alepha 0.9.2 → 0.9.4

package/redis.d.ts

@@ -1,7 +1,6 @@
-import * as _alepha_core2 from "alepha";
-import * as _alepha_core0$1 from "alepha";
-import * as _alepha_core0 from "alepha";
-import { Alepha, Logger, Static, TNumber, TObject, TOptional, TString } from "alepha";
+import * as _alepha_core1 from "alepha";
+import { Alepha, Static, TNumber, TObject, TOptional, TString } from "alepha";
+import * as _alepha_logger0 from "alepha/logger";
 import { RedisClientType, SetOptions, createClient } from "@redis/client";
 
 //#region src/providers/RedisProvider.d.ts
@@ -22,13 +21,17 @@ type RedisSetOptions = SetOptions;
  * Redis client provider.
  */
 declare class RedisProvider {
-  protected readonly log: Logger;
+  protected readonly log: _alepha_logger0.Logger;
   protected readonly alepha: Alepha;
-  protected readonly env: Static<typeof envSchema>;
+  protected readonly env: {
+    REDIS_PASSWORD?: string | undefined;
+    REDIS_PORT: number;
+    REDIS_HOST: string;
+  };
   protected readonly client: RedisClient;
   get publisher(): RedisClient;
-  protected readonly start: _alepha_core2.HookDescriptor<"start">;
-  protected readonly stop: _alepha_core2.HookDescriptor<"stop">;
+  protected readonly start: _alepha_core1.HookDescriptor<"start">;
+  protected readonly stop: _alepha_core1.HookDescriptor<"stop">;
   /**
    * Connect to the Redis server.
    */
@@ -51,13 +54,13 @@ declare class RedisProvider {
 //#endregion
 //#region src/providers/RedisSubscriberProvider.d.ts
 declare class RedisSubscriberProvider {
-  protected readonly log: Logger;
+  protected readonly log: _alepha_logger0.Logger;
   protected readonly alepha: Alepha;
   protected readonly redisProvider: RedisProvider;
   protected readonly client: RedisClient;
   get subscriber(): RedisClient;
-  protected readonly start: _alepha_core0$1.HookDescriptor<"start">;
-  protected readonly stop: _alepha_core0$1.HookDescriptor<"stop">;
+  protected readonly start: _alepha_core1.HookDescriptor<"start">;
+  protected readonly stop: _alepha_core1.HookDescriptor<"stop">;
   connect(): Promise<void>;
   close(): Promise<void>;
   /**
@@ -65,7 +68,6 @@ declare class RedisSubscriberProvider {
    */
   protected createClient(): RedisClient;
 }
-//# sourceMappingURL=RedisSubscriberProvider.d.ts.map
 //#endregion
 //#region src/index.d.ts
 /**
@@ -74,9 +76,7 @@ declare class RedisSubscriberProvider {
  * @see {@link RedisProvider}
  * @module alepha.redis
  */
-declare const AlephaRedis: _alepha_core0.ModuleDescriptor;
-//# sourceMappingURL=index.d.ts.map
-
+declare const AlephaRedis: _alepha_core1.Service<_alepha_core1.Module>;
 //#endregion
 export { AlephaRedis, RedisClient, RedisClientOptions, RedisProvider, RedisSetOptions, RedisSubscriberProvider };
 //# sourceMappingURL=index.d.ts.map

package/retry.d.ts

@@ -84,20 +84,16 @@ interface RetryBackoffOptions {
    */
   jitter?: boolean;
 }
-//# sourceMappingURL=$retry.d.ts.map
 //#endregion
 //#region src/errors/RetryCancelError.d.ts
 declare class RetryCancelError extends AlephaError {
   constructor();
 }
-//# sourceMappingURL=RetryCancelError.d.ts.map
 //#endregion
 //#region src/errors/RetryTimeoutError.d.ts
 declare class RetryTimeoutError extends AlephaError {
   constructor(duration: number);
 }
-//# sourceMappingURL=RetryTimeoutError.d.ts.map
-
 //#endregion
 export { $retry, RetryBackoffOptions, RetryCancelError, RetryDescriptor, RetryDescriptorFn, RetryDescriptorOptions, RetryTimeoutError };
 //# sourceMappingURL=index.d.ts.map

