bezzie 0.2.1 → 1.0.0

package/README.md

@@ -1,12 +1,12 @@
 # Bezzie
 
-**Bezzie** — your BFF's BFF. Handles the Backend for Frontend OAuth pattern so you don't have to.
-
 [![npm downloads](https://img.shields.io/npm/dw/bezzie)](https://www.npmjs.com/package/bezzie)
 
-A BFF (Backend for Frontend) OAuth 2.0 auth library for Cloudflare Workers.
+> Bezzie is a BFF (Backend for Frontend) OAuth 2.0 library for Cloudflare Workers. It implements [BCP212](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) — your frontend never sees a JWT.
+
+**Bezzie** — your BFF's BFF. Handles the Backend for Frontend OAuth pattern so you don't have to.
 
-Implements the [OAuth 2.0 for Browser-Based Apps (BCP212)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) pattern — JWTs never touch the browser. The BFF owns the OAuth flow and issues a session cookie to the frontend instead.
+The BFF owns the OAuth flow and issues a session cookie to the frontend instead of handing tokens to the browser.
 
 ```
 npm install bezzie
@@ -33,13 +33,13 @@ wrangler secret put AUTH0_CLIENT_SECRET
 
 **4. Wire it up:**
 ```typescript
-import { createBezzie, providers, cloudflareKV } from 'bezzie'
+import { createBezzie, providers, cloudflareKVAdapter } from 'bezzie'
 
 const auth = createBezzie({
   ...providers.auth0('your-tenant.auth0.com'),
   clientId: 'xxx',
   clientSecret: env.AUTH0_CLIENT_SECRET,
-  adapter: cloudflareKV(env.SESSION_KV),
+  adapter: cloudflareKVAdapter(env.SESSION_KV),
   baseUrl: 'https://app.yourproject.com',
 })
 
@@ -75,14 +75,14 @@ There's no open source library for this specific combination (BFF OAuth on Cloud
 ## Usage
 
 ```typescript
-import { createBezzie, providers, cloudflareKV } from 'bezzie'
+import { createBezzie, providers, cloudflareKVAdapter } from 'bezzie'
 
 const auth = createBezzie({
   ...providers.auth0('your-tenant.auth0.com'),
   clientId: 'xxx',
   clientSecret: env.AUTH0_CLIENT_SECRET,
   audience: 'https://api.yourproject.com',
-  adapter: cloudflareKV(env.SESSION_KV),
+  adapter: cloudflareKVAdapter(env.SESSION_KV),
   baseUrl: 'https://app.yourproject.com',
 })
 
@@ -139,18 +139,44 @@ app.all('/api/proxy/*', async (c) => {
 
 ## How It Works
 
-### Login Flow
+### System context
 
+```mermaid
+C4Context
+  title System Context — Bezzie
+
+  Person(user, "User", "Browser application user")
+  System(bezzie, "Cloudflare Worker (bezzie)", "BFF: owns the OAuth flow, issues session cookies to the browser")
+  System_Ext(idp, "Identity Provider", "Auth0 / Okta / Keycloak / Google — issues tokens")
+  System_Ext(upstream, "Upstream API", "Your backend — trusts Bearer tokens forwarded by the Worker")
+
+  Rel(user, bezzie, "HTTPS requests + session cookie")
+  Rel(bezzie, idp, "OIDC discovery, token exchange, token refresh")
+  Rel(bezzie, upstream, "Proxied requests with Authorization: Bearer")
+  Rel(idp, user, "Redirect back after login")
 ```
-Browser → BFF /auth/login → Auth0 (Authorization Code + PKCE)
-                                    │
-                               code returned
-                                    │
-              BFF exchanges code → tokens stored in KV
-              BFF issues HttpOnly session cookie → Browser
+
+### Containers
+
+```mermaid
+C4Container
+  title Container — bezzie deployment
+
+  Person(user, "User")
+  Container(spa, "React SPA", "Cloudflare Pages", "Public landing page + protected dashboard")
+  Container(worker, "Cloudflare Worker", "Hono + bezzie", "BFF: auth routes + request middleware + token management")
+  ContainerDb(kv, "Cloudflare KV", "KVNamespace", "Stores sessions and PKCE state")
+  System_Ext(idp, "Identity Provider", "Auth0 / Okta / Keycloak")
+  System_Ext(upstream, "Upstream API", "Backend services")
+
+  Rel(user, spa, "HTTPS")
+  Rel(spa, worker, "API calls + __Host-session cookie")
+  Rel(worker, kv, "Session read / write / delete")
+  Rel(worker, idp, "OIDC discovery + token exchange + token refresh + JWKS")
+  Rel(worker, upstream, "Authorization: Bearer {accessToken}")
 ```
 
-### Per-Request Flow
+### Per-request flow
 
 1. Browser sends request to BFF with session cookie
 2. BFF looks up session in KV, retrieves access token
@@ -158,16 +184,6 @@ Browser → BFF /auth/login → Auth0 (Authorization Code + PKCE)
 4. If expired, BFF uses refresh token to get a new one and updates KV
 5. BFF forwards request upstream with `Authorization: Bearer <token>`
 
-### Session Storage
-
-Sessions are stored in Cloudflare KV:
-
-```
-sessionId → { accessToken, refreshToken, expiresAt, user }
-```
-
-KV TTL is aligned with the refresh token lifetime. When the refresh token expires, the user must log in again.
