@seamless-auth/core 0.1.0

package/LICENSE

@@ -0,0 +1,79 @@
+GNU AFFERO GENERAL PUBLIC LICENSE
+Version 3, 19 November 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+<https://fsf.org/>
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+This license is identical to the GNU General Public License, except that it also
+ensures that software running as a network service makes its source code
+available to users.
+
+---
+
+TERMS AND CONDITIONS
+
+0. Definitions.
+
+“This License” refers to version 3 of the GNU Affero General Public License.
+
+“Copyright” also means copyright-like laws that apply to other kinds of works,
+such as semiconductor masks.
+
+The “Program” refers to any copyrightable work licensed under this License.
+Each licensee is addressed as “you”.
+
+To “modify” a work means to copy from or adapt all or part of the work in a
+fashion requiring copyright permission, other than the making of an exact copy.
+
+To “propagate” a work means to do anything with it that, without permission,
+would make you directly or secondarily liable for infringement under applicable
+copyright law, except executing it on a computer or modifying a private copy.
+
+To “convey” a work means any kind of propagation that enables other parties to
+make or receive copies.
+
+An interactive user interface displays “Appropriate Legal Notices” to the extent
+that it includes a convenient and prominently visible feature that displays an
+appropriate copyright notice, and tells the user that there is no warranty for
+the work (except to the extent that warranties are provided), that licensees may
+convey the work under this License, and how to view a copy of this License.
+
+---
+
+13. Remote Network Interaction; Use with the GNU General Public License.
+
+Notwithstanding any other provision of this License, if you modify the Program,
+your modified version must prominently offer all users interacting with it
+remotely through a computer network an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source from a
+network server at no charge, through some standard or customary means of
+facilitating copying of software.
+
+---
+
+15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
+PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
+EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+---
+
+16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
+COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS
+PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
+INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
+THE PROGRAM.
+
+---
+
+END OF TERMS AND CONDITIONS
+
+You should have received a copy of the GNU Affero General Public License along
+with this program. If not, see <https://www.gnu.org/licenses/>.

package/LICENSE.md

@@ -0,0 +1,26 @@
+# License
+
+Seamless Auth Server - Core ("@seamless-auth/core") is licensed under the **GNU Affero General Public License v3.0 (AGPL-3.0-only)**.
+
+- SPDX: `AGPL-3.0-only`
+
+## What this means (high level)
+
+- You are free to **use**, **modify**, and **self-host** this software.
+- If you **modify** this software and **run it as a network service** (for example, hosting it for others to use), you must **make the complete corresponding source code of your modified version available** to users of that service, under the AGPL.
+
+This summary is not legal advice and does not replace the license text.
+
+## Full license text
+
+The full license text is available here:
+
+- https://www.gnu.org/licenses/agpl-3.0.html
+
+You should include a copy of the AGPLv3 license in your distribution. If this repository does not contain the full license text yet, add it as `LICENSE` or `LICENSE.txt` (recommended), and keep this `LICENSE.md` as the human-friendly summary.
+
+## Commercial licensing
+
+If you would like to embed Seamless Auth API into a proprietary product, redistribute it under different terms, or offer it as a managed service without AGPL obligations, commercial licensing may be available.
+
+Contact: support@seamlessauth.com

package/README.md

@@ -0,0 +1,141 @@
+# @seamless-auth/core
+
+[![npm version](https://img.shields.io/npm/v/@seamless-auth/core.svg)](https://www.npmjs.com/package/@seamless-auth/core)
+[![license](https://img.shields.io/badge/license-AGPL--3.0-blue)](#license "License")
+
+### Seamless Auth – Core
+
+`@seamless-auth/core` contains the **framework-agnostic authentication logic** that powers the Seamless Auth ecosystem.
+
+It is designed to be:
+
+- deterministic
+- auditable
+- testable
+- independent of any web framework
+
+If you are building a custom adapter (Express, Fastify, Next.js, Hono, etc.), this is the package you integrate with.
+
+---
+
+## What This Package Is
+
+- Core authentication state machine
+- Cookie validation and refresh logic
+- Service-token–based API ↔ Auth Server communication
+- Stateless, cryptographically verifiable flows
+
+This package **does not**:
+
+- depend on Express or any framework
+- read environment variables
+- set cookies or headers directly
+- manage HTTP requests or responses
+
+---
+
+## Who Should Use This
+
+You should use `@seamless-auth/core` if:
+
+- You are building a backend adapter
+- You want full control over your HTTP layer
+- You are integrating Seamless Auth into a non-Express runtime
+- You want to audit or extend authentication behavior
+
+If you are using Express, you probably want:
+
+```
+@seamless-auth/express
+```
+
+---
+
+## Design Principles
+
+- **Explicit trust boundaries**  
+   Browser cookies are never forwarded upstream.
+
+- **Stateless by default**  
+   All session data is encoded and signed.
+
+- **Short-lived assertions**  
+   Service tokens are minimal and ephemeral.
+
+- **No hidden magic**  
+   All inputs are explicit.
+
+---
+
+## Core Concepts
+
+### Identity States
+
+- **Unauthenticated**
+- **Pre-authenticated** (OTP / WebAuthn in progress)
+- **Authenticated** (access cookie issued)
+
+Core helpers enforce transitions between these states.
+
+---
+
+## Public API (Overview)
+
+Key exports include:
+
+- `ensureCookies(...)` – validates and refreshes session cookies
+- `refreshAccessToken(...)` – rotates expired access sessions
+- `verifyCookieJwt(...)` – verifies signed cookie payloads
+- `createServiceToken(...)` – creates short-lived M2M assertions
+
+These functions return **descriptive results**, not HTTP responses.
+
+---
+
+## Example (Adapter Pseudocode)
+
+```ts
+const result = await ensureCookies(
+  { path, cookies },
+  {
+    authServerUrl,
+    cookieSecret,
+    serviceSecret,
+    issuer,
+    audience,
+    keyId,
+    accessCookieName,
+    refreshCookieName,
+    preAuthCookieName,
+  },
+);
+
+if (result.setCookies) {
+  // adapter applies cookies
+}
+
+if (result.type === "error") {
+  // adapter sends HTTP error
+}
+```
+
+---
+
+## Testing
+
+All logic in this package is tested against compiled output (`dist/`),
+ensuring behavior matches production runtime exactly.
+
+---
+
+## License
+
+**AGPL-3.0-only** © 2026 Fells Code LLC
+
+This license ensures:
+
+- transparency of security-critical code
+- freedom to self-host and modify
+- sustainability of the managed service offering
+
+See [`LICENSE`](./LICENSE) for details.

