@venturekit/auth 0.0.0-dev.20260506001012 → 0.0.0-dev.20260506003129

package/dist/server/admin-users.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Admin-side Cognito user management.
+ *
+ * Wraps the four `Admin*` flows every consumer ends up needing once
+ * they have an ops console: invite a non-self-signup user, propagate
+ * profile / role attribute changes, and toggle a user's enabled
+ * status. Every helper is idempotent in the sense that re-issuing
+ * the same command on an already-converged user is a no-op (or
+ * fails with a stable error code mapped to a 4xx).
+ *
+ * The executing IAM principal needs the matching `cognito-idp:Admin*`
+ * permissions in production. `cognito-local` accepts admin commands
+ * unauthenticated.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface AdminInviteUserInput {
+    /** Username — typically the user's email for email-keyed pools. */
+    username: string;
+    /**
+     * Permanent-on-first-login temporary password. The user lands in
+     * `FORCE_CHANGE_PASSWORD` until they complete the
+     * `NEW_PASSWORD_REQUIRED` challenge on their first sign-in.
+     */
+    temporaryPassword: string;
+    /** Standard OIDC `name` attribute. */
+    name?: string;
+    /**
+     * Standard attributes (`given_name`, `family_name`, `phone_number`,
+     * …). Sent verbatim. The helper always pre-sets `email` and
+     * `email_verified=true` so the first sign-in skips the
+     * verification challenge.
+     */
+    attributes?: Record<string, string>;
+    /**
+     * Custom attributes — keyed without the `custom:` prefix; the
+     * helper prepends it.
+     */
+    customAttributes?: Record<string, string>;
+    /**
+     * Whether Cognito should send its built-in invite email. Default
+     * `false` — most consumers ship their own branded welcome flow
+     * and don't want the AWS-templated message.
+     */
+    sendCognitoInviteEmail?: boolean;
+}
+export interface AdminInviteUserResult {
+    userSub: string;
+}
+/**
+ * Provision a user from the admin console.
+ *
+ * The user lands in Cognito's `FORCE_CHANGE_PASSWORD` state on
+ * purpose: their first /auth/login attempt returns a
+ * `NEW_PASSWORD_REQUIRED` challenge, the consumer's UI completes
+ * it, and the temporary password is unusable thereafter. There's
+ * no `AdminSetUserPassword(Permanent=true)` call here.
+ */
+export declare function adminInviteUser(input: AdminInviteUserInput, config?: AuthServerConfig): Promise<AdminInviteUserResult>;
+export interface AdminUpdateAttributesInput {
+    /** Username (= email for typical pools). */
+    username: string;
+    /** Standard attributes to set. */
+    attributes?: Record<string, string>;
+    /** Custom attributes (without `custom:` prefix — added automatically). */
+    customAttributes?: Record<string, string>;
+}
+/**
+ * Update arbitrary attributes on a Cognito user.
+ *
+ * cognito-local insists on `email` being present in the same
+ * payload whenever `email_verified` is set. To keep prod and local
+ * on the same path, the caller can include the user's email in
+ * `attributes` whenever `email_verified` is being toggled — the
+ * helper does NOT auto-fetch it.
+ */
+export declare function adminUpdateUserAttributes(input: AdminUpdateAttributesInput, config?: AuthServerConfig): Promise<void>;
+/**
+ * Disable a Cognito user. JWT verification keeps working until the
+ * existing tokens expire — Cognito doesn't revoke previously issued
+ * sessions. Pair with {@link revokeRefreshToken} per active session
+ * if immediate cut-off matters.
+ */
+export declare function adminDisableUser(input: {
+    username: string;
+}, config?: AuthServerConfig): Promise<void>;
+/** Re-enable a previously disabled Cognito user. */
+export declare function adminEnableUser(input: {
+    username: string;
+}, config?: AuthServerConfig): Promise<void>;
+//# sourceMappingURL=admin-users.d.ts.map

package/dist/server/admin-users.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-users.d.ts","sourceRoot":"","sources":["../../src/server/admin-users.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,oBAAoB;IACnC,mEAAmE;IACnE,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sCAAsC;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,oBAAoB,EAC3B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,qBAAqB,CAAC,CA8BhC;AAED,MAAM,WAAW,0BAA0B;IACzC,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAED;;;;;;;;GAQG;AACH,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,0BAA0B,EACjC,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,EAC3B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAYf;AAED,oDAAoD;AACpD,wBAAsB,eAAe,CACnC,KAAK,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,EAC3B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAYf"}

