@venturekit/auth 0.0.0-dev.20260512121013 → 0.0.0-dev.20260514011201

package/dist/server/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBACZ,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAM;CAMxD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,OAAO,EACZ,YAAY,EAAE,MAAM,EACpB,cAAc,SAAM,GACnB,SAAS,CAuBX"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBACZ,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAM;CAMxD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,OAAO,EACZ,YAAY,EAAE,MAAM,EACpB,cAAc,SAAM,GACnB,SAAS,CA8BX"}

package/dist/server/errors.js

@@ -40,7 +40,14 @@ export function mapProviderError(err, fallbackCode, fallbackStatus = 401) {
         case 'TooManyFailedAttemptsException':
             return new AuthError('too_many_requests', message, 429);
         case 'InvalidParameterException':
+        case 'InvalidPasswordException':
             return new AuthError('invalid_parameter', message, 422);
+        case 'CodeMismatchException':
+            return new AuthError('invalid_code', message, 400);
+        case 'ExpiredCodeException':
+            return new AuthError('expired_code', message, 400);
+        case 'LimitExceededException':
+            return new AuthError('too_many_requests', message, 429);
         default:
             return new AuthError(code, message, fallbackStatus);
     }

package/dist/server/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,OAAO,SAAU,SAAQ,KAAK;IACzB,IAAI,CAAS;IACb,MAAM,CAAS;IACxB,YAAY,IAAY,EAAE,OAAe,EAAE,MAAM,GAAG,GAAG;QACrD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAY,EACZ,YAAoB,EACpB,cAAc,GAAG,GAAG;IAEpB,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,IAAI,SAAS,CAAC,YAAY,EAAE,uBAAuB,EAAE,cAAc,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,CAAC,GAAG,GAA0C,CAAC;IACrD,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,YAAY,CAAC;IACpC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,IAAI,uBAAuB,CAAC;IACrD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,wBAAwB,CAAC;QAC9B,KAAK,uBAAuB;YAC1B,OAAO,IAAI,SAAS,CAAC,qBAAqB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAClF,KAAK,2BAA2B;YAC9B,OAAO,IAAI,SAAS,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3D,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,yBAAyB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAChE,KAAK,0BAA0B,CAAC;QAChC,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D,KAAK,2BAA2B;YAC9B,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D;YACE,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,OAAO,SAAU,SAAQ,KAAK;IACzB,IAAI,CAAS;IACb,MAAM,CAAS;IACxB,YAAY,IAAY,EAAE,OAAe,EAAE,MAAM,GAAG,GAAG;QACrD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAY,EACZ,YAAoB,EACpB,cAAc,GAAG,GAAG;IAEpB,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,IAAI,SAAS,CAAC,YAAY,EAAE,uBAAuB,EAAE,cAAc,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,CAAC,GAAG,GAA0C,CAAC;IACrD,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,YAAY,CAAC;IACpC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,IAAI,uBAAuB,CAAC;IACrD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,wBAAwB,CAAC;QAC9B,KAAK,uBAAuB;YAC1B,OAAO,IAAI,SAAS,CAAC,qBAAqB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAClF,KAAK,2BAA2B;YAC9B,OAAO,IAAI,SAAS,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3D,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,yBAAyB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAChE,KAAK,0BAA0B,CAAC;QAChC,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D,KAAK,2BAA2B,CAAC;QACjC,KAAK,0BAA0B;YAC7B,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D,KAAK,uBAAuB;YAC1B,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QACrD,KAAK,sBAAsB;YACzB,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QACrD,KAAK,wBAAwB;YAC3B,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D;YACE,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}

