clearauth 0.3.0

package/dist/mech-sql-client.js

@@ -0,0 +1,155 @@
+import { ClearAuthSqlError, ClearAuthNetworkError, ClearAuthTimeoutError, ClearAuthRateLimitError, } from "./errors.js";
+import { getDefaultLogger } from "./logger.js";
+import { validateUrl, validateUuid, validateNonEmpty, validatePositive, validateRange } from "./validation.js";
+/**
+ * HTTP client for Mech Storage PostgreSQL API
+ *
+ * @example
+ * ```ts
+ * const client = new MechSqlClient()
+ * const { rows } = await client.execute("SELECT * FROM users WHERE id = $1", [123])
+ * ```
+ */
+export class MechSqlClient {
+    constructor(config) {
+        // Resolve values with smart defaults
+        this.baseUrl = config.baseUrl ?? "https://storage.mechdna.net";
+        this.appId = config.appId;
+        // appSchemaId defaults to appId if not explicitly provided (most common case)
+        this.appSchemaId = config.appSchemaId ?? this.appId;
+        this.apiKey = config.apiKey;
+        this.timeout = config.timeout ?? 30000;
+        this.logger = config.logger ?? getDefaultLogger();
+        this.maxRetries = config.maxRetries ?? 2;
+        // Validate configuration
+        validateUrl(this.baseUrl, "baseUrl");
+        validateNonEmpty(this.appId, "appId");
+        validateUuid(this.appId, "appId");
+        validateNonEmpty(this.appSchemaId, "appSchemaId");
+        validateUuid(this.appSchemaId, "appSchemaId");
+        validateNonEmpty(this.apiKey, "apiKey");
+        validatePositive(this.timeout, "timeout");
+        validateRange(this.maxRetries, 0, 5, "maxRetries");
+        this.logger.debug("MechSqlClient initialized", {
+            baseUrl: this.baseUrl,
+            appId: this.appId,
+            timeout: this.timeout,
+            maxRetries: this.maxRetries
+        });
+    }
+    /**
+     * Execute a SQL query against Mech Storage
+     *
+     * @param sql - SQL query string (use $1, $2, etc. for parameters)
+     * @param params - Query parameters
+     * @returns Object with rows and rowCount
+     * @throws ClearAuthSqlError, ClearAuthNetworkError, ClearAuthTimeoutError, ClearAuthRateLimitError
+     *
+     * @example
+     * ```ts
+     * const { rows } = await client.execute(
+     *   "SELECT * FROM users WHERE email = $1",
+     *   ["user@example.com"]
+     * )
+     * ```
+     */
+    async execute(sql, params = []) {
+        return this.executeWithRetry(sql, params, 0);
+    }
+    async executeWithRetry(sql, params, attempt) {
+        try {
+            return await this.executeOnce(sql, params);
+        }
+        catch (err) {
+            if (attempt < this.maxRetries && this.isRetryable(err)) {
+                const delay = Math.pow(2, attempt) * 100; // exponential backoff
+                this.logger.warn(`Query failed, retrying in ${delay}ms (attempt ${attempt + 1}/${this.maxRetries})`, {
+                    error: err.message,
+                    attempt
+                });
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                return this.executeWithRetry(sql, params, attempt + 1);
+            }
+            throw err;
+        }
+    }
+    async executeOnce(sql, params) {
+        const url = `${this.baseUrl.replace(/\/$/, "")}/api/apps/${this.appId}/postgresql/query`;
+        this.logger.debug("Executing SQL query", {
+            url,
+            paramCount: params.length,
+            sqlLength: sql.length
+        });
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const res = await fetch(url, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "X-API-Key": this.apiKey,
+                    "X-App-ID": this.appSchemaId
+                },
+                body: JSON.stringify({ sql, params }),
+                signal: controller.signal
+            });
+            // Handle rate limiting
+            if (res.status === 429) {
+                const retryAfter = parseInt(res.headers.get("Retry-After") ?? "60", 10) * 1000;
+                this.logger.warn("Rate limited by Mech Storage", { retryAfter });
+                throw new ClearAuthRateLimitError(retryAfter, { statusCode: 429 });
+            }
+            if (!res.ok) {
+                const text = await res.text();
+                this.logger.error("HTTP error from Mech Storage", {
+                    status: res.status,
+                    statusText: res.statusText,
+                    responseLength: text.length
+                });
+                throw new ClearAuthNetworkError(`HTTP ${res.status}: ${res.statusText}`, res.status, {
+                    responseText: text.substring(0, 500) // truncate for logging
+                });
+            }
+            const json = await res.json();
+            if (json.success === false) {
+                this.logger.error("Mech Storage returned error", {
+                    code: json.error?.code,
+                    message: json.error?.message
+                });
+                throw new ClearAuthSqlError(json.error?.message ?? "Unknown error", {
+                    code: json.error?.code,
+                    hints: json.error?.hints
+                });
+            }
+            const rows = (json.rows ?? []);
+            const rowCount = json.rowCount ?? rows.length;
+            this.logger.debug("Query executed successfully", {
+                rowCount,
+                rowsReturned: rows.length
+            });
+            return { rows, rowCount };
+        }
+        catch (err) {
+            if (err instanceof DOMException && err.name === "AbortError") {
+                this.logger.error("Query timeout", { timeout: this.timeout });
+                throw new ClearAuthTimeoutError(`Query timed out after ${this.timeout}ms`, {
+                    timeout: this.timeout
+                });
+            }
+            throw err;
+        }
+        finally {
+            clearTimeout(timeoutId);
+        }
+    }
+    isRetryable(err) {
+        if (err instanceof ClearAuthRateLimitError)
+            return true;
+        if (err instanceof ClearAuthTimeoutError)
+            return true;
+        if (err instanceof ClearAuthNetworkError && err.statusCode && err.statusCode >= 500)
+            return true;
+        return false;
+    }
+}
+//# sourceMappingURL=mech-sql-client.js.map

