@warlock.js/auth 4.0.171 → 4.1.1

package/cjs/index.cjs

@@ -0,0 +1,807 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+//#region \0rolldown/runtime.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") {
+		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+			key = keys[i];
+			if (!__hasOwnProp.call(to, key) && key !== except) {
+				__defProp(to, key, {
+					get: ((k) => from[k]).bind(null, key),
+					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+				});
+			}
+		}
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+
+//#endregion
+let _mongez_copper = require("@mongez/copper");
+let _warlock_js_core = require("@warlock.js/core");
+let _mongez_reinforcements = require("@mongez/reinforcements");
+let ms = require("ms");
+ms = __toESM(ms, 1);
+let _warlock_js_cascade = require("@warlock.js/cascade");
+let _warlock_js_seal = require("@warlock.js/seal");
+let _mongez_events = require("@mongez/events");
+_mongez_events = __toESM(_mongez_events, 1);
+let fast_jwt = require("fast-jwt");
+let _warlock_js_fs = require("@warlock.js/fs");
+let _warlock_js_logger = require("@warlock.js/logger");
+
+//#region ../../@warlock.js/auth/src/models/access-token/access-token.model.ts
+const accessTokenSchema = _warlock_js_seal.v.object({
+	token: _warlock_js_seal.v.string().required(),
+	last_access: _warlock_js_seal.v.date().defaultNow().optional(),
+	user_id: _warlock_js_seal.v.scalar().required(),
+	user_type: _warlock_js_seal.v.string().required(),
+	is_active: _warlock_js_seal.v.boolean().default(true)
+});
+var AccessToken = class extends _warlock_js_cascade.Model {
+	static {
+		this.table = "access_tokens";
+	}
+	static {
+		this.schema = accessTokenSchema;
+	}
+};
+
+//#endregion
+//#region ../../@warlock.js/auth/src/models/refresh-token/refresh-token.model.ts
+const refreshTokenSchema = _warlock_js_seal.v.object({
+	token: _warlock_js_seal.v.string().required(),
+	user_id: _warlock_js_seal.v.scalar().required(),
+	user_type: _warlock_js_seal.v.string().required(),
+	family_id: _warlock_js_seal.v.string().required(),
+	expires_at: _warlock_js_seal.v.date().required(),
+	last_used_at: _warlock_js_seal.v.date().default(() => /* @__PURE__ */ new Date()),
+	revoked_at: _warlock_js_seal.v.date().optional(),
+	device_info: _warlock_js_seal.v.record(_warlock_js_seal.v.any()).optional()
+});
+var RefreshToken = class extends _warlock_js_cascade.Model {
+	static {
+		this.table = "refresh_tokens";
+	}
+	static {
+		this.schema = refreshTokenSchema;
+	}
+	/**
+	* Check if token is expired
+	*/
+	get isExpired() {
+		const expiresAt = this.get("expires_at");
+		if (!expiresAt) return false;
+		return /* @__PURE__ */ new Date() > new Date(expiresAt);
+	}
+	/**
+	* Check if token is revoked
+	*/
+	get isRevoked() {
+		return !!this.get("revoked_at");
+	}
+	/**
+	* Check if token is valid (not expired and not revoked)
+	*/
+	get isValid() {
+		return !this.isExpired && !this.isRevoked;
+	}
+	/**
+	* Revoke this token
+	*/
+	async revoke() {
+		return this.merge({ revoked_at: /* @__PURE__ */ new Date() }).save();
+	}
+	/**
