@strapi/core 0.0.0-experimental.864696ab15724578c0d6eea176c168b29a039255 → 0.0.0-experimental.8a41bddd1fbbac61aa43a961ea1ff74ac586cf55

package/dist/services/server/routing.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"routing.mjs","sources":["../../../src/services/server/routing.ts"],"sourcesContent":["import Router from '@koa/router';\nimport { has } from 'lodash/fp';\nimport { yup } from '@strapi/utils';\nimport type { Core } from '@strapi/types';\n\nimport createEndpointComposer from './compose-endpoint';\n\nconst policyOrMiddlewareSchema = yup.lazy((value) => {\n  if (typeof value === 'string') {\n    return yup.string().required();\n  }\n\n  if (typeof value === 'function') {\n    return yup.mixed().isFunction();\n  }\n\n  return yup.object({\n    name: yup.string().required(),\n    options: yup.object().notRequired(), // any options\n  });\n});\n\nconst routeSchema = yup.object({\n  method: yup.string().oneOf(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'ALL']).required(),\n  path: yup.string().required(),\n  handler: yup.lazy((value) => {\n    if (typeof value === 'string') {\n      return yup.string().required();\n    }\n\n    if (Array.isArray(value)) {\n      return yup.array().required();\n    }\n\n    return yup.mixed().isFunction().required();\n  }),\n  config: yup\n    .object({\n      auth: yup.lazy((value) => {\n        if (value === false) {\n          return yup.boolean().required();\n        }\n\n        return yup.object({\n          scope: yup.array().of(yup.string()).required(),\n        });\n      }),\n      policies: yup\n        .array()\n        // FIXME: fixed in yup v1\n        .of(policyOrMiddlewareSchema as any)\n        .notRequired(),\n      middlewares: yup\n        .array()\n        // FIXME: fixed in yup v1\n        .of(policyOrMiddlewareSchema as any)\n        .notRequired(),\n    })\n    .notRequired(),\n});\n\nconst validateRouteConfig = (routeConfig: Core.RouteInput) => {\n  try {\n    return routeSchema.validateSync(routeConfig, {\n      strict: true,\n      abortEarly: false,\n      stripUnknown: true,\n    });\n  } catch (error) {\n    if (error instanceof yup.ValidationError) {\n      throw new Error(`Invalid route config ${error.message}`);\n    }\n  }\n};\n\nconst createRouteManager = (strapi: Core.Strapi, opts: { type?: string } = {}) => {\n  const { type } = opts;\n\n  const composeEndpoint = createEndpointComposer(strapi);\n\n  const createRoute = (route: Core.RouteInput, router: Router) => {\n    validateRouteConfig(route);\n\n    // NOTE: the router type is used to tag controller actions and for authentication / authorization so we need to pass this info down to the route level\n    const routeWithInfo = Object.assign(route, {\n      info: {\n        ...(route.info ?? {}),\n        type: type || 'api',\n      },\n    });\n\n    composeEndpoint(routeWithInfo, { router });\n  };\n\n  const addRoutes = (routes: Core.Router | Core.RouteInput[], router: Router) => {\n    if (Array.isArray(routes)) {\n      routes.forEach((route) => createRoute(route, router));\n    } else if (routes.routes) {\n      const subRouter = new Router({ prefix: routes.prefix });\n\n      routes.routes.forEach((route) => {\n        const hasPrefix = has('prefix', route.config);\n        createRoute(route, hasPrefix ? router : subRouter);\n      });\n\n      return router.use(subRouter.routes(), subRouter.allowedMethods());\n    }\n  };\n\n  return {\n    addRoutes,\n  };\n};\n\nexport { validateRouteConfig, createRouteManager };\n"],"names":["policyOrMiddlewareSchema","yup","lazy","value","string","required","mixed","isFunction","object","name","options","notRequired","routeSchema","method","oneOf","path","handler","Array","isArray","array","config","auth","boolean","scope","of","policies","middlewares","validateRouteConfig","routeConfig","validateSync","strict","abortEarly","stripUnknown","error","ValidationError","Error","message","createRouteManager","strapi","opts","type","composeEndpoint","createEndpointComposer","createRoute","route","router","routeWithInfo","Object","assign","info","addRoutes","routes","forEach","subRouter","Router","prefix","hasPrefix","has","use","allowedMethods"],"mappings":";;;;;AAOA,MAAMA,wBAA2BC,GAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;IACzC,IAAI,OAAOA,UAAU,QAAU,EAAA;QAC7B,OAAOF,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;AAC9B;IAEA,IAAI,OAAOF,UAAU,UAAY,EAAA;QAC/B,OAAOF,GAAAA,CAAIK,KAAK,EAAA,CAAGC,UAAU,EAAA;AAC/B;IAEA,OAAON,GAAAA,CAAIO,MAAM,CAAC;QAChBC,IAAMR,EAAAA,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;QAC3BK,OAAST,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW;AACnC,KAAA,CAAA;AACF,CAAA,CAAA;AAEA,MAAMC,WAAAA,GAAcX,GAAIO,CAAAA,MAAM,CAAC;AAC7BK,IAAAA,MAAAA,EAAQZ,GAAIG,CAAAA,MAAM,EAAGU,CAAAA,KAAK,CAAC;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA;AAAM,KAAA,CAAA,CAAET,QAAQ,EAAA;IACrFU,IAAMd,EAAAA,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;IAC3BW,OAASf,EAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;QACjB,IAAI,OAAOA,UAAU,QAAU,EAAA;YAC7B,OAAOF,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;AAC9B;QAEA,IAAIY,KAAAA,CAAMC,OAAO,CAACf,KAAQ,CAAA,EAAA;YACxB,OAAOF,GAAAA,CAAIkB,KAAK,EAAA,CAAGd,QAAQ,EAAA;AAC7B;AAEA,QAAA,OAAOJ,GAAIK,CAAAA,KAAK,EAAGC,CAAAA,UAAU,GAAGF,QAAQ,EAAA;AAC1C,KAAA,CAAA;IACAe,MAAQnB,EAAAA,GAAAA,CACLO,MAAM,CAAC;QACNa,IAAMpB,EAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;AACd,YAAA,IAAIA,UAAU,KAAO,EAAA;gBACnB,OAAOF,GAAAA,CAAIqB,OAAO,EAAA,CAAGjB,QAAQ,EAAA;AAC/B;YAEA,OAAOJ,GAAAA,CAAIO,MAAM,CAAC;gBAChBe,KAAOtB,EAAAA,GAAAA,CAAIkB,KAAK,EAAGK,CAAAA,EAAE,CAACvB,GAAIG,CAAAA,MAAM,IAAIC,QAAQ;AAC9C,aAAA,CAAA;AACF,SAAA,CAAA;QACAoB,QAAUxB,EAAAA,GAAAA,CACPkB,KAAK,EACN;SACCK,EAAE,CAACxB,0BACHW,WAAW,EAAA;QACde,WAAazB,EAAAA,GAAAA,CACVkB,KAAK,EACN;SACCK,EAAE,CAACxB,0BACHW,WAAW;AAChB,KAAA,CAAA,CACCA,WAAW;AAChB,CAAA,CAAA;AAEA,MAAMgB,sBAAsB,CAACC,WAAAA,GAAAA;IAC3B,IAAI;QACF,OAAOhB,WAAAA,CAAYiB,YAAY,CAACD,WAAa,EAAA;YAC3CE,MAAQ,EAAA,IAAA;YACRC,UAAY,EAAA,KAAA;YACZC,YAAc,EAAA;AAChB,SAAA,CAAA;AACF,KAAA,CAAE,OAAOC,KAAO,EAAA;QACd,IAAIA,KAAAA,YAAiBhC,GAAIiC,CAAAA,eAAe,EAAE;YACxC,MAAM,IAAIC,MAAM,CAAC,qBAAqB,EAAEF,KAAMG,CAAAA,OAAO,CAAC,CAAC,CAAA;AACzD;AACF;AACF;AAEA,MAAMC,kBAAqB,GAAA,CAACC,MAAqBC,EAAAA,IAAAA,GAA0B,EAAE,GAAA;IAC3E,MAAM,EAAEC,IAAI,EAAE,GAAGD,IAAAA;AAEjB,IAAA,MAAME,kBAAkBC,sBAAuBJ,CAAAA,MAAAA,CAAAA;IAE/C,MAAMK,WAAAA,GAAc,CAACC,KAAwBC,EAAAA,MAAAA,GAAAA;QAC3ClB,mBAAoBiB,CAAAA,KAAAA,CAAAA;;AAGpB,QAAA,MAAME,aAAgBC,GAAAA,MAAAA,CAAOC,MAAM,CAACJ,KAAO,EAAA;YACzCK,IAAM,EAAA;AACJ,gBAAA,GAAIL,KAAMK,CAAAA,IAAI,IAAI,EAAE;AACpBT,gBAAAA,IAAAA,EAAMA,IAAQ,IAAA;AAChB;AACF,SAAA,CAAA;AAEAC,QAAAA,eAAAA,CAAgBK,aAAe,EAAA;AAAED,YAAAA;AAAO,SAAA,CAAA;AAC1C,KAAA;IAEA,MAAMK,SAAAA,GAAY,CAACC,MAAyCN,EAAAA,MAAAA,GAAAA;QAC1D,IAAI5B,KAAAA,CAAMC,OAAO,CAACiC,MAAS,CAAA,EAAA;AACzBA,YAAAA,MAAAA,CAAOC,OAAO,CAAC,CAACR,KAAAA,GAAUD,YAAYC,KAAOC,EAAAA,MAAAA,CAAAA,CAAAA;SACxC,MAAA,IAAIM,MAAOA,CAAAA,MAAM,EAAE;YACxB,MAAME,SAAAA,GAAY,IAAIC,MAAO,CAAA;AAAEC,gBAAAA,MAAAA,EAAQJ,OAAOI;AAAO,aAAA,CAAA;AAErDJ,YAAAA,MAAAA,CAAOA,MAAM,CAACC,OAAO,CAAC,CAACR,KAAAA,GAAAA;AACrB,gBAAA,MAAMY,SAAYC,GAAAA,GAAAA,CAAI,QAAUb,EAAAA,KAAAA,CAAMxB,MAAM,CAAA;gBAC5CuB,WAAYC,CAAAA,KAAAA,EAAOY,YAAYX,MAASQ,GAAAA,SAAAA,CAAAA;AAC1C,aAAA,CAAA;AAEA,YAAA,OAAOR,OAAOa,GAAG,CAACL,UAAUF,MAAM,EAAA,EAAIE,UAAUM,cAAc,EAAA,CAAA;AAChE;AACF,KAAA;IAEA,OAAO;AACLT,QAAAA;AACF,KAAA;AACF;;;;"}
+{"version":3,"file":"routing.mjs","sources":["../../../src/services/server/routing.ts"],"sourcesContent":["import Router from '@koa/router';\nimport { has } from 'lodash/fp';\nimport { yup } from '@strapi/utils';\nimport type { Core } from '@strapi/types';\n\nimport createEndpointComposer from './compose-endpoint';\n\nconst policyOrMiddlewareSchema = yup.lazy((value) => {\n  if (typeof value === 'string') {\n    return yup.string().required();\n  }\n\n  if (typeof value === 'function') {\n    return yup.mixed().isFunction();\n  }\n\n  return yup.object({\n    name: yup.string().required(),\n    options: yup.object().notRequired(), // any options\n  });\n});\n\nconst routeSchema = yup.object({\n  method: yup.string().oneOf(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'ALL']).required(),\n  path: yup.string().required(),\n  handler: yup.lazy((value) => {\n    if (typeof value === 'string') {\n      return yup.string().required();\n    }\n\n    if (Array.isArray(value)) {\n      return yup.array().required();\n    }\n\n    return yup.mixed().isFunction().required();\n  }),\n  request: yup\n    .object({\n      params: yup.object().notRequired(),\n      query: yup.object().notRequired(),\n      body: yup.object().notRequired(),\n    })\n    .notRequired(),\n  response: yup.object().notRequired(),\n  config: yup\n    .object({\n      auth: yup.lazy((value) => {\n        if (value === false) {\n          return yup.boolean().required();\n        }\n\n        return yup.object({\n          scope: yup.array().of(yup.string()).required(),\n        });\n      }),\n      policies: yup\n        .array()\n        // FIXME: fixed in yup v1\n        .of(policyOrMiddlewareSchema as any)\n        .notRequired(),\n      middlewares: yup\n        .array()\n        // FIXME: fixed in yup v1\n        .of(policyOrMiddlewareSchema as any)\n        .notRequired(),\n    })\n    .notRequired(),\n});\n\nconst validateRouteConfig = (routeConfig: Core.RouteInput) => {\n  try {\n    return routeSchema.validateSync(routeConfig, {\n      strict: true,\n      abortEarly: false,\n      stripUnknown: true,\n    });\n  } catch (error) {\n    if (error instanceof yup.ValidationError) {\n      throw new Error(`Invalid route config ${error.message}`);\n    }\n  }\n};\n\nconst createRouteManager = (strapi: Core.Strapi, opts: { type?: string } = {}) => {\n  const { type } = opts;\n\n  const composeEndpoint = createEndpointComposer(strapi);\n\n  const createRoute = (route: Core.RouteInput, router: Router) => {\n    validateRouteConfig(route);\n\n    // NOTE: the router type is used to tag controller actions and for authentication / authorization so we need to pass this info down to the route level\n    const routeWithInfo = Object.assign(route, {\n      info: {\n        ...(route.info ?? {}),\n        type: type ?? 'api',\n      },\n    });\n\n    composeEndpoint(routeWithInfo, { router });\n  };\n\n  const addRoutes = (routes: Core.Router | Core.RouteInput[], router: Router) => {\n    if (Array.isArray(routes)) {\n      routes.forEach((route) => createRoute(route, router));\n    } else if (routes.routes) {\n      const subRouter = new Router({ prefix: routes.prefix });\n\n      routes.routes.forEach((route) => {\n        const hasPrefix = has('prefix', route.config);\n        createRoute(route, hasPrefix ? router : subRouter);\n      });\n\n      return router.use(subRouter.routes(), subRouter.allowedMethods());\n    }\n  };\n\n  return {\n    addRoutes,\n  };\n};\n\nexport { validateRouteConfig, createRouteManager };\n"],"names":["policyOrMiddlewareSchema","yup","lazy","value","string","required","mixed","isFunction","object","name","options","notRequired","routeSchema","method","oneOf","path","handler","Array","isArray","array","request","params","query","body","response","config","auth","boolean","scope","of","policies","middlewares","validateRouteConfig","routeConfig","validateSync","strict","abortEarly","stripUnknown","error","ValidationError","Error","message","createRouteManager","strapi","opts","type","composeEndpoint","createEndpointComposer","createRoute","route","router","routeWithInfo","Object","assign","info","addRoutes","routes","forEach","subRouter","Router","prefix","hasPrefix","has","use","allowedMethods"],"mappings":";;;;;AAOA,MAAMA,wBAA2BC,GAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;IACzC,IAAI,OAAOA,UAAU,QAAU,EAAA;QAC7B,OAAOF,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;AAC9B;IAEA,IAAI,OAAOF,UAAU,UAAY,EAAA;QAC/B,OAAOF,GAAAA,CAAIK,KAAK,EAAA,CAAGC,UAAU,EAAA;AAC/B;IAEA,OAAON,GAAAA,CAAIO,MAAM,CAAC;QAChBC,IAAMR,EAAAA,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;QAC3BK,OAAST,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW;AACnC,KAAA,CAAA;AACF,CAAA,CAAA;AAEA,MAAMC,WAAAA,GAAcX,GAAIO,CAAAA,MAAM,CAAC;AAC7BK,IAAAA,MAAAA,EAAQZ,GAAIG,CAAAA,MAAM,EAAGU,CAAAA,KAAK,CAAC;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA;AAAM,KAAA,CAAA,CAAET,QAAQ,EAAA;IACrFU,IAAMd,EAAAA,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;IAC3BW,OAASf,EAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;QACjB,IAAI,OAAOA,UAAU,QAAU,EAAA;YAC7B,OAAOF,GAAAA,CAAIG,MAAM,EAAA,CAAGC,QAAQ,EAAA;AAC9B;QAEA,IAAIY,KAAAA,CAAMC,OAAO,CAACf,KAAQ,CAAA,EAAA;YACxB,OAAOF,GAAAA,CAAIkB,KAAK,EAAA,CAAGd,QAAQ,EAAA;AAC7B;AAEA,QAAA,OAAOJ,GAAIK,CAAAA,KAAK,EAAGC,CAAAA,UAAU,GAAGF,QAAQ,EAAA;AAC1C,KAAA,CAAA;IACAe,OAASnB,EAAAA,GAAAA,CACNO,MAAM,CAAC;QACNa,MAAQpB,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW,EAAA;QAChCW,KAAOrB,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW,EAAA;QAC/BY,IAAMtB,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW;AAChC,KAAA,CAAA,CACCA,WAAW,EAAA;IACda,QAAUvB,EAAAA,GAAAA,CAAIO,MAAM,EAAA,CAAGG,WAAW,EAAA;IAClCc,MAAQxB,EAAAA,GAAAA,CACLO,MAAM,CAAC;QACNkB,IAAMzB,EAAAA,GAAAA,CAAIC,IAAI,CAAC,CAACC,KAAAA,GAAAA;AACd,YAAA,IAAIA,UAAU,KAAO,EAAA;gBACnB,OAAOF,GAAAA,CAAI0B,OAAO,EAAA,CAAGtB,QAAQ,EAAA;AAC/B;YAEA,OAAOJ,GAAAA,CAAIO,MAAM,CAAC;gBAChBoB,KAAO3B,EAAAA,GAAAA,CAAIkB,KAAK,EAAGU,CAAAA,EAAE,CAAC5B,GAAIG,CAAAA,MAAM,IAAIC,QAAQ;AAC9C,aAAA,CAAA;AACF,SAAA,CAAA;QACAyB,QAAU7B,EAAAA,GAAAA,CACPkB,KAAK,EACN;SACCU,EAAE,CAAC7B,0BACHW,WAAW,EAAA;QACdoB,WAAa9B,EAAAA,GAAAA,CACVkB,KAAK,EACN;SACCU,EAAE,CAAC7B,0BACHW,WAAW;AAChB,KAAA,CAAA,CACCA,WAAW;AAChB,CAAA,CAAA;AAEA,MAAMqB,sBAAsB,CAACC,WAAAA,GAAAA;IAC3B,IAAI;QACF,OAAOrB,WAAAA,CAAYsB,YAAY,CAACD,WAAa,EAAA;YAC3CE,MAAQ,EAAA,IAAA;YACRC,UAAY,EAAA,KAAA;YACZC,YAAc,EAAA;AAChB,SAAA,CAAA;AACF,KAAA,CAAE,OAAOC,KAAO,EAAA;QACd,IAAIA,KAAAA,YAAiBrC,GAAIsC,CAAAA,eAAe,EAAE;YACxC,MAAM,IAAIC,MAAM,CAAC,qBAAqB,EAAEF,KAAMG,CAAAA,OAAO,CAAC,CAAC,CAAA;AACzD;AACF;AACF;AAEA,MAAMC,kBAAqB,GAAA,CAACC,MAAqBC,EAAAA,IAAAA,GAA0B,EAAE,GAAA;IAC3E,MAAM,EAAEC,IAAI,EAAE,GAAGD,IAAAA;AAEjB,IAAA,MAAME,kBAAkBC,sBAAuBJ,CAAAA,MAAAA,CAAAA;IAE/C,MAAMK,WAAAA,GAAc,CAACC,KAAwBC,EAAAA,MAAAA,GAAAA;QAC3ClB,mBAAoBiB,CAAAA,KAAAA,CAAAA;;AAGpB,QAAA,MAAME,aAAgBC,GAAAA,MAAAA,CAAOC,MAAM,CAACJ,KAAO,EAAA;YACzCK,IAAM,EAAA;AACJ,gBAAA,GAAIL,KAAMK,CAAAA,IAAI,IAAI,EAAE;AACpBT,gBAAAA,IAAAA,EAAMA,IAAQ,IAAA;AAChB;AACF,SAAA,CAAA;AAEAC,QAAAA,eAAAA,CAAgBK,aAAe,EAAA;AAAED,YAAAA;AAAO,SAAA,CAAA;AAC1C,KAAA;IAEA,MAAMK,SAAAA,GAAY,CAACC,MAAyCN,EAAAA,MAAAA,GAAAA;QAC1D,IAAIjC,KAAAA,CAAMC,OAAO,CAACsC,MAAS,CAAA,EAAA;AACzBA,YAAAA,MAAAA,CAAOC,OAAO,CAAC,CAACR,KAAAA,GAAUD,YAAYC,KAAOC,EAAAA,MAAAA,CAAAA,CAAAA;SACxC,MAAA,IAAIM,MAAOA,CAAAA,MAAM,EAAE;YACxB,MAAME,SAAAA,GAAY,IAAIC,MAAO,CAAA;AAAEC,gBAAAA,MAAAA,EAAQJ,OAAOI;AAAO,aAAA,CAAA;AAErDJ,YAAAA,MAAAA,CAAOA,MAAM,CAACC,OAAO,CAAC,CAACR,KAAAA,GAAAA;AACrB,gBAAA,MAAMY,SAAYC,GAAAA,GAAAA,CAAI,QAAUb,EAAAA,KAAAA,CAAMxB,MAAM,CAAA;gBAC5CuB,WAAYC,CAAAA,KAAAA,EAAOY,YAAYX,MAASQ,GAAAA,SAAAA,CAAAA;AAC1C,aAAA,CAAA;AAEA,YAAA,OAAOR,OAAOa,GAAG,CAACL,UAAUF,MAAM,EAAA,EAAIE,UAAUM,cAAc,EAAA,CAAA;AAChE;AACF,KAAA;IAEA,OAAO;AACLT,QAAAA;AACF,KAAA;AACF;;;;"}

package/dist/services/session-manager.d.ts

@@ -0,0 +1,160 @@
+import type { Database } from '@strapi/database';
+export interface SessionProvider {
+    create(session: SessionData): Promise<SessionData>;
+    findBySessionId(sessionId: string): Promise<SessionData | null>;
+    updateBySessionId(sessionId: string, data: Partial<SessionData>): Promise<void>;
+    deleteBySessionId(sessionId: string): Promise<void>;
+    deleteExpired(): Promise<void>;
+    deleteBy(criteria: {
+        userId?: string;
+        origin?: string;
+        deviceId?: string;
+    }): Promise<void>;
+}
+export interface SessionData {
+    id?: string;
+    userId: string;
+    sessionId: string;
+    deviceId?: string;
+    origin: string;
+    childId?: string | null;
+    type?: 'refresh' | 'session';
+    status?: 'active' | 'rotated' | 'revoked';
+    expiresAt: Date;
+    absoluteExpiresAt?: Date | null;
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+export interface RefreshTokenPayload {