package/router.d.ts

@@ -39,7 +39,6 @@ interface Tree<T extends Route> {
     route: T;
   };
 }
-//# sourceMappingURL=RouterProvider.d.ts.map
 //#endregion
 export { Route, RouteMatch, RouterProvider, Tree };
 //# sourceMappingURL=index.d.ts.map

package/scheduler.d.ts

@@ -1,9 +1,8 @@
 import * as _alepha_core4 from "alepha";
-import * as _alepha_core0$1 from "alepha";
-import * as _alepha_core0 from "alepha";
 import { Alepha, Async, Descriptor, KIND, Static } from "alepha";
 import * as _alepha_lock0 from "alepha/lock";
 import { DateTime, DateTimeProvider, DurationLike } from "alepha/datetime";
+import * as _alepha_logger0 from "alepha/logger";
 import { Cron } from "cron-schedule";
 import * as dayjs0 from "dayjs";
 
@@ -11,7 +10,7 @@ import * as dayjs0 from "dayjs";
 declare class CronProvider {
   protected readonly dt: DateTimeProvider;
   protected readonly alepha: Alepha;
-  protected readonly log: _alepha_core4.Logger;
+  protected readonly log: _alepha_logger0.Logger;
   protected readonly cronJobs: Array<CronJob>;
   getCronJobs(): Array<CronJob>;
   protected readonly start: _alepha_core4.HookDescriptor<"start">;
@@ -40,7 +39,6 @@ interface CronJob {
   onError?: (error: Error) => void;
   abort: AbortController;
 }
-//# sourceMappingURL=CronProvider.d.ts.map
 //#endregion
 //#region src/descriptors/$scheduler.d.ts
 /**
@@ -79,14 +77,14 @@ type SchedulerDescriptorOptions = {
    */
   lock?: boolean;
 };
-declare const envSchema: _alepha_core0$1.TObject<{
-  SCHEDULER_PREFIX: _alepha_core0$1.TOptional<_alepha_core0$1.TString>;
+declare const envSchema: _alepha_core4.TObject<{
+  SCHEDULER_PREFIX: _alepha_core4.TOptional<_alepha_core4.TString>;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema>> {}
 }
 declare class SchedulerDescriptor extends Descriptor<SchedulerDescriptorOptions> {
-  protected readonly log: _alepha_core0$1.Logger;
+  protected readonly log: _alepha_logger0.Logger;
   protected readonly env: {
     SCHEDULER_PREFIX?: string | undefined;
   };
@@ -111,9 +109,7 @@ interface SchedulerHandlerArguments {
  * @see {@link $scheduler}
  * @module alepha.scheduler
  */
-declare const AlephaScheduler: _alepha_core0.ModuleDescriptor;
-//# sourceMappingURL=index.d.ts.map
-
+declare const AlephaScheduler: _alepha_core4.Service<_alepha_core4.Module>;
 //#endregion
 export { $scheduler, AlephaScheduler, SchedulerDescriptor, SchedulerDescriptorOptions, SchedulerHandlerArguments };
 //# sourceMappingURL=index.d.ts.map

package/security.d.ts

@@ -1,50 +1,37 @@
-import * as _alepha_core0$1 from "alepha";
 import * as _alepha_core1 from "alepha";
-import * as _alepha_core0 from "alepha";
 import { Alepha, Descriptor, KIND, Static } from "alepha";
-import { DateTimeProvider } from "alepha/datetime";
+import * as _alepha_logger1 from "alepha/logger";
+import { DateTimeProvider, Duration, DurationLike } from "alepha/datetime";
 import { CryptoKey, FlattenedJWSInput, JSONWebKeySet, JWSHeaderParameters, JWTHeaderParameters, JWTPayload, JWTVerifyResult, KeyObject } from "jose";
 import * as _sinclair_typebox13 from "@sinclair/typebox";
-import * as _sinclair_typebox0 from "@sinclair/typebox";
+import { JWTVerifyOptions } from "jose/jwt/verify";
 
