@venturekit/auth 0.0.0-dev.20260429204013 → 0.0.0-dev.20260430161503

package/dist/server/cognito-client.d.ts

@@ -3,16 +3,17 @@
  *
  * The server flows in this directory all hit the same Cognito User Pool
  * within a Lambda invocation, so we cache one
- * `CognitoIdentityProviderClient` per region. The cache is keyed by region
- * because a single deployment could (in theory) host pools in multiple
- * regions — in practice every flow uses the region from
- * {@link AuthServerConfig.region}, so the cache stays at size 1.
+ * `CognitoIdentityProviderClient` per `(region, endpoint)` tuple. In
+ * production both stay constant per Lambda, so the cache stays at size 1.
+ * In `vk dev` the `endpoint` differs (it points at cognito-local), so we
+ * key on it as well to avoid serving prod-config requests through a
+ * dev-config client when both happen to live in the same process.
  *
  * This module is **not** part of the public API surface; consumers go
  * through `sign-in.ts`, `refresh.ts`, `revoke.ts`.
  */
 import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
-export declare function getCognitoClient(region: string): CognitoIdentityProviderClient;
+export declare function getCognitoClient(region: string, endpoint?: string): CognitoIdentityProviderClient;
 /** Test-only — clear the cached clients between vitest runs. */
 export declare function _resetCognitoClientCacheForTesting(): void;
 //# sourceMappingURL=cognito-client.d.ts.map

package/dist/server/cognito-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cognito-client.d.ts","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAI1F,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,6BAA6B,CAM9E;AAED,gEAAgE;AAChE,wBAAgB,kCAAkC,IAAI,IAAI,CAEzD"}
+{"version":3,"file":"cognito-client.d.ts","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAQ1F,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,6BAA6B,CAa/B;AAED,gEAAgE;AAChE,wBAAgB,kCAAkC,IAAI,IAAI,CAEzD"}

package/dist/server/cognito-client.js

@@ -3,22 +3,33 @@
  *
  * The server flows in this directory all hit the same Cognito User Pool
  * within a Lambda invocation, so we cache one
- * `CognitoIdentityProviderClient` per region. The cache is keyed by region
- * because a single deployment could (in theory) host pools in multiple
- * regions — in practice every flow uses the region from
- * {@link AuthServerConfig.region}, so the cache stays at size 1.
+ * `CognitoIdentityProviderClient` per `(region, endpoint)` tuple. In
+ * production both stay constant per Lambda, so the cache stays at size 1.
+ * In `vk dev` the `endpoint` differs (it points at cognito-local), so we
+ * key on it as well to avoid serving prod-config requests through a
+ * dev-config client when both happen to live in the same process.
  *
  * This module is **not** part of the public API surface; consumers go
  * through `sign-in.ts`, `refresh.ts`, `revoke.ts`.
  */
 import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
 const cache = new Map();
-export function getCognitoClient(region) {
-    const existing = cache.get(region);
+function key(region, endpoint) {
+    return `${region}|${endpoint ?? ''}`;
+}
+export function getCognitoClient(region, endpoint) {
+    const k = key(region, endpoint);
+    const existing = cache.get(k);
     if (existing)
         return existing;
-    const client = new CognitoIdentityProviderClient({ region });
-    cache.set(region, client);
+    const client = new CognitoIdentityProviderClient({
+        region,
+        // When `endpoint` is set the SDK skips its usual host construction
+        // (`https://cognito-idp.<region>.amazonaws.com`) and POSTs to this URL
+        // instead — exactly what we want for cognito-local in dev.
+        ...(endpoint ? { endpoint } : {}),
+    });
+    cache.set(k, client);
     return client;
 }
 /** Test-only — clear the cached clients between vitest runs. */

package/dist/server/cognito-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"cognito-client.js","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAE1F,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyC,CAAC;AAE/D,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7D,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,kCAAkC;IAChD,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
+{"version":3,"file":"cognito-client.js","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAE1F,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyC,CAAC;AAE/D,SAAS,GAAG,CAAC,MAAc,EAAE,QAA4B;IACvD,OAAO,GAAG,MAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,MAAc,EACd,QAAiB;IAEjB,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,6BAA6B,CAAC;QAC/C,MAAM;QACN,mEAAmE;QACnE,uEAAuE;QACvE,2DAA2D;QAC3D,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClC,CAAC,CAAC;IACH,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACrB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,kCAAkC;IAChD,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}