package/dist/server/admin-users.js

@@ -0,0 +1,132 @@
+/**
+ * Admin-side Cognito user management.
+ *
+ * Wraps the four `Admin*` flows every consumer ends up needing once
+ * they have an ops console: invite a non-self-signup user, propagate
+ * profile / role attribute changes, and toggle a user's enabled
+ * status. Every helper is idempotent in the sense that re-issuing
+ * the same command on an already-converged user is a no-op (or
+ * fails with a stable error code mapped to a 4xx).
+ *
+ * The executing IAM principal needs the matching `cognito-idp:Admin*`
+ * permissions in production. `cognito-local` accepts admin commands
+ * unauthenticated.
+ */
+import { AdminCreateUserCommand, AdminDisableUserCommand, AdminEnableUserCommand, AdminUpdateUserAttributesCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { AuthError, mapProviderError } from './errors.js';
+/**
+ * Provision a user from the admin console.
+ *
+ * The user lands in Cognito's `FORCE_CHANGE_PASSWORD` state on
+ * purpose: their first /auth/login attempt returns a
+ * `NEW_PASSWORD_REQUIRED` challenge, the consumer's UI completes
+ * it, and the temporary password is unusable thereafter. There's
+ * no `AdminSetUserPassword(Permanent=true)` call here.
+ */
+export async function adminInviteUser(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    const username = input.username.toLowerCase();
+    const userAttributes = buildUserAttributes(username, input);
+    try {
+        const res = await client.send(new AdminCreateUserCommand({
+            UserPoolId: config.userPoolId,
+            Username: username,
+            MessageAction: input.sendCognitoInviteEmail ? undefined : 'SUPPRESS',
+            TemporaryPassword: input.temporaryPassword,
+            UserAttributes: userAttributes,
+        }));
+        const sub = res.User?.Attributes?.find((a) => a.Name === 'sub')?.Value;
+        if (!sub) {
+            throw new AuthError('admin_invite_failed', 'Identity provider returned no sub from AdminCreateUser', 500);
+        }
+        return { userSub: sub };
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        throw mapProviderError(err, 'admin_invite_failed');
+    }
+}
+/**
+ * Update arbitrary attributes on a Cognito user.
+ *
+ * cognito-local insists on `email` being present in the same
+ * payload whenever `email_verified` is set. To keep prod and local
+ * on the same path, the caller can include the user's email in
+ * `attributes` whenever `email_verified` is being toggled — the
+ * helper does NOT auto-fetch it.
+ */
+export async function adminUpdateUserAttributes(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    const username = input.username.toLowerCase();
+    const userAttributes = [];
+    for (const [name, value] of Object.entries(input.attributes ?? {})) {
+        userAttributes.push({ Name: name, Value: value });
+    }
+    for (const [name, value] of Object.entries(input.customAttributes ?? {})) {
+        userAttributes.push({ Name: `custom:${name}`, Value: value });
+    }
+    if (userAttributes.length === 0)
+        return;
+    try {
+        await client.send(new AdminUpdateUserAttributesCommand({
+            UserPoolId: config.userPoolId,
+            Username: username,
+            UserAttributes: userAttributes,
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'admin_attribute_update_failed');
+    }
+}
+/**
+ * Disable a Cognito user. JWT verification keeps working until the
+ * existing tokens expire — Cognito doesn't revoke previously issued
+ * sessions. Pair with {@link revokeRefreshToken} per active session
+ * if immediate cut-off matters.
+ */
+export async function adminDisableUser(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    try {
+        await client.send(new AdminDisableUserCommand({
+            UserPoolId: config.userPoolId,
+            Username: input.username.toLowerCase(),
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'admin_disable_failed');
+    }
+}
+/** Re-enable a previously disabled Cognito user. */
+export async function adminEnableUser(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    try {
+        await client.send(new AdminEnableUserCommand({
+            UserPoolId: config.userPoolId,
+            Username: input.username.toLowerCase(),
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'admin_enable_failed');
+    }
+}
+function buildUserAttributes(username, input) {
+    const out = [
+        { Name: 'email', Value: username },
+        { Name: 'email_verified', Value: 'true' },
+    ];
+    if (input.name !== undefined)
+        out.push({ Name: 'name', Value: input.name });
+    for (const [name, value] of Object.entries(input.attributes ?? {})) {
+        if (name === 'email' || name === 'email_verified')
+            continue;
+        out.push({ Name: name, Value: value });
+    }
+    for (const [name, value] of Object.entries(input.customAttributes ?? {})) {
+        out.push({ Name: `custom:${name}`, Value: value });
+    }
+    return out;
+}
+//# sourceMappingURL=admin-users.js.map

