alepha 0.13.0 → 0.13.1

package/dist/server-auth/index.d.cts

@@ -1,1164 +0,0 @@
-import * as alepha304 from "alepha";
-import { Alepha, Async, Descriptor, KIND, Static, TSchema } from "alepha";
-import { AccessTokenResponse, RealmDescriptor, SecurityProvider, ServiceAccountDescriptor, UserAccount, UserAccountToken } from "alepha/security";
-import { DateTimeProvider, DurationLike } from "alepha/datetime";
-import { Configuration } from "openid-client";
-import * as alepha_logger2 from "alepha/logger";
-import * as alepha_server6 from "alepha/server";
-import { ActionDescriptor, ClientRequestEntry, ClientRequestOptions, ClientRequestResponse, FetchOptions, FetchResponse, HttpClient, RequestConfigSchema, ServerHandler, ServerRequest, ServerRequestConfigEntry, ServerResponseBody, ServerRouterProvider, ServerTimingProvider } from "alepha/server";
-import * as alepha_retry0 from "alepha/retry";
-
-//#region src/server-cookies/services/CookieParser.d.ts
-declare class CookieParser {
-  parseRequestCookies(header: string): Record<string, string>;
-  serializeResponseCookies(cookies: Record<string, Cookie | null>, isHttps: boolean): string[];
-  cookieToString(name: string, cookie: Cookie, isHttps?: boolean): string;
-}
-//#endregion
-//#region src/server-cookies/providers/ServerCookiesProvider.d.ts
-declare class ServerCookiesProvider {
-  protected readonly alepha: Alepha;
-  protected readonly log: alepha_logger2.Logger;
-  protected readonly cookieParser: CookieParser;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly env: {
-    APP_SECRET: string;
-  };
-  protected readonly ALGORITHM = "aes-256-gcm";
-  protected readonly IV_LENGTH = 16;
-  protected readonly AUTH_TAG_LENGTH = 16;
-  protected readonly SIGNATURE_LENGTH = 32;
-  readonly onRequest: alepha304.HookDescriptor<"server:onRequest">;
-  readonly onAction: alepha304.HookDescriptor<"action:onRequest">;
-  readonly onSend: alepha304.HookDescriptor<"server:onSend">;
-  protected getCookiesFromContext(cookies?: Cookies): Cookies;
-  getCookie<T extends TSchema>(name: string, options: CookieDescriptorOptions<T>, contextCookies?: Cookies): Static<T> | undefined;
-  setCookie<T extends TSchema>(name: string, options: CookieDescriptorOptions<T>, data: Static<T>, contextCookies?: Cookies): void;
-  deleteCookie<T extends TSchema>(name: string, contextCookies?: Cookies): void;
-  protected encrypt(text: string): string;
-  protected decrypt(encryptedText: string): string;
-  secretKey(): string;
-  protected sign(data: string): string;
-}
-//#endregion
-//#region src/server-cookies/descriptors/$cookie.d.ts
-interface CookieDescriptorOptions<T extends TSchema> {
-  /** The schema for the cookie's value, used for validation and type safety. */
-  schema: T;
-  /** The name of the cookie. */
-  name?: string;
-  /** The cookie's path. Defaults to "/". */
-  path?: string;
-  /** Time-to-live for the cookie. Maps to `Max-Age`. */
-  ttl?: DurationLike;
-  /** If true, the cookie is only sent over HTTPS. Defaults to true in production. */
-  secure?: boolean;
-  /** If true, the cookie cannot be accessed by client-side scripts. */
-  httpOnly?: boolean;
-  /** SameSite policy for the cookie. Defaults to "lax". */
-  sameSite?: "strict" | "lax" | "none";
-  /** The domain for the cookie. */
-  domain?: string;
-  /** If true, the cookie value will be compressed using zlib. */
-  compress?: boolean;
-  /** If true, the cookie value will be encrypted. Requires `COOKIE_SECRET` env var. */
-  encrypt?: boolean;
-  /** If true, the cookie will be signed to prevent tampering. Requires `COOKIE_SECRET` env var. */
-  sign?: boolean;
-}
-interface AbstractCookieDescriptor<T extends TSchema> {
-  readonly name: string;
-  readonly options: CookieDescriptorOptions<T>;
-  set(value: Static<T>, options?: {
-    cookies?: Cookies;
-    ttl?: DurationLike;
-  }): void;
-  get(options?: {
-    cookies?: Cookies;
-  }): Static<T> | undefined;
-  del(options?: {
-    cookies?: Cookies;
-  }): void;
-}
-interface Cookies {
-  req: Record<string, string>;
-  res: Record<string, Cookie | null>;
-}
-interface Cookie {
-  value: string;
-  path?: string;
-  maxAge?: number;
-  secure?: boolean;
-  httpOnly?: boolean;
-  sameSite?: "strict" | "lax" | "none";
-  domain?: string;
-}
-//#endregion
-//#region src/server-cookies/index.d.ts
-declare module "alepha/server" {
-  interface ServerRequest {
-    cookies: Cookies;
-  }
-}
-/**
- * Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
- *
- * The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
- * It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
- * for managing user sessions, preferences, and authentication tokens.