package/dist/server/config.d.ts

@@ -7,12 +7,17 @@
  *   - `region`        — AWS region the user pool lives in
  *   - `userPoolId`    — Cognito User Pool id
  *   - `appClientId`   — Cognito User Pool app client id
+ *   - `endpoint`      — optional override for the Cognito API endpoint
+ *                       (used by `vk dev` to point at the in-docker
+ *                       cognito-local service; never set in deployed
+ *                       Lambdas)
  *
  * Most consumers will call {@link loadAuthServerConfig} which reads these
  * from environment variables (`COGNITO_REGION`/`AWS_REGION`,
- * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`). The VentureKit
- * deploy pipeline injects these into the Lambda environment when an
- * `auth` intent is declared in `vk.config.ts`.
+ * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`, optional
+ * `COGNITO_ENDPOINT`). The VentureKit deploy pipeline injects the first
+ * three into the Lambda environment automatically when an `auth` intent
+ * is declared in `vk.config.ts`.
  *
  * Tests / scripts can pass a `config` argument explicitly to every flow
  * and skip env-var loading entirely.
@@ -21,6 +26,15 @@ export interface AuthServerConfig {
     region: string;
     userPoolId: string;
     appClientId: string;
+    /**
+     * Cognito API endpoint override. When set, all SDK calls
+     * (`signInWithPassword`, `refreshSession`, `revokeRefreshToken`) target
+     * this URL instead of the public AWS endpoint, and JWT verification
+     * uses the generic OIDC verifier with `<endpoint>/<userPoolId>` as the
+     * issuer. `vk dev` populates this with `http://localhost:9229` (the
+     * cognito-local Docker service); deployed Lambdas leave it unset.
+     */
+    endpoint?: string;
 }
 /**
  * Read server-side auth configuration from environment variables.

package/dist/server/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,gBAAgB,CAqBlB"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;;OAOG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,gBAAgB,CAwBlB"}

package/dist/server/config.js

@@ -7,12 +7,17 @@
  *   - `region`        — AWS region the user pool lives in
  *   - `userPoolId`    — Cognito User Pool id
  *   - `appClientId`   — Cognito User Pool app client id
+ *   - `endpoint`      — optional override for the Cognito API endpoint
+ *                       (used by `vk dev` to point at the in-docker
+ *                       cognito-local service; never set in deployed
+ *                       Lambdas)
  *
  * Most consumers will call {@link loadAuthServerConfig} which reads these
  * from environment variables (`COGNITO_REGION`/`AWS_REGION`,
- * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`). The VentureKit
- * deploy pipeline injects these into the Lambda environment when an
- * `auth` intent is declared in `vk.config.ts`.
+ * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`, optional
+ * `COGNITO_ENDPOINT`). The VentureKit deploy pipeline injects the first
+ * three into the Lambda environment automatically when an `auth` intent
+ * is declared in `vk.config.ts`.
  *
  * Tests / scripts can pass a `config` argument explicitly to every flow
  * and skip env-var loading entirely.
@@ -30,6 +35,7 @@ export function loadAuthServerConfig(env = process.env) {
     const region = env['COGNITO_REGION'] ?? env['AWS_REGION'];
     const userPoolId = env['COGNITO_USER_POOL_ID'];
     const appClientId = env['COGNITO_APP_CLIENT_ID'];
+    const endpoint = env['COGNITO_ENDPOINT'];
     const missing = [];
     if (!region)
         missing.push('COGNITO_REGION (or AWS_REGION)');
@@ -40,13 +46,15 @@ export function loadAuthServerConfig(env = process.env) {
     if (missing.length > 0) {
         throw new Error(`[@venturekit/auth/server] missing env var(s): ${missing.join(', ')} — ` +
             `VentureKit's auth intent in vk.config.ts injects these into the Lambda ` +
-            `environment from the deployed user pool. Set them manually in .env.local ` +
-            `for local dev.`);
+            `environment from the deployed user pool. For local dev, run \`vk dev\` ` +
+            `which auto-provisions a cognito-local user pool and writes the IDs ` +
+            `into the dev server's env (or set them manually in .env.local).`);
     }
     return {
         region: region,
         userPoolId: userPoolId,
         appClientId: appClientId,
+        ...(endpoint ? { endpoint } : {}),
     };
 }
 //# sourceMappingURL=config.js.map

package/dist/server/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAQH;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACjD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;YACtE,yEAAyE;YACzE,2EAA2E;YAC3E,gBAAgB,CACnB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAO;QACf,UAAU,EAAE,UAAW;QACvB,WAAW,EAAE,WAAY;KAC1B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAiBH;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACzC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;YACtE,yEAAyE;YACzE,yEAAyE;YACzE,qEAAqE;YACrE,iEAAiE,CACpE,CAAC;IACJ,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAO;QACf,UAAU,EAAE,UAAW;QACvB,WAAW,EAAE,WAAY;QACzB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClC,CAAC;AACJ,CAAC"}

package/dist/server/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAKzD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;IAC3B;;;;OAIG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,2BAAgC,GACxC,UAAU,CAAC,cAAc,CAAC,CAgC5B;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,GAAE,MAAwB,GACnC,MAAM,GAAG,IAAI,CAaf"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAKzD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;IAC3B;;;;OAIG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,2BAAgC,GACxC,UAAU,CAAC,cAAc,CAAC,CAiC5B;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,GAAE,MAAwB,GACnC,MAAM,GAAG,IAAI,CAaf"}

package/dist/server/middleware.js

@@ -67,6 +67,7 @@ export function cookieAuthMiddleware(options = {}) {
                     userPoolId: cfg.userPoolId,
                     clientId: cfg.appClientId,
                     tokenUse,
+                    ...(cfg.endpoint ? { endpoint: cfg.endpoint } : {}),
                 });
                 if (claims) {
                     ctx.user = claimsToUserContext(claims);

