clearauth 0.3.0

package/dist/auth/register.d.ts

@@ -0,0 +1,72 @@
+/**
+ * User Registration
+ *
+ * Handles user registration with email and password:
+ * - Email and password validation
+ * - Password hashing using Argon2id
+ * - User creation with email_verified=false
+ * - Email verification token generation
+ * - Initial session creation
+ */
+import type { Kysely } from 'kysely';
+import type { Database, User } from '../database/schema.js';
+import type { RequestContext } from '../types.js';
+import type { PasswordHasher } from '../password-hasher.js';
+/**
+ * Register a new user with email and password
+ *
+ * Creates a new user account with the provided email and password.
+ * The password is hashed using Argon2id before storage.
+ * An email verification token is generated and stored.
+ * An initial session is created for the user.
+ *
+ * @param db - Kysely database instance
+ * @param email - User's email address
+ * @param password - User's password (plain text, will be hashed)
+ * @param context - Optional request context (IP address, user agent)
+ * @returns User record, session ID, and verification token
+ * @throws {AuthError} If validation fails or user already exists
+ *
+ * @example
+ * ```ts
+ * const result = await registerUser(db, 'user@example.com', 'SecurePass123!', {
+ *   ipAddress: '192.168.1.1',
+ *   userAgent: 'Mozilla/5.0...'
+ * })
+ * console.log(result.user.id, result.sessionId, result.verificationToken)
+ * ```
+ */
+export declare function registerUser(db: Kysely<Database>, email: string, password: string, context?: RequestContext, passwordHasher?: PasswordHasher): Promise<{
+    user: User;
+    sessionId: string;
+    verificationToken: string;
+}>;
+/**
+ * Register user result type (for HTTP responses)
+ */
+export interface RegisterUserResult {
+    user: {
+        id: string;
+        email: string;
+        email_verified: boolean;
+        name: string | null;
+        avatar_url: string | null;
+        created_at: Date;
+    };
+    sessionId: string;
+    verificationToken: string;
+}
+/**
+ * Convert registration result to public format
+ *
+ * Removes sensitive fields like password_hash and provider IDs.
+ *
+ * @param result - Registration result
+ * @returns Public registration result
+ * @internal
+ */
+export declare function toPublicRegisterResult(result: {
+    user: User;
+    sessionId: string;
+    verificationToken: string;
+}): RegisterUserResult;

package/dist/auth/register.js

@@ -0,0 +1,122 @@
+/**
+ * User Registration
+ *
+ * Handles user registration with email and password:
+ * - Email and password validation
+ * - Password hashing using Argon2id
+ * - User creation with email_verified=false
+ * - Email verification token generation
+ * - Initial session creation
+ */
+import { createSession } from '../oauth/callbacks.js';
+import { createPbkdf2PasswordHasher } from '../password-hasher.js';
+import { isValidEmail, validatePassword, normalizeEmail, generateSecureToken, createAuthError, } from './utils.js';
+const defaultPasswordHasher = createPbkdf2PasswordHasher();
+/**
+ * Email verification token expiration (24 hours)
+ */
+const VERIFICATION_TOKEN_EXPIRY = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
+/**
+ * Register a new user with email and password
+ *
+ * Creates a new user account with the provided email and password.
+ * The password is hashed using Argon2id before storage.
+ * An email verification token is generated and stored.
+ * An initial session is created for the user.
+ *
+ * @param db - Kysely database instance
+ * @param email - User's email address
+ * @param password - User's password (plain text, will be hashed)
+ * @param context - Optional request context (IP address, user agent)
+ * @returns User record, session ID, and verification token
+ * @throws {AuthError} If validation fails or user already exists
+ *
+ * @example
+ * ```ts
+ * const result = await registerUser(db, 'user@example.com', 'SecurePass123!', {
+ *   ipAddress: '192.168.1.1',
+ *   userAgent: 'Mozilla/5.0...'