- *
- * @see {@link $cookie}
- * @module alepha.server.cookies
- */
-//#endregion
-//#region src/server-security/providers/ServerBasicAuthProvider.d.ts
-interface BasicAuthOptions {
-  username: string;
-  password: string;
-}
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.d.ts
-type ServerRouteSecure = {
-  realm?: string;
-  basic?: BasicAuthOptions;
-};
-//#endregion
-//#region src/server-security/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * Real (or fake) user account, used for internal actions.
-     *
-     * If you define this, you assume that all actions are executed by this user by default.
-     * > To force a different user, you need to pass it explicitly in the options.
-     */
-    "alepha.server.security.system.user"?: UserAccountToken;
-    /**
-     * The authenticated user account attached to the server request state.
-     *
-     * @internal
-     */
-    "alepha.server.request.user"?: UserAccount;
-  }
-}
-declare module "alepha/server" {
-  interface ServerRequest<TConfig> {
-    user?: UserAccountToken;
-  }
-  interface ServerActionRequest<TConfig> {
-    user: UserAccountToken;
-  }
-  interface ServerRoute {
-    /**
-     * If true, the route will be protected by the security provider.
-     * All actions are secure by default, but you can disable it for specific actions.
-     */
-    secure?: boolean | ServerRouteSecure;
-  }
-  interface ClientRequestOptions extends FetchOptions {
-    /**
-     * Forward user from the previous request.
-     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
-     * If "context", use the user from the current context (e.g. request).
-     *
-     * @default "system" if provided, else "context" if available.
-     */
-    user?: UserAccountToken | "system" | "context";
-  }
-}
-/**
- * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
- *
- * By default, all $action will be guarded by a permission check.
- *
- * @see {@link ServerSecurityProvider}
- * @module alepha.server.security
- */
-//#endregion
-//#region src/server-links/schemas/apiLinksResponseSchema.d.ts
-declare const apiLinkSchema: alepha304.TObject<{
-  name: alepha304.TString;
-  group: alepha304.TOptional<alepha304.TString>;
-  path: alepha304.TString;
-  method: alepha304.TOptional<alepha304.TString>;
-  requestBodyType: alepha304.TOptional<alepha304.TString>;
-  service: alepha304.TOptional<alepha304.TString>;
-}>;
-declare const apiLinksResponseSchema: alepha304.TObject<{
-  prefix: alepha304.TOptional<alepha304.TString>;
-  links: alepha304.TArray<alepha304.TObject<{
-    name: alepha304.TString;
-    group: alepha304.TOptional<alepha304.TString>;
-    path: alepha304.TString;
-    method: alepha304.TOptional<alepha304.TString>;
-    requestBodyType: alepha304.TOptional<alepha304.TString>;
-    service: alepha304.TOptional<alepha304.TString>;
-  }>>;
-}>;
-type ApiLinksResponse = Static<typeof apiLinksResponseSchema>;
-type ApiLink = Static<typeof apiLinkSchema>;
-//#endregion
-//#region src/server-links/providers/LinkProvider.d.ts
-/**
- * Browser, SSR friendly, service to handle links.
- */
-declare class LinkProvider {
-  static path: {
-    apiLinks: string;
-    apiSchema: string;
-  };
-  protected readonly log: alepha_logger2.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly httpClient: HttpClient;
-  protected serverLinks: Array<HttpClientLink>;
-  /**
-   * Get applicative links registered on the server.
-   * This does not include lazy-loaded remote links.
-   */
-  getServerLinks(): HttpClientLink[];
-  /**
-   * Register a new link for the application.
-   */
-  registerLink(link: HttpClientLink): void;
-  get links(): HttpClientLink[];
-  /**
-   * Force browser to refresh links from the server.
-   */
-  fetchLinks(): Promise<HttpClientLink[]>;
-  /**
-   * Create a virtual client that can be used to call actions.
-   *
-   * Use js Proxy under the hood.
-   */
-  client<T extends object>(scope?: ClientScope): HttpVirtualClient<T>;
-  /**
-   * Check if a link with the given name exists.
-   * @param name
-   */
-  can(name: string): boolean;
-  /**
-   * Resolve a link by its name and call it.
-   * - If link is local, it will call the local handler.
-   * - If link is remote, it will make a fetch request to the remote server.
-   */
-  follow(name: string, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions & ClientScope): Promise<any>;
-  protected createVirtualAction<T extends RequestConfigSchema>(name: string, scope?: ClientScope): VirtualAction<T>;
-  protected followRemote(link: HttpClientLink, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions): Promise<FetchResponse>;
-  protected getLinkByName(name: string, options?: ClientScope): Promise<HttpClientLink>;
-}
-interface HttpClientLink extends ApiLink {
-  secured?: boolean | ServerRouteSecure;
-  prefix?: string;
-  host?: string;
-  service?: string;
-  schema?: RequestConfigSchema;
-  handler?: (request: ServerRequest, options: ClientRequestOptions) => Async<ServerResponseBody>;
-}
-interface ClientScope {
-  group?: string;
-  service?: string;
-  hostname?: string;
-}
-type HttpVirtualClient<T> = { [K in keyof T as T[K] extends ActionDescriptor<RequestConfigSchema> ? K : never]: T[K] extends ActionDescriptor<infer Schema> ? VirtualAction<Schema> : never };
-interface VirtualAction<T extends RequestConfigSchema> extends Pick<ActionDescriptor<T>, "name" | "run" | "fetch"> {
-  (config?: ClientRequestEntry<T>, opts?: ClientRequestOptions): Promise<ClientRequestResponse<T>>;
-  can: () => boolean;
-}
-//#endregion
-//#region src/server-proxy/descriptors/$proxy.d.ts
-type ProxyDescriptorOptions = {
-  /**
-   * Path pattern to match for proxying requests.