package/dist/server/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAQH,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAwBnD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAuC,EAAE;IAEzC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,eAAe,CAAC;IACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;IAC1C,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,qEAAqE;IACrE,gDAAgD;IAChD,IAAI,cAAc,GAA4B,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACrE,MAAM,SAAS,GAAG,GAAqB,EAAE;QACvC,IAAI,CAAC,cAAc;YAAE,cAAc,GAAG,oBAAoB,EAAE,CAAC;QAC7D,OAAO,cAAc,CAAC;IACxB,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACtB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE;oBAC1C,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,QAAQ,EAAE,GAAG,CAAC,WAAW;oBACzB,QAAQ;iBACT,CAAC,CAAC;gBACH,IAAI,MAAM,EAAE,CAAC;oBACX,GAAG,CAAC,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,KAA6B,EAC7B,aAAqB,eAAe;IAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAE3D,CAAC;IACd,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACnD,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,CAE/C,CAAC;IACd,OAAO,oBAAoB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA+B;IAE/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9B,sEAAsE;IACtE,oEAAoE;IACpE,mEAAmE;IACnE,0CAA0C;IAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,MAAM,GACV,OAAO,UAAU,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,CAAC,CAAC,EAAE,CAAC;IACT,OAAO;QACL,EAAE,EAAE,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACtC,KAAK,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpD,MAAM;QACN,MAAM;KACP,CAAC;AACJ,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAQH,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAwBnD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAuC,EAAE;IAEzC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,eAAe,CAAC;IACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;IAC1C,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,qEAAqE;IACrE,gDAAgD;IAChD,IAAI,cAAc,GAA4B,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACrE,MAAM,SAAS,GAAG,GAAqB,EAAE;QACvC,IAAI,CAAC,cAAc;YAAE,cAAc,GAAG,oBAAoB,EAAE,CAAC;QAC7D,OAAO,cAAc,CAAC;IACxB,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACtB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE;oBAC1C,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,QAAQ,EAAE,GAAG,CAAC,WAAW;oBACzB,QAAQ;oBACR,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACpD,CAAC,CAAC;gBACH,IAAI,MAAM,EAAE,CAAC;oBACX,GAAG,CAAC,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,KAA6B,EAC7B,aAAqB,eAAe;IAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAE3D,CAAC;IACd,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACnD,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,CAE/C,CAAC;IACd,OAAO,oBAAoB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA+B;IAE/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9B,sEAAsE;IACtE,oEAAoE;IACpE,mEAAmE;IACnE,0CAA0C;IAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,MAAM,GACV,OAAO,UAAU,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,CAAC,CAAC,EAAE,CAAC;IACT,OAAO;QACL,EAAE,EAAE,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACtC,KAAK,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpD,MAAM;QACN,MAAM;KACP,CAAC;AACJ,CAAC"}

package/dist/server/refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,aAAa,CAAC,CA4BxB"}
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,aAAa,CAAC,CA8BxB"}

package/dist/server/refresh.js

@@ -11,6 +11,7 @@ import { InitiateAuthCommand } from '@aws-sdk/client-cognito-identity-provider';
 import { loadAuthServerConfig } from './config.js';
 import { getCognitoClient } from './cognito-client.js';
 import { AuthError, mapProviderError } from './errors.js';
+import { deriveExpiresInFromJwt } from './token-utils.js';
 /**
  * Exchange a refresh token for fresh id + access tokens.
  *
@@ -19,7 +20,7 @@ import { AuthError, mapProviderError } from './errors.js';
  * failures so the user is redirected straight to sign-in.
  */
 export async function refreshSession(refreshToken, config = loadAuthServerConfig()) {
-    const client = getCognitoClient(config.region);
+    const client = getCognitoClient(config.region, config.endpoint);
     let res;
     try {
         res = await client.send(new InitiateAuthCommand({
@@ -32,14 +33,16 @@ export async function refreshSession(refreshToken, config = loadAuthServerConfig
         throw mapProviderError(err, 'refresh_failed');
     }
     const result = res.AuthenticationResult;
-    if (!result?.IdToken || !result.AccessToken || !result.ExpiresIn) {
+    // Tokens MUST be present; `ExpiresIn` is derived from the access
+    // token's `exp` claim when the provider omits it (see `sign-in.ts`).
+    if (!result?.IdToken || !result.AccessToken) {
         throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete refresh result', 500);
     }
     return {
         idToken: result.IdToken,
         accessToken: result.AccessToken,
         refreshToken: '',
-        expiresIn: result.ExpiresIn,
+        expiresIn: result.ExpiresIn ?? deriveExpiresInFromJwt(result.AccessToken),
     };
 }
 //# sourceMappingURL=refresh.js.map

package/dist/server/refresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAEhF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAe1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACjE,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,yDAAyD,EACzD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAEhF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAe1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC;IACxC,iEAAiE;IACjE,qEAAqE;IACrE,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,yDAAyD,EACzD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}