package/dist/mech-sql-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mech-sql-client.js","sourceRoot":"","sources":["../src/mech-sql-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,GACxB,MAAM,aAAa,CAAA;AACpB,OAAO,EAAU,gBAAgB,EAAE,MAAM,aAAa,CAAA;AACtD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AA8C9G;;;;;;;;GAQG;AACH,MAAM,OAAO,aAAa;IASxB,YAAY,MAA2B;QACrC,qCAAqC;QACrC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,6BAA6B,CAAA;QAC9D,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAA;QACzB,8EAA8E;QAC9E,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,KAAK,CAAA;QACnD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAA;QAC3B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,CAAA;QACtC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,gBAAgB,EAAE,CAAA;QACjD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,CAAC,CAAA;QAExC,yBAAyB;QACzB,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QACpC,gBAAgB,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QACrC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QACjC,gBAAgB,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,CAAA;QACjD,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,CAAA;QAC7C,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACvC,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QACzC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC,EAAE,YAAY,CAAC,CAAA;QAElD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE;YAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAA;IACJ,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,OAAO,CAAc,GAAW,EAAE,SAA6B,EAAE;QACrE,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;IAC9C,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,GAAW,EACX,MAA0B,EAC1B,OAAe;QAEf,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,WAAW,CAAI,GAAG,EAAE,MAAM,CAAC,CAAA;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,GAAG,CAAA,CAAC,sBAAsB;gBAC/D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6BAA6B,KAAK,eAAe,OAAO,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,GAAG,EAAE;oBACnG,KAAK,EAAG,GAAa,CAAC,OAAO;oBAC7B,OAAO;iBACR,CAAC,CAAA;gBACF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAA;gBAC1D,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAA;YACxD,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAc,GAAW,EAAE,MAA0B;QAC5E,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,IAAI,CAAC,KAAK,mBAAmB,CAAA;QAExF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YACvC,GAAG;YACH,UAAU,EAAE,MAAM,CAAC,MAAM;YACzB,SAAS,EAAE,GAAG,CAAC,MAAM;SACtB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAA;QACxC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;QAEpE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,WAAW,EAAE,IAAI,CAAC,MAAM;oBACxB,UAAU,EAAE,IAAI,CAAC,WAAW;iBAC7B;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;gBACrC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAA;YAEF,uBAAuB;YACvB,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,GAAG,IAAI,CAAA;gBAC9E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;gBAChE,MAAM,IAAI,uBAAuB,CAAC,UAAU,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;gBAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAChD,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,cAAc,EAAE,IAAI,CAAC,MAAM;iBAC5B,CAAC,CAAA;gBACF,MAAM,IAAI,qBAAqB,CAAC,QAAQ,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,CAAC,MAAM,EAAE;oBACnF,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,uBAAuB;iBAC7D,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,IAAI,GAAoB,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAE9C,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI;oBACtB,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO;iBAC7B,CAAC,CAAA;gBACF,MAAM,IAAI,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE;oBAClE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI;oBACtB,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,KAAK;iBACzB,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAQ,CAAA;YACrC,MAAM,QAAQ,GAAW,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAA;YAErD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;gBAC/C,QAAQ;gBACR,YAAY,EAAE,IAAI,CAAC,MAAM;aAC1B,CAAC,CAAA;YAEF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC7D,MAAM,IAAI,qBAAqB,CAAC,yBAAyB,IAAI,CAAC,OAAO,IAAI,EAAE;oBACzE,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAA;YACJ,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAA;QACzB,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,GAAY;QAC9B,IAAI,GAAG,YAAY,uBAAuB;YAAE,OAAO,IAAI,CAAA;QACvD,IAAI,GAAG,YAAY,qBAAqB;YAAE,OAAO,IAAI,CAAA;QACrD,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG;YAAE,OAAO,IAAI,CAAA;QAChG,OAAO,KAAK,CAAA;IACd,CAAC;CACF"}

