@tinyrack/tinyauth-server 0.0.7

package/dist/middleware/auth.js

@@ -0,0 +1,123 @@
+import { createMiddleware } from 'hono/factory';
+import { e, TinyAuthError } from "../schemas/error.js";
+export const verifyAuth = (options) => createMiddleware(async (c, next) => {
+    const services = c.var.services;
+    const sessionHelper = c.var.session;
+    const session = sessionHelper.get('user');
+    if (!session) {
+        if (options?.optional) {
+            c.set('verifiedUser', undefined);
+            await next();
+            return;
+        }
+        throw new e.Unauthorized.Error();
+    }
+    try {
+        const userEntity = await services.mikro.user.findBySub(session.sub);
+        c.set('verifiedUser', {
+            user: userEntity,
+            authenticatedAt: session.authenticated_at,
+        });
+    }
+    catch (err) {
+        if (err instanceof TinyAuthError && err.code === 'USER_NOT_FOUND') {
+            sessionHelper.clearAuthSessions();
+            if (options?.optional) {
+                c.set('verifiedUser', undefined);
+                await next();
+                return;
+            }
+            throw new e.Unauthorized.Error();
+        }
+        throw err;
+    }
+    await next();
+});
+export const verifyPending2FAUser = (options) => createMiddleware(async (c, next) => {
+    const services = c.var.services;
+    const sessionHelper = c.var.session;
+    const session = sessionHelper.get('pending2FAUser');
+    if (!session) {
+        if (options?.optional) {
+            c.set('verifiedPending2FAUser', undefined);
+            await next();
+            return;
+        }
+        throw new e.Unauthorized.Error();
+    }
+    try {
+        const userEntity = await services.mikro.user.findBySub(session.sub);
+        c.set('verifiedPending2FAUser', {
+            user: userEntity,
+            authenticatedAt: session.authenticated_at,
+        });
+    }
+    catch (err) {
+        if (err instanceof TinyAuthError && err.code === 'USER_NOT_FOUND') {
+            sessionHelper.clearAuthSessions();
+            if (options?.optional) {
+                c.set('verifiedPending2FAUser', undefined);
+                await next();
+                return;
+            }
+            throw new e.Unauthorized.Error();
+        }
+        throw err;
+    }
+    await next();
+});
+export const verifyPending2FASetupUser = (options) => createMiddleware(async (c, next) => {
+    const services = c.var.services;
+    const sessionHelper = c.var.session;
+    const session = sessionHelper.get('pending2FASetup');
+    if (!session) {
+        if (options?.optional) {
+            c.set('verifiedPending2FASetupUser', undefined);
+            await next();
+            return;
+        }
+        throw new e.Unauthorized.Error();
+    }
+    try {
+        const userEntity = await services.mikro.user.findBySub(session.sub);
+        c.set('verifiedPending2FASetupUser', { user: userEntity });
+    }
+    catch (err) {
+        if (err instanceof TinyAuthError && err.code === 'USER_NOT_FOUND') {
+            sessionHelper.clearAuthSessions();
+            if (options?.optional) {
+                c.set('verifiedPending2FASetupUser', undefined);
+                await next();
+                return;
+            }
+            throw new e.Unauthorized.Error();
+        }
+        throw err;
+    }
+    await next();
+});
+export const verifyPasskeyChallenge = () => createMiddleware(async (c, next) => {
+    const sessionHelper = c.var.session;
+    const challenge = sessionHelper.get('passkey_challenge');
+    if (!challenge) {
+        throw new e.PasskeyChallengeNotFound.Error();
+    }
+    sessionHelper.set('passkey_challenge', undefined);
+    c.set('verifiedPasskeyChallenge', challenge);
+    await next();
+});
+export const verifyOAuth = (options) => createMiddleware(async (c, next) => {
+    const sessionHelper = c.var.session;
+    const oauth = sessionHelper.get('oauth');
+    if (!oauth) {
+        if (options?.optional) {
+            c.set('verifiedOAuth', undefined);
+            await next();
+            return;
+        }
+        throw new e.OAuthSessionExpired.Error();
+    }
+    c.set('verifiedOAuth', oauth);
+    await next();
+});
+//# sourceMappingURL=auth.js.map