-//#region src/interfaces/UserAccountInfo.d.ts
-/**
- * Represents a User Account extracted from JWT.
- */
-interface UserAccountInfo {
-  /**
-   * ID of user account. Based on JWT.sub.
-   */
-  id: string;
-  /**
-   * Represents the roles assigned to a user.
-   */
-  roles?: string[];
-  /**
-   * User full name, if available.
-   */
-  name?: string;
-  /**
-   * User email, if available.
-   */
-  email?: string;
-  /**
-   * User profile picture URL, if available.
-   */
-  picture?: string;
-  /**
-   * Organization ID, if available.
-   */
-  organization?: string;
-}
-//# sourceMappingURL=UserAccountInfo.d.ts.map
+//#region src/schemas/userAccountInfoSchema.d.ts
+declare const userAccountInfoSchema: _sinclair_typebox13.TObject<{
+  id: _sinclair_typebox13.TString;
+  name: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  email: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  username: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  picture: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  sessionId: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  organizations: _sinclair_typebox13.TOptional<_sinclair_typebox13.TArray<_sinclair_typebox13.TString>>;
+  roles: _sinclair_typebox13.TOptional<_sinclair_typebox13.TArray<_sinclair_typebox13.TString>>;
+}>;
+type UserAccount = Static<typeof userAccountInfoSchema>;
 //#endregion
 //#region src/interfaces/UserAccountToken.d.ts
-interface UserAccountToken extends UserAccountInfo {
+/**
+ * Add contextual metadata to a user account info.
+ * E.g. UserAccountToken is a UserAccountInfo during a request.
+ */
+interface UserAccountToken extends UserAccount {
   /**
    * Access token for the user.
    */
   token?: string;
+  /**
+   * Realm name of the user.
+   */
   realm?: string;
   /**
    * Is user dedicated to his own resources for this scope ?
@@ -52,7 +39,6 @@ interface UserAccountToken extends UserAccountInfo {
    */
   ownership?: string | boolean;
 }
-//# sourceMappingURL=UserAccountToken.d.ts.map
 //#endregion
 //#region src/schemas/permissionSchema.d.ts
 declare const permissionSchema: _sinclair_typebox13.TObject<{
@@ -63,30 +49,29 @@ declare const permissionSchema: _sinclair_typebox13.TObject<{
   path: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
 }>;
 type Permission = Static<typeof permissionSchema>;
-//# sourceMappingURL=permissionSchema.d.ts.map
 //#endregion
 //#region src/schemas/roleSchema.d.ts
-declare const roleSchema: _sinclair_typebox0.TObject<{
-  name: _sinclair_typebox0.TString;
-  description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  default: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-  permissions: _sinclair_typebox0.TArray<_sinclair_typebox0.TObject<{
-    name: _sinclair_typebox0.TString;
-    ownership: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-    exclude: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+declare const roleSchema: _sinclair_typebox13.TObject<{
+  name: _sinclair_typebox13.TString;
+  description: _sinclair_typebox13.TOptional<_sinclair_typebox13.TString>;
+  default: _sinclair_typebox13.TOptional<_sinclair_typebox13.TBoolean>;
+  permissions: _sinclair_typebox13.TArray<_sinclair_typebox13.TObject<{
+    name: _sinclair_typebox13.TString;
+    ownership: _sinclair_typebox13.TOptional<_sinclair_typebox13.TBoolean>;
+    exclude: _sinclair_typebox13.TOptional<_sinclair_typebox13.TArray<_sinclair_typebox13.TString>>;
   }>>;
 }>;
 type Role = Static<typeof roleSchema>;
-//# sourceMappingURL=roleSchema.d.ts.map
 //#endregion
 //#region src/providers/JwtProvider.d.ts
 /**
  * Provides utilities for working with JSON Web Tokens (JWT).