+	* Mark token as used (update last_used_at)
+	*/
+	async markAsUsed() {
+		await this.merge({ last_used_at: /* @__PURE__ */ new Date() }).save();
+	}
+};
+
+//#endregion
+//#region ../../@warlock.js/auth/src/services/auth-events.ts
+/**
+* Event namespace prefix for auth events
+*/
+const AUTH_EVENT_PREFIX = "auth.";
+/**
+* Type-safe auth events manager
+*
+* @example
+* ```typescript
+* // Subscribe to events with full autocomplete
+* authEvents.on("login.success", (user, tokenPair, deviceInfo) => {
+*   console.log(`User ${user.id} logged in`);
+* });
+*
+* authEvents.on("token.refreshed", (user, newPair, oldToken) => {
+*   console.log(`Token refreshed for user ${user.id}`);
+* });
+*
+* // Trigger events
+* authEvents.emit("login.success", user, tokenPair, deviceInfo);
+* ```
+*/
+const authEvents = {
+	/**
+	* Subscribe to an auth event
+	*/
+	on(event, callback) {
+		return _mongez_events.default.subscribe(AUTH_EVENT_PREFIX + event, callback);
+	},
+	/**
+	* Subscribe to an auth event (alias for `on`)
+	*/
+	subscribe(event, callback) {
+		return this.on(event, callback);
+	},
+	/**
+	* Emit an auth event
+	*/
+	emit(event, ...args) {
+		_mongez_events.default.trigger(AUTH_EVENT_PREFIX + event, ...args);
+	},
+	/**
+	* Emit an auth event (alias for `emit`)
+	*/
+	trigger(event, ...args) {
+		this.emit(event, ...args);
+	},
+	/**
+	* Unsubscribe from all auth events
+	*/
+	unsubscribeAll() {
+		_mongez_events.default.unsubscribeNamespace(AUTH_EVENT_PREFIX.slice(0, -1));
+	},
+	/**
+	* Unsubscribe from a specific auth event
+	*/
+	off(event) {
+		if (event) _mongez_events.default.unsubscribe(AUTH_EVENT_PREFIX + event);
+		else this.unsubscribeAll();
+	}
+};
+
+//#endregion
+//#region ../../@warlock.js/auth/src/services/jwt.ts
+const getSecretKey = () => _warlock_js_core.config.key("auth.jwt.secret");
+const getAlgorithm = () => _warlock_js_core.config.key("auth.jwt.algorithm", "HS256");
+const getRefreshSecretKey = () => _warlock_js_core.config.key("auth.jwt.refresh.secret") || getSecretKey();
+const jwt = {
+	/**
+	* Generate a new JWT token for the user.
+	* @param payload The payload to encode in the JWT token.
+	*/
+	async generate(payload, { key = getSecretKey(), algorithm = getAlgorithm(), ...options } = {}) {
+		return await (0, fast_jwt.createSigner)({
+			key,
+			...options,
+			algorithm
+		})({ ...payload });
+	},
+	/**
+	* Verify the given token.
+	* @param token The JWT token to verify.
+	* @returns The decoded token payload if verification is successful.
+	*/
+	async verify(token, { key = getSecretKey(), algorithms = getAlgorithm() ? [getAlgorithm()] : void 0, ...options } = {}) {
+		return await (0, fast_jwt.createVerifier)({
+			key,
+			...options,
+			algorithms
+		})(token);
+	},
+	/**
+	* Generate a new refresh token for the user.
+	*/
+	async generateRefreshToken(payload, { key = getRefreshSecretKey(), expiresIn, algorithm = getAlgorithm(), ...options } = {}) {
+		return (0, fast_jwt.createSigner)({
+			key,
+			expiresIn,
+			algorithm,
+			...options
+		})({ ...payload });
+	},
+	/**
+	* Verify the given refresh token.