package/dist/server/forgot-password.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Server-side "forgot password" flow against a Cognito User Pool.
+ *
+ * Two steps, mapping 1:1 to Cognito's user-facing endpoints:
+ *
+ *   1. {@link forgotPassword} — calls `ForgotPassword`. Cognito emails
+ *      (or SMSes) a one-time confirmation code to the user's verified
+ *      contact. The pool's app client must allow the unauthenticated
+ *      `ForgotPassword` action (VentureKit's CDK stack does so by
+ *      default — it's a public Cognito API).
+ *   2. {@link confirmForgotPassword} — calls `ConfirmForgotPassword`
+ *      with the code + a new permanent password. On success the
+ *      account password is rotated and the next sign-in succeeds.
+ *
+ * Errors are normalized via {@link mapProviderError} so route handlers
+ * can map them straight to typed responses without inspecting
+ * Cognito-specific error names. Notably:
+ *   - `CodeMismatchException`  → `invalid_code`   (HTTP 400)
+ *   - `ExpiredCodeException`   → `expired_code`   (HTTP 400)
+ *   - `InvalidPasswordException` → `invalid_parameter` (HTTP 422)
+ *   - `LimitExceededException` / `TooManyRequestsException`
+ *                              → `too_many_requests` (HTTP 429)
+ *   - `UserNotFoundException`  → `invalid_credentials` (HTTP 401)
+ *
+ * **Account-enumeration note.** Cognito leaks the existence of an
+ * account on the initiation step (it returns `UserNotFoundException`
+ * for unknown emails and a success for known ones, with measurable
+ * timing differences). Route handlers that care about enumeration
+ * resistance should catch `invalid_credentials` from
+ * {@link forgotPassword} and respond with the same opaque "if the
+ * account exists, a code has been sent" message they return on
+ * success. This helper deliberately surfaces the real outcome so the
+ * caller can decide.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface ForgotPasswordInput {
+    /** Email / username of the account whose password should be reset. */
+    email: string;
+}
+/**
+ * Where Cognito delivered (or claims to have delivered) the
+ * confirmation code. Mirrors Cognito's `CodeDeliveryDetailsType`
+ * shape so consumers don't need to import SDK types.
+ */
+export interface CodeDeliveryDetails {
+    /** Masked destination, e.g. `j***@example.com` or `+12******23`. */
+    destination?: string;
+    /** Delivery channel — `EMAIL` or `SMS`. */
+    deliveryMedium?: string;
+    /** User attribute the code was sent to — typically `email` or `phone_number`. */
+    attributeName?: string;
+}
+export interface ForgotPasswordResult {
+    /**
+     * Delivery hint Cognito returned with the OTP. `undefined` when
+     * Cognito withheld the details (e.g. some compliance regions) or
+     * when the user pool has no verified contact method — in which case
+     * Cognito would normally throw `InvalidParameterException` before
+     * reaching this point.
+     */
+    codeDelivery?: CodeDeliveryDetails;
+}
+/**
+ * Initiate a password reset. Cognito sends a one-time code to the
+ * user's verified email or phone and the caller can then complete
+ * the flow via {@link confirmForgotPassword}.
+ *
+ * @param input  Account identifier (email is lower-cased before send).
+ * @param config Optional explicit config; defaults to env vars via
+ *               {@link loadAuthServerConfig}.
+ *
+ * @throws {AuthError}
+ *   - `invalid_credentials` (HTTP 401) — unknown user.
+ *   - `invalid_parameter`   (HTTP 422) — the user has no verified
+ *     contact method to receive the code.
+ *   - `too_many_requests`   (HTTP 429) — Cognito throttling.
+ */
+export declare function forgotPassword(input: ForgotPasswordInput, config?: AuthServerConfig): Promise<ForgotPasswordResult>;
+export interface ConfirmForgotPasswordInput {
+    /** Email / username of the account whose password is being reset. */
+    email: string;
+    /** Confirmation code Cognito delivered in step 1. */
+    code: string;
+    /** Proposed new permanent password. Must satisfy the User Pool's password policy. */
+    newPassword: string;
+}
+/**
+ * Complete a password reset by supplying the OTP from
+ * {@link forgotPassword} together with a new permanent password.
+ *
+ * Resolves with `void` on success — the user can now sign in with
+ * the new password through {@link signInWithPassword}.
+ *
+ * @throws {AuthError}
+ *   - `invalid_code`        (HTTP 400) — wrong OTP.
+ *   - `expired_code`        (HTTP 400) — OTP past its TTL.
+ *   - `invalid_parameter`   (HTTP 422) — new password violates the
+ *     User Pool's password policy.
+ *   - `too_many_requests`   (HTTP 429) — Cognito throttling.
+ *   - `invalid_credentials` (HTTP 401) — unknown user.
+ */
+export declare function confirmForgotPassword(input: ConfirmForgotPasswordInput, config?: AuthServerConfig): Promise<void>;
+//# sourceMappingURL=forgot-password.d.ts.map

package/dist/server/forgot-password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"forgot-password.d.ts","sourceRoot":"","sources":["../../src/server/forgot-password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAOH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,mBAAmB;IAClC,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,oEAAoE;IACpE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iFAAiF;IACjF,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,mBAAmB,EAC1B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,oBAAoB,CAAC,CAqB/B;AAED,MAAM,WAAW,0BAA0B;IACzC,qEAAqE;IACrE,KAAK,EAAE,MAAM,CAAC;IACd,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb,qFAAqF;IACrF,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,0BAA0B,EACjC,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAcf"}