-   *
-   * Supports wildcards and path parameters:
-   * - `/api/*` - Matches all paths starting with `/api/`
-   * - `/api/v1/*` - Matches all paths starting with `/api/v1/`
-   * - `/users/:id` - Matches `/users/123`, `/users/abc`, etc.
-   *
-   * @example "/api/*"
-   * @example "/secure/admin/*"
-   * @example "/users/:id/posts"
-   */
-  path: string;
-  /**
-   * Target URL to which matching requests should be forwarded.
-   *
-   * Can be either:
-   * - **Static string**: A fixed URL like `"https://api.example.com"`
-   * - **Dynamic function**: A function that returns the URL, enabling runtime target resolution
-   *
-   * The target URL will be combined with the remaining path from the original request.
-   *
-   * @example "https://api.example.com"
-   * @example () => process.env.API_URL || "http://localhost:3001"
-   */
-  target: string | (() => string);
-  /**
-   * Whether this proxy is disabled.
-   *
-   * When `true`, requests matching the path will not be proxied and will be handled
-   * by other routes or return 404. Useful for feature toggles or conditional proxying.
-   *
-   * @default false
-   * @example !process.env.ENABLE_PROXY
-   */
-  disabled?: boolean;
-  /**
-   * Hook called before forwarding the request to the target server.
-   *
-   * Use this to:
-   * - Add authentication headers
-   * - Modify request headers or body
-   * - Add request tracking/logging
-   * - Transform the request before forwarding
-   *
-   * @param request - The original incoming server request
-   * @param proxyRequest - The request that will be sent to the target (modifiable)
-   *
-   * @example
-   * ```ts
-   * beforeRequest: async (request, proxyRequest) => {
-   *   proxyRequest.headers = {
-   *     ...proxyRequest.headers,
-   *     'Authorization': `Bearer ${await getToken()}`,
-   *     'X-Request-ID': generateRequestId()
-   *   };
-   * }
-   * ```
-   */
-  beforeRequest?: (request: ServerRequest, proxyRequest: RequestInit) => Async<void>;
-  /**
-   * Hook called after receiving the response from the target server.
-   *
-   * Use this to:
-   * - Log response details for monitoring
-   * - Add custom headers to the response
-   * - Transform response data
-   * - Handle error responses
-   *
-   * @param request - The original incoming server request
-   * @param proxyResponse - The response received from the target server
-   *
-   * @example
-   * ```ts
-   * afterResponse: async (request, proxyResponse) => {
-   *   console.log(`Proxy ${request.method} ${request.url} -> ${proxyResponse.status}`);
-   *
-   *   if (!proxyResponse.ok) {
-   *     await logError(`Proxy error: ${proxyResponse.status}`, { request, response: proxyResponse });
-   *   }
-   * }
-   * ```
-   */
-  afterResponse?: (request: ServerRequest, proxyResponse: Response) => Async<void>;
-  /**
-   * Function to rewrite the URL before sending to the target server.
-   *
-   * Use this to:
-   * - Remove or add path prefixes
-   * - Transform path parameters
-   * - Modify query parameters
-   * - Change the URL structure entirely
-   *
-   * The function receives a mutable URL object and should modify it in-place.
-   *
-   * @param url - The URL object to modify (mutable)
-   *
-   * @example
-   * ```ts
-   * // Remove /api prefix when forwarding
-   * rewrite: (url) => {
-   *   url.pathname = url.pathname.replace('/api', '');
-   * }
-   * ```
-   *
-   * @example
-   * ```ts
-   * // Add version prefix
-   * rewrite: (url) => {
-   *   url.pathname = `/v2${url.pathname}`;
-   * }
-   * ```
-   */
-  rewrite?: (url: URL) => void;
-};
-//#endregion
-//#region src/server-proxy/providers/ServerProxyProvider.d.ts
-declare class ServerProxyProvider {
-  protected readonly log: alepha_logger2.Logger;
-  protected readonly routerProvider: ServerRouterProvider;
-  protected readonly alepha: Alepha;
-  protected readonly configure: alepha304.HookDescriptor<"configure">;
-  createProxy(options: ProxyDescriptorOptions): void;
-  createProxyHandler(target: string, options: Omit<ProxyDescriptorOptions, "path">): ServerHandler;
-  private getRawRequestBody;
-}
-//#endregion
-//#region src/server-links/descriptors/$remote.d.ts
-interface RemoteDescriptorOptions {
-  /**
-   * The URL of the remote service.
-   * You can use a function to generate the URL dynamically.
-   * You probably should use $env(env) to get the URL from the environment.
-   *
-   * @example
-   * ```ts
-   * import { $remote } from "alepha/server";
-   * import { $inject, t } from "alepha";
-   *
-   * class App {
-   *   env = $env(t.object({
-   *     REMOTE_URL: t.text({default: "http://localhost:3000"}),
-   *   }));
-   *   remote = $remote({
-   *     url: this.env.REMOTE_URL,
-   *   });
-   * }
-   * ```
-   */
-  url: string | (() => string);
-  /**
-   * The name of the remote service.
