@tyravel/auth 0.1.0

package/dist/oauth.js

@@ -0,0 +1,178 @@
+import { randomBytes } from 'node:crypto';
+import { QueryBuilder } from '@tyravel/database';
+export class GithubOAuthDriver {
+    config;
+    name = 'github';
+    constructor(config) {
+        this.config = config;
+    }
+    authorizationUrl(state) {
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            scope: (this.config.scopes ?? ['user:email']).join(' '),
+            state,
+        });
+        return `https://github.com/login/oauth/authorize?${params}`;
+    }
+    async exchangeCode(code) {
+        const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
+            method: 'POST',
+            headers: {
+                accept: 'application/json',
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                code,
+                redirect_uri: this.config.redirectUri,
+            }),
+        });
+        const tokenJson = (await tokenRes.json());
+        if (!tokenJson.access_token) {
+            throw new Error(tokenJson.error ?? 'OAuth token exchange failed');
+        }
+        const userRes = await fetch('https://api.github.com/user', {
+            headers: {
+                authorization: `Bearer ${tokenJson.access_token}`,
+                accept: 'application/json',
+                'user-agent': 'tyravel-auth',
+            },
+        });
+        const user = (await userRes.json());
+        return {
+            id: String(user.id),
+            email: user.email ?? null,
+            name: user.name ?? user.login ?? null,
+            avatar: user.avatar_url ?? null,
+        };
+    }
+}
+export class GoogleOAuthDriver {
+    config;
+    name = 'google';
+    constructor(config) {
+        this.config = config;
+    }
+    authorizationUrl(state) {
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: 'code',
+            scope: (this.config.scopes ?? ['openid', 'email', 'profile']).join(' '),
+            state,
+            access_type: 'online',
+        });
+        return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+    }
+    async exchangeCode(code) {
+        const tokenRes = await fetch('https://oauth2.googleapis.com/token', {
+            method: 'POST',
+            headers: { 'content-type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                code,
+                grant_type: 'authorization_code',
+                redirect_uri: this.config.redirectUri,
+            }),
+        });
+        const tokenJson = (await tokenRes.json());
+        if (!tokenJson.access_token) {
+            throw new Error(tokenJson.error ?? 'OAuth token exchange failed');
+        }
+        const userRes = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+            headers: { authorization: `Bearer ${tokenJson.access_token}` },
+        });
+        const user = (await userRes.json());
+        return {
+            id: user.id,
+            email: user.email ?? null,
+            name: user.name ?? null,
+            avatar: user.picture ?? null,
+        };
+    }
+}
+export class OAuthManager {
+    connection;
+    accountsTable;
+    userModel;
+    drivers = new Map();
+    constructor(providers, connection, accountsTable, userModel) {
+        this.connection = connection;
+        this.accountsTable = accountsTable;
+        this.userModel = userModel;
+        for (const [name, config] of Object.entries(providers)) {
+            if (name === 'github') {
+                this.drivers.set(name, new GithubOAuthDriver(config));
+            }
+            else if (name === 'google') {
+                this.drivers.set(name, new GoogleOAuthDriver(config));
+            }
+        }
+    }
+    createState() {
+        return randomBytes(24).toString('base64url');
+    }
+    redirectUrl(provider, state) {
+        const driver = this.drivers.get(provider);
+        if (!driver) {
+            throw new Error(`OAuth provider not configured: ${provider}`);
+        }
+        return driver.authorizationUrl(state);
+    }
+    async handleCallback(provider, code) {
+        const driver = this.drivers.get(provider);
+        if (!driver) {
+            throw new Error(`OAuth provider not configured: ${provider}`);
+        }
+        return driver.exchangeCode(code);
+    }
+    async findOrCreateUser(provider, profile) {
+        const existing = await new QueryBuilder(this.connection, this.accountsTable)
+            .where('provider', provider)
+            .where('provider_user_id', profile.id)
+            .first();
+        if (existing) {
+            const user = await this.userModel.find(existing.user_id);
+            if (user) {
+                return user;
+            }
+        }
+        const ModelClass = this.userModel;
+        let user = null;
+        if (profile.email) {
+            user = (await ModelClass.query()
+                .where('email', profile.email)
+                .firstModel());
+        }
+        if (!user) {
+            const now = Math.floor(Date.now() / 1000);
+            const inserted = await ModelClass.query().insert({
+                name: profile.name ?? 'User',
+                email: profile.email ?? `${provider}-${profile.id}@oauth.local`,
+                password: randomBytes(32).toString('hex'),
+                created_at: now,
