@soapjs/soap-auth 0.1.1 → 0.3.0

package/build/strategies/oauth2/oauth2.strategy.js

@@ -6,85 +6,163 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuth2Strategy = void 0;
 const axios_1 = __importDefault(require("axios"));
 const errors_1 = require("../../errors");
-const token_based_auth_strategy_1 = require("../token-based-auth.strategy");
 const oauth2_tools_1 = require("./oauth2.tools");
-class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy {
+const base_auth_strategy_1 = require("../base-auth.strategy");
+class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     config;
-    accessTokenConfig;
-    refreshTokenConfig;
     session;
     logger;
-    constructor(config, accessTokenConfig, refreshTokenConfig, session, logger) {
-        super(config, accessTokenConfig, refreshTokenConfig, session, logger);
+    constructor(config, session, logger) {
+        super(config, session, logger);
         this.config = config;
-        this.accessTokenConfig = accessTokenConfig;
-        this.refreshTokenConfig = refreshTokenConfig;
         this.session = session;
         this.logger = logger;
         this.config.scope = this.config.scope ?? "email";
     }
+    async logout(context) {
+        try {
+            await this.storeAccessToken("", context);
+            await this.storeRefreshToken("", context);
+            if (this.config.endpoints.logoutUrl) {
+                this.logger?.info("Redirecting to OAuth2 logout endpoint.");
+                this.redirectUser(context, this.config.endpoints.logoutUrl);
+            }
+        }
+        catch (error) {
+            this.logger?.error("Logout failed:", error);
+            throw new Error("Logout failed.");
+        }
+    }
+    async getCredentialsForPasswordGrant(context) {
+        if (this.config.credentials?.extractCredentials) {
+            return this.config.credentials.extractCredentials(context);
+        }
+        else if (typeof context === "object" && "body" in context) {
+            const body = context.body;
+            if (body.username && body.password) {
+                return {
+                    identifier: body.username,
+                    password: body.password,
+                };
+            }
+        }
+        throw new Error("Missing credentials for password grant.");
+    }
+    retrieveAccessToken(context) {
+        if (this.config.accessToken?.retrieve) {
+            return this.config.accessToken.retrieve(context);
+        }
+        if (typeof context === "object" && "headers" in context) {
+            const authHeader = context.headers?.authorization;
+            if (authHeader?.startsWith("Bearer ")) {
+                return authHeader.split(" ")[1];
+            }
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.access_token;
+        }
+        return undefined;
+    }
+    retrieveRefreshToken(context) {
+        if (this.config.refreshToken?.retrieve) {
+            return this.config.refreshToken.retrieve(context);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.refresh_token;
+        }
+        return undefined;
+    }
+    storeAccessToken(token, context) {
+        if (this.config.accessToken?.persistence?.store) {
+            return this.config.accessToken.persistence.store(token, context, this.config.accessToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("access_token", token, { httpOnly: true });
+        }
+    }
+    storeRefreshToken(token, context) {
+        if (this.config.refreshToken?.persistence?.store) {
+            return this.config.refreshToken.persistence.store(token, context, this.config.refreshToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    embedAccessToken(token, context) {
+        if (this.config.accessToken?.embed) {
+            this.config.accessToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "response" in context) {
+            context.response.setHeader("Authorization", `Bearer ${token}`);
+        }
+    }
+    embedRefreshToken(token, context) {
+        if (this.config.refreshToken?.embed) {
+            return this.config.refreshToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    async isTokenExpired(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length !== 3) {
+                this.logger?.warn("Non-JWT token provided, cannot determine expiration.");
+                return false;
+            }
+            const decoded = JSON.parse(Buffer.from(parts[1], "base64").toString());
+            if (!decoded.exp)
+                return false;
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch (error) {
+            this.logger?.warn("Failed to decode token:", error);
+            return false;
+        }
+    }
     async authenticate(context) {
         try {
             let user;
             let refreshToken;
-            let accessToken = await this.accessTokenConfig.retrieve?.(context);