+    userId: string;
+    sessionId: string;
+    type: 'refresh';
+    exp: number;
+    iat: number;
+}
+export interface AccessTokenPayload {
+    userId: string;
+    sessionId: string;
+    type: 'access';
+    exp: number;
+    iat: number;
+}
+export type TokenPayload = RefreshTokenPayload | AccessTokenPayload;
+export interface ValidateRefreshTokenResult {
+    isValid: boolean;
+    userId?: string;
+    sessionId?: string;
+    error?: 'invalid_token' | 'token_expired' | 'session_not_found' | 'session_expired' | 'wrong_token_type';
+}
+export interface SessionManagerConfig {
+    jwtSecret: string;
+    accessTokenLifespan: number;
+    maxRefreshTokenLifespan: number;
+    idleRefreshTokenLifespan: number;
+    maxSessionLifespan: number;
+    idleSessionLifespan: number;
+}
+declare class OriginSessionManager {
+    private sessionManager;
+    private origin;
+    constructor(sessionManager: SessionManager, origin: string);
+    generateRefreshToken(userId: string, deviceId: string | undefined, options?: {
+        type?: 'refresh' | 'session';
+    }): Promise<{
+        token: string;
+        sessionId: string;
+        absoluteExpiresAt: string;
+    }>;
+    generateAccessToken(refreshToken: string): Promise<{
+        token: string;
+    } | {
+        error: string;
+    }>;
+    rotateRefreshToken(refreshToken: string): Promise<{
+        token: string;
+        sessionId: string;
+        absoluteExpiresAt: string;
+        type: 'refresh' | 'session';
+    } | {
+        error: string;
+    }>;
+    validateAccessToken(token: string): {
+        isValid: true;
+        payload: AccessTokenPayload;
+    } | {
+        isValid: false;
+        payload: null;
+    };
+    validateRefreshToken(token: string): Promise<ValidateRefreshTokenResult>;
+    invalidateRefreshToken(userId: string, deviceId?: string): Promise<void>;
+    /**
+     * Returns true when a session exists and is not expired for this origin.
+     * If the session exists but is expired, it will be deleted as part of this check.
+     */
+    isSessionActive(sessionId: string): Promise<boolean>;
+}
+declare class SessionManager {
+    private provider;
+    private originConfigs;
+    private cleanupInvocationCounter;
+    private readonly cleanupEveryCalls;
+    constructor(provider: SessionProvider);
+    /**
+     * Define configuration for a specific origin
+     */
+    defineOrigin(origin: string, config: SessionManagerConfig): void;
+    /**
+     * Check if an origin is defined
+     */
+    hasOrigin(origin: string): boolean;
+    /**
+     * Get configuration for a specific origin, throw error if not defined
+     */
+    private getConfigForOrigin;
+    generateSessionId(): string;
+    private maybeCleanupExpired;
+    /**
+     * Get the cleanup every calls threshold
+     */
+    get cleanupThreshold(): number;
+    generateRefreshToken(userId: string, deviceId: string | undefined, origin: string, options?: {
+        type?: 'refresh' | 'session';
+    }): Promise<{
+        token: string;
+        sessionId: string;
+        absoluteExpiresAt: string;
+    }>;
+    validateAccessToken(token: string, origin: string): {
+        isValid: true;
+        payload: AccessTokenPayload;
+    } | {
+        isValid: false;
+        payload: null;
+    };
+    validateRefreshToken(token: string, origin: string): Promise<ValidateRefreshTokenResult>;
+    invalidateRefreshToken(origin: string, userId: string, deviceId?: string): Promise<void>;
+    generateAccessToken(refreshToken: string, origin: string): Promise<{
+        token: string;
+    } | {
+        error: string;
+    }>;
+    rotateRefreshToken(refreshToken: string, origin: string): Promise<{
+        token: string;
+        sessionId: string;
+        absoluteExpiresAt: string;
+        type: 'refresh' | 'session';
+    } | {
+        error: string;
+    }>;
+    /**
+     * Returns true when a session exists and is not expired.
+     * If the session exists but is expired, it will be deleted as part of this check.