+                updated_at: now,
+            });
+            user = (await ModelClass.find(inserted));
+        }
+        const linked = await new QueryBuilder(this.connection, this.accountsTable)
+            .where('provider', provider)
+            .where('provider_user_id', profile.id)
+            .first();
+        if (!linked) {
+            await new QueryBuilder(this.connection, this.accountsTable).insert({
+                user_id: Number(user.getAuthIdentifier()),
+                provider,
+                provider_user_id: profile.id,
+                email: profile.email,
+                avatar: profile.avatar,
+                created_at: Math.floor(Date.now() / 1000),
+            });
+        }
+        return user;
+    }
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAyBjD,MAAM,OAAO,iBAAiB;IAGC;IAFpB,IAAI,GAAG,QAAQ,CAAC;IAEzB,YAA6B,MAA2B;QAA3B,WAAM,GAAN,MAAM,CAAqB;IAAG,CAAC;IAE5D,gBAAgB,CAAC,KAAa;QAC5B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACrC,KAAK,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACvD,KAAK;SACN,CAAC,CAAC;QACH,OAAO,4CAA4C,MAAM,EAAE,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6CAA6C,EAAE;YAC1E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvC,IAAI;gBACJ,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACtC,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8C,CAAC;QACvF,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE;YACzD,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,SAAS,CAAC,YAAY,EAAE;gBACjD,MAAM,EAAE,kBAAkB;gBAC1B,YAAY,EAAE,cAAc;aAC7B;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAMjC,CAAC;QAEF,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;YACzB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI;YACrC,MAAM,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI;SAChC,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,iBAAiB;IAGC;IAFpB,IAAI,GAAG,QAAQ,CAAC;IAEzB,YAA6B,MAA2B;QAA3B,WAAM,GAAN,MAAM,CAAqB;IAAG,CAAC;IAE5D,gBAAgB,CAAC,KAAa;QAC5B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACrC,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACvE,KAAK;YACL,WAAW,EAAE,QAAQ;SACtB,CAAC,CAAC;QACH,OAAO,gDAAgD,MAAM,EAAE,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;YAClE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvC,IAAI;gBACJ,UAAU,EAAE,oBAAoB;gBAChC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACtC,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8C,CAAC;QACvF,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,+CAA+C,EAAE;YAC3E,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,SAAS,CAAC,YAAY,EAAE,EAAE;SAC/D,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAKjC,CAAC;QAEF,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;YACzB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI;YACvB,MAAM,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;SAC7B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,YAAY;IAKJ;IACA;IACA;IANF,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE1D,YACE,SAA8C,EAC7B,UAA8B,EAC9B,aAAqB,EACrB,SAA+B;QAF/B,eAAU,GAAV,UAAU,CAAoB;QAC9B,kBAAa,GAAb,aAAa,CAAQ;QACrB,cAAS,GAAT,SAAS,CAAsB;QAEhD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACvD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;YACxD,CAAC;iBAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,WAAW;QACT,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED,WAAW,CAAC,QAAgB,EAAE,KAAa;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,kCAAkC,QAAQ,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,IAAY;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,kCAAkC,QAAQ,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,QAAgB,EAChB,OAAyB;QAEzB,MAAM,QAAQ,GAAG,MAAM,IAAI,YAAY,CAAkB,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;aAC1F,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC;aAC3B,KAAK,CAAC,kBAAkB,EAAE,OAAO,CAAC,EAAE,CAAC;aACrC,KAAK,EAAE,CAAC;QAEX,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,GAAG,MAAO,IAAI,CAAC,SAAiE,CAAC,IAAI,CAC7F,QAAQ,CAAC,OAAO,CACjB,CAAC;YACF,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,IAAkC,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAgE,CAAC;QACzF,IAAI,IAAI,GAA2B,IAAI,CAAC;QAExC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,MAAM,UAAU,CAAC,KAAK,EAAE;iBAC7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC;iBAC7B,UAAU,EAAE,CAA2B,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC;gBAC/C,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,MAAM;gBAC5B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,GAAG,QAAQ,IAAI,OAAO,CAAC,EAAE,cAAc;gBAC/D,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;gBACzC,UAAU,EAAE,GAAG;gBACf,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAA+B,CAAC;QACzE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,YAAY,CAAkB,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;aACxF,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC;aAC3B,KAAK,CAAC,kBAAkB,EAAE,OAAO,CAAC,EAAE,CAAC;aACrC,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;gBACjE,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACzC,QAAQ;gBACR,gBAAgB,EAAE,OAAO,CAAC,EAAE;gBAC5B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;aAC1C,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/oauth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth.test.d.ts.map