package/dist/authFetch.d.ts

@@ -0,0 +1,8 @@
+export interface AuthFetchOptions {
+    method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    headers?: Record<string, string>;
+    body?: unknown;
+    authorization?: string;
+}
+export declare function authFetch(url: string, options: AuthFetchOptions): Promise<Response>;
+//# sourceMappingURL=authFetch.d.ts.map

package/dist/authFetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authFetch.d.ts","sourceRoot":"","sources":["../src/authFetch.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACpD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,QAAQ,CAAC,CAYnB"}

package/dist/authFetch.js

@@ -0,0 +1,13 @@
+export async function authFetch(url, options) {
+    const headers = {
+        "Content-Type": "application/json",
+        ...options.headers,
+        ...(options.authorization ? { Authorization: options.authorization } : {}),
+    };
+    return fetch(url, {
+        method: options.method,
+        headers,
+        body: options.body ? JSON.stringify(options.body) : undefined,
+    });
+}
+//# sourceMappingURL=authFetch.js.map

package/dist/authFetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authFetch.js","sourceRoot":"","sources":["../src/authFetch.ts"],"names":[],"mappings":"AAWA,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,OAAyB;IAEzB,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,GAAG,OAAO,CAAC,OAAO;QAClB,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3E,CAAC;IAEF,OAAO,KAAK,CAAC,GAAG,EAAE;QAChB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO;QACP,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9D,CAAC,CAAC;AACL,CAAC"}

package/dist/createServiceToken.d.ts

@@ -0,0 +1,10 @@
+export interface ServiceTokenOptions {
+    issuer: string;
+    audience: string;
+    subject: string;
+    refreshToken?: string;
+    serviceSecret: string;
+    keyId: string;
+}
+export declare function createServiceToken(opts: ServiceTokenOptions): string;
+//# sourceMappingURL=createServiceToken.d.ts.map

package/dist/createServiceToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createServiceToken.d.ts","sourceRoot":"","sources":["../src/createServiceToken.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,mBAAmB,GAAG,MAAM,CAgBpE"}

package/dist/createServiceToken.js

@@ -0,0 +1,15 @@
+import jwt from "jsonwebtoken";
+export function createServiceToken(opts) {
+    return jwt.sign({
+        iss: opts.issuer,
+        aud: opts.audience,
+        sub: opts.subject,
+        refreshToken: opts.refreshToken,
+        iat: Math.floor(Date.now() / 1000),
+    }, opts.serviceSecret, {
+        expiresIn: "60s",
+        algorithm: "HS256",
+        keyid: opts.keyId,
+    });
+}
+//# sourceMappingURL=createServiceToken.js.map

package/dist/createServiceToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createServiceToken.js","sourceRoot":"","sources":["../src/createServiceToken.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAW/B,MAAM,UAAU,kBAAkB,CAAC,IAAyB;IAC1D,OAAO,GAAG,CAAC,IAAI,CACb;QACE,GAAG,EAAE,IAAI,CAAC,MAAM;QAChB,GAAG,EAAE,IAAI,CAAC,QAAQ;QAClB,GAAG,EAAE,IAAI,CAAC,OAAO;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;KACnC,EACD,IAAI,CAAC,aAAa,EAClB;QACE,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,OAAO;QAClB,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CACF,CAAC;AACJ,CAAC"}

package/dist/ensureCookies.d.ts

@@ -0,0 +1,42 @@
+export interface EnsureCookiesInput {
+    path: string;
+    cookies: Record<string, string | undefined>;
+}
+export interface CookiePayload {
+    sub: string;
+    token?: string;
+    refreshToken?: string;
+    roles?: string[];
+}
+export interface CookieInstruction {
+    name: string;
+    value: CookiePayload;
+    ttl: number;
+    domain?: string;
+}
+export interface EnsureCookiesResult {
+    type: "ok" | "error";
+    status?: number;
+    error?: string;
+    user?: {
+        sub: string;
+        roles?: string[];
+    };
+    setCookies?: CookieInstruction[];
+    clearCookies?: string[];
+}
+export interface EnsureCookiesOptions {
+    authServerUrl: string;
+    cookieDomain?: string;
+    accessCookieName: string;
+    registrationCookieName: string;
+    refreshCookieName: string;
+    preAuthCookieName: string;
+    cookieSecret: string;
+    serviceSecret: string;
+    issuer: string;
+    audience: string;
+    keyId: string;
+}
+export declare function ensureCookies(input: EnsureCookiesInput, opts: EnsureCookiesOptions): Promise<EnsureCookiesResult>;
+//# sourceMappingURL=ensureCookies.d.ts.map