+            let accessToken = await this.retrieveAccessToken(context);
             if (!accessToken) {
                 this.logger?.info("No access token found, checking for refresh token.");
-                refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (refreshToken) {
                     this.logger?.info("Found refresh token, attempting to refresh access token.");
                     const newTokens = await this.refreshAccessToken(context);
                     accessToken = newTokens.accessToken;
-                    this.accessTokenConfig.embed?.(context, accessToken);
+                    this.embedAccessToken(accessToken, context);
                     if (newTokens.refreshToken) {
                         refreshToken = newTokens.refreshToken;
-                        this.refreshTokenConfig?.embed?.(context, newTokens.refreshToken);
+                        this.embedRefreshToken(newTokens.refreshToken, context);
                     }
                 }
                 else {
                     this.logger?.info("No refresh token found, attempting authentication using grant type.");
-                    switch (this.config.grantType) {
-                        case "authorization_code":
-                            const authorizationCode = this.extractAuthorizationCode(context);
-                            this.verifyAuthorizationCode(context, authorizationCode);
-                            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
-                            accessToken = tokenResult.accessToken;
-                            refreshToken = tokenResult.refreshToken;
-                            break;
-                        case "client_credentials":
-                            this.logger?.info("Using client credentials grant.");
-                            const clientCredResult = await this.exchangeClientCredentials();
-                            accessToken = clientCredResult.accessToken;
-                            break;
-                        case "password":
-                            this.logger?.info("Using password grant.");
-                            if (!this.config.credentials) {
-                                throw new Error("Missing credentials for password grant.");
-                            }
-                            const passwordResult = await this.exchangePasswordGrant();
-                            accessToken = passwordResult.accessToken;
-                            break;
-                        default:
-                            throw new Error(`Unsupported grant type: ${this.config.grantType}`);
-                    }
-                    this.accessTokenConfig.embed?.(context, accessToken);
+                    const tokens = await this.processOAuthFlow(context);
+                    accessToken = tokens.accessToken;
+                    refreshToken = tokens.refreshToken;
+                    this.embedAccessToken(accessToken, context);
                     if (refreshToken) {
-                        this.refreshTokenConfig?.embed?.(context, refreshToken);
+                        this.embedRefreshToken(refreshToken, context);
                     }
                 }
             }
             else if (accessToken && (await this.isTokenExpired(accessToken))) {
                 this.logger?.info("Access token expired, attempting refresh.");
-                refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (!refreshToken) {
                     throw new errors_1.MissingTokenError("Refresh");
                 }
                 const newTokens = await this.refreshAccessToken(context);
                 accessToken = newTokens.accessToken;
-                this.accessTokenConfig.embed?.(context, accessToken);
+                this.embedAccessToken(accessToken, context);
                 if (newTokens.refreshToken && newTokens.refreshToken !== refreshToken) {
                     refreshToken = newTokens.refreshToken;
-                    this.refreshTokenConfig?.embed?.(context, newTokens.refreshToken);
+                    this.embedRefreshToken(newTokens.refreshToken, context);
                 }
             }
             if (!accessToken) {
@@ -92,6 +170,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             }
             user = await this.retrieveUser(accessToken);
             if (!user) {
+                this.logger?.error("User retrieval failed: No user found for access token.");
                 throw new errors_1.UserNotFoundError();
             }
             await this.isAuthorized(user);
@@ -102,6 +181,29 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             throw new errors_1.AuthError(error, "OAuth2 authentication failed.");
         }
     }
+    async processOAuthFlow(context) {
+        if (this.config.grantType === "authorization_code") {
+            const authorizationCode = this.extractAuthorizationCode(context);