package/dist/server/forgot-password.js

@@ -0,0 +1,107 @@
+/**
+ * Server-side "forgot password" flow against a Cognito User Pool.
+ *
+ * Two steps, mapping 1:1 to Cognito's user-facing endpoints:
+ *
+ *   1. {@link forgotPassword} — calls `ForgotPassword`. Cognito emails
+ *      (or SMSes) a one-time confirmation code to the user's verified
+ *      contact. The pool's app client must allow the unauthenticated
+ *      `ForgotPassword` action (VentureKit's CDK stack does so by
+ *      default — it's a public Cognito API).
+ *   2. {@link confirmForgotPassword} — calls `ConfirmForgotPassword`
+ *      with the code + a new permanent password. On success the
+ *      account password is rotated and the next sign-in succeeds.
+ *
+ * Errors are normalized via {@link mapProviderError} so route handlers
+ * can map them straight to typed responses without inspecting
+ * Cognito-specific error names. Notably:
+ *   - `CodeMismatchException`  → `invalid_code`   (HTTP 400)
+ *   - `ExpiredCodeException`   → `expired_code`   (HTTP 400)
+ *   - `InvalidPasswordException` → `invalid_parameter` (HTTP 422)
+ *   - `LimitExceededException` / `TooManyRequestsException`
+ *                              → `too_many_requests` (HTTP 429)
+ *   - `UserNotFoundException`  → `invalid_credentials` (HTTP 401)
+ *
+ * **Account-enumeration note.** Cognito leaks the existence of an
+ * account on the initiation step (it returns `UserNotFoundException`
+ * for unknown emails and a success for known ones, with measurable
+ * timing differences). Route handlers that care about enumeration
+ * resistance should catch `invalid_credentials` from
+ * {@link forgotPassword} and respond with the same opaque "if the
+ * account exists, a code has been sent" message they return on
+ * success. This helper deliberately surfaces the real outcome so the
+ * caller can decide.
+ */
+import { ConfirmForgotPasswordCommand, ForgotPasswordCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { mapProviderError } from './errors.js';
+/**
+ * Initiate a password reset. Cognito sends a one-time code to the
+ * user's verified email or phone and the caller can then complete
+ * the flow via {@link confirmForgotPassword}.
+ *
+ * @param input  Account identifier (email is lower-cased before send).
+ * @param config Optional explicit config; defaults to env vars via
+ *               {@link loadAuthServerConfig}.
+ *
+ * @throws {AuthError}
+ *   - `invalid_credentials` (HTTP 401) — unknown user.
+ *   - `invalid_parameter`   (HTTP 422) — the user has no verified
+ *     contact method to receive the code.
+ *   - `too_many_requests`   (HTTP 429) — Cognito throttling.
+ */
+export async function forgotPassword(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    let res;
+    try {
+        res = await client.send(new ForgotPasswordCommand({
+            ClientId: config.appClientId,
+            Username: input.email.toLowerCase(),
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'forgot_password_failed');
+    }
+    const d = res.CodeDeliveryDetails;
+    if (!d)
+        return {};
+    const codeDelivery = {};
+    if (d.Destination !== undefined)
+        codeDelivery.destination = d.Destination;
+    if (d.DeliveryMedium !== undefined)
+        codeDelivery.deliveryMedium = d.DeliveryMedium;
+    if (d.AttributeName !== undefined)
+        codeDelivery.attributeName = d.AttributeName;
+    return { codeDelivery };
+}
+/**
+ * Complete a password reset by supplying the OTP from
+ * {@link forgotPassword} together with a new permanent password.
+ *
+ * Resolves with `void` on success — the user can now sign in with
+ * the new password through {@link signInWithPassword}.
+ *
+ * @throws {AuthError}
+ *   - `invalid_code`        (HTTP 400) — wrong OTP.
+ *   - `expired_code`        (HTTP 400) — OTP past its TTL.
+ *   - `invalid_parameter`   (HTTP 422) — new password violates the
+ *     User Pool's password policy.
+ *   - `too_many_requests`   (HTTP 429) — Cognito throttling.
+ *   - `invalid_credentials` (HTTP 401) — unknown user.
+ */
+export async function confirmForgotPassword(input, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region, config.endpoint);
+    try {
+        await client.send(new ConfirmForgotPasswordCommand({
+            ClientId: config.appClientId,
+            Username: input.email.toLowerCase(),
+            ConfirmationCode: input.code,
+            Password: input.newPassword,
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'confirm_forgot_password_failed');
+    }
+}
+//# sourceMappingURL=forgot-password.js.map