+ * })
+ * console.log(result.user.id, result.sessionId, result.verificationToken)
+ * ```
+ */
+export async function registerUser(db, email, password, context, passwordHasher) {
+    const hasher = passwordHasher ?? defaultPasswordHasher;
+    // Validate email
+    if (!isValidEmail(email)) {
+        throw createAuthError('Invalid email address', 'INVALID_EMAIL', 400);
+    }
+    // Validate password
+    const passwordError = validatePassword(password);
+    if (passwordError) {
+        throw createAuthError(passwordError, 'INVALID_PASSWORD', 400);
+    }
+    // Normalize email
+    const normalizedEmail = normalizeEmail(email);
+    // Check if user already exists
+    const existingUser = await db
+        .selectFrom('users')
+        .select('id')
+        .where('email', '=', normalizedEmail)
+        .executeTakeFirst();
+    if (existingUser) {
+        throw createAuthError('User with this email already exists', 'EMAIL_EXISTS', 409);
+    }
+    // Hash password
+    const passwordHash = await hasher.hash(password);
+    // Create user
+    const newUser = {
+        email: normalizedEmail,
+        email_verified: false,
+        password_hash: passwordHash,
+        github_id: null,
+        google_id: null,
+        name: null,
+        avatar_url: null,
+    };
+    const user = await db.insertInto('users').values(newUser).returningAll().executeTakeFirstOrThrow();
+    // Generate email verification token
+    const verificationToken = generateSecureToken(32); // 256 bits of entropy
+    const expiresAt = new Date(Date.now() + VERIFICATION_TOKEN_EXPIRY);
+    const newToken = {
+        token: verificationToken,
+        user_id: user.id,
+        email: normalizedEmail,
+        expires_at: expiresAt,
+    };
+    await db.insertInto('email_verification_tokens').values(newToken).execute();
+    // Create initial session
+    const sessionId = await createSession(db, user.id, 2592000, {
+        ipAddress: context?.ipAddress,
+        userAgent: context?.userAgent,
+    });
+    return {
+        user,
+        sessionId,
+        verificationToken,
+    };
+}
+/**
+ * Convert registration result to public format
+ *
+ * Removes sensitive fields like password_hash and provider IDs.
+ *
+ * @param result - Registration result
+ * @returns Public registration result
+ * @internal
+ */
+export function toPublicRegisterResult(result) {
+    return {
+        user: {
+            id: result.user.id,
+            email: result.user.email,
+            email_verified: result.user.email_verified,
+            name: result.user.name,
+            avatar_url: result.user.avatar_url,
+            created_at: result.user.created_at,
+        },
+        sessionId: result.sessionId,
+        verificationToken: result.verificationToken,
+    };
+}
+//# sourceMappingURL=register.js.map

package/dist/auth/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/auth/register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAGrD,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAA;AAClE,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAA;AAEnB,MAAM,qBAAqB,GAAG,0BAA0B,EAAE,CAAA;AAE1D;;GAEG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,2BAA2B;AAEjF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,EAAoB,EACpB,KAAa,EACb,QAAgB,EAChB,OAAwB,EACxB,cAA+B;IAE/B,MAAM,MAAM,GAAG,cAAc,IAAI,qBAAqB,CAAA;IAEtD,iBAAiB;IACjB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,eAAe,CAAC,uBAAuB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IACtE,CAAC;IAED,oBAAoB;IACpB,MAAM,aAAa,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAA;IAChD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,eAAe,CAAC,aAAa,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAA;IAC/D,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,CAAA;IAE7C,+BAA+B;IAC/B,MAAM,YAAY,GAAG,MAAM,EAAE;SAC1B,UAAU,CAAC,OAAO,CAAC;SACnB,MAAM,CAAC,IAAI,CAAC;SACZ,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,eAAe,CAAC;SACpC,gBAAgB,EAAE,CAAA;IAErB,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,CAAC,qCAAqC,EAAE,cAAc,EAAE,GAAG,CAAC,CAAA;IACnF,CAAC;IAED,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEhD,cAAc;IACd,MAAM,OAAO,GAAY;QACvB,KAAK,EAAE,eAAe;QACtB,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,YAAY;QAC3B,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,IAAI;KACjB,CAAA;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,CAAC,uBAAuB,EAAE,CAAA;IAElG,oCAAoC;IACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAA,CAAC,sBAAsB;IACxE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,yBAAyB,CAAC,CAAA;IAElE,MAAM,QAAQ,GAA8B;QAC1C,KAAK,EAAE,iBAAiB;QACxB,OAAO,EAAE,IAAI,CAAC,EAAE;QAChB,KAAK,EAAE,eAAe;QACtB,UAAU,EAAE,SAAS;KACtB,CAAA;IAED,MAAM,EAAE,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAA;IAE3E,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE;QAC1D,SAAS,EAAE,OAAO,EAAE,SAAS;QAC7B,SAAS,EAAE,OAAO,EAAE,SAAS;KAC9B,CAAC,CAAA;IAEF,OAAO;QACL,IAAI;QACJ,SAAS;QACT,iBAAiB;KAClB,CAAA;AACH,CAAC;AAkBD;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAItC;IACC,OAAO;QACL,IAAI,EAAE;YACJ,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;YAClB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;YACxB,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc;YAC1C,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;YACtB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;YAClC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;SACnC;QACD,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;KAC5C,CAAA;AACH,CAAC"}

package/dist/auth/reset-password.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Password Reset
+ *
+ * Handles password reset flow:
+ * - Password reset token generation and storage
+ * - Token validation and expiration checking
+ * - Password update with new hash
+ * - Session invalidation for security
+ */
+import type { Kysely } from 'kysely';
+import type { Database } from '../database/schema.js';
+import type { PasswordHasher } from '../password-hasher.js';
+/**
+ * Request password reset
+ *
+ * Generates a password reset token and stores it in the database.
