dbsc-toolkit 1.0.1

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,2 @@
+export * from "./core/index.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}

package/dist/nextjs/index.d.ts

@@ -0,0 +1,13 @@
+import type { NextRequest } from "next/server.js";
+import { NextResponse } from "next/server.js";
+import { type DbscOptions, type ProtectionTier } from "../core/index.js";
+export interface DbscNextOptions extends DbscOptions {
+    secure?: boolean;
+}
+export declare function createDbscMiddleware(opts: DbscNextOptions): (req: NextRequest) => Promise<NextResponse>;
+export interface DbscSessionInfo {
+    sessionId: string | null;
+    tier: ProtectionTier;
+}
+export declare function getDbscSession(req: NextRequest, storage: DbscOptions["storage"]): Promise<DbscSessionInfo>;
+//# sourceMappingURL=index.d.ts.map

package/dist/nextjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nextjs/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAYL,KAAK,WAAW,EAChB,KAAK,cAAc,EACpB,MAAM,kBAAkB,CAAC;AAS1B,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAWD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,eAAe,IAYvB,KAAK,WAAW,KAAG,OAAO,CAAC,YAAY,CAAC,CAqH1E;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,IAAI,EAAE,cAAc,CAAC;CACtB;AAED,wBAAsB,cAAc,CAClC,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,GAC9B,OAAO,CAAC,eAAe,CAAC,CAQ1B"}

