@seamless-auth/express 0.1.2 → 0.3.0

package/README.md

@@ -14,6 +14,7 @@ This package:
 - Manages signed, HttpOnly session cookies
 - Enforces authentication and authorization in your API
 - Handles all API ↔ Auth Server communication via short-lived service tokens
+- Establishes the initializer surface for adopter-supplied auth messaging
 
 > **npm:** https://www.npmjs.com/package/@seamless-auth/express  
 > **Docs:** https://docs.seamlessauth.com  
@@ -149,9 +150,26 @@ Routes include:
   registrationCookieName?: string;
   refreshCookieName?: string;
   preAuthCookieName?: string;
+  messaging?: {
+    email?: EmailTransport;
+    sms?: SmsTransport;
+    handlers?: Partial<AuthMessagingHandlers>;
+    overrides?: AuthMessageOverrides;
+  };
 }
 ```
 
+`messaging` is the initializer-facing contract for adopter-supplied auth messaging capabilities.
+
+When `messaging` is provided, `@seamless-auth/express` requests external-delivery payloads from the upstream auth server for auth-message flows and completes delivery locally through the configured transports or handlers.
+
+This currently applies to:
+
+- OTP email
+- OTP SMS
+- magic-link email
+- bootstrap invite email
+
 ---
 
 ### `requireAuth(options?)`

package/dist/createServer.d.ts

@@ -0,0 +1,78 @@
+import { Router } from "express";
+import type { SeamlessAuthMessagingOptions } from "./messaging";
+export type SeamlessAuthServerOptions = {
+    authServerUrl: string;
+    cookieSecret: string;
+    serviceSecret: string;
+    issuer: string;
+    audience: string;
+    jwksKid?: string;
+    cookieDomain?: string;
+    accessCookieName?: string;
+    registrationCookieName?: string;
+    refreshCookieName?: string;
+    preAuthCookieName?: string;
+    messaging?: SeamlessAuthMessagingOptions;
+};
+export interface SeamlessAuthUser {
+    id: string;
+    sub: string;
+    roles: string[];
+    email: string;
+    phone: string;
+    iat?: number;
+    exp?: number;
+}
+/**
+ * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
+ *
+ * This helper wires your API backend to a Seamless Auth instance running in
+ * "server mode." It automatically forwards login, registration, WebAuthn,
+ * logout, token refresh, and session validation routes to the auth server
+ * and handles all cookie management required for a seamless login flow.
+ *
+ * ### Responsibilities
+ * - Proxies all `/auth/*` routes to the upstream Seamless Auth server
+ * - Manages `access`, `registration`, `pre-auth`, and `refresh` cookies
+ * - Normalizes cookie settings for cross-domain or same-domain deployments
+ * - Ensures authentication routes behave consistently across environments
+ * - Provides shared middleware for auth flows
+ *
+ * ### Cookie Types
+ * - **accessCookie** – long-lived session cookie for authenticated API requests
+ * - **registrationCookie** – ephemeral cookie used during registration and OTP/WebAuthn flows
+ * - **preAuthCookie** – short-lived cookie used during login initiation
+ * - **refreshCookie** – opaque refresh token cookie used to rotate session tokens
+ *
+ * All cookie names and their domains may be customized via the `opts` parameter.
+ *
+ * ### Example
+ * ```ts
+ * app.use("/auth", createSeamlessAuthServer({
+ *   authServerUrl: "https://identifier.seamlessauth.com",
+ *   cookieDomain: "mycompany.com",
+ *   cookieSecret: "someLongRandomValue"
+ *   serviceSecret: "someLongRandomValueToo"
+ *   jwksKid: "dev-main"
+ *   accessCookieName: "sa_access",
+ *   registrationCookieName: "sa_registration",
+ *   refreshCookieName: "sa_refresh",
+ * }));
+ * ```
+ *
+ * @param opts - Configuration options for the Seamless Auth proxy:
+ *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
+ *   - `cookieSecret` — The value to encode your cookies secrets with (required)
+ *   - `serviceSecret` - An machine to machine shared secret that matches your auth servers (required)
+ *   - `jwksKid` - The active jwks KID
+ *   - `cookieDomain` — Domain attribute applied to all auth cookies
+ *   - `accessCookieName` — Name of the session access cookie
+ *   - `registrationCookieName` — Name of the ephemeral registration cookie
+ *   - `refreshCookieName` — Name of the refresh token cookie
+ *   - `preAuthCookieName` — Name of the cookie used during login initiation
+ *   - `messaging` — Optional auth-messaging transports, handlers, and overrides
+ *
+ * @returns An Express `Router` preconfigured with all Seamless Auth routes.
