@warlock.js/auth 4.0.174 → 4.1.2

package/esm/services/auth.service.d.mts

@@ -0,0 +1,95 @@
+import { RefreshToken } from "../models/refresh-token/refresh-token.model.mjs";
+import { Auth } from "../models/auth.model.mjs";
+import { AccessTokenOutput, DeviceInfo, LoginResult, TokenPair } from "../contracts/types.mjs";
+import { ChildModel } from "@warlock.js/cascade";
+
+//#region ../../@warlock.js/auth/src/services/auth.service.d.ts
+declare class AuthService {
+  /**
+   * Build access token payload from user
+   */
+  buildAccessTokenPayload(user: Auth): {
+    id: any;
+    userType: string;
+    created_at: number;
+  };
+  /**
+   * Generate access token for user
+   */
+  generateAccessToken(user: Auth, payload?: any): Promise<AccessTokenOutput>;
+  /**
+   * Create refresh token for user
+   */
+  createRefreshToken(user: Auth, deviceInfo?: DeviceInfo): Promise<RefreshToken | undefined>;
+  /**
+   * Create both access and refresh tokens
+   */
+  createTokenPair(user: Auth, deviceInfo?: DeviceInfo): Promise<TokenPair>;
+  /**
+   * Refresh tokens using a refresh token
+   */
+  refreshTokens(refreshTokenString: string, deviceInfo?: DeviceInfo): Promise<TokenPair | null>;
+  /**
+   * Verify password
+   */
+  verifyPassword(plainPassword: string, hashedPassword: string): Promise<boolean>;
+  /**
+   * Hash password
+   */
+  hashPassword(password: string): Promise<string>;
+  /**
+   * Attempt to login user with given credentials
+   */
+  attemptLogin<T extends Auth>(Model: ChildModel<T>, data: any): Promise<T | null>;
+  /**
+   * Full login flow: validate credentials, create tokens, emit events
+   * Returns token pair on success, null on failure
+   */
+  login<T extends Auth>(Model: ChildModel<T>, credentials: any, deviceInfo?: DeviceInfo): Promise<LoginResult<T> | null>;
+  /**
+   * Logout user
+   * @param user - The authenticated user
+   * @param accessToken - Optional access token string to revoke
+   * @param refreshToken - Optional refresh token string to revoke
+   * If refresh token is not provided, behavior is determined by config:
+   * - "revoke-all" (default): Revoke ALL refresh tokens for security
+   * - "error": Throw error requiring refresh token
+   */
+  logout(user: Auth, accessToken?: string, refreshToken?: string): Promise<void>;
+  /**
+   * Remove specific access token
+   */
+  removeAccessToken(user: Auth, token: string): Promise<void>;
+  /**
+   * Remove all access tokens for a user
+   */
+  removeAllAccessTokens(user: Auth): Promise<void>;
+  /**
+   * Remove specific refresh token
+   */
+  removeRefreshToken(user: Auth, token: string): Promise<void>;
+  /**
+   * Revoke all tokens for a user
+   */
+  revokeAllTokens(user: Auth): Promise<void>;
+  /**
+   * Revoke entire token family (for rotation breach detection)
+   */
+  revokeTokenFamily(familyId: string): Promise<void>;
+  /**
+   * Cleanup expired tokens
+   */
+  cleanupExpiredTokens(): Promise<number>;
+  /**
+   * Enforce max refresh tokens per user
+   */
+  private enforceMaxRefreshTokens;
+  /**
+   * Get active sessions for user
+   */
+  getActiveSessions(user: Auth): Promise<RefreshToken[]>;
+}
+declare const authService: AuthService;
+//#endregion
+export { authService };
+//# sourceMappingURL=auth.service.d.mts.map

package/esm/services/auth.service.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.d.mts","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/auth.service.ts"],"mappings":";;;;;;cAWM,WAAA;;;AAJiD;EAQ9C,uBAAA,CAAwB,IAAA,EAAM,IAAA;;;;;EAWwB;;;EAAhD,mBAAA,CAAoB,IAAA,EAAM,IAAA,EAAM,OAAA,SAAgB,OAAA,CAAQ,iBAAA;EA0BlE;;;EAHU,kBAAA,CACX,IAAA,EAAM,IAAA,EACN,UAAA,GAAa,UAAA,GACZ,OAAA,CAAQ,YAAA;EA2CwD;;;EAAtD,eAAA,CAAgB,IAAA,EAAM,IAAA,EAAM,UAAA,GAAa,UAAA,GAAa,OAAA,CAAQ,SAAA;EAqFC;;;EA1D/D,aAAA,CACX,kBAAA,UACA,UAAA,GAAa,UAAA,GACZ,OAAA,CAAQ,SAAA;EAqEsC;;;EAdpC,cAAA,CAAe,aAAA,UAAuB,cAAA,WAAyB,OAAA;EAwCxD;;;EAjCP,YAAA,CAAa,QAAA,WAAmB,OAAA;EAoClC;;;EA7BE,YAAA,WAAuB,IAAA,CAAA,CAAM,KAAA,EAAO,UAAA,CAAW,CAAA,GAAI,IAAA,QAAY,OAAA,CAAQ,CAAA;EAkG/C;;;;EAzExB,KAAA,WAAgB,IAAA,CAAA,CAC3B,KAAA,EAAO,UAAA,CAAW,CAAA,GAClB,WAAA,OACA,UAAA,GAAa,UAAA,GACZ,OAAA,CAAQ,WAAA,CAAY,CAAA;EAyFqC;;;;;;;;;EA3D/C,MAAA,CAAO,IAAA,EAAM,IAAA,EAAM,WAAA,WAAsB,YAAA,YAAwB,OAAA;EA9OvE;;;EAqRM,iBAAA,CAAkB,IAAA,EAAM,IAAA,EAAM,KAAA,WAAgB,OAAA;;;;EAU9C,qBAAA,CAAsB,IAAA,EAAM,IAAA,GAAO,OAAA;EApRf;;;EA8RpB,kBAAA,CAAmB,IAAA,EAAM,IAAA,EAAM,KAAA,WAAgB,OAAA;EAvQ/C;;;EAiRA,eAAA,CAAgB,IAAA,EAAM,IAAA,GAAO,OAAA;EA/QxC;;;EAsSW,iBAAA,CAAkB,QAAA,WAAmB,OAAA;EA1Pf;;;EA2QtB,oBAAA,CAAA,GAAwB,OAAA;EA3Q8B;;;EAAA,QA4RrD,uBAAA;EA/PC;;;EAuRF,iBAAA,CAAkB,IAAA,EAAM,IAAA,GAAO,OAAA,CAAQ,YAAA;AAAA;AAAA,cAazC,WAAA,EAAW,WAAoB"}