+ * The token expires after 1 hour for security.
+ *
+ * **IMPORTANT:** This function does NOT return the token to prevent email enumeration.
+ * The token should be sent via email by the caller using an email service.
+ * The function always returns success, even if the user doesn't exist.
+ *
+ * @param db - Kysely database instance
+ * @param email - User's email address
+ * @param onTokenGenerated - Optional callback to send the token via email
+ * @returns Success status and email (for sending the token)
+ *
+ * @example
+ * ```ts
+ * const result = await requestPasswordReset(db, 'user@example.com', async (email, token) => {
+ *   await sendEmail({
+ *     to: email,
+ *     subject: 'Password Reset',
+ *     template: 'password-reset',
+ *     data: { token, resetUrl: `https://example.com/reset-password?token=${token}` }
+ *   })
+ * })
+ * // Always returns { success: true } regardless of whether user exists
+ * ```
+ */
+export declare function requestPasswordReset(db: Kysely<Database>, email: string, onTokenGenerated?: (email: string, token: string) => Promise<void>): Promise<{
+    success: true;
+    email: string;
+}>;
+/**
+ * Verify password reset token
+ *
+ * Checks if a password reset token is valid and not expired.
+ * Does not consume the token.
+ *
+ * @param db - Kysely database instance
+ * @param token - Password reset token
+ * @returns Validation result with user ID if valid
+ *
+ * @example
+ * ```ts
+ * const result = await verifyResetToken(db, 'abc123...')
+ * if (result.valid) {
+ *   console.log('Token is valid for user:', result.userId)
+ * }
+ * ```
+ */
+export declare function verifyResetToken(db: Kysely<Database>, token: string): Promise<{
+    valid: boolean;
+    userId?: string;
+}>;
+/**
+ * Reset password using token
+ *
+ * Updates the user's password with a new hash.
+ * Invalidates all existing sessions for security.
+ * Deletes the used reset token.
+ *
+ * @param db - Kysely database instance
+ * @param token - Password reset token
+ * @param newPassword - New password (plain text, will be hashed)
+ * @returns Success status
+ * @throws {AuthError} If token is invalid, expired, or password is invalid
+ *
+ * @example
+ * ```ts
+ * const result = await resetPassword(db, 'abc123...', 'NewSecurePass123!')
+ * if (result.success) {
+ *   console.log('Password reset successful')
+ * }
+ * ```
+ */
+export declare function resetPassword(db: Kysely<Database>, token: string, newPassword: string, passwordHasher?: PasswordHasher): Promise<{
+    success: boolean;
+}>;
+/**
+ * Clean up expired password reset tokens
+ *
+ * Removes all expired password reset tokens from the database.
+ * This should be run periodically as a background job.