package/dist/ensureCookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ensureCookies.d.ts","sourceRoot":"","sources":["../src/ensureCookies.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAC7C;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,aAAa,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE;QACL,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,UAAU,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AA4BD,wBAAsB,aAAa,CACjC,KAAK,EAAE,kBAAkB,EACzB,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,mBAAmB,CAAC,CAsG9B"}

package/dist/ensureCookies.js

@@ -0,0 +1,116 @@
+import { verifyCookieJwt } from "./verifyCookieJwt.js";
+import { refreshAccessToken } from "./refreshAccessToken.js";
+const COOKIE_REQUIREMENTS = {
+    "/webAuthn/login/finish": { name: "preAuthCookieName", required: true },
+    "/webAuthn/login/start": { name: "preAuthCookieName", required: true },
+    "/webAuthn/register/start": {
+        name: "registrationCookieName",
+        required: true,
+    },
+    "/webAuthn/register/finish": {
+        name: "registrationCookieName",
+        required: true,
+    },
+    "/otp/verify-email-otp": {
+        name: "registrationCookieName",
+        required: true,
+    },
+    "/otp/verify-phone-otp": {
+        name: "registrationCookieName",
+        required: true,
+    },
+    "/logout": { name: "accessCookieName", required: true },
+    "/users/me": { name: "accessCookieName", required: true },
+};
+export async function ensureCookies(input, opts) {
+    const match = Object.entries(COOKIE_REQUIREMENTS).find(([path]) => input.path.startsWith(path));
+    if (!match) {
+        return { type: "ok" };
+    }
+    const [, { name, required }] = match;
+    const cookieName = opts[name];
+    if (!cookieName) {
+        return {
+            type: "error",
+            status: 400,
+            error: "Missing required cookie",
+        };
+    }
+    const cookieValue = input.cookies[cookieName];
+    const refreshCookie = input.cookies[opts.refreshCookieName];
+    if (required && !cookieValue) {
+        if (!refreshCookie) {
+            return {
+                type: "error",
+                status: 400,
+                error: `Missing required cookie "${cookieName}"`,
+            };
+        }
+        const refreshed = await refreshAccessToken(refreshCookie, {
+            authServerUrl: opts.authServerUrl,
+            cookieSecret: opts.cookieSecret,
+            serviceSecret: opts.serviceSecret,
+            issuer: opts.issuer,
+            audience: opts.audience,
+            keyId: opts.keyId,
+        });
+        if (!refreshed?.token) {
+            return {
+                type: "error",
+                status: 401,
+                error: "Refresh failed",
+                clearCookies: [
+                    cookieName,
+                    opts.registrationCookieName,
+                    opts.refreshCookieName,
+                ],
+            };
+        }
+        return {
+            type: "ok",
+            user: {
+                sub: refreshed.sub,
+                roles: refreshed.roles,
+            },
+            setCookies: [
+                {
+                    name: cookieName,
+                    value: {
+                        sub: refreshed.sub,
+                        roles: refreshed.roles,
+                    },
+                    ttl: refreshed.ttl,
+                    domain: opts.cookieDomain,
+                },
+                {
+                    name: opts.refreshCookieName,
+                    value: {
+                        sub: refreshed.sub,
+                        refreshToken: refreshed.refreshToken,
+                    },
+                    ttl: refreshed.refreshTtl,
+                    domain: opts.cookieDomain,
+                },
+            ],
+        };
+    }
+    if (cookieValue) {
+        const payload = verifyCookieJwt(cookieValue, opts.cookieSecret);
+        if (!payload) {
+            return {
+                type: "error",
+                status: 401,
+                error: `Invalid or expired ${cookieName} cookie`,
+            };
+        }
+        return {
+            type: "ok",
+            user: {
+                sub: payload.sub,
+                roles: payload.roles,
+            },
+        };
+    }
+    return { type: "ok" };
+}
+//# sourceMappingURL=ensureCookies.js.map

package/dist/ensureCookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ensureCookies.js","sourceRoot":"","sources":["../src/ensureCookies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AA+C7D,MAAM,mBAAmB,GAGrB;IACF,wBAAwB,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;IACvE,uBAAuB,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;IACtE,0BAA0B,EAAE;QAC1B,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,IAAI;KACf;IACD,2BAA2B,EAAE;QAC3B,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,IAAI;KACf;IACD,uBAAuB,EAAE;QACvB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,IAAI;KACf;IACD,uBAAuB,EAAE;QACvB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,IAAI;KACf;IACD,SAAS,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE;IACvD,WAAW,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE;CAC1D,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAyB,EACzB,IAA0B;IAE1B,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAChE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAC5B,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,GAAG,KAAK,CAAC;IACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,GAAG;YACX,KAAK,EAAE,yBAAyB;SACjC,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE5D,IAAI,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,GAAG;gBACX,KAAK,EAAE,4BAA4B,UAAU,GAAG;aACjD,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE;YACxD,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YACtB,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,GAAG;gBACX,KAAK,EAAE,gBAAgB;gBACvB,YAAY,EAAE;oBACZ,UAAU;oBACV,IAAI,CAAC,sBAAsB;oBAC3B,IAAI,CAAC,iBAAiB;iBACvB;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,IAAI;YACV,IAAI,EAAE;gBACJ,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB;YACD,UAAU,EAAE;gBACV;oBACE,IAAI,EAAE,UAAU;oBAChB,KAAK,EAAE;wBACL,GAAG,EAAE,SAAS,CAAC,GAAG;wBAClB,KAAK,EAAE,SAAS,CAAC,KAAK;qBACvB;oBACD,GAAG,EAAE,SAAS,CAAC,GAAG;oBAClB,MAAM,EAAE,IAAI,CAAC,YAAY;iBAC1B;gBACD;oBACE,IAAI,EAAE,IAAI,CAAC,iBAAiB;oBAC5B,KAAK,EAAE;wBACL,GAAG,EAAE,SAAS,CAAC,GAAG;wBAClB,YAAY,EAAE,SAAS,CAAC,YAAY;qBACrC;oBACD,GAAG,EAAE,SAAS,CAAC,UAAU;oBACzB,MAAM,EAAE,IAAI,CAAC,YAAY;iBAC1B;aACF;SACF,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,GAAG;gBACX,KAAK,EAAE,sBAAsB,UAAU,SAAS;aACjD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,IAAI;YACV,IAAI,EAAE;gBACJ,GAAG,EAAE,OAAO,CAAC,GAAa;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAA6B;aAC7C;SACF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC"}