package/dist/node.d.ts

@@ -0,0 +1,4 @@
+import type { CreateClearAuthOptions } from "./createMechAuth.js";
+export declare function createClearAuthNode(options: CreateClearAuthOptions): import("./types.js").ClearAuthConfig;
+export { defaultSessionConfig, longSessionConfig, shortSessionConfig } from "./createMechAuth.js";
+export type { ClearAuthConfig } from "./types.js";

package/dist/node.js

@@ -0,0 +1,10 @@
+import { createClearAuth } from "./createMechAuth.js";
+import { createArgon2idPasswordHasher } from "./password-hasher-argon2.js";
+export function createClearAuthNode(options) {
+    return createClearAuth({
+        ...options,
+        passwordHasher: options.passwordHasher ?? createArgon2idPasswordHasher(),
+    });
+}
+export { defaultSessionConfig, longSessionConfig, shortSessionConfig } from "./createMechAuth.js";
+//# sourceMappingURL=node.js.map

package/dist/node.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node.js","sourceRoot":"","sources":["../src/node.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AACrD,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAA;AAE1E,MAAM,UAAU,mBAAmB,CAAC,OAA+B;IACjE,OAAO,eAAe,CAAC;QACrB,GAAG,OAAO;QACV,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,4BAA4B,EAAE;KACzE,CAAC,CAAA;AACJ,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA"}

package/dist/oauth/arctic-providers.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Arctic OAuth Provider Factory
+ *
+ * Creates Arctic OAuth provider instances for GitHub and Google authentication.
+ * Arctic is a lightweight OAuth library that works across all JavaScript runtimes
+ * including Cloudflare Workers.
+ *
+ * @see https://arcticjs.dev/
+ */
+import { GitHub, Google } from 'arctic';
+import type { ClearAuthConfig } from '../types.js';
+/**
+ * Create GitHub OAuth provider instance
+ *
+ * @param config - ClearAuth configuration
+ * @returns Arctic GitHub provider instance
+ * @throws Error if GitHub OAuth is not configured
+ *
+ * @example
+ * ```ts
+ * const github = createGitHubProvider(config)
+ * const url = await github.createAuthorizationURL(state, { scopes: ['user:email'] })
+ * ```
+ */
+export declare function createGitHubProvider(config: ClearAuthConfig): GitHub;
+/**
+ * Create Google OAuth provider instance
+ *
+ * @param config - ClearAuth configuration
+ * @returns Arctic Google provider instance
+ * @throws Error if Google OAuth is not configured
+ *
+ * @example
+ * ```ts
+ * const google = createGoogleProvider(config)
+ * const url = await google.createAuthorizationURL(state, codeVerifier, { scopes: ['email', 'profile'] })
+ * ```
+ */
+export declare function createGoogleProvider(config: ClearAuthConfig): Google;
+/**
+ * Get configured OAuth providers
+ *
+ * Returns a map of provider names to Arctic provider instances.
+ * Only includes providers that are configured.
+ *
+ * @param config - ClearAuth configuration
+ * @returns Map of provider names to Arctic provider instances
+ *
+ * @example
+ * ```ts
+ * const providers = getConfiguredProviders(config)
+ * if (providers.github) {
+ *   // GitHub is configured
+ * }
+ * ```
+ */
+export declare function getConfiguredProviders(config: ClearAuthConfig): {
+    github?: GitHub;
+    google?: Google;
+};