package/dist/server/revoke.js

@@ -17,7 +17,7 @@ import { getCognitoClient } from './cognito-client.js';
  * the function never throws.
  */
 export async function revokeRefreshToken(refreshToken, config = loadAuthServerConfig()) {
-    const client = getCognitoClient(config.region);
+    const client = getCognitoClient(config.region, config.endpoint);
     try {
         await client.send(new RevokeTokenCommand({
             ClientId: config.appClientId,

package/dist/server/revoke.js.map

@@ -1 +1 @@
-{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/server/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2CAA2C,CAAC;AAE/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,kBAAkB,CAAC;YACrB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,KAAK,EAAE,YAAY;SACpB,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sCAAsC;QACtC,OAAO,CAAC,IAAI,CAAC,kEAAkE,EAAE,GAAG,CAAC,CAAC;IACxF,CAAC;AACH,CAAC"}
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/server/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2CAA2C,CAAC;AAE/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,kBAAkB,CAAC;YACrB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,KAAK,EAAE,YAAY;SACpB,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sCAAsC;QACtC,OAAO,CAAC,IAAI,CAAC,kEAAkE,EAAE,GAAG,CAAC,CAAC;IACxF,CAAC;AACH,CAAC"}

package/dist/server/sign-in.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign-in.d.ts","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAkBvB"}
+{"version":3,"file":"sign-in.d.ts","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAOH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAMpD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAsCvB"}

package/dist/server/sign-in.js

@@ -20,6 +20,7 @@ import { InitiateAuthCommand, } from '@aws-sdk/client-cognito-identity-provider'
 import { loadAuthServerConfig } from './config.js';
 import { getCognitoClient } from './cognito-client.js';
 import { AuthError, mapProviderError } from './errors.js';
+import { deriveExpiresInFromJwt } from './token-utils.js';
 /**
  * Authenticate a user with email + password and return freshly-minted
  * id, access, and refresh tokens.
@@ -29,7 +30,7 @@ import { AuthError, mapProviderError } from './errors.js';
  *                     {@link loadAuthServerConfig}.
  */
 export async function signInWithPassword(credentials, config = loadAuthServerConfig()) {
-    const client = getCognitoClient(config.region);
+    const client = getCognitoClient(config.region, config.endpoint);
     let res;
     try {
         res = await client.send(new InitiateAuthCommand({
@@ -44,20 +45,47 @@ export async function signInWithPassword(credentials, config = loadAuthServerCon
     catch (err) {
         throw mapProviderError(err, 'auth_failed');
     }
+    // Cognito returns one of three shapes:
+    //   1. `AuthenticationResult` — success, tokens are present
+    //   2. `ChallengeName` + `Session` — credentials OK but additional step
+    //      needed (NEW_PASSWORD_REQUIRED, MFA_SETUP, SMS_MFA, …)
+    //   3. neither — only happens with broken/misconfigured providers
+    //
+    // We don't auto-resolve challenges — surfacing the challenge name lets
+    // callers implement the right flow. The most common one in dev is
+    // NEW_PASSWORD_REQUIRED, which fires when a user was created with
+    // `admin-create-user --temporary-password` but never had
+    // `admin-set-user-password --permanent` run against them.
+    if (res.ChallengeName) {
+        throw new AuthError('auth_challenge_required', challengeMessage(res.ChallengeName), 400);
+    }
     return extractSignInTokens(res.AuthenticationResult);
 }
+function challengeMessage(challengeName) {
+    const base = `Identity provider requires challenge: ${challengeName}.`;
+    if (challengeName === 'NEW_PASSWORD_REQUIRED') {
+        return (base +
+            ' User is in FORCE_CHANGE_PASSWORD state — set a permanent password' +
+            ' (local dev: `aws cognito-idp admin-set-user-password --permanent`;' +
+            ' prod: complete the new-password flow client-side).');
+    }
+    return base;
+}
 function extractSignInTokens(result) {
+    // Tokens themselves MUST be present. `ExpiresIn` is derived from the
+    // access-token's `exp` claim when the response omits it — real AWS
+    // always sends it, but some OSS compatibles (cognito-local) don't,
+    // and the tokens are usable regardless.
     if (!result?.IdToken ||
         !result.AccessToken ||
-        !result.RefreshToken ||
-        !result.ExpiresIn) {
+        !result.RefreshToken) {
         throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete authentication result', 500);
     }
     return {
         idToken: result.IdToken,
         accessToken: result.AccessToken,
         refreshToken: result.RefreshToken,
-        expiresIn: result.ExpiresIn,
+        expiresIn: result.ExpiresIn ?? deriveExpiresInFromJwt(result.AccessToken),
     };
 }
 //# sourceMappingURL=sign-in.js.map

