1",
     "@schemavaults/app-definitions": "0.7.1"
   },