package/dist/server/admin-users.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-users.js","sourceRoot":"","sources":["../../src/server/admin-users.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,gCAAgC,GAEjC,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAqC1D;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAA2B,EAC3B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE5D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAC3B,IAAI,sBAAsB,CAAC;YACzB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU;YACpE,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,cAAc,EAAE,cAAc;SAC/B,CAAC,CACH,CAAC;QACF,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CACpC,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CACvC,EAAE,KAAK,CAAC;QACT,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,wDAAwD,EACxD,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,gBAAgB,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,KAAiC,EACjC,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAoB,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;QACnE,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC,EAAE,CAAC;QACzE,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gCAAgC,CAAC;YACnC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,QAAQ;YAClB,cAAc,EAAE,cAAc;SAC/B,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAA2B,EAC3B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,uBAAuB,CAAC;YAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE;SACvC,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,oDAAoD;AACpD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAA2B,EAC3B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,sBAAsB,CAAC;YACzB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE;SACvC,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAC1B,QAAgB,EAChB,KAA2B;IAE3B,MAAM,GAAG,GAAoB;QAC3B,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE;QAClC,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;KAC1C,CAAC;IACF,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;QACnE,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,gBAAgB;YAAE,SAAS;QAC5D,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACzC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC,EAAE,CAAC;QACzE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/challenge.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Cognito challenge flows that surface intermediate state to the
+ * caller instead of throwing.
+ *
+ * The default `signInWithPassword` raises `auth_challenge_required`
+ * for any `ChallengeName` Cognito returns — fine for service-style
+ * authentication where the token triplet is the only acceptable
+ * outcome. {@link signInWithPasswordOrChallenge} relaxes that for
+ * apps that need to drive the **first-login `NEW_PASSWORD_REQUIRED`
+ * flow**: an admin invites a user with `AdminCreateUser`, the user
+ * lands in `FORCE_CHANGE_PASSWORD`, and their first sign-in attempt
+ * must echo a fresh permanent password back through
+ * `RespondToAuthChallenge` before tokens are issued.
+ *
+ * Other challenges (MFA, software-token setup, …) still throw — V0
+ * Cognito User Pools created by VentureKit's CDK stack ship with MFA
+ * disabled, so any chained challenge is a config drift the operator
+ * should investigate rather than silently route around.
+ */
+import type { AuthServerConfig } from './config.js';
+import { type SignInResult } from './tokens.js';
+import type { SignInCredentials } from './sign-in.js';
+/**
+ * Challenge envelope surfaced to the caller when Cognito withholds
+ * tokens until the user completes a step. The discriminator stays
+ * narrow on purpose — additional challenge names should be added
+ * one-by-one as the consumer's UI grows to handle them.
+ */
+export interface SignInChallenge {
+    challenge: 'NEW_PASSWORD_REQUIRED';
+    /** Opaque session token to pass back to {@link respondToNewPasswordChallenge}. */
+    session: string;
+    /** Echo of the username that triggered the challenge. */
+    username: string;
+}
+export type SignInOrChallengeResult = {
+    kind: 'tokens';
+    tokens: SignInResult;
+} | {
+    kind: 'challenge';
+    challenge: SignInChallenge;
+};
+/**
+ * Sign-in path that surfaces the `NEW_PASSWORD_REQUIRED` challenge
+ * Cognito raises for admin-invited users on their first attempt.
+ *
+ * Returns either the issued tokens (happy path) or a structured
+ * challenge envelope the calling route can forward to the SPA so the
+ * user can pick a permanent password through
+ * {@link respondToNewPasswordChallenge}.
+ *
+ * Other challenges (MFA, etc.) still surface as
+ * `auth_challenge_required` errors — see file header for rationale.
+ */
+export declare function signInWithPasswordOrChallenge(credentials: SignInCredentials, config?: AuthServerConfig): Promise<SignInOrChallengeResult>;
+export interface RespondNewPasswordInput {
+    /** Username (= email for typical pools). */
+    username: string;
+    /** New permanent password. Must satisfy the User Pool's password policy. */
+    newPassword: string;
+    /** Opaque session token returned by `signInWithPasswordOrChallenge`. */
+    session: string;
+}
+/**
+ * Complete a `NEW_PASSWORD_REQUIRED` challenge with a permanent
+ * password. Returns the issued tokens — the user is now logged in
+ * and the temporary password is dead.
+ *
+ * A chained challenge in the response (e.g. MFA) surfaces as a
+ * `unsupported_challenge` (HTTP 400) AuthError so an operator can
+ * fix the misconfiguration rather than silently lose the user.
+ */
+export declare function respondToNewPasswordChallenge(input: RespondNewPasswordInput, config?: AuthServerConfig): Promise<SignInResult>;
+//# sourceMappingURL=challenge.d.ts.map

package/dist/server/challenge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.d.ts","sourceRoot":"","sources":["../../src/server/challenge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,uBAAuB,CAAC;IACnC,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,uBAAuB,GAC/B;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,SAAS,EAAE,eAAe,CAAA;CAAE,CAAC;AAEtD;;;;;;;;;;;GAWG;AACH,wBAAsB,6BAA6B,CACjD,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,uBAAuB,CAAC,CA0ClC;AAED,MAAM,WAAW,uBAAuB;IACtC,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,4EAA4E;IAC5E,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,6BAA6B,CACjD,KAAK,EAAE,uBAAuB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CA2BvB"}