-   *
-   * @default Member of the class containing the remote service.
-   */
-  name?: string;
-  /**
-   * If true, all methods of the remote service will be exposed as actions in this context.
-   * > Note: Proxy will never use the service account, it just... proxies the request.
-   */
-  proxy?: boolean | Partial<ProxyDescriptorOptions & {
-    /**
-     * If true, the remote service won't be available internally, only through the proxy.
-     */
-    noInternal: boolean;
-  }>;
-  /**
-   * For communication between the server and the remote service with a security layer.
-   * This will be used for internal communication and will not be exposed to the client.
-   */
-  serviceAccount?: ServiceAccountDescriptor;
-}
-declare class RemoteDescriptor extends Descriptor<RemoteDescriptorOptions> {
-  get name(): string;
-}
-//#endregion
-//#region src/server-links/providers/RemoteDescriptorProvider.d.ts
-declare class RemoteDescriptorProvider {
-  protected readonly env: {
-    SERVER_API_PREFIX: string;
-  };
-  protected readonly alepha: Alepha;
-  protected readonly proxyProvider: ServerProxyProvider;
-  protected readonly linkProvider: LinkProvider;
-  protected readonly remotes: Array<ServerRemote>;
-  protected readonly log: alepha_logger2.Logger;
-  getRemotes(): ServerRemote[];
-  readonly configure: alepha304.HookDescriptor<"configure">;
-  readonly start: alepha304.HookDescriptor<"start">;
-  registerRemote(value: RemoteDescriptor): Promise<void>;
-  protected readonly fetchLinks: alepha_retry0.RetryDescriptorFn<(opts: FetchLinksOptions) => Promise<ApiLinksResponse>>;
-}
-interface FetchLinksOptions {
-  /**
-   * Name of the remote service.
-   */
-  service: string;
-  /**
-   * URL to fetch links from.
-   */
-  url: string;
-  /**
-   * Authorization header containing access token.
-   */
-  authorization?: string;
-}
-interface ServerRemote {
-  /**
-   * URL of the remote service.
-   */
-  url: string;
-  /**
-   * Name of the remote service.
-   */
-  name: string;
-  /**
-   * Expose links as endpoint. It's not only internal.
-   */
-  proxy: boolean;
-  /**
-   * It's only used inside the application.
-   */
-  internal: boolean;
-  /**
-   * Links fetcher.
-   */
-  links: (args: {
-    authorization?: string;
-  }) => Promise<ApiLinksResponse>;
-  /**
-   * Fetches schema for the remote service.
-   */
-  schema: (args: {
-    name: string;
-    authorization?: string;
-  }) => Promise<any>;
-  /**
-   * Force a default access token provider when not provided.
-   */
-  serviceAccount?: ServiceAccountDescriptor;
-  /**
-   * Prefix for the remote service links.
-   */
-  prefix: string;
-}
-//#endregion
-//#region src/server-links/providers/ServerLinksProvider.d.ts
-declare class ServerLinksProvider {
-  protected readonly env: {
-    SERVER_API_PREFIX: string;
-  };
-  protected readonly alepha: Alepha;
-  protected readonly linkProvider: LinkProvider;
-  protected readonly remoteProvider: RemoteDescriptorProvider;
-  protected readonly serverTimingProvider: ServerTimingProvider;
-  get prefix(): string;
-  readonly onRoute: alepha304.HookDescriptor<"configure">;
-  /**
-   * First API - Get all API links for the user.
-   *
-   * This is based on the user's permissions.
-   */
-  readonly links: alepha_server6.RouteDescriptor<{
-    response: alepha304.TObject<{
-      prefix: alepha304.TOptional<alepha304.TString>;
-      links: alepha304.TArray<alepha304.TObject<{
-        name: alepha304.TString;
-        group: alepha304.TOptional<alepha304.TString>;
-        path: alepha304.TString;
-        method: alepha304.TOptional<alepha304.TString>;
-        requestBodyType: alepha304.TOptional<alepha304.TString>;
-        service: alepha304.TOptional<alepha304.TString>;
-      }>>;
-    }>;
-  }>;
-  /**
-   * Second API - Get schema for a specific API link.
-   *
-   * Note: Body/Response schema are not included in `links` API because it's TOO BIG.
-   * I mean for 150+ links, you got 50ms of serialization time.
-   */
-  readonly schema: alepha_server6.RouteDescriptor<{
-    params: alepha304.TObject<{
-      name: alepha304.TString;
-    }>;
-    response: alepha304.TRecord<string, alepha304.TAny>;
-  }>;
-  getSchemaByName(name: string, options?: GetApiLinksOptions): Promise<RequestConfigSchema>;
-  /**
-   * Retrieves API links for the user based on their permissions.
-   * Will check on local links and remote links.
-   */
-  getUserApiLinks(options: GetApiLinksOptions): Promise<ApiLinksResponse>;
-}
-interface GetApiLinksOptions {
-  user?: UserAccountToken;
-  authorization?: string;
-}
-//#endregion
-//#region src/server-links/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * API links attached to the server request state.