package/dist/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,CAAC,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AA0BvD,MAAM,CAAC,MAAM,UAAU,GAAG,CAAmC,OAE5D,EAAE,EAAE,CACH,gBAAgB,CAIb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IACnB,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAChC,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IACpC,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,SAAkB,CAAC,CAAC;YAC1C,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpE,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE;YACpB,IAAI,EAAE,UAAU;YAChB,eAAe,EAAE,OAAO,CAAC,gBAAgB;SAC1C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAClE,aAAa,CAAC,iBAAiB,EAAE,CAAC;YAClC,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;gBACtB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,SAAkB,CAAC,CAAC;gBAC1C,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAUL,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAElC,OAED,EAAE,EAAE,CACH,gBAAgB,CAIb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IACnB,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAChC,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IACpC,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,CAAC,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAkB,CAAC,CAAC;YACpD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpE,CAAC,CAAC,GAAG,CAAC,wBAAwB,EAAE;YAC9B,IAAI,EAAE,UAAU;YAChB,eAAe,EAAE,OAAO,CAAC,gBAAgB;SAC1C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAClE,aAAa,CAAC,iBAAiB,EAAE,CAAC;YAClC,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;gBACtB,CAAC,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAkB,CAAC,CAAC;gBACpD,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAUL,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAEvC,OAED,EAAE,EAAE,CACH,gBAAgB,CAIb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IACnB,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAChC,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IACpC,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACrD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,CAAC,CAAC,GAAG,CAAC,6BAA6B,EAAE,SAAkB,CAAC,CAAC;YACzD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpE,CAAC,CAAC,GAAG,CAAC,6BAA6B,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAClE,aAAa,CAAC,iBAAiB,EAAE,CAAC;YAClC,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;gBACtB,CAAC,CAAC,GAAG,CAAC,6BAA6B,EAAE,SAAkB,CAAC,CAAC;gBACzD,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAQL,MAAM,CAAC,MAAM,sBAAsB,GAAG,GAAG,EAAE,CACzC,gBAAgB,CAGb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IACnB,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IACpC,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACzD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,CAAC,CAAC,wBAAwB,CAAC,KAAK,EAAE,CAAC;IAC/C,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;IAClD,CAAC,CAAC,GAAG,CAAC,0BAA0B,EAAE,SAAS,CAAC,CAAC;IAC7C,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAUL,MAAM,CAAC,MAAM,WAAW,GAAG,CAAmC,OAE7D,EAAE,EAAE,CACH,gBAAgB,CAGb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IACnB,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IACpC,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,SAAkB,CAAC,CAAC;YAC3C,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;IAC9B,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC"}

package/dist/middleware/logger.d.ts

@@ -0,0 +1,18 @@
+import type pino from 'pino';
+/**
+ * Hono env type that declares the `logger` context variable.
+ */
+export type LoggerEnv = {
+    Variables: {
+        logger: pino.Logger;
+    };
+};
+/**
+ * Create the pino logging middleware for Hono.
+ *
+ * Provides:
+ * - Automatic request/response logging (method, path, status, duration)
+ * - Per-request `c.var.logger` child logger with request ID
+ */
+export declare function loggerMiddleware(rootLogger: pino.Logger): import("hono").MiddlewareHandler<LoggerEnv, string, {}, Response>;
+//# sourceMappingURL=logger.d.ts.map

package/dist/middleware/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/middleware/logger.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE;QACT,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC;KACrB,CAAC;CACH,CAAC;AAWF;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,qEAwBvD"}

package/dist/middleware/logger.js

@@ -0,0 +1,38 @@
+import { createMiddleware } from 'hono/factory';
+/**
+ * Determine the pino log level for a response status code.
+ */
+function levelForStatus(status) {
+    if (status >= 500)
+        return 'error';
+    if (status >= 400)
+        return 'warn';
+    return 'info';
+}
+/**
+ * Create the pino logging middleware for Hono.
+ *
+ * Provides:
+ * - Automatic request/response logging (method, path, status, duration)
+ * - Per-request `c.var.logger` child logger with request ID
+ */
+export function loggerMiddleware(rootLogger) {
+    return createMiddleware(async (c, next) => {
+        const reqId = crypto.randomUUID();
+        const child = rootLogger.child({ reqId });
+        c.set('logger', child);
+        const start = performance.now();
+        await next();
+        const responseTime = Math.round(performance.now() - start);
+        const path = c.req.path;
+        const status = c.res.status;
+        const level = levelForStatus(status);
+        const msg = `${c.req.method} ${path} ${status}`;
+        child[level]({
+            req: { method: c.req.method, url: path },
+            res: { status },
+            responseTime,
+        }, msg);
+    });
+}
+//# sourceMappingURL=logger.js.map