package/dist/oauth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.test.d.ts","sourceRoot":"","sources":["../src/oauth.test.ts"],"names":[],"mappings":""}

package/dist/oauth.test.js

@@ -0,0 +1,17 @@
+import { describe, expect, it } from 'vitest';
+import { GithubOAuthDriver } from './oauth.js';
+describe('OAuth drivers', () => {
+    it('builds GitHub authorize URL with state', () => {
+        const driver = new GithubOAuthDriver({
+            clientId: 'cid',
+            clientSecret: 'secret',
+            redirectUri: 'http://localhost/callback',
+            scopes: ['user:email'],
+        });
+        const url = new URL(driver.authorizationUrl('state-123'));
+        expect(url.hostname).toBe('github.com');
+        expect(url.searchParams.get('client_id')).toBe('cid');
+        expect(url.searchParams.get('state')).toBe('state-123');
+    });
+});
+//# sourceMappingURL=oauth.test.js.map

package/dist/oauth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.test.js","sourceRoot":"","sources":["../src/oauth.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,MAAM,GAAG,IAAI,iBAAiB,CAAC;YACnC,QAAQ,EAAE,KAAK;YACf,YAAY,EAAE,QAAQ;YACtB,WAAW,EAAE,2BAA2B;YACxC,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/password-reset-broker.d.ts

@@ -0,0 +1,20 @@
+import type { DatabaseConnection } from '@tyravel/database';
+import type { PasswordBrokerConfig } from './types.js';
+import type { UserProvider } from './user-provider.js';
+export declare class PasswordResetBroker {
+    private readonly connection;
+    private readonly config;
+    private readonly provider;
+    private readonly hasher;
+    constructor(connection: DatabaseConnection, config: PasswordBrokerConfig, provider: UserProvider);
+    sendResetLink(email: string): Promise<string>;
+    reset(input: {
+        email: string;
+        token: string;
+        password: string;
+    }): Promise<void>;
+    private tokenValid;
+    private hashToken;
+    private issueDummyToken;
+}
+//# sourceMappingURL=password-reset-broker.d.ts.map

package/dist/password-reset-broker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset-broker.d.ts","sourceRoot":"","sources":["../src/password-reset-broker.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAI5D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AASvD,qBAAa,mBAAmB;IAI5B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAL3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;gBAGpB,UAAU,EAAE,kBAAkB,EAC9B,MAAM,EAAE,oBAAoB,EAC5B,QAAQ,EAAE,YAAY;IAGnC,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuB7C,KAAK,CAAC,KAAK,EAAE;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,IAAI,CAAC;IA0BjB,OAAO,CAAC,UAAU;IASlB,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,eAAe;CAGxB"}

package/dist/password-reset-broker.js

@@ -0,0 +1,68 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { QueryBuilder } from '@tyravel/database';
+import { Hasher } from './hasher.js';
+import { InvalidResetTokenException } from './authorization-exceptions.js';
+export class PasswordResetBroker {
+    connection;
+    config;
+    provider;
+    hasher = new Hasher();
+    constructor(connection, config, provider) {
+        this.connection = connection;
+        this.config = config;
+        this.provider = provider;
+    }
+    async sendResetLink(email) {
+        const user = await this.provider.retrieveByCredentials({ email });
+        if (!user) {
+            return this.issueDummyToken();
+        }
+        const plainToken = randomBytes(32).toString('hex');
+        const hashed = this.hashToken(plainToken);
+        const now = Math.floor(Date.now() / 1000);
+        await new QueryBuilder(this.connection, this.config.table)
+            .where('email', email)
+            .delete();
+        await new QueryBuilder(this.connection, this.config.table).insert({
+            email,
+            token: hashed,
+            created_at: now,
+        });
+        return plainToken;
+    }
+    async reset(input) {
+        const row = await new QueryBuilder(this.connection, this.config.table)
+            .where('email', input.email)
+            .first();
+        if (!row || !this.tokenValid(row, input.token)) {
+            throw new InvalidResetTokenException();
+        }
+        const user = await this.provider.retrieveByCredentials({ email: input.email });
+        if (!user) {
+            throw new InvalidResetTokenException();
+        }
+        const { Model } = await import('@tyravel/database');
+        const ModelClass = user.constructor;
+        const passwordHash = this.hasher.make(input.password);
+        await ModelClass.query()
+            .where('id', user.getAuthIdentifier())
+            .update({ password: passwordHash });
+        await new QueryBuilder(this.connection, this.config.table)
+            .where('email', input.email)
+            .delete();
+    }
+    tokenValid(row, plain) {
+        const ageMinutes = (Math.floor(Date.now() / 1000) - row.created_at) / 60;
+        if (ageMinutes > this.config.expireMinutes) {
+            return false;
+        }
+        return this.hashToken(plain) === row.token;
+    }
+    hashToken(token) {
+        return createHash('sha256').update(token).digest('hex');
+    }
+    issueDummyToken() {
+        return randomBytes(32).toString('hex');
+    }
+}
+//# sourceMappingURL=password-reset-broker.js.map