package/dist/getSeamlessUser.d.ts

@@ -0,0 +1,7 @@
+export interface GetSeamlessUserOptions {
+    authServerUrl: string;
+    cookieSecret: string;
+    cookieName?: string;
+}
+export declare function getSeamlessUser<T = any>(cookies: Record<string, string | undefined>, opts: GetSeamlessUserOptions): Promise<T | null>;
+//# sourceMappingURL=getSeamlessUser.d.ts.map

package/dist/getSeamlessUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSeamlessUser.d.ts","sourceRoot":"","sources":["../src/getSeamlessUser.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,eAAe,CAAC,CAAC,GAAG,GAAG,EAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAC3C,IAAI,EAAE,sBAAsB,GAC3B,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAiBnB"}

package/dist/getSeamlessUser.js

@@ -0,0 +1,19 @@
+import { authFetch } from "./authFetch.js";
+import { verifyCookieJwt } from "./verifyCookieJwt.js";
+export async function getSeamlessUser(cookies, opts) {
+    const cookieName = opts.cookieName ?? "seamless-access";
+    const token = cookies[cookieName];
+    if (!token)
+        return null;
+    const payload = verifyCookieJwt(token, opts.cookieSecret);
+    if (!payload)
+        return null;
+    const response = await authFetch(`${opts.authServerUrl}/users/me`, {
+        method: "GET",
+    });
+    if (!response.ok)
+        return null;
+    const data = await response.json();
+    return data.user ?? null;
+}
+//# sourceMappingURL=getSeamlessUser.js.map

package/dist/getSeamlessUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSeamlessUser.js","sourceRoot":"","sources":["../src/getSeamlessUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAQvD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAA2C,EAC3C,IAA4B;IAE5B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAElC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,WAAW,EAAE;QACjE,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE9B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,OAAO,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;AAC3B,CAAC"}

package/dist/handlers/finishLogin.d.ts

@@ -0,0 +1,24 @@
+import type { CookiePayload } from "../ensureCookies.js";
+export interface FinishLoginInput {
+    body: unknown;
+    authorization?: string;
+}
+export interface FinishLoginOptions {
+    authServerUrl: string;
+    cookieDomain?: string;
+    accessCookieName: string;
+    refreshCookieName: string;
+}
+export interface FinishLoginResult {
+    status: number;
+    body?: unknown;
+    error?: string;
+    setCookies?: {
+        name: string;
+        value: CookiePayload;
+        ttl: number;
+        domain?: string;
+    }[];
+}
+export declare function finishLoginHandler(input: FinishLoginInput, opts: FinishLoginOptions): Promise<FinishLoginResult>;
+//# sourceMappingURL=finishLogin.d.ts.map

package/dist/handlers/finishLogin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishLogin.d.ts","sourceRoot":"","sources":["../../src/handlers/finishLogin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,OAAO,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,aAAa,CAAC;QACrB,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,EAAE,CAAC;CACL;AAED,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,gBAAgB,EACvB,IAAI,EAAE,kBAAkB,GACvB,OAAO,CAAC,iBAAiB,CAAC,CAqD5B"}

package/dist/handlers/finishLogin.js

@@ -0,0 +1,48 @@
+import { authFetch } from "../authFetch.js";
+import { verifySignedAuthResponse } from "../verifySignedAuthResponse.js";
+export async function finishLoginHandler(input, opts) {
+    const up = await authFetch(`${opts.authServerUrl}/webAuthn/login/finish`, {
+        method: "POST",
+        body: input.body,
+        authorization: input.authorization,
+    });
+    const data = await up.json();
+    if (!up.ok) {
+        return {
+            status: up.status,
+            error: data,
+        };
+    }
+    const verifiedAccessToken = await verifySignedAuthResponse(data.token, opts.authServerUrl);
+    if (!verifiedAccessToken) {
+        throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verifiedAccessToken.sub !== data.sub) {
+        throw new Error("Signature mismatch with data payload");
+    }
+    return {
+        status: 200,
+        body: data,
+        setCookies: [
+            {
+                name: opts.accessCookieName,
+                value: {
+                    sub: data.sub,
+                    roles: data.roles,
+                },
+                ttl: data.ttl,
+                domain: opts.cookieDomain,
+            },
+            {
+                name: opts.refreshCookieName,
+                value: {
+                    sub: data.sub,
+                    refreshToken: data.refreshToken,
+                },
+                ttl: data.refreshTtl,
+                domain: opts.cookieDomain,
+            },
+        ],
+    };
+}
+//# sourceMappingURL=finishLogin.js.map

