@spfn/auth 0.2.0-beta.59 → 0.2.0-beta.60

package/dist/nextjs/api.js

@@ -1,8 +1,253 @@
 // src/nextjs/api.ts
 import { registerInterceptors } from "@spfn/core/nextjs/server";
 
-// src/nextjs/interceptors/login-register.ts
-import { generateKeyPair, sealSession, getSessionTtl, COOKIE_NAMES, authLogger } from "@spfn/auth/server";
+// src/server/lib/crypto.ts
+import crypto2 from "crypto";
+import jwt from "jsonwebtoken";
+function generateKeyPairES256() {
+  const keyId = crypto2.randomUUID();
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ec", {
+    namedCurve: "P-256",
+    // ES256
+    publicKeyEncoding: {
+      type: "spki",
+      format: "der"
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format: "der"
+    }
+  });
+  const privateKeyB64 = privateKey.toString("base64");
+  const publicKeyB64 = publicKey.toString("base64");
+  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
+  return {
+    privateKey: privateKeyB64,
+    publicKey: publicKeyB64,
+    keyId,
+    fingerprint,
+    algorithm: "ES256"
+  };
+}
+function generateKeyPairRS256() {
+  const keyId = crypto2.randomUUID();
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: {
+      type: "spki",
+      format: "der"
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format: "der"
+    }
+  });
+  const privateKeyB64 = privateKey.toString("base64");
+  const publicKeyB64 = publicKey.toString("base64");
+  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
+  return {
+    privateKey: privateKeyB64,
+    publicKey: publicKeyB64,
+    keyId,
+    fingerprint,
+    algorithm: "RS256"
+  };
+}
+function generateKeyPair(algorithm = "ES256") {
+  return algorithm === "ES256" ? generateKeyPairES256() : generateKeyPairRS256();
+}
+function generateClientToken(payload, privateKeyB64, algorithm, options) {
+  try {
+    const privateKeyDER = Buffer.from(privateKeyB64, "base64");
+    const privateKeyObject = crypto2.createPrivateKey({
+      key: privateKeyDER,
+      format: "der",
+      type: "pkcs8"
+    });
+    const privateKeyPEM = privateKeyObject.export({
+      type: "pkcs8",
+      format: "pem"
+    });
+    const signOptions = {
+      algorithm,
+      issuer: options?.issuer || "spfn-client",
+      expiresIn: options?.expiresIn ?? "15m"
+      // Default to 15 minutes
+    };
+    return jwt.sign(payload, privateKeyPEM, signOptions);
+  } catch (error) {
+    throw new Error(
+      `Failed to generate client token: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// src/server/lib/session.ts
+import * as jose from "jose";
+import { env } from "@spfn/auth/config";
+import { env as coreEnv } from "@spfn/core/config";
+
+// src/server/logger.ts
+import { logger as rootLogger } from "@spfn/core/logger";
+var authLogger = {
+  plugin: rootLogger.child("@spfn/auth:plugin"),
+  middleware: rootLogger.child("@spfn/auth:middleware"),
+  interceptor: {
+    general: rootLogger.child("@spfn/auth:interceptor:general"),
+    login: rootLogger.child("@spfn/auth:interceptor:login"),
+    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation"),
+    oauth: rootLogger.child("@spfn/auth:interceptor:oauth")
+  },
+  session: rootLogger.child("@spfn/auth:session"),
+  service: rootLogger.child("@spfn/auth:service"),
+  setup: rootLogger.child("@spfn/auth:setup"),
+  email: rootLogger.child("@spfn/auth:email"),
+  sms: rootLogger.child("@spfn/auth:sms")
+};
+
+// src/server/lib/session.ts
+async function getSessionSecretKey() {
+  const secret = env.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(secret);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+async function getSecretFingerprint() {
+  const key = await getSessionSecretKey();
+  const hash = await crypto.subtle.digest("SHA-256", key.buffer);
+  const hex = Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return hex.slice(0, 8);
+}
+async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
+  const secret = await getSessionSecretKey();
+  const result = await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  if (coreEnv.NODE_ENV !== "production") {
+    const fingerprint = await getSecretFingerprint();