package/esm/services/auth.service.mjs

@@ -0,0 +1,275 @@
+import { AccessToken } from "../models/access-token/access-token.model.mjs";
+import "../models/access-token/index.mjs";
+import { RefreshToken } from "../models/refresh-token/refresh-token.model.mjs";
+import "../models/refresh-token/index.mjs";
+import { authEvents } from "./auth-events.mjs";
+import { jwt } from "./jwt.mjs";
+import { config, hashPassword, verifyPassword } from "@warlock.js/core";
+import { Random } from "@mongez/reinforcements";
+import ms from "ms";
+
+//#region ../../@warlock.js/auth/src/services/auth.service.ts
+var AuthService = class {
+	/**
+	* Build access token payload from user
+	*/
+	buildAccessTokenPayload(user) {
+		return {
+			id: user.id,
+			userType: user.userType,
+			created_at: Date.now()
+		};
+	}
+	/**
+	* Generate access token for user
+	*/
+	async generateAccessToken(user, payload) {
+		const data = payload || this.buildAccessTokenPayload(user);
+		const expiresInConfig = config.key("auth.jwt.expiresIn");
+		const expiresIn = expiresInConfig ? ms(expiresInConfig) : 3600;
+		const token = await jwt.generate(data, { expiresIn });
+		const decoed = await jwt.verify(token);
+		await AccessToken.create({
+			token,
+			user_id: user.id,
+			user_type: user.userType
+		});
+		return {
+			token,
+			expiresAt: (/* @__PURE__ */ new Date(decoed.exp * 1e3)).toISOString()
+		};
+	}
+	/**
+	* Create refresh token for user
+	*/
+	async createRefreshToken(user, deviceInfo) {
+		if (config.get("auth.jwt.refresh.enabled") === false) return;
+		const familyId = deviceInfo?.familyId || Random.string(32);
+		const payload = {
+			userId: user.id,
+			userType: user.userType,
+			familyId
+		};
+		const expiresIn = ms(config.get("auth.jwt.refresh.expiresIn", "7d"));
+		const token = await jwt.generateRefreshToken(payload, { expiresIn });
+		const expiresAt = new Date(Date.now() + expiresIn).toISOString();
+		await this.enforceMaxRefreshTokens(user);
+		return RefreshToken.create({
+			token,
+			user_id: user.id,
+			user_type: user.userType,
+			family_id: familyId,
+			expires_at: expiresAt,
+			device_info: deviceInfo ? {
+				userAgent: deviceInfo.userAgent,
+				ip: deviceInfo.ip,
+				deviceId: deviceInfo.deviceId
+			} : void 0
+		});
+	}
+	/**
+	* Create both access and refresh tokens
+	*/
+	async createTokenPair(user, deviceInfo) {
+		const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);
+		const refreshToken = await this.createRefreshToken(user, deviceInfo);
+		const tokenPair = {
+			accessToken,
+			refreshToken: refreshToken ? {
+				token: refreshToken.get("token"),
+				expiresAt: refreshToken.get("expires_at")
+			} : void 0
+		};
+		authEvents.emit("token.created", user, tokenPair);
+		if (refreshToken) authEvents.emit("session.created", user, refreshToken, deviceInfo);
+		return tokenPair;
+	}
+	/**
+	* Refresh tokens using a refresh token
+	*/
+	async refreshTokens(refreshTokenString, deviceInfo) {
+		try {
+			const decoded = await jwt.verifyRefreshToken(refreshTokenString);
+			if (!decoded) return null;
+			const refreshToken = await RefreshToken.first({ token: refreshTokenString });
+			if (!refreshToken?.isValid) {
+				if (refreshToken) await this.revokeTokenFamily(refreshToken.get("family_id"));
+				return null;
+			}
+			const UserModel = config.key(`auth.userType.${decoded.userType}`);
+			if (!UserModel) return null;
+			const user = await UserModel.find(decoded.userId);
+			if (!user) return null;
+			if (config.key("auth.jwt.refresh.rotation", true)) await refreshToken.revoke();
+			else await refreshToken.markAsUsed();
+			const newTokenPair = await this.createTokenPair(user, {
+				...deviceInfo,
+				familyId: refreshToken.get("family_id")
+			});
+			authEvents.emit("token.refreshed", user, newTokenPair, refreshToken);
+			return newTokenPair;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Verify password
+	*/
+	async verifyPassword(plainPassword, hashedPassword) {
+		return verifyPassword(plainPassword, hashedPassword);
+	}
+	/**
+	* Hash password
+	*/
+	async hashPassword(password) {
+		return hashPassword(password);
+	}
+	/**
+	* Attempt to login user with given credentials
+	*/
+	async attemptLogin(Model, data) {
+		const { password, ...otherData } = data;
+		authEvents.emit("login.attempt", otherData);
+		const user = await Model.first(otherData);
+		if (!user) {
+			authEvents.emit("login.failed", otherData, "User not found");
+			return null;
+		}
+		if (!await this.verifyPassword(password, user.string("password"))) {
+			authEvents.emit("login.failed", otherData, "Invalid password");
+			return null;
+		}
+		return user;
+	}
+	/**
+	* Full login flow: validate credentials, create tokens, emit events
+	* Returns token pair on success, null on failure
+	*/
+	async login(Model, credentials, deviceInfo) {
+		const user = await this.attemptLogin(Model, credentials);
+		if (!user) return null;
+		if (!config.key("auth.jwt.refresh.enabled", true)) return {
+			user,
+			tokens: { accessToken: await this.generateAccessToken(user, deviceInfo?.payload) }
+		};
+		const tokens = await this.createTokenPair(user, deviceInfo);
+		authEvents.emit("login.success", user, tokens, deviceInfo);
+		return {
+			user,
+			tokens
+		};
+	}
+	/**
+	* Logout user
+	* @param user - The authenticated user
+	* @param accessToken - Optional access token string to revoke
+	* @param refreshToken - Optional refresh token string to revoke
+	* If refresh token is not provided, behavior is determined by config:
+	* - "revoke-all" (default): Revoke ALL refresh tokens for security
+	* - "error": Throw error requiring refresh token
+	*/
+	async logout(user, accessToken, refreshToken) {
+		if (accessToken) await this.removeAccessToken(user, accessToken);
+		if (refreshToken) {
+			const token = await RefreshToken.first({
+				token: refreshToken,
+				userId: user.id
+			});
+			if (token) {
+				await token.revoke();
+				authEvents.emit("session.destroyed", user, token);
+			}
+		} else {
+			if (config.key("auth.jwt.refresh.logoutWithoutToken", "revoke-all") === "error") throw new Error("Refresh token required for logout");
+			await this.revokeAllTokens(user);
+			authEvents.emit("logout.failsafe", user);
+		}
+		authEvents.emit("logout", user);
+	}
+	/**
+	* Remove specific access token
+	*/
+	async removeAccessToken(user, token) {
+		AccessToken.delete({
+			token,
+			userId: user.id
+		});
+	}
+	/**
+	* Remove all access tokens for a user
+	*/
+	async removeAllAccessTokens(user) {
+		AccessToken.delete({ user_id: user.id });
+	}
+	/**
+	* Remove specific refresh token
+	*/
+	async removeRefreshToken(user, token) {
+		RefreshToken.delete({
+			token,
+			userId: user.id
+		});
+	}
+	/**
+	* Revoke all tokens for a user
+	*/
+	async revokeAllTokens(user) {
+		const refreshTokens = await RefreshToken.query().where("user_id", user.id).where("user_type", user.userType).where("revoked_at", null).get();
+		for (const token of refreshTokens) {
+			await token.revoke();
+			authEvents.emit("token.revoked", user, token);
+		}
+		await this.removeAllAccessTokens(user);
+		authEvents.emit("logout.all", user);
+	}
+	/**
+	* Revoke entire token family (for rotation breach detection)
+	*/
+	async revokeTokenFamily(familyId) {
+		const tokens = await RefreshToken.query().where("family_id", familyId).where("revoked_at", null).get();
+		for (const token of tokens) await token.revoke();
+		authEvents.emit("token.familyRevoked", familyId, tokens);
+	}
+	/**
+	* Cleanup expired tokens
+	*/
+	async cleanupExpiredTokens() {
+		const expiredTokens = await RefreshToken.query().where("expires_at", "<", /* @__PURE__ */ new Date()).get();
+		for (const token of expiredTokens) {
+			authEvents.emit("token.expired", token);
+			await token.destroy();
+		}
+		authEvents.emit("cleanup.completed", expiredTokens.length);
+		return expiredTokens.length;
+	}
+	/**
+	* Enforce max refresh tokens per user
+	*/
+	async enforceMaxRefreshTokens(user) {
+		const maxPerUser = config.key("auth.jwt.refresh.maxPerUser", 5);
+		const activeTokens = await RefreshToken.query().where({
+			user_id: user.id,
+			user_type: user.userType,
+			revoked_at: null
+		}).orderBy("created_at", "asc").get();
+		if (activeTokens.length >= maxPerUser) {
+			const tokensToRevoke = activeTokens.slice(0, activeTokens.length - maxPerUser + 1);
+			for (const token of tokensToRevoke) await token.revoke();
+		}
+	}
+	/**
+	* Get active sessions for user
+	*/
+	async getActiveSessions(user) {
+		return RefreshToken.query().where({
+			user_id: user.id,
+			user_type: user.userType,
+			revoked_at: null
+		}).where("expires_at", ">", /* @__PURE__ */ new Date()).orderBy("created_at", "desc").get();
+	}
+};
+const authService = new AuthService();
+
+//#endregion
+export { authService };
+//# sourceMappingURL=auth.service.mjs.map