-
 ---
 
 ## Adapters
@@ -177,17 +193,22 @@ Bezzie supports multiple session storage backends:
 ### Cloudflare KV
 Recommended for production on Cloudflare Workers.
 ```typescript
-import { cloudflareKV } from 'bezzie'
+import { cloudflareKVAdapter } from 'bezzie'
 // ...
-adapter: cloudflareKV(env.SESSION_KV)
+adapter: cloudflareKVAdapter(env.SESSION_KV)
 ```
 
 ### Redis (Upstash)
-Good for cross-region session consistency.
+Good for cross-region session consistency. Works with [Upstash Redis](https://upstash.com) (recommended for Cloudflare Workers) and any Redis client with `get`/`set`/`del` methods.
+
 ```typescript
-import { RedisAdapter } from 'bezzie'
-// ...
-adapter: new RedisAdapter({ url: env.REDIS_URL, token: env.REDIS_TOKEN })
+import { redisAdapter } from 'bezzie'
+import { Redis } from '@upstash/redis/cloudflare'
+
+adapter: redisAdapter(new Redis({
+  url: env.UPSTASH_REDIS_REST_URL,
+  token: env.UPSTASH_REDIS_REST_TOKEN,
+}))
 ```
 
 ### Memory
@@ -208,9 +229,9 @@ adapter: new MemoryAdapter()
 | `clientId` | `string` | OAuth client ID |
 | `clientSecret` | `string` | OAuth client secret — keep in Workers secrets |
 | `audience` | `string` | API audience identifier |
-| `adapter` | `SessionAdapter` | Session adapter (e.g. `cloudflareKV(env.SESSION_KV)`) |
+| `adapter` | `SessionAdapter` | Session adapter (e.g. `cloudflareKVAdapter(env.SESSION_KV)`) |
 | `baseUrl` | `string` | Base URL of your application (used for callback and redirects) |
-| `providerHints` | `object` | Optional tweaks for specific providers (`logoutUrl`, `tokenEndpoint`) |
+| `providerOverrides` | `object` | Hard overrides for specific provider values (`logoutUrl`, `tokenEndpoint`) |
 
 ---
 
@@ -232,6 +253,20 @@ wrangler secret put AUTH0_CLIENT_SECRET
 
 ---
 
+## Alternatives
+
+| | Bezzie | Auth.js (NextAuth) | Lucia | Roll your own (oauth4webapi) |
+|---|---|---|---|---|
+| BFF pattern (tokens never in browser) | ✅ | ✅ (some adapters) | ❌ | You decide |
+| Cloudflare Workers native | ✅ | ⚠️ Edge adapter | ⚠️ | ✅ |
+| Hono integration | ✅ | ❌ | ❌ | ✅ |
+| OIDC discovery | ✅ | ✅ | ❌ | ✅ |
+| Token refresh | ✅ | ✅ | Manual | Manual |
+| Pluggable session storage | ✅ (KV, Redis, Memory) | ✅ | ✅ | Manual |
+| Zero Node.js deps | ✅ | ❌ | ✅ | ✅ |
+
+---
+
 ## Stack
 
 | Component | Choice |
@@ -249,6 +284,12 @@ v0.1.0 — pre-release
 
 ---
 
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
+---
+
 ## License
 
 MIT

package/dist/adapters/cloudflare-kv.d.ts

@@ -1,5 +1,5 @@
 import { Session } from '../session';
-import { PKCEState, SessionAdapter } from './types';
+import { PKCEState, SessionAdapter, SessionAdapterFactory } from './types';
 export declare class CloudflareKVAdapter<TUser extends Record<string, unknown> = Record<string, unknown>> implements SessionAdapter<TUser> {
     private kv;
     constructor(kv: KVNamespace);
@@ -7,4 +7,8 @@ export declare class CloudflareKVAdapter<TUser extends Record<string, unknown> =
     set(sessionId: string, session: Session<TUser> | PKCEState, ttlSeconds: number): Promise<void>;
     delete(sessionId: string): Promise<void>;
 }
+/**
+ * Creates a Cloudflare KV session adapter factory.