+    authLogger.session.debug(`Sealed session`, {
+      secretFingerprint: fingerprint,
+      resultLength: result.length,
+      resultPrefix: result.slice(0, 20)
+    });
+  }
+  return result;
+}
+async function unsealSession(jwt2) {
+  try {
+    const secret = await getSessionSecretKey();
+    const { payload } = await jose.jwtDecrypt(jwt2, secret, {
+      issuer: "spfn-auth",
+      audience: "spfn-client"
+    });
+    return payload.data;
+  } catch (err) {
+    if (err instanceof jose.errors.JWTExpired) {
+      throw new Error("Session expired");
+    }
+    if (err instanceof jose.errors.JWEDecryptionFailed) {
+      if (coreEnv.NODE_ENV !== "production") {
+        const fingerprint = await getSecretFingerprint();
+        authLogger.session.warn(`JWE decryption failed`, {
+          secretFingerprint: fingerprint,
+          jwtLength: jwt2.length,
+          jwtPrefix: jwt2.slice(0, 20),
+          jwtSuffix: jwt2.slice(-10)
+        });
+      }
+      throw new Error("Invalid session");
+    }
+    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+      throw new Error("Session validation failed");
+    }
+    throw new Error("Failed to unseal session");
+  }
+}
+async function getSessionInfo(jwt2) {
+  const secret = await getSessionSecretKey();
+  try {
+    const { payload } = await jose.jwtDecrypt(jwt2, secret);
+    return {
+      issuedAt: new Date(payload.iat * 1e3),
+      expiresAt: new Date(payload.exp * 1e3),
+      issuer: payload.iss || "",
+      audience: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud || ""
+    };
+  } catch (err) {
+    if (coreEnv.NODE_ENV !== "production") {
+      authLogger.session.warn("Failed to get session info:", err instanceof Error ? err.message : "Unknown error");
+    }
+    return null;
+  }
+}
+async function shouldRefreshSession(jwt2, thresholdHours = 24) {
+  const info = await getSessionInfo(jwt2);
+  if (!info) {
+    return true;
+  }
+  const hoursRemaining = (info.expiresAt.getTime() - Date.now()) / (1e3 * 60 * 60);
+  return hoursRemaining < thresholdHours;
+}
+
+// src/server/lib/config.ts
+import { env as env2 } from "@spfn/auth/config";
+function getCookieSuffix() {
+  const port = process.env.PORT;
+  return port ? `_${port}` : "";
+}
+var COOKIE_NAMES = {
+  /** Encrypted session data (userId, privateKey, keyId, algorithm) */
+  get SESSION() {
+    return `spfn_session${getCookieSuffix()}`;
+  },
+  /** Current key ID (for key rotation) */
+  get SESSION_KEY_ID() {
+    return `spfn_session_key_id${getCookieSuffix()}`;
+  },
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  get OAUTH_PENDING() {
+    return `spfn_oauth_pending${getCookieSuffix()}`;
+  }
+};
+function parseDuration(duration) {
+  if (typeof duration === "number") {
+    return duration;
+  }
+  const match = duration.match(/^(\d+)([dhms]?)$/);
+  if (!match) {
+    throw new Error(`Invalid duration format: ${duration}. Use format like '30d', '12h', '45m', '3600s', or plain number.`);
+  }
+  const value = parseInt(match[1], 10);
+  const unit = match[2] || "s";
+  switch (unit) {
+    case "d":
+      return value * 24 * 60 * 60;
+    case "h":
+      return value * 60 * 60;
+    case "m":
+      return value * 60;
+    case "s":
+      return value;
+    default:
+      throw new Error(`Unknown duration unit: ${unit}`);
+  }
+}
+var globalConfig = {
+  sessionTtl: "7d"
+  // Default: 7 days
+};
+function getSessionTtl(override) {
+  if (override !== void 0) {
+    return parseDuration(override);
+  }
+  if (globalConfig.sessionTtl !== void 0) {
+    return parseDuration(globalConfig.sessionTtl);
+  }
+  const envTtl = env2.SPFN_AUTH_SESSION_TTL;
+  if (envTtl) {
+    return parseDuration(envTtl);
+  }
+  return 7 * 24 * 60 * 60;
+}
 
 // src/nextjs/interceptors/cookie-options.ts
 function resolveSecure() {
@@ -91,7 +336,6 @@ var loginRegisterInterceptor = {
 };
 
 // src/nextjs/interceptors/general-auth.ts
-import { unsealSession, sealSession as sealSession2, shouldRefreshSession, generateClientToken, getSessionTtl as getSessionTtl2, COOKIE_NAMES as COOKIE_NAMES2, authLogger as authLogger2 } from "@spfn/auth/server";