  */
 declare class JwtProvider {
-  protected readonly log: _alepha_core0$1.Logger;
+  protected readonly log: _alepha_logger1.Logger;
   protected readonly keystore: KeyLoaderHolder[];
   protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly encoder: TextEncoder;
   /**
    * Adds a key loader to the embedded keystore.
    *
@@ -101,30 +86,17 @@ declare class JwtProvider {
    *
    * @return A Promise that resolves with the payload object from the token.
    */
-  parse(token: string): Promise<JwtParseResult>;
+  parse(token: string, keyName?: string, options?: JWTVerifyOptions): Promise<JwtParseResult>;
   /**
    * Creates a JWT token with the provided payload and secret key.
    *
    * @param payload - The payload to be encoded in the token.
    * 	It should include the `realm_access` property which contains an array of roles.
    * @param keyName - The name of the key to use when signing the token.
-   * @param signOptions - The options to use when signing the token.
    *
    * @returns The signed JWT token.
    */
   create(payload: ExtendedJWTPayload, keyName?: string, signOptions?: JwtSignOptions): Promise<string>;
-  /**
-   * Retrieves the options to use when signing a JWT token.
-   *
-   * @returns The JWT sign options.
-   */
-  signOptions(): JwtSignOptions;
-  /**
-   * Retrieves the first secret key from the keystore.
-   *
-   * @protected
-   */
-  protected getFirstSecretKey(): string | undefined;
   /**
    * Determines if the provided key is a secret key.
    *
@@ -132,16 +104,6 @@ declare class JwtProvider {
    * @protected
    */
   protected isSecretKey(key: string): boolean;
-  /**
-   * Try to find a realm name or something similar in the token.
-   *
-   * This is useful when the token is not encrypted and API has multiple realms.
-   * Instead of trying to verify the token with all keys, we can try to find the key !
-   *
-   * @param token
-   * @protected
-   */
-  protected tryToGetKeyLoaderFromToken(token: string): KeyLoaderHolder | undefined;
 }
 type KeyLoader = (protectedHeader?: JWSHeaderParameters, token?: FlattenedJWSInput) => Promise<CryptoKey | KeyObject>;
 interface KeyLoaderHolder {
@@ -150,13 +112,14 @@ interface KeyLoaderHolder {
   secretKey?: string;
 }
 interface JwtSignOptions {
-  issuedAt?: boolean;
-  protectedHeader?: JWTHeaderParameters;
-  expiresIn?: number;
+  header?: Partial<JWTHeaderParameters>;
 }
 interface ExtendedJWTPayload extends JWTPayload {
+  sid?: string;
   name?: string;
   roles?: string[];
+  email?: string;
+  organizations?: string[];
   realm_access?: {
     roles: string[];
   };
@@ -165,7 +128,6 @@ interface JwtParseResult {
   keyName: string;
   result: JWTVerifyResult<ExtendedJWTPayload>;
 }
-//# sourceMappingURL=JwtProvider.d.ts.map
 //#endregion
 //#region src/providers/SecurityProvider.d.ts
 declare const envSchema: _alepha_core1.TObject<{
@@ -175,10 +137,10 @@ declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema>> {}
 }
 declare class SecurityProvider {
-  protected readonly UNKNOWN_USER_NAME = "Unknown User";
+  protected readonly UNKNOWN_USER_NAME = "Anonymous User";
   protected readonly PERMISSION_REGEXP: RegExp;
   protected readonly PERMISSION_REGEXP_WILDCARD: RegExp;
-  protected readonly log: _alepha_core1.Logger;
+  protected readonly log: _alepha_logger1.Logger;
   protected readonly jwt: JwtProvider;
   protected readonly env: {
     SECURITY_SECRET_KEY: string;
@@ -192,8 +154,7 @@ declare class SecurityProvider {
    * The realms configured for the security provider.
    */
   protected readonly realms: Realm[];
-  protected configure: _alepha_core1.HookDescriptor<"configure">;