package/esm/services/auth.service.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.mjs","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/auth.service.ts"],"sourcesContent":["import { Random } from \"@mongez/reinforcements\";\nimport type { ChildModel } from \"@warlock.js/cascade\";\nimport { config, hashPassword, verifyPassword } from \"@warlock.js/core\";\nimport ms from \"ms\";\nimport type { AccessTokenOutput, DeviceInfo, LoginResult, TokenPair } from \"../contracts/types\";\nimport { AccessToken } from \"../models/access-token\";\nimport type { Auth } from \"../models/auth.model\";\nimport { RefreshToken } from \"../models/refresh-token\";\nimport { authEvents } from \"./auth-events\";\nimport { jwt } from \"./jwt\";\n\nclass AuthService {\n  /**\n   * Build access token payload from user\n   */\n  public buildAccessTokenPayload(user: Auth) {\n    return {\n      id: user.id,\n      userType: user.userType,\n      created_at: Date.now(),\n    };\n  }\n\n  /**\n   * Generate access token for user\n   */\n  public async generateAccessToken(user: Auth, payload?: any): Promise<AccessTokenOutput> {\n    const data = payload || this.buildAccessTokenPayload(user);\n    const expiresInConfig = config.key(\"auth.jwt.expiresIn\");\n    const expiresIn = expiresInConfig ? ms(expiresInConfig) : 3_600; // default 1 hour\n\n    // If expiresIn is undefined, token never expires\n    const token = await jwt.generate(data, { expiresIn });\n\n    const decoed = await jwt.verify(token);\n\n    // Store in database\n    await AccessToken.create({\n      token,\n      user_id: user.id,\n      user_type: user.userType,\n    });\n\n    return { token, expiresAt: new Date(decoed.exp * 1_000).toISOString() };\n  }\n\n  /**\n   * Create refresh token for user\n   */\n  public async createRefreshToken(\n    user: Auth,\n    deviceInfo?: DeviceInfo,\n  ): Promise<RefreshToken | undefined> {\n    if (config.get(\"auth.jwt.refresh.enabled\") === false) return;\n\n    const familyId = deviceInfo?.familyId || Random.string(32);\n\n    const payload = {\n      userId: user.id,\n      userType: user.userType,\n      familyId,\n    };\n\n    const epireTime = config.get(\"auth.jwt.refresh.expiresIn\", \"7d\");\n\n    const expiresIn = ms(epireTime);\n\n    const token = await jwt.generateRefreshToken(payload, { expiresIn });\n\n    // Calculate expiration date (undefined means never expires, but we still set a far future date)\n    const expiresAt = new Date(Date.now() + expiresIn).toISOString();\n\n    // Enforce max tokens per user\n    await this.enforceMaxRefreshTokens(user);\n\n    // Store in database\n    return RefreshToken.create({\n      token,\n      user_id: user.id,\n      user_type: user.userType,\n      family_id: familyId,\n      expires_at: expiresAt,\n      device_info: deviceInfo\n        ? {\n            userAgent: deviceInfo.userAgent,\n            ip: deviceInfo.ip,\n            deviceId: deviceInfo.deviceId,\n          }\n        : undefined,\n    });\n  }\n\n  /**\n   * Create both access and refresh tokens\n   */\n  public async createTokenPair(user: Auth, deviceInfo?: DeviceInfo): Promise<TokenPair> {\n    const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);\n    const refreshToken = await this.createRefreshToken(user, deviceInfo);\n\n    const tokenPair: TokenPair = {\n      accessToken,\n      refreshToken: refreshToken\n        ? {\n            token: refreshToken.get(\"token\"),\n            expiresAt: refreshToken.get(\"expires_at\"),\n          }\n        : undefined,\n    };\n\n    // Emit events\n    authEvents.emit(\"token.created\", user, tokenPair);\n\n    if (refreshToken) {\n      authEvents.emit(\"session.created\", user, refreshToken, deviceInfo);\n    }\n\n    return tokenPair;\n  }\n\n  /**\n   * Refresh tokens using a refresh token\n   */\n  public async refreshTokens(\n    refreshTokenString: string,\n    deviceInfo?: DeviceInfo,\n  ): Promise<TokenPair | null> {\n    try {\n      // 1. Verify JWT signature\n      const decoded = await jwt.verifyRefreshToken<{\n        userId: number;\n        userType: string;\n        familyId: string;\n      }>(refreshTokenString);\n\n      if (!decoded) return null;\n\n      // 2. Find token in database\n      const refreshToken = await RefreshToken.first({ token: refreshTokenString });\n\n      if (!refreshToken?.isValid) {\n        // If token was already used (rotation detection), revoke entire family\n        if (refreshToken) {\n          await this.revokeTokenFamily(refreshToken.get(\"family_id\"));\n        }\n        return null;\n      }\n\n      // 3. Get user model and find user\n      const UserModel = config.key(`auth.userType.${decoded.userType}`);\n      if (!UserModel) return null;\n\n      const user = (await UserModel.find(decoded.userId)) as Auth | null;\n      if (!user) return null;\n\n      // 4. Rotate token if enabled (revoke old token)\n      const rotationEnabled = config.key(\"auth.jwt.refresh.rotation\", true);\n      if (rotationEnabled) {\n        await refreshToken.revoke();\n      } else {\n        await refreshToken.markAsUsed();\n      }\n\n      // 5. Generate new token pair (keep same family)\n      const newTokenPair = await this.createTokenPair(user, {\n        ...deviceInfo,\n        familyId: refreshToken.get(\"family_id\"),\n      });\n\n      // Emit token refreshed event\n      authEvents.emit(\"token.refreshed\", user, newTokenPair, refreshToken);\n\n      return newTokenPair;\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Verify password\n   */\n  public async verifyPassword(plainPassword: string, hashedPassword: string): Promise<boolean> {\n    return verifyPassword(plainPassword, hashedPassword);\n  }\n\n  /**\n   * Hash password\n   */\n  public async hashPassword(password: string): Promise<string> {\n    return hashPassword(password);\n  }\n\n  /**\n   * Attempt to login user with given credentials\n   */\n  public async attemptLogin<T extends Auth>(Model: ChildModel<T>, data: any): Promise<T | null> {\n    const { password, ...otherData } = data;\n\n    // Emit login attempt event\n    authEvents.emit(\"login.attempt\", otherData);\n\n    const user = (await Model.first(otherData)) as T | null;\n\n    if (!user) {\n      authEvents.emit(\"login.failed\", otherData, \"User not found\");\n      return null;\n    }\n\n    if (!