@strav/social 0.4.31 → 1.0.0-alpha.24

package/src/drivers/line/line_driver.ts

@@ -0,0 +1,310 @@
+/**
+ * `LineSocialDriver` — Line Login v2.1 implementation.
+ *
+ * Line is SEA-load-bearing: dominant chat + login in Thailand
+ * and Japan, growing across SEA more generally. Strav defaults
+ * to Line as the primary social adapter; Google + Facebook
+ * round out the international + global-reach options.
+ *
+ * Line specifics worth knowing:
+ *
+ *   - **Scopes**: `profile` (always free), `openid` (free —
+ *     returns an id_token), `email` (requires Line approval on
+ *     the channel, then granted per-user via the consent screen).
+ *   - **PKCE**: supported, not required.
+ *   - **Email**: only available by decoding the id_token JWT
+ *     when `openid email` was both requested AND granted. Line
+ *     does NOT include email on the `/v2/profile` REST response.
+ *   - **id_token verification**: the driver decodes JWT claims
+ *     for the `email` field but does NOT verify the JWS
+ *     signature. The token arrives over TLS direct from Line's
+ *     token endpoint, so the trust boundary is the same as the
+ *     access token. Apps that want signature verification
+ *     against Line's JWKS run it themselves or use the
+ *     `/oauth2/v2.1/verify` endpoint via `driver.client`.
+ *   - **No locale field on profile** — apps that need it pass
+ *     `ui_locales` on authorize and store the app-side choice
+ *     alongside the user record.
+ *
+ * Token / refresh / revoke all use the standard OAuth2 endpoints.
+ */
+
+import type { OAuthTokens, SocialProfile } from '../../dto/index.ts'
+import type { SocialCapability } from '../../social_capabilities.ts'
+import type {
+  AuthorizeInput,
+  AuthorizeResult,
+  ExchangeInput,
+  RefreshInput,
+  SocialDriver,
+} from '../../social_driver.ts'
+import {
+  InvalidTokenError,
+  OAuthExchangeError,
+  SocialProviderError,
+  StateMismatchError,
+} from '../../social_error.ts'
+import { codeChallengeFor, randomCodeVerifier, randomState } from '../../pkce.ts'
+import { LINE_ENDPOINTS, type LineProviderConfig } from './line_config.ts'
+
+const PROVIDER = 'line'
+
+const CAPS: readonly SocialCapability[] = [
+  'openid', 'pkce.support',
+  'profile.id', 'profile.email', 'profile.emailVerified',
+  'profile.name', 'profile.avatar',
+  // No `profile.locale` — Line doesn't return locale on the profile API.
+  'tokens.exchange', 'tokens.refresh', 'tokens.revoke', 'tokens.introspect',
+  'scopes.discoverable',
+]
+
+const SCOPES: readonly string[] = ['openid', 'profile', 'email']
+
+export interface LineDriverOptions {
+  instanceName: string
+  config: LineProviderConfig
+}
+
+interface TokenResponse {
+  access_token: string
+  expires_in: number
+  id_token?: string
+  refresh_token?: string
+  scope?: string
+  token_type: string
+}
+
+interface ProfileResponse {
+  userId: string
+  displayName: string
+  pictureUrl?: string
+  statusMessage?: string
+}
+
+interface JwtPayload {
+  email?: string
+  email_verified?: boolean
+  name?: string
+  picture?: string
+  sub?: string
+  [k: string]: unknown
+}
+
+export class LineSocialDriver implements SocialDriver {
+  readonly name = PROVIDER
+  readonly instanceName: string
+  readonly capabilities: ReadonlySet<SocialCapability> = new Set(CAPS)
+  readonly availableScopes = SCOPES
+
+  private readonly config: LineProviderConfig
+  private readonly fetchFn: typeof fetch
+  private readonly endpoints: { authorize: string; token: string; profile: string; revoke: string; verify: string }
+
+  constructor(options: LineDriverOptions) {
+    this.instanceName = options.instanceName
+    this.config = options.config
+    this.fetchFn = options.config.fetch ?? fetch
+    this.endpoints = { ...LINE_ENDPOINTS, ...(options.config.endpoints ?? {}) }
+  }
+
+  async authorize(input: AuthorizeInput): Promise<AuthorizeResult> {
+    const state = input.state ?? randomState()
+    // PKCE: Line supports but doesn't require. We default to
+    // including it (defence in depth for callback hijacking on
+    // mobile + SPA flows; harmless on server-side flows). Apps
+    // that explicitly pass `codeVerifier: undefined` opt out by
+    // sending `extra.no_pkce: '1'`.
+    const optOut = input.extra?.no_pkce === '1'
+    const codeVerifier = optOut
+      ? undefined
+      : input.codeVerifier ?? randomCodeVerifier()
+    const challenge = codeVerifier ? await codeChallengeFor(codeVerifier) : undefined
+
+    const scopes = input.scopes ?? ['profile']
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: this.config.clientId,
+      redirect_uri: input.redirectUri,
+      scope: scopes.join(' '),
+      state,
+      ...(challenge ? { code_challenge: challenge, code_challenge_method: 'S256' } : {}),
+      ...(this.config.uiLocales ? { ui_locales: this.config.uiLocales } : {}),
+      ...(input.extra ?? {}),
+    })
+    // Don't leak the framework helper through to Line.
+    params.delete('no_pkce')
+
+    return {
+      url: `${this.endpoints.authorize}?${params.toString()}`,
+      state,
+      ...(codeVerifier ? { codeVerifier } : {}),
+    }
+  }
+
+  async exchange(input: ExchangeInput): Promise<OAuthTokens> {
+    if (input.expectedState !== undefined && input.state !== input.expectedState) {
+      throw new StateMismatchError()
+    }
+    const body = new URLSearchParams({
+      grant_type: 'authorization_code',
+      code: input.code,
+      redirect_uri: input.redirectUri,
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      ...(input.codeVerifier ? { code_verifier: input.codeVerifier } : {}),
+    })
+    const res = await this.fetchFn(this.endpoints.token, {