package/dist/middleware/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/middleware/logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAYhD;;GAEG;AACH,SAAS,cAAc,CAAC,MAAc;IACpC,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC;IAClC,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IACjC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAuB;IACtD,OAAO,gBAAgB,CAAY,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACnD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1C,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEvB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAE3D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,IAAI,MAAM,EAAE,CAAC;QAEhD,KAAK,CAAC,KAAK,CAAC,CACV;YACE,GAAG,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE;YACxC,GAAG,EAAE,EAAE,MAAM,EAAE;YACf,YAAY;SACb,EACD,GAAG,CACJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/mikro-orm.d.ts

@@ -0,0 +1,3 @@
+import type { ServicesEnv } from './services.ts';
+export declare const mikroOrmMiddleware: import("hono").MiddlewareHandler<ServicesEnv, string, {}, Response>;
+//# sourceMappingURL=mikro-orm.d.ts.map

package/dist/middleware/mikro-orm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mikro-orm.d.ts","sourceRoot":"","sources":["../../src/middleware/mikro-orm.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD,eAAO,MAAM,kBAAkB,qEAS9B,CAAC"}

package/dist/middleware/mikro-orm.js

@@ -0,0 +1,11 @@
+import { RequestContext } from '@mikro-orm/core';
+import { createMiddleware } from 'hono/factory';
+export const mikroOrmMiddleware = createMiddleware(async (c, next) => {
+    const services = c.var.services;
+    await new Promise((resolve, reject) => {
+        RequestContext.create(services.mikro.orm.em, () => {
+            next().then(resolve).catch(reject);
+        });
+    });
+});
+//# sourceMappingURL=mikro-orm.js.map

package/dist/middleware/mikro-orm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mikro-orm.js","sourceRoot":"","sources":["../../src/middleware/mikro-orm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhD,MAAM,CAAC,MAAM,kBAAkB,GAAG,gBAAgB,CAChD,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IAChB,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAChC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE;YAChD,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CACF,CAAC"}

package/dist/middleware/services.d.ts

@@ -0,0 +1,8 @@
+import type { ServiceContainer } from '../services/container.ts';
+export type ServicesEnv = {
+    Variables: {
+        services: ServiceContainer;
+    };
+};
+export declare function servicesMiddleware(services: ServiceContainer): import("hono").MiddlewareHandler<ServicesEnv, string, {}, Response>;
+//# sourceMappingURL=services.d.ts.map

package/dist/middleware/services.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../src/middleware/services.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,MAAM,MAAM,WAAW,GAAG;IAAE,SAAS,EAAE;QAAE,QAAQ,EAAE,gBAAgB,CAAA;KAAE,CAAA;CAAE,CAAC;AAExE,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,gBAAgB,uEAK5D"}

package/dist/middleware/services.js

@@ -0,0 +1,8 @@
+import { createMiddleware } from 'hono/factory';
+export function servicesMiddleware(services) {
+    return createMiddleware(async (c, next) => {
+        c.set('services', services);
+        await next();
+    });
+}
+//# sourceMappingURL=services.js.map

package/dist/middleware/services.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"services.js","sourceRoot":"","sources":["../../src/middleware/services.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAKhD,MAAM,UAAU,kBAAkB,CAAC,QAA0B;IAC3D,OAAO,gBAAgB,CAAc,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACrD,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC5B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/session.d.ts

