alepha 0.13.1 → 0.13.2

package/dist/server-auth/index.js

@@ -1,237 +1,14 @@
-import { $context, $env, $hook, $inject, $module, Alepha, AlephaError, Descriptor, KIND, createDescriptor, t } from "alepha";
-import { $action, $route, AlephaServer, BadRequestError, ForbiddenError, HttpClient, HttpError, ServerReply, ServerRouterProvider, ServerTimingProvider, UnauthorizedError, routeMethods } from "alepha/server";
-import { createCipheriv, createDecipheriv, createHmac, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
-import { deflateRawSync, inflateRawSync } from "node:zlib";
+import { $context, $hook, $inject, $module, Alepha, AlephaError, KIND, Primitive, createPrimitive, t } from "alepha";
+import { $cookie, AlephaServerCookies, ServerCookiesProvider } from "alepha/server/cookies";
 import { DateTimeProvider } from "alepha/datetime";
+import { InvalidCredentialsError, SecurityError, SecurityProvider, userAccountInfoSchema } from "alepha/security";
 import { $logger } from "alepha/logger";
-import { $permission, $realm, $role, AlephaSecurity, DEFAULT_APP_SECRET, InvalidCredentialsError, JwtProvider, SecurityError, SecurityProvider, userAccountInfoSchema } from "alepha/security";
-import { $retry } from "alepha/retry";
-import { ReadableStream } from "node:stream/web";
+import { $route, BadRequestError } from "alepha/server";
+import { ServerLinksProvider, apiLinksResponseSchema } from "alepha/server/links";
 
-//#region src/server-cookies/services/CookieParser.ts
-var CookieParser = class {
-	parseRequestCookies(header) {
-		const cookies = {};
-		const parts = header.split(";");
-		for (const part of parts) {
-			const [key, value] = part.split("=");
-			if (!key || !value) continue;
-			cookies[key.trim()] = value.trim();
-		}
-		return cookies;
-	}
-	serializeResponseCookies(cookies, isHttps) {
-		const headers$1 = [];
-		for (const [name, cookie] of Object.entries(cookies)) {
-			if (cookie == null) {
-				headers$1.push(`${name}=; Path=/; Max-Age=0`);
-				continue;
-			}
-			if (!cookie.value) continue;
-			headers$1.push(this.cookieToString(name, cookie, isHttps));
-		}
-		return headers$1;
-	}
-	cookieToString(name, cookie, isHttps) {
-		const parts = [];
-		parts.push(`${name}=${cookie.value}`);
-		if (cookie.path) parts.push(`Path=${cookie.path}`);
-		if (cookie.maxAge) parts.push(`Max-Age=${cookie.maxAge}`);
-		if (cookie.secure !== false && isHttps) parts.push("Secure");
-		if (cookie.httpOnly) parts.push("HttpOnly");
-		if (cookie.sameSite) parts.push(`SameSite=${cookie.sameSite}`);
-		if (cookie.domain) parts.push(`Domain=${cookie.domain}`);
-		return parts.join("; ");
-	}
-};
-
-//#endregion
-//#region src/server-cookies/providers/ServerCookiesProvider.ts
-const envSchema$2 = t.object({ APP_SECRET: t.text({ default: DEFAULT_APP_SECRET }) });
-var ServerCookiesProvider = class {
-	alepha = $inject(Alepha);
-	log = $logger();
-	cookieParser = $inject(CookieParser);
-	dateTimeProvider = $inject(DateTimeProvider);
-	env = $env(envSchema$2);
-	ALGORITHM = "aes-256-gcm";
-	IV_LENGTH = 16;
-	AUTH_TAG_LENGTH = 16;
-	SIGNATURE_LENGTH = 32;
-	onRequest = $hook({
-		on: "server:onRequest",
-		handler: async ({ request }) => {
-			request.cookies = {
-				req: this.cookieParser.parseRequestCookies(request.headers.cookie ?? ""),
-				res: {}
-			};
-		}
-	});
-	onAction = $hook({
-		on: "action:onRequest",
-		handler: async ({ request }) => {
-			request.cookies = {
-				req: this.cookieParser.parseRequestCookies(request.headers.cookie ?? ""),
-				res: {}
-			};
-		}
-	});
-	onSend = $hook({
-		on: "server:onSend",
-		handler: async ({ request }) => {
-			if (request.cookies && Object.keys(request.cookies.res).length > 0) {
-				const setCookieHeaders = this.cookieParser.serializeResponseCookies(request.cookies.res, request.url.protocol === "https:");
-				if (setCookieHeaders.length > 0) request.reply.headers["set-cookie"] = setCookieHeaders;
-			}
-		}
-	});
-	getCookiesFromContext(cookies) {
-		const contextCookies = this.alepha.context.get("request")?.cookies;
-		if (cookies) return cookies;
-		if (contextCookies) return contextCookies;
-		throw new Error("Cookie context is not available. This method must be called within a server request cycle.");
-	}
-	getCookie(name, options, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		let rawValue = cookies.req[name];
-		if (!rawValue) return void 0;
-		try {
-			rawValue = decodeURIComponent(rawValue);
-			if (options.sign) {
-				const signature = rawValue.substring(0, this.SIGNATURE_LENGTH * 2);
-				const value = rawValue.substring(this.SIGNATURE_LENGTH * 2);
-				const expectedSignature = this.sign(value);
-				if (!timingSafeEqual(Buffer.from(signature, "hex"), Buffer.from(expectedSignature, "hex"))) {
-					this.log.warn(`Invalid signature for cookie "${name}".`);
-					return;
-				}
-				rawValue = value;
-			}
-			if (options.encrypt) rawValue = this.decrypt(rawValue);
-			if (options.compress) rawValue = inflateRawSync(Buffer.from(rawValue, "base64")).toString("utf8");
-			return this.alepha.codec.decode(options.schema, JSON.parse(rawValue));
-		} catch (error) {
-			this.log.warn(`Failed to parse cookie "${name}"`, error);
-			this.deleteCookie(name, cookies);
-			return;
-		}
-	}
-	setCookie(name, options, data, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		let value = JSON.stringify(this.alepha.codec.decode(options.schema, data));
-		if (options.compress) value = deflateRawSync(value).toString("base64");
-		if (options.encrypt) value = this.encrypt(value);
-		if (options.sign) value = this.sign(value) + value;
-		const cookie = {
-			value: encodeURIComponent(value),
-			path: options.path ?? "/",
-			sameSite: options.sameSite ?? "lax",
-			secure: options.secure ?? this.alepha.isProduction(),
-			httpOnly: options.httpOnly,
-			domain: options.domain
-		};
-		if (options.ttl) cookie.maxAge = this.dateTimeProvider.duration(options.ttl).as("seconds");
-		cookies.res[name] = cookie;
-	}