+      method: 'POST',
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      body,
+    })
+    if (!res.ok) {
+      const text = await res.text()
+      throw new OAuthExchangeError(
+        `LineSocialDriver.exchange: token endpoint returned ${res.status}.`,
+        { context: { status: res.status, body: text } },
+      )
+    }
+    const json = (await res.json()) as TokenResponse
+    return this.toOAuthTokens(json)
+  }
+
+  async profile(accessToken: string): Promise<SocialProfile> {
+    const res = await this.fetchFn(this.endpoints.profile, {
+      headers: { authorization: `Bearer ${accessToken}` },
+    })
+    if (res.status === 401) {
+      throw new InvalidTokenError('LineSocialDriver.profile: access token rejected.')
+    }
+    if (!res.ok) {
+      const text = await res.text()
+      throw new SocialProviderError(
+        `LineSocialDriver.profile: profile endpoint returned ${res.status}.`,
+        { provider: PROVIDER, operation: 'profile', context: { status: res.status, body: text } },
+      )
+    }
+    const p = (await res.json()) as ProfileResponse
+    return {
+      id: p.userId,
+      provider: PROVIDER,
+      ...(p.displayName ? { name: p.displayName } : {}),
+      ...(p.pictureUrl ? { avatarUrl: p.pictureUrl } : {}),
+      // Email is NOT on /v2/profile. Apps that need it decoded the
+      // id_token at exchange time and stored it on the user record.
+      metadata: p.statusMessage ? { statusMessage: p.statusMessage } : {},
+      raw: p,
+    }
+  }
+
+  async refresh(input: RefreshInput): Promise<OAuthTokens> {
+    const body = new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: input.refreshToken,
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+    })
+    const res = await this.fetchFn(this.endpoints.token, {
+      method: 'POST',
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      body,
+    })
+    if (res.status === 400 || res.status === 401) {
+      const text = await res.text()
+      throw new InvalidTokenError(
+        `LineSocialDriver.refresh: refresh token rejected.`,
+        { context: { status: res.status, body: text } },
+      )
+    }
+    if (!res.ok) {
+      const text = await res.text()
+      throw new SocialProviderError(
+        `LineSocialDriver.refresh: token endpoint returned ${res.status}.`,
+        { provider: PROVIDER, operation: 'refresh', context: { status: res.status, body: text } },
+      )
+    }
+    return this.toOAuthTokens((await res.json()) as TokenResponse)
+  }
+
+  async revoke(token: string): Promise<void> {
+    const body = new URLSearchParams({
+      access_token: token,
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+    })
+    const res = await this.fetchFn(this.endpoints.revoke, {
+      method: 'POST',
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      body,
+    })
+    if (!res.ok) {
+      const text = await res.text()
+      throw new SocialProviderError(
+        `LineSocialDriver.revoke: revoke endpoint returned ${res.status}.`,
+        { provider: PROVIDER, operation: 'revoke', context: { status: res.status, body: text } },
+      )
+    }
+  }
+
+  // ─── Internals ────────────────────────────────────────────────────────
+
+  private toOAuthTokens(t: TokenResponse): OAuthTokens {
+    const expiresAt =
+      typeof t.expires_in === 'number'
+        ? new Date(Date.now() + t.expires_in * 1000)
+        : undefined
+    const tokens: OAuthTokens = {
+      accessToken: t.access_token,
+      ...(t.refresh_token ? { refreshToken: t.refresh_token } : {}),
+      ...(t.id_token ? { idToken: t.id_token } : {}),
+      ...(expiresAt ? { expiresAt } : {}),
+      ...(t.scope ? { scope: t.scope } : {}),
+      tokenType: t.token_type ?? 'Bearer',
+      raw: t,
+    }
+    return tokens
+  }
+}
+
+/**
+ * Extract `email` from a Line id_token. Returns the email
+ * string when present, `null` when the id_token has no email
+ * claim (typical when `email` scope wasn't requested or
+ * granted), and throws when the token is structurally invalid.
+ *
+ * Apps that need the email at signup time decode the id_token
+ * right after `exchange()`. The framework deliberately keeps
+ * this as a side helper rather than auto-decoding inside
+ * `exchange()` — the OIDC id_token has many claims; surfacing
+ * email-only matches the most common app need, anything else
+ * stays on `tokens.idToken` for apps to parse themselves.
+ *
+ * **Security note**: this does NOT verify the JWS signature.
+ * The id_token arrives over TLS direct from Line's token
+ * endpoint in the same response as the access token; trusting
+ * the payload at that point has the same posture as trusting
+ * the access token. Apps that want full verification call
+ * Line's `/oauth2/v2.1/verify` endpoint with the id_token.
+ */
+export function emailFromLineIdToken(idToken: string): string | null {
+  const segments = idToken.split('.')
+  if (segments.length !== 3) {
+    throw new InvalidTokenError('emailFromLineIdToken: id_token does not have 3 segments.')
+  }
+  const payload = decodeJwtSegment(segments[1]!)
+  return typeof payload.email === 'string' ? payload.email : null
+}
+
+function decodeJwtSegment(segment: string): JwtPayload {
+  // base64url → base64 → string
+  const pad = segment.length % 4
+  const padded = pad === 0 ? segment : `${segment}${'='.repeat(4 - pad)}`
+  const b64 = padded.replace(/-/g, '+').replace(/_/g, '/')
+  try {
+    const json = atob(b64)
+    return JSON.parse(json) as JwtPayload
+  } catch (cause) {
+    throw new InvalidTokenError('decodeJwtSegment: failed to parse JWT segment.', {
+      cause,
+    })
+  }
+}