package/dist/nextjs/index.js

@@ -0,0 +1,126 @@
+import { NextResponse } from "next/server.js";
+import { handleRegistration, handleRefresh, issueChallenge, buildChallengeHeader, CHALLENGE_HEADER, LEGACY_CHALLENGE_HEADER, NoopRateLimiter, emit, DbscProtocolError, DbscVerificationError, } from "../core/index.js";
+const BOUND_COOKIE = "__Host-dbsc-session";
+const REGISTRATION_COOKIE = "__Host-dbsc-reg";
+const CHALLENGE_COOKIE = "__Host-dbsc-challenge";
+const DEFAULT_BOUND_TTL = 10 * 60;
+const DEFAULT_REG_TTL = 24 * 60 * 60;
+function cookieBase(secure) {
+    return {
+        httpOnly: true,
+        secure,
+        sameSite: "lax",
+        path: "/",
+    };
+}
+export function createDbscMiddleware(opts) {
+    const { storage, registrationPath = "/dbsc/registration", refreshPath = "/dbsc/refresh", boundCookieTtl = DEFAULT_BOUND_TTL * 1000, registrationCookieTtl = DEFAULT_REG_TTL * 1000, rateLimiter = new NoopRateLimiter(), onEvent, secure = true, } = opts;
+    return async function middleware(req) {
+        const url = req.nextUrl.pathname;
+        const ip = req.headers.get("x-forwarded-for") ?? "unknown";
+        if (req.method === "POST" && url === registrationPath) {
+            const sessionId = req.cookies.get(REGISTRATION_COOKIE)?.value;
+            const expectedJti = req.cookies.get(CHALLENGE_COOKIE)?.value;
+            if (!sessionId || !expectedJti) {
+                return NextResponse.json({ error: "missing session or challenge cookie" }, { status: 400 });
+            }
+            const allowed = await rateLimiter.checkRegistration(ip);
+            if (!allowed) {
+                return NextResponse.json({ error: "rate limited" }, { status: 429 });
+            }
+            try {
+                await handleRegistration({
+                    sessionId,
+                    secSessionResponseHeader: req.headers.get("secure-session-response") ??
+                        req.headers.get("sec-session-response") ??
+                        undefined,
+                    expectedJti,
+                }, storage);
+                emit(onEvent, {
+                    type: "registration",
+                    sessionId,
+                    tier: "dbsc",
+                    timestamp: Date.now(),
+                    algorithm: "ES256",
+                    ip,
+                });
+                const res = new NextResponse(null, { status: 204 });
+                res.cookies.set(BOUND_COOKIE, sessionId, {
+                    ...cookieBase(secure),
+                    maxAge: boundCookieTtl / 1000,
+                });
+                res.cookies.delete(CHALLENGE_COOKIE);
+                return res;
+            }
+            catch (err) {
+                await rateLimiter.recordFailure(ip, sessionId);
+                if (err instanceof DbscVerificationError || err instanceof DbscProtocolError) {
+                    return NextResponse.json({ error: err.message }, { status: 400 });
+                }
+                throw err;
+            }
+        }
+        if (req.method === "POST" && url === refreshPath) {
+            const sessionId = req.cookies.get(BOUND_COOKIE)?.value;
+            if (!sessionId) {
+                return NextResponse.json({ error: "no session" }, { status: 401 });
+            }
+            const allowed = await rateLimiter.checkRefresh(ip, sessionId);
+            if (!allowed) {
+                return NextResponse.json({ error: "rate limited" }, { status: 429 });
+            }
+            const responseHeader = req.headers.get("secure-session-response") ??
+                req.headers.get("sec-session-response");
+            if (!responseHeader) {
+                const challenge = await issueChallenge(sessionId, storage);
+                const res = new NextResponse(null, { status: 403 });
+                res.headers.set(CHALLENGE_HEADER, buildChallengeHeader(challenge.jti));
+                res.headers.set(LEGACY_CHALLENGE_HEADER, buildChallengeHeader(challenge.jti));
+                res.cookies.set(CHALLENGE_COOKIE, challenge.jti, {
+                    ...cookieBase(secure),
+                    maxAge: 5 * 60,
+                });
+                return res;
+            }
+            const expectedJti = req.cookies.get(CHALLENGE_COOKIE)?.value;
+            if (!expectedJti) {
+                return NextResponse.json({ error: "missing challenge cookie" }, { status: 400 });
+            }
+            try {
+                await handleRefresh({ sessionId, secSessionResponseHeader: responseHeader, expectedJti }, storage);
+                emit(onEvent, {
+                    type: "refresh",
+                    sessionId,
+                    tier: "dbsc",
+                    timestamp: Date.now(),
+                    ip,
+                });
+                const res = new NextResponse(null, { status: 204 });
+                res.cookies.set(BOUND_COOKIE, sessionId, {
+                    ...cookieBase(secure),
+                    maxAge: boundCookieTtl / 1000,
+                });
+                res.cookies.delete(CHALLENGE_COOKIE);
+                return res;
+            }
+            catch (err) {
+                await rateLimiter.recordFailure(ip, sessionId);
+                if (err instanceof DbscVerificationError || err instanceof DbscProtocolError) {
+                    return NextResponse.json({ error: err.message }, { status: 401 });
+                }
+                throw err;
+            }
+        }
+        return NextResponse.next();
+    };
+}
+export async function getDbscSession(req, storage) {
+    const sessionId = req.cookies.get(BOUND_COOKIE)?.value ?? null;
+    if (!sessionId)
+        return { sessionId: null, tier: "none" };
+    const session = await storage.getSession(sessionId);
+    if (!session)
+        return { sessionId: null, tier: "none" };
+    return { sessionId, tier: session.tier };
+}
+//# sourceMappingURL=index.js.map