package/dist/server/forgot-password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"forgot-password.js","sourceRoot":"","sources":["../../src/server/forgot-password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,GAEtB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAgC/C;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAA0B,EAC1B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,GAAgC,CAAC;IACrC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,qBAAqB,CAAC;YACxB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE;SACpC,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,CAAC,GAAG,GAAG,CAAC,mBAAmB,CAAC;IAClC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,MAAM,YAAY,GAAwB,EAAE,CAAC;IAC7C,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS;QAAE,YAAY,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;IAC1E,IAAI,CAAC,CAAC,cAAc,KAAK,SAAS;QAAE,YAAY,CAAC,cAAc,GAAG,CAAC,CAAC,cAAc,CAAC;IACnF,IAAI,CAAC,CAAC,aAAa,KAAK,SAAS;QAAE,YAAY,CAAC,aAAa,GAAG,CAAC,CAAC,aAAa,CAAC;IAChF,OAAO,EAAE,YAAY,EAAE,CAAC;AAC1B,CAAC;AAWD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAiC,EACjC,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,4BAA4B,CAAC;YAC/B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE;YACnC,gBAAgB,EAAE,KAAK,CAAC,IAAI;YAC5B,QAAQ,EAAE,KAAK,CAAC,WAAW;SAC5B,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gCAAgC,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}

package/dist/server/index.d.ts

@@ -37,6 +37,8 @@ export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';
 export type { ChangePasswordInput } from './change-password.js';
 export { changePassword } from './change-password.js';
+export type { ForgotPasswordInput, ForgotPasswordResult, ConfirmForgotPasswordInput, CodeDeliveryDetails, } from './forgot-password.js';
+export { forgotPassword, confirmForgotPassword } from './forgot-password.js';
 export type { VerifyOptions } from './verify.js';
 export { verifyAndDecode } from './verify.js';
 export type { SessionTokens, CookieOptions } from './cookies.js';

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EACV,eAAe,EACf,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAErE,YAAY,EACV,iBAAiB,EACjB,gBAAgB,EAChB,4BAA4B,EAC5B,0BAA0B,EAC1B,sBAAsB,EACtB,8BAA8B,GAC/B,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,mBAAmB,EACnB,qBAAqB,EACrB,sBAAsB,EACtB,4BAA4B,EAC5B,6BAA6B,EAC7B,2BAA2B,GAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,mCAAmC,GACpC,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EACV,eAAe,EACf,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7E,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAErE,YAAY,EACV,iBAAiB,EACjB,gBAAgB,EAChB,4BAA4B,EAC5B,0BAA0B,EAC1B,sBAAsB,EACtB,8BAA8B,GAC/B,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,mBAAmB,EACnB,qBAAqB,EACrB,sBAAsB,EACtB,4BAA4B,EAC5B,6BAA6B,EAC7B,2BAA2B,GAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,mCAAmC,GACpC,MAAM,mBAAmB,CAAC"}

package/dist/server/index.js

@@ -30,6 +30,7 @@ export { adminInviteUser, adminUpdateUserAttributes, adminDisableUser, adminEnab
 export { refreshSession } from './refresh.js';
 export { revokeRefreshToken } from './revoke.js';
 export { changePassword } from './change-password.js';
+export { forgotPassword, confirmForgotPassword } from './forgot-password.js';
 export { verifyAndDecode } from './verify.js';
 export { ID_TOKEN_COOKIE, ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE, buildSessionCookies, buildClearSessionCookies, readCookieFromHeader, } from './cookies.js';
 export { cookieAuthMiddleware, extractToken } from './middleware.js';

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOlD,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAO1C,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAUrE,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,mCAAmC,GACpC,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOlD,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAO1C,OAAO,EACL,eAAe,EACf,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAQtD,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7E,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAUrE,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,mCAAmC,GACpC,MAAM,mBAAmB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260512121013",
+  "version": "0.0.0-dev.20260514011201",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -33,13 +33,13 @@
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260512121013",
+    "@venturekit/core": "0.0.0-dev.20260514011201",
     "@aws-sdk/client-cognito-identity-provider": "^3.668.0",
     "@aws-sdk/client-secrets-manager": "^3.668.0",
     "aws-jwt-verify": "^4.0.1"
   },
   "peerDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260512121013"
+    "@venturekit/runtime": "0.0.0-dev.20260514011201"
   },
   "peerDependenciesMeta": {
     "@venturekit/runtime": {
@@ -47,7 +47,7 @@
     }
   },
   "devDependencies": {
-    "@venturekit/runtime": "0.0.0-dev.20260512121013",
+    "@venturekit/runtime": "0.0.0-dev.20260514011201",
     "@types/aws-lambda": "^8.10.131",
     "@types/node": "^25.6.0",
     "typescript": "^5.3.0"