+            this.verifyAuthorizationCode(context, authorizationCode);
+            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
+            return tokenResult;
+        }
+        if (this.config.grantType === "client_credentials") {
+            this.logger?.info("Using client credentials grant.");
+            const clientCredResult = await this.exchangeClientCredentials();
+            return { accessToken: clientCredResult.accessToken };
+        }
+        if (this.config.grantType === "password") {
+            this.logger?.info("Using password grant.");
+            const credentials = await this.getCredentialsForPasswordGrant(context);
+            if (!credentials) {
+                throw new Error("Missing credentials for password grant.");
+            }
+            const passwordResult = await this.exchangePasswordGrant(credentials.identifier, credentials.password);
+            return { accessToken: passwordResult.accessToken };
+        }
+        throw new Error(`Unsupported grant type: ${this.config.grantType}`);
+    }
     verifyAuthorizationCode(context, code) {
         if (!code) {
             this.logger?.warn("Authorization code missing, redirecting user.");
@@ -185,7 +287,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
                 headers: { Authorization: `Bearer ${accessToken}` },
             });
-            return (await this.config.validateUser?.(response.data)) || null;
+            return (await this.config.user.validateUser(response.data)) || null;
         }
         catch (error) {
             this.logger?.error("Failed to fetch user information:", error);
@@ -200,22 +302,22 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
         });
         return { accessToken: response.data.access_token };
     }
-    async exchangePasswordGrant() {
-        if (!this.config.credentials) {
+    async exchangePasswordGrant(username, password) {
+        if (!username || !password) {
             throw new Error("Missing credentials for password grant.");
         }
         const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
             grant_type: "password",
             client_id: this.config.clientId,
             client_secret: this.config.clientSecret,
-            username: this.config.credentials.username,
-            password: this.config.credentials.password,
+            username,
+            password,
         });
         return { accessToken: response.data.access_token };
     }
     async refreshAccessToken(context) {
         try {
-            const refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+            const refreshToken = await this.retrieveRefreshToken(context);
             if (!refreshToken) {
                 throw new errors_1.MissingTokenError("Refresh");
             }
@@ -225,13 +327,20 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
                 client_secret: this.config.clientSecret,
                 refresh_token: refreshToken,
             });
+            if (response.status !== 200 || !response.data.access_token) {
+                throw new Error("Failed to refresh token");
+            }
             const refreshedTokens = {
                 accessToken: response.data.access_token,
                 refreshToken: response.data.refresh_token,
             };
-            await this.accessTokenConfig.embed?.(context, refreshedTokens.accessToken);
+            await this.storeAccessToken(refreshedTokens.accessToken, context);
+            if (refreshedTokens.refreshToken) {
+                await this.storeRefreshToken(refreshedTokens.refreshToken, context);
+            }
+            await this.embedAccessToken(refreshedTokens.accessToken, context);
             if (refreshedTokens.refreshToken) {
-                await this.refreshTokenConfig?.embed?.(context, refreshedTokens.refreshToken);
+                await this.embedRefreshToken(refreshedTokens.refreshToken, context);
             }
             return refreshedTokens;
         }

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -1,29 +1,21 @@
-import { TokenBasedAuthStrategyConfig, TokenConfig } from "../../types";
+import { CredentailsConfig, PKCEConfig, TokenAuthStrategyConfig } from "../../types";
 export interface OAuth2Endpoints {
     authorizationUrl: string;
     tokenUrl: string;
     userInfoUrl?: string;
     introspectionUrl?: string;
     revocationUrl?: string;
+    logoutUrl?: string;
 }
-export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategyConfig<TContext, TUser> {
+export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenAuthStrategyConfig<TContext, TUser> {
     clientId: string;
     clientSecret: string;
     redirectUri: string;
-    scope?: string;
-    grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token";
+    scope?: string | string[];
+    audience?: string;
+    responseType?: "code" | "token" | "id_token" | string;