package/dist/password-reset-broker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset-broker.js","sourceRoot":"","sources":["../src/password-reset-broker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAW3E,MAAM,OAAO,mBAAmB;IAIX;IACA;IACA;IALF,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;IAEvC,YACmB,UAA8B,EAC9B,MAA4B,EAC5B,QAAsB;QAFtB,eAAU,GAAV,UAAU,CAAoB;QAC9B,WAAM,GAAN,MAAM,CAAsB;QAC5B,aAAQ,GAAR,QAAQ,CAAc;IACtC,CAAC;IAEJ,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC,eAAe,EAAE,CAAC;QAChC,CAAC;QAED,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;aACvD,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC;aACrB,MAAM,EAAE,CAAC;QAEZ,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;YAChE,KAAK;YACL,KAAK,EAAE,MAAM;YACb,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAIX;QACC,MAAM,GAAG,GAAG,MAAM,IAAI,YAAY,CAAW,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;aAC7E,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;aAC3B,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,0BAA0B,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,0BAA0B,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAsC,CAAC;QAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,UAAU,CAAC,KAAK,EAAE;aACrB,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC;aACrC,MAAM,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;QAEtC,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;aACvD,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;aAC3B,MAAM,EAAE,CAAC;IACd,CAAC;IAEO,UAAU,CAAC,GAAa,EAAE,KAAa;QAC7C,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QACzE,IAAI,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC3C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,KAAK,CAAC;IAC7C,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IAEO,eAAe;QACrB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/personal-access-token-repository.d.ts

@@ -0,0 +1,14 @@
+import type { DatabaseConnection } from '@tyravel/database';
+import type { Authenticatable } from './types.js';
+import type { NewAccessToken } from './types.js';
+export declare class PersonalAccessTokenRepository {
+    private readonly connection;
+    private readonly table;
+    private readonly tokenableType;
+    constructor(connection: DatabaseConnection, table: string, tokenableType?: string);
+    createToken(user: Authenticatable, name: string, abilities?: string[], expiresAt?: Date): Promise<NewAccessToken>;
+    findUserIdByBearerToken(bearer: string, lookupUser: (id: number) => Promise<Authenticatable | null>): Promise<Authenticatable | null>;
+    revokeTokensForUser(userId: number): Promise<void>;
+    private hashToken;
+}
+//# sourceMappingURL=personal-access-token-repository.d.ts.map

package/dist/personal-access-token-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-access-token-repository.d.ts","sourceRoot":"","sources":["../src/personal-access-token-repository.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAcjD,qBAAa,6BAA6B;IAEtC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAFb,UAAU,EAAE,kBAAkB,EAC9B,KAAK,EAAE,MAAM,EACb,aAAa,SAAU;IAGpC,WAAW,CACf,IAAI,EAAE,eAAe,EACrB,IAAI,EAAE,MAAM,EACZ,SAAS,GAAE,MAAM,EAAU,EAC3B,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,cAAc,CAAC;IAmBpB,uBAAuB,CAC3B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,GAC1D,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAsB5B,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOxD,OAAO,CAAC,SAAS;CAGlB"}