+ */
+export declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
+//# sourceMappingURL=createServer.d.ts.map

package/dist/createServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createServer.d.ts","sourceRoot":"","sources":["../src/createServer.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AAI7D,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAqDhE,MAAM,MAAM,yBAAyB,GAAG;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,4BAA4B,CAAC;CAC1C,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,yBAAyB,GAC9B,MAAM,CAkPR"}

package/dist/getSeamlessUser.d.ts

@@ -0,0 +1,4 @@
+import type { Request } from "express";
+import { SeamlessAuthServerOptions } from "./createServer";
+export declare function getSeamlessUser(req: Request, opts: SeamlessAuthServerOptions): Promise<any>;
+//# sourceMappingURL=getSeamlessUser.d.ts.map

package/dist/getSeamlessUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSeamlessUser.d.ts","sourceRoot":"","sources":["../src/getSeamlessUser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAMvC,OAAO,EAAE,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAE3D,wBAAsB,eAAe,CACnC,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE,yBAAyB,gBAUhC"}

package/dist/handlers/admin.d.ts

@@ -0,0 +1,14 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare const getUsers: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const createUser: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const deleteUser: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const updateUser: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const getUserDetail: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const getUserAnomalies: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const getAuthEvents: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const getCredentialCount: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const listAllSessions: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const listUserSessions: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+export declare const revokeAllUserSessions: (req: Request, res: Response, opts: SeamlessAuthServerOptions) => Promise<Response<any, Record<string, any>>>;
+//# sourceMappingURL=admin.d.ts.map

package/dist/handlers/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../src/handlers/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAgB5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAS5D,eAAO,MAAM,QAAQ,GACnB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,UAAU,GACrB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAS9B,CAAC;AAEJ,eAAO,MAAM,UAAU,GACrB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,UAAU,GACrB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAS9B,CAAC;AAEJ,eAAO,MAAM,aAAa,GACxB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,gBAAgB,GAC3B,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,aAAa,GACxB,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAS9B,CAAC;AAEJ,eAAO,MAAM,kBAAkB,GAC7B,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,eAAe,GAC1B,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAS9B,CAAC;AAEJ,eAAO,MAAM,gBAAgB,GAC3B,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC;AAEJ,eAAO,MAAM,qBAAqB,GAChC,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,yBAAyB,gDAQ9B,CAAC"}

package/dist/handlers/bootstrapAdmininvite.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function bootstrapAdminInvite(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=bootstrapAdmininvite.d.ts.map

package/dist/handlers/bootstrapAdmininvite.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrapAdmininvite.d.ts","sourceRoot":"","sources":["../../src/handlers/bootstrapAdmininvite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAsBhC"}

package/dist/handlers/finishLogin.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function finishLogin(req: Request & {
+    cookiePayload?: any;
+}, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=finishLogin.d.ts.map

package/dist/handlers/finishLogin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishLogin.d.ts","sourceRoot":"","sources":["../../src/handlers/finishLogin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,WAAW,CAC/B,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAA;CAAE,EACtC,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DA+ChC"}

package/dist/handlers/finishRegister.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function finishRegister(req: Request & {
+    cookiePayload?: any;
+}, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=finishRegister.d.ts.map

package/dist/handlers/finishRegister.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finishRegister.d.ts","sourceRoot":"","sources":["../../src/handlers/finishRegister.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAG5D,wBAAsB,cAAc,CAClC,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAA;CAAE,EACtC,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAkEhC"}

package/dist/handlers/internalMetrics.d.ts

@@ -0,0 +1,9 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function getAuthEventSummary(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function getAuthEventTimeseries(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function getLoginStats(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function getSecurityAnomalies(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function getDashboardMetrics(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function getGroupedEventSummary(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+//# sourceMappingURL=internalMetrics.d.ts.map

package/dist/handlers/internalMetrics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internalMetrics.d.ts","sourceRoot":"","sources":["../../src/handlers/internalMetrics.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAW5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAS5D,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAWhC;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAWhC;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC;AAED,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC"}