+ */
+export declare function cloudflareKVAdapter(kv: KVNamespace): SessionAdapterFactory;
 //# sourceMappingURL=cloudflare-kv.d.ts.map

package/dist/adapters/cloudflare-kv.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloudflare-kv.d.ts","sourceRoot":"","sources":["../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAEnD,qBAAa,mBAAmB,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAC9F,YAAW,cAAc,CAAC,KAAK,CAAC;IAEpB,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,WAAW;IAE7B,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAIlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IASV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}
+{"version":3,"file":"cloudflare-kv.d.ts","sourceRoot":"","sources":["../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA;AAG1E,qBAAa,mBAAmB,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAC9F,YAAW,cAAc,CAAC,KAAK,CAAC;IAEpB,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,WAAW;IAE7B,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAIlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAYV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,WAAW,GAAG,qBAAqB,CAG1E"}

package/dist/adapters/cloudflare-kv.js

@@ -1,3 +1,4 @@
+import { SessionStoreError } from '../errors';
 export class CloudflareKVAdapter {
     kv;
     constructor(kv) {
@@ -8,7 +9,7 @@ export class CloudflareKVAdapter {
     }
     async set(sessionId, session, ttlSeconds) {
         if (ttlSeconds < 60) {
-            throw new Error('Bezzie: KV TTL must be at least 60 seconds');
+            throw new SessionStoreError('session_storage_failed', 'Bezzie: KV TTL must be at least 60 seconds');
         }
         await this.kv.put(sessionId, JSON.stringify(session), {
             expirationTtl: ttlSeconds,
@@ -18,4 +19,10 @@ export class CloudflareKVAdapter {
         await this.kv.delete(sessionId);
     }
 }
+/**
+ * Creates a Cloudflare KV session adapter factory.
+ */
+export function cloudflareKVAdapter(kv) {
+    return () => new CloudflareKVAdapter(kv);
+}
 //# sourceMappingURL=cloudflare-kv.js.map

package/dist/adapters/cloudflare-kv.js.map

@@ -1 +1 @@
-{"version":3,"file":"cloudflare-kv.js","sourceRoot":"","sources":["../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,mBAAmB;IAGV;IAApB,YAAoB,EAAe;QAAf,OAAE,GAAF,EAAE,CAAa;IAAG,CAAC;IAEvC,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,OAAO,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAA6B,SAAS,EAAE,MAAM,CAAC,CAAA;IACzE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;YACpD,aAAa,EAAE,UAAU;SAC1B,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF"}
+{"version":3,"file":"cloudflare-kv.js","sourceRoot":"","sources":["../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAE7C,MAAM,OAAO,mBAAmB;IAGV;IAApB,YAAoB,EAAe;QAAf,OAAE,GAAF,EAAE,CAAa;IAAG,CAAC;IAEvC,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,OAAO,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAA6B,SAAS,EAAE,MAAM,CAAC,CAAA;IACzE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CACzB,wBAAwB,EACxB,4CAA4C,CAC7C,CAAA;QACH,CAAC;QACD,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;YACpD,aAAa,EAAE,UAAU;SAC1B,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,EAAe;IACjD,OAAO,GAA2F,EAAE,CAClG,IAAI,mBAAmB,CAAQ,EAAE,CAAC,CAAA;AACtC,CAAC"}

package/dist/adapters/memory.d.ts

@@ -1,9 +1,25 @@
 import { Session } from '../session';
-import { SessionAdapter, PKCEState } from './types';
+import { SessionAdapter, SessionAdapterFactory, PKCEState } from './types';
 export declare class MemoryAdapter<TUser extends Record<string, unknown> = Record<string, unknown>> implements SessionAdapter<TUser> {
     private store;
+    private lastCleanup;
+    private static readonly CLEANUP_INTERVAL_MS;
+    /**
+     * Evicts all entries whose TTL has expired.