-	deleteCookie(name, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		cookies.res[name] = null;
-	}
-	encrypt(text) {
-		const iv = randomBytes(this.IV_LENGTH);
-		const cipher = createCipheriv(this.ALGORITHM, Buffer.from(this.secretKey()), iv);
-		const encrypted = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
-		const authTag = cipher.getAuthTag();
-		return Buffer.concat([
-			iv,
-			authTag,
-			encrypted
-		]).toString("base64");
-	}
-	decrypt(encryptedText) {
-		const data = Buffer.from(encryptedText, "base64");
-		const iv = data.subarray(0, this.IV_LENGTH);
-		const authTag = data.subarray(this.IV_LENGTH, this.IV_LENGTH + this.AUTH_TAG_LENGTH);
-		const encrypted = data.subarray(this.IV_LENGTH + this.AUTH_TAG_LENGTH);
-		const decipher = createDecipheriv(this.ALGORITHM, Buffer.from(this.secretKey()), iv);
-		decipher.setAuthTag(authTag);
-		return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
-	}
-	secretKey() {
-		let secret = this.env.APP_SECRET;
-		if (secret.length < 32) secret = secret.padEnd(32, "0");
-		else if (secret.length > 32) secret = secret.substring(0, 32);
-		return secret;
-	}
-	sign(data) {
-		return createHmac("sha256", this.secretKey()).update(data).digest("hex");
-	}
-};
-
-//#endregion
-//#region src/server-cookies/descriptors/$cookie.ts
-/**
-* Declares a type-safe, configurable HTTP cookie.
-* This descriptor provides methods to get, set, and delete the cookie
-* within the server request/response cycle.
-*/
-const $cookie = (options) => {
-	return createDescriptor(CookieDescriptor, options);
-};
-var CookieDescriptor = class extends Descriptor {
-	serverCookiesProvider = $inject(ServerCookiesProvider);
-	get schema() {
-		return this.options.schema;
-	}
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	/**
-	* Sets the cookie with the given value in the current request's response.
-	*/
-	set(value, options) {
-		this.serverCookiesProvider.setCookie(this.name, {
-			...this.options,
-			ttl: options?.ttl ?? this.options.ttl
-		}, value, options?.cookies);
-	}
-	/**
-	* Gets the cookie value from the current request. Returns undefined if not found or invalid.
-	*/
-	get(options) {
-		return this.serverCookiesProvider.getCookie(this.name, this.options, options?.cookies);
-	}
-	/**
-	* Deletes the cookie in the current request's response.
-	*/
-	del(options) {
-		this.serverCookiesProvider.deleteCookie(this.name, options?.cookies);
-	}
-};
-$cookie[KIND] = CookieDescriptor;
-
-//#endregion
-//#region src/server-cookies/index.ts
-/**
-* Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
-*
-* The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
-* It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
-* for managing user sessions, preferences, and authentication tokens.
-*
-* @see {@link $cookie}
-* @module alepha.server.cookies
-*/
-const AlephaServerCookies = $module({
-	name: "alepha.server.cookies",
-	descriptors: [$cookie],
-	services: [AlephaServer, ServerCookiesProvider]
-});
-
-//#endregion
 //#region ../../node_modules/oauth4webapi/build/index.js
 let USER_AGENT$1;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT$1 = `oauth4webapi/v3.8.2`;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT$1 = `oauth4webapi/v3.8.3`;
 function looseInstanceOf(input, expected) {
 	if (input == null) return false;
 	try {
@@ -435,14 +212,14 @@ function notJson(response, ...types) {
 function assertContentType(response, contentType) {
 	if (getContentType(response) !== contentType) throw notJson(response, contentType);
 }
-function randomBytes$1() {
+function randomBytes() {
 	return b64u(crypto.getRandomValues(new Uint8Array(32)));
 }
 function generateRandomCodeVerifier() {
-	return randomBytes$1();
+	return randomBytes();
 }
 function generateRandomState() {
-	return randomBytes$1();
+	return randomBytes();
 }
 async function calculatePKCECodeChallenge$1(codeVerifier) {
 	assertString$1(codeVerifier, "codeVerifier");
@@ -562,10 +339,10 @@ var WWWAuthenticateChallengeError = class extends Error {
 	}
 };
 const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
-const token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+[=]{0,2}";
-const quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*\"((?:[^\"\\\\]|\\\\.)*)\"";
+const token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
+const quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*\"((?:[^\"\\\\]|\\\\[\\s\\S])*)\"";
 const paramMatcher = "(" + tokenMatch + ")\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)";
-const schemeRE = /* @__PURE__ */ new RegExp("^[,\\s]*(" + tokenMatch + ")\\s(.*)");
+const schemeRE = /* @__PURE__ */ new RegExp("^[,\\s]*(" + tokenMatch + ")");
 const quotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
 const unquotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
 const token68ParamRE = /* @__PURE__ */ new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
@@ -578,11 +355,15 @@ function parseWwwAuthenticateChallenges(response) {
 	while (rest) {
 		let match = rest.match(schemeRE);
 		const scheme = match?.["1"].toLowerCase();
-		rest = match?.["2"];
 		if (!scheme) return;
+		const afterScheme = rest.substring(match[0].length);
+		if (afterScheme && !afterScheme.match(/^[\s,]/)) return;
+		const spaceMatch = afterScheme.match(/^\s+(.*)$/);
+		const hasParameters = !!spaceMatch;
+		rest = spaceMatch ? spaceMatch[1] : void 0;
 		const parameters = {};
 		let token68;
-		while (rest) {
+		if (hasParameters) while (rest) {
 			let key;
 			let value;
 			if (match = rest.match(quotedParamRE)) {
@@ -605,6 +386,7 @@ function parseWwwAuthenticateChallenges(response) {
 			}
 			return;
 		}
+		else rest = afterScheme || void 0;
 		const challenge = {
 			scheme,
 			parameters
@@ -1456,9 +1238,9 @@ function retryable(err, options) {
 const retry = Symbol();
 
 //#endregion
-//#region src/server-auth/descriptors/$auth.ts
+//#region src/server-auth/primitives/$auth.ts
 /**
-* Creates an authentication provider descriptor for handling user login flows.