 function requiresAuth(path) {
   const publicPaths = [
     /^\/_auth\/login$/,
@@ -111,18 +355,18 @@ var generalAuthInterceptor = {
   method: ["GET", "POST", "PUT", "PATCH", "DELETE"],
   request: async (ctx, next) => {
     if (!requiresAuth(ctx.path)) {
-      authLogger2.interceptor.general.debug(`Public path, skipping auth: ${ctx.path}`);
+      authLogger.interceptor.general.debug(`Public path, skipping auth: ${ctx.path}`);
       await next();
       return;
     }
     const cookieNames = Array.from(ctx.cookies.keys());
-    authLogger2.interceptor.general.debug("Available cookies:", {
+    authLogger.interceptor.general.debug("Available cookies:", {
       cookieNames,
       totalCount: cookieNames.length,
-      lookingFor: COOKIE_NAMES2.SESSION
+      lookingFor: COOKIE_NAMES.SESSION
     });
-    const sessionCookie = ctx.cookies.get(COOKIE_NAMES2.SESSION);
-    authLogger2.interceptor.general.debug("Request", {
+    const sessionCookie = ctx.cookies.get(COOKIE_NAMES.SESSION);
+    authLogger.interceptor.general.debug("Request", {
       method: ctx.method,
       path: ctx.path,
       hasSession: !!sessionCookie,
@@ -131,19 +375,19 @@ var generalAuthInterceptor = {
       sessionSuffix: sessionCookie?.slice(-10) ?? ""
     });
     if (!sessionCookie) {
-      authLogger2.interceptor.general.debug("No session cookie, proceeding without auth");
+      authLogger.interceptor.general.debug("No session cookie, proceeding without auth");
       await next();
       return;
     }
     try {
       const session = await unsealSession(sessionCookie);
-      authLogger2.interceptor.general.debug("Session valid", {
+      authLogger.interceptor.general.debug("Session valid", {
         userId: session.userId,
         keyId: session.keyId
       });
       const needsRefresh = await shouldRefreshSession(sessionCookie, 24);
       if (needsRefresh) {
-        authLogger2.interceptor.general.debug("Session needs refresh (within 24h of expiry)");
+        authLogger.interceptor.general.debug("Session needs refresh (within 24h of expiry)");
         ctx.metadata.refreshSession = true;
         ctx.metadata.sessionData = session;
       }
@@ -157,7 +401,7 @@ var generalAuthInterceptor = {
         session.algorithm,
         { expiresIn: "15m" }
       );
-      authLogger2.interceptor.general.debug("Generated JWT token (expires in 15m)");
+      authLogger.interceptor.general.debug("Generated JWT token (expires in 15m)");
       ctx.headers["Authorization"] = `Bearer ${token}`;
       ctx.headers["X-Key-Id"] = session.keyId;
       ctx.metadata.userId = session.userId;
@@ -166,31 +410,31 @@ var generalAuthInterceptor = {
       const err = error;
       const msg = err.message.toLowerCase();
       if (msg.includes("expired") || msg.includes("invalid")) {
-        authLogger2.interceptor.general.warn("Session expired or invalid", {
+        authLogger.interceptor.general.warn("Session expired or invalid", {
           message: err.message,
           cookieLength: sessionCookie.length,
           cookiePrefix: sessionCookie.slice(0, 20),
           cookieSuffix: sessionCookie.slice(-10)
         });
-        authLogger2.interceptor.general.debug("Marking session for cleanup");
+        authLogger.interceptor.general.debug("Marking session for cleanup");
         ctx.metadata.clearSession = true;
         ctx.metadata.sessionValid = false;
       } else {
-        authLogger2.interceptor.general.error("Failed to process session", err);
+        authLogger.interceptor.general.error("Failed to process session", err);
       }
     }
     await next();
   },
   response: async (ctx, next) => {
     if (ctx.response.status === 401 && ctx.metadata.sessionValid) {
-      authLogger2.interceptor.general.warn("Backend returned 401, clearing session");
+      authLogger.interceptor.general.warn("Backend returned 401, clearing session");
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: "",
         options: { maxAge: 0, path: "/" }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: "",