package/dist/handlers/login.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function login(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=login.d.ts.map

package/dist/handlers/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/handlers/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,KAAK,CACzB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DA4ChC"}

package/dist/handlers/logout.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function logout(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<void>;
+//# sourceMappingURL=logout.d.ts.map

package/dist/handlers/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/handlers/logout.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,MAAM,CAC1B,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,iBAYhC"}

package/dist/handlers/me.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function me(req: Request & {
+    cookiePayload?: any;
+}, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=me.d.ts.map

package/dist/handlers/me.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../src/handlers/me.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,EAAE,CACtB,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAA;CAAE,EACtC,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAoBhC"}

package/dist/handlers/pollMagicLinkConfirmation.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function pollMagicLinkConfirmation(req: Request & {
+    cookiePayload?: any;
+}, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=pollMagicLinkConfirmation.d.ts.map

package/dist/handlers/pollMagicLinkConfirmation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pollMagicLinkConfirmation.d.ts","sourceRoot":"","sources":["../../src/handlers/pollMagicLinkConfirmation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,yBAAyB,CAC7C,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAA;CAAE,EACtC,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAgDhC"}

package/dist/handlers/register.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function register(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=register.d.ts.map

package/dist/handlers/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/handlers/register.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,QAAQ,CAC5B,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAqDhC"}

package/dist/handlers/requestMagicLink.d.ts

@@ -0,0 +1,7 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function requestMagicLink(req: Request & {
+    cookiePayload?: any;
+    user?: any;
+}, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+//# sourceMappingURL=requestMagicLink.d.ts.map

package/dist/handlers/requestMagicLink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestMagicLink.d.ts","sourceRoot":"","sources":["../../src/handlers/requestMagicLink.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAC;IAAC,IAAI,CAAC,EAAE,GAAG,CAAA;CAAE,EAClD,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAyBhC"}

package/dist/handlers/requestOtp.d.ts

@@ -0,0 +1,7 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function requestOtp(req: Request & {
+    cookiePayload?: any;
+    user?: any;
+}, res: Response, opts: SeamlessAuthServerOptions, kind: "email" | "phone"): Promise<Response<any, Record<string, any>>>;
+//# sourceMappingURL=requestOtp.d.ts.map

package/dist/handlers/requestOtp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestOtp.d.ts","sourceRoot":"","sources":["../../src/handlers/requestOtp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAI5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,UAAU,CAC9B,GAAG,EAAE,OAAO,GAAG;IAAE,aAAa,CAAC,EAAE,GAAG,CAAC;IAAC,IAAI,CAAC,EAAE,GAAG,CAAA;CAAE,EAClD,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,EAC/B,IAAI,EAAE,OAAO,GAAG,OAAO,+CA0BxB"}

package/dist/handlers/sessions.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function listSessions(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function revokeSession(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+export declare function revokeAllSessions(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>>>;
+//# sourceMappingURL=sessions.d.ts.map

package/dist/handlers/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../src/handlers/sessions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAQ5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAS5D,wBAAsB,YAAY,CAChC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,+CAUhC"}

package/dist/handlers/systemConfig.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response } from "express";
+import { SeamlessAuthServerOptions } from "../createServer";
+export declare function getAvailableRoles(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+export declare function getSystemConfigAdmin(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+export declare function updateSystemConfig(req: Request, res: Response, opts: SeamlessAuthServerOptions): Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=systemConfig.d.ts.map

package/dist/handlers/systemConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"systemConfig.d.ts","sourceRoot":"","sources":["../../src/handlers/systemConfig.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAQ5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAchC;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAchC;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,yBAAyB,2DAehC"}

package/dist/index.d.ts

@@ -1,197 +1,9 @@
-import { Router, Request, Response, NextFunction, RequestHandler } from 'express';
-
-type SeamlessAuthServerOptions = {
-    authServerUrl: string;
-    cookieSecret: string;
-    serviceSecret: string;
-    issuer: string;
-    audience: string;
-    jwksKid?: string;
-    cookieDomain?: string;
-    accessCookieName?: string;
-    registrationCookieName?: string;
-    refreshCookieName?: string;
-    preAuthCookieName?: string;
-};
-interface SeamlessAuthUser {
-    id: string;
-    sub: string;
-    roles: string[];
-    email: string;
-    phone: string;
-    iat?: number;
-    exp?: number;
-}
-/**
- * Creates an Express Router that proxies all authentication traffic to a Seamless Auth server.