+    grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token" | string;
     endpoints: OAuth2Endpoints;
-    validateUser?: (tokenPayload: any) => Promise<TUser | null>;
-    credentials?: {
-        username: string;
-        password: string;
-    };
+    credentials?: CredentailsConfig<TContext>;
     pkce?: PKCEConfig<TContext>;
-    accessToken?: TokenConfig;
-    refreshToken?: TokenConfig;
-}
-export interface PKCEConfig<TContext> {
-    generateCodeVerifier?: () => string;
-    storeCodeVerifier?: (context: TContext, codeVerifier: string) => void;
-    retrieveCodeVerifier?: (context: TContext) => string | null;
 }

package/build/strategies/token-auth.strategy.d.ts

@@ -0,0 +1,25 @@
+import * as Soap from "@soapjs/soap";
+import { AuthResult, TokenAuthStrategyConfig } from "../types";
+import { BaseAuthStrategy } from "./base-auth.strategy";
+import { SessionHandler } from "../session/session-handler";
+export declare abstract class TokenAuthStrategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
+    protected config: TokenAuthStrategyConfig<TContext, TUser>;
+    protected session?: SessionHandler;
+    protected logger?: Soap.Logger;
+    constructor(config: TokenAuthStrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    protected abstract retrieveAccessToken(context: TContext): Promise<string | undefined>;
+    protected abstract retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    protected abstract verifyAccessToken(token: string): Promise<any>;
+    protected abstract verifyRefreshToken(token: string): Promise<any>;
+    protected abstract generateAccessToken(payload: any): Promise<string>;
+    protected abstract generateRefreshToken(payload: any): Promise<string>;
+    protected abstract storeAccessToken(token: string, context: TContext): Promise<void>;
+    protected abstract storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected abstract embedAccessToken(token: string, context: TContext): void;
+    protected abstract embedRefreshToken(token: string, context: TContext): void;
+    authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    rotateTokens(context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
+}

package/build/strategies/token-auth.strategy.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenAuthStrategy = void 0;
+const base_auth_strategy_1 = require("./base-auth.strategy");
+const errors_1 = require("../errors");
+class TokenAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy {
+    config;
+    session;
+    logger;
+    constructor(config, session, logger) {
+        super(config, session, logger);
+        this.config = config;
+        this.session = session;
+        this.logger = logger;
+    }
+    async authenticate(context) {
+        try {
+            let accessToken = await this.retrieveAccessToken(context);
+            let refreshToken;
+            await this.checkRateLimit(context);
+            if (accessToken) {
+                try {
+                    const decoded = await this.verifyAccessToken(accessToken);
+                    const user = await this.config.user.getUserData(decoded);
+                    if (!user)
+                        throw new errors_1.UserNotFoundError();
+                    await this.isAuthorized(user);
+                    return { user, tokens: { accessToken } };
+                }
+                catch (error) {
+                    this.logger?.warn("Access token is invalid or expired, trying refresh token...");
+                }
+            }
+            refreshToken = await this.retrieveRefreshToken(context);
+            if (!refreshToken)
+                throw new errors_1.MissingTokenError("Refresh");
+            const newTokens = await this.rotateTokens(context);
+            accessToken = newTokens.accessToken;
+            refreshToken = newTokens.refreshToken;
+            if (!accessToken)
+                throw new errors_1.MissingTokenError("Access");
+            const decoded = await this.verifyAccessToken(accessToken);
+            const user = await this.config.user.getUserData(decoded);
+            if (!user)
+                throw new errors_1.UserNotFoundError();
+            await this.isAuthorized(user);
+            return { user, tokens: { accessToken, refreshToken } };
+        }
+        catch (error) {
+            this.logger?.error("Authentication failed:", error);
+            throw new errors_1.AuthError(error, "Authentication failed.");
+        }
+    }
+    async rotateTokens(context) {
+        try {
+            const refreshToken = await this.retrieveRefreshToken(context);
+            if (!refreshToken)
+                throw new errors_1.MissingTokenError("Refresh");
+            const payload = await this.verifyRefreshToken(refreshToken);
+            if (!payload)
+                throw new errors_1.InvalidTokenError("Refresh");