package/dist/personal-access-token-repository.js

@@ -0,0 +1,55 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { QueryBuilder } from '@tyravel/database';
+export class PersonalAccessTokenRepository {
+    connection;
+    table;
+    tokenableType;
+    constructor(connection, table, tokenableType = 'users') {
+        this.connection = connection;
+        this.table = table;
+        this.tokenableType = tokenableType;
+    }
+    async createToken(user, name, abilities = ['*'], expiresAt) {
+        const plainTextToken = randomBytes(32).toString('hex');
+        const hashed = this.hashToken(plainTextToken);
+        const now = Math.floor(Date.now() / 1000);
+        await new QueryBuilder(this.connection, this.table).insert({
+            tokenable_type: this.tokenableType,
+            tokenable_id: Number(user.getAuthIdentifier()),
+            name,
+            token: hashed,
+            abilities: JSON.stringify(abilities),
+            last_used_at: null,
+            expires_at: expiresAt ? Math.floor(expiresAt.getTime() / 1000) : null,
+            created_at: now,
+        });
+        return { plainTextToken, name, abilities };
+    }
+    async findUserIdByBearerToken(bearer, lookupUser) {
+        const hashed = this.hashToken(bearer);
+        const row = await new QueryBuilder(this.connection, this.table)
+            .where('token', hashed)
+            .first();
+        if (!row) {
+            return null;
+        }
+        if (row.expires_at !== null && row.expires_at < Math.floor(Date.now() / 1000)) {
+            return null;
+        }
+        const now = Math.floor(Date.now() / 1000);
+        await new QueryBuilder(this.connection, this.table)
+            .where('id', row.id)
+            .update({ last_used_at: now });
+        return lookupUser(row.tokenable_id);
+    }
+    async revokeTokensForUser(userId) {
+        await new QueryBuilder(this.connection, this.table)
+            .where('tokenable_type', this.tokenableType)
+            .where('tokenable_id', userId)
+            .delete();
+    }
+    hashToken(token) {
+        return createHash('sha256').update(token).digest('hex');
+    }
+}
+//# sourceMappingURL=personal-access-token-repository.js.map

package/dist/personal-access-token-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-access-token-repository.js","sourceRoot":"","sources":["../src/personal-access-token-repository.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAgBjD,MAAM,OAAO,6BAA6B;IAErB;IACA;IACA;IAHnB,YACmB,UAA8B,EAC9B,KAAa,EACb,gBAAgB,OAAO;QAFvB,eAAU,GAAV,UAAU,CAAoB;QAC9B,UAAK,GAAL,KAAK,CAAQ;QACb,kBAAa,GAAb,aAAa,CAAU;IACvC,CAAC;IAEJ,KAAK,CAAC,WAAW,CACf,IAAqB,EACrB,IAAY,EACZ,YAAsB,CAAC,GAAG,CAAC,EAC3B,SAAgB;QAEhB,MAAM,cAAc,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;YACzD,cAAc,EAAE,IAAI,CAAC,aAAa;YAClC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC9C,IAAI;YACJ,KAAK,EAAE,MAAM;YACb,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YACpC,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI;YACrE,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;QAEH,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,uBAAuB,CAC3B,MAAc,EACd,UAA2D;QAE3D,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,IAAI,YAAY,CAAW,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC;aACtE,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC;aACtB,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,GAAG,CAAC,UAAU,KAAK,IAAI,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC9E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC;aAChD,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;aACnB,MAAM,CAAC,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAC;QAEjC,OAAO,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,MAAc;QACtC,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC;aAChD,KAAK,CAAC,gBAAgB,EAAE,IAAI,CAAC,aAAa,CAAC;aAC3C,KAAK,CAAC,cAAc,EAAE,MAAM,CAAC;aAC7B,MAAM,EAAE,CAAC;IACd,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;CACF"}

package/dist/policy.d.ts

@@ -0,0 +1,3 @@
+export declare abstract class Policy {
+}
+//# sourceMappingURL=policy.d.ts.map

package/dist/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA,8BAAsB,MAAM;CAAG"}

package/dist/policy.js

@@ -0,0 +1,3 @@
+export class Policy {
+}
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA,MAAM,OAAgB,MAAM;CAAG"}