+* Creates an authentication provider primitive for handling user login flows.
 *
 * Supports multiple authentication strategies: credentials (username/password), OAuth2,
 * and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
@@ -1492,9 +1274,9 @@ const retry = Symbol();
 * ```
 */
 const $auth = (options) => {
-	return createDescriptor(AuthDescriptor, options);
+	return createPrimitive(AuthPrimitive, options);
 };
-var AuthDescriptor = class extends Descriptor {
+var AuthPrimitive = class extends Primitive {
 	securityProvider = $inject(SecurityProvider);
 	dateTimeProvider = $inject(DateTimeProvider);
 	oauth;
@@ -1587,981 +1369,7 @@ var AuthDescriptor = class extends Descriptor {
 		}
 	}
 };
-$auth[KIND] = AuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerBasicAuthProvider.ts
-var ServerBasicAuthProvider = class {
-	alepha = $inject(Alepha);
-	log = $logger();
-	routerProvider = $inject(ServerRouterProvider);
-	realm = "Secure Area";
-	/**
-	* Registered basic auth descriptors with their configurations
-	*/
-	registeredAuths = [];
-	/**
-	* Register a basic auth configuration (called by descriptors)
-	*/
-	registerAuth(config) {
-		this.registeredAuths.push(config);
-	}
-	onStart = $hook({
-		on: "start",
-		handler: async () => {
-			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
-				const matchedRoutes = this.routerProvider.getRoutes(pattern);
-				for (const route of matchedRoutes) route.secure = { basic: {
-					username: auth.username,
-					password: auth.password
-				} };
-			}
-			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
-		}
-	});
-	/**
-	* Hook into server:onRequest to check basic auth
-	*/
-	onRequest = $hook({
-		on: "server:onRequest",
-		handler: async ({ route, request }) => {
-			const routeAuth = route.secure;
-			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Hook into action:onRequest to check basic auth for actions
-	*/
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request }) => {
-			const routeAuth = action.route.secure;
-			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Check basic authentication
-	*/
-	checkAuth(request, options) {
-		const authHeader = request.headers?.authorization;
-		if (!authHeader || !authHeader.startsWith("Basic ")) {
-			this.sendAuthRequired(request);
-			throw new HttpError({
-				status: 401,
-				message: "Authentication required"
-			});
-		}
-		const base64Credentials = authHeader.slice(6);
-		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
-		const colonIndex = credentials.indexOf(":");
-		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
-		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
-		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
-			this.sendAuthRequired(request);
-			this.log.warn(`Failed basic auth attempt for user`, { username });
-			throw new HttpError({
-				status: 401,
-				message: "Invalid credentials"
-			});
-		}
-	}
-	/**
-	* Performs a timing-safe comparison of credentials to prevent timing attacks.
-	* Always compares both username and password to avoid leaking which one is wrong.
-	*/
-	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
-		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
-		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
-		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
-		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
-		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
-	}
-	/**
-	* Compares two buffers in constant time, handling different lengths safely.
-	* Returns 1 if equal, 0 if not equal.
-	*/
-	safeCompare(input, expected) {
-		if (input.length !== expected.length) {
-			timingSafeEqual(input, input);
-			return 0;
-		}
-		return timingSafeEqual(input, expected) ? 1 : 0;
-	}
-	/**
-	* Send WWW-Authenticate header
-	*/
-	sendAuthRequired(request) {
-		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
-	}
-};
-const isBasicAuth = (value) => {
-	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
-};
-
-//#endregion
-//#region src/server-security/descriptors/$basicAuth.ts
-/**
-* Declares HTTP Basic Authentication for server routes.
-* This descriptor provides methods to protect routes with username/password authentication.
-*/
-const $basicAuth = (options) => {
-	return createDescriptor(BasicAuthDescriptor, options);
-};
-var BasicAuthDescriptor = class extends Descriptor {
-	serverBasicAuthProvider = $inject(ServerBasicAuthProvider);
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	onInit() {
-		this.serverBasicAuthProvider.registerAuth(this.options);
-	}
-	/**
-	* Checks basic auth for the given request using this descriptor's configuration.