+     */
+    isSessionActive(sessionId: string, origin: string): Promise<boolean>;
+}
+declare const createDatabaseProvider: (db: Database, contentType: string) => SessionProvider;
+declare const createSessionManager: ({ db, }: {
+    db: Database;
+}) => SessionManager & ((origin: string) => OriginSessionManager);
+export { createSessionManager, createDatabaseProvider };
+//# sourceMappingURL=session-manager.d.ts.map

package/dist/services/session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.d.ts","sourceRoot":"","sources":["../../src/services/session-manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAGjD,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACnD,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAChE,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5F;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,IAAI,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;IAC7B,MAAM,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,SAAS,EAAE,IAAI,CAAC;IAChB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,MAAM,YAAY,GAAG,mBAAmB,GAAG,kBAAkB,CAAC;AAEpE,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EACF,eAAe,GACf,eAAe,GACf,mBAAmB,GACnB,iBAAiB,GACjB,kBAAkB,CAAC;CACxB;AAqDD,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,uBAAuB,EAAE,MAAM,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;IACjC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED,cAAM,oBAAoB;IAEtB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,MAAM;gBADN,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,MAAM;IAGlB,oBAAoB,CACxB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,SAAS,GAAG,SAAS,CAAA;KAAE,GACzC,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IAIrE,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAIzF,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CACnD;QACE,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;KAC7B,GACD;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CACpB;IAID,mBAAmB,CACjB,KAAK,EAAE,MAAM,GACZ;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,OAAO,EAAE,kBAAkB,CAAA;KAAE,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,OAAO,EAAE,IAAI,CAAA;KAAE;IAI/E,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAIxE,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9E;;;OAGG;IACG,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAG3D;AAED,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAkB;IAGlC,OAAO,CAAC,aAAa,CAAgD;IAGrE,OAAO,CAAC,wBAAwB,CAAa;IAE7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAc;gBAEpC,QAAQ,EAAE,eAAe;IAIrC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAIhE;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAIlC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAU1B,iBAAiB,IAAI,MAAM;YAIb,mBAAmB;IASjC;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAEK,oBAAoB,CACxB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,SAAS,GAAG,SAAS,CAAA;KAAE,GACzC,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA0D3E,mBAAmB,CACjB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,OAAO,EAAE,kBAAkB,CAAA;KAAE,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,OAAO,EAAE,IAAI,CAAA;KAAE;IAwB/E,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAyDxF,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxF,mBAAmB,CACvB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IA4B3C,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CACN;QACE,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;KAC7B,GACD;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CACpB;IAwID;;;OAGG;IACG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAmB3E;AAED,QAAA,MAAM,sBAAsB,OAAQ,QAAQ,eAAe,MAAM,KAAG,eAEnE,CAAC;AAEF,QAAA,MAAM,oBAAoB,YAEvB;IACD,EAAE,EAAE,QAAQ,CAAC;CACd,KAAG,cAAc,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,oBAAoB,CA8B7D,CAAC;AAEF,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/services/session-manager.js

@@ -0,0 +1,476 @@
+'use strict';
+
+var crypto = require('crypto');
+var jwt = require('jsonwebtoken');
+var constants = require('../constants.js');
+
+class DatabaseSessionProvider {
+    async create(session) {
+        const result = await this.db.query(this.contentType).create({
+            data: session
+        });
+        return result;
+    }
+    async findBySessionId(sessionId) {
+        const result = await this.db.query(this.contentType).findOne({
+            where: {
+                sessionId
+            }
+        });
+        return result;
+    }
+    async updateBySessionId(sessionId, data) {
+        await this.db.query(this.contentType).update({
+            where: {
+                sessionId
+            },
+            data
+        });
+    }
+    async deleteBySessionId(sessionId) {
+        await this.db.query(this.contentType).delete({
+            where: {
+                sessionId
+            }
+        });
+    }
+    async deleteExpired() {
+        await this.db.query(this.contentType).deleteMany({
+            where: {
+                absoluteExpiresAt: {
+                    $lt: new Date()
+                }
+            }
+        });
+    }
+    async deleteBy(criteria) {
+        await this.db.query(this.contentType).deleteMany({
+            where: {
+                ...criteria.userId ? {
+                    userId: criteria.userId
+                } : {},
+                ...criteria.origin ? {
+                    origin: criteria.origin
+                } : {},
+                ...criteria.deviceId ? {
+                    deviceId: criteria.deviceId
+                } : {}
+            }
+        });
+    }
+    constructor(db, contentType){
+        this.db = db;
+        this.contentType = contentType;
+    }
+}
+class OriginSessionManager {
+    async generateRefreshToken(userId, deviceId, options) {
+        return this.sessionManager.generateRefreshToken(userId, deviceId, this.origin, options);
+    }
+    async generateAccessToken(refreshToken) {
+        return this.sessionManager.generateAccessToken(refreshToken, this.origin);
+    }
+    async rotateRefreshToken(refreshToken) {
+        return this.sessionManager.rotateRefreshToken(refreshToken, this.origin);
+    }
+    validateAccessToken(token) {
+        return this.sessionManager.validateAccessToken(token, this.origin);
+    }
+    async validateRefreshToken(token) {
+        return this.sessionManager.validateRefreshToken(token, this.origin);
+    }
+    async invalidateRefreshToken(userId, deviceId) {
+        return this.sessionManager.invalidateRefreshToken(this.origin, userId, deviceId);
+    }
+    /**
+   * Returns true when a session exists and is not expired for this origin.
+   * If the session exists but is expired, it will be deleted as part of this check.
+   */ async isSessionActive(sessionId) {
+        return this.sessionManager.isSessionActive(sessionId, this.origin);
+    }
+    constructor(sessionManager, origin){
+        this.sessionManager = sessionManager;
+        this.origin = origin;
+    }
+}
+class SessionManager {
+    /**
+   * Define configuration for a specific origin
+   */ defineOrigin(origin, config) {
+        this.originConfigs.set(origin, config);
+    }
+    /**
+   * Check if an origin is defined
+   */ hasOrigin(origin) {
+        return this.originConfigs.has(origin);
+    }
+    /**
+   * Get configuration for a specific origin, throw error if not defined
+   */ getConfigForOrigin(origin) {
+        const originConfig = this.originConfigs.get(origin);
+        if (originConfig) {
+            return originConfig;
+        }
+        throw new Error(`SessionManager: Origin '${origin}' is not defined. Please define it using defineOrigin('${origin}', config).`);
+    }
+    generateSessionId() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+    async maybeCleanupExpired() {
+        this.cleanupInvocationCounter += 1;
+        if (this.cleanupInvocationCounter >= this.cleanupEveryCalls) {
+            this.cleanupInvocationCounter = 0;
+            await this.provider.deleteExpired();
+        }
+    }
+    /**
+   * Get the cleanup every calls threshold
+   */ get cleanupThreshold() {
+        return this.cleanupEveryCalls;
+    }
+    async generateRefreshToken(userId, deviceId, origin, options) {
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        await this.maybeCleanupExpired();
+        const config = this.getConfigForOrigin(origin);
+        const sessionId = this.generateSessionId();
+        const tokenType = options?.type ?? 'refresh';
+        const isRefresh = tokenType === 'refresh';
+        const idleLifespan = isRefresh ? config.idleRefreshTokenLifespan : config.idleSessionLifespan;
+        const maxLifespan = isRefresh ? config.maxRefreshTokenLifespan : config.maxSessionLifespan;
+        const now = Date.now();
+        const expiresAt = new Date(now + idleLifespan * 1000);
+        const absoluteExpiresAt = new Date(now + maxLifespan * 1000);
+        // Create the root record first so createdAt can be used for signing.