(await this.verifyPassword(password, user.string(\"password\")!))) {\n      authEvents.emit(\"login.failed\", otherData, \"Invalid password\");\n      return null;\n    }\n\n    return user;\n  }\n\n  /**\n   * Full login flow: validate credentials, create tokens, emit events\n   * Returns token pair on success, null on failure\n   */\n  public async login<T extends Auth>(\n    Model: ChildModel<T>,\n    credentials: any,\n    deviceInfo?: DeviceInfo,\n  ): Promise<LoginResult<T> | null> {\n    const user = await this.attemptLogin(Model, credentials);\n\n    if (!user) {\n      return null;\n    }\n\n    // if no refresh token in config, then return user and access token only\n    if (!config.key(\"auth.jwt.refresh.enabled\", true)) {\n      const accessToken = await this.generateAccessToken(user, deviceInfo?.payload);\n      return { user, tokens: { accessToken } };\n    }\n\n    const tokens = await this.createTokenPair(user, deviceInfo);\n\n    // Emit login success event\n    authEvents.emit(\"login.success\", user, tokens, deviceInfo);\n\n    return { user, tokens } as LoginResult<T>;\n  }\n\n  /**\n   * Logout user\n   * @param user - The authenticated user\n   * @param accessToken - Optional access token string to revoke\n   * @param refreshToken - Optional refresh token string to revoke\n   * If refresh token is not provided, behavior is determined by config:\n   * - \"revoke-all\" (default): Revoke ALL refresh tokens for security\n   * - \"error\": Throw error requiring refresh token\n   */\n  public async logout(user: Auth, accessToken?: string, refreshToken?: string): Promise<void> {\n    // Remove access token if provided\n    if (accessToken) {\n      await this.removeAccessToken(user, accessToken);\n    }\n\n    if (refreshToken) {\n      // Revoke specific refresh token\n      const token = await RefreshToken.first({\n        token: refreshToken,\n        userId: user.id, // Security: ensure token belongs to this user\n      });\n\n      if (token) {\n        await token.revoke();\n        authEvents.emit(\"session.destroyed\", user, token);\n      }\n    } else {\n      // No refresh token provided - check configured behavior\n      const behavior = config.key(\"auth.jwt.refresh.logoutWithoutToken\", \"revoke-all\") as\n        | \"revoke-all\"\n        | \"error\";\n\n      if (behavior === \"error\") {\n        throw new Error(\"Refresh token required for logout\");\n      }\n\n      // Default: revoke-all (fail-safe)\n      await this.revokeAllTokens(user);\n      authEvents.emit(\"logout.failsafe\", user);\n    }\n\n    // Emit logout event\n    authEvents.emit(\"logout\", user);\n  }\n\n  /**\n   * Remove specific access token\n   */\n  public async removeAccessToken(user: Auth, token: string): Promise<void> {\n    AccessToken.delete({\n      token,\n      userId: user.id,\n    });\n  }\n\n  /**\n   * Remove all access tokens for a user\n   */\n  public async removeAllAccessTokens(user: Auth): Promise<void> {\n    // Delete access token\n    AccessToken.delete({\n      user_id: user.id,\n    });\n  }\n\n  /**\n   * Remove specific refresh token\n   */\n  public async removeRefreshToken(user: Auth, token: string): Promise<void> {\n    RefreshToken.delete({\n      token,\n      userId: user.id,\n    });\n  }\n\n  /**\n   * Revoke all tokens for a user\n   */\n  public async revokeAllTokens(user: Auth): Promise<void> {\n    // Revoke all refresh tokens\n    const refreshTokens = await RefreshToken.query()\n      .where(\"user_id\", user.id)\n      .where(\"user_type\", user.userType)\n      .where(\"revoked_at\", null)\n      .get();\n\n    for (const token of refreshTokens) {\n      await token.revoke();\n      authEvents.emit(\"token.revoked\", user, token);\n    }\n\n    // Delete all access tokens\n    await this.removeAllAccessTokens(user);\n\n    // Emit logout all event\n    authEvents.emit(\"logout.all\", user);\n  }\n\n  /**\n   * Revoke entire token family (for rotation breach detection)\n   */\n  public async revokeTokenFamily(familyId: string): Promise<void> {\n    const tokens = await RefreshToken.query()\n      .where(\"family_id\", familyId)\n      .where(\"revoked_at\", null)\n      .get();\n\n    for (const token of tokens) {\n      await token.revoke();\n    }\n\n    // Emit family revoked event\n    authEvents.emit(\"token.familyRevoked\", familyId, tokens);\n  }\n\n  /**\n   * Cleanup expired tokens\n   */\n  public async cleanupExpiredTokens(): Promise<number> {\n    const expiredTokens = await RefreshToken.query().where(\"expires_at\", \"<\", new Date()).get();\n\n    for (const token of expiredTokens) {\n      authEvents.emit(\"token.expired\", token);\n      await token.destroy();\n    }\n\n    // Emit cleanup completed event\n    authEvents.emit(\"cleanup.completed\", expiredTokens.length);\n\n    return expiredTokens.length;\n  }\n\n  /**\n   * Enforce max refresh tokens per user\n   */\n  private async enforceMaxRefreshTokens(user: Auth): Promise<void> {\n    