package/dist/server/challenge.js

@@ -0,0 +1,107 @@
+/**
+ * Cognito challenge flows that surface intermediate state to the
+ * caller instead of throwing.
+ *
+ * The default `signInWithPassword` raises `auth_challenge_required`
+ * for any `ChallengeName` Cognito returns — fine for service-style
+ * authentication where the token triplet is the only acceptable
+ * outcome. {@link signInWithPasswordOrChallenge} relaxes that for
+ * apps that need to drive the **first-login `NEW_PASSWORD_REQUIRED`
+ * flow**: an admin invites a user with `AdminCreateUser`, the user
+ * lands in `FORCE_CHANGE_PASSWORD`, and their first sign-in attempt
+ * must echo a fresh permanent password back through
+ * `RespondToAuthChallenge` before tokens are issued.
+ *
+ * Other challenges (MFA, software-token setup, …) still throw — V0
+ * Cognito User Pools created by VentureKit's CDK stack ship with MFA
+ * disabled, so any chained challenge is a config drift the operator
+ * should investigate rather than silently route around.
+ */
+import { ChallengeNameType, InitiateAuthCommand, RespondToAuthChallengeCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { AuthError, mapProviderError } from './errors.js';
+import { extractSignInTokens } from './tokens.js';
+/**
+ * Sign-in path that surfaces the `NEW_PASSWORD_REQUIRED` challenge
+ * Cognito raises for admin-invited users on their first attempt.
+ *
+ * Returns either the issued tokens (happy path) or a structured
+ * challenge envelope the calling route can forward to the SPA so the
+ * user can pick a permanent password through
+ * {@link respondToNewPasswordChallenge}.
+ *
+ * Other challenges (MFA, etc.) still surface as
+ * `auth_challenge_required` errors — see file header for rationale.
+ */
+export async function signInWithPasswordOrChallenge(credentials, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    const username = credentials.email.toLowerCase();
+    try {
+        const res = await client.send(new InitiateAuthCommand({
+            ClientId: config.appClientId,
+            AuthFlow: 'USER_PASSWORD_AUTH',
+            AuthParameters: {
+                USERNAME: username,
+                PASSWORD: credentials.password,
+            },
+        }));
+        if (res.ChallengeName === ChallengeNameType.NEW_PASSWORD_REQUIRED &&
+            res.Session) {
+            return {
+                kind: 'challenge',
+                challenge: {
+                    challenge: 'NEW_PASSWORD_REQUIRED',
+                    session: res.Session,
+                    username,
+                },
+            };
+        }
+        if (res.ChallengeName) {
+            throw new AuthError('auth_challenge_required', `Identity provider requires challenge: ${res.ChallengeName}.`, 400);
+        }
+        return {
+            kind: 'tokens',
+            tokens: extractSignInTokens(res.AuthenticationResult),
+        };
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        throw mapProviderError(err, 'auth_failed');
+    }
+}
+/**
+ * Complete a `NEW_PASSWORD_REQUIRED` challenge with a permanent
+ * password. Returns the issued tokens — the user is now logged in
+ * and the temporary password is dead.
+ *
+ * A chained challenge in the response (e.g. MFA) surfaces as a
+ * `unsupported_challenge` (HTTP 400) AuthError so an operator can
+ * fix the misconfiguration rather than silently lose the user.
+ */
+export async function respondToNewPasswordChallenge(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    const username = input.username.toLowerCase();
+    try {
+        const res = await client.send(new RespondToAuthChallengeCommand({
+            ClientId: config.appClientId,
+            ChallengeName: ChallengeNameType.NEW_PASSWORD_REQUIRED,
+            Session: input.session,
+            ChallengeResponses: {
+                USERNAME: username,
+                NEW_PASSWORD: input.newPassword,
+            },
+        }));
+        if (res.ChallengeName) {
+            throw new AuthError('unsupported_challenge', `Unsupported chained challenge: ${res.ChallengeName}`, 400);
+        }
+        return extractSignInTokens(res.AuthenticationResult);
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        throw mapProviderError(err, 'sign_in_challenge_failed');
+    }
+}
+//# sourceMappingURL=challenge.js.map

package/dist/server/challenge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.js","sourceRoot":"","sources":["../../src/server/challenge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAqB,MAAM,aAAa,CAAC;AAqBrE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAC3B,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;QACF,IACE,GAAG,CAAC,aAAa,KAAK,iBAAiB,CAAC,qBAAqB;YAC7D,GAAG,CAAC,OAAO,EACX,CAAC;YACD,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE;oBACT,SAAS,EAAE,uBAAuB;oBAClC,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,QAAQ;iBACT;aACF,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,yCAAyC,GAAG,CAAC,aAAa,GAAG,EAC7D,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC;SACtD,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;AACH,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,KAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAC3B,IAAI,6BAA6B,CAAC;YAChC,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,aAAa,EAAE,iBAAiB,CAAC,qBAAqB;YACtD,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,kBAAkB,EAAE;gBAClB,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,KAAK,CAAC,WAAW;aAChC;SACF,CAAC,CACH,CAAC;QACF,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CACjB,uBAAuB,EACvB,kCAAkC,GAAG,CAAC,aAAa,EAAE,EACrD,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,gBAAgB,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC"}