         options: { maxAge: 0, path: "/" }
       });
@@ -199,7 +443,7 @@ var generalAuthInterceptor = {
     }
     if (ctx.metadata.clearSession) {
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: "",
         options: {
           maxAge: 0,
@@ -207,7 +451,7 @@ var generalAuthInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: "",
         options: {
           maxAge: 0,
@@ -217,10 +461,10 @@ var generalAuthInterceptor = {
     } else if (ctx.metadata.refreshSession && ctx.response.status === 200) {
       try {
         const sessionData = ctx.metadata.sessionData;
-        const ttl = getSessionTtl2();
-        const sealed = await sealSession2(sessionData, ttl);
+        const ttl = getSessionTtl();
+        const sealed = await sealSession(sessionData, ttl);
         ctx.setCookies.push({
-          name: COOKIE_NAMES2.SESSION,
+          name: COOKIE_NAMES.SESSION,
           value: sealed,
           options: {
             httpOnly: true,
@@ -231,7 +475,7 @@ var generalAuthInterceptor = {
           }
         });
         ctx.setCookies.push({
-          name: COOKIE_NAMES2.SESSION_KEY_ID,
+          name: COOKIE_NAMES.SESSION_KEY_ID,
           value: sessionData.keyId,
           options: {
             httpOnly: true,
@@ -241,18 +485,18 @@ var generalAuthInterceptor = {
             path: "/"
           }
         });
-        authLogger2.interceptor.general.info("Session refreshed", {
+        authLogger.interceptor.general.info("Session refreshed", {
           userId: sessionData.userId,
           sealedLength: sealed.length,
           sealedPrefix: sealed.slice(0, 20)
         });
       } catch (error) {
         const err = error;
-        authLogger2.interceptor.general.error("Failed to refresh session", err);
+        authLogger.interceptor.general.error("Failed to refresh session", err);
       }
     } else if (ctx.path === "/_auth/logout" && ctx.response.ok) {
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: "",
         options: {
           maxAge: 0,
@@ -260,7 +504,7 @@ var generalAuthInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES2.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: "",
         options: {
           maxAge: 0,
@@ -273,19 +517,18 @@ var generalAuthInterceptor = {
 };
 
 // src/nextjs/interceptors/key-rotation.ts
-import { generateKeyPair as generateKeyPair2, unsealSession as unsealSession2, sealSession as sealSession3, generateClientToken as generateClientToken2, getSessionTtl as getSessionTtl3, COOKIE_NAMES as COOKIE_NAMES3, authLogger as authLogger3 } from "@spfn/auth/server";
 var keyRotationInterceptor = {
   pathPattern: "/_auth/keys/rotate",
   method: "POST",
   request: async (ctx, next) => {
-    const sessionCookie = ctx.cookies.get(COOKIE_NAMES3.SESSION);
+    const sessionCookie = ctx.cookies.get(COOKIE_NAMES.SESSION);
     if (!sessionCookie) {
       await next();
       return;
     }
     try {
-      const currentSession = await unsealSession2(sessionCookie);
-      const newKeyPair = generateKeyPair2("ES256");
+      const currentSession = await unsealSession(sessionCookie);
+      const newKeyPair = generateKeyPair("ES256");
       if (!ctx.body) {
         ctx.body = {};
       }
@@ -298,7 +541,7 @@ var keyRotationInterceptor = {
       console.log("publicKey:", newKeyPair.publicKey);
       console.log("keyId:", newKeyPair.keyId);
       console.log("fingerprint:", newKeyPair.fingerprint);
-      const token = generateClientToken2(
+      const token = generateClientToken(
         {
           userId: currentSession.userId,
           keyId: currentSession.keyId,
@@ -317,7 +560,7 @@ var keyRotationInterceptor = {
       ctx.metadata.userId = currentSession.userId;
     } catch (error) {
       const err = error;
-      authLogger3.interceptor.keyRotation.error("Failed to prepare key rotation", err);
+      authLogger.interceptor.keyRotation.error("Failed to prepare key rotation", err);
     }
     await next();
   },
@@ -327,21 +570,21 @@ var keyRotationInterceptor = {
       return;
     }
     if (!ctx.metadata.newPrivateKey || !ctx.metadata.userId) {