-	*/
-	check(request, options) {
-		const mergedOptions = {
-			...this.options,
-			...options
-		};
-		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
-	}
-};
-$basicAuth[KIND] = BasicAuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.ts
-var ServerSecurityProvider = class {
-	log = $logger();
-	securityProvider = $inject(SecurityProvider);
-	jwtProvider = $inject(JwtProvider);
-	alepha = $inject(Alepha);
-	onConfigure = $hook({
-		on: "configure",
-		handler: async () => {
-			for (const action of this.alepha.descriptors($action)) {
-				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
-				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
-					name: action.name,
-					group: action.group,
-					method: action.route.method,
-					path: action.route.path
-				});
-			}
-		}
-	});
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request, options }) => {
-			if (action.options.secure === false && !options.user) {
-				this.log.trace("Skipping security check for route");
-				return;
-			}
-			if (isBasicAuth(action.route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
-			try {
-				request.user = this.createUserFromLocalFunctionContext(options, permission);
-				const route = action.route;
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-			} catch (error) {
-				if (action.options.secure || permission) throw error;
-				this.log.trace("Skipping security check for action");
-			}
-		}
-	});
-	onRequest = $hook({
-		on: "server:onRequest",
-		priority: "last",
-		handler: async ({ request, route }) => {
-			if (route.secure === false) {
-				this.log.trace("Skipping security check for route - explicitly disabled");
-				return;
-			}
-			if (isBasicAuth(route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
-			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
-					user: request.user,
-					permission
-				});
-			} catch (error) {
-				if (route.secure || permission) throw error;
-				this.log.trace("Skipping security check for route - error occurred", error);
-			}
-		}
-	});
-	check(user, secure) {
-		if (secure.realm) {
-			if (user.realm !== secure.realm) throw new ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
-		}
-	}
-	/**
-	* Get the user account token for a local action call.
-	* There are three possible sources for the user:
-	* - `options.user`: the user passed in the options
-	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
-	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
-	*
-	* Priority order: `options.user` > `"system"` > `"context"`.
-	*
-	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
-	*/
-	createUserFromLocalFunctionContext(options, permission) {
-		const fromOptions = typeof options.user === "object" ? options.user : void 0;
-		const type = typeof options.user === "string" ? options.user : void 0;
-		let user;
-		const fromContext = this.alepha.context.get("request")?.user;
-		const fromSystem = this.alepha.state.get("alepha.server.security.system.user");
-		if (type === "system") user = fromSystem;
-		else if (type === "context") user = fromContext;
-		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
-		let ownership;
-		if (permission) {
-			const result = this.securityProvider.checkPermission(permission, ...roles);
-			if (!result.isAuthorized) throw new ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
-			ownership = result.ownership;
-		}
-		return {
-			...user,
-			ownership
-		};
-	}
-	createTestUser() {
-		return {
-			id: randomUUID(),
-			name: "Test",
-			roles: this.securityProvider.getRoles().map((role) => role.name)
-		};
-	}
-	onClientRequest = $hook({
-		on: "client:onRequest",
-		handler: async ({ request, options }) => {
-			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
-			request.headers = new Headers(request.headers);
-			if (!request.headers.has("authorization")) {
-				const test = this.createTestUser();
-				const user = typeof options?.user === "object" ? options.user : void 0;
-				const sub = user?.id ?? test.id;
-				const roles = user?.roles ?? test.roles;
-				const token = await this.jwtProvider.create({
-					sub,
-					roles
-				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
-				request.headers.set("authorization", `Bearer ${token}`);
-			}
-		}
-	});
-};
-
-//#endregion
-//#region src/server-security/index.ts
-/**
-* Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
-*
-* By default, all $action will be guarded by a permission check.
-*
-* @see {@link ServerSecurityProvider}
-* @module alepha.server.security
-*/
-const AlephaServerSecurity = $module({
-	name: "alepha.server.security",
-	descriptors: [
-		$realm,
-		$role,
-		$permission,
-		$basicAuth
-	],
-	services: [
-		AlephaServer,
-		AlephaSecurity,
-		ServerSecurityProvider,
-		ServerBasicAuthProvider
-	]
-});
-
-//#endregion
-//#region src/server-links/schemas/apiLinksResponseSchema.ts
-const apiLinkSchema = t.object({
-	name: t.text({ description: "Name of the API link, used for identification." }),
-	group: t.optional(t.text({ description: "Group to which the API link belongs, used for categorization." })),
-	path: t.text({ description: "Pathname used to access the API link." }),
-	method: t.optional(t.text({ description: "HTTP method used for the API link, e.g., GET, POST, etc. If not specified, defaults to GET." })),
-	requestBodyType: t.optional(t.text({ description: "Type of the request body for the API link. Default is application/json for POST/PUT/PATCH, null for others." })),
-	service: t.optional(t.text({ description: "Service name associated with the API link, used for service discovery." }))
-});
-const apiLinksResponseSchema = t.object({
-	prefix: t.optional(t.text()),
-	links: t.array(apiLinkSchema)
-});
-
-//#endregion
-//#region src/server-links/providers/LinkProvider.ts
-/**
-* Browser, SSR friendly, service to handle links.
-*/
-var LinkProvider = class LinkProvider {
-	static path = {
-		apiLinks: "/api/_links",
-		apiSchema: "/api/_links/:name/schema"
-	};
-	log = $logger();
-	alepha = $inject(Alepha);
-	httpClient = $inject(HttpClient);
-	serverLinks = [];
-	/**
-	* Get applicative links registered on the server.
-	* This does not include lazy-loaded remote links.
-	*/
-	getServerLinks() {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Getting server links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return [];
-		}
-		return this.serverLinks;
-	}
-	/**
-	* Register a new link for the application.
-	*/
-	registerLink(link) {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Registering links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return;
-		}
-		if (!link.handler && !link.host) throw new AlephaError("Can't create link - 'handler' or 'host' is required");
-		if (this.serverLinks.some((l) => l.name === link.name)) this.serverLinks = this.serverLinks.filter((l) => l.name !== link.name);
-		this.serverLinks.push(link);
-	}
-	get links() {
-		const apiLinks = this.alepha.state.get("alepha.server.request.apiLinks")?.links;
-		if (apiLinks) {
-			if (this.alepha.isBrowser()) return apiLinks;
-			const links = [];
-			for (const link of apiLinks) {
-				const originalLink = this.serverLinks.find((l) => l.name === link.name);
-				if (originalLink) links.push(originalLink);
-			}
-			return links;
-		}
-		return this.serverLinks ?? [];
-	}
-	/**
-	* Force browser to refresh links from the server.
-	*/
-	async fetchLinks() {
-		const { data } = await this.httpClient.fetch(`${LinkProvider.path.apiLinks}`, {
-			method: "GET",
-			schema: { response: apiLinksResponseSchema }
-		});
-		this.alepha.state.set("alepha.server.request.apiLinks", data);
-		return data.links;
-	}
-	/**
-	* Create a virtual client that can be used to call actions.