package/dist/server/sign-in.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign-in.js","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,mBAAmB,GAEpB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAe1D;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE;gBACzC,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4C;IAE5C,IACE,CAAC,MAAM,EAAE,OAAO;QAChB,CAAC,MAAM,CAAC,WAAW;QACnB,CAAC,MAAM,CAAC,YAAY;QACpB,CAAC,MAAM,CAAC,SAAS,EACjB,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"sign-in.js","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,mBAAmB,GAGpB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAe1D;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAA8B,CAAC;IACnC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE;gBACzC,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED,uCAAuC;IACvC,4DAA4D;IAC5D,wEAAwE;IACxE,6DAA6D;IAC7D,kEAAkE;IAClE,EAAE;IACF,uEAAuE;IACvE,kEAAkE;IAClE,kEAAkE;IAClE,yDAAyD;IACzD,0DAA0D;IAC1D,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,EACnC,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAqB;IAC7C,MAAM,IAAI,GAAG,yCAAyC,aAAa,GAAG,CAAC;IACvE,IAAI,aAAa,KAAK,uBAAuB,EAAE,CAAC;QAC9C,OAAO,CACL,IAAI;YACJ,oEAAoE;YACpE,qEAAqE;YACrE,qDAAqD,CACtD,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4C;IAE5C,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,wCAAwC;IACxC,IACE,CAAC,MAAM,EAAE,OAAO;QAChB,CAAC,MAAM,CAAC,WAAW;QACnB,CAAC,MAAM,CAAC,YAAY,EACpB,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}

package/dist/server/token-utils.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Internal token-introspection helpers.
+ *
+ * The Cognito SDK returns `ExpiresIn` alongside every successful
+ * `InitiateAuthCommand`, but some OSS Cognito compatibles
+ * (notably `cognito-local`) omit that top-level field even when the
+ * tokens themselves carry a perfectly valid `exp` claim. Rather than
+ * treat those responses as fatal, we derive the remaining lifetime
+ * from the access token itself.
+ *
+ * This file intentionally has no `@venturekit/auth/server` surface
+ * exposure — it's consumed by `sign-in.ts` and `refresh.ts` only.
+ */
+/** Cognito's default access-token lifetime (1 hour). */
+export declare const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = 3600;
+/**
+ * Compute seconds-until-expiry from a JWT's `exp` claim, preferring
+ * `exp - now` (the actual remaining validity) and falling back to
+ * `exp - iat` if the system clock is off. Returns the Cognito default
+ * when the token is malformed or lacks a usable `exp`.
+ *
+ * This function does NOT verify the token's signature — the caller is
+ * expected to trust the minting provider (a fresh response from
+ * `InitiateAuthCommand`). Use `verifyAndDecode` for untrusted input.
+ */
+export declare function deriveExpiresInFromJwt(jwt: string, nowSeconds?: number): number;
+//# sourceMappingURL=token-utils.d.ts.map

package/dist/server/token-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-utils.d.ts","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,wDAAwD;AACxD,eAAO,MAAM,gCAAgC,OAAO,CAAC;AAErD;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,UAAU,GAAE,MAAsC,GACjD,MAAM,CAgBR"}

package/dist/server/token-utils.js

@@ -0,0 +1,63 @@
+/**
+ * Internal token-introspection helpers.
+ *
+ * The Cognito SDK returns `ExpiresIn` alongside every successful
+ * `InitiateAuthCommand`, but some OSS Cognito compatibles
+ * (notably `cognito-local`) omit that top-level field even when the
+ * tokens themselves carry a perfectly valid `exp` claim. Rather than
+ * treat those responses as fatal, we derive the remaining lifetime
+ * from the access token itself.
+ *
+ * This file intentionally has no `@venturekit/auth/server` surface
+ * exposure — it's consumed by `sign-in.ts` and `refresh.ts` only.
+ */
+/** Cognito's default access-token lifetime (1 hour). */
+export const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = 3600;
+/**
+ * Compute seconds-until-expiry from a JWT's `exp` claim, preferring
+ * `exp - now` (the actual remaining validity) and falling back to
+ * `exp - iat` if the system clock is off. Returns the Cognito default
+ * when the token is malformed or lacks a usable `exp`.
+ *
+ * This function does NOT verify the token's signature — the caller is
+ * expected to trust the minting provider (a fresh response from
+ * `InitiateAuthCommand`). Use `verifyAndDecode` for untrusted input.
+ */
+export function deriveExpiresInFromJwt(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
+    const payload = decodeJwtPayload(jwt);
+    if (!payload)
+        return DEFAULT_ACCESS_TOKEN_TTL_SECONDS;
+    const exp = typeof payload.exp === 'number' ? payload.exp : undefined;
+    const iat = typeof payload.iat === 'number' ? payload.iat : undefined;
+    if (exp === undefined)
+        return DEFAULT_ACCESS_TOKEN_TTL_SECONDS;
+    const remaining = exp - nowSeconds;
+    if (remaining > 0)
+        return remaining;
+    // Clock skew fallback — prefer minted lifetime over a negative remaining.
+    if (iat !== undefined && exp > iat)
+        return exp - iat;
+    return DEFAULT_ACCESS_TOKEN_TTL_SECONDS;
+}
+/**
+ * Base64url-decode and JSON.parse a JWT payload. Returns `null` on any
+ * failure — callers fall back to a default.
+ */
+function decodeJwtPayload(jwt) {
+    if (typeof jwt !== 'string' || jwt.length === 0)
+        return null;
+    const parts = jwt.split('.');
+    if (parts.length < 2)
+        return null;
+    try {
+        const decoded = Buffer.from(parts[1], 'base64url').toString('utf8');
+        const obj = JSON.parse(decoded);
+        if (obj && typeof obj === 'object')
+            return obj;
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=token-utils.js.map

package/dist/server/token-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-utils.js","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,wDAAwD;AACxD,MAAM,CAAC,MAAM,gCAAgC,GAAG,IAAI,CAAC;AAErD;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAW,EACX,aAAqB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAElD,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,gCAAgC,CAAC;IAEtD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAEtE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,gCAAgC,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;IACnC,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAEpC,0EAA0E;IAC1E,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG;QAAE,OAAO,GAAG,GAAG,GAAG,CAAC;IAErD,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;QAC3C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAA8B,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/server/verify.d.ts