package/src/drivers/line/line_provider.ts

@@ -0,0 +1,34 @@
+/**
+ * `LineSocialProvider` — `ServiceProvider` that registers the
+ * Line driver factory on the `SocialManager`.
+ *
+ * List AFTER `SocialProvider` in `bootstrap/providers.ts`. The
+ * factory is invoked lazily on first `social.use(name)`; misconfigured
+ * Line credentials surface on first use, not at boot. Apps that
+ * want fail-fast call `social.use('line')` from their own `boot()`.
+ */
+
+import { type Application, ServiceProvider } from '@strav/kernel'
+import { SocialConfigError } from '../../social_error.ts'
+import { SocialManager } from '../../social_manager.ts'
+import type { LineProviderConfig } from './line_config.ts'
+import { LineSocialDriver } from './line_driver.ts'
+
+export class LineSocialProvider extends ServiceProvider {
+  override readonly name = 'social-line'
+  override readonly dependencies = ['social']
+
+  override register(app: Application): void {
+    const manager = app.resolve(SocialManager)
+    manager.extend('line', ({ instanceName, config }) => {
+      const cfg = config as LineProviderConfig
+      if (!cfg.clientId || !cfg.clientSecret) {
+        throw new SocialConfigError(
+          `LineSocialProvider: \`clientId\` and \`clientSecret\` are required for provider "${instanceName}".`,
+          { context: { instanceName } },
+        )
+      }
+      return new LineSocialDriver({ instanceName, config: cfg })
+    })
+  }
+}