+     *
+     * Workers runtimes don't support long-lived timers (`setInterval`), so rather
+     * than scheduling cleanup we trigger it opportunistically from `get()` at
+     * most once every `CLEANUP_INTERVAL_MS`. This bounds memory growth for
+     * long-running processes (e.g. local dev, tests) without adding overhead to
+     * every read.
+     */
+    cleanup(): void;
     get(sessionId: string): Promise<Session<TUser> | PKCEState | null>;
     set(sessionId: string, session: Session<TUser> | PKCEState, ttlSeconds: number): Promise<void>;
     delete(sessionId: string): Promise<void>;
 }
+/**
+ * Creates an in-memory session adapter factory. Useful for tests and local dev.
+ */
+export declare function memoryAdapter(): SessionAdapterFactory;
 //# sourceMappingURL=memory.d.ts.map

package/dist/adapters/memory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/adapters/memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAOnD,qBAAa,aAAa,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACxF,YAAW,cAAc,CAAC,KAAK,CAAC;IAEhC,OAAO,CAAC,KAAK,CAA0C;IAEjD,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAUlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAOV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}
+{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/adapters/memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAO1E,qBAAa,aAAa,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACxF,YAAW,cAAc,CAAC,KAAK,CAAC;IAEhC,OAAO,CAAC,KAAK,CAA0C;IACvD,OAAO,CAAC,WAAW,CAAI;IACvB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAEpD;;;;;;;;OAQG;IACH,OAAO,IAAI,IAAI;IAUT,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAgBlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAOV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,qBAAqB,CAGrD"}

package/dist/adapters/memory.js

@@ -1,10 +1,35 @@
 export class MemoryAdapter {
     store = new Map();
+    lastCleanup = 0;
+    static CLEANUP_INTERVAL_MS = 60_000;
+    /**
+     * Evicts all entries whose TTL has expired.
+     *
+     * Workers runtimes don't support long-lived timers (`setInterval`), so rather
+     * than scheduling cleanup we trigger it opportunistically from `get()` at
+     * most once every `CLEANUP_INTERVAL_MS`. This bounds memory growth for
+     * long-running processes (e.g. local dev, tests) without adding overhead to
+     * every read.
+     */
+    cleanup() {
+        const now = Date.now();
+        for (const [id, entry] of this.store) {
+            if (now > entry.expiresAt) {
+                this.store.delete(id);
+            }
+        }
+        this.lastCleanup = now;
+    }
     async get(sessionId) {
+        // Proactive TTL eviction (C6): run at most once per CLEANUP_INTERVAL_MS.
+        const now = Date.now();
+        if (now - this.lastCleanup > MemoryAdapter.CLEANUP_INTERVAL_MS) {
+            this.cleanup();
+        }
         const entry = this.store.get(sessionId);
         if (!entry)
             return null;
-        if (Date.now() > entry.expiresAt) {
+        if (now > entry.expiresAt) {
             this.store.delete(sessionId);
             return null;
         }
@@ -20,4 +45,10 @@ export class MemoryAdapter {
         this.store.delete(sessionId);
     }
 }
+/**
+ * Creates an in-memory session adapter factory. Useful for tests and local dev.