+	*/
+	async verifyRefreshToken(token, { key = getRefreshSecretKey(), algorithms = [getAlgorithm()], ...options } = {}) {
+		return await (0, fast_jwt.createVerifier)({
+			key,
+			algorithms,
+			...options
+		})(token);
+	}
+};
+
+//#endregion
+//#region ../../@warlock.js/auth/src/services/auth.service.ts
+var AuthService = class {
+	/**
+	* Build access token payload from user
+	*/
+	buildAccessTokenPayload(user) {
+		return {
+			id: user.id,
+			userType: user.userType,
+			created_at: Date.now()
+		};
+	}
+	/**
+	* Generate access token for user
+	*/
+	async generateAccessToken(user, payload) {
+		const data = payload || this.buildAccessTokenPayload(user);
+		const expiresInConfig = _warlock_js_core.config.key("auth.jwt.expiresIn");
+		const expiresIn = expiresInConfig ? (0, ms.default)(expiresInConfig) : 3600;
+		const token = await jwt.generate(data, { expiresIn });
+		const decoed = await jwt.verify(token);
+		await AccessToken.create({
+			token,
+			user_id: user.id,
+			user_type: user.userType
+		});
+		return {
+			token,
+			expiresAt: (/* @__PURE__ */ new Date(decoed.exp * 1e3)).toISOString()
+		};
+	}
+	/**
+	* Create refresh token for user
+	*/
+	async createRefreshToken(user, deviceInfo) {
+		if (_warlock_js_core.config.get("auth.jwt.refresh.enabled") === false) return;
+		const familyId = deviceInfo?.familyId || _mongez_reinforcements.Random.string(32);
+		const payload = {
+			userId: user.id,
+			userType: user.userType,
+			familyId
+		};
+		const expiresIn = (0, ms.default)(_warlock_js_core.config.get("auth.jwt.refresh.expiresIn", "7d"));
+		const token = await jwt.generateRefreshToken(payload, { expiresIn });
+		const expiresAt = new Date(Date.now() + expiresIn).toISOString();
+		await this.enforceMaxRefreshTokens(user);
+		return RefreshToken.create({
+			token,
+			user_id: user.id,
+			user_type: user.userType,
+			family_id: familyId,
+			expires_at: expiresAt,
+			device_info: deviceInfo ? {
+				userAgent: deviceInfo.userAgent,
+				ip: deviceInfo.ip,
+				deviceId: deviceInfo.deviceId
+			} : void 0
+		});
+	}
+	/**
+	* Create both access and refresh tokens
+	*/
+	async createTokenPair(user, deviceInfo) {
+		const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+		const refreshToken = await this.createRefreshToken(user, deviceInfo);
+		const tokenPair = {
+			accessToken,
+			refreshToken: refreshToken ? {
+				token: refreshToken.get("token"),
+				expiresAt: refreshToken.get("expires_at")
+			} : void 0
+		};
+		authEvents.emit("token.created", user, tokenPair);
+		if (refreshToken) authEvents.emit("session.created", user, refreshToken, deviceInfo);
+		return tokenPair;
+	}
+	/**
+	* Refresh tokens using a refresh token
+	*/
+	async refreshTokens(refreshTokenString, deviceInfo) {
+		try {
+			const decoded = await jwt.verifyRefreshToken(refreshTokenString);
+			if (!decoded) return null;
+			const refreshToken = await RefreshToken.first({ token: refreshTokenString });
+			if (!refreshToken?.isValid) {
+				if (refreshToken) await this.revokeTokenFamily(refreshToken.get("family_id"));
+				return null;
+			}
+			const UserModel = _warlock_js_core.config.key(`auth.userType.${decoded.userType}`);
+			if (!UserModel) return null;
+			const user = await UserModel.find(decoded.userId);
+			if (!user) return null;
+			if (_warlock_js_core.config.key("auth.jwt.refresh.rotation", true)) await refreshToken.revoke();
+			else await refreshToken.markAsUsed();
+			const newTokenPair = await this.createTokenPair(user, {
+				...deviceInfo,
+				familyId: refreshToken.get("family_id")
+			});
+			authEvents.emit("token.refreshed", user, newTokenPair, refreshToken);
+			return newTokenPair;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Verify password
+	*/
+	async verifyPassword(plainPassword, hashedPassword) {