-	*
-	* Use js Proxy under the hood.
-	*/
-	client(scope = {}) {
-		return new Proxy({}, { get: (_, prop) => {
-			if (typeof prop !== "string") return;
-			return this.createVirtualAction(prop, scope);
-		} });
-	}
-	/**
-	* Check if a link with the given name exists.
-	* @param name
-	*/
-	can(name) {
-		return this.links.some((link) => link.name === name);
-	}
-	/**
-	* Resolve a link by its name and call it.
-	* - If link is local, it will call the local handler.
-	* - If link is remote, it will make a fetch request to the remote server.
-	*/
-	async follow(name, config = {}, options = {}) {
-		this.log.trace("Following link", {
-			name,
-			config,
-			options
-		});
-		const link = await this.getLinkByName(name, options);
-		if (link.handler && !options.request) {
-			this.log.trace("Local link found", { name });
-			return link.handler({
-				method: link.method,
-				url: new URL(`http://localhost${link.path}`),
-				query: config.query ?? {},
-				body: config.body ?? {},
-				params: config.params ?? {},
-				headers: config.headers ?? {},
-				metadata: {},
-				reply: new ServerReply()
-			}, options);
-		}
-		this.log.trace("Remote link found", {
-			name,
-			host: link.host,
-			service: link.service
-		});
-		return this.followRemote(link, config, options).then((response) => response.data);
-	}
-	createVirtualAction(name, scope = {}) {
-		const $ = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		Object.defineProperty($, "name", {
-			value: name,
-			writable: false
-		});
-		$.run = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		$.fetch = async (config = {}, options = {}) => {
-			const link = await this.getLinkByName(name, scope);
-			return this.followRemote(link, config, options);
-		};
-		$.can = () => {
-			return this.can(name);
-		};
-		return $;
-	}
-	async followRemote(link, config = {}, options = {}) {
-		options.request ??= {};
-		options.request.headers = new Headers(options.request.headers);
-		const als = this.alepha.context.get("request");
-		if (als?.headers.authorization) options.request.headers.set("authorization", als.headers.authorization);
-		const context = this.alepha.context.get("context");
-		if (typeof context === "string") options.request.headers.set("x-request-id", context);
-		const action = {
-			...link,
-			schema: {
-				body: t.any(),
-				response: t.any()
-			}
-		};
-		if (!link.host && link.service) action.path = `/${link.service}${action.path}`;
-		action.path = `${action.prefix ?? "/api"}${action.path}`;
-		action.prefix = void 0;
-		return this.httpClient.fetchAction({
-			host: link.host,
-			config,
-			options,
-			action
-		});
-	}
-	async getLinkByName(name, options = {}) {
-		if (this.alepha.isBrowser() && !this.alepha.state.get("alepha.server.request.apiLinks")) await this.fetchLinks();
-		const link = this.links.find((a) => a.name === name && (!options.group || a.group === options.group) && (!options.service || options.service === a.service));
-		if (!link) {
-			const error = new UnauthorizedError(`Action ${name} not found.`);
-			await this.alepha.events.emit("client:onError", {
-				route: link,
-				error
-			});
-			throw error;
-		}
-		if (options.hostname) return {
-			...link,
-			host: options.hostname
-		};
-		return link;
-	}
-};
-
-//#endregion
-//#region src/server-links/descriptors/$client.ts
-/**
-* Create a new client.
-*/
-const $client = (scope) => {
-	return $inject(LinkProvider).client(scope);
-};
-$client[KIND] = "$client";
-
-//#endregion
-//#region src/server-links/descriptors/$remote.ts
-/**
-* $remote is a descriptor that allows you to define remote service access.
-*
-* Use it only when you have 2 or more services that need to communicate with each other.
-*
-* All remote services can be exposed as actions, ... or not.
-*
-* You can add a service account if you want to use a security layer.
-*/
-const $remote = (options) => {
-	return createDescriptor(RemoteDescriptor, options);
-};
-var RemoteDescriptor = class extends Descriptor {
-	get name() {
-		return this.options.name ?? this.config.propertyKey;
-	}
-};
-$remote[KIND] = RemoteDescriptor;
-
-//#endregion
-//#region src/server-proxy/descriptors/$proxy.ts
-/**
-* Creates a proxy descriptor to forward requests to another server.
-*
-* This descriptor enables you to create reverse proxy functionality, allowing your Alepha server
-* to forward requests to other services while maintaining a unified API surface. It's particularly
-* useful for microservice architectures, API gateways, or when you need to aggregate multiple
-* services behind a single endpoint.