+        const record = await this.provider.create({
+            userId,
+            sessionId,
+            ...deviceId && {
+                deviceId
+            },
+            origin,
+            childId: null,
+            type: tokenType,
+            status: 'active',
+            expiresAt,
+            absoluteExpiresAt
+        });
+        const issuedAtSeconds = Math.floor(new Date(record.createdAt ?? new Date()).getTime() / 1000);
+        const expiresAtSeconds = Math.floor(new Date(record.expiresAt).getTime() / 1000);
+        const payload = {
+            userId,
+            sessionId,
+            type: 'refresh',
+            iat: issuedAtSeconds,
+            exp: expiresAtSeconds
+        };
+        const token = jwt.sign(payload, config.jwtSecret, {
+            algorithm: constants.DEFAULT_ALGORITHM,
+            noTimestamp: true
+        });
+        return {
+            token,
+            sessionId,
+            absoluteExpiresAt: absoluteExpiresAt.toISOString()
+        };
+    }
+    validateAccessToken(token, origin) {
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        try {
+            const config = this.getConfigForOrigin(origin);
+            const payload = jwt.verify(token, config.jwtSecret, {
+                algorithms: [
+                    constants.DEFAULT_ALGORITHM
+                ]
+            });
+            // Ensure this is an access token
+            if (!payload || payload.type !== 'access') {
+                return {
+                    isValid: false,
+                    payload: null
+                };
+            }
+            return {
+                isValid: true,
+                payload
+            };
+        } catch (err) {
+            return {
+                isValid: false,
+                payload: null
+            };
+        }
+    }
+    async validateRefreshToken(token, origin) {
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        try {
+            const config = this.getConfigForOrigin(origin);
+            const verifyOptions = {
+                algorithms: [
+                    constants.DEFAULT_ALGORITHM
+                ]
+            };
+            const payload = jwt.verify(token, config.jwtSecret, verifyOptions);
+            if (payload.type !== 'refresh') {
+                return {
+                    isValid: false
+                };
+            }
+            const session = await this.provider.findBySessionId(payload.sessionId);
+            if (!session) {
+                return {
+                    isValid: false
+                };
+            }
+            const now = new Date();
+            if (new Date(session.expiresAt) <= now) {
+                return {
+                    isValid: false
+                };
+            }
+            // Absolute family expiry check
+            if (session.absoluteExpiresAt && new Date(session.absoluteExpiresAt) <= now) {
+                return {
+                    isValid: false
+                };
+            }
+            // Only 'active' sessions are eligible to create access tokens.
+            if (session.status !== 'active') {
+                return {
+                    isValid: false
+                };
+            }
+            if (session.userId !== payload.userId) {
+                return {
+                    isValid: false
+                };
+            }
+            return {
+                isValid: true,
+                userId: payload.userId,
+                sessionId: payload.sessionId
+            };
+        } catch (error) {
+            if (error instanceof jwt.JsonWebTokenError) {
+                return {
+                    isValid: false
+                };
+            }
+            throw error;
+        }
+    }
+    async invalidateRefreshToken(origin, userId, deviceId) {
+        await this.provider.deleteBy({
+            userId,
+            origin,
+            deviceId
+        });
+    }
+    async generateAccessToken(refreshToken, origin) {
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        const validation = await this.validateRefreshToken(refreshToken, origin);
+        if (!validation.isValid) {
+            return {
+                error: 'invalid_refresh_token'
+            };
+        }
+        const payload = {
+            userId: String(validation.userId),
+            sessionId: validation.sessionId,
+            type: 'access'
+        };
+        const config = this.getConfigForOrigin(origin);
+        const token = jwt.sign(payload, config.jwtSecret, {
+            algorithm: constants.DEFAULT_ALGORITHM,
+            expiresIn: config.accessTokenLifespan
+        });
+        return {
+            token
+        };
+    }
+    async rotateRefreshToken(refreshToken, origin) {
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        try {
+            const config = this.getConfigForOrigin(origin);
+            const payload = jwt.verify(refreshToken, config.jwtSecret, {
+                algorithms: [
+                    constants.DEFAULT_ALGORITHM
+                ]
+            });
+            if (!payload || payload.type !== 'refresh') {
+                return {
+                    error: 'invalid_refresh_token'
+                };
+            }
+            const current = await this.provider.findBySessionId(payload.sessionId);
+            if (!current) {
+                return {
+                    error: 'invalid_refresh_token'
+                };
+            }
+            // If parent already has a child, return the same child token
+            if (current.childId) {
+                const child = await this.provider.findBySessionId(current.childId);
+                if (child) {
+                    const childIat = Math.floor(new Date(child.createdAt ?? new Date()).getTime() / 1000);
+                    const childExp = Math.floor(new Date(child.expiresAt).getTime() / 1000);
+                    const childPayload = {
+                        userId: child.userId,
+                        sessionId: child.sessionId,
+                        type: 'refresh',
+                        iat: childIat,
+                        exp: childExp
+                    };