+		return (0, _warlock_js_core.verifyPassword)(plainPassword, hashedPassword);
+	}
+	/**
+	* Hash password
+	*/
+	async hashPassword(password) {
+		return (0, _warlock_js_core.hashPassword)(password);
+	}
+	/**
+	* Attempt to login user with given credentials
+	*/
+	async attemptLogin(Model, data) {
+		const { password, ...otherData } = data;
+		authEvents.emit("login.attempt", otherData);
+		const user = await Model.first(otherData);
+		if (!user) {
+			authEvents.emit("login.failed", otherData, "User not found");
+			return null;
+		}
+		if (!await this.verifyPassword(password, user.string("password"))) {
+			authEvents.emit("login.failed", otherData, "Invalid password");
+			return null;
+		}
+		return user;
+	}
+	/**
+	* Full login flow: validate credentials, create tokens, emit events
+	* Returns token pair on success, null on failure
+	*/
+	async login(Model, credentials, deviceInfo) {
+		const user = await this.attemptLogin(Model, credentials);
+		if (!user) return null;
+		if (!_warlock_js_core.config.key("auth.jwt.refresh.enabled", true)) return {
+			user,
+			tokens: { accessToken: await this.generateAccessToken(user, deviceInfo?.payload) }
+		};
+		const tokens = await this.createTokenPair(user, deviceInfo);
+		authEvents.emit("login.success", user, tokens, deviceInfo);
+		return {
+			user,
+			tokens
+		};
+	}
+	/**
+	* Logout user
+	* @param user - The authenticated user
+	* @param accessToken - Optional access token string to revoke
+	* @param refreshToken - Optional refresh token string to revoke
+	* If refresh token is not provided, behavior is determined by config:
+	* - "revoke-all" (default): Revoke ALL refresh tokens for security
+	* - "error": Throw error requiring refresh token
+	*/
+	async logout(user, accessToken, refreshToken) {
+		if (accessToken) await this.removeAccessToken(user, accessToken);
+		if (refreshToken) {
+			const token = await RefreshToken.first({
+				token: refreshToken,
+				userId: user.id
+			});
+			if (token) {
+				await token.revoke();
+				authEvents.emit("session.destroyed", user, token);
+			}
+		} else {
+			if (_warlock_js_core.config.key("auth.jwt.refresh.logoutWithoutToken", "revoke-all") === "error") throw new Error("Refresh token required for logout");
+			await this.revokeAllTokens(user);
+			authEvents.emit("logout.failsafe", user);
+		}
+		authEvents.emit("logout", user);
+	}
+	/**
+	* Remove specific access token
+	*/
+	async removeAccessToken(user, token) {
+		AccessToken.delete({
+			token,
+			userId: user.id
+		});
+	}
+	/**
+	* Remove all access tokens for a user
+	*/
+	async removeAllAccessTokens(user) {
+		AccessToken.delete({ user_id: user.id });
+	}
+	/**
+	* Remove specific refresh token
+	*/
+	async removeRefreshToken(user, token) {
+		RefreshToken.delete({
+			token,
+			userId: user.id
+		});
+	}
+	/**
+	* Revoke all tokens for a user
+	*/
+	async revokeAllTokens(user) {
+		const refreshTokens = await RefreshToken.query().where("user_id", user.id).where("user_type", user.userType).where("revoked_at", null).get();
+		for (const token of refreshTokens) {
+			await token.revoke();
+			authEvents.emit("token.revoked", user, token);
+		}
+		await this.removeAllAccessTokens(user);
+		authEvents.emit("logout.all", user);
+	}
+	/**
+	* Revoke entire token family (for rotation breach detection)
+	*/
+	async revokeTokenFamily(familyId) {
+		const tokens = await RefreshToken.query().where("family_id", familyId).where("revoked_at", null).get();
+		for (const token of tokens) await token.revoke();
+		authEvents.emit("token.familyRevoked", familyId, tokens);
+	}
+	/**
+	* Cleanup expired tokens
+	*/
+	async cleanupExpiredTokens() {
+		const expiredTokens = await RefreshToken.query().where("expires_at", "<", /* @__PURE__ */ new Date()).get();