-      authLogger3.interceptor.keyRotation.error("Missing key rotation metadata");
+      authLogger.interceptor.keyRotation.error("Missing key rotation metadata");
       await next();
       return;
     }
     try {
-      const ttl = getSessionTtl3();
+      const ttl = getSessionTtl();
       const newSessionData = {
         userId: ctx.metadata.userId,
         privateKey: ctx.metadata.newPrivateKey,
         keyId: ctx.metadata.newKeyId,
         algorithm: ctx.metadata.newAlgorithm
       };
-      const sealed = await sealSession3(newSessionData, ttl);
+      const sealed = await sealSession(newSessionData, ttl);
       ctx.setCookies.push({
-        name: COOKIE_NAMES3.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: sealed,
         options: {
           httpOnly: true,
@@ -352,7 +595,7 @@ var keyRotationInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES3.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: ctx.metadata.newKeyId,
         options: {
           httpOnly: true,
@@ -364,36 +607,50 @@ var keyRotationInterceptor = {
       });
     } catch (error) {
       const err = error;
-      authLogger3.interceptor.keyRotation.error("Failed to update session after rotation", err);
+      authLogger.interceptor.keyRotation.error("Failed to update session after rotation", err);
     }
     await next();
   }
 };
 
-// src/nextjs/interceptors/oauth.ts
-import {
-  generateKeyPair as generateKeyPair3,
-  createOAuthState,
-  sealSession as sealSession5,
-  COOKIE_NAMES as COOKIE_NAMES5,
-  getSessionTtl as getSessionTtl5,
-  authLogger as authLogger4
-} from "@spfn/auth/server";
+// src/server/lib/oauth/state.ts
+import * as jose2 from "jose";
+import { env as env3 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env3.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm,
+    metadata: params.metadata
+  };
+  const jwe = await new jose2.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
 
 // src/nextjs/session-helpers.ts
-import * as jose from "jose";
+import * as jose3 from "jose";
 import { cookies } from "next/headers.js";
-import {
-  sealSession as sealSession4,
-  unsealSession as unsealSession3,
-  COOKIE_NAMES as COOKIE_NAMES4,
-  getSessionTtl as getSessionTtl4,
-  parseDuration
-} from "@spfn/auth/server";
-import { env } from "@spfn/auth/config";
+import { env as env4 } from "@spfn/auth/config";
 import { logger } from "@spfn/core/logger";
 async function getPendingSessionKey() {
-  const secret = env.SPFN_AUTH_SESSION_SECRET;
+  const secret = env4.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(`oauth-pending:${secret}`);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -401,11 +658,11 @@ async function getPendingSessionKey() {
 }
 async function sealPendingSession(data, ttl = 600) {
   const key = await getPendingSessionKey();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-oauth").encrypt(key);
+  return await new jose3.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-oauth").encrypt(key);
 }
-async function unsealPendingSession(jwt) {
+async function unsealPendingSession(jwt2) {
   const key = await getPendingSessionKey();
-  const { payload } = await jose.jwtDecrypt(jwt, key, {
+  const { payload } = await jose3.jwtDecrypt(jwt2, key, {
     issuer: "spfn-auth",
     audience: "spfn-oauth"
   });
@@ -419,7 +676,7 @@ var oauthUrlInterceptor = {
   request: async (ctx, next) => {
     const provider = ctx.path.split("/")[3];
     const returnUrl = ctx.body?.returnUrl || "/";
-    const keyPair = generateKeyPair3("ES256");
+    const keyPair = generateKeyPair("ES256");
     const state = await createOAuthState({
       provider,
       returnUrl,
@@ -437,7 +694,7 @@ var oauthUrlInterceptor = {
       keyId: keyPair.keyId,
       algorithm: keyPair.algorithm
     };
-    authLogger4.interceptor.oauth?.debug?.("OAuth state created", {
+    authLogger.interceptor.oauth?.debug?.("OAuth state created", {
       provider,
       keyId: keyPair.keyId
     });
@@ -448,7 +705,7 @@ var oauthUrlInterceptor = {
       try {
         const sealed = await sealPendingSession(ctx.metadata.pendingSession);