@@ -1,21 +1,58 @@
 /**
  * JWT verification against a Cognito User Pool's JWKS.
  *
- * Wraps `aws-jwt-verify`'s `CognitoJwtVerifier` so consumers don't take
- * a direct dependency on it. The verifier is cached per
- * `(userPoolId, tokenUse, clientId)` tuple so the JWKS is fetched once
- * per cold start.
+ * Wraps `aws-jwt-verify` so consumers don't take a direct dependency on
+ * it. Two code paths:
+ *
+ *   1. **Production** — `CognitoJwtVerifier` builds the issuer + JWKS URL
+ *      from the user-pool id (`https://cognito-idp.<region>.amazonaws.com/<userPoolId>`).
+ *   2. **`vk dev` (cognito-local)** — when `endpoint` is set we fall
+ *      through to the generic `JwtVerifier` with an explicit issuer
+ *      (`<endpoint>/<userPoolId>`) and `jwksUri`
+ *      (`<endpoint>/<userPoolId>/.well-known/jwks.json`). The
+ *      Cognito-specific `token_use` + `client_id` checks are reapplied
+ *      via `validateCognitoJwtFields`.
+ *
+ * The verifier is cached per `(userPoolId, tokenUse, clientId, endpoint)`
+ * tuple so the JWKS is fetched once per cold start.
  *
  * Use this when API Gateway is NOT fronting your Lambda with a Cognito
  * Authorizer — for example, cookie-based sessions where the Lambda
  * itself reads the cookie and verifies the token.
  */
+import { type JsonFetcher } from 'aws-jwt-verify/https';
+import type { Json } from 'aws-jwt-verify/safe-json-parse';
 export interface VerifyOptions {
     userPoolId: string;
     /** App client id(s) the token must have been issued to. */
     clientId?: string | string[];
     /** Defaults to `'access'`. Use `'id'` for id tokens. */
     tokenUse?: 'access' | 'id';
+    /**
+     * Cognito API endpoint override. When set, JWTs are validated as
+     * generic OIDC tokens with `<endpoint>/<userPoolId>` as the expected
+     * issuer (Cognito-specific fields are still checked via
+     * `validateCognitoJwtFields`). Used by `vk dev` to verify tokens
+     * minted by cognito-local; deployed Lambdas leave it undefined.
+     */
+    endpoint?: string;
+}
+/**
+ * `JsonFetcher` that transparently handles `http://` URIs by routing
+ * them through Node's `http` module. The library's stock
+ * `SimpleJsonFetcher` is hardcoded to `https`-only — see
+ * `aws-jwt-verify/dist/esm/https-node.js`'s `https.request` call —
+ * which is what we want in production but breaks against
+ * cognito-local's plain-HTTP JWKS endpoint and surfaces as
+ * `ERR_INVALID_PROTOCOL: Protocol "http:" not supported. Expected
+ * "https:"` from inside the verify error path.
+ *
+ * Exported for direct unit testing.
+ */
+export declare class HttpAwareJsonFetcher implements JsonFetcher {
+    private readonly httpsFallback;
+    constructor(httpsFallback?: JsonFetcher);
+    fetch: (uri: string, requestOptions?: Record<string, unknown>, data?: Buffer) => Promise<Json>;
 }
 /**
  * Verify a Cognito-signed JWT and return its claims, or `null` when the

package/dist/server/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,wDAAwD;IACxD,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC5B;AAcD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAiBzC;AAED,iEAAiE;AACjE,wBAAgB,6BAA6B,IAAI,IAAI,CAEpD"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH,OAAO,EAAqB,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gCAAgC,CAAC;AAG3D,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,wDAAwD;IACxD,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAgCD;;;;;;;;;;;GAWG;AACH,qBAAa,oBAAqB,YAAW,WAAW;IACtD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAc;gBAEhC,aAAa,GAAE,WAAqC;IAIhE,KAAK,GACH,KAAK,MAAM,EACX,iBAAiB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,OAAO,MAAM,KACZ,OAAO,CAAC,IAAI,CAAC,CA0Bd;CACH;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAyDzC;AAED,iEAAiE;AACjE,wBAAgB,6BAA6B,IAAI,IAAI,CAEpD"}