package/dist/server/index.d.ts

@@ -26,6 +26,12 @@ export type { AuthServerConfig } from './config.js';
 export { loadAuthServerConfig } from './config.js';
 export type { SignInCredentials, SignInResult } from './sign-in.js';
 export { signInWithPassword } from './sign-in.js';
+export type { SignInChallenge, SignInOrChallengeResult, RespondNewPasswordInput, } from './challenge.js';
+export { signInWithPasswordOrChallenge, respondToNewPasswordChallenge, } from './challenge.js';
+export type { SignUpInput, SignUpResult } from './sign-up.js';
+export { signUpUser } from './sign-up.js';
+export type { AdminInviteUserInput, AdminInviteUserResult, AdminUpdateAttributesInput, } from './admin-users.js';
+export { adminInviteUser, adminUpdateUserAttributes, adminDisableUser, adminEnableUser, } from './admin-users.js';
 export type { RefreshResult } from './refresh.js';
 export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EACV,eAAe,EACf,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/server/index.js

@@ -24,6 +24,9 @@
 export { AuthError, mapProviderError } from './errors.js';
 export { loadAuthServerConfig } from './config.js';
 export { signInWithPassword } from './sign-in.js';
+export { signInWithPasswordOrChallenge, respondToNewPasswordChallenge, } from './challenge.js';
+export { signUpUser } from './sign-up.js';
+export { adminInviteUser, adminUpdateUserAttributes, adminDisableUser, adminEnableUser, } from './admin-users.js';
 export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';
 export { changePassword } from './change-password.js';

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOlD,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAO1C,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/server/refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,aAAa,CAAC,CA8BxB"}
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAWpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,aAAa,CAAC,CA8BxB"}

package/dist/server/refresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAEhF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAe1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC;IACxC,iEAAiE;IACjE,qEAAqE;IACrE,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,yDAAyD,EACzD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAEhF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAoB1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC;IACxC,iEAAiE;IACjE,qEAAqE;IACrE,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,yDAAyD,EACzD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}

package/dist/server/sign-in.d.ts

@@ -17,13 +17,8 @@
  * Cognito-specific error names.
  */
 import type { AuthServerConfig } from './config.js';
-export interface SignInResult {
-    idToken: string;
-    accessToken: string;
-    refreshToken: string;
-    /** Seconds until the id/access tokens expire. */
-    expiresIn: number;
-}
+import { type SignInResult } from './tokens.js';
+export type { SignInResult } from './tokens.js';
 export interface SignInCredentials {
     email: string;
     password: string;

package/dist/server/sign-in.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign-in.d.ts","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAOH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAMpD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAsCvB"}
+{"version":3,"file":"sign-in.d.ts","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAErE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAsCvB"}

package/dist/server/sign-in.js

@@ -20,7 +20,7 @@ import { InitiateAuthCommand, } from '@aws-sdk/client-cognito-identity-provider'
 import { loadAuthServerConfig } from './config.js';
 import { getCognitoClient } from './cognito-client.js';
 import { AuthError, mapProviderError } from './errors.js';
-import { deriveExpiresInFromJwt } from './token-utils.js';
+import { extractSignInTokens } from './tokens.js';
 /**
  * Authenticate a user with email + password and return freshly-minted
  * id, access, and refresh tokens.
@@ -71,21 +71,4 @@ function challengeMessage(challengeName) {
     }
     return base;
 }
-function extractSignInTokens(result) {
-    // Tokens themselves MUST be present. `ExpiresIn` is derived from the
-    // access-token's `exp` claim when the response omits it — real AWS
-    // always sends it, but some OSS compatibles (cognito-local) don't,
-    // and the tokens are usable regardless.
-    if (!result?.IdToken ||
-        !result.AccessToken ||
-        !result.RefreshToken) {
-        throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete authentication result', 500);
-    }
-    return {
-        idToken: result.IdToken,
-        accessToken: result.AccessToken,
-        refreshToken: result.RefreshToken,
-        expiresIn: result.ExpiresIn ?? deriveExpiresInFromJwt(result.AccessToken),
-    };
-}
 //# sourceMappingURL=sign-in.js.map