+		for (const token of expiredTokens) {
+			authEvents.emit("token.expired", token);
+			await token.destroy();
+		}
+		authEvents.emit("cleanup.completed", expiredTokens.length);
+		return expiredTokens.length;
+	}
+	/**
+	* Enforce max refresh tokens per user
+	*/
+	async enforceMaxRefreshTokens(user) {
+		const maxPerUser = _warlock_js_core.config.key("auth.jwt.refresh.maxPerUser", 5);
+		const activeTokens = await RefreshToken.query().where({
+			user_id: user.id,
+			user_type: user.userType,
+			revoked_at: null
+		}).orderBy("created_at", "asc").get();
+		if (activeTokens.length >= maxPerUser) {
+			const tokensToRevoke = activeTokens.slice(0, activeTokens.length - maxPerUser + 1);
+			for (const token of tokensToRevoke) await token.revoke();
+		}
+	}
+	/**
+	* Get active sessions for user
+	*/
+	async getActiveSessions(user) {
+		return RefreshToken.query().where({
+			user_id: user.id,
+			user_type: user.userType,
+			revoked_at: null
+		}).where("expires_at", ">", /* @__PURE__ */ new Date()).orderBy("created_at", "desc").get();
+	}
+};
+const authService = new AuthService();
+
+//#endregion
+//#region ../../@warlock.js/auth/src/commands/auth-cleanup-command.ts
+/**
+* Register the auth:cleanup CLI command
+*
+* @example
+* ```bash
+* warlock auth:cleanup
+* ```
+*/
+function registerAuthCleanupCommand() {
+	return (0, _warlock_js_core.command)({
+		name: "auth.cleanup",
+		description: "Remove expired refresh tokens from the database",
+		preload: {
+			env: true,
+			config: ["auth", "database"],
+			connectors: ["database"]
+		},
+		action: async () => {
+			console.log(_mongez_copper.colors.cyan("🧹 Cleaning up expired tokens..."));
+			const count = await authService.cleanupExpiredTokens();
+			if (count === 0) console.log(_mongez_copper.colors.green("✅ No expired tokens found."));
+			else console.log(_mongez_copper.colors.green(`✅ Removed ${count} expired token(s).`));
+		}
+	});
+}
+
+//#endregion
+//#region ../../@warlock.js/auth/src/services/generate-jwt-secret.ts
+async function generateJWTSecret() {
+	let envFile = (0, _warlock_js_core.rootPath)(".env");
+	_warlock_js_logger.log.info("jwt", "generating", "Generating JWT secrets");
+	const environmentMode = (0, _warlock_js_core.environment)();
+	if (!await (0, _warlock_js_fs.fileExistsAsync)(envFile)) envFile = (0, _warlock_js_core.rootPath)(environmentMode === "production" ? ".env.production" : ".env.development");
+	if (!await (0, _warlock_js_fs.fileExistsAsync)(envFile)) {
+		_warlock_js_logger.log.error("jwt", "error", ".env file not found");
+		return;
+	}
+	let contents = await (0, _warlock_js_fs.getFileAsync)(envFile);
+	const hasJwtSecret = contents.includes("JWT_SECRET");
+	const hasJwtRefreshSecret = contents.includes("JWT_REFRESH_SECRET");
+	if (hasJwtSecret && hasJwtRefreshSecret) {
+		_warlock_js_logger.log.warn("jwt", "exists", "JWT secrets already exist in the .env file.");
+		return;
+	}
+	let secretsToAdd = "";
+	if (!hasJwtSecret) {
+		const jwtSecret = _mongez_reinforcements.Random.string(32);
+		secretsToAdd += `
+# JWT Secret
+JWT_SECRET=${jwtSecret}
+`;
+		_warlock_js_logger.log.success("jwt", "generated", "JWT_SECRET generated and added to the .env file.");
+	} else _warlock_js_logger.log.info("jwt", "exists", "JWT_SECRET already exists in the .env file.");
+	if (!hasJwtRefreshSecret) {
+		const jwtRefreshSecret = _mongez_reinforcements.Random.string(32);
+		secretsToAdd += `
+# JWT Refresh Secret
+JWT_REFRESH_SECRET=${jwtRefreshSecret}
+`;
+		_warlock_js_logger.log.success("jwt", "generated", "JWT_REFRESH_SECRET generated and added to the .env file.");
+	} else _warlock_js_logger.log.info("jwt", "exists", "JWT_REFRESH_SECRET already exists in the .env file.");
+	if (secretsToAdd) {
+		contents += secretsToAdd;