const maxPerUser = config.key(\"auth.jwt.refresh.maxPerUser\", 5);\n\n    const activeTokens = await RefreshToken.query()\n      .where({\n        user_id: user.id,\n        user_type: user.userType,\n        revoked_at: null,\n      })\n      .orderBy(\"created_at\", \"asc\")\n      .get();\n\n    // Revoke oldest tokens if exceeding limit\n    if (activeTokens.length >= maxPerUser) {\n      const tokensToRevoke = activeTokens.slice(0, activeTokens.length - maxPerUser + 1);\n      for (const token of tokensToRevoke) {\n        await token.revoke();\n      }\n    }\n  }\n\n  /**\n   * Get active sessions for user\n   */\n  public async getActiveSessions(user: Auth): Promise<RefreshToken[]> {\n    return RefreshToken.query()\n      .where({\n        user_id: user.id,\n        user_type: user.userType,\n        revoked_at: null,\n      })\n      .where(\"expires_at\", \">\", new Date())\n      .orderBy(\"created_at\", \"desc\")\n      .get();\n  }\n}\n\nexport const authService = new AuthService();\n"],"mappings":";;;;;;;;;;;AAWA,IAAM,cAAN,MAAkB;;;;CAIhB,AAAO,wBAAwB,MAAY;EACzC,OAAO;GACL,IAAI,KAAK;GACT,UAAU,KAAK;GACf,YAAY,KAAK,IAAI;EACvB;CACF;;;;CAKA,MAAa,oBAAoB,MAAY,SAA2C;EACtF,MAAM,OAAO,WAAW,KAAK,wBAAwB,IAAI;EACzD,MAAM,kBAAkB,OAAO,IAAI,oBAAoB;EACvD,MAAM,YAAY,kBAAkB,GAAG,eAAe,IAAI;EAG1D,MAAM,QAAQ,MAAM,IAAI,SAAS,MAAM,EAAE,UAAU,CAAC;EAEpD,MAAM,SAAS,MAAM,IAAI,OAAO,KAAK;EAGrC,MAAM,YAAY,OAAO;GACvB;GACA,SAAS,KAAK;GACd,WAAW,KAAK;EAClB,CAAC;EAED,OAAO;GAAE;GAAO,4BAAW,IAAI,KAAK,OAAO,MAAM,GAAK,GAAE,YAAY;EAAE;CACxE;;;;CAKA,MAAa,mBACX,MACA,YACmC;EACnC,IAAI,OAAO,IAAI,0BAA0B,MAAM,OAAO;EAEtD,MAAM,WAAW,YAAY,YAAY,OAAO,OAAO,EAAE;EAEzD,MAAM,UAAU;GACd,QAAQ,KAAK;GACb,UAAU,KAAK;GACf;EACF;EAIA,MAAM,YAAY,GAFA,OAAO,IAAI,8BAA8B,IAE9B,CAAC;EAE9B,MAAM,QAAQ,MAAM,IAAI,qBAAqB,SAAS,EAAE,UAAU,CAAC;EAGnE,MAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,SAAS,EAAE,YAAY;EAG/D,MAAM,KAAK,wBAAwB,IAAI;EAGvC,OAAO,aAAa,OAAO;GACzB;GACA,SAAS,KAAK;GACd,WAAW,KAAK;GAChB,WAAW;GACX,YAAY;GACZ,aAAa,aACT;IACE,WAAW,WAAW;IACtB,IAAI,WAAW;IACf,UAAU,WAAW;GACvB,IACA;EACN,CAAC;CACH;;;;CAKA,MAAa,gBAAgB,MAAY,YAA6C;EACpF,MAAM,cAAc,MAAM,KAAK,oBAAoB,MAAM,YAAY,OAAO;EAC5E,MAAM,eAAe,MAAM,KAAK,mBAAmB,MAAM,UAAU;EAEnE,MAAM,YAAuB;GAC3B;GACA,cAAc,eACV;IACE,OAAO,aAAa,IAAI,OAAO;IAC/B,WAAW,aAAa,IAAI,YAAY;GAC1C,IACA;EACN;EAGA,WAAW,KAAK,iBAAiB,MAAM,SAAS;EAEhD,IAAI,cACF,WAAW,KAAK,mBAAmB,MAAM,cAAc,UAAU;EAGnE,OAAO;CACT;;;;CAKA,MAAa,cACX,oBACA,YAC2B;EAC3B,IAAI;GAEF,MAAM,UAAU,MAAM,IAAI,mBAIvB,kBAAkB;GAErB,IAAI,CAAC,SAAS,OAAO;GAGrB,MAAM,eAAe,MAAM,aAAa,MAAM,EAAE,OAAO,mBAAmB,CAAC;GAE3E,IAAI,CAAC,cAAc,SAAS;IAE1B,IAAI,cACF,MAAM,KAAK,kBAAkB,aAAa,IAAI,WAAW,CAAC;IAE5D,OAAO;GACT;GAGA,MAAM,YAAY,OAAO,IAAI,iBAAiB,QAAQ,UAAU;GAChE,IAAI,CAAC,WAAW,OAAO;GAEvB,MAAM,OAAQ,MAAM,UAAU,KAAK,QAAQ,MAAM;GACjD,IAAI,CAAC,MAAM,OAAO;GAIlB,IADwB,OAAO,IAAI,6BAA6B,IAC9C,GAChB,MAAM,aAAa,OAAO;QAE1B,MAAM,aAAa,WAAW;GAIhC,MAAM,eAAe,MAAM,KAAK,gBAAgB,MAAM;IACpD,GAAG;IACH,UAAU,aAAa,IAAI,WAAW;GACxC,CAAC;GAGD,WAAW,KAAK,mBAAmB,MAAM,cAAc,YAAY;GAEnE,OAAO;EACT,QAAQ;GACN,OAAO;EACT;CACF;;;;CAKA,MAAa,eAAe,eAAuB,gBAA0C;EAC3F,OAAO,eAAe,eAAe,cAAc;CACrD;;;;CAKA,MAAa,aAAa,UAAmC;EAC3D,OAAO,aAAa,QAAQ;CAC9B;;;;CAKA,MAAa,aAA6B,OAAsB,MAA8B;EAC5F,MAAM,EAAE,UAAU,GAAG,cAAc;EAGnC,WAAW,KAAK,iBAAiB,SAAS;EAE1C,MAAM,OAAQ,MAAM,MAAM,MAAM,SAAS;EAEzC,IAAI,CAAC,MAAM;GACT,WAAW,KAAK,gBAAgB,WAAW,gBAAgB;GAC3D,OAAO;EACT;EAEA,IAAI,CAAE,MAAM,KAAK,eAAe,UAAU,KAAK,OAAO,UAAU,CAAE,GAAI;GACpE,WAAW,KAAK,gBAAgB,WAAW,kBAAkB;GAC7D,OAAO;EACT;EAEA,OAAO;CACT;;;;;CAMA,MAAa,MACX,OACA,aACA,YACgC;EAChC,MAAM,OAAO,MAAM,KAAK,aAAa,OAAO,WAAW;EAEvD,IAAI,CAAC,MACH,OAAO;EAIT,IAAI,CAAC,OAAO,IAAI,4BAA4B,IAAI,GAE9C,OAAO;GAAE;GAAM,QAAQ,EAAE,mBADC,KAAK,oBAAoB,MAAM,YAAY,OAAO,EACvC;EAAE;EAGzC,MAAM,SAAS,MAAM,KAAK,gBAAgB,MAAM,UAAU;EAG1D,WAAW,KAAK,iBAAiB,MAAM,QAAQ,UAAU;EAEzD,OAAO;GAAE;GAAM;EAAO;CACxB;;;;;;;;;;CAWA,MAAa,OAAO,MAAY,aAAsB,cAAsC;EAE1F,IAAI,aACF,MAAM,KAAK,kBAAkB,MAAM,WAAW;EAGhD,IAAI,cAAc;GAEhB,MAAM,QAAQ,MAAM,aAAa,MAAM;IACrC,OAAO;IACP,QAAQ,KAAK;GACf,CAAC;GAED,IAAI,OAAO;IACT,MAAM,MAAM,OAAO;IACnB,WAAW,KAAK,qBAAqB,MAAM,KAAK;GAClD;EACF,OAAO;GAML,IAJiB,OAAO,IAAI,uCAAuC,YAIxD,MAAM,SACf,MAAM,IAAI,MAAM,mCAAmC;GAIrD,MAAM,KAAK,gBAAgB,IAAI;GAC/B,WAAW,KAAK,mBAAmB,IAAI;EACzC;EAGA,WAAW,KAAK,UAAU,IAAI;CAChC;;;;CAKA,MAAa,kBAAkB,MAAY,OAA8B;EACvE,YAAY,OAAO;GACjB;GACA,QAAQ,KAAK;EACf,CAAC;CACH;;;;CAKA,MAAa,sBAAsB,MAA2B;EAE5D,YAAY,OAAO,EACjB,SAAS,KAAK,GAChB,CAAC;CACH;;;;CAKA,MAAa,mBAAmB,MAAY,OAA8B;EACxE,aAAa,OAAO;GAClB;GACA,QAAQ,KAAK;EACf,CAAC;CACH;;;;CAKA,MAAa,gBAAgB,MAA2B;EAEtD,MAAM,gBAAgB,MAAM,aAAa,MAAM,EAC5C,MAAM,WAAW,KAAK,EAAE,EACxB,MAAM,aAAa,KAAK,QAAQ,EAChC,MAAM,cAAc,IAAI,EACxB,IAAI;EAEP,KAAK,MAAM,SAAS,eAAe;GACjC,MAAM,MAAM,OAAO;GACnB,WAAW,KAAK,iBAAiB,MAAM,KAAK;EAC9C;EAGA,MAAM,KAAK,sBAAsB,IAAI;EAGrC,WAAW,KAAK,cAAc,IAAI;CACpC;;;;CAKA,MAAa,kBAAkB,UAAiC;EAC9D,MAAM,SAAS,MAAM,aAAa,MAAM,EACrC,MAAM,aAAa,QAAQ,EAC3B,MAAM,cAAc,IAAI,EACxB,IAAI;EAEP,KAAK,MAAM,SAAS,QAClB,MAAM,MAAM,OAAO;EAIrB,WAAW,KAAK,uBAAuB,UAAU,MAAM;CACzD;;;;CAKA,MAAa,uBAAwC;EACnD,MAAM,gBAAgB,MAAM,aAAa,MAAM,EAAE,MAAM,cAAc,qBAAK,IAAI,KAAK,CAAC,EAAE,IAAI;EAE1F,KAAK,MAAM,SAAS,eAAe;GACjC,WAAW,KAAK,iBAAiB,KAAK;GACtC,MAAM,MAAM,QAAQ;EACtB;EAGA,WAAW,KAAK,qBAAqB,cAAc,MAAM;EAEzD,OAAO,cAAc;CACvB;;;;CAKA,MAAc,wBAAwB,MAA2B;EAC/D,MAAM,aAAa,OAAO,IAAI,+BAA+B,CAAC;EAE9D,MAAM,eAAe,MAAM,aAAa,MAAM,EAC3C,MAAM;GACL,SAAS,KAAK;GACd,WAAW,KAAK;GAChB,YAAY;EACd,CAAC,EACA,QAAQ,cAAc,KAAK,EAC3B,IAAI;EAGP,IAAI,aAAa,UAAU,YAAY;GACrC,MAAM,iBAAiB,aAAa,MAAM,GAAG,aAAa,SAAS,aAAa,CAAC;GACjF,KAAK,MAAM,SAAS,gBAClB,MAAM,MAAM,OAAO;EAEvB;CACF;;;;CAKA,MAAa,kBAAkB,MAAqC;EAClE,OAAO,aAAa,MAAM,EACvB,MAAM;GACL,SAAS,KAAK;GACd,WAAW,KAAK;GAChB,YAAY;EACd,CAAC,EACA,MAAM,cAAc,qBAAK,IAAI,KAAK,CAAC,EACnC,QAAQ,cAAc,MAAM,EAC5B,IAAI;CACT;AACF;AAEA,MAAa,cAAc,IAAI,YAAY"}