package/src/drivers/mock_driver.ts

@@ -0,0 +1,170 @@
+/**
+ * `MockDriver` — in-memory reference implementation. Used by
+ * unit tests + as the canonical contract example for new
+ * adapters.
+ *
+ * Round-trips tokens + profiles through plain Maps. PKCE +
+ * state verification mirror what real drivers enforce so apps
+ * exercising the full flow against the mock catch bugs in
+ * their state handling before they hit a real provider.
+ *
+ * Capabilities: full by default — every flag declared. Tests
+ * that exercise `ProviderUnsupportedError` paths construct the
+ * mock with a narrowed `capabilities` set.
+ */
+
+import { ulid } from '@strav/kernel'
+import {
+  InvalidTokenError,
+  OAuthExchangeError,
+  StateMismatchError,
+} from '../social_error.ts'
+import type { OAuthTokens, SocialProfile } from '../dto/index.ts'
+import type { SocialCapability } from '../social_capabilities.ts'
+import { codeChallengeFor, randomCodeVerifier, randomState } from '../pkce.ts'
+import type {
+  AuthorizeInput,
+  AuthorizeResult,
+  ExchangeInput,
+  RefreshInput,
+  SocialDriver,
+} from '../social_driver.ts'
+
+const ALL_CAPS: readonly SocialCapability[] = [
+  'openid', 'pkce.support',
+  'profile.id', 'profile.email', 'profile.emailVerified',
+  'profile.name', 'profile.avatar', 'profile.locale',
+  'tokens.exchange', 'tokens.refresh', 'tokens.revoke', 'tokens.introspect',
+  'scopes.discoverable',
+]
+
+export interface MockDriverOptions {
+  instanceName?: string
+  capabilities?: ReadonlySet<SocialCapability>
+  /** Profile returned by `profile(accessToken)` calls. Tests override to assert specific shapes. */
+  profileFor?(accessToken: string): SocialProfile
+}
+
+interface PendingFlow {
+  state: string
+  codeVerifier?: string
+  scopes: readonly string[]
+  redirectUri: string
+}
+
+export class MockDriver implements SocialDriver {
+  readonly name = 'mock'
+  readonly instanceName: string
+  readonly capabilities: ReadonlySet<SocialCapability>
+  readonly availableScopes: readonly string[] = ['openid', 'profile', 'email']
+
+  private readonly pending = new Map<string, PendingFlow>()
+  private readonly issuedTokens = new Map<string, { code: string; refreshToken: string }>()
+  private readonly profileForFn: (accessToken: string) => SocialProfile
+
+  constructor(options: MockDriverOptions = {}) {
+    this.instanceName = options.instanceName ?? 'mock'
+    this.capabilities = options.capabilities ?? new Set(ALL_CAPS)
+    this.profileForFn =
+      options.profileFor ??
+      ((token: string): SocialProfile => ({
+        id: `mock_${token.slice(0, 8)}`,
+        provider: this.name,
+        email: `${token.slice(0, 6)}@mock.test`,
+        emailVerified: true,
+        name: 'Mock User',
+        avatarUrl: 'https://mock.test/avatar.png',
+        locale: 'en',
+        metadata: {},
+        raw: { mock: true },
+      }))
+  }
+
+  async authorize(input: AuthorizeInput): Promise<AuthorizeResult> {
+    const state = input.state ?? randomState()
+    const codeVerifier =
+      input.codeVerifier ??
+      (this.capabilities.has('pkce.support') ? randomCodeVerifier() : undefined)
+    const challenge = codeVerifier ? await codeChallengeFor(codeVerifier) : undefined
+    this.pending.set(state, {
+      state,
+      ...(codeVerifier ? { codeVerifier } : {}),
+      scopes: input.scopes ?? ['profile'],
+      redirectUri: input.redirectUri,
+    })
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: 'mock_client',
+      redirect_uri: input.redirectUri,
+      scope: (input.scopes ?? ['profile']).join(' '),
+      state,
+      ...(challenge ? { code_challenge: challenge, code_challenge_method: 'S256' } : {}),
+      ...(input.extra ?? {}),
+    })
+    return {
+      url: `https://mock.test/oauth/authorize?${params.toString()}`,
+      state,
+      ...(codeVerifier ? { codeVerifier } : {}),
+    }
+  }
+
+  async exchange(input: ExchangeInput): Promise<OAuthTokens> {
+    if (input.expectedState !== undefined && input.state !== input.expectedState) {
+      throw new StateMismatchError()
+    }
+    const flow = input.state ? this.pending.get(input.state) : undefined
+    if (!flow) {
+      throw new OAuthExchangeError('MockDriver: no pending authorize for this state.')
+    }
+    if (flow.codeVerifier && flow.codeVerifier !== input.codeVerifier) {
+      throw new OAuthExchangeError('MockDriver: PKCE verifier mismatch.')
+    }
+    this.pending.delete(input.state!)
+    const accessToken = `mock_at_${ulid()}`
+    const refreshToken = `mock_rt_${ulid()}`
+    this.issuedTokens.set(accessToken, { code: input.code, refreshToken })
+    return {
+      accessToken,
+      refreshToken,
+      ...(flow.scopes.includes('openid') ? { idToken: `mock_id_${ulid()}` } : {}),
+      expiresAt: new Date(Date.now() + 3600 * 1000),
+      scope: flow.scopes.join(' '),
+      tokenType: 'Bearer',
+      raw: { mock: true, code: input.code },
+    }
+  }
+
+  async profile(accessToken: string): Promise<SocialProfile> {
+    if (!this.issuedTokens.has(accessToken)) {
+      throw new InvalidTokenError(`MockDriver.profile: unknown access token.`)
+    }
+    return this.profileForFn(accessToken)
+  }
+
+  async refresh(input: RefreshInput): Promise<OAuthTokens> {
+    // Find the access token whose refresh token matches.
+    const found = [...this.issuedTokens.entries()].find(
+      ([, v]) => v.refreshToken === input.refreshToken,
+    )
+    if (!found) {
+      throw new InvalidTokenError('MockDriver.refresh: unknown refresh token.')
+    }
+    // Rotate.
+    this.issuedTokens.delete(found[0])
+    const accessToken = `mock_at_${ulid()}`
+    const newRefresh = `mock_rt_${ulid()}`
+    this.issuedTokens.set(accessToken, { code: found[1].code, refreshToken: newRefresh })
+    return {
+      accessToken,
+      refreshToken: newRefresh,
+      expiresAt: new Date(Date.now() + 3600 * 1000),
+      scope: (input.scopes ?? []).join(' '),
+      tokenType: 'Bearer',
+      raw: { mock: true },
+    }
+  }
+
+  async revoke(token: string): Promise<void> {
+    this.issuedTokens.delete(token)
+  }
+}