+ */
+export function memoryAdapter() {
+    return () => new MemoryAdapter();
+}
 //# sourceMappingURL=memory.js.map

package/dist/adapters/memory.js.map

@@ -1 +1 @@
-{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/adapters/memory.ts"],"names":[],"mappings":"AAQA,MAAM,OAAO,aAAa;IAGhB,KAAK,GAAG,IAAI,GAAG,EAAgC,CAAA;IAEvD,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAC5B,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,KAAK,CAAC,OAAO,CAAA;IACtB,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACxB,OAAO;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI;SAC1C,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAC9B,CAAC;CACF"}
+{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/adapters/memory.ts"],"names":[],"mappings":"AAQA,MAAM,OAAO,aAAa;IAGhB,KAAK,GAAG,IAAI,GAAG,EAAgC,CAAA;IAC/C,WAAW,GAAG,CAAC,CAAA;IACf,MAAM,CAAU,mBAAmB,GAAG,MAAM,CAAA;IAEpD;;;;;;;;OAQG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;YACvB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,GAAG,CAAA;IACxB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,yEAAyE;QACzE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,IAAI,GAAG,GAAG,IAAI,CAAC,WAAW,GAAG,aAAa,CAAC,mBAAmB,EAAE,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAA;QAChB,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAC5B,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,KAAK,CAAC,OAAO,CAAA;IACtB,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACxB,OAAO;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI;SAC1C,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAC9B,CAAC;;AAGH;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,GAA2F,EAAE,CAClG,IAAI,aAAa,EAAS,CAAA;AAC9B,CAAC"}

package/dist/adapters/redis.d.ts

@@ -1,5 +1,5 @@
 import { Session } from '../session';
-import { SessionAdapter, PKCEState } from './types';
+import { SessionAdapter, SessionAdapterFactory, PKCEState } from './types';
 export interface RedisClient {
     get(key: string): Promise<string | null>;
     set(key: string, value: string, options?: {
@@ -7,6 +7,24 @@ export interface RedisClient {
     }): Promise<unknown>;
     del(key: string): Promise<unknown>;
 }
+/**
+ * Redis-backed session adapter.
+ *
+ * Compatible with any Redis client that implements the {@link RedisClient} interface,
+ * including [Upstash Redis](https://upstash.com) — the recommended choice for Cloudflare Workers
+ * because it communicates over HTTP rather than TCP.
+ *
+ * @example
+ * ```typescript
+ * import { redisAdapter } from 'bezzie'
+ * import { Redis } from '@upstash/redis/cloudflare'
+ *
+ * adapter: redisAdapter(new Redis({
+ *   url: env.UPSTASH_REDIS_REST_URL,
+ *   token: env.UPSTASH_REDIS_REST_TOKEN,
+ * }))
+ * ```
+ */
 export declare class RedisAdapter<TUser extends Record<string, unknown> = Record<string, unknown>> implements SessionAdapter<TUser> {
     private redis;
     constructor(redis: RedisClient);
@@ -14,4 +32,23 @@ export declare class RedisAdapter<TUser extends Record<string, unknown> = Record
     set(sessionId: string, session: Session<TUser> | PKCEState, ttlSeconds: number): Promise<void>;
     delete(sessionId: string): Promise<void>;
 }
+/**
+ * Creates a Redis-backed session adapter factory.
+ *
+ * Accepts any client that satisfies the {@link RedisClient} interface, including
+ * [Upstash Redis](https://upstash.com) (`@upstash/redis/cloudflare`) — recommended for
+ * Cloudflare Workers because it uses the Upstash REST API over HTTP rather than a TCP socket.
+ *
+ * @example
+ * ```typescript
+ * import { redisAdapter } from 'bezzie'
+ * import { Redis } from '@upstash/redis/cloudflare'
+ *
+ * adapter: redisAdapter(new Redis({
+ *   url: env.UPSTASH_REDIS_REST_URL,
+ *   token: env.UPSTASH_REDIS_REST_TOKEN,
+ * }))
+ * ```
+ */
+export declare function redisAdapter(client: RedisClient): SessionAdapterFactory;
 //# sourceMappingURL=redis.d.ts.map

package/dist/adapters/redis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/adapters/redis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAEnD,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC5E,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACnC;AAED,qBAAa,YAAY,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACvF,YAAW,cAAc,CAAC,KAAK,CAAC;IAEpB,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,WAAW;IAEhC,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAMlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAIV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}
+{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/adapters/redis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAE1E,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC5E,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACnC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,YAAY,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACvF,YAAW,cAAc,CAAC,KAAK,CAAC;IAEpB,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,WAAW;IAEhC,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC;IAMlE,GAAG,CACP,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EACnC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAIV,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,qBAAqB,CAGvE"}

package/dist/adapters/redis.js

@@ -1,3 +1,21 @@
+/**
+ * Redis-backed session adapter.
+ *
+ * Compatible with any Redis client that implements the {@link RedisClient} interface,
+ * including [Upstash Redis](https://upstash.com) — the recommended choice for Cloudflare Workers
+ * because it communicates over HTTP rather than TCP.