@@ -0,0 +1,63 @@
+export type SessionEnv = {
+    Variables: {
+        session: SessionHelper;
+    };
+};
+export interface SessionData {
+    /**
+     * Fully authenticated user session.
+     * Set after successful login (password, OAuth, passkey) and 2FA verification.
+     * Cleared when entering pending 2FA states or on logout.
+     */
+    user?: {
+        sub: string;
+        authenticated_at: number;
+    };
+    /**
+     * Intermediate session for users who have passed primary authentication
+     * (e.g., password) but still need to complete 2FA (TOTP) verification.
+     * Promoted to `user` session after successful 2FA, or cleared on failure.
+     */
+    pending2FAUser?: {
+        sub: string;
+        authenticated_at: number;
+    };
+    /**
+     * Intermediate session for users who have registered but need to set up
+     * 2FA (TOTP) before their account is fully activated.
+     * Promoted to `user` session after successful TOTP setup.
+     */
+    pending2FASetup?: {
+        sub: string;
+    };
+    /**
+     * Temporary state for external OAuth provider flows (social login/register/link).
+     * Stored when redirecting to the OAuth provider (authorize endpoint) and
+     * consumed when the provider redirects back (callback endpoint).
+     * Contains CSRF state, PKCE verifier, provider ID, flow mode, and return URL.
+     */
+    oauth?: {
+        state: string;
+        codeVerifier: string;
+        providerId: string;
+        mode: 'login' | 'register' | 'link';
+        returnUrl?: string | undefined;
+    };
+    /**
+     * WebAuthn/passkey challenge string for passkey registration and authentication.
+     * Set when generating passkey options and validated during passkey verification.
+     * Cleared after successful verification.
+     */
+    passkey_challenge?: string;
+}
+export interface SessionHelper {
+    get<K extends keyof SessionData>(key: K): SessionData[K];
+    set<K extends keyof SessionData>(key: K, value: SessionData[K]): void;
+    delete(): void;
+    setUserSession(userSub: string, authenticatedAt?: number): void;
+    setPending2FASession(userSub: string, authenticatedAt?: number): void;
+    setPending2FASetupSession(userSub: string): void;
+    clearAuthSessions(): void;
+}
+export declare function sessionMiddleware(cookieSecret: string, isSecure: boolean): import("hono").MiddlewareHandler<SessionEnv, string, {}, Response>;
+//# sourceMappingURL=session.d.ts.map

package/dist/middleware/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/middleware/session.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,UAAU,GAAG;IAAE,SAAS,EAAE;QAAE,OAAO,EAAE,aAAa,CAAA;KAAE,CAAA;CAAE,CAAC;AAEnE,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,IAAI,CAAC,EAAE;QACL,GAAG,EAAE,MAAM,CAAC;QACZ,gBAAgB,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;;OAIG;IACH,cAAc,CAAC,EAAE;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,gBAAgB,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;;OAIG;IACH,eAAe,CAAC,EAAE;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF;;;;;OAKG;IACH,KAAK,CAAC,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;QACpC,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;KAChC,CAAC;IACF;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,CAAC,SAAS,MAAM,WAAW,EAAE,GAAG,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IACzD,GAAG,CAAC,CAAC,SAAS,MAAM,WAAW,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACtE,MAAM,IAAI,IAAI,CAAC;IACf,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChE,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACjD,iBAAiB,IAAI,IAAI,CAAC;CAC3B;AAED,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,sEA0FxE"}

package/dist/middleware/session.js

@@ -0,0 +1,89 @@
+import { deleteCookie, getCookie, setCookie } from 'hono/cookie';
+import { createMiddleware } from 'hono/factory';
+import { decrypt, encrypt } from "../lib/crypto.js";
+export function sessionMiddleware(cookieSecret, isSecure) {
+    return createMiddleware(async (c, next) => {
+        const cookieValue = getCookie(c, 'session');
+        let sessionData = {};
+        if (cookieValue) {
+            const decrypted = await decrypt(cookieValue, cookieSecret);
+            if (decrypted) {
+                try {
+                    // Cast is acceptable: we encrypt/decrypt our own
+                    // SessionData, so the parsed shape is trusted.
+                    sessionData = JSON.parse(decrypted);
+                }
+                catch {
+                    sessionData = {};
+                }
+            }
+        }
+        let changed = false;
+        const data = new Proxy(sessionData, {
+            set(target, prop, value) {
+                changed = true;
+                return Reflect.set(target, prop, value);
+            },
+            deleteProperty(target, prop) {
+                changed = true;
+                return Reflect.deleteProperty(target, prop);
+            },
+        });
+        c.set('session', {
+            get(key) {
+                return data[key];
+            },
+            set(key, value) {
+                data[key] = value;
+            },
+            delete() {
+                for (const key of Object.keys(data)) {
+                    Reflect.deleteProperty(data, key);
+                }
+            },
+            setUserSession(userSub, authenticatedAt) {
+                delete data.pending2FAUser;
+                delete data.pending2FASetup;
+                data.user = {
+                    sub: userSub,
+                    authenticated_at: authenticatedAt ?? Math.floor(Date.now() / 1000),
+                };
+            },
+            setPending2FASession(userSub, authenticatedAt) {
+                delete data.user;
+                delete data.pending2FASetup;
+                data.pending2FAUser = {
+                    sub: userSub,
+                    authenticated_at: authenticatedAt ?? Math.floor(Date.now() / 1000),
+                };
+            },
+            setPending2FASetupSession(userSub) {
+                delete data.user;
+                delete data.pending2FAUser;
+                data.pending2FASetup = { sub: userSub };
+            },
+            clearAuthSessions() {
+                delete data.user;
+                delete data.pending2FAUser;
+                delete data.pending2FASetup;
+            },
+        });
+        await next();
+        if (changed) {
+            const hasData = Object.values(sessionData).some((v) => v !== undefined);
+            if (hasData) {
+                const encrypted = await encrypt(JSON.stringify(sessionData), cookieSecret);
+                setCookie(c, 'session', encrypted, {
+                    path: '/',
+                    httpOnly: true,
+                    secure: isSecure,
+                    sameSite: 'Lax',
+                });
+            }
+            else {
+                deleteCookie(c, 'session', { path: '/' });
+            }
+        }
+    });
+}
+//# sourceMappingURL=session.js.map