package/dist/oauth/arctic-providers.js

@@ -0,0 +1,94 @@
+/**
+ * Arctic OAuth Provider Factory
+ *
+ * Creates Arctic OAuth provider instances for GitHub and Google authentication.
+ * Arctic is a lightweight OAuth library that works across all JavaScript runtimes
+ * including Cloudflare Workers.
+ *
+ * @see https://arcticjs.dev/
+ */
+import { GitHub, Google } from 'arctic';
+/**
+ * Create GitHub OAuth provider instance
+ *
+ * @param config - ClearAuth configuration
+ * @returns Arctic GitHub provider instance
+ * @throws Error if GitHub OAuth is not configured
+ *
+ * @example
+ * ```ts
+ * const github = createGitHubProvider(config)
+ * const url = await github.createAuthorizationURL(state, { scopes: ['user:email'] })
+ * ```
+ */
+export function createGitHubProvider(config) {
+    if (!config.oauth?.github) {
+        throw new Error('GitHub OAuth is not configured');
+    }
+    const { clientId, clientSecret, redirectUri } = config.oauth.github;
+    if (!clientId || !clientSecret || !redirectUri) {
+        throw new Error('GitHub OAuth configuration is incomplete (missing clientId, clientSecret, or redirectUri)');
+    }
+    return new GitHub(clientId, clientSecret, redirectUri);
+}
+/**
+ * Create Google OAuth provider instance
+ *
+ * @param config - ClearAuth configuration
+ * @returns Arctic Google provider instance
+ * @throws Error if Google OAuth is not configured
+ *
+ * @example
+ * ```ts
+ * const google = createGoogleProvider(config)
+ * const url = await google.createAuthorizationURL(state, codeVerifier, { scopes: ['email', 'profile'] })
+ * ```
+ */
+export function createGoogleProvider(config) {
+    if (!config.oauth?.google) {
+        throw new Error('Google OAuth is not configured');
+    }
+    const { clientId, clientSecret, redirectUri } = config.oauth.google;
+    if (!clientId || !clientSecret || !redirectUri) {
+        throw new Error('Google OAuth configuration is incomplete (missing clientId, clientSecret, or redirectUri)');
+    }
+    return new Google(clientId, clientSecret, redirectUri);
+}
+/**
+ * Get configured OAuth providers
+ *
+ * Returns a map of provider names to Arctic provider instances.
+ * Only includes providers that are configured.
+ *
+ * @param config - ClearAuth configuration
+ * @returns Map of provider names to Arctic provider instances
+ *
+ * @example
+ * ```ts
+ * const providers = getConfiguredProviders(config)
+ * if (providers.github) {
+ *   // GitHub is configured
+ * }
+ * ```
+ */
+export function getConfiguredProviders(config) {
+    const providers = {};
+    if (config.oauth?.github) {
+        try {
+            providers.github = createGitHubProvider(config);
+        }
+        catch (err) {
+            console.error('Failed to create GitHub provider:', err);
+        }
+    }
+    if (config.oauth?.google) {
+        try {
+            providers.google = createGoogleProvider(config);
+        }
+        catch (err) {
+            console.error('Failed to create Google provider:', err);
+        }
+    }
+    return providers;
+}
+//# sourceMappingURL=arctic-providers.js.map

package/dist/oauth/arctic-providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"arctic-providers.js","sourceRoot":"","sources":["../../src/oauth/arctic-providers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAGvC;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAuB;IAC1D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAA;IAEnE,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAA;IAC9G,CAAC;IAED,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAuB;IAC1D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAA;IAEnE,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAA;IAC9G,CAAC;IAED,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAuB;IAI5D,MAAM,SAAS,GAAyC,EAAE,CAAA;IAE1D,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,SAAS,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,SAAS,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC"}