-     *
-     * @see {@link ApiLinksResponse}
-     * @internal
-     */
-    "alepha.server.request.apiLinks"?: ApiLinksResponse;
-  }
-}
-/**
- * Provides server-side link management and remote capabilities for client-server interactions.
- *
- * The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
- * facilitating seamless API endpoint management and client-server communication. It integrates with server
- * security features to ensure safe and controlled access to resources.
- *
- * @see {@link $remote}
- * @see {@link $client}
- * @module alepha.server.links
- */
-//#endregion
-//#region src/server-auth/schemas/authenticationProviderSchema.d.ts
-declare const authenticationProviderSchema: alepha304.TObject<{
-  name: alepha304.TString;
-  type: alepha304.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
-}>;
-type AuthenticationProvider = Static<typeof authenticationProviderSchema>;
-//#endregion
-//#region src/server-auth/schemas/tokensSchema.d.ts
-declare const tokensSchema: alepha304.TObject<{
-  provider: alepha304.TString;
-  access_token: alepha304.TString;
-  issued_at: alepha304.TNumber;
-  expires_in: alepha304.TOptional<alepha304.TNumber>;
-  refresh_token: alepha304.TOptional<alepha304.TString>;
-  refresh_token_expires_in: alepha304.TOptional<alepha304.TNumber>;
-  refresh_expires_in: alepha304.TOptional<alepha304.TNumber>;
-  id_token: alepha304.TOptional<alepha304.TString>;
-  scope: alepha304.TOptional<alepha304.TString>;
-}>;
-type Tokens = Static<typeof tokensSchema>;
-//#endregion
-//#region src/server-auth/providers/ServerAuthProvider.d.ts
-declare class ServerAuthProvider {
-  protected readonly log: alepha_logger2.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly serverCookiesProvider: ServerCookiesProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly serverLinksProvider: ServerLinksProvider;
-  protected readonly authorizationCode: AbstractCookieDescriptor<alepha304.TObject<{
-    provider: alepha304.TString;
-    codeVerifier: alepha304.TOptional<alepha304.TString>;
-    redirectUri: alepha304.TOptional<alepha304.TString>;
-    state: alepha304.TOptional<alepha304.TString>;
-    nonce: alepha304.TOptional<alepha304.TString>;
-  }>>;
-  readonly tokens: AbstractCookieDescriptor<alepha304.TObject<{
-    provider: alepha304.TString;
-    access_token: alepha304.TString;
-    issued_at: alepha304.TNumber;
-    expires_in: alepha304.TOptional<alepha304.TNumber>;
-    refresh_token: alepha304.TOptional<alepha304.TString>;
-    refresh_token_expires_in: alepha304.TOptional<alepha304.TNumber>;
-    refresh_expires_in: alepha304.TOptional<alepha304.TNumber>;
-    id_token: alepha304.TOptional<alepha304.TString>;
-    scope: alepha304.TOptional<alepha304.TString>;
-  }>>;
-  get identities(): Array<AuthDescriptor>;
-  getAuthenticationProviders(filters?: {
-    realmName?: string;
-  }): AuthenticationProvider[];
-  protected readonly configure: alepha304.HookDescriptor<"configure">;
-  protected getAccessTokens(tokens: Tokens): string | undefined;
-  /**
-   * Fill request headers with access token from cookies or fallback to provider's fallback function.
-   */
-  protected readonly onRequest: alepha304.HookDescriptor<"server:onRequest">;
-  /**
-   * Convert cookies to tokens.
-   * If the tokens are expired, try to refresh them using the refresh token.
-   */
-  protected cookiesToTokens(cookies: Cookies): Promise<Tokens | undefined>;
-  protected refreshTokens(tokens: Tokens): Promise<Tokens | undefined>;
-  /**
-   * Get user information.
-   */
-  readonly userinfo: alepha_server6.RouteDescriptor<{
-    response: alepha304.TObject<{
-      user: alepha304.TOptional<alepha304.TObject<{
-        id: alepha304.TString;
-        name: alepha304.TOptional<alepha304.TString>;
-        email: alepha304.TOptional<alepha304.TString>;
-        username: alepha304.TOptional<alepha304.TString>;
-        picture: alepha304.TOptional<alepha304.TString>;
-        sessionId: alepha304.TOptional<alepha304.TString>;
-        organizations: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-        roles: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-      }>>;
-      api: alepha304.TObject<{
-        prefix: alepha304.TOptional<alepha304.TString>;
-        links: alepha304.TArray<alepha304.TObject<{
-          name: alepha304.TString;
-          group: alepha304.TOptional<alepha304.TString>;
-          path: alepha304.TString;
-          method: alepha304.TOptional<alepha304.TString>;
-          requestBodyType: alepha304.TOptional<alepha304.TString>;
-          service: alepha304.TOptional<alepha304.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
-  /**
-   * Refresh a token for internal providers.
-   */
-  readonly refresh: alepha_server6.RouteDescriptor<{
-    query: alepha304.TObject<{
-      provider: alepha304.TString;
-    }>;
-    body: alepha304.TObject<{
-      refresh_token: alepha304.TString;
-      access_token: alepha304.TOptional<alepha304.TString>;
-    }>;
-    response: alepha304.TObject<{
-      provider: alepha304.TString;
-      access_token: alepha304.TString;
-      issued_at: alepha304.TNumber;
-      expires_in: alepha304.TOptional<alepha304.TNumber>;
-      refresh_token: alepha304.TOptional<alepha304.TString>;
-      refresh_token_expires_in: alepha304.TOptional<alepha304.TNumber>;
-      refresh_expires_in: alepha304.TOptional<alepha304.TNumber>;
-      id_token: alepha304.TOptional<alepha304.TString>;
-      scope: alepha304.TOptional<alepha304.TString>;
-    }>;
-  }>;
-  /**
-   * Login for local password-based authentication.