-*
-* **Key Features**
-*
-* - **Path-based routing**: Match specific paths or patterns to proxy
-* - **Dynamic targets**: Support both static and dynamic target resolution
-* - **Request/Response hooks**: Modify requests before forwarding and responses after receiving
-* - **URL rewriting**: Transform URLs before forwarding to the target
-* - **Conditional proxying**: Enable/disable proxies based on environment or conditions
-*
-* @example
-* **Basic proxy setup:**
-* ```ts
-* import { $proxy } from "alepha/server/proxy";
-*
-* class ApiGateway {
-*   // Forward all /api/* requests to external service
-*   api = $proxy({
-*     path: "/api/*",
-*     target: "https://api.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Dynamic target with environment-based routing:**
-* ```ts
-* class ApiGateway {
-*   // Route to different environments based on configuration
-*   api = $proxy({
-*     path: "/api/*",
-*     target: () => process.env.NODE_ENV === "production"
-*       ? "https://api.prod.example.com"
-*       : "https://api.dev.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Advanced proxy with request/response modification:**
-* ```ts
-* class SecureProxy {
-*   secure = $proxy({
-*     path: "/secure/*",
-*     target: "https://secure-api.example.com",
-*     beforeRequest: async (request, proxyRequest) => {
-*       // Add authentication headers
-*       proxyRequest.headers = {
-*         ...proxyRequest.headers,
-*         'Authorization': `Bearer ${await getServiceToken()}`,
-*         'X-Forwarded-For': request.headers['x-forwarded-for'] || request.ip
-*       };
-*     },
-*     afterResponse: async (request, proxyResponse) => {
-*       // Log response for monitoring
-*       console.log(`Proxied ${request.url} -> ${proxyResponse.status}`);
-*     },
-*     rewrite: (url) => {
-*       // Remove /secure prefix when forwarding
-*       url.pathname = url.pathname.replace('/secure', '');
-*     }
-*   });
-* }
-* ```
-*
-* @example
-* **Conditional proxy based on feature flags:**
-* ```ts
-* class FeatureProxy {
-*   newApi = $proxy({
-*     path: "/v2/*",
-*     target: "https://new-api.example.com",
-*     disabled: !process.env.ENABLE_V2_API // Disable if feature flag is off
-*   });
-* }
-* ```
-*/
-const $proxy = (options) => {
-	return createDescriptor(ProxyDescriptor, options);
-};
-var ProxyDescriptor = class extends Descriptor {};
-$proxy[KIND] = ProxyDescriptor;
-
-//#endregion
-//#region src/server-proxy/providers/ServerProxyProvider.ts
-var ServerProxyProvider = class {
-	log = $logger();
-	routerProvider = $inject(ServerRouterProvider);
-	alepha = $inject(Alepha);
-	configure = $hook({
-		on: "configure",
-		handler: () => {
-			for (const proxy of this.alepha.descriptors($proxy)) this.createProxy(proxy.options);
-		}
-	});
-	createProxy(options) {
-		if (options.disabled) return;
-		const path = options.path;
-		const target = typeof options.target === "function" ? options.target() : options.target;
-		if (!path.endsWith("/*")) throw new AlephaError("Proxy path should end with '/*'");
-		const handler = this.createProxyHandler(target, options);
-		for (const method of routeMethods) this.routerProvider.createRoute({
-			method,
-			path,
-			handler
-		});
-		this.log.info("Proxying", {
-			path,
-			target
-		});
-	}
-	createProxyHandler(target, options) {
-		return async (request) => {
-			const url = new URL(target + request.url.pathname);
-			if (request.url.search) url.search = request.url.search;
-			options.rewrite?.(url);
-			const requestInit = {
-				url: url.toString(),
-				method: request.method,
-				headers: {
-					...request.headers,
-					"accept-encoding": "identity"
-				},
-				body: this.getRawRequestBody(request)
-			};
-			if (requestInit.body) requestInit.duplex = "half";
-			if (options.beforeRequest) await options.beforeRequest(request, requestInit);
-			this.log.debug("Proxying request", {
-				url: url.toString(),
-				method: request.method,
-				headers: request.headers
-			});
-			const response = await fetch(requestInit.url, requestInit);
-			request.reply.status = response.status;
-			request.reply.headers = Object.fromEntries(response.headers.entries());
-			request.reply.body = response.body;
-			this.log.debug("Received response", {
-				status: request.reply.status,
-				headers: request.reply.headers
-			});
-			if (options.afterResponse) await options.afterResponse(request, response);
-		};
-	}
-	getRawRequestBody(req) {
-		const { method } = req;
-		if (method === "GET" || method === "HEAD" || method === "OPTIONS") return;
-		if (req.raw?.web?.req) return req.raw.web.req.body;
-		if (req.raw?.node?.req) {
-			const nodeReq = req.raw.node.req;
-			return ReadableStream.from(nodeReq);
-		}
-	}
-};
-
-//#endregion
-//#region src/server-proxy/index.ts
-/**
-* Plugin for Alepha that provides a proxy server functionality.
-*
-* @see {@link $proxy}
-* @module alepha.server.proxy
-*/
-const AlephaServerProxy = $module({
-	name: "alepha.server.proxy",
-	descriptors: [$proxy],
-	services: [AlephaServer, ServerProxyProvider]
-});
-
-//#endregion
-//#region src/server-links/providers/RemoteDescriptorProvider.ts
-const envSchema$1 = t.object({ SERVER_API_PREFIX: t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var RemoteDescriptorProvider = class {
-	env = $env(envSchema$1);
-	alepha = $inject(Alepha);
-	proxyProvider = $inject(ServerProxyProvider);
-	linkProvider = $inject(LinkProvider);
-	remotes = [];
-	log = $logger();
-	getRemotes() {
-		return this.remotes;
-	}
-	configure = $hook({
-		on: "configure",
-		handler: async () => {
-			const remotes = this.alepha.descriptors($remote);
-			for (const remote of remotes) await this.registerRemote(remote);
-		}
-	});
-	start = $hook({
-		on: "start",
-		handler: async () => {
-			for (const remote of this.remotes) {
-				const token = typeof remote.serviceAccount?.token === "function" ? await remote.serviceAccount.token() : void 0;
-				if (!remote.internal) continue;
-				const { links } = await remote.links({ authorization: token });
-				for (const link of links) {
-					let path = link.path.replace(remote.prefix, "");
-					if (link.service) path = `/${link.service}${path}`;
-					this.linkProvider.registerLink({
-						...link,
-						prefix: remote.prefix,
-						path,
-						method: link.method ?? "GET",
-						host: remote.url,
-						service: remote.name
-					});
-				}
-				this.log.info(`Remote '${remote.name}' OK`, {
-					links: remote.links.length,