- *
- * This helper wires your API backend to a Seamless Auth instance running in
- * "server mode." It automatically forwards login, registration, WebAuthn,
- * logout, token refresh, and session validation routes to the auth server
- * and handles all cookie management required for a seamless login flow.
- *
- * ### Responsibilities
- * - Proxies all `/auth/*` routes to the upstream Seamless Auth server
- * - Manages `access`, `registration`, `pre-auth`, and `refresh` cookies
- * - Normalizes cookie settings for cross-domain or same-domain deployments
- * - Ensures authentication routes behave consistently across environments
- * - Provides shared middleware for auth flows
- *
- * ### Cookie Types
- * - **accessCookie** – long-lived session cookie for authenticated API requests
- * - **registrationCookie** – ephemeral cookie used during registration and OTP/WebAuthn flows
- * - **preAuthCookie** – short-lived cookie used during login initiation
- * - **refreshCookie** – opaque refresh token cookie used to rotate session tokens
- *
- * All cookie names and their domains may be customized via the `opts` parameter.
- *
- * ### Example
- * ```ts
- * app.use("/auth", createSeamlessAuthServer({
- *   authServerUrl: "https://identifier.seamlessauth.com",
- *   cookieDomain: "mycompany.com",
- *   cookieSecret: "someLongRandomValue"
- *   serviceSecret: "someLongRandomValueToo"
- *   jwksKid: "dev-main"
- *   accessCookieName: "sa_access",
- *   registrationCookieName: "sa_registration",
- *   refreshCookieName: "sa_refresh",
- * }));
- * ```
- *
- * @param opts - Configuration options for the Seamless Auth proxy:
- *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
- *   - `cookieSecret` — The value to encode your cookies secrets with (required)
- *   - `serviceSecret` - An machine to machine shared secret that matches your auth servers (required)
- *   - `jwksKid` - The active jwks KID
- *   - `cookieDomain` — Domain attribute applied to all auth cookies
- *   - `accessCookieName` — Name of the session access cookie
- *   - `registrationCookieName` — Name of the ephemeral registration cookie
- *   - `refreshCookieName` — Name of the refresh token cookie
- *   - `preAuthCookieName` — Name of the cookie used during login initiation
- *
- * @returns An Express `Router` preconfigured with all Seamless Auth routes.
- */
-declare function createSeamlessAuthServer(opts: SeamlessAuthServerOptions): Router;
-
-interface RequireAuthOptions {
-    cookieName?: string;
-    cookieSecret: string;
-}
-/**
- * Express middleware that enforces authentication using Seamless Auth cookies.
- *
- * This guard verifies the signed access cookie generated by the Seamless Auth
- * server. If the access cookie is valid and unexpired, the decoded session
- * payload is attached to `req.user` and the request proceeds.
- *
- * If the access cookie is expired or missing *but* a valid refresh cookie is
- * present, the middleware automatically attempts a silent token refresh using
- * the Seamless Auth server. When successful, new session cookies are issued and
- * the request continues with an updated `req.user`.
- *
- * If neither the access token nor refresh token can validate the session,
- * the middleware returns a 401 Unauthorized error and prevents further
- * route execution.