-   */
-  readonly token: alepha_server6.RouteDescriptor<{
-    query: alepha304.TObject<{
-      provider: alepha304.TString;
-    }>;
-    body: alepha304.TObject<{
-      username: alepha304.TString;
-      password: alepha304.TString;
-    }>;
-    response: alepha304.TObject<{
-      provider: alepha304.TString;
-      access_token: alepha304.TString;
-      issued_at: alepha304.TNumber;
-      expires_in: alepha304.TOptional<alepha304.TNumber>;
-      refresh_token: alepha304.TOptional<alepha304.TString>;
-      refresh_token_expires_in: alepha304.TOptional<alepha304.TNumber>;
-      refresh_expires_in: alepha304.TOptional<alepha304.TNumber>;
-      id_token: alepha304.TOptional<alepha304.TString>;
-      scope: alepha304.TOptional<alepha304.TString>;
-      user: alepha304.TObject<{
-        id: alepha304.TString;
-        name: alepha304.TOptional<alepha304.TString>;
-        email: alepha304.TOptional<alepha304.TString>;
-        username: alepha304.TOptional<alepha304.TString>;
-        picture: alepha304.TOptional<alepha304.TString>;
-        sessionId: alepha304.TOptional<alepha304.TString>;
-        organizations: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-        roles: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-      }>;
-      api: alepha304.TObject<{
-        prefix: alepha304.TOptional<alepha304.TString>;
-        links: alepha304.TArray<alepha304.TObject<{
-          name: alepha304.TString;
-          group: alepha304.TOptional<alepha304.TString>;
-          path: alepha304.TString;
-          method: alepha304.TOptional<alepha304.TString>;
-          requestBodyType: alepha304.TOptional<alepha304.TString>;
-          service: alepha304.TOptional<alepha304.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
-  /**
-   * Oauth2/OIDC login route.
-   */
-  readonly login: alepha_server6.RouteDescriptor<{
-    query: alepha304.TObject<{
-      provider: alepha304.TString;
-      redirect_uri: alepha304.TOptional<alepha304.TString>;
-    }>;
-  }>;
-  /**
-   * Callback for OAuth2/OIDC providers.
-   * It handles the authorization code flow and retrieves the access token.
-   */
-  readonly callback: alepha_server6.RouteDescriptor<alepha_server6.RequestConfigSchema>;
-  /**
-   * Logout route for OAuth2/OIDC providers.
-   */
-  readonly logout: alepha_server6.RouteDescriptor<{
-    query: alepha304.TObject<{
-      post_logout_redirect_uri: alepha304.TOptional<alepha304.TString>;
-    }>;
-  }>;
-  protected provider(opts: string | {
-    provider: string;
-  }): AuthDescriptor;
-  protected setTokens(tokens: Tokens, cookies?: Cookies): void;
-}
-interface OAuth2Profile {
-  sub: string;
-  email?: string;
-  name?: string;
-  given_name?: string;
-  family_name?: string;
-  middle_name?: string;
-  nickname?: string;
-  preferred_username?: string;
-  profile?: string;
-  picture?: string;
-  website?: string;
-  email_verified?: boolean;
-  gender?: string;
-  birthdate?: string;
-  zoneinfo?: string;
-  locale?: string;
-  phone_number?: string;
-  phone_number_verified?: boolean;
-  address?: {
-    formatted?: string;
-    street_address?: string;
-    locality?: string;
-    region?: string;
-    postal_code?: string;
-    country?: string;
-  };
-  updated_at?: number;
-  [key: string]: unknown;
-}
-//#endregion
-//#region src/server-auth/descriptors/$auth.d.ts
-/**
- * Creates an authentication provider descriptor for handling user login flows.
- *
- * Supports multiple authentication strategies: credentials (username/password), OAuth2,
- * and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
- * integration with both external identity providers (Auth0, Keycloak) and internal realms.
- *
- * **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
- *
- * @example
- * ```ts
- * class AuthProviders {
- *   // Internal credentials-based auth
- *   credentials = $auth({
- *     realm: this.userRealm,
- *     credentials: {
- *       account: async ({ username, password }) => {
- *         return await this.validateUser(username, password);
- *       }
- *     }
- *   });
- *
- *   // External OIDC provider
- *   keycloak = $auth({
- *     oidc: {
- *       issuer: "https://auth.example.com",
- *       clientId: "my-app",
- *       clientSecret: "secret",
- *       redirectUri: "/auth/callback"
- *     }
- *   });
- * }
- * ```
- */
-declare const $auth: {
-  (options: AuthDescriptorOptions): AuthDescriptor;
-  [KIND]: typeof AuthDescriptor;
-};
-type AuthDescriptorOptions = {
-  /**
-   * Name of the identity provider.
-   * If not provided, it will be derived from the property key.
-   */
-  name?: string;
-  /**
-   * If true, auth provider will be skipped.