+ *
+ * @example
+ * ```typescript
+ * import { redisAdapter } from 'bezzie'
+ * import { Redis } from '@upstash/redis/cloudflare'
+ *
+ * adapter: redisAdapter(new Redis({
+ *   url: env.UPSTASH_REDIS_REST_URL,
+ *   token: env.UPSTASH_REDIS_REST_TOKEN,
+ * }))
+ * ```
+ */
 export class RedisAdapter {
     redis;
     constructor(redis) {
@@ -16,4 +34,25 @@ export class RedisAdapter {
         await this.redis.del(sessionId);
     }
 }
+/**
+ * Creates a Redis-backed session adapter factory.
+ *
+ * Accepts any client that satisfies the {@link RedisClient} interface, including
+ * [Upstash Redis](https://upstash.com) (`@upstash/redis/cloudflare`) — recommended for
+ * Cloudflare Workers because it uses the Upstash REST API over HTTP rather than a TCP socket.
+ *
+ * @example
+ * ```typescript
+ * import { redisAdapter } from 'bezzie'
+ * import { Redis } from '@upstash/redis/cloudflare'
+ *
+ * adapter: redisAdapter(new Redis({
+ *   url: env.UPSTASH_REDIS_REST_URL,
+ *   token: env.UPSTASH_REDIS_REST_TOKEN,
+ * }))
+ * ```
+ */
+export function redisAdapter(client) {
+    return () => new RedisAdapter(client);
+}
 //# sourceMappingURL=redis.js.map

package/dist/adapters/redis.js.map

@@ -1 +1 @@
-{"version":3,"file":"redis.js","sourceRoot":"","sources":["../../src/adapters/redis.ts"],"names":[],"mappings":"AASA,MAAM,OAAO,YAAY;IAGH;IAApB,YAAoB,KAAkB;QAAlB,UAAK,GAAL,KAAK,CAAa;IAAG,CAAC;IAE1C,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QAC/C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QACzB,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B,CAAA;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;IAC9E,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF"}
+{"version":3,"file":"redis.js","sourceRoot":"","sources":["../../src/adapters/redis.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,YAAY;IAGH;IAApB,YAAoB,KAAkB;QAAlB,UAAK,GAAL,KAAK,CAAa;IAAG,CAAC;IAE1C,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QAC/C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QACzB,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B,CAAA;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,OAAmC,EACnC,UAAkB;QAElB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;IAC9E,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,OAAO,GAA2F,EAAE,CAClG,IAAI,YAAY,CAAQ,MAAM,CAAC,CAAA;AACnC,CAAC"}

package/dist/adapters/types.d.ts

@@ -15,6 +15,17 @@ export interface PKCEState {
      * URL to redirect to after successful authentication.
      */
     returnTo?: string;
+    /**
+     * CSRF token bound to the user's browser session via the `__Host-pkce-csrf` cookie.
+     * Used to prevent login-CSRF attacks (S4).
+     */
+    csrfToken: string;
+    /**
+     * OIDC `nonce` value. Generated at `/login`, passed in the authorization
+     * request, and verified against the `nonce` claim of the returned ID token
+     * at `/callback` to prevent ID token replay attacks (S8).
+     */
+    nonce: string;
 }
 /**
  * Interface for session storage adapters.
@@ -42,4 +53,12 @@ export interface SessionAdapter<TUser extends Record<string, unknown> = Record<s
      */
     delete(sessionId: string): Promise<void>;
 }
+/**
+ * Factory function that produces a {@link SessionAdapter} for a given `TUser`.
+ *
+ * Consumers construct adapters via the factory form (e.g. `memoryAdapter()`,
+ * `cloudflareKVAdapter(env.SESSION_KV)`) so `TUser` is inferred from
+ * `createBezzie<TUser>(...)` rather than needing to be specified twice.
+ */
+export type SessionAdapterFactory = <TUser extends Record<string, unknown> = Record<string, unknown>>() => SessionAdapter<TUser>;
 //# sourceMappingURL=types.d.ts.map

package/dist/adapters/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/adapters/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEpC;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC7F;;;;;OAKG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC,CAAA;IAElE;;;;;;OAMG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE9F;;;;OAIG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACzC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/adapters/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEpC;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,KAAK,EAAE,MAAM,CAAA;CACd;AAED;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC7F;;;;;OAKG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,IAAI,CAAC,CAAA;IAElE;;;;;;OAMG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE9F;;;;OAIG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACzC;AAED;;;;;;GAMG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,cAAc,CAAC,KAAK,CAAC,CAAA"}

package/dist/discovery.d.ts

@@ -1,10 +1,21 @@
 import * as oauth from 'oauth4webapi';
-import type { BezzieConfig } from './index';
+/**
+ * Minimal config shape that discovery needs — it only reads `issuer` and
+ * `providerOverrides.tokenEndpoint`. Accepting this interface (rather than
+ * `BezzieConfig`) avoids a generic parameter that has no bearing on discovery.