+            const newAccessToken = await this.generateAccessToken(payload);
+            let newRefreshToken = await this.generateRefreshToken(payload);
+            await this.storeAccessToken(newAccessToken, context);
+            if (newRefreshToken) {
+                await this.storeRefreshToken(newRefreshToken, context);
+            }
+            this.embedAccessToken(newAccessToken, context);
+            this.embedRefreshToken(newRefreshToken, context);
+            return { accessToken: newAccessToken, refreshToken: newRefreshToken };
+        }
+        catch (error) {
+            this.logger?.error("Token rotation failed:", error);
+            throw new errors_1.InvalidTokenError("Refresh");
+        }
+    }
+}
+exports.TokenAuthStrategy = TokenAuthStrategy;

package/build/tools/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./session.tools";
+export * from "./token.tools";
+export * from "./tools";

package/build/tools/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./session.tools"), exports);
+__exportStar(require("./token.tools"), exports);
+__exportStar(require("./tools"), exports);

package/build/types.d.ts

@@ -36,21 +36,22 @@ export type Credentials = {
     [key: string]: unknown;
 };
 export interface AuthResultConfig<TContext = unknown, TUser = unknown> {
-    onSuccess?: (context: AuthSuccessContext<TUser, TContext>) => Promise<void> | void;
-    onFailure?: (context: AuthFailureContext<TContext>) => Promise<void> | void;
+    onSuccess?: (action: string, context: AuthSuccessContext<TUser, TContext>) => Promise<void> | void;
+    onFailure?: (action: string, context: AuthFailureContext<TContext>) => Promise<void> | void;
 }
 export interface SecurityConfig {
     maxFailedLoginAttempts?: number;
     lockoutDuration?: number;
     notifyOnLockout?: (account: any) => Promise<void>;
 }
-export interface BaseAuthStrategyConfig<TContext = unknown, TUser = unknown> {
+export interface BaseAuthStrategyConfig<TContext = unknown, TUser = unknown> extends AuthResultConfig<TContext, TUser> {
     mfa?: MfaConfig<TUser, TContext>;
     session?: SessionConfig;
     role?: RoleAuthorizationConfig<TUser>;
     rateLimit?: RateLimitConfig;
     security?: SecurityConfig;
     lock?: AccountLockConfig<TContext>;
+    failedAttempts?: FailedAttemptsConfig;
 }
 export interface AuditLoggingConfig<TContext = unknown> {
     logAttempt?: (userId: string, success: boolean, context?: TContext) => Promise<void>;
@@ -77,54 +78,58 @@ export interface PasswordPolicyConfig {
     getLastPasswordChange?: (identifier: string) => Date;
     forcePasswordChangeOnFirstLogin?: boolean;
     passwordExpirationDays?: number;
+    isPasswordChangeRequired?: (identifier: string) => Promise<boolean>;
+    generateResetToken?: (identifier: string) => Promise<string>;
+    sendResetEmail?: (identifier: string, token: string) => Promise<void>;
+    validateResetToken?: (token: string) => Promise<boolean>;
+    updatePassword?: (identifier: string, newPassword: string) => Promise<void>;
 }
-export interface CredentialBasedAuthStrategyConfig<TContext = unknown, TUser = unknown> extends BaseAuthStrategyConfig<TContext, TUser> {
+export interface UserConfig {
+    getUserData: (payload: any) => Promise<any>;
+    validateUser?: (payload: any) => Promise<any>;
+}
+export interface CredentailsConfig<TContext = any> {
+    extractCredentials: <TCredentials = {
+        identifier: string;
+        password: string;
+    }>(context: TContext) => TCredentials;
+    verifyCredentials: (identifier: string, password: string) => Promise<boolean>;
+}
+export interface FailedAttemptsConfig {
+    incrementFailedAttempts?: (identifier: string, ...rest: unknown[]) => Promise<void>;
+    resetFailedAttempts?: (identifier: string, ...rest: unknown[]) => Promise<void>;
+    getFailedAttempts?: (identifier: string, ...rest: unknown[]) => Promise<number>;
+}
+export interface CredentialAuthStrategyConfig<TContext = unknown, TUser = unknown> extends BaseAuthStrategyConfig<TContext, TUser> {
     passwordPolicy?: PasswordPolicyConfig;
     audit?: AuditLoggingConfig<TContext>;
-    logout: {} & AuthResultConfig<TContext, TUser>;
-    login: {
-        extractCredentials: (context: TContext) => Promise<{
-            identifier: string;
-            password: string;
-        }>;
-        retrieveUserData: (identifier: string) => Promise<TUser | null>;
-        verifyUserCredentials: (identifier: string, password: string) => Promise<boolean>;
-        incrementFailedAttempts?: (identifier: string) => Promise<void>;
-        resetFailedAttempts?: (identifier: string) => Promise<void>;
-        getFailedAttempts?: (identifier: string) => Promise<number>;
-    } & AuthResultConfig<TContext, TUser>;
-    passwordReset?: {
-        generateResetToken?: (identifier: string) => Promise<string>;
-        sendResetEmail?: (identifier: string, token: string) => Promise<void>;