package/dist/middleware/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/middleware/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AA8DpD,MAAM,UAAU,iBAAiB,CAAC,YAAoB,EAAE,QAAiB;IACvE,OAAO,gBAAgB,CAAa,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACpD,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAE5C,IAAI,WAAW,GAAgB,EAAE,CAAC;QAClC,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;YAC3D,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,CAAC;oBACH,iDAAiD;oBACjD,+CAA+C;oBAC/C,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAgB,CAAC;gBACrD,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,GAAG,EAAE,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,GAAgB,IAAI,KAAK,CAAC,WAAW,EAAE;YAC/C,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK;gBACrB,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YAC1C,CAAC;YACD,cAAc,CAAC,MAAM,EAAE,IAAI;gBACzB,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,OAAO,CAAC,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAC9C,CAAC;SACF,CAAC,CAAC;QAEH,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE;YACf,GAAG,CAA8B,GAAM;gBACrC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;YACD,GAAG,CAA8B,GAAM,EAAE,KAAqB;gBAC5D,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACpB,CAAC;YACD,MAAM;gBACJ,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;YACD,cAAc,CAAC,OAAe,EAAE,eAAwB;gBACtD,OAAO,IAAI,CAAC,cAAc,CAAC;gBAC3B,OAAO,IAAI,CAAC,eAAe,CAAC;gBAC5B,IAAI,CAAC,IAAI,GAAG;oBACV,GAAG,EAAE,OAAO;oBACZ,gBAAgB,EAAE,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;iBACnE,CAAC;YACJ,CAAC;YACD,oBAAoB,CAAC,OAAe,EAAE,eAAwB;gBAC5D,OAAO,IAAI,CAAC,IAAI,CAAC;gBACjB,OAAO,IAAI,CAAC,eAAe,CAAC;gBAC5B,IAAI,CAAC,cAAc,GAAG;oBACpB,GAAG,EAAE,OAAO;oBACZ,gBAAgB,EAAE,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;iBACnE,CAAC;YACJ,CAAC;YACD,yBAAyB,CAAC,OAAe;gBACvC,OAAO,IAAI,CAAC,IAAI,CAAC;gBACjB,OAAO,IAAI,CAAC,cAAc,CAAC;gBAC3B,IAAI,CAAC,eAAe,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YAC1C,CAAC;YACD,iBAAiB;gBACf,OAAO,IAAI,CAAC,IAAI,CAAC;gBACjB,OAAO,IAAI,CAAC,cAAc,CAAC;gBAC3B,OAAO,IAAI,CAAC,eAAe,CAAC;YAC9B,CAAC;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,EAAE,CAAC;QAEb,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;YACxE,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,OAAO,CAC7B,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAC3B,YAAY,CACb,CAAC;gBACF,SAAS,CAAC,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE;oBACjC,IAAI,EAAE,GAAG;oBACT,QAAQ,EAAE,IAAI;oBACd,MAAM,EAAE,QAAQ;oBAChB,QAAQ,EAAE,KAAK;iBAChB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/trusted-proxy-guard.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Creates a trusted proxy guard middleware.
+ * Only applies IP filtering when trust_proxy is
+ * string or array.
+ */
+export declare function trustedProxyGuard(trustProxy: boolean | number | string | string[]): import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=trusted-proxy-guard.d.ts.map