+ *
+ * @param db - Kysely database instance
+ * @returns Number of tokens deleted
+ *
+ * @example
+ * ```ts
+ * const deleted = await cleanupExpiredResetTokens(db)
+ * console.log(`Cleaned up ${deleted} expired reset tokens`)
+ * ```
+ */
+export declare function cleanupExpiredResetTokens(db: Kysely<Database>): Promise<number>;

package/dist/auth/reset-password.js

@@ -0,0 +1,213 @@
+/**
+ * Password Reset
+ *
+ * Handles password reset flow:
+ * - Password reset token generation and storage
+ * - Token validation and expiration checking
+ * - Password update with new hash
+ * - Session invalidation for security
+ */
+import { deleteAllUserSessions } from '../oauth/callbacks.js';
+import { generateSecureToken, normalizeEmail, validatePassword, createAuthError } from './utils.js';
+import { isValidPasswordResetToken } from '../database/schema.js';
+import { createPbkdf2PasswordHasher } from '../password-hasher.js';
+/**
+ * Password reset token expiration (1 hour for security)
+ */
+const RESET_TOKEN_EXPIRY = 60 * 60 * 1000; // 1 hour in milliseconds
+const defaultPasswordHasher = createPbkdf2PasswordHasher();
+/**
+ * Request password reset
+ *
+ * Generates a password reset token and stores it in the database.
+ * The token expires after 1 hour for security.
+ *
+ * **IMPORTANT:** This function does NOT return the token to prevent email enumeration.
+ * The token should be sent via email by the caller using an email service.
+ * The function always returns success, even if the user doesn't exist.
+ *
+ * @param db - Kysely database instance
+ * @param email - User's email address
+ * @param onTokenGenerated - Optional callback to send the token via email
+ * @returns Success status and email (for sending the token)
+ *
+ * @example
+ * ```ts
+ * const result = await requestPasswordReset(db, 'user@example.com', async (email, token) => {
+ *   await sendEmail({
+ *     to: email,
+ *     subject: 'Password Reset',
+ *     template: 'password-reset',
+ *     data: { token, resetUrl: `https://example.com/reset-password?token=${token}` }
+ *   })
+ * })
+ * // Always returns { success: true } regardless of whether user exists
+ * ```
+ */
+export async function requestPasswordReset(db, email, onTokenGenerated) {
+    const normalizedEmail = normalizeEmail(email);
+    // Look up user by email
+    const user = await db
+        .selectFrom('users')
+        .select(['id', 'email', 'password_hash'])
+        .where('email', '=', normalizedEmail)
+        .executeTakeFirst();
+    // If user doesn't exist, return success but don't send email
+    // This prevents email enumeration attacks
+    if (!user) {
+        // Simulate work to prevent timing attacks
+        await generateSecureToken(32);
+        return { success: true, email: normalizedEmail };
+    }
+    // If user exists but has no password (OAuth-only), don't send reset email
+    // Return success to avoid revealing whether email exists
+    if (!user.password_hash) {
+        return { success: true, email: normalizedEmail };
+    }
+    // Delete any existing reset tokens for this user
+    await db.deleteFrom('password_reset_tokens').where('user_id', '=', user.id).execute();
+    // Generate password reset token
+    const resetToken = generateSecureToken(32); // 256 bits of entropy
+    const expiresAt = new Date(Date.now() + RESET_TOKEN_EXPIRY);
+    const newToken = {
+        token: resetToken,
+        user_id: user.id,
+        expires_at: expiresAt,
+    };
+    await db.insertInto('password_reset_tokens').values(newToken).execute();
+    // Call the optional callback to send the token via email
+    if (onTokenGenerated) {
+        await onTokenGenerated(normalizedEmail, resetToken);
+    }
+    return {
+        success: true,
+        email: normalizedEmail,
+    };
+}
+/**
+ * Verify password reset token
+ *
+ * Checks if a password reset token is valid and not expired.
+ * Does not consume the token.
+ *
+ * @param db - Kysely database instance
+ * @param token - Password reset token
+ * @returns Validation result with user ID if valid
+ *
+ * @example
+ * ```ts
+ * const result = await verifyResetToken(db, 'abc123...')
+ * if (result.valid) {
+ *   console.log('Token is valid for user:', result.userId)
+ * }
+ * ```
+ */
+export async function verifyResetToken(db, token) {
+    if (!token || token.trim() === '') {
+        return { valid: false };
+    }
+    // Look up token in database
+    const tokenRecord = await db
+        .selectFrom('password_reset_tokens')
+        .selectAll()
+        .where('token', '=', token)
+        .executeTakeFirst();
+    if (!tokenRecord) {
+        return { valid: false };
+    }
+    // Check if token is expired
+    if (!isValidPasswordResetToken(tokenRecord)) {
+        // Delete expired token
+        await db.deleteFrom('password_reset_tokens').where('token', '=', token).execute();
+        return { valid: false };
+    }
+    return {
+        valid: true,
+        userId: tokenRecord.user_id,
+    };
+}
+/**
+ * Reset password using token
+ *
+ * Updates the user's password with a new hash.