-					prefix: remote.prefix
-				});
-			}
-		}
-	});
-	async registerRemote(value) {
-		const options = value.options;
-		const url = typeof options.url === "string" ? options.url : options.url();
-		const linkPath = LinkProvider.path.apiLinks;
-		const name = value.name;
-		const proxy = typeof options.proxy === "object" ? options.proxy : {};
-		const remote = {
-			url,
-			name,
-			prefix: "/api",
-			serviceAccount: options.serviceAccount,
-			proxy: !!options.proxy,
-			internal: !proxy.noInternal,
-			schema: async (opts) => {
-				const { authorization, name: name$1 } = opts;
-				return await fetch(`${url}${linkPath}/${name$1}/schema`, { headers: new Headers(authorization ? { authorization } : {}) }).then((it) => it.json());
-			},
-			links: async (opts) => {
-				const { authorization } = opts;
-				const remoteApi = await this.fetchLinks.run({
-					service: name,
-					url: `${url}${linkPath}`,
-					authorization
-				});
-				if (remoteApi.prefix != null) remote.prefix = remoteApi.prefix;
-				return remoteApi;
-			}
-		};
-		this.remotes.push(remote);
-		if (options.proxy) this.proxyProvider.createProxy({
-			path: `${this.env.SERVER_API_PREFIX}/${name}/*`,
-			target: url,
-			rewrite: (url$1) => {
-				url$1.pathname = url$1.pathname.replace(`${this.env.SERVER_API_PREFIX}/${name}`, remote.prefix);
-			},
-			...proxy
-		});
-	}
-	fetchLinks = $retry({
-		max: 10,
-		backoff: { initial: 1e3 },
-		onError: (_, attempt, { service, url }) => {
-			this.log.warn(`Failed to fetch links, retry (${attempt})...`, {
-				service,
-				url
-			});
-		},
-		handler: async (opts) => {
-			const { url, authorization } = opts;
-			const response = await fetch(url, { headers: new Headers(authorization ? { authorization } : {}) });
-			if (!response.ok) throw new Error(`Failed to fetch links from ${url}`);
-			return this.alepha.codec.decode(apiLinksResponseSchema, await response.json());
-		}
-	});
-};
-
-//#endregion
-//#region src/server-links/providers/ServerLinksProvider.ts
-const envSchema = t.object({ SERVER_API_PREFIX: t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var ServerLinksProvider = class {
-	env = $env(envSchema);
-	alepha = $inject(Alepha);
-	linkProvider = $inject(LinkProvider);
-	remoteProvider = $inject(RemoteDescriptorProvider);
-	serverTimingProvider = $inject(ServerTimingProvider);
-	get prefix() {
-		return this.env.SERVER_API_PREFIX;
-	}
-	onRoute = $hook({
-		on: "configure",
-		handler: () => {
-			for (const action of this.alepha.descriptors($action)) this.linkProvider.registerLink({
-				name: action.name,
-				group: action.group,
-				schema: action.options.schema,
-				requestBodyType: action.getBodyContentType(),
-				secured: action.options.secure ?? true,
-				method: action.method === "GET" ? void 0 : action.method,
-				prefix: action.prefix,
-				path: action.path,
-				handler: (config, options = {}) => action.run(config, options)
-			});
-		}
-	});
-	/**
-	* First API - Get all API links for the user.
-	*
-	* This is based on the user's permissions.
-	*/
-	links = $route({
-		path: LinkProvider.path.apiLinks,
-		schema: { response: apiLinksResponseSchema },
-		handler: ({ user, headers: headers$1 }) => {
-			return this.getUserApiLinks({
-				user,
-				authorization: headers$1.authorization
-			});
-		}
-	});
-	/**
-	* Second API - Get schema for a specific API link.
-	*
-	* Note: Body/Response schema are not included in `links` API because it's TOO BIG.
-	* I mean for 150+ links, you got 50ms of serialization time.
-	*/
-	schema = $route({
-		path: LinkProvider.path.apiSchema,
-		schema: {
-			params: t.object({ name: t.text() }),
-			response: t.json()
-		},
-		handler: ({ params, user, headers: headers$1 }) => {
-			return this.getSchemaByName(params.name, {
-				user,
-				authorization: headers$1.authorization
-			});
-		}
-	});
-	async getSchemaByName(name, options = {}) {
-		const authorization = options.authorization;
-		const api = await this.getUserApiLinks({
-			user: options.user,
-			authorization
-		});
-		for (const link of api.links) if (link.name === name) {
-			if (link.service) return this.remoteProvider.getRemotes().find((it) => it.name === link.service)?.schema({
-				name,
-				authorization
-			});
-			return this.linkProvider.getServerLinks().find((it) => it.name === name)?.schema ?? {};
-		}
-		return {};
-	}
-	/**
-	* Retrieves API links for the user based on their permissions.
-	* Will check on local links and remote links.
-	*/
-	async getUserApiLinks(options) {
-		const { user } = options;
-		let permissions;
-		let permissionMap;
-		const hasSecurity = this.alepha.has(SecurityProvider);
-		if (hasSecurity && user) {
-			permissions = this.alepha.inject(SecurityProvider).getPermissions(user);
-			permissionMap = new Map(permissions.map((it) => [`${it.group}:${it.name}`, it]));
-		}
-		const userLinks = [];
-		for (const permission of permissions ?? []) if (!permission.path && !permission.method && permission.name && permission.group) userLinks.push({
-			path: "",
-			name: permission.name,
-			group: permission.group
-		});
-		for (const link of this.linkProvider.getServerLinks()) {
-			if (link.host) continue;
-			if (hasSecurity && link.secured) {
-				if (!user) continue;
-				if (typeof link.secured === "object" && link.secured.realm) {
-					if (user.realm !== link.secured.realm) continue;
-				} else if (permissionMap) {
-					if (!permissionMap.has(`${link.group}:${link.name}`)) continue;
-				}
-			}
-			userLinks.push({
-				name: link.name,
-				group: link.group,
-				requestBodyType: link.requestBodyType,
-				method: link.method,
-				path: link.path
-			});
-		}
-		this.serverTimingProvider.beginTiming("fetchRemoteLinks");
-		const promises = this.remoteProvider.getRemotes().filter((it) => it.proxy).map(async (remote) => {
-			const { links, prefix } = await remote.links(options);
-			return links.map((link) => {
-				let path = link.path.replace(prefix ?? "/api", "");
-				if (link.service) path = `/${link.service}${path}`;
-				return {
-					...link,
-					path,
-					proxy: true,
-					service: remote.name
-				};
-			});
-		});
-		userLinks.push(...(await Promise.all(promises)).flat());
-		this.serverTimingProvider.endTiming("fetchRemoteLinks");
-		return {
-			prefix: this.env.SERVER_API_PREFIX,
-			links: userLinks
-		};
-	}
-};
-
-//#endregion
-//#region src/server-links/index.ts
-/**
-* Provides server-side link management and remote capabilities for client-server interactions.