package/dist/handlers/finishLogin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishLogin.js","sourceRoot":"","sources":["../../src/handlers/finishLogin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AA0B1E,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAuB,EACvB,IAAwB;IAExB,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,wBAAwB,EAAE;QACxE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa,EAAE,KAAK,CAAC,aAAa;KACnC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,mBAAmB,GAAG,MAAM,wBAAwB,CACxD,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,aAAa,CACnB,CAAC;IAEF,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,mBAAmB,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI,EAAE,IAAI;QACV,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,IAAI,CAAC,gBAAgB;gBAC3B,KAAK,EAAE;oBACL,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB;gBACD,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;YACD;gBACE,IAAI,EAAE,IAAI,CAAC,iBAAiB;gBAC5B,KAAK,EAAE;oBACL,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,YAAY,EAAE,IAAI,CAAC,YAAY;iBAChC;gBACD,GAAG,EAAE,IAAI,CAAC,UAAU;gBACpB,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/handlers/finishRegister.d.ts

@@ -0,0 +1,23 @@
+import type { CookiePayload } from "../ensureCookies.js";
+export interface FinishRegisterInput {
+    authorization?: string;
+    body: unknown;
+}
+export interface FinishRegisterOptions {
+    authServerUrl: string;
+    cookieDomain?: string;
+    accessCookieName: string;
+    refreshCookieName: string;
+}
+export interface FinishRegisterResult {
+    status: number;
+    error?: unknown;
+    setCookies?: {
+        name: string;
+        value: CookiePayload;
+        ttl: number;
+        domain?: string;
+    }[];
+}
+export declare function finishRegisterHandler(input: FinishRegisterInput, opts: FinishRegisterOptions): Promise<FinishRegisterResult>;
+//# sourceMappingURL=finishRegister.d.ts.map

package/dist/handlers/finishRegister.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishRegister.d.ts","sourceRoot":"","sources":["../../src/handlers/finishRegister.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzD,MAAM,WAAW,mBAAmB;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,aAAa,CAAC;QACrB,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,EAAE,CAAC;CACL;AAED,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,mBAAmB,EAC1B,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC,oBAAoB,CAAC,CAoD/B"}

package/dist/handlers/finishRegister.js

@@ -0,0 +1,47 @@
+import { authFetch } from "../authFetch.js";
+import { verifySignedAuthResponse } from "../verifySignedAuthResponse.js";
+export async function finishRegisterHandler(input, opts) {
+    const up = await authFetch(`${opts.authServerUrl}/webAuthn/register/finish`, {
+        method: "POST",
+        body: input.body,
+        authorization: input.authorization,
+    });
+    const data = await up.json();
+    if (!up.ok) {
+        return {
+            status: up.status,
+            error: data,
+        };
+    }
+    const verified = await verifySignedAuthResponse(data.token, opts.authServerUrl);
+    if (!verified) {
+        throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verified.sub !== data.sub) {
+        throw new Error("Signature mismatch with data payload");
+    }
+    return {
+        status: 204,
+        setCookies: [
+            {
+                name: opts.accessCookieName,
+                value: {
+                    sub: data.sub,
+                    roles: data.roles,
+                },
+                ttl: data.ttl,
+                domain: opts.cookieDomain,
+            },
+            {
+                name: opts.refreshCookieName,
+                value: {
+                    sub: data.sub,
+                    refreshToken: data.refreshToken,
+                },
+                ttl: data.refreshTtl,
+                domain: opts.cookieDomain,
+            },
+        ],
+    };
+}
+//# sourceMappingURL=finishRegister.js.map

package/dist/handlers/finishRegister.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishRegister.js","sourceRoot":"","sources":["../../src/handlers/finishRegister.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAyB1E,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAA0B,EAC1B,IAA2B;IAE3B,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,2BAA2B,EAAE;QAC3E,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa,EAAE,KAAK,CAAC,aAAa;KACnC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,aAAa,CACnB,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG;QACX,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,IAAI,CAAC,gBAAgB;gBAC3B,KAAK,EAAE;oBACL,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB;gBACD,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;YACD;gBACE,IAAI,EAAE,IAAI,CAAC,iBAAiB;gBAC5B,KAAK,EAAE;oBACL,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,YAAY,EAAE,IAAI,CAAC,YAAY;iBAChC;gBACD,GAAG,EAAE,IAAI,CAAC,UAAU;gBACpB,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/handlers/login.d.ts

@@ -0,0 +1,21 @@
+import type { CookiePayload } from "../ensureCookies.js";
+export interface LoginInput {
+    body: unknown;
+}
+export interface LoginOptions {
+    authServerUrl: string;
+    cookieDomain?: string;
+    preAuthCookieName: string;
+}
+export interface LoginResult {
+    status: number;
+    error?: string;
+    setCookies?: {
+        name: string;
+        value: CookiePayload;
+        ttl: number;
+        domain?: string;
+    }[];
+}
+export declare function loginHandler(input: LoginInput, opts: LoginOptions): Promise<LoginResult>;
+//# sourceMappingURL=login.d.ts.map

package/dist/handlers/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/handlers/login.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,aAAa,CAAC;QACrB,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,EAAE,CAAC;CACL;AAED,wBAAsB,YAAY,CAChC,KAAK,EAAE,UAAU,EACjB,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,WAAW,CAAC,CAuCtB"}