-        validateResetToken?: (token: string) => Promise<boolean>;
-        updatePassword?: (identifier: string, newPassword: string) => Promise<void>;
-    } & AuthResultConfig<TContext, TUser>;
-}
-export interface TokenBasedAuthStrategyConfig<TContext = unknown, TUser = unknown> extends BaseAuthStrategyConfig<TContext, TUser> {
-    rotation?: TokenRotationConfig<TUser>;
-    login: {
-        retrieveUserData: (identifier: string) => Promise<TUser | null>;
-    } & AuthResultConfig<TContext, TUser>;
-    logout: {} & AuthResultConfig<TContext, TUser>;
-}
-export interface TokenRotationConfig<TUser = unknown> {
-    maxRotations?: number;
-    storeUsedTokens?: boolean;
-    getRefreshToken?: (user: TUser) => Promise<string>;
-    rotateToken?: (refreshToken: string) => Promise<{
-        accessToken: string;
-        refreshToken: string;
-    }>;
-    onTokenRotated?: (user: TUser, newTokens: {
-        accessToken: string;
-        refreshToken: string;
-    }) => Promise<void>;
-    onTokenRotationFailure?: (user: TUser, error: Error) => Promise<void>;
+    credentials?: CredentailsConfig<TContext>;
+    user?: UserConfig;
+    routes?: {
+        login?: AuthRouteConfig;
+        logout?: AuthRouteConfig;
+        resetPassword?: AuthRouteConfig;
+    };
+}
+export type AuthRouteConfig = {
+    path?: string;
+    method?: string;
+};
+export interface TokenAuthStrategyConfig<TContext = unknown, TUser = unknown> extends BaseAuthStrategyConfig<TContext, TUser> {
+    user?: UserConfig;
+    routes: {
+        login?: AuthRouteConfig;
+        logout?: AuthRouteConfig;
+        refresh?: AuthRouteConfig;
+        [key: string]: AuthRouteConfig;
+    };
+    accessToken?: TokenConfig<TContext>;
+    refreshToken?: TokenConfig<TContext>;
 }
 export interface AccountLockConfig<TContext = unknown> {
     logFailedAttempt?: (account: any, context?: TContext) => Promise<void>;
-    lockAccount?: (account: any, ...args: unknown[]) => Promise<void>;
-    isAccountLocked?: (account: any, ...args: unknown[]) => Promise<boolean>;
+    lockAccount?: (account: any) => Promise<void>;
+    isAccountLocked?: (account: any, context?: TContext) => Promise<boolean>;
 }
 export interface RateLimitConfig {
     checkRateLimit?: (...args: unknown[]) => Promise<boolean>;
@@ -159,7 +164,7 @@ export type AuthResult<TUser, TSessionData = unknown> = {
 };
 export interface AuthStrategy<TContext = unknown, TUser = unknown> {
     init?(...args: unknown[]): Promise<void>;
-    authenticate(context?: TContext, ...args: unknown[]): Promise<AuthResult<TUser>>;
+    authenticate(context?: TContext, ...args: unknown[]): Promise<AuthResult<TUser> | null>;
     authorize?(user: any, action: string, resource?: string): Promise<boolean>;
     refresh?(refreshToken: string): Promise<string>;
     logout?(context?: TContext): Promise<void>;
@@ -230,18 +235,43 @@ export interface StorageContext {
     encrypt?: (data: string) => Promise<string> | string;
     decrypt?: (data: string) => Promise<string> | string;
 }
-export interface TokenConfig {
+export interface TokenIssuerConfig {
     secretKey: string;
-    expiresIn: string | number;
-    audience?: string | string[];
-    issuer?: string | string[];
-    subject?: string;
-    tokenType?: string;
+    options: {
+        expiresIn: string | number;
+        audience?: string | string[];
+        issuer?: string | string[];
+        subject?: string;
+        [option: string]: unknown;
+    };
     generate?: (payload: any) => string;
+}
+export interface TokenVerifierConfig {
+    options: {
+        [option: string]: unknown;
+    };
     verify?: (token: string) => Promise<any>;
-    store?: (token: string, data: any, expiresIn: number) => Promise<void>;
-    retrieve?: (context: any) => Promise<string | null>;
-    remove?: (context: any) => Promise<void>;
-    embed?: (context: any, token: string) => void;
-    rotate?: (oldToken: string) => Promise<string>;
+}
+export interface TokenPersistenceConfig {
+    store?: (token: string, data: any, expiresIn: string | number) => Promise<void>;
+    read?: (...args: any[]) => Promise<string | null>;
+    remove?: (...args: any[]) => Promise<void>;
+}
+export interface TokenConfig<TContext = any> {
+    embed?: (context: TContext, token: string) => void;
+    retrieve?: (context: TContext) => Promise<string | null>;
+    rotation?: TokenRotationConfig;
+    issuer?: TokenIssuerConfig;
+    verifier?: TokenVerifierConfig;
+    persistence?: TokenPersistenceConfig;
+    additional?: Record<string, unknown>;
+}
+export interface TokenRotationConfig {
+    maxRotations?: number;
+    rotateToken?: (token: string) => Promise<string>;
+}
+export interface PKCEConfig<TContext> {
+    generateCodeVerifier?: () => string;
+    storeCodeVerifier?: (context: TContext, codeVerifier: string) => void;
+    retrieveCodeVerifier?: (context: TContext) => string | null;
 }