package/esm/services/generate-jwt-secret.d.mts

@@ -0,0 +1,5 @@
+//#region ../../@warlock.js/auth/src/services/generate-jwt-secret.d.ts
+declare function generateJWTSecret(): Promise<void>;
+//#endregion
+export { generateJWTSecret };
+//# sourceMappingURL=generate-jwt-secret.d.mts.map

package/esm/services/generate-jwt-secret.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-jwt-secret.d.mts","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/generate-jwt-secret.ts"],"mappings":";iBAKsB,iBAAA,CAAA,GAAiB,OAAA"}

package/esm/services/generate-jwt-secret.mjs

@@ -0,0 +1,48 @@
+import { environment, rootPath } from "@warlock.js/core";
+import { Random } from "@mongez/reinforcements";
+import { fileExistsAsync, getFileAsync, putFileAsync } from "@warlock.js/fs";
+import { log } from "@warlock.js/logger";
+
+//#region ../../@warlock.js/auth/src/services/generate-jwt-secret.ts
+async function generateJWTSecret() {
+	let envFile = rootPath(".env");
+	log.info("jwt", "generating", "Generating JWT secrets");
+	const environmentMode = environment();
+	if (!await fileExistsAsync(envFile)) envFile = rootPath(environmentMode === "production" ? ".env.production" : ".env.development");
+	if (!await fileExistsAsync(envFile)) {
+		log.error("jwt", "error", ".env file not found");
+		return;
+	}
+	let contents = await getFileAsync(envFile);
+	const hasJwtSecret = contents.includes("JWT_SECRET");
+	const hasJwtRefreshSecret = contents.includes("JWT_REFRESH_SECRET");
+	if (hasJwtSecret && hasJwtRefreshSecret) {
+		log.warn("jwt", "exists", "JWT secrets already exist in the .env file.");
+		return;
+	}
+	let secretsToAdd = "";
+	if (!hasJwtSecret) {
+		const jwtSecret = Random.string(32);
+		secretsToAdd += `
+# JWT Secret
+JWT_SECRET=${jwtSecret}
+`;
+		log.success("jwt", "generated", "JWT_SECRET generated and added to the .env file.");
+	} else log.info("jwt", "exists", "JWT_SECRET already exists in the .env file.");
+	if (!hasJwtRefreshSecret) {
+		const jwtRefreshSecret = Random.string(32);
+		secretsToAdd += `
+# JWT Refresh Secret
+JWT_REFRESH_SECRET=${jwtRefreshSecret}
+`;
+		log.success("jwt", "generated", "JWT_REFRESH_SECRET generated and added to the .env file.");
+	} else log.info("jwt", "exists", "JWT_REFRESH_SECRET already exists in the .env file.");
+	if (secretsToAdd) {
+		contents += secretsToAdd;
+		await putFileAsync(envFile, contents);
+	}
+}
+
+//#endregion
+export { generateJWTSecret };
+//# sourceMappingURL=generate-jwt-secret.mjs.map