package/dist/handlers/login.js

@@ -0,0 +1,34 @@
+import { authFetch } from "../authFetch.js";
+import { verifySignedAuthResponse } from "../verifySignedAuthResponse.js";
+export async function loginHandler(input, opts) {
+    const up = await authFetch(`${opts.authServerUrl}/login`, {
+        method: "POST",
+        body: input.body,
+    });
+    const data = await up.json();
+    if (!up.ok) {
+        return {
+            status: up.status,
+            error: data,
+        };
+    }
+    const verified = await verifySignedAuthResponse(data.token, opts.authServerUrl);
+    if (!verified) {
+        throw new Error("Invalid signed response from Auth Server");
+    }
+    if (verified.sub !== data.sub) {
+        throw new Error("Signature mismatch with data payload");
+    }
+    return {
+        status: 204,
+        setCookies: [
+            {
+                name: opts.preAuthCookieName,
+                value: { sub: data.sub, token: data.token },
+                ttl: data.ttl,
+                domain: opts.cookieDomain,
+            },
+        ],
+    };
+}
+//# sourceMappingURL=login.js.map

package/dist/handlers/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/handlers/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAuB1E,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAiB,EACjB,IAAkB;IAElB,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,QAAQ,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,aAAa,CACnB,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG;QACX,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,IAAI,CAAC,iBAAiB;gBAC5B,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;gBAC3C,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/handlers/logout.d.ts

@@ -0,0 +1,12 @@
+export interface LogoutOptions {
+    authServerUrl: string;
+    accessCookieName: string;
+    registrationCookieName: string;
+    refreshCookieName: string;
+}
+export interface LogoutResult {
+    status: number;
+    clearCookies: string[];
+}
+export declare function logoutHandler(opts: LogoutOptions): Promise<LogoutResult>;
+//# sourceMappingURL=logout.d.ts.map

package/dist/handlers/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/handlers/logout.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,wBAAsB,aAAa,CACjC,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,YAAY,CAAC,CAavB"}

package/dist/handlers/logout.js

@@ -0,0 +1,15 @@
+import { authFetch } from "../authFetch.js";
+export async function logoutHandler(opts) {
+    await authFetch(`${opts.authServerUrl}/logout`, {
+        method: "GET",
+    });
+    return {
+        status: 204,
+        clearCookies: [
+            opts.accessCookieName,
+            opts.registrationCookieName,
+            opts.refreshCookieName,
+        ],
+    };
+}
+//# sourceMappingURL=logout.js.map

package/dist/handlers/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/handlers/logout.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAc5C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAmB;IAEnB,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,SAAS,EAAE;QAC9C,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,GAAG;QACX,YAAY,EAAE;YACZ,IAAI,CAAC,gBAAgB;YACrB,IAAI,CAAC,sBAAsB;YAC3B,IAAI,CAAC,iBAAiB;SACvB;KACF,CAAC;AACJ,CAAC"}

package/dist/handlers/me.d.ts

@@ -0,0 +1,16 @@
+export interface MeOptions {
+    authServerUrl: string;
+    preAuthCookieName: string;
+    authorization?: string;
+}
+export interface MeResult {
+    status: number;
+    body?: {
+        user: unknown;
+        credentials?: unknown;
+    };
+    error?: string;
+    clearCookies?: string[];
+}
+export declare function meHandler(opts: MeOptions): Promise<MeResult>;
+//# sourceMappingURL=me.d.ts.map

package/dist/handlers/me.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../src/handlers/me.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,SAAS;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE;QACL,IAAI,EAAE,OAAO,CAAC;QACd,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,wBAAsB,SAAS,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyBlE"}

package/dist/handlers/me.js

@@ -0,0 +1,25 @@
+import { authFetch } from "../authFetch.js";
+export async function meHandler(opts) {
+    const up = await authFetch(`${opts.authServerUrl}/users/me`, {
+        method: "GET",
+        authorization: opts.authorization,
+    });
+    const data = await up.json();
+    const clearCookies = [opts.preAuthCookieName];
+    if (!data?.user) {
+        return {
+            status: 401,
+            error: "unauthenticated",
+            clearCookies,
+        };
+    }
+    return {
+        status: 200,
+        body: {
+            user: data.user,
+            credentials: data.credentials,
+        },
+        clearCookies,
+    };
+}
+//# sourceMappingURL=me.js.map

package/dist/handlers/me.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"me.js","sourceRoot":"","sources":["../../src/handlers/me.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAkB5C,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAe;IAC7C,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,WAAW,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,aAAa,EAAE,IAAI,CAAC,aAAa;KAClC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAC7B,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE9C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE,GAAG;YACX,KAAK,EAAE,iBAAiB;YACxB,YAAY;SACb,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B;QACD,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/handlers/register.d.ts