+ * Invalidates all existing sessions for security.
+ * Deletes the used reset token.
+ *
+ * @param db - Kysely database instance
+ * @param token - Password reset token
+ * @param newPassword - New password (plain text, will be hashed)
+ * @returns Success status
+ * @throws {AuthError} If token is invalid, expired, or password is invalid
+ *
+ * @example
+ * ```ts
+ * const result = await resetPassword(db, 'abc123...', 'NewSecurePass123!')
+ * if (result.success) {
+ *   console.log('Password reset successful')
+ * }
+ * ```
+ */
+export async function resetPassword(db, token, newPassword, passwordHasher) {
+    const hasher = passwordHasher ?? defaultPasswordHasher;
+    if (!token || token.trim() === '') {
+        throw createAuthError('Reset token is required', 'INVALID_TOKEN', 400);
+    }
+    // Validate new password
+    const passwordError = validatePassword(newPassword);
+    if (passwordError) {
+        throw createAuthError(passwordError, 'INVALID_PASSWORD', 400);
+    }
+    // Look up token in database
+    const tokenRecord = await db
+        .selectFrom('password_reset_tokens')
+        .selectAll()
+        .where('token', '=', token)
+        .executeTakeFirst();
+    if (!tokenRecord) {
+        throw createAuthError('Invalid or expired reset token', 'INVALID_TOKEN', 400);
+    }
+    // Check if token is expired
+    if (!isValidPasswordResetToken(tokenRecord)) {
+        // Delete expired token
+        await db.deleteFrom('password_reset_tokens').where('token', '=', token).execute();
+        throw createAuthError('Reset token has expired', 'TOKEN_EXPIRED', 400);
+    }
+    // Hash new password
+    const passwordHash = await hasher.hash(newPassword);
+    // Update user's password
+    await db
+        .updateTable('users')
+        .set({ password_hash: passwordHash })
+        .where('id', '=', tokenRecord.user_id)
+        .execute();
+    // Delete used reset token
+    await db.deleteFrom('password_reset_tokens').where('token', '=', token).execute();
+    // Invalidate all sessions for security
+    await deleteAllUserSessions(db, tokenRecord.user_id);
+    return {
+        success: true,
+    };
+}
+/**
+ * Clean up expired password reset tokens
+ *
+ * Removes all expired password reset tokens from the database.
+ * This should be run periodically as a background job.
+ *
+ * @param db - Kysely database instance
+ * @returns Number of tokens deleted
+ *
+ * @example
+ * ```ts
+ * const deleted = await cleanupExpiredResetTokens(db)
+ * console.log(`Cleaned up ${deleted} expired reset tokens`)
+ * ```
+ */
+export async function cleanupExpiredResetTokens(db) {
+    const result = await db
+        .deleteFrom('password_reset_tokens')
+        .where('expires_at', '<=', new Date())
+        .executeTakeFirst();
+    return Number(result.numDeletedRows ?? 0);
+}
+//# sourceMappingURL=reset-password.js.map

package/dist/auth/reset-password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reset-password.js","sourceRoot":"","sources":["../../src/auth/reset-password.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAC7D,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AACnG,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAA;AAEjE,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAA;AAElE;;GAEG;AACH,MAAM,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,yBAAyB;AAEnE,MAAM,qBAAqB,GAAG,0BAA0B,EAAE,CAAA;AAE1D;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAoB,EACpB,KAAa,EACb,gBAAkE;IAElE,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,CAAA;IAE7C,wBAAwB;IACxB,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,UAAU,CAAC,OAAO,CAAC;SACnB,MAAM,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC;SACxC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,eAAe,CAAC;SACpC,gBAAgB,EAAE,CAAA;IAErB,6DAA6D;IAC7D,0CAA0C;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,0CAA0C;QAC1C,MAAM,mBAAmB,CAAC,EAAE,CAAC,CAAA;QAC7B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,eAAe,EAAE,CAAA;IAClD,CAAC;IAED,0EAA0E;IAC1E,yDAAyD;IACzD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,eAAe,EAAE,CAAA;IAClD,CAAC;IAED,iDAAiD;IACjD,MAAM,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAA;IAErF,gCAAgC;IAChC,MAAM,UAAU,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAA,CAAC,sBAAsB;IACjE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,CAAA;IAE3D,MAAM,QAAQ,GAA0B;QACtC,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,IAAI,CAAC,EAAE;QAChB,UAAU,EAAE,SAAS;KACtB,CAAA;IAED,MAAM,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAA;IAEvE,yDAAyD;IACzD,