-  protected ready: _alepha_core1.HookDescriptor<"ready">;
+  protected configure: _alepha_core1.HookDescriptor<"start">;
   /**
    * Adds a role to one or more realms.
    *
@@ -225,7 +186,7 @@ declare class SecurityProvider {
    *
    * @returns The user info created from the payload.
    */
-  createInfoFromPayload(payload: JWTPayload, realmName?: string): UserAccountInfo;
+  createUserFromPayload(payload: JWTPayload, realmName?: string): UserAccount;
   /**
    * Checks if the user has the specified permission.
    *
@@ -241,7 +202,11 @@ declare class SecurityProvider {
    * @param headerOrToken
    * @param permissionLike
    */
-  createUserFromToken(headerOrToken?: string, permission?: Permission | string): Promise<UserAccountToken>;
+  createUserFromToken(headerOrToken?: string, options?: {
+    permission?: Permission | string;
+    realm?: string;
+    verify?: JWTVerifyOptions;
+  }): Promise<UserAccountToken>;
   /**
    * Checks if a user has a specific role.
    *
@@ -285,6 +250,7 @@ declare class SecurityProvider {
    * @return The user ID as a string.
    */
   getIdFromPayload(payload: Record<string, any>): string;
+  getSessionIdFromPayload(payload: Record<string, any>): string | undefined;
   /**
    * Retrieves the roles from the provided payload object.
    * @param payload - The payload object from which to extract the roles.
@@ -292,6 +258,7 @@ declare class SecurityProvider {
    */
   getRolesFromPayload(payload: Record<string, any>): string[];
   getPictureFromPayload(payload: Record<string, any>): string | undefined;
+  getUsernameFromPayload(payload: Record<string, any>): string | undefined;
   getEmailFromPayload(payload: Record<string, any>): string | undefined;
   /**
    * Returns the name from the given payload.
@@ -300,7 +267,7 @@ declare class SecurityProvider {
    * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.
    */
   getNameFromPayload(payload: Record<string, any>): string;
-  getOrganizationFromPayload(payload: Record<string, any>): string | undefined;
+  getOrganizationsFromPayload(payload: Record<string, any>): string[] | undefined;
 }
 /**
  * A realm definition.
@@ -313,29 +280,17 @@ interface Realm {
    *
    * Can be also a JWKS URL.
    */
-  secret?: string | JSONWebKeySet;
+  secret?: string | JSONWebKeySet | (() => string);
   /**
-   * Attach a user provider to the realm.
-   *
-   * This is useful when you want to use a custom user provider for a specific realm.
+   * Create the user account info based on the raw JWT payload.
+   * By default, SecurityProvider has his own implementation, but this method allow to override it.
    */
-  userAccountProvider?: SecurityUserAccountProvider;
-  onLoadUser?: (user: UserAccountInfo) => Promise<void> | void;
-}
-interface SecurityUserAccountProvider {
-  jwks: string | undefined;
-  synchronize(config: RealmConfig): Promise<void>;
+  profile?: (raw: Record<string, any>) => UserAccount;
 }
 interface SecurityCheckResult {
   isAuthorized: boolean;
   ownership: string | boolean | undefined;
 }
-interface RealmConfig {
-  roles?: Array<Role>;
-  smtp?: {
-    host?: string;
-  };
-}
 //#endregion
 //#region src/descriptors/$permission.d.ts
 /**
@@ -367,50 +322,85 @@ declare class PermissionDescriptor extends Descriptor<PermissionDescriptorOption
   /**
    * Check if the user has the permission.
    */
-  can(user: UserAccountInfo): boolean;
+  can(user: UserAccount): boolean;
 }
-//# sourceMappingURL=$permission.d.ts.map
 //#endregion
 //#region src/descriptors/$realm.d.ts
 /**
  * Create a new realm.
  */
 declare const $realm: {
-  (options?: RealmDescriptorOptions): RealmDescriptor;