-   */
-  disabled?: boolean;
-} & (AuthExternal | AuthInternal);
-/**
- * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)
- */
-type AuthExternal = {
-  /**
-   * Only OIDC is supported for external authentication.
-   */
-  oidc: OidcOptions;
-  /**
-   * For anonymous access, this will expect a service account access token.
-   *
-   * ```ts
-   * class App {
-   *   anonymous = $serviceAccount(...);
-   *   auth = $auth({
-   *     // ... config ...
-   *     fallback: this.anonymous,
-   *   })
-   * }
-   * ```
-   */
-  fallback?: () => Async<AccessToken>;
-};
-/**
- * When using your own authentication system, e.g. using a database to store user accounts.
- * This is usually used with a custom login form.
- *
- * This relies on the `realm`, which is used to create/verify the access token.
- */
-type AuthInternal = {
-  realm: RealmDescriptor;
-} & ({
-  /**
-   * The common username/password authentication.
-   *
-   * - It uses the OAuth2 Client Credentials flow to obtain an access token.
-   *
-   * This is usually used with a custom login form on your website or mobile app.
-   */
-  credentials: CredentialsOptions;
-} | {
-  /**
-   * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
-   *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-   *
-   * This is usually used with a login button that redirects to the OAuth2 provider.
-   */
-  oauth: OAuth2Options;
-} | {
-  /**
-   * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
-   * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
-   *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-   * - PCKE (Proof Key for Code Exchange) is recommended for security.
-   *
-   * This is usually used with a login button that redirects to the OIDC provider.
-   */
-  oidc: OidcOptions;
-});
-type CredentialsOptions = {
-  account: CredentialsFn;
-};
-type CredentialsFn = (credentials: Credentials) => Async<UserAccount | undefined>;
-interface Credentials {
-  username: string;
-  password: string;
-}
-interface OidcOptions {
-  /**
-   * URL of the OIDC issuer.
-   */
-  issuer: string;
-  /**
-   * Client ID for the OIDC client.
-   */
-  clientId: string;
-  /**
-   * Client secret for the OIDC client.
-   * Optional if PKCE (Proof Key for Code Exchange) is used.
-   */
-  clientSecret?: string;
-  /**
-   * Redirect URI for the OIDC client.
-   * This is where the user will be redirected after authentication.
-   */
-  redirectUri?: string;
-  /**
-   * For external auth providers only.
-   * Take the ID token instead of the access token for validation.
-   */
-  useIdToken?: boolean;
-  /**
-   * URI to redirect the user after logout.
-   */
-  logoutUri?: string;
-  /**
-   * Optional scope for the OIDC client.
-   * @default "openid profile email".
-   */
-  scope?: string;
-  account?: LinkAccountFn;
-}
-interface LinkAccountOptions {
-  access_token: string;
-  user: OAuth2Profile;
-  id_token?: string;
-  expires_in?: number;
-  scope?: string;
-}
-type LinkAccountFn = (tokens: LinkAccountOptions) => Async<UserAccount>;
-interface OAuth2Options {
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  clientId: string;
-  /**
-   * Client secret for the OAuth2 client.
-   */
-  clientSecret: string;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  authorization: string;
-  /**
-   * URL of the OAuth2 token endpoint.
-   */
-  token: string;
-  /**
-   * Function to retrieve user profile information from the OAuth2 tokens.
-   */
-  userinfo: (tokens: Tokens) => Async<OAuth2Profile>;
-  account?: LinkAccountFn;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  redirectUri?: string;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  scope?: string;
-}
-declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
-  protected readonly securityProvider: SecurityProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  oauth?: Configuration;
-  get name(): string;
-  get jwks_uri(): string;
-  get scope(): string | undefined;
-  get redirect_uri(): string | undefined;
-  /**
-   * Refreshes the access token using the refresh token.
-   * Can be used on oauth2, oidc or credentials auth providers.
-   */
-  refresh(refreshToken: string, accessToken?: string): Promise<AccessTokenResponse>;
-  /**
-   * Extracts user information from the access token.
-   * This is used to create a user account from the access token.
-   */
-  user(tokens: Tokens): Promise<UserAccount>;
-  protected getUserFromIdToken(idToken: string): OAuth2Profile;
-  prepare(): Promise<void>;
-}
-type AccessToken = string | {
-  token: () => Async<string>;
-};
-interface WithLinkFn {
-  link?: (name: string) => (opts: LinkAccountOptions) => Async<UserAccount>;
-}
-interface WithLoginFn {
-  login?: (provider: string) => (creds: Credentials) => Async<UserAccount | undefined>;
-}
-//#endregion
-//#region src/server-auth/descriptors/$authCredentials.d.ts
-/**
- * Already configured Credentials authentication descriptor.
- *
- * Uses username and password to authenticate users.
- */
-declare const $authCredentials: (realm: RealmDescriptor & WithLoginFn, options?: Partial<CredentialsOptions>) => AuthDescriptor;
-//#endregion
-//#region src/server-auth/descriptors/$authGithub.d.ts
-/**
- * Already configured GitHub authentication descriptor.
- *
- * Uses OAuth2 to authenticate users via their GitHub accounts.
- * Upon successful authentication, it links the GitHub account to a user session.