package/dist/nextjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nextjs/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,cAAc,EAEd,oBAAoB,EACpB,gBAAgB,EAChB,uBAAuB,EACvB,eAAe,EACf,IAAI,EACJ,iBAAiB,EACjB,qBAAqB,GAGtB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AAC9C,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;AAEjD,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,CAAC;AAClC,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAMrC,SAAS,UAAU,CAAC,MAAe;IACjC,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,MAAM;QACN,QAAQ,EAAE,KAAc;QACxB,IAAI,EAAE,GAAG;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAqB;IACxD,MAAM,EACJ,OAAO,EACP,gBAAgB,GAAG,oBAAoB,EACvC,WAAW,GAAG,eAAe,EAC7B,cAAc,GAAG,iBAAiB,GAAG,IAAI,EACzC,qBAAqB,GAAG,eAAe,GAAG,IAAI,EAC9C,WAAW,GAAG,IAAI,eAAe,EAAE,EACnC,OAAO,EACP,MAAM,GAAG,IAAI,GACd,GAAG,IAAI,CAAC;IAET,OAAO,KAAK,UAAU,UAAU,CAAC,GAAgB;QAC/C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC;QACjC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;QAE3D,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,KAAK,gBAAgB,EAAE,CAAC;YACtD,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,KAAK,CAAC;YAC9D,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;YAE7D,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC/B,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9F,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACvE,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,kBAAkB,CACtB;oBACE,SAAS;oBACT,wBAAwB,EACtB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;wBAC1C,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;wBACvC,SAAS;oBACX,WAAW;iBACZ,EACD,OAAO,CACR,CAAC;gBAEF,IAAI,CAAC,OAAO,EAAE;oBACZ,IAAI,EAAE,cAAc;oBACpB,SAAS;oBACT,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,SAAS,EAAE,OAAO;oBAClB,EAAE;iBACH,CAAC,CAAC;gBAEH,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE;oBACvC,GAAG,UAAU,CAAC,MAAM,CAAC;oBACrB,MAAM,EAAE,cAAc,GAAG,IAAI;iBAC9B,CAAC,CAAC;gBACH,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACrC,OAAO,GAAG,CAAC;YACb,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,WAAW,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;gBAC/C,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;oBAC7E,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpE,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;YACjD,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC;YAEvD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACvE,CAAC;YAED,MAAM,cAAc,GAClB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;gBAC1C,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YAE1C,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBAC3D,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,oBAAoB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,oBAAoB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC9E,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,GAAG,EAAE;oBAC/C,GAAG,UAAU,CAAC,MAAM,CAAC;oBACrB,MAAM,EAAE,CAAC,GAAG,EAAE;iBACf,CAAC,CAAC;gBACH,OAAO,GAAG,CAAC;YACb,CAAC;YAED,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;YAC7D,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACnF,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,EAAE,SAAS,EAAE,wBAAwB,EAAE,cAAc,EAAE,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;gBAEnG,IAAI,CAAC,OAAO,EAAE;oBACZ,IAAI,EAAE,SAAS;oBACf,SAAS;oBACT,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,EAAE;iBACH,CAAC,CAAC;gBAEH,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE;oBACvC,GAAG,UAAU,CAAC,MAAM,CAAC;oBACrB,MAAM,EAAE,cAAc,GAAG,IAAI;iBAC9B,CAAC,CAAC;gBACH,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACrC,OAAO,GAAG,CAAC;YACb,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,WAAW,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;gBAC/C,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;oBAC7E,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpE,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;IAC7B,CAAC,CAAC;AACJ,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAgB,EAChB,OAA+B;IAE/B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC;IAC/D,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAEzD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAEvD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;AAC3C,CAAC"}

package/dist/storage/memory/index.d.ts

@@ -0,0 +1,20 @@
+import type { StorageAdapter, Session, BoundKey, Challenge } from "../../core/index.js";
+export declare class MemoryStorage implements StorageAdapter {
+    private sessions;
+    private keys;
+    private challenges;
+    private revoked;
+    getSession(id: string): Promise<Session | null>;
+    setSession(session: Session): Promise<void>;
+    deleteSession(id: string): Promise<void>;
+    getBoundKey(sessionId: string): Promise<BoundKey | null>;
+    setBoundKey(key: BoundKey): Promise<void>;
+    deleteBoundKey(sessionId: string): Promise<void>;
+    getChallenge(jti: string): Promise<Challenge | null>;
+    setChallenge(challenge: Challenge): Promise<void>;
+    consumeChallenge(jti: string): Promise<boolean>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllForUser(userId: string): Promise<void>;
+    gc(): void;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/storage/memory/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/storage/memory/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAExF,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,QAAQ,CAA8B;IAC9C,OAAO,