package/dist/oauth/callbacks.d.ts

@@ -0,0 +1,155 @@
+/**
+ * OAuth Callback Utilities
+ *
+ * Shared logic for OAuth callback handling including:
+ * - State parameter validation (CSRF protection)
+ * - User upsert (create or update user by OAuth provider ID)
+ * - Session creation after successful OAuth
+ * - Error handling
+ */
+import type { Kysely } from 'kysely';
+import type { Database, User } from '../database/schema.js';
+import type { OAuthUserProfile, RequestContext } from '../types.js';
+/**
+ * Upsert user from OAuth profile
+ *
+ * Creates a new user or updates an existing user based on the OAuth provider ID.
+ * Uses github_id or google_id column to identify existing users.
+ *
+ * @param db - Kysely database instance
+ * @param provider - OAuth provider name ('github' or 'google')
+ * @param profile - Normalized OAuth user profile
+ * @returns User record from database
+ *
+ * @example
+ * ```ts
+ * const user = await upsertOAuthUser(db, 'github', profile)
+ * ```
+ */
+export declare function upsertOAuthUser(db: Kysely<Database>, provider: 'github' | 'google', profile: OAuthUserProfile): Promise<User>;
+/**
+ * Create session for user
+ *
+ * Creates a new session record in the database and returns the session ID.
+ * Sessions expire after the configured duration (default: 30 days).
+ *
+ * @param db - Kysely database instance
+ * @param userId - User ID to create session for
+ * @param expiresInSeconds - Session expiration time in seconds (default: 2592000 = 30 days)
+ * @param context - Optional request context (IP address, user agent)
+ * @returns Session ID
+ *
+ * @example
+ * ```ts
+ * const sessionId = await createSession(db, user.id, 2592000, { ipAddress, userAgent })
+ * ```
+ */
+export declare function createSession(db: Kysely<Database>, userId: string, expiresInSeconds?: number, // 30 days
+context?: RequestContext): Promise<string>;
+/**
+ * Validate session
+ *
+ * Checks if a session exists and is not expired.
+ *
+ * @param db - Kysely database instance
+ * @param sessionId - Session ID to validate
+ * @returns User if session is valid, null otherwise
+ *
+ * @example
+ * ```ts
+ * const user = await validateSession(db, sessionId)
+ * if (!user) {
+ *   return new Response('Unauthorized', { status: 401 })
+ * }
+ * ```
+ */
+export declare function validateSession(db: Kysely<Database>, sessionId: string): Promise<User | null>;
+/**
+ * Delete session (logout)
+ *
+ * Removes a session from the database.
+ *
+ * @param db - Kysely database instance
+ * @param sessionId - Session ID to delete
+ *
+ * @example
+ * ```ts
+ * await deleteSession(db, sessionId)
+ * ```
+ */
+export declare function deleteSession(db: Kysely<Database>, sessionId: string): Promise<void>;
+/**
+ * Delete all sessions for a user
+ *
+ * Removes all sessions for a specific user (useful for password changes, etc.)
+ *
+ * @param db - Kysely database instance
+ * @param userId - User ID to delete sessions for
+ *
+ * @example
+ * ```ts
+ * await deleteAllUserSessions(db, userId)
+ * ```
+ */
+export declare function deleteAllUserSessions(db: Kysely<Database>, userId: string): Promise<void>;
+/**
+ * Clean up expired sessions
+ *
+ * Removes all expired sessions from the database.
+ * This should be run periodically as a background job.
+ *
+ * @param db - Kysely database instance
+ * @returns Number of sessions deleted
+ *
+ * @example
+ * ```ts
+ * const deleted = await cleanupExpiredSessions(db)
+ * console.log(`Cleaned up ${deleted} expired sessions`)
+ * ```
+ */
+export declare function cleanupExpiredSessions(db: Kysely<Database>): Promise<number>;
+/**
+ * Parse cookie header
+ *
+ * Parses the Cookie header and returns a map of cookie names to values.
+ *
+ * @param cookieHeader - Cookie header string
+ * @returns Map of cookie names to values
+ *
+ * @internal
+ */
+export declare function parseCookies(cookieHeader: string): Record<string, string>;
+/**
+ * Create cookie header
+ *
+ * Creates a Set-Cookie header string with appropriate security attributes.
+ *
+ * @param name - Cookie name
+ * @param value - Cookie value
+ * @param options - Cookie options
+ * @returns Set-Cookie header string
+ *
+ * @internal
+ */
+export declare function createCookieHeader(name: string, value: string, options?: {
+    httpOnly?: boolean;
+    secure?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    path?: string;
+    maxAge?: number;
+    expires?: Date;
+}): string;
+/**
+ * Create delete cookie header
+ *
+ * Creates a Set-Cookie header that deletes a cookie.
+ *
+ * @param name - Cookie name
+ * @param options - Cookie options (path, etc.)
+ * @returns Set-Cookie header string
+ *
+ * @internal
+ */
+export declare function createDeleteCookieHeader(name: string, options?: {
+    path?: string;
+}): string;