@@ -0,0 +1,22 @@
+import type { CookiePayload } from "../ensureCookies.js";
+export interface RegisterInput {
+    body: unknown;
+}
+export interface RegisterOptions {
+    authServerUrl: string;
+    cookieDomain?: string;
+    registrationCookieName: string;
+}
+export interface RegisterResult {
+    status: number;
+    body?: unknown;
+    error?: unknown;
+    setCookies?: {
+        name: string;
+        value: CookiePayload;
+        ttl: number;
+        domain?: string;
+    }[];
+}
+export declare function registerHandler(input: RegisterInput, opts: RegisterOptions): Promise<RegisterResult>;
+//# sourceMappingURL=register.d.ts.map

package/dist/handlers/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/handlers/register.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,aAAa,CAAC;QACrB,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,EAAE,CAAC;CACL;AAED,wBAAsB,eAAe,CACnC,KAAK,EAAE,aAAa,EACpB,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,cAAc,CAAC,CA2BzB"}

package/dist/handlers/register.js

@@ -0,0 +1,27 @@
+import { authFetch } from "../authFetch.js";
+export async function registerHandler(input, opts) {
+    const up = await authFetch(`${opts.authServerUrl}/registration/register`, {
+        method: "POST",
+        body: input.body,
+    });
+    const data = await up.json();
+    if (!up.ok) {
+        return {
+            status: up.status,
+            error: data,
+        };
+    }
+    return {
+        status: 200,
+        body: data,
+        setCookies: [
+            {
+                name: opts.registrationCookieName,
+                value: { sub: data.sub },
+                ttl: data.ttl,
+                domain: opts.cookieDomain,
+            },
+        ],
+    };
+}
+//# sourceMappingURL=register.js.map

package/dist/handlers/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/handlers/register.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAyB5C,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAoB,EACpB,IAAqB;IAErB,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,wBAAwB,EAAE;QACxE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI,EAAE,IAAI;QACV,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,IAAI,CAAC,sBAAsB;gBACjC,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;gBACxB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,IAAI,CAAC,YAAY;aAC1B;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export * from "./authFetch.js";
+export * from "./ensureCookies.js";
+export * from "./verifyCookieJwt.js";
+export * from "./refreshAccessToken.js";
+export * from "./getSeamlessUser.js";
+export * from "./createServiceToken.js";
+export * from "./handlers/login.js";
+export * from "./handlers/finishLogin.js";
+export * from "./handlers/register.js";
+export * from "./handlers/finishRegister.js";
+export * from "./handlers/logout.js";
+export * from "./handlers/me.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AAExC,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+export * from "./authFetch.js";
+export * from "./ensureCookies.js";
+export * from "./verifyCookieJwt.js";
+export * from "./refreshAccessToken.js";
+export * from "./getSeamlessUser.js";
+export * from "./createServiceToken.js";
+export * from "./handlers/login.js";
+export * from "./handlers/finishLogin.js";
+export * from "./handlers/register.js";
+export * from "./handlers/finishRegister.js";
+export * from "./handlers/logout.js";
+export * from "./handlers/me.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AAExC,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC"}

package/dist/refreshAccessToken.d.ts

@@ -0,0 +1,17 @@
+export interface RefreshAccessTokenOptions {
+    authServerUrl: string;
+    cookieSecret: string;
+    serviceSecret: string;
+    issuer: string;
+    audience: string;
+    keyId: string;
+}
+export declare function refreshAccessToken(refreshCookie: string, opts: RefreshAccessTokenOptions): Promise<{
+    sub: string;
+    token: string;
+    refreshToken: string;
+    roles: string[];
+    ttl: number;
+    refreshTtl: number;
+} | null>;
+//# sourceMappingURL=refreshAccessToken.d.ts.map

package/dist/refreshAccessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshAccessToken.d.ts","sourceRoot":"","sources":["../src/refreshAccessToken.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,yBAAyB,GAC9B,OAAO,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,IAAI,CAAC,CAuBR"}

package/dist/refreshAccessToken.js

@@ -0,0 +1,26 @@
+import { authFetch } from "./authFetch.js";
+import { verifyRefreshCookie } from "./verifyRefreshCookie.js";
+import { createServiceToken } from "./createServiceToken.js";
+export async function refreshAccessToken(refreshCookie, opts) {
+    const payload = verifyRefreshCookie(refreshCookie, opts.cookieSecret);
+    if (!payload)
+        return null;
+    const serviceToken = createServiceToken({
+        issuer: opts.issuer,
+        audience: opts.audience,
+        subject: payload.sub,
+        refreshToken: payload.refreshToken,
+        serviceSecret: opts.serviceSecret,
+        keyId: opts.keyId,
+    });
+    const response = await authFetch(`${opts.authServerUrl}/refresh`, {
+        method: "GET",
+        headers: {
+            Authorization: `Bearer ${serviceToken}`,
+        },
+    });
+    if (!response.ok)
+        return null;
+    return response.json();
+}
+//# sourceMappingURL=refreshAccessToken.js.map

package/dist/refreshAccessToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshAccessToken.js","sourceRoot":"","sources":["../src/refreshAccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAW7D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,aAAqB,EACrB,IAA+B;IAS/B,MAAM,OAAO,GAAG,mBAAmB,CAAC,aAAa,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,YAAY,GAAG,kBAAkB,CAAC;QACtC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,OAAO,CAAC,GAAG;QACpB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,aAAa,UAAU,EAAE;QAChE,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,YAAY,EAAE;SACxC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE9B,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC"}

package/dist/verifyCookieJwt.d.ts

@@ -0,0 +1,3 @@
+import { type JwtPayload } from "jsonwebtoken";
+export declare function verifyCookieJwt<T extends JwtPayload = JwtPayload>(token: string, secret: string): T | null;
+//# sourceMappingURL=verifyCookieJwt.d.ts.map

package/dist/verifyCookieJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyCookieJwt.d.ts","sourceRoot":"","sources":["../src/verifyCookieJwt.ts"],"names":[],"mappings":"AAAA,OAAY,EAAE,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpD,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAC/D,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,CAAC,GAAG,IAAI,CASV"}

package/dist/verifyCookieJwt.js

@@ -0,0 +1,13 @@
+import jwt, {} from "jsonwebtoken";
+export function verifyCookieJwt(token, secret) {
+    try {
+        return jwt.verify(token, secret, {
+            algorithms: ["HS256"],
+        });
+    }
+    catch {
+        // Intentional no-op
+        return null;
+    }
+}
+//# sourceMappingURL=verifyCookieJwt.js.map

package/dist/verifyCookieJwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyCookieJwt.js","sourceRoot":"","sources":["../src/verifyCookieJwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAmB,MAAM,cAAc,CAAC;AAEpD,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE;YAC/B,UAAU,EAAE,CAAC,OAAO,CAAC;SACtB,CAAM,CAAC;IACV,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/verifyRefreshCookie.d.ts