package/esm/services/generate-jwt-secret.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-jwt-secret.mjs","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/generate-jwt-secret.ts"],"sourcesContent":["import { fileExistsAsync, getFileAsync, putFileAsync } from \"@warlock.js/fs\";\r\nimport { Random } from \"@mongez/reinforcements\";\r\nimport { environment, rootPath } from \"@warlock.js/core\";\r\nimport { log } from \"@warlock.js/logger\";\r\n\r\nexport async function generateJWTSecret() {\r\n  let envFile = rootPath(\".env\");\r\n\r\n  log.info(\"jwt\", \"generating\", \"Generating JWT secrets\");\r\n\r\n  const environmentMode = environment();\r\n\r\n  if (!(await fileExistsAsync(envFile))) {\r\n    const envFileType = environmentMode === \"production\" ? \".env.production\" : \".env.development\";\r\n    envFile = rootPath(envFileType);\r\n  }\r\n\r\n  if (!(await fileExistsAsync(envFile))) {\r\n    log.error(\"jwt\", \"error\", \".env file not found\");\r\n    return;\r\n  }\r\n\r\n  let contents = await getFileAsync(envFile);\r\n\r\n  const hasJwtSecret = contents.includes(\"JWT_SECRET\");\r\n  const hasJwtRefreshSecret = contents.includes(\"JWT_REFRESH_SECRET\");\r\n\r\n  if (hasJwtSecret && hasJwtRefreshSecret) {\r\n    log.warn(\"jwt\", \"exists\", \"JWT secrets already exist in the .env file.\");\r\n    return;\r\n  }\r\n\r\n  let secretsToAdd = \"\";\r\n\r\n  if (!hasJwtSecret) {\r\n    const jwtSecret = Random.string(32);\r\n    secretsToAdd += `\r\n# JWT Secret\r\nJWT_SECRET=${jwtSecret}\r\n`;\r\n    log.success(\"jwt\", \"generated\", \"JWT_SECRET generated and added to the .env file.\");\r\n  } else {\r\n    log.info(\"jwt\", \"exists\", \"JWT_SECRET already exists in the .env file.\");\r\n  }\r\n\r\n  if (!hasJwtRefreshSecret) {\r\n    const jwtRefreshSecret = Random.string(32);\r\n    secretsToAdd += `\r\n# JWT Refresh Secret\r\nJWT_REFRESH_SECRET=${jwtRefreshSecret}\r\n`;\r\n    log.success(\"jwt\", \"generated\", \"JWT_REFRESH_SECRET generated and added to the .env file.\");\r\n  } else {\r\n    log.info(\"jwt\", \"exists\", \"JWT_REFRESH_SECRET already exists in the .env file.\");\r\n  }\r\n\r\n  if (secretsToAdd) {\r\n    contents += secretsToAdd;\r\n    await putFileAsync(envFile, contents);\r\n  }\r\n}\r\n"],"mappings":";;;;;;AAKA,eAAsB,oBAAoB;CACxC,IAAI,UAAU,SAAS,MAAM;CAE7B,IAAI,KAAK,OAAO,cAAc,wBAAwB;CAEtD,MAAM,kBAAkB,YAAY;CAEpC,IAAI,CAAE,MAAM,gBAAgB,OAAO,GAEjC,UAAU,SADU,oBAAoB,eAAe,oBAAoB,kBAC7C;CAGhC,IAAI,CAAE,MAAM,gBAAgB,OAAO,GAAI;EACrC,IAAI,MAAM,OAAO,SAAS,qBAAqB;EAC/C;CACF;CAEA,IAAI,WAAW,MAAM,aAAa,OAAO;CAEzC,MAAM,eAAe,SAAS,SAAS,YAAY;CACnD,MAAM,sBAAsB,SAAS,SAAS,oBAAoB;CAElE,IAAI,gBAAgB,qBAAqB;EACvC,IAAI,KAAK,OAAO,UAAU,6CAA6C;EACvE;CACF;CAEA,IAAI,eAAe;CAEnB,IAAI,CAAC,cAAc;EACjB,MAAM,YAAY,OAAO,OAAO,EAAE;EAClC,gBAAgB;;aAEP,UAAU;;EAEnB,IAAI,QAAQ,OAAO,aAAa,kDAAkD;CACpF,OACE,IAAI,KAAK,OAAO,UAAU,6CAA6C;CAGzE,IAAI,CAAC,qBAAqB;EACxB,MAAM,mBAAmB,OAAO,OAAO,EAAE;EACzC,gBAAgB;;qBAEC,iBAAiB;;EAElC,IAAI,QAAQ,OAAO,aAAa,0DAA0D;CAC5F,OACE,IAAI,KAAK,OAAO,UAAU,qDAAqD;CAGjF,IAAI,cAAc;EAChB,YAAY;EACZ,MAAM,aAAa,SAAS,QAAQ;CACtC;AACF"}

package/esm/services/index.d.mts

@@ -0,0 +1,4 @@
+import { AuthEventCallback, AuthEventName, AuthEventPayloads, authEvents } from "./auth-events.mjs";
+import { authService } from "./auth.service.mjs";
+import { generateJWTSecret } from "./generate-jwt-secret.mjs";
+import { jwt } from "./jwt.mjs";

package/esm/services/index.mjs

@@ -0,0 +1,6 @@
+import { authEvents } from "./auth-events.mjs";
+import { jwt } from "./jwt.mjs";
+import { authService } from "./auth.service.mjs";
+import { generateJWTSecret } from "./generate-jwt-secret.mjs";
+
+export {  };

package/esm/services/jwt.d.mts

@@ -0,0 +1,52 @@
+import { SignerOptions, VerifierOptions } from "fast-jwt";
+
+//#region ../../@warlock.js/auth/src/services/jwt.d.ts
+declare const jwt: {
+  /**
+   * Generate a new JWT token for the user.
+   * @param payload The payload to encode in the JWT token.
+   */
+  generate(payload: any, {
+    key,
+    algorithm,
+    ...options
+  }?: SignerOptions & {
+    key?: string;
+  }): Promise<string>;
+  /**
+   * Verify the given token.
+   * @param token The JWT token to verify.
+   * @returns The decoded token payload if verification is successful.
+   */
+  verify<T = any>(token: string, {
+    key,
+    algorithms,
+    ...options
+  }?: VerifierOptions & {
+    key?: string;
+  }): Promise<T>;
+  /**
+   * Generate a new refresh token for the user.
+   */
+  generateRefreshToken(payload: any, {
+    key,
+    expiresIn,
+    algorithm,
+    ...options
+  }?: SignerOptions & {
+    key?: string;
+  }): Promise<string>;
+  /**
+   * Verify the given refresh token.
+   */
+  verifyRefreshToken<T = any>(token: string, {
+    key,
+    algorithms,
+    ...options
+  }?: VerifierOptions & {
+    key?: string;
+  }): Promise<T>;
+};
+//#endregion
+export { jwt };
+//# sourceMappingURL=jwt.d.mts.map

package/esm/services/jwt.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.mts","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/jwt.ts"],"mappings":";;;cA0Ba,GAAA;;AAAb;;;;IAMgB,GAAA;IAAA,SAAA;IAAA,GAAA;EAAA,IAKT,aAAA;IAAkB,GAAA;EAAA,IACpB,OAAA;EAAA;;;;;kBAaW,KAAA;IACC,GAAA;IAAA,UAAA;IAAA,GAAA;EAAA,IAKV,eAAA;IAAoB,GAAA;EAAA,IACtB,OAAA,CAAQ,CAAA;EAUG;;;;IAAA,GAAA;IAAA,SAAA;IAAA,SAAA;IAAA,GAAA;EAAA,IAMT,aAAA;IAAkB,GAAA;EAAA,IACpB,OAAA;EAeQ;;;8BAPe,KAAA;IACX,GAAA;IAAA,UAAA;IAAA,GAAA;EAAA,IAKV,eAAA;IAAoB,GAAA;EAAA,IACtB,OAAA,CAAQ,CAAA;AAAA"}

package/esm/services/jwt.mjs

@@ -0,0 +1,58 @@
+import { config } from "@warlock.js/core";
+import ms from "ms";
+import { createSigner, createVerifier } from "fast-jwt";
+
+//#region ../../@warlock.js/auth/src/services/jwt.ts
+const getSecretKey = () => config.key("auth.jwt.secret");
+const getAlgorithm = () => config.key("auth.jwt.algorithm", "HS256");
+const getRefreshSecretKey = () => config.key("auth.jwt.refresh.secret") || getSecretKey();
+const jwt = {
+	/**
+	* Generate a new JWT token for the user.
+	* @param payload The payload to encode in the JWT token.
+	*/
+	async generate(payload, { key = getSecretKey(), algorithm = getAlgorithm(), ...options } = {}) {
+		return await createSigner({
+			key,
+			...options,
+			algorithm
+		})({ ...payload });
+	},
+	/**
+	* Verify the given token.
+	* @param token The JWT token to verify.
+	* @returns The decoded token payload if verification is successful.
+	*/
+	async verify(token, { key = getSecretKey(), algorithms = getAlgorithm() ? [getAlgorithm()] : void 0, ...options } = {}) {
+		return await createVerifier({
+			key,
+			...options,
+			algorithms
+		})(token);
+	},
+	/**
+	* Generate a new refresh token for the user.
+	*/
+	async generateRefreshToken(payload, { key = getRefreshSecretKey(), expiresIn, algorithm = getAlgorithm(), ...options } = {}) {
+		return createSigner({
+			key,
+			expiresIn,
+			algorithm,
+			...options
+		})({ ...payload });
+	},
+	/**
+	* Verify the given refresh token.
+	*/
+	async verifyRefreshToken(token, { key = getRefreshSecretKey(), algorithms = [getAlgorithm()], ...options } = {}) {
+		return await createVerifier({
+			key,
+			algorithms,
+			...options
+		})(token);
+	}
+};
+
+//#endregion
+export { jwt };
+//# sourceMappingURL=jwt.mjs.map