package/src/drivers/unsupported.ts

@@ -0,0 +1,17 @@
+/**
+ * `unsupported(provider, operation, reason?)` — drivers stub
+ * out methods they can't fulfil. Returns a function that
+ * throws `ProviderUnsupportedError` synchronously.
+ */
+
+import { ProviderUnsupportedError } from '../social_error.ts'
+
+export function unsupported(
+  provider: string,
+  operation: string,
+  reason?: string,
+): (...args: unknown[]) => never {
+  return () => {
+    throw new ProviderUnsupportedError(provider, operation, reason ? { reason } : {})
+  }
+}

package/src/dto/index.ts

@@ -0,0 +1,4 @@
+/** Barrel for the social DTOs. */
+
+export type { OAuthTokens } from './oauth_tokens.ts'
+export type { SocialProfile } from './social_profile.ts'

package/src/dto/oauth_tokens.ts

@@ -0,0 +1,26 @@
+/**
+ * `OAuthTokens` — normalized token payload from a successful
+ * code exchange or refresh. Apps persist these against their
+ * user record (encrypted via `@strav/kernel`'s cipher).
+ *
+ * `idToken` is set only for OIDC providers (Google, Line as
+ * OpenID Connect). Plain-OAuth2 providers (Facebook) leave it
+ * undefined.
+ *
+ * `expiresAt` is provider-derived (`expires_in` seconds → wall
+ * clock). Drivers compute it at exchange time so apps don't
+ * need to track when the call was made.
+ */
+
+export interface OAuthTokens {
+  accessToken: string
+  /** Available only when the user granted offline access (Google) or the provider issues refresh tokens by default (Line). */
+  refreshToken?: string
+  /** OIDC id_token (JWT). Present on `openid` flows. Apps that already trust the access token usually ignore this. */
+  idToken?: string
+  expiresAt?: Date
+  /** Space-separated scope string the provider granted (may be narrower than what was requested). */
+  scope?: string
+  tokenType: string
+  raw: unknown
+}