package/dist/session-guard.d.ts

@@ -0,0 +1,26 @@
+import type { TyravelRequest } from '@tyravel/http';
+import type { SessionStore } from './session.js';
+import type { UserProvider } from './user-provider.js';
+import type { Authenticatable, AuthConfig, Guard } from './types.js';
+type WebResponse = globalThis.Response;
+export declare class SessionGuard implements Guard {
+    private readonly provider;
+    private readonly store;
+    private readonly sessionConfig;
+    readonly name: string;
+    private session?;
+    private currentUser;
+    private request?;
+    constructor(name: string, provider: UserProvider, store: SessionStore, sessionConfig: AuthConfig['session']);
+    setRequest(request: TyravelRequest): void;
+    startSession(): Promise<void>;
+    persistSession(response: WebResponse): Promise<WebResponse>;
+    user(): Authenticatable | null;
+    id(): string | number | null;
+    check(): boolean;
+    attempt(credentials: Record<string, string>): Promise<boolean>;
+    login(user: Authenticatable): Promise<void>;
+    logout(): Promise<void>;
+}
+export {};
+//# sourceMappingURL=session-guard.d.ts.map

package/dist/session-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-guard.d.ts","sourceRoot":"","sources":["../src/session-guard.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAGpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAErE,KAAK,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC;AAMvC,qBAAa,YAAa,YAAW,KAAK;IAQtC,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAThC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,OAAO,CAAC,CAAU;IAC1B,OAAO,CAAC,WAAW,CAAgC;IACnD,OAAO,CAAC,OAAO,CAAC,CAAiB;gBAG/B,IAAI,EAAE,MAAM,EACK,QAAQ,EAAE,YAAY,EACtB,KAAK,EAAE,YAAY,EACnB,aAAa,EAAE,UAAU,CAAC,SAAS,CAAC;IAKvD,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI;IAInC,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAqB7B,cAAc,CAAC,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAmBjE,IAAI,IAAI,eAAe,GAAG,IAAI;IAI9B,EAAE,IAAI,MAAM,GAAG,MAAM,GAAG,IAAI;IAI5B,KAAK,IAAI,OAAO;IAIV,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAe9D,KAAK,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAY3C,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAS9B"}

package/dist/session-guard.js

@@ -0,0 +1,118 @@
+import { randomBytes } from 'node:crypto';
+import { InvalidCredentialsException } from './exceptions.js';
+import { Session } from './session.js';
+function sessionKey(guard) {
+    return `auth.${guard}.user_id`;
+}
+export class SessionGuard {
+    provider;
+    store;
+    sessionConfig;
+    name;
+    session;
+    currentUser = null;
+    request;
+    constructor(name, provider, store, sessionConfig) {
+        this.provider = provider;
+        this.store = store;
+        this.sessionConfig = sessionConfig;
+        this.name = name;
+    }
+    setRequest(request) {
+        this.request = request;
+    }
+    async startSession() {
+        if (!this.request) {
+            throw new Error('Request not set on guard');
+        }
+        const cookieName = this.sessionConfig.cookie;
+        const existingId = readCookie(this.request, cookieName);
+        const id = existingId ?? randomBytes(32).toString('base64url');
+        const data = await this.store.read(id);
+        this.session = new Session(id, data);
+        this.request.session = this.session;
+        const userId = this.session.get(sessionKey(this.name));
+        if (userId !== undefined) {
+            this.currentUser = await this.provider.retrieveById(userId);
+            this.request.user = this.currentUser;
+        }
+        else if (!this.request.user) {
+            this.request.user = null;
+        }
+    }
+    async persistSession(response) {
+        if (!this.session) {
+            return response;
+        }
+        if (this.session.isDirty()) {
+            await this.store.write(this.session.id, this.session.all(), this.sessionConfig.lifetimeMinutes);
+            this.session.markClean();
+        }
+        const cookieName = this.sessionConfig.cookie;
+        const maxAge = this.sessionConfig.lifetimeMinutes * 60;
+        return withCookie(response, cookieName, this.session.id, maxAge);
+    }
+    user() {
+        return this.currentUser;
+    }
+    id() {
+        return this.currentUser?.getAuthIdentifier() ?? null;
+    }
+    check() {
+        return this.currentUser !== null;
+    }
+    async attempt(credentials) {
+        const user = await this.provider.retrieveByCredentials(credentials);
+        if (!user) {
+            throw new InvalidCredentialsException();
+        }
+        const valid = await this.provider.validateCredentials(user, credentials);
+        if (!valid) {
+            throw new InvalidCredentialsException();
+        }
+        await this.login(user);
+        return true;
+    }
+    async login(user) {
+        this.currentUser = user;
+        if (!this.session) {
+            throw new Error('Session not started');
+        }
+        this.session.put(sessionKey(this.name), user.getAuthIdentifier());
+        if (this.request) {
+            this.request.user = user;
+        }
+    }
+    async logout() {
+        this.currentUser = null;
+        if (this.session) {
+            this.session.forget(sessionKey(this.name));
+        }
+        if (this.request) {
+            this.request.user = null;
+        }
+    }
+}
+function readCookie(request, name) {
+    const header = request.header('cookie');
+    if (!header) {
+        return undefined;
+    }
+    for (const part of header.split(';')) {
+        const [key, ...rest] = part.trim().split('=');
+        if (key === name) {
+            return decodeURIComponent(rest.join('='));
+        }
+    }
+    return undefined;
+}
+function withCookie(response, name, value, maxAge) {
+    const headers = new Headers(response.headers);
+    headers.append('set-cookie', `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`);
+    return new globalThis.Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+//# sourceMappingURL=session-guard.js.map