-*
-* The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
-* facilitating seamless API endpoint management and client-server communication. It integrates with server
-* security features to ensure safe and controlled access to resources.
-*
-* @see {@link $remote}
-* @see {@link $client}
-* @module alepha.server.links
-*/
-const AlephaServerLinks = $module({
-	name: "alepha.server.links",
-	descriptors: [$remote, $client],
-	services: [
-		AlephaServer,
-		ServerLinksProvider,
-		RemoteDescriptorProvider,
-		LinkProvider
-	]
-});
+$auth[KIND] = AuthPrimitive;
 
 //#endregion
 //#region src/server-auth/constants/routes.ts
@@ -2631,7 +1439,7 @@ var ServerAuthProvider = class {
 		schema: tokensSchema
 	});
 	get identities() {
-		return this.alepha.descriptors($auth).filter((auth) => !auth.options.disabled);
+		return this.alepha.primitives($auth).filter((auth) => !auth.options.disabled);
 	}
 	getAuthenticationProviders(filters = {}) {
 		const providers = [];
@@ -2985,16 +1793,27 @@ var ServerAuthProvider = class {
 };
 
 //#endregion
-//#region src/server-auth/descriptors/$authCredentials.ts
+//#region src/server-auth/schemas/authenticationProviderSchema.ts
+const authenticationProviderSchema = t.object({
+	name: t.text({ description: "Name of the authentication provider." }),
+	type: t.enum([
+		"OAUTH2",
+		"OIDC",
+		"CREDENTIALS"
+	], { description: "Type of the authentication provider." })
+}, { title: "AuthenticationProvider" });
+
+//#endregion
+//#region src/server-auth/primitives/$authCredentials.ts
 /**
-* Already configured Credentials authentication descriptor.
+* Already configured Credentials authentication primitive.
 *
 * Uses username and password to authenticate users.
 */
 const $authCredentials = (realm, options = {}) => {
 	const name = "credentials";
 	const account = realm.login ? realm.login(name) : options.account;
-	if (!account) throw new AlephaError("Credentials authentication requires a login function in the realm descriptor.");
+	if (!account) throw new AlephaError("Credentials authentication requires a login function in the realm primitive.");
 	return $auth({
 		realm,
 		name,
@@ -3003,9 +1822,9 @@ const $authCredentials = (realm, options = {}) => {
 };
 
 //#endregion
-//#region src/server-auth/descriptors/$authGithub.ts
+//#region src/server-auth/primitives/$authGithub.ts
 /**
-* Already configured GitHub authentication descriptor.
+* Already configured GitHub authentication primitive.
 *
 * Uses OAuth2 to authenticate users via their GitHub accounts.
 * Upon successful authentication, it links the GitHub account to a user session.
@@ -3023,7 +1842,7 @@ const $authGithub = (realm, options = {}) => {
 	const disabled = !env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET;
 	const name = "github";
 	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
-	if (!account) throw new AlephaError("Authentication requires a link function in the realm descriptor.");
+	if (!account) throw new AlephaError("Authentication requires a link function in the realm primitive.");
 	return $auth({
 		realm,
 		name,
@@ -3063,9 +1882,9 @@ const $authGithub = (realm, options = {}) => {
 };
 
 //#endregion
-//#region src/server-auth/descriptors/$authGoogle.ts
+//#region src/server-auth/primitives/$authGoogle.ts
 /**
-* Already configured Google authentication descriptor.
+* Already configured Google authentication primitive.
 *
 * Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
 * Upon successful authentication, it links the Google account to a user session.
@@ -3083,7 +1902,7 @@ const $authGoogle = (realm, options = {}) => {
 	const disabled = !env.GOOGLE_CLIENT_ID || !env.GOOGLE_CLIENT_SECRET;
 	const name = "google";
 	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
-	if (!account) throw new AlephaError("Authentication requires a link function in the realm descriptor.");
+	if (!account) throw new AlephaError("Authentication requires a link function in the realm primitive.");
 	return $auth({
 		realm,
 		name,
@@ -3098,17 +1917,6 @@ const $authGoogle = (realm, options = {}) => {
 	});
 };
 
-//#endregion
-//#region src/server-auth/schemas/authenticationProviderSchema.ts
-const authenticationProviderSchema = t.object({
-	name: t.text({ description: "Name of the authentication provider." }),
-	type: t.enum([
-		"OAUTH2",
-		"OIDC",
-		"CREDENTIALS"
-	], { description: "Type of the authentication provider." })
-}, { title: "AuthenticationProvider" });
-
 //#endregion
 //#region src/server-auth/index.ts
 /**
@@ -3126,10 +1934,10 @@ const authenticationProviderSchema = t.object({
 */
 const AlephaServerAuth = $module({
 	name: "alepha.server.auth",
-	descriptors: [$auth],
+	primitives: [$auth],
 	services: [AlephaServerCookies, ServerAuthProvider]
 });
 
 //#endregion
-export { $auth, $authCredentials, $authGithub, $authGoogle, AlephaServerAuth, AuthDescriptor, ServerAuthProvider, alephaServerAuthRoutes, authenticationProviderSchema, tokenResponseSchema, tokensSchema, userinfoResponseSchema };
+export { $auth, $authCredentials, $authGithub, $authGoogle, AlephaServerAuth, AuthPrimitive, ServerAuthProvider, alephaServerAuthRoutes, authenticationProviderSchema, tokenResponseSchema, tokensSchema, userinfoResponseSchema };
 //# sourceMappingURL=index.js.map