package/src/dto/social_profile.ts

@@ -0,0 +1,37 @@
+/**
+ * `SocialProfile` — normalized user-info shape across providers.
+ * The native provider object is on `.raw`; apps reach there for
+ * fields the framework doesn't normalize (Line's `pictureUrl`
+ * vs Google's `picture` collapse to `avatarUrl`; Line's
+ * `displayName` collapses to `name`).
+ *
+ * Provider divergence the framework intentionally surfaces:
+ *
+ *   - `email` is optional. Line gives it only when the `email`
+ *     scope is requested AND the user accepts; Facebook gives it
+ *     only if the app is approved for `email`. Apps that need it
+ *     check capability AND check `profile.email`.
+ *
+ *   - `emailVerified` is true only when the provider asserts it.
+ *     Google + Line always assert; Facebook never does — apps
+ *     verify themselves.
+ *
+ *   - `id` is the provider-native subject id. Globally unique
+ *     within the provider's namespace, not across providers.
+ *     The `(provider, id)` pair is what `social_account` rows
+ *     key on (slice 8.5).
+ */
+
+export interface SocialProfile {
+  /** Provider-native user id (`sub` in OIDC, `userId` in Line, `id` in Facebook). */
+  id: string
+  /** Driver name — `'line'` / `'google'` / `'facebook'`. */
+  provider: string
+  email?: string
+  emailVerified?: boolean
+  name?: string
+  avatarUrl?: string
+  locale?: string
+  metadata: Record<string, unknown>
+  raw: unknown
+}

package/src/index.ts

@@ -1,15 +1,62 @@
-export { default, default as SocialManager } from './social_manager.ts'
+// Public API of `@strav/social`.
+//
+// V1: provider-agnostic OAuth/OIDC client — normalized profile +
+// token DTOs + multi-provider routing + state + PKCE helpers.
+// Composes with `@strav/kernel` for the container and
+// `@strav/http` (no direct import; for the eventual route helpers).
+//
+// Drivers ship as subpath imports:
+//   `@strav/social/line`, `@strav/social/google`,
+//   `@strav/social/facebook`. The `MockDriver` in `./drivers`
+//   is for tests + as the reference contract.
+//
+// Account-linking schema lives in `./ledger/`:
+//   - `social_account` tenanted table (tokens encrypted via
+//     kernel's cipher)
+//   - `SocialAccountRepository` with connect / disconnect /
+//     find{ByUser,ByProviderIdentity} helpers
+//   - `applySocialAccountMigration` for the table + composite
+//     unique + user_id index
 
-// Provider
-export { default as SocialProvider } from './social_provider.ts'
-export { default as SocialAccount } from './social_account.ts'
-export { social } from './helpers.ts'
-export { AbstractProvider, SocialError } from './abstract_provider.ts'
-export { GoogleProvider } from './providers/google_provider.ts'
-export { GitHubProvider } from './providers/github_provider.ts'
-export { DiscordProvider } from './providers/discord_provider.ts'
-export { FacebookProvider } from './providers/facebook_provider.ts'
-export { LinkedInProvider } from './providers/linkedin_provider.ts'
-export { LineProvider } from './providers/line_provider.ts'
-export type { SocialUser, SocialConfig, ProviderConfig, TokenResponse } from './types.ts'
-export type { SocialAccountData } from './social_account.ts'
+export type * from './dto/index.ts'
+export { MockDriver, type MockDriverOptions, unsupported } from './drivers/index.ts'
+export {
+  applySocialAccountMigration,
+  type ApplySocialAccountMigrationOptions,
+  type ConnectInput,
+  type DisconnectInput,
+  SocialAccount,
+  SocialAccountAlreadyLinkedError,
+  SocialAccountRepository,
+  socialAccountSchema,
+} from './ledger/index.ts'
+export {
+  codeChallengeFor,
+  randomCodeVerifier,
+  randomState,
+} from './pkce.ts'
+export type { SocialCapability } from './social_capabilities.ts'
+export type {
+  AuthorizeInput,
+  AuthorizeResult,
+  ExchangeInput,
+  RefreshInput,
+  SocialDriver,
+  SocialDriverFactory,
+} from './social_driver.ts'
+export {
+  InvalidTokenError,
+  OAuthExchangeError,
+  ProviderUnsupportedError,
+  SocialConfigError,
+  SocialError,
+  SocialProviderError,
+  StateMismatchError,
+  UnknownProviderError,
+} from './social_error.ts'
+export {
+  SocialManager,
+  type SocialManagerOptions,
+} from './social_manager.ts'
+export { SocialProvider } from './social_provider.ts'
+export type { ProviderConfig, SocialConfig } from './types.ts'