package/dist/server/sign-in.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign-in.js","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,mBAAmB,GAGpB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAe1D;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAA8B,CAAC;IACnC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE;gBACzC,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED,uCAAuC;IACvC,4DAA4D;IAC5D,wEAAwE;IACxE,6DAA6D;IAC7D,kEAAkE;IAClE,EAAE;IACF,uEAAuE;IACvE,kEAAkE;IAClE,kEAAkE;IAClE,yDAAyD;IACzD,0DAA0D;IAC1D,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,EACnC,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAqB;IAC7C,MAAM,IAAI,GAAG,yCAAyC,aAAa,GAAG,CAAC;IACvE,IAAI,aAAa,KAAK,uBAAuB,EAAE,CAAC;QAC9C,OAAO,CACL,IAAI;YACJ,oEAAoE;YACpE,qEAAqE;YACrE,qDAAqD,CACtD,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4C;IAE5C,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,wCAAwC;IACxC,IACE,CAAC,MAAM,EAAE,OAAO;QAChB,CAAC,MAAM,CAAC,WAAW;QACnB,CAAC,MAAM,CAAC,YAAY,EACpB,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}
+{"version":3,"file":"sign-in.js","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,mBAAmB,GAEpB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAqB,MAAM,aAAa,CAAC;AASrE;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAA8B,CAAC;IACnC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE;gBACzC,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED,uCAAuC;IACvC,4DAA4D;IAC5D,wEAAwE;IACxE,6DAA6D;IAC7D,kEAAkE;IAClE,EAAE;IACF,uEAAuE;IACvE,kEAAkE;IAClE,kEAAkE;IAClE,yDAAyD;IACzD,0DAA0D;IAC1D,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,EACnC,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAqB;IAC7C,MAAM,IAAI,GAAG,yCAAyC,aAAa,GAAG,CAAC;IACvE,IAAI,aAAa,KAAK,uBAAuB,EAAE,CAAC;QAC9C,OAAO,CACL,IAAI;YACJ,oEAAoE;YACpE,qEAAqE;YACrE,qDAAqD,CACtD,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/server/sign-up.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Self-service user registration against a Cognito User Pool.
+ *
+ * Wraps the three-step pattern every consumer ends up writing for a
+ * working "sign-up + immediate login" flow:
+ *
+ *   1. `SignUp` — create the user with email + password + standard
+ *      and custom attributes.
+ *   2. `AdminConfirmSignUp` — skip the email-verification challenge
+ *      (the consumer's own flow is responsible for whatever real
+ *      verification ships before / after this).
+ *   3. `AdminUpdateUserAttributes` — flip `email_verified=true` so
+ *      Cognito doesn't re-challenge on the next sign-in.
+ *
+ * Steps 2-3 are gated by {@link SignUpInput.autoConfirm} (default
+ * `true`). When the consumer wants the standard Cognito email-link
+ * verification, set it to `false` and call `AdminConfirmSignUp`
+ * yourself out-of-band.
+ *
+ * In production the executing IAM principal needs
+ * `cognito-idp:AdminConfirmSignUp` and
+ * `cognito-idp:AdminUpdateUserAttributes` for steps 2-3.
+ * `cognito-local` accepts admin commands unauthenticated.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface SignUpInput {
+    email: string;
+    password: string;
+    /**
+     * Standard OIDC `name` attribute on the Cognito user. Optional —
+     * omit when the pool doesn't request `name` as a required attribute.
+     */
+    name?: string;
+    /**
+     * Additional standard attributes (`given_name`, `family_name`,
+     * `phone_number`, …). Keys are sent verbatim. Standard claims are
+     * defined by Cognito's user-pool schema.
+     */
+    attributes?: Record<string, string>;
+    /**
+     * Custom attributes — keyed without the `custom:` prefix; the
+     * helper prepends it. So `{ role: 'buyer' }` becomes
+     * `{ Name: 'custom:role', Value: 'buyer' }`.
+     */
+    customAttributes?: Record<string, string>;
+    /**
+     * When `true` (default), follow the SignUp with
+     * `AdminConfirmSignUp` + `email_verified=true` so the user can
+     * immediately sign in without going through Cognito's email
+     * verification challenge. Set to `false` to opt into the standard
+     * verification flow.
+     */
+    autoConfirm?: boolean;
+}
+export interface SignUpResult {
+    /** Cognito `sub` — canonical user id across the platform. */
+    userSub: string;
+    /** Whether `AdminConfirmSignUp` ran successfully. */
+    confirmed: boolean;
+}
+/**
+ * Register a new user. Returns the Cognito `sub` so the caller can
+ * mirror it into their own `users` table.
+ *
+ * Errors are normalized via {@link mapProviderError}: a duplicate
+ * email surfaces as `UsernameExistsException` (HTTP 401 by default —
+ * route handlers typically map this to a 409), an invalid password
+ * as `invalid_parameter` (HTTP 422).
+ */
+export declare function signUpUser(input: SignUpInput, config?: AuthServerConfig): Promise<SignUpResult>;
+//# sourceMappingURL=sign-up.d.ts.map

package/dist/server/sign-up.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-up.d.ts","sourceRoot":"","sources":["../../src/server/sign-up.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAQH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,6DAA6D;IAC7D,OAAO,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAC9B,KAAK,EAAE,WAAW,EAClB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAiEvB"}