+  (options: RealmDescriptorOptions): RealmDescriptor;
   [KIND]: typeof RealmDescriptor;
 };
-interface RealmDescriptorOptions {
+type RealmDescriptorOptions = {
   /**
    * Define the realm name.
-   *
-   * @default key name
+   * If not provided, it will use the property key.
    */
   name?: string;
   /**
-   * Describe the realm.
+   * Short description about the realm.
    */
   description?: string;
   /**
    * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).
    */
   roles?: Array<string | Role>;
+  settings?: RealmSettings;
+  /**
+   * Parse the JWT payload to create a user account info.
+   */
+  profile?: (jwtPayload: Record<string, any>) => UserAccount;
+} & (RealmInternal | RealmExternal);
+interface RealmSettings {
+  accessToken?: {
+    /**
+     * Lifetime of the access token.
+     * @default 15 minutes
+     */
+    expiration?: DurationLike;
+  };
+  refreshToken?: {
+    /**
+     * Lifetime of the refresh token.
+     * @default 30 days
+     */
+    expiration?: DurationLike;
+  };
+  onCreateSession?: (user: UserAccount, config: {
+    expiresIn: number;
+  }) => Promise<{
+    refreshToken: string;
+    sessionId?: string;
+  }>;
+  onRefreshSession?: (refreshToken: string) => Promise<{
+    user: UserAccount;
+    expiresIn: number;
+    sessionId?: string;
+  }>;
+  onDeleteSession?: (refreshToken: string) => Promise<void>;
+}
+type RealmInternal = {
   /**
-   * In order to verify user of the realm, a secret is required.
-   * Can be a string based secret or a JWKS URL.
-   *
-   * Note: You can skip this if you are using a user account provider with JWKS.
+   * Internal secret to sign JWT tokens and verify them.
    */
-  secret?: string | JSONWebKeySet | (() => string);
+  secret: string;
+};
+interface RealmExternal {
   /**
-   * Attach a user account provider to the realm to manage roles.
-   * For example, you can use a KeycloakUserProvider to automatically create realm roles inside Keycloak.
+   * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.
    */
-  userAccountProvider?: SecurityUserAccountProvider | (() => SecurityUserAccountProvider);
+  jwks: (() => string) | JSONWebKeySet;
 }
 declare class RealmDescriptor extends Descriptor<RealmDescriptorOptions> {
   protected readonly securityProvider: SecurityProvider;
+  protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly jwt: JwtProvider;
+  protected readonly log: _alepha_logger1.Logger;
   get name(): string;
+  get accessTokenExpiration(): Duration;
+  get refreshTokenExpiration(): Duration;
   protected onInit(): void;
   /**
    * Get all roles in the realm.
@@ -424,12 +414,34 @@ declare class RealmDescriptor extends Descriptor<RealmDescriptorOptions> {
    * Get a role by name, throws an error if not found.
    */
   getRoleByName(name: string): Role;
+  parseToken(token: string): Promise<JWTPayload>;
   /**
    * Create a token for the subject.
    */
-  createToken(subject: string, roles?: string[]): Promise<string>;
+  createToken(user: UserAccount, refreshToken?: {
+    sid?: string;
+    refresh_token?: string;
+    refresh_token_expires_in?: number;
+  }): Promise<AccessTokenResponse>;
+  refreshToken(refreshToken: string, accessToken?: string): Promise<{
+    tokens: AccessTokenResponse;
+    user: UserAccount;
+  }>;
+}
+interface CreateTokenOptions {
+  sub: string;
+  roles?: string[];
+  email?: string;
+}
+interface AccessTokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in?: number;
+  issued_at: number;
+  refresh_token?: string;
+  refresh_token_expires_in?: number;
+  scope?: string;
 }
-//# sourceMappingURL=$realm.d.ts.map
 //#endregion
 //#region src/descriptors/$role.d.ts