@@ -0,0 +1,7 @@
+import { type JwtPayload } from "jsonwebtoken";
+export interface RefreshCookiePayload extends JwtPayload {
+    sub: string;
+    refreshToken: string;
+}
+export declare function verifyRefreshCookie(token: string, cookieSecret: string): RefreshCookiePayload | null;
+//# sourceMappingURL=verifyRefreshCookie.d.ts.map

package/dist/verifyRefreshCookie.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyRefreshCookie.d.ts","sourceRoot":"","sources":["../src/verifyRefreshCookie.ts"],"names":[],"mappings":"AAAA,OAAY,EAAE,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpD,MAAM,WAAW,oBAAqB,SAAQ,UAAU;IACtD,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,MAAM,GACnB,oBAAoB,GAAG,IAAI,CAQ7B"}

package/dist/verifyRefreshCookie.js

@@ -0,0 +1,12 @@
+import jwt, {} from "jsonwebtoken";
+export function verifyRefreshCookie(token, cookieSecret) {
+    try {
+        return jwt.verify(token, cookieSecret, {
+            algorithms: ["HS256"],
+        });
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=verifyRefreshCookie.js.map

package/dist/verifyRefreshCookie.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyRefreshCookie.js","sourceRoot":"","sources":["../src/verifyRefreshCookie.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,EAAE,EAAmB,MAAM,cAAc,CAAC;AAOpD,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,YAAoB;IAEpB,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE;YACrC,UAAU,EAAE,CAAC,OAAO,CAAC;SACtB,CAAyB,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/verifySignedAuthResponse.d.ts

@@ -0,0 +1,2 @@
+export declare function verifySignedAuthResponse<T = any>(token: string, authServerUrl: string): Promise<T | null>;
+//# sourceMappingURL=verifySignedAuthResponse.d.ts.map

package/dist/verifySignedAuthResponse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifySignedAuthResponse.d.ts","sourceRoot":"","sources":["../src/verifySignedAuthResponse.ts"],"names":[],"mappings":"AAEA,wBAAsB,wBAAwB,CAAC,CAAC,GAAG,GAAG,EACpD,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAenB"}

package/dist/verifySignedAuthResponse.js

@@ -0,0 +1,17 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+export async function verifySignedAuthResponse(token, authServerUrl) {
+    try {
+        const jwksUrl = new URL("/.well-known/jwks.json", authServerUrl).toString();
+        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+        const { payload } = await jwtVerify(token, JWKS, {
+            algorithms: ["RS256"],
+            issuer: authServerUrl,
+        });
+        return payload;
+    }
+    catch (err) {
+        console.error("[SeamlessAuth] Failed to verify signed auth response:", err);
+        return null;
+    }
+}
+//# sourceMappingURL=verifySignedAuthResponse.js.map

package/dist/verifySignedAuthResponse.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifySignedAuthResponse.js","sourceRoot":"","sources":["../src/verifySignedAuthResponse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,aAAqB;IAErB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,wBAAwB,EAAE,aAAa,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC5E,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QAElD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;YAC/C,UAAU,EAAE,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,aAAa;SACtB,CAAC,CAAC;QAEH,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,uDAAuD,EAAE,GAAG,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,56 @@
+{
+    "name": "@seamless-auth/core",
+    "version": "0.1.0",
+    "description": "Framework-agnostic core authentication logic for SeamlessAuth",
+    "license": "AGPL-3.0-only",
+    "author": "Fells Code, LLC",
+    "sideEffects": false,
+    "homepage": "https://seamlessauth.com",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/fells-code/seamless-auth-server/packages/core"
+    },
+    "type": "module",
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js"
+        },
+        "./handlers/*": {
+            "types": "./dist/handlers/*.d.ts",
+            "import": "./dist/handlers/*.js"
+        }
+    },
+    "files": [
+        "dist",
+        "LICENSE",
+        "LICENSE.md",
+        "README.md"
+    ],
+    "engines": {
+        "node": ">=18"
+    },
+    "scripts": {
+        "build": "tsc -p tsconfig.json",
+        "clean": "rm -rf dist",
+        "prepublishOnly": "npm run clean && npm run build",
+        "test": "npm run build && NODE_OPTIONS=--experimental-vm-modules jest",
+        "test:watch": "npm run build && NODE_OPTIONS=--experimental-vm-modules jest --watch"
+    },
+    "dependencies": {
+        "jose": "^6.1.3",
+        "jsonwebtoken": "^9.0.2"
+    },
+    "devDependencies": {
+        "@types/jest": "^29.5.14",
+        "@types/jsonwebtoken": "^9.0.10",
+        "jest": "^29.7.0",
+        "ts-node": "^10.9.2",
+        "typescript": "^5.9.3"
+    },
+    "publishConfig": {
+        "access": "public"
+    }
+}