- *
- * Environment Variables:
- * - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
- * - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
- */
-declare const $authGithub: (realm: RealmDescriptor & WithLinkFn, options?: Partial<OidcOptions>) => AuthDescriptor;
-//#endregion
-//#region src/server-auth/descriptors/$authGoogle.d.ts
-/**
- * Already configured Google authentication descriptor.
- *
- * Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
- * Upon successful authentication, it links the Google account to a user session.
- *
- * Environment Variables:
- * - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
- * - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
- */
-declare const $authGoogle: (realm: RealmDescriptor & WithLinkFn, options?: Partial<OidcOptions>) => AuthDescriptor;
-//#endregion
-//#region src/server-auth/constants/routes.d.ts
-declare const alephaServerAuthRoutes: {
-  login: string;
-  callback: string;
-  logout: string;
-  token: string;
-  refresh: string;
-  userinfo: string;
-};
-//#endregion
-//#region src/server-auth/schemas/tokenResponseSchema.d.ts
-declare const tokenResponseSchema: alepha304.TObject<{
-  provider: alepha304.TString;
-  access_token: alepha304.TString;
-  issued_at: alepha304.TNumber;
-  expires_in: alepha304.TOptional<alepha304.TNumber>;
-  refresh_token: alepha304.TOptional<alepha304.TString>;
-  refresh_token_expires_in: alepha304.TOptional<alepha304.TNumber>;
-  refresh_expires_in: alepha304.TOptional<alepha304.TNumber>;
-  id_token: alepha304.TOptional<alepha304.TString>;
-  scope: alepha304.TOptional<alepha304.TString>;
-  user: alepha304.TObject<{
-    id: alepha304.TString;
-    name: alepha304.TOptional<alepha304.TString>;
-    email: alepha304.TOptional<alepha304.TString>;
-    username: alepha304.TOptional<alepha304.TString>;
-    picture: alepha304.TOptional<alepha304.TString>;
-    sessionId: alepha304.TOptional<alepha304.TString>;
-    organizations: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-    roles: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-  }>;
-  api: alepha304.TObject<{
-    prefix: alepha304.TOptional<alepha304.TString>;
-    links: alepha304.TArray<alepha304.TObject<{
-      name: alepha304.TString;
-      group: alepha304.TOptional<alepha304.TString>;
-      path: alepha304.TString;
-      method: alepha304.TOptional<alepha304.TString>;
-      requestBodyType: alepha304.TOptional<alepha304.TString>;
-      service: alepha304.TOptional<alepha304.TString>;
-    }>>;
-  }>;
-}>;
-type TokenResponse = Static<typeof tokenResponseSchema>;
-//#endregion
-//#region src/server-auth/schemas/userinfoResponseSchema.d.ts
-declare const userinfoResponseSchema: alepha304.TObject<{
-  user: alepha304.TOptional<alepha304.TObject<{
-    id: alepha304.TString;
-    name: alepha304.TOptional<alepha304.TString>;
-    email: alepha304.TOptional<alepha304.TString>;
-    username: alepha304.TOptional<alepha304.TString>;
-    picture: alepha304.TOptional<alepha304.TString>;
-    sessionId: alepha304.TOptional<alepha304.TString>;
-    organizations: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-    roles: alepha304.TOptional<alepha304.TArray<alepha304.TString>>;
-  }>>;
-  api: alepha304.TObject<{
-    prefix: alepha304.TOptional<alepha304.TString>;
-    links: alepha304.TArray<alepha304.TObject<{
-      name: alepha304.TString;
-      group: alepha304.TOptional<alepha304.TString>;
-      path: alepha304.TString;
-      method: alepha304.TOptional<alepha304.TString>;
-      requestBodyType: alepha304.TOptional<alepha304.TString>;
-      service: alepha304.TOptional<alepha304.TString>;
-    }>>;
-  }>;
-}>;
-type UserinfoResponse = Static<typeof userinfoResponseSchema>;
-//#endregion
-//#region src/server-auth/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * The authenticated user account attached to the server request state.
-     *
-     * @internal
-     */
-    "alepha.server.request.user"?: UserAccount;
-  }
-}
-/**
- * Allow authentication services for server applications.
- * It provides login and logout functionalities.
- *
- * There are multiple authentication providers available (e.g., Google, GitHub).
- * You can also delegate authentication to your own OIDC/OAuth2, for example using Keycloak or Auth0.
- *
- * It's cookie-based and SSR friendly.
- *
- * @see {@link $auth}
- * @see {@link ServerAuthProvider}
- * @module alepha.server.auth
- */
-declare const AlephaServerAuth: alepha304.Service<alepha304.Module>;
-//#endregion
-export { $auth, $authCredentials, $authGithub, $authGoogle, AccessToken, AlephaServerAuth, AuthDescriptor, AuthDescriptorOptions, AuthExternal, AuthInternal, AuthenticationProvider, Credentials, CredentialsFn, CredentialsOptions, LinkAccountFn, LinkAccountOptions, OAuth2Options, OAuth2Profile, OidcOptions, ServerAuthProvider, TokenResponse, Tokens, UserinfoResponse, WithLinkFn, WithLoginFn, alephaServerAuthRoutes, authenticationProviderSchema, tokenResponseSchema, tokensSchema, userinfoResponseSchema };
-//# sourceMappingURL=index.d.cts.map