package/dist/middleware/trusted-proxy-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-proxy-guard.d.ts","sourceRoot":"","sources":["../../src/middleware/trusted-proxy-guard.ts"],"names":[],"mappings":"AAKA;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,+DAuCjD"}

package/dist/middleware/trusted-proxy-guard.js

@@ -0,0 +1,34 @@
+import { createMiddleware } from 'hono/factory';
+import { isTrustedProxy } from "../lib/ip-utils.js";
+import { e } from "../schemas/error.js";
+/**
+ * Creates a trusted proxy guard middleware.
+ * Only applies IP filtering when trust_proxy is
+ * string or array.
+ */
+export function trustedProxyGuard(trustProxy) {
+    const requiresFiltering = typeof trustProxy === 'string' || Array.isArray(trustProxy);
+    if (!requiresFiltering) {
+        // No filtering needed, pass through
+        return createMiddleware(async (_c, next) => {
+            await next();
+        });
+    }
+    return createMiddleware(async (c, next) => {
+        // Access raw Node.js socket for remote address
+        // @hono/node-server provides connInfo via env
+        const connInfo = c.env?.connInfo;
+        const remoteAddress = connInfo?.remote?.address ??
+            // Fallback: try to get from raw node request
+            c.env?.incoming?.socket?.remoteAddress;
+        if (!remoteAddress) {
+            throw new e.UntrustedProxy.Error();
+        }
+        const isTrusted = isTrustedProxy(remoteAddress, trustProxy);
+        if (!isTrusted) {
+            throw new e.UntrustedProxy.Error();
+        }
+        await next();
+    });
+}
+//# sourceMappingURL=trusted-proxy-guard.js.map

package/dist/middleware/trusted-proxy-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-proxy-guard.js","sourceRoot":"","sources":["../../src/middleware/trusted-proxy-guard.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAExC;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,UAAgD;IAEhD,MAAM,iBAAiB,GACrB,OAAO,UAAU,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAE9D,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,oCAAoC;QACpC,OAAO,gBAAgB,CAAC,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;YACzC,MAAM,IAAI,EAAE,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,+CAA+C;QAC/C,8CAA8C;QAC9C,MAAM,QAAQ,GAAI,CAAC,CAAC,GAA+B,EAAE,QAAQ,CAAC;QAC9D,MAAM,aAAa,GACjB,QAAQ,EAAE,MAAM,EAAE,OAAO;YACzB,6CAA6C;YAE3C,CAAC,CAAC,GAKH,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC;QAErC,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAE5D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/repositories/email-verification.repository.d.ts

@@ -0,0 +1,18 @@
+import { EntityRepository } from '@mikro-orm/core';
+import type { IEmailVerificationEntity } from '../entities/email-verification.entity.ts';
+export declare class EmailVerificationRepository extends EntityRepository<IEmailVerificationEntity> {
+    /**
+     * Generate and store a new email verification token
+     * @returns The created verification entity with token
+     */
+    generateToken(params: {
+        userSub: string;
+        expiresInHours?: number;
+    }): Promise<IEmailVerificationEntity>;
+    /**
+     * Verify a token and mark it as used
+     * @returns The verified entity with user populated, or null if invalid
+     */
+    verifyToken(token: string): Promise<IEmailVerificationEntity | null>;
+}
+//# sourceMappingURL=email-verification.repository.d.ts.map

package/dist/repositories/email-verification.repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.repository.d.ts","sourceRoot":"","sources":["../../src/repositories/email-verification.repository.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAO,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,0CAA0C,CAAC;AAGzF,qBAAa,2BAA4B,SAAQ,gBAAgB,CAAC,wBAAwB,CAAC;IACzF;;;OAGG;IACG,aAAa,CAAC,MAAM,EAAE;QAC1B,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IA0BrC;;;OAGG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC;CAuB3E"}