package/dist/server/sign-up.js

@@ -0,0 +1,106 @@
+/**
+ * Self-service user registration against a Cognito User Pool.
+ *
+ * Wraps the three-step pattern every consumer ends up writing for a
+ * working "sign-up + immediate login" flow:
+ *
+ *   1. `SignUp` — create the user with email + password + standard
+ *      and custom attributes.
+ *   2. `AdminConfirmSignUp` — skip the email-verification challenge
+ *      (the consumer's own flow is responsible for whatever real
+ *      verification ships before / after this).
+ *   3. `AdminUpdateUserAttributes` — flip `email_verified=true` so
+ *      Cognito doesn't re-challenge on the next sign-in.
+ *
+ * Steps 2-3 are gated by {@link SignUpInput.autoConfirm} (default
+ * `true`). When the consumer wants the standard Cognito email-link
+ * verification, set it to `false` and call `AdminConfirmSignUp`
+ * yourself out-of-band.
+ *
+ * In production the executing IAM principal needs
+ * `cognito-idp:AdminConfirmSignUp` and
+ * `cognito-idp:AdminUpdateUserAttributes` for steps 2-3.
+ * `cognito-local` accepts admin commands unauthenticated.
+ */
+import { AdminConfirmSignUpCommand, AdminUpdateUserAttributesCommand, SignUpCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { AuthError, mapProviderError } from './errors.js';
+/**
+ * Register a new user. Returns the Cognito `sub` so the caller can
+ * mirror it into their own `users` table.
+ *
+ * Errors are normalized via {@link mapProviderError}: a duplicate
+ * email surfaces as `UsernameExistsException` (HTTP 401 by default —
+ * route handlers typically map this to a 409), an invalid password
+ * as `invalid_parameter` (HTTP 422).
+ */
+export async function signUpUser(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    const email = input.email.toLowerCase();
+    const autoConfirm = input.autoConfirm ?? true;
+    const userAttributes = buildUserAttributes(email, input);
+    let userSub;
+    try {
+        const res = await client.send(new SignUpCommand({
+            ClientId: config.appClientId,
+            Username: email,
+            Password: input.password,
+            UserAttributes: userAttributes,
+        }));
+        if (!res.UserSub) {
+            throw new AuthError('sign_up_failed', 'Identity provider returned no UserSub from SignUp', 500);
+        }
+        userSub = res.UserSub;
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        throw mapProviderError(err, 'sign_up_failed');
+    }
+    if (!autoConfirm) {
+        return { userSub, confirmed: false };
+    }
+    // Confirm + mark email verified so the next sign-in succeeds
+    // without manual intervention. Failures here are fatal — an
+    // unconfirmed user can't log in, leaving the account in a
+    // half-registered limbo.
+    try {
+        await client.send(new AdminConfirmSignUpCommand({
+            UserPoolId: config.userPoolId,
+            Username: email,
+        }));
+        await client.send(new AdminUpdateUserAttributesCommand({
+            UserPoolId: config.userPoolId,
+            Username: email,
+            // cognito-local insists on `email` being present whenever
+            // `email_verified` is set in the same request (see
+            // validatePermittedAttributeChanges in jagregory/cognito-local).
+            // Real Cognito doesn't require this but accepts it as a no-op
+            // re-set, so sending both keeps prod + local on the same path.
+            UserAttributes: [
+                { Name: 'email', Value: email },
+                { Name: 'email_verified', Value: 'true' },
+            ],
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'sign_up_confirm_failed');
+    }
+    return { userSub, confirmed: true };
+}
+function buildUserAttributes(email, input) {
+    const out = [{ Name: 'email', Value: email }];
+    if (input.name !== undefined)
+        out.push({ Name: 'name', Value: input.name });
+    for (const [name, value] of Object.entries(input.attributes ?? {})) {
+        if (name === 'email')
+            continue; // already set above
+        out.push({ Name: name, Value: value });
+    }
+    for (const [name, value] of Object.entries(input.customAttributes ?? {})) {
+        out.push({ Name: `custom:${name}`, Value: value });
+    }
+    return out;
+}
+//# sourceMappingURL=sign-up.js.map