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,gBAAgB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IACrD,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,eAAe;KACvB,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,KAAa;IAEb,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzB,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,MAAM,EAAE;SACzB,UAAU,CAAC,uBAAuB,CAAC;SACnC,SAAS,EAAE;SACX,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC;SAC1B,gBAAgB,EAAE,CAAA;IAErB,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzB,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC,yBAAyB,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,uBAAuB;QACvB,MAAM,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,OAAO,EAAE,CAAA;QACjF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzB,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,WAAW,CAAC,OAAO;KAC5B,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAoB,EACpB,KAAa,EACb,WAAmB,EACnB,cAA+B;IAE/B,MAAM,MAAM,GAAG,cAAc,IAAI,qBAAqB,CAAA;IAEtD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAClC,MAAM,eAAe,CAAC,yBAAyB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IACxE,CAAC;IAED,wBAAwB;IACxB,MAAM,aAAa,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAA;IACnD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,eAAe,CAAC,aAAa,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAA;IAC/D,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,MAAM,EAAE;SACzB,UAAU,CAAC,uBAAuB,CAAC;SACnC,SAAS,EAAE;SACX,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC;SAC1B,gBAAgB,EAAE,CAAA;IAErB,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,eAAe,CAAC,gCAAgC,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IAC/E,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC,yBAAyB,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,uBAAuB;QACvB,MAAM,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,OAAO,EAAE,CAAA;QACjF,MAAM,eAAe,CAAC,yBAAyB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IACxE,CAAC;IAED,oBAAoB;IACpB,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAEnD,yBAAyB;IACzB,MAAM,EAAE;SACL,WAAW,CAAC,OAAO,CAAC;SACpB,GAAG,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;SACpC,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,CAAC,OAAO,CAAC;SACrC,OAAO,EAAE,CAAA;IAEZ,0BAA0B;IAC1B,MAAM,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,OAAO,EAAE,CAAA;IAEjF,uCAAuC;IACvC,MAAM,qBAAqB,CAAC,EAAE,EAAE,WAAW,CAAC,OAAO,CAAC,CAAA;IAEpD,OAAO;QACL,OAAO,EAAE,IAAI;KACd,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,EAAoB;IAClE,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,UAAU,CAAC,uBAAuB,CAAC;SACnC,KAAK,CAAC,YAAY,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;SACrC,gBAAgB,EAAE,CAAA;IAErB,OAAO,MAAM,CAAC,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC,CAAA;AAC3C,CAAC"}

package/dist/auth/utils.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Authentication Utilities
+ *
+ * Shared utilities for email/password authentication including:
+ * - Email validation
+ * - Password validation
+ * - Secure token generation
+ */
+/**
+ * Validate email format
+ *
+ * @param email - Email address to validate
+ * @returns True if valid, false otherwise
+ */
+export declare function isValidEmail(email: string): boolean;
+/**
+ * Validate password strength
+ *
+ * @param password - Password to validate
+ * @param minLength - Minimum password length (default: 8)
+ * @returns Error message if invalid, null if valid
+ */
+export declare function validatePassword(password: string, minLength?: number): string | null;
+/**
+ * Generate a secure random token
+ *
+ * Uses cryptographically secure random values from Web Crypto API.
+ *
+ * @param entropySize - Number of bytes of entropy (default: 32)
+ * @returns Base64url-encoded token
+ *
+ * @example
+ * ```ts
+ * const token = generateSecureToken(32) // 256 bits of entropy
+ * ```
+ */
+export declare function generateSecureToken(entropySize?: number): string;
+/**
+ * Normalize email address
+ *
+ * Converts email to lowercase for consistent storage and comparison.
+ *
+ * @param email - Email address to normalize
+ * @returns Normalized email address
+ */
+export declare function normalizeEmail(email: string): string;
+/**
+ * Authentication error types
+ */
+export declare class AuthError extends Error {
+    code: string;
+    statusCode: number;
+    constructor(message: string, code: string, statusCode?: number);
+}
+/**
+ * Create a standardized auth error
+ */
+export declare function createAuthError(message: string, code: string, statusCode?: number): AuthError;