package/dist/server/verify.js

@@ -1,23 +1,92 @@
 /**
  * JWT verification against a Cognito User Pool's JWKS.
  *
- * Wraps `aws-jwt-verify`'s `CognitoJwtVerifier` so consumers don't take
- * a direct dependency on it. The verifier is cached per
- * `(userPoolId, tokenUse, clientId)` tuple so the JWKS is fetched once
- * per cold start.
+ * Wraps `aws-jwt-verify` so consumers don't take a direct dependency on
+ * it. Two code paths:
+ *
+ *   1. **Production** — `CognitoJwtVerifier` builds the issuer + JWKS URL
+ *      from the user-pool id (`https://cognito-idp.<region>.amazonaws.com/<userPoolId>`).
+ *   2. **`vk dev` (cognito-local)** — when `endpoint` is set we fall
+ *      through to the generic `JwtVerifier` with an explicit issuer
+ *      (`<endpoint>/<userPoolId>`) and `jwksUri`
+ *      (`<endpoint>/<userPoolId>/.well-known/jwks.json`). The
+ *      Cognito-specific `token_use` + `client_id` checks are reapplied
+ *      via `validateCognitoJwtFields`.
+ *
+ * The verifier is cached per `(userPoolId, tokenUse, clientId, endpoint)`
+ * tuple so the JWKS is fetched once per cold start.
  *
  * Use this when API Gateway is NOT fronting your Lambda with a Cognito
  * Authorizer — for example, cookie-based sessions where the Lambda
  * itself reads the cookie and verifies the token.
  */
-import { CognitoJwtVerifier } from 'aws-jwt-verify';
+import http from 'node:http';
+import { CognitoJwtVerifier, JwtRsaVerifier } from 'aws-jwt-verify';
+import { validateCognitoJwtFields } from 'aws-jwt-verify/cognito-verifier';
+import { SimpleJsonFetcher } from 'aws-jwt-verify/https';
+import { SimpleJwksCache } from 'aws-jwt-verify/jwk';
 const verifierCache = new Map();
 function cacheKey(opts) {
     const tokenUse = opts.tokenUse ?? 'access';
     const clientId = Array.isArray(opts.clientId)
         ? opts.clientId.join(',')
         : (opts.clientId ?? 'null');
-    return `${opts.userPoolId}|${tokenUse}|${clientId}`;
+    const endpoint = opts.endpoint ?? '';
+    return `${opts.userPoolId}|${tokenUse}|${clientId}|${endpoint}`;
+}
+/**
+ * Strip a trailing slash from a URL so subsequent path joins don't end
+ * up with `//` — `<endpoint>/<userPoolId>` is the issuer cognito-local
+ * emits, and a `//` would silently fail signature checks.
+ */
+function trimTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+/**
+ * `JsonFetcher` that transparently handles `http://` URIs by routing
+ * them through Node's `http` module. The library's stock
+ * `SimpleJsonFetcher` is hardcoded to `https`-only — see
+ * `aws-jwt-verify/dist/esm/https-node.js`'s `https.request` call —
+ * which is what we want in production but breaks against
+ * cognito-local's plain-HTTP JWKS endpoint and surfaces as
+ * `ERR_INVALID_PROTOCOL: Protocol "http:" not supported. Expected
+ * "https:"` from inside the verify error path.
+ *
+ * Exported for direct unit testing.
+ */
+export class HttpAwareJsonFetcher {
+    httpsFallback;
+    constructor(httpsFallback = new SimpleJsonFetcher()) {
+        this.httpsFallback = httpsFallback;
+    }
+    fetch = (uri, requestOptions, data) => {
+        if (!uri.startsWith('http://')) {
+            return this.httpsFallback.fetch(uri, requestOptions, data);
+        }
+        return new Promise((resolve, reject) => {
+            const req = http.get(uri, (res) => {
+                const status = res.statusCode ?? 0;
+                if (status < 200 || status >= 300) {
+                    res.resume();
+                    reject(new Error(`HTTP ${status} fetching ${uri}`));
+                    return;
+                }
+                const chunks = [];
+                res.on('data', (chunk) => chunks.push(chunk));
+                res.on('end', () => {
+                    try {
+                        const text = Buffer.concat(chunks).toString('utf-8');
+                        resolve(JSON.parse(text));
+                    }
+                    catch (err) {
+                        reject(err);
+                    }
+                });
+                res.on('error', reject);
+            });
+            req.on('error', reject);
+        });
+    };
 }
 /**
  * Verify a Cognito-signed JWT and return its claims, or `null` when the
@@ -29,8 +98,47 @@ function cacheKey(opts) {
  */
 export async function verifyAndDecode(token, options) {
     const key = cacheKey(options);
-    let verifier = verifierCache.get(key);
-    if (!verifier) {
+    const cached = verifierCache.get(key);
+    let verifier;
+    if (cached) {
+        verifier = cached;
+    }
+    else if (options.endpoint) {
+        // Dev path: cognito-local. Use the generic OIDC verifier with the
+        // local issuer + JWKS URL, and reapply Cognito-specific checks
+        // (`token_use`, `client_id` / `aud`) via `customJwtCheck`.
+        //
+        // **HTTP fetcher.** `aws-jwt-verify`'s built-in JWKS fetcher is
+        // hardcoded to HTTPS (see `aws-jwt-verify/dist/esm/https-node.js`
+        // → `https.request`). cognito-local serves the JWKS over plain
+        // HTTP, so we inject `HttpAwareJsonFetcher` via a `SimpleJwksCache`
+        // — without it the verifier rejects every token with
+        // `ERR_INVALID_PROTOCOL: Protocol "http:" not supported. Expected
+        // "https:"` and the middleware silently treats it as "invalid
+        // token" → 401 on every authenticated request.
+        const base = `${trimTrailingSlash(options.endpoint)}/${options.userPoolId}`;
+        verifier = JwtRsaVerifier.create({
+            issuer: base,
+            // `audience: null` — only Cognito ID tokens carry an `aud` claim;
+            // access tokens have `client_id`. `validateCognitoJwtFields`
+            // handles both. Setting `audience` here would force-check `aud`
+            // and fail access tokens.
+            audience: null,
+            jwksUri: `${base}/.well-known/jwks.json`,
+            customJwtCheck: ({ payload }) => {
+                validateCognitoJwtFields(payload, {
+                    tokenUse: options.tokenUse ?? null,
+                    clientId: options.clientId ?? null,
+                });
+            },
+        }, {
+            jwksCache: new SimpleJwksCache({
+                fetcher: new HttpAwareJsonFetcher(),
+            }),
+        });
+        verifierCache.set(key, verifier);
+    }
+    else {
         verifier = CognitoJwtVerifier.create({
             userPoolId: options.userPoolId,
             tokenUse: options.tokenUse ?? 'access',