package/dist/repositories/email-verification.repository.js

@@ -0,0 +1,47 @@
+import { EntityRepository, ref } from '@mikro-orm/core';
+import { UserEntity } from "../entities/user.entity.js";
+export class EmailVerificationRepository extends EntityRepository {
+    /**
+     * Generate and store a new email verification token
+     * @returns The created verification entity with token
+     */
+    async generateToken(params) {
+        const token = crypto.randomUUID();
+        const expiresInHours = params.expiresInHours || 24;
+        const expiresAt = new Date(Date.now() + expiresInHours * 60 * 60 * 1000);
+        const previousTokens = await this.find({
+            user: ref(UserEntity, params.userSub),
+            verified: false,
+        });
+        for (const prevToken of previousTokens) {
+            prevToken.expiresAt = new Date(); // Expire immediately
+        }
+        const entity = this.create({
+            user: params.userSub,
+            token,
+            expiresAt,
+        });
+        this.getEntityManager().persist(entity);
+        return entity;
+    }
+    /**
+     * Verify a token and mark it as used
+     * @returns The verified entity with user populated, or null if invalid
+     */
+    async verifyToken(token) {
+        const entity = await this.findOne({ token, verified: false }, { populate: ['user'] });
+        if (!entity) {
+            return null;
+        }
+        // Check if expired
+        if (entity.expiresAt < new Date()) {
+            return null;
+        }
+        // Mark as verified
+        entity.verified = true;
+        entity.verifiedAt = new Date();
+        await this.getEntityManager().flush();
+        return entity;
+    }
+}
+//# sourceMappingURL=email-verification.repository.js.map

package/dist/repositories/email-verification.repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.repository.js","sourceRoot":"","sources":["../../src/repositories/email-verification.repository.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAExD,MAAM,OAAO,2BAA4B,SAAQ,gBAA0C;IACzF;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,MAGnB;QACC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAElC,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAEzE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC;YACrC,IAAI,EAAE,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC;YACrC,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;QAEH,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,SAAS,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC,qBAAqB;QACzD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACzB,IAAI,EAAE,MAAM,CAAC,OAAO;YACpB,KAAK;YACL,SAAS;SACV,CAAC,CAAC;QAEH,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAC/B,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,EAC1B,EAAE,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,CACvB,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;QACvB,MAAM,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC;QAE/B,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,KAAK,EAAE,CAAC;QAEtC,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/repositories/jwt-key.repository.d.ts

@@ -0,0 +1,49 @@
+import { EntityRepository } from '@mikro-orm/core';
+import { type JwtKeyEntity } from '../entities/jwt-key.entity.ts';
+/**
+ * Repository for JWT Key management
+ *
+ * Handles CRUD operations and queries for RSA key pairs
+ * used in JWT signing and verification.
+ */
+export declare class JwtKeyRepository extends EntityRepository<JwtKeyEntity> {
+    /**
+     * Get the currently active signing key
+     *
+     * @returns Active key with private_key loaded, or null if none exists
+     */
+    getActiveKey(): Promise<JwtKeyEntity | null>;
+    /**
+     * Get all keys valid for token verification (active + previous)
+     *
+     * @returns Array of keys that can verify tokens
+     */
+    getVerificationKeys(): Promise<JwtKeyEntity[]>;
+    /**
+     * Get all keys to expose in JWKS endpoint (public keys only)
+     *
+     * @returns Array of active and previous keys for JWKS
+     */
+    getPublicKeys(): Promise<JwtKeyEntity[]>;
+    /**
+     * Get key by kid for verification
+     *
+     * @param kid - Key ID from JWT header
+     * @returns Key entity or null
+     */
+    getByKid(kid: string): Promise<JwtKeyEntity | null>;
+    /**
+     * Get the next key waiting to be activated
+     *
+     * @returns Next key or null
+     */
+    getNextKey(): Promise<JwtKeyEntity | null>;
+    /**
+     * Get keys that should be retired (past overlap period)
+     *
+     * @param overlapDays - Number of days to keep previous keys
+     * @returns Keys that should be retired
+     */
+    getKeysToRetire(overlapDays: number): Promise<JwtKeyEntity[]>;
+}
+//# sourceMappingURL=jwt-key.repository.d.ts.map

package/dist/repositories/jwt-key.repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-key.repository.d.ts","sourceRoot":"","sources":["../../src/repositories/jwt-key.repository.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,KAAK,YAAY,EAAgB,MAAM,+BAA+B,CAAC;AAEhF;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,gBAAgB,CAAC,YAAY,CAAC;IAClE;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAOlD;;;;OAIG;IACG,mBAAmB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAMpD;;;;OAIG;IACG,aAAa,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAW9C;;;;;OAKG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAIzD;;;;OAIG;IACG,UAAU,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAOhD;;;;;OAKG;IACG,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CASpE"}