 /**
@@ -463,7 +475,6 @@ declare class RoleDescriptor extends Descriptor<RoleDescriptorOptions> {
    */
   get realm(): string | RealmDescriptor | undefined;
 }
-//# sourceMappingURL=$role.d.ts.map
 //#endregion
 //#region src/descriptors/$serviceAccount.d.ts
 /**
@@ -500,13 +511,9 @@ type ServiceAccountDescriptorOptions = {
 } & ({
   oauth2: Oauth2ServiceAccountDescriptorOptions;
 } | {
-  jwt: JwtServiceAccountDescriptorOptions;
+  realm: RealmDescriptor;
+  user: UserAccount;
 });
-interface JwtServiceAccountDescriptorOptions {
-  secret: string;
-  roles?: string[];
-  signOptions?: JwtSignOptions;
-}
 interface Oauth2ServiceAccountDescriptorOptions {
   /**
    * Get Token URL.
@@ -524,36 +531,33 @@ interface Oauth2ServiceAccountDescriptorOptions {
 interface ServiceAccountDescriptor {
   token: () => Promise<string>;
 }
-interface AccessTokenResponse {
-  access_token: string;
-  expires_in: number;
-  at: number;
-}
 interface ServiceAccountStore {
   response?: AccessTokenResponse;
 }
-//# sourceMappingURL=$serviceAccount.d.ts.map
 //#endregion
 //#region src/errors/InvalidPermissionError.d.ts
 declare class InvalidPermissionError extends Error {
   constructor(name: string);
 }
-//# sourceMappingURL=InvalidPermissionError.d.ts.map
 //#endregion
 //#region src/errors/SecurityError.d.ts
 declare class SecurityError extends Error {
+  name: string;
   readonly status = 403;
-  readonly code = "ERR_SECURITY";
 }
-//# sourceMappingURL=SecurityError.d.ts.map
-
+//#endregion
+//#region src/providers/CryptoProvider.d.ts
+declare class CryptoProvider {
+  hashPassword(password: string): Promise<string>;
+  verifyPassword(password: string, stored: string): Promise<boolean>;
+}
 //#endregion
 //#region src/index.d.ts
 declare module "alepha" {
   interface Hooks {
     "security:user:created": {
       realm: string;
-      user: UserAccountInfo;
+      user: UserAccount;
     };
   }
 }
@@ -569,9 +573,7 @@ declare module "alepha" {
  * @see {@link $permission}
  * @module alepha.security
  */
-declare const AlephaSecurity: _alepha_core0.ModuleDescriptor;
-//# sourceMappingURL=index.d.ts.map
-
+declare const AlephaSecurity: _alepha_core1.Service<_alepha_core1.Module>;
 //#endregion
-export { $permission, $realm, $role, $serviceAccount, AccessTokenResponse, AlephaSecurity, ExtendedJWTPayload, InvalidPermissionError, JwtParseResult, JwtProvider, JwtServiceAccountDescriptorOptions, JwtSignOptions, KeyLoader, KeyLoaderHolder, Oauth2ServiceAccountDescriptorOptions, Permission, PermissionDescriptor, PermissionDescriptorOptions, Realm, RealmConfig, RealmDescriptor, RealmDescriptorOptions, Role, RoleDescriptor, RoleDescriptorOptions, SecurityCheckResult, SecurityError, SecurityProvider, SecurityUserAccountProvider, ServiceAccountDescriptor, ServiceAccountDescriptorOptions, ServiceAccountStore, UserAccountInfo, UserAccountToken, permissionSchema, roleSchema };
+export { $permission, $realm, $role, $serviceAccount, AccessTokenResponse, AlephaSecurity, CreateTokenOptions, CryptoProvider, ExtendedJWTPayload, InvalidPermissionError, JwtParseResult, JwtProvider, JwtSignOptions, KeyLoader, KeyLoaderHolder, Oauth2ServiceAccountDescriptorOptions, Permission, PermissionDescriptor, PermissionDescriptorOptions, Realm, RealmDescriptor, RealmDescriptorOptions, RealmExternal, RealmInternal, RealmSettings, Role, RoleDescriptor, RoleDescriptorOptions, SecurityCheckResult, SecurityError, SecurityProvider, ServiceAccountDescriptor, ServiceAccountDescriptorOptions, ServiceAccountStore, UserAccount, UserAccountToken, permissionSchema, roleSchema, userAccountInfoSchema };
 //# sourceMappingURL=index.d.ts.map