+		await (0, _warlock_js_fs.putFileAsync)(envFile, contents);
+	}
+}
+
+//#endregion
+//#region ../../@warlock.js/auth/src/commands/jwt-secret-generator-command.ts
+function registerJWTSecretGeneratorCommand() {
+	return (0, _warlock_js_core.command)({
+		name: "jwt.generate",
+		description: "Generate JWT Secret key in .env file",
+		action: generateJWTSecret
+	});
+}
+
+//#endregion
+//#region ../../@warlock.js/auth/src/contracts/types.ts
+/**
+* Symbol to indicate no expiration for tokens
+* Use this when you explicitly want tokens to never expire
+*
+* @example
+* ```typescript
+* // src/config/auth.ts
+* import { NO_EXPIRATION, type AuthConfigurations } from "@warlock.js/auth";
+*
+* const authConfigurations: AuthConfigurations = {
+*   jwt: {
+*     secret: env("JWT_SECRET"),
+*     expiresIn: NO_EXPIRATION,  // Token expires within 100 years
+*   },
+* };
+*
+* export default authConfigurations;
+* ```
+*/
+const NO_EXPIRATION = "100y";
+
+//#endregion
+//#region ../../@warlock.js/auth/src/utils/auth-error-codes.ts
+let AuthErrorCodes = /* @__PURE__ */ function(AuthErrorCodes) {
+	/**
+	* Missing Access Token Error Code EC001
+	* EC001 = Missing Access Token
+	*/
+	AuthErrorCodes["MissingAccessToken"] = "EC001";
+	/**
+	* Invalid Access Token Error Code EC002
+	* EC002 = Invalid Access Token
+	*/
+	AuthErrorCodes["InvalidAccessToken"] = "EC002";
+	/**
+	* Unauthorized Error Code EC003
+	* EC003 = Unauthorized
+	*/
+	AuthErrorCodes["Unauthorized"] = "EC003";
+	return AuthErrorCodes;
+}({});
+
+//#endregion
+//#region ../../@warlock.js/auth/src/middleware/auth.middleware.ts
+/**
+* Build a route gate that always requires an authenticated request.
+*
+* The argument is mandatory and selects which user types may pass:
+* - `[]` — any authenticated user (token required, type not checked).
+* - `"admin"` / `["admin", "staff"]` — token required AND the user's
+*   `userType` must be one of the listed types.
+*
+* There is no anonymous/optional mode: a request without a valid access
+* token is always rejected with `401`. Routes that should be public
+* simply omit the middleware.
+*
+* @example
+* router.get("/account", authMiddleware([]), accountController);
+* router.get("/admin", authMiddleware("admin"), adminController);
+* router.get("/back-office", authMiddleware(["admin", "staff"]), backOfficeController);
+*/
+function authMiddleware(allowedUserType) {
+	const allowedTypes = Array.isArray(allowedUserType) ? allowedUserType : [allowedUserType];
+	const auth = async (request, response) => {
+		try {
+			const authorizationValue = request.authorizationValue;
+			if (!authorizationValue) return response.unauthorized({
+				error: (0, _warlock_js_core.t)("auth.errors.missingAccessToken"),
+				errorCode: "EC001"
+			});
+			const user = await jwt.verify(authorizationValue);
+			request.decodedAccessToken = user;
+			const accessToken = await AccessToken.first({ token: authorizationValue });
+			if (!accessToken) return response.unauthorized({
+				error: (0, _warlock_js_core.t)("auth.errors.invalidAccessToken"),
+				errorCode: "EC002"
+			});
+			const userType = user.userType || accessToken.get("userType");
+			if (allowedTypes.length && !allowedTypes.includes(userType)) return response.unauthorized({
+				error: (0, _warlock_js_core.t)("auth.errors.unauthorized"),
+				errorCode: "EC003"
+			});
+			const UserModel = _warlock_js_core.config.key(`auth.userType.${userType}`);
+			if (!UserModel) throw new Error(`User type ${userType} is unknown type.`);
+			const currentUser = await UserModel.find(user.id);
+			if (!currentUser) {
+				accessToken.destroy();
+				return response.unauthorized({
+					error: (0, _warlock_js_core.t)("auth.errors.invalidAccessToken"),
+					errorCode: "EC002"
+				});
+			}
+			request.user = currentUser;
+		} catch (err) {