         ctx.setCookies.push({
-          name: COOKIE_NAMES5.OAUTH_PENDING,
+          name: COOKIE_NAMES.OAUTH_PENDING,
           value: sealed,
           options: {
             httpOnly: true,
@@ -460,12 +717,12 @@ var oauthUrlInterceptor = {
             path: "/"
           }
         });
-        authLogger4.interceptor.oauth?.debug?.("Pending session cookie set", {
+        authLogger.interceptor.oauth?.debug?.("Pending session cookie set", {
           keyId: ctx.metadata.pendingSession.keyId
         });
       } catch (error) {
         const err = error;
-        authLogger4.interceptor.oauth?.error?.("Failed to set pending session", err);
+        authLogger.interceptor.oauth?.error?.("Failed to set pending session", err);
       }
     }
     await next();
@@ -477,7 +734,7 @@ function setFinalizeError(ctx, message) {
   ctx.response.statusText = "Unauthorized";
   ctx.response.body = { success: false, message };
   ctx.setCookies.push({
-    name: COOKIE_NAMES5.OAUTH_PENDING,
+    name: COOKIE_NAMES.OAUTH_PENDING,
     value: "",
     options: {
       httpOnly: true,
@@ -496,9 +753,9 @@ var oauthFinalizeInterceptor = {
       await next();
       return;
     }
-    const pendingCookie = ctx.cookies.get(COOKIE_NAMES5.OAUTH_PENDING);
+    const pendingCookie = ctx.cookies.get(COOKIE_NAMES.OAUTH_PENDING);
     if (!pendingCookie) {
-      authLogger4.interceptor.oauth?.warn?.("No pending session cookie found");
+      authLogger.interceptor.oauth?.warn?.("No pending session cookie found");
       setFinalizeError(ctx, "OAuth session expired. Please try again.");
       await next();
       return;
@@ -507,13 +764,13 @@ var oauthFinalizeInterceptor = {
       const pendingSession = await unsealPendingSession(pendingCookie);
       const { userId, keyId } = ctx.response.body || {};
       if (!userId || !keyId) {
-        authLogger4.interceptor.oauth?.error?.("Missing userId or keyId in response");
+        authLogger.interceptor.oauth?.error?.("Missing userId or keyId in response");
         setFinalizeError(ctx, "OAuth finalize failed: missing credentials");
         await next();
         return;
       }
       if (pendingSession.keyId !== keyId) {
-        authLogger4.interceptor.oauth?.error?.("KeyId mismatch", {
+        authLogger.interceptor.oauth?.error?.("KeyId mismatch", {
           expected: pendingSession.keyId,
           received: keyId
         });
@@ -521,15 +778,15 @@ var oauthFinalizeInterceptor = {
         await next();
         return;
       }
-      const ttl = getSessionTtl5();
-      const sessionToken = await sealSession5({
+      const ttl = getSessionTtl();
+      const sessionToken = await sealSession({
         userId,
         privateKey: pendingSession.privateKey,
         keyId: pendingSession.keyId,
         algorithm: pendingSession.algorithm
       }, ttl);
       ctx.setCookies.push({
-        name: COOKIE_NAMES5.SESSION,
+        name: COOKIE_NAMES.SESSION,
         value: sessionToken,
         options: {
           httpOnly: true,
@@ -540,7 +797,7 @@ var oauthFinalizeInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES5.SESSION_KEY_ID,
+        name: COOKIE_NAMES.SESSION_KEY_ID,
         value: keyId,
         options: {
           httpOnly: true,
@@ -551,7 +808,7 @@ var oauthFinalizeInterceptor = {
         }
       });
       ctx.setCookies.push({
-        name: COOKIE_NAMES5.OAUTH_PENDING,
+        name: COOKIE_NAMES.OAUTH_PENDING,
         value: "",
         options: {
           httpOnly: true,
@@ -561,13 +818,13 @@ var oauthFinalizeInterceptor = {
           path: "/"
         }
       });
-      authLogger4.interceptor.oauth?.debug?.("OAuth session finalized", {
+      authLogger.interceptor.oauth?.debug?.("OAuth session finalized", {
         userId,
         keyId
       });
     } catch (error) {
       const err = error;
-      authLogger4.interceptor.oauth?.error?.("Failed to finalize OAuth session", err);
+      authLogger.interceptor.oauth?.error?.("Failed to finalize OAuth session", err);
       setFinalizeError(ctx, err.message);
     }
     await next();