+ */
+interface DiscoveryConfig {
+    issuer: string;
+    providerOverrides?: {
+        tokenEndpoint?: string;
+    };
+}
 export interface DiscoveryCache {
     cachedAS: oauth.AuthorizationServer | null;
     cacheExpiresAt: number;
     jwksCache: oauth.JWKSCacheInput;
 }
 export declare function createDiscoveryCache(): DiscoveryCache;
-export declare function getAuthorizationServer(config: BezzieConfig, cache: DiscoveryCache): Promise<oauth.AuthorizationServer>;
+export declare function getAuthorizationServer(config: DiscoveryConfig, cache: DiscoveryCache): Promise<oauth.AuthorizationServer>;
+export {};
 //# sourceMappingURL=discovery.d.ts.map

package/dist/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAE3C,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAA;IAC1C,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,KAAK,CAAC,cAAc,CAAA;CAChC;AAED,wBAAgB,oBAAoB,IAAI,cAAc,CAErD;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,YAAY,EACpB,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAoBpC"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AAGrC;;;;GAIG;AACH,UAAU,eAAe;IACvB,MAAM,EAAE,MAAM,CAAA;IACd,iBAAiB,CAAC,EAAE;QAClB,aAAa,CAAC,EAAE,MAAM,CAAA;KACvB,CAAA;CACF;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAA;IAC1C,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,KAAK,CAAC,cAAc,CAAA;CAChC;AAED,wBAAgB,oBAAoB,IAAI,cAAc,CAErD;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAoBpC"}

package/dist/discovery.js

@@ -1,4 +1,5 @@
 import * as oauth from 'oauth4webapi';
+import { DiscoveryError } from './errors';
 export function createDiscoveryCache() {
     return { cachedAS: null, cacheExpiresAt: 0, jwksCache: {} };
 }
@@ -8,17 +9,17 @@ export async function getAuthorizationServer(config, cache) {
     }
     const issuer = new URL(config.issuer);
     try {
-        const response = await oauth.discoveryRequest(issuer);
+        const response = await oauth.discoveryRequest(issuer, { signal: AbortSignal.timeout(5000) });
         const as = await oauth.processDiscoveryResponse(issuer, response);
-        const cachedAS = config.providerHints?.tokenEndpoint
-            ? { ...as, token_endpoint: config.providerHints.tokenEndpoint }
+        const cachedAS = config.providerOverrides?.tokenEndpoint
+            ? { ...as, token_endpoint: config.providerOverrides.tokenEndpoint }
             : as;
         cache.cachedAS = cachedAS;
         cache.cacheExpiresAt = Date.now() + 60 * 60 * 1000;
         return cachedAS;
     }
     catch (err) {
-        throw new Error(`Bezzie: OIDC discovery failed for ${config.issuer}: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
+        throw new DiscoveryError(`Bezzie: OIDC discovery failed for ${config.issuer}: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
     }
 }
 //# sourceMappingURL=discovery.js.map

package/dist/discovery.js.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AASrC,MAAM,UAAU,oBAAoB;IAClC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAA;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAoB,EACpB,KAAqB;IAErB,IAAI,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC,QAAQ,CAAA;IACvB,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACrC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAA;QACrD,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,EAAE,aAAa;YAClD,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,CAAC,aAAa,CAAC,aAAa,EAAE;YAC/D,CAAC,CAAC,EAAE,CAAA;QACN,KAAK,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACzB,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;QAClD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,qCAAqC,MAAM,CAAC,MAAM,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzG,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAA;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAoBzC,MAAM,UAAU,oBAAoB;IAClC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAA;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAuB,EACvB,KAAqB;IAErB,IAAI,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC,QAAQ,CAAA;IACvB,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACrC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC5F,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,iBAAiB,EAAE,aAAa;YACtD,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,aAAa,EAAE;YACnE,CAAC,CAAC,EAAE,CAAA;QACN,KAAK,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACzB,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;QAClD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,cAAc,CACtB,qCAAqC,MAAM,CAAC,MAAM,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzG,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,28 @@