+			_warlock_js_logger.log.error("http", "auth", err);
+			request.clearCurrentUser();
+			return response.unauthorized({
+				error: (0, _warlock_js_core.t)("auth.errors.invalidAccessToken"),
+				errorCode: "EC002"
+			});
+		}
+	};
+	return auth;
+}
+
+//#endregion
+//#region ../../@warlock.js/auth/src/models/access-token/migration.ts
+const AccessTokenMigration = (0, _warlock_js_cascade.migrate)(AccessToken, {
+	name: "accessToken",
+	up() {
+		this.createTableIfNotExists();
+		this.primaryUuid();
+		this.text("token").unique();
+		this.timestamp("last_access").nullable();
+		this.uuid("user_id").index();
+		this.string("user_type", 50).nullable();
+		this.boolean("is_active").nullable();
+		this.timestamps();
+	},
+	down() {
+		this.dropTableIfExists();
+	}
+});
+
+//#endregion
+//#region ../../@warlock.js/auth/src/models/refresh-token/migration.ts
+const RefreshTokenMigration = (0, _warlock_js_cascade.migrate)(RefreshToken, {
+	name: "refreshToken",
+	up() {
+		this.createTableIfNotExists();
+		this.primaryUuid();
+		this.text("token").unique();
+		this.uuid("user_id").index();
+		this.string("user_type", 50).nullable();
+		this.text("family_id").index().nullable();
+		this.timestamp("expires_at").index().nullable();
+		this.timestamp("last_used_at").nullable();
+		this.timestamp("revoked_at").nullable();
+		this.json("device_info").nullable();
+		this.timestamps();
+	},
+	down() {
+		this.dropTableIfExists();
+	}
+});
+
+//#endregion
+//#region ../../@warlock.js/auth/src/models/auth.model.ts
+var Auth = class extends _warlock_js_cascade.Model {
+	/**
+	* Get access token payload
+	*/
+	accessTokenPayload() {
+		return authService.buildAccessTokenPayload(this);
+	}
+	/**
+	* Create both access and refresh tokens
+	*/
+	async createTokenPair(deviceInfo) {
+		return authService.createTokenPair(this, deviceInfo);
+	}
+	/**
+	* Generate access token
+	*/
+	async generateAccessToken(data) {
+		return authService.generateAccessToken(this, data);
+	}
+	/**
+	* Generate refresh token
+	*/
+	async generateRefreshToken(deviceInfo) {
+		return authService.createRefreshToken(this, deviceInfo);
+	}
+	/**
+	* Remove current access token
+	*/
+	async removeAccessToken(token) {
+		return authService.removeAccessToken(this, token);
+	}
+	/**
+	* Remove refresh token
+	*/
+	async removeRefreshToken(token) {
+		return authService.removeRefreshToken(this, token);
+	}
+	/**
+	* Remove all access tokens
+	*/
+	async removeAllAccessTokens() {
+		return authService.removeAllAccessTokens(this);
+	}
+	/**
+	* Revoke all tokens (logout from all devices)
+	*/
+	async revokeAllTokens() {
+		return authService.revokeAllTokens(this);
+	}
+	/**
+	* Get active sessions
+	*/
+	async activeSessions() {
+		return authService.getActiveSessions(this);
+	}
+	/**
+	* Attempt to login the user
+	*/
+	static async attempt(data) {
+		return authService.attemptLogin(this, data);
+	}
+	/**
+	* Confirm password
+	*/
+	async confirmPassword(password) {
+		return authService.verifyPassword(password, this.string("password"));
+	}
+};
+
+//#endregion
+//#region ../../@warlock.js/auth/src/models/index.ts
+const authMigrations = [AccessTokenMigration, RefreshTokenMigration];
+
+//#endregion
+exports.AccessToken = AccessToken;
+exports.Auth = Auth;
+exports.AuthErrorCodes = AuthErrorCodes;
+exports.NO_EXPIRATION = NO_EXPIRATION;
+exports.RefreshToken = RefreshToken;
+exports.authEvents = authEvents;
+exports.authMiddleware = authMiddleware;
+exports.authMigrations = authMigrations;
+exports.authService = authService;
+exports.generateJWTSecret = generateJWTSecret;
+exports.jwt = jwt;
+exports.registerAuthCleanupCommand = registerAuthCleanupCommand;
+exports.registerJWTSecretGeneratorCommand = registerJWTSecretGeneratorCommand;
+//# sourceMappingURL=index.cjs.map