package/dist/session-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-guard.js","sourceRoot":"","sources":["../src/session-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAOvC,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,QAAQ,KAAK,UAAU,CAAC;AACjC,CAAC;AAED,MAAM,OAAO,YAAY;IAQJ;IACA;IACA;IATV,IAAI,CAAS;IACd,OAAO,CAAW;IAClB,WAAW,GAA2B,IAAI,CAAC;IAC3C,OAAO,CAAkB;IAEjC,YACE,IAAY,EACK,QAAsB,EACtB,KAAmB,EACnB,aAAoC;QAFpC,aAAQ,GAAR,QAAQ,CAAc;QACtB,UAAK,GAAL,KAAK,CAAc;QACnB,kBAAa,GAAb,aAAa,CAAuB;QAErD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED,UAAU,CAAC,OAAuB;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;QAC7C,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACxD,MAAM,EAAE,GAAG,UAAU,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAEpC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAkB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACxE,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;YAC5D,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;QACvC,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,QAAqB;QACxC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB,IAAI,CAAC,OAAO,CAAC,EAAE,EACf,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAClB,IAAI,CAAC,aAAa,CAAC,eAAe,CACnC,CAAC;YACF,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,eAAe,GAAG,EAAE,CAAC;QACvD,OAAO,UAAU,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACnE,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,EAAE;QACA,OAAO,IAAI,CAAC,WAAW,EAAE,iBAAiB,EAAE,IAAI,IAAI,CAAC;IACvD,CAAC;IAED,KAAK;QACH,OAAO,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,WAAmC;QAC/C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QACpE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,2BAA2B,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACzE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,2BAA2B,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,IAAqB;QAC/B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAClE,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AAED,SAAS,UAAU,CAAC,OAAuB,EAAE,IAAY;IACvD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CACjB,QAAqB,EACrB,IAAY,EACZ,KAAa,EACb,MAAc;IAEd,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,OAAO,CAAC,MAAM,CACZ,YAAY,EACZ,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,6CAA6C,MAAM,EAAE,CAC1F,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC5C,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}

package/dist/session-store.d.ts

@@ -0,0 +1,18 @@
+import type { DatabaseConnection } from '@tyravel/database';
+import type { SessionStore } from './session.js';
+export declare class DatabaseSessionStore implements SessionStore {
+    private readonly connection;
+    private readonly table;
+    constructor(connection: DatabaseConnection, table?: string);
+    read(id: string): Promise<Record<string, unknown>>;
+    write(id: string, data: Record<string, unknown>, lifetimeMinutes: number): Promise<void>;
+    destroy(id: string): Promise<void>;
+    pruneExpired(lifetimeMinutes: number): Promise<void>;
+}
+export declare class MemorySessionStore implements SessionStore {
+    private readonly sessions;
+    read(id: string): Promise<Record<string, unknown>>;
+    write(id: string, data: Record<string, unknown>, _lifetimeMinutes: number): Promise<void>;
+    destroy(id: string): Promise<void>;
+}
+//# sourceMappingURL=session-store.d.ts.map

package/dist/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../src/session-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AASjD,qBAAa,oBAAqB,YAAW,YAAY;IAErD,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,UAAU,EAAE,kBAAkB,EAC9B,KAAK,SAAa;IAG/B,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAgBlD,KAAK,CACT,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,IAAI,CAAC;IA2BV,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlC,YAAY,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAM3D;AAED,qBAAa,kBAAmB,YAAW,YAAY;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA8C;IAEjE,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAIlD,KAAK,CACT,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;IAIV,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}