+                    const childToken = jwt.sign(childPayload, config.jwtSecret, {
+                        algorithm: constants.DEFAULT_ALGORITHM,
+                        noTimestamp: true
+                    });
+                    let absoluteExpiresAt;
+                    if (child.absoluteExpiresAt) {
+                        absoluteExpiresAt = typeof child.absoluteExpiresAt === 'string' ? child.absoluteExpiresAt : child.absoluteExpiresAt.toISOString();
+                    } else {
+                        absoluteExpiresAt = new Date(0).toISOString();
+                    }
+                    return {
+                        token: childToken,
+                        sessionId: child.sessionId,
+                        absoluteExpiresAt,
+                        type: child.type ?? 'refresh'
+                    };
+                }
+            }
+            const now = Date.now();
+            const tokenType = current.type ?? 'refresh';
+            const idleLifespan = tokenType === 'refresh' ? config.idleRefreshTokenLifespan : config.idleSessionLifespan;
+            // Enforce idle window since creation of the current token
+            if (current.createdAt && now - new Date(current.createdAt).getTime() > idleLifespan * 1000) {
+                return {
+                    error: 'idle_window_elapsed'
+                };
+            }
+            // Enforce max family window using absoluteExpiresAt
+            const absolute = current.absoluteExpiresAt ? new Date(current.absoluteExpiresAt).getTime() : now;
+            if (absolute <= now) {
+                return {
+                    error: 'max_window_elapsed'
+                };
+            }
+            // Create child token
+            const childSessionId = this.generateSessionId();
+            const childExpiresAt = new Date(now + idleLifespan * 1000);
+            const childRecord = await this.provider.create({
+                userId: current.userId,
+                sessionId: childSessionId,
+                ...current.deviceId && {
+                    deviceId: current.deviceId
+                },
+                origin: current.origin,
+                childId: null,
+                type: tokenType,
+                status: 'active',
+                expiresAt: childExpiresAt,
+                absoluteExpiresAt: current.absoluteExpiresAt ?? new Date(absolute)
+            });
+            const childIat = Math.floor(new Date(childRecord.createdAt ?? new Date()).getTime() / 1000);
+            const childExp = Math.floor(new Date(childRecord.expiresAt).getTime() / 1000);
+            const payloadOut = {
+                userId: current.userId,
+                sessionId: childSessionId,
+                type: 'refresh',
+                iat: childIat,
+                exp: childExp
+            };
+            const childToken = jwt.sign(payloadOut, config.jwtSecret, {
+                algorithm: constants.DEFAULT_ALGORITHM,
+                noTimestamp: true
+            });
+            await this.provider.updateBySessionId(current.sessionId, {
+                status: 'rotated',
+                childId: childSessionId
+            });
+            let absoluteExpiresAt;
+            if (childRecord.absoluteExpiresAt) {
+                absoluteExpiresAt = typeof childRecord.absoluteExpiresAt === 'string' ? childRecord.absoluteExpiresAt : childRecord.absoluteExpiresAt.toISOString();
+            } else {
+                absoluteExpiresAt = new Date(absolute).toISOString();
+            }
+            return {
+                token: childToken,
+                sessionId: childSessionId,
+                absoluteExpiresAt,
+                type: tokenType
+            };
+        } catch  {
+            return {
+                error: 'invalid_refresh_token'
+            };
+        }
+    }
+    /**
+   * Returns true when a session exists and is not expired.
+   * If the session exists but is expired, it will be deleted as part of this check.
+   */ async isSessionActive(sessionId, origin) {
+        const session = await this.provider.findBySessionId(sessionId);
+        if (!session) {
+            return false;
+        }
+        if (session.origin !== origin) {
+            return false;
+        }
+        if (new Date(session.expiresAt) <= new Date()) {
+            // Clean up expired session eagerly
+            await this.provider.deleteBySessionId(sessionId);
+            return false;
+        }
+        return true;
+    }
+    constructor(provider){
+        // Store origin-specific configurations
+        this.originConfigs = new Map();
+        // Run expired cleanup only every N calls to avoid extra queries
+        this.cleanupInvocationCounter = 0;
+        this.cleanupEveryCalls = 50;
+        this.provider = provider;
+    }
+}
+const createDatabaseProvider = (db, contentType)=>{
+    return new DatabaseSessionProvider(db, contentType);
+};
+const createSessionManager = ({ db })=>{
+    const provider = createDatabaseProvider(db, 'admin::session');
+    const sessionManager = new SessionManager(provider);
+    // Add callable functionality
+    const fluentApi = (origin)=>{
+        if (!origin || typeof origin !== 'string') {
+            throw new Error('SessionManager: Origin parameter is required and must be a non-empty string');
+        }
+        return new OriginSessionManager(sessionManager, origin);
+    };
+    // Attach only the public SessionManagerService API to the callable
+    const api = fluentApi;
+    api.generateSessionId = sessionManager.generateSessionId.bind(sessionManager);
+    api.defineOrigin = sessionManager.defineOrigin.bind(sessionManager);
+    api.hasOrigin = sessionManager.hasOrigin.bind(sessionManager);
+    // Note: isSessionActive is origin-scoped and exposed on OriginSessionManager only
+    // Forward the cleanupThreshold getter (used in tests)
+    Object.defineProperty(api, 'cleanupThreshold', {
+        get () {
+            return sessionManager.cleanupThreshold;
+        },
+        enumerable: true
+    });
+    return api;
+};
+
+exports.createDatabaseProvider = createDatabaseProvider;
+exports.createSessionManager = createSessionManager;
+//# sourceMappingURL=session-manager.js.map