+export type BezzieErrorCode = 'discovery_failed' | 'callback_invalid_state' | 'callback_provider_error' | 'token_exchange_failed' | 'refresh_failed' | 'refresh_token_revoked' | 'session_storage_failed' | 'session_not_found' | 'config_invalid';
+export interface BezzieErrorOptions {
+    cause?: unknown;
+    httpStatus?: number;
+    oauthError?: string;
+    oauthErrorDescription?: string;
+}
+export declare class BezzieError extends Error {
+    readonly code: BezzieErrorCode;
+    readonly httpStatus?: number;
+    readonly oauthError?: string;
+    readonly oauthErrorDescription?: string;
+    constructor(code: BezzieErrorCode, message: string, opts?: BezzieErrorOptions);
+}
+export declare class DiscoveryError extends BezzieError {
+    constructor(message: string, opts?: BezzieErrorOptions);
+}
+export declare class CallbackError extends BezzieError {
+}
+export declare class TokenExchangeError extends BezzieError {
+}
+export declare class RefreshError extends BezzieError {
+}
+export declare class SessionStoreError extends BezzieError {
+}
+export declare class ConfigError extends BezzieError {
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAClB,wBAAwB,GACxB,yBAAyB,GACzB,uBAAuB,GACvB,gBAAgB,GAChB,uBAAuB,GACvB,wBAAwB,GACxB,mBAAmB,GACnB,gBAAgB,CAAA;AAEpB,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,qBAAqB,CAAC,EAAE,MAAM,CAAA;CAC/B;AAED,qBAAa,WAAY,SAAQ,KAAK;IACpC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAA;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAA;gBAE3B,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,kBAAuB;CASlF;AAED,qBAAa,cAAe,SAAQ,WAAW;gBACjC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,kBAAkB;CAGvD;AAED,qBAAa,aAAc,SAAQ,WAAW;CAAG;AACjD,qBAAa,kBAAmB,SAAQ,WAAW;CAAG;AACtD,qBAAa,YAAa,SAAQ,WAAW;CAAG;AAChD,qBAAa,iBAAkB,SAAQ,WAAW;CAAG;AACrD,qBAAa,WAAY,SAAQ,WAAW;CAAG"}

package/dist/errors.js

@@ -0,0 +1,31 @@
+export class BezzieError extends Error {
+    code;
+    httpStatus;
+    oauthError;
+    oauthErrorDescription;
+    constructor(code, message, opts = {}) {
+        super(message, { cause: opts.cause });
+        this.name = this.constructor.name;
+        this.code = code;
+        this.httpStatus = opts.httpStatus;
+        this.oauthError = opts.oauthError;
+        this.oauthErrorDescription = opts.oauthErrorDescription;
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+export class DiscoveryError extends BezzieError {
+    constructor(message, opts) {
+        super('discovery_failed', message, opts);
+    }
+}
+export class CallbackError extends BezzieError {
+}
+export class TokenExchangeError extends BezzieError {
+}
+export class RefreshError extends BezzieError {
+}
+export class SessionStoreError extends BezzieError {
+}
+export class ConfigError extends BezzieError {
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAkBA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAC3B,IAAI,CAAiB;IACrB,UAAU,CAAS;IACnB,UAAU,CAAS;IACnB,qBAAqB,CAAS;IAEvC,YAAY,IAAqB,EAAE,OAAe,EAAE,OAA2B,EAAE;QAC/E,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAA;QACrC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;QAChB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,CAAA;QACvD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IACnD,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,WAAW;IAC7C,YAAY,OAAe,EAAE,IAAyB;QACpD,KAAK,CAAC,kBAAkB,EAAE,OAAO,EAAE,IAAI,CAAC,CAAA;IAC1C,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,WAAW;CAAG;AACjD,MAAM,OAAO,kBAAmB,SAAQ,WAAW;CAAG;AACtD,MAAM,OAAO,YAAa,SAAQ,WAAW;CAAG;AAChD,MAAM,OAAO,iBAAkB,SAAQ,WAAW;CAAG;AACrD,MAAM,OAAO,WAAY,SAAQ,WAAW;CAAG"}