package/dist/server/verify.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAYpD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoB,CAAC;AAElD,SAAS,QAAQ,CAAC,IAAmB;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;IAC9B,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,OAAsB;IAEtB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9B,IAAI,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;YACnC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;SACnC,CAAC,CAAC;QACH,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,OAAkC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,6BAA6B;IAC3C,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC"}
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAoB,MAAM,sBAAsB,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AA8BrD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEtD,SAAS,QAAQ,CAAC,IAAmB;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;AAClE,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACpD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,oBAAoB;IACd,aAAa,CAAc;IAE5C,YAAY,gBAA6B,IAAI,iBAAiB,EAAE;QAC9D,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,GAAG,CACN,GAAW,EACX,cAAwC,EACxC,IAAa,EACE,EAAE;QACjB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;gBAChC,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC;gBACnC,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;oBAClC,GAAG,CAAC,MAAM,EAAE,CAAC;oBACb,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC;oBACpD,OAAO;gBACT,CAAC;gBACD,MAAM,MAAM,GAAa,EAAE,CAAC;gBAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;gBACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACrD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAS,CAAC,CAAC;oBACpC,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,MAAM,CAAC,GAAG,CAAC,CAAC;oBACd,CAAC;gBACH,CAAC,CAAC,CAAC;gBACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;CACH;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,OAAsB;IAEtB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,QAAsB,CAAC;IAC3B,IAAI,MAAM,EAAE,CAAC;QACX,QAAQ,GAAG,MAAM,CAAC;IACpB,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC5B,kEAAkE;QAClE,+DAA+D;QAC/D,2DAA2D;QAC3D,EAAE;QACF,gEAAgE;QAChE,kEAAkE;QAClE,+DAA+D;QAC/D,oEAAoE;QACpE,qDAAqD;QACrD,kEAAkE;QAClE,8DAA8D;QAC9D,+CAA+C;QAC/C,MAAM,IAAI,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QAC5E,QAAQ,GAAG,cAAc,CAAC,MAAM,CAC9B;YACE,MAAM,EAAE,IAAI;YACZ,kEAAkE;YAClE,6DAA6D;YAC7D,gEAAgE;YAChE,0BAA0B;YAC1B,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,GAAG,IAAI,wBAAwB;YACxC,cAAc,EAAE,CAAC,EAAE,OAAO,EAA2B,EAAE,EAAE;gBACvD,wBAAwB,CAAC,OAAO,EAAE;oBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;oBAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;iBACnC,CAAC,CAAC;YACL,CAAC;SACF,EACD;YACE,SAAS,EAAE,IAAI,eAAe,CAAC;gBAC7B,OAAO,EAAE,IAAI,oBAAoB,EAAE;aACpC,CAAC;SACH,CACF,CAAC;QACF,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;YACnC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;SACnC,CAAC,CAAC;QACH,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,OAAkC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,6BAA6B;IAC3C,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260429204013",
+  "version": "0.0.0-dev.20260430161503",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -29,12 +29,12 @@
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260429204013",
+    "@venturekit/core": "0.0.0-dev.20260430161503",
     "@aws-sdk/client-cognito-identity-provider": "^3.668.0",
     "aws-jwt-verify": "^4.0.1"
   },
   "peerDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260429204013"
+    "@venturekit/runtime": "0.0.0-dev.20260430161503"
   },
   "peerDependenciesMeta": {
     "@venturekit/runtime": {
@@ -42,7 +42,7 @@
     }
   },
   "devDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260429204013",
+    "@venturekit/runtime": "0.0.0-dev.20260430161503",
     "@types/aws-lambda": "^8.10.131",
     "@types/node": "^25.6.0",
     "typescript": "^5.3.0"