package/esm/services/jwt.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.mjs","names":[],"sources":["../../../../../../@warlock.js/auth/src/services/jwt.ts"],"sourcesContent":["import { config } from \"@warlock.js/core\";\r\nimport {\r\n  createSigner,\r\n  createVerifier,\r\n  type Algorithm,\r\n  type SignerOptions,\r\n  type VerifierOptions,\r\n} from \"fast-jwt\";\r\nimport ms from \"ms\";\r\n\r\nconst getSecretKey = () => config.key(\"auth.jwt.secret\") as string;\r\nconst getAlgorithm = () => config.key(\"auth.jwt.algorithm\", \"HS256\") as Algorithm;\r\n\r\n// Refresh tokens may declare their own secret. When `auth.jwt.refresh.secret`\r\n// is unset/empty we fall back to the main JWT secret, matching the documented\r\n// optional behavior in `contracts/types.ts`.\r\nconst getRefreshSecretKey = () =>\r\n  (config.key(\"auth.jwt.refresh.secret\") || getSecretKey()) as string;\r\n// Refresh token validity — defaults to 7d when not configured. Opt in to\r\n// no-expiry semantics with `NO_EXPIRATION` (100y) from `contracts/types.ts`.\r\nconst getRefreshTokenValidity = () => {\r\n  const expiresIn = config.key(\"auth.jwt.refresh.expiresIn\") || \"7d\";\r\n\r\n  return ms(expiresIn);\r\n};\r\n\r\nexport const jwt = {\r\n  /**\r\n   * Generate a new JWT token for the user.\r\n   * @param payload The payload to encode in the JWT token.\r\n   */\r\n  async generate(\r\n    payload: any,\r\n    {\r\n      key = getSecretKey(),\r\n      algorithm = getAlgorithm(),\r\n      ...options\r\n    }: SignerOptions & { key?: string } = {},\r\n  ): Promise<string> {\r\n    // Create a signer function with predefined options\r\n    const sign = createSigner({ key, ...options, algorithm });\r\n\r\n    const token = await sign({ ...payload });\r\n    return token;\r\n  },\r\n\r\n  /**\r\n   * Verify the given token.\r\n   * @param token The JWT token to verify.\r\n   * @returns The decoded token payload if verification is successful.\r\n   */\r\n  async verify<T = any>(\r\n    token: string,\r\n    {\r\n      key = getSecretKey(),\r\n      algorithms = getAlgorithm() ? [getAlgorithm()] : undefined,\r\n      ...options\r\n    }: VerifierOptions & { key?: string } = {},\r\n  ): Promise<T> {\r\n    const verify = createVerifier({ key, ...options, algorithms });\r\n\r\n    return await verify(token as string);\r\n  },\r\n\r\n  /**\r\n   * Generate a new refresh token for the user.\r\n   */\r\n  async generateRefreshToken(\r\n    payload: any,\r\n    {\r\n      key = getRefreshSecretKey(),\r\n      expiresIn,\r\n      algorithm = getAlgorithm(),\r\n      ...options\r\n    }: SignerOptions & { key?: string } = {},\r\n  ): Promise<string> {\r\n    const sign = createSigner({ key, expiresIn, algorithm, ...options });\r\n    return sign({ ...payload });\r\n  },\r\n\r\n  /**\r\n   * Verify the given refresh token.\r\n   */\r\n  async verifyRefreshToken<T = any>(\r\n    token: string,\r\n    {\r\n      key = getRefreshSecretKey(),\r\n      algorithms = [getAlgorithm()],\r\n      ...options\r\n    }: VerifierOptions & { key?: string } = {},\r\n  ): Promise<T> {\r\n    const verify = createVerifier({ key, algorithms, ...options });\r\n    return await verify(token);\r\n  },\r\n};\r\n"],"mappings":";;;;;AAUA,MAAM,qBAAqB,OAAO,IAAI,iBAAiB;AACvD,MAAM,qBAAqB,OAAO,IAAI,sBAAsB,OAAO;AAKnE,MAAM,4BACH,OAAO,IAAI,yBAAyB,KAAK,aAAa;AASzD,MAAa,MAAM;;;;;CAKjB,MAAM,SACJ,SACA,EACE,MAAM,aAAa,GACnB,YAAY,aAAa,GACzB,GAAG,YACiC,CAAC,GACtB;EAKjB,OAAO,MAHM,aAAa;GAAE;GAAK,GAAG;GAAS;EAAU,CAEhC,EAAE,EAAE,GAAG,QAAQ,CAAC;CAEzC;;;;;;CAOA,MAAM,OACJ,OACA,EACE,MAAM,aAAa,GACnB,aAAa,aAAa,IAAI,CAAC,aAAa,CAAC,IAAI,QACjD,GAAG,YACmC,CAAC,GAC7B;EAGZ,OAAO,MAFQ,eAAe;GAAE;GAAK,GAAG;GAAS;EAAW,CAE1C,EAAE,KAAe;CACrC;;;;CAKA,MAAM,qBACJ,SACA,EACE,MAAM,oBAAoB,GAC1B,WACA,YAAY,aAAa,GACzB,GAAG,YACiC,CAAC,GACtB;EAEjB,OADa,aAAa;GAAE;GAAK;GAAW;GAAW,GAAG;EAAQ,CACxD,EAAE,EAAE,GAAG,QAAQ,CAAC;CAC5B;;;;CAKA,MAAM,mBACJ,OACA,EACE,MAAM,oBAAoB,GAC1B,aAAa,CAAC,aAAa,CAAC,GAC5B,GAAG,YACmC,CAAC,GAC7B;EAEZ,OAAO,MADQ,eAAe;GAAE;GAAK;GAAY,GAAG;EAAQ,CAC1C,EAAE,KAAK;CAC3B;AACF"}

package/esm/utils/auth-error-codes.d.mts

@@ -0,0 +1,23 @@
+//#region ../../@warlock.js/auth/src/utils/auth-error-codes.d.ts
+declare enum AuthErrorCodes {
+  /**
+   * Missing Access Token Error Code EC001
+   * EC001 = Missing Access Token
+   */
+  MissingAccessToken = "EC001",
+  // Error Code 001
+  /**
+   * Invalid Access Token Error Code EC002
+   * EC002 = Invalid Access Token
+   */
+  InvalidAccessToken = "EC002",
+  // Error Code 002
+  /**
+   * Unauthorized Error Code EC003
+   * EC003 = Unauthorized
+   */
+  Unauthorized = "EC003"
+}
+//#endregion
+export { AuthErrorCodes };
+//# sourceMappingURL=auth-error-codes.d.mts.map

package/esm/utils/auth-error-codes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-error-codes.d.mts","names":[],"sources":["../../../../../../@warlock.js/auth/src/utils/auth-error-codes.ts"],"mappings":";aAAY,cAAA;EAAA;;;;EAKV,kBAAA;EAAA;EAKA;;;AAKY;EALZ,kBAAA;EAAA;;;;;EAKA,YAAA;AAAA"}