- *
- * ### Responsibilities
- * - Validates the Seamless Auth session access cookie
- * - Attempts refresh-token–based session renewal when necessary
- * - Populates `req.user` with the verified session payload
- * - Handles all cookie rewriting during refresh flows
- * - Acts as a request-level authentication guard for API routes
- *
- * ### Cookie Parameters
- * - **cookieName** — Name of the access cookie that holds the signed session JWT
- * - **refreshCookieName** — Name of the refresh cookie used for silent token refresh
- * - **cookieDomain** — Domain or path value applied to issued cookies
- *
- * ### Example
- * ```ts
- * // Protect a route
- * app.get("/api/me", requireAuth(), (req, res) => {
- *   res.json({ user: req.user });
- * });
- *
- * // Custom cookie names (if your Seamless Auth server uses overrides)
- * app.use(
- *   "/internal",
- *   requireAuth("sa_access", "sa_refresh", "mycompany.com"),
- *   internalRouter
- * );
- * ```
- *
- * @param cookieName - The access cookie name. Defaults to `"seamless-access"`.
- * @param refreshCookieName - The refresh cookie name used for session rotation. Defaults to `"seamless-refresh"`.
- * @param cookieDomain - Domain or path used when rewriting cookies. Defaults to `"/"`.
- *
- * @returns An Express middleware function that enforces Seamless Auth
- *          authentication on incoming requests.
- */
-interface RequireAuthOptions {
-    cookieName?: string;
-    cookieSecret: string;
-}
-/**
- * Express middleware that enforces authentication
- * using an already-issued Seamless Auth access cookie.
- *
- * NOTE:
- * - This middleware does NOT attempt token refresh.
- * - Refresh is handled upstream by ensureCookies().
- */
-declare function requireAuth(opts: RequireAuthOptions): (req: Request, res: Response, next: NextFunction) => void;
-
-/**
- * Express middleware that enforces role-based authorization for Seamless Auth.
- *
- * This middleware assumes `requireAuth()` has already:
- * - authenticated the request
- * - populated `req.user` with the authenticated session payload
- *
- * `requireRole` performs **authorization only**. It does not inspect cookies,
- * verify tokens, or read environment variables.
- *
- * If any of the required roles are present on the user, access is granted.
- * Otherwise, a 403 Forbidden response is returned.
- *
- *  * ### Example
- * ```ts
- * // Require a single role
- * app.get("/admin/users",
- *   requireAuth(),
- *   requireRole("admin"),
- *   (req, res) => {
- *     res.send("Welcome admin!");
- *   }
- * );
- *
- * // Allow any of multiple roles
- * app.post("/settings",
- *   requireAuth(),
- *   requireRole(["admin", "supervisor"]),
- *   updateSettingsHandler
- * );
- *
- * @param requiredRoles - A role or list of roles required to access the route
- */
-declare function requireRole(requiredRoles: string | string[]): RequestHandler;
-
-interface EnsureCookiesMiddlewareOptions {
-    authServerUrl: string;
-    cookieDomain?: string;
-    accessCookieName: string;
-    registrationCookieName: string;
-    refreshCookieName: string;
-    preAuthCookieName: string;
-    cookieSecret: string;
-    serviceSecret: string;
-    issuer: string;
-    audience: string;
-    keyId: string;
-}
-declare function createEnsureCookiesMiddleware(opts: EnsureCookiesMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-
-declare function getSeamlessUser(req: Request, opts: SeamlessAuthServerOptions): Promise<any>;
-
-export { type SeamlessAuthServerOptions, type SeamlessAuthUser, createEnsureCookiesMiddleware, createSeamlessAuthServer as default, getSeamlessUser, requireAuth, requireRole };
+import { createSeamlessAuthServer, SeamlessAuthServerOptions, SeamlessAuthUser } from "./createServer";
+export { SeamlessAuthServerOptions, SeamlessAuthUser };
+export type { AuthMessageOverrides, AuthMessagingHandlers, DeliveryResult, EmailMessage, EmailTransport, SeamlessAuthMessagingOptions, SmsMessage, SmsTransport, } from "./messaging";
+export { requireAuth } from "./middleware/requireAuth";
+export { requireRole } from "./middleware/requireRole";
+export { createEnsureCookiesMiddleware } from "./middleware/ensureCookies";
+export { getSeamlessUser } from "./getSeamlessUser";
+export default createSeamlessAuthServer;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,gBAAgB,EACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,yBAAyB,EAAE,gBAAgB,EAAE,CAAC;AACvD,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,EACd,YAAY,EACZ,cAAc,EACd,4BAA4B,EAC5B,UAAU,EACV,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,6BAA6B,EAAE,MAAM,4BAA4B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,eAAe,wBAAwB,CAAC"}