package/dist/server/sign-up.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-up.js","sourceRoot":"","sources":["../../src/server/sign-up.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EACL,yBAAyB,EACzB,gCAAgC,EAChC,aAAa,GAEd,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAuC1D;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,KAAkB,EAClB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IACxC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC;IAE9C,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAEzD,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAC3B,IAAI,aAAa,CAAC;YAChB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,cAAc,EAAE,cAAc;SAC/B,CAAC,CACH,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,gBAAgB,EAChB,mDAAmD,EACnD,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACvC,CAAC;IAED,6DAA6D;IAC7D,4DAA4D;IAC5D,0DAA0D;IAC1D,yBAAyB;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,yBAAyB,CAAC;YAC5B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;SAChB,CAAC,CACH,CAAC;QACF,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gCAAgC,CAAC;YACnC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;YACf,0DAA0D;YAC1D,mDAAmD;YACnD,iEAAiE;YACjE,8DAA8D;YAC9D,+DAA+D;YAC/D,cAAc,EAAE;gBACd,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;gBAC/B,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;aAC1C;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAa,EACb,KAAkB;IAElB,MAAM,GAAG,GAAoB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;QACnE,IAAI,IAAI,KAAK,OAAO;YAAE,SAAS,CAAC,oBAAoB;QACpD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACzC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC,EAAE,CAAC;QACzE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/tokens.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Internal token-extraction helper shared by every Cognito flow that
+ * resolves an `AuthenticationResult` (sign-in, refresh, challenge
+ * response).
+ *
+ * `ExpiresIn` is populated by real AWS Cognito on every successful
+ * `InitiateAuth` / `RespondToAuthChallenge` response, but some OSS
+ * compatibles (notably `cognito-local`) omit it. The access token's
+ * `exp` claim is always present and trustworthy (we just minted the
+ * token), so we derive the remaining lifetime from it as a fallback.
+ *
+ * Not part of the public API — `@venturekit/auth/server` consumers
+ * receive the resolved {@link SignInResult} from the flow they call.
+ */
+import type { AuthenticationResultType } from '@aws-sdk/client-cognito-identity-provider';
+export interface SignInResult {
+    idToken: string;
+    accessToken: string;
+    refreshToken: string;
+    /** Seconds until the id/access tokens expire. */
+    expiresIn: number;
+}
+/**
+ * Map a successful Cognito `AuthenticationResult` to the
+ * {@link SignInResult} shape consumers receive from the public flows.
+ *
+ * Throws {@link AuthError} (`incomplete_auth_result`, HTTP 500) when
+ * any of the three tokens is missing — that's a provider-side bug,
+ * not a credentials problem.
+ */
+export declare function extractSignInTokens(result: AuthenticationResultType | undefined): SignInResult;
+//# sourceMappingURL=tokens.d.ts.map

package/dist/server/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../src/server/tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,2CAA2C,CAAC;AAI1F,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,wBAAwB,GAAG,SAAS,GAC3C,YAAY,CAcd"}

package/dist/server/tokens.js

@@ -0,0 +1,36 @@
+/**
+ * Internal token-extraction helper shared by every Cognito flow that
+ * resolves an `AuthenticationResult` (sign-in, refresh, challenge
+ * response).
+ *
+ * `ExpiresIn` is populated by real AWS Cognito on every successful
+ * `InitiateAuth` / `RespondToAuthChallenge` response, but some OSS
+ * compatibles (notably `cognito-local`) omit it. The access token's
+ * `exp` claim is always present and trustworthy (we just minted the
+ * token), so we derive the remaining lifetime from it as a fallback.
+ *
+ * Not part of the public API — `@venturekit/auth/server` consumers
+ * receive the resolved {@link SignInResult} from the flow they call.
+ */
+import { AuthError } from './errors.js';
+import { deriveExpiresInFromJwt } from './token-utils.js';
+/**
+ * Map a successful Cognito `AuthenticationResult` to the
+ * {@link SignInResult} shape consumers receive from the public flows.
+ *
+ * Throws {@link AuthError} (`incomplete_auth_result`, HTTP 500) when
+ * any of the three tokens is missing — that's a provider-side bug,
+ * not a credentials problem.
+ */
+export function extractSignInTokens(result) {
+    if (!result?.IdToken || !result.AccessToken || !result.RefreshToken) {
+        throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete authentication result', 500);
+    }
+    return {
+        idToken: result.IdToken,
+        accessToken: result.AccessToken,
+        refreshToken: result.RefreshToken,
+        expiresIn: result.ExpiresIn ?? deriveExpiresInFromJwt(result.AccessToken),
+    };
+}
+//# sourceMappingURL=tokens.js.map

package/dist/server/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../src/server/tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAU1D;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA4C;IAE5C,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACpE,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC;KAC1E,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260506001012",
+  "version": "0.0.0-dev.20260506003129",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -29,12 +29,12 @@
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260506001012",
+    "@venturekit/core": "0.0.0-dev.20260506003129",
     "@aws-sdk/client-cognito-identity-provider": "^3.668.0",
     "aws-jwt-verify": "^4.0.1"
   },
   "peerDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260506001012"
+    "@venturekit/runtime": "0.0.0-dev.20260506003129"
   },
   "peerDependenciesMeta": {
     "@venturekit/runtime": {
@@ -42,7 +42,7 @@
     }
   },
   "devDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260506001012",
+    "@venturekit/runtime": "0.0.0-dev.20260506003129",
     "@types/aws-lambda": "^8.10.131",
     "@types/node": "^25.6.0",
     "typescript": "^5.3.0"