@venturekit/auth 0.0.0-dev.20260505233405 → 0.0.0-dev.20260506001012

package/dist/server/change-password.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Server-side self-service password change against a Cognito User Pool.
+ *
+ * Wraps Cognito's `ChangePassword` API which derives the user from the
+ * supplied access token (no admin credentials required). The caller must
+ * therefore have a fresh access token in hand — typically read from the
+ * `vk_access_token` cookie populated by {@link buildSessionCookies}.
+ *
+ * Errors are normalized via {@link mapProviderError} so route handlers
+ * can map them straight to typed responses without inspecting
+ * Cognito-specific error names.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface ChangePasswordInput {
+    /** Current Cognito access token for the authenticated user. */
+    accessToken: string;
+    /** Current password — Cognito will reject the request otherwise. */
+    previousPassword: string;
+    /** Proposed new permanent password. Must satisfy the User Pool's password policy. */
+    proposedPassword: string;
+}
+/**
+ * Change the password of the currently-authenticated user.
+ *
+ * @param input   Access token + previous + proposed password.
+ * @param config  Optional explicit config; defaults to env vars via
+ *                {@link loadAuthServerConfig}.
+ *
+ * @throws {AuthError} `invalid_credentials` when the previous password
+ *   is wrong, `invalid_parameter` when the proposed password violates
+ *   the User Pool's password policy, `too_many_requests` when Cognito
+ *   throttles the caller.
+ */
+export declare function changePassword(input: ChangePasswordInput, config?: AuthServerConfig): Promise<void>;
+//# sourceMappingURL=change-password.d.ts.map

package/dist/server/change-password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"change-password.d.ts","sourceRoot":"","sources":["../../src/server/change-password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,gBAAgB,EAAE,MAAM,CAAC;IACzB,qFAAqF;IACrF,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,mBAAmB,EAC1B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAaf"}

package/dist/server/change-password.js

@@ -0,0 +1,42 @@
+/**
+ * Server-side self-service password change against a Cognito User Pool.
+ *
+ * Wraps Cognito's `ChangePassword` API which derives the user from the
+ * supplied access token (no admin credentials required). The caller must
+ * therefore have a fresh access token in hand — typically read from the
+ * `vk_access_token` cookie populated by {@link buildSessionCookies}.
+ *
+ * Errors are normalized via {@link mapProviderError} so route handlers
+ * can map them straight to typed responses without inspecting
+ * Cognito-specific error names.
+ */
+import { ChangePasswordCommand } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { mapProviderError } from './errors.js';
+/**
+ * Change the password of the currently-authenticated user.
+ *
+ * @param input   Access token + previous + proposed password.
+ * @param config  Optional explicit config; defaults to env vars via
+ *                {@link loadAuthServerConfig}.
+ *
+ * @throws {AuthError} `invalid_credentials` when the previous password
+ *   is wrong, `invalid_parameter` when the proposed password violates
+ *   the User Pool's password policy, `too_many_requests` when Cognito
+ *   throttles the caller.
+ */
+export async function changePassword(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    try {
+        await client.send(new ChangePasswordCommand({
+            AccessToken: input.accessToken,
+            PreviousPassword: input.previousPassword,
+            ProposedPassword: input.proposedPassword,
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'change_password_failed');
+    }
+}
+//# sourceMappingURL=change-password.js.map

package/dist/server/change-password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"change-password.js","sourceRoot":"","sources":["../../src/server/change-password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,2CAA2C,CAAC;AAElF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAW/C;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAA0B,EAC1B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,qBAAqB,CAAC;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;YACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;SACzC,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}

package/dist/server/index.d.ts

@@ -29,6 +29,8 @@ export { signInWithPassword } from './sign-in.js';
 export type { RefreshResult } from './refresh.js';
 export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';
+export type { ChangePasswordInput } from './change-password.js';
+export { changePassword } from './change-password.js';
 export type { VerifyOptions } from './verify.js';
 export { verifyAndDecode } from './verify.js';
 export type { SessionTokens, CookieOptions } from './cookies.js';

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/server/index.js

@@ -26,6 +26,7 @@ export { loadAuthServerConfig } from './config.js';
 export { signInWithPassword } from './sign-in.js';
 export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';
+export { changePassword } from './change-password.js';
 export { verifyAndDecode } from './verify.js';
 export { ID_TOKEN_COOKIE, ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE, buildSessionCookies, buildClearSessionCookies, readCookieFromHeader, } from './cookies.js';
 export { cookieAuthMiddleware, extractToken } from './middleware.js';

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260505233405",
+  "version": "0.0.0-dev.20260506001012",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -29,12 +29,12 @@
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260505233405",
+    "@venturekit/core": "0.0.0-dev.20260506001012",
     "@aws-sdk/client-cognito-identity-provider": "^3.668.0",
     "aws-jwt-verify": "^4.0.1"
   },
   "peerDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260505233405"
+    "@venturekit/runtime": "0.0.0-dev.20260506001012"
   },
   "peerDependenciesMeta": {
     "@venturekit/runtime": {
@@ -42,7 +42,7 @@
     }
   },
   "devDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260505233405",
+    "@venturekit/runtime": "0.0.0-dev.20260506001012",
     "@types/aws-lambda": "^8.10.131",
     "@types/node": "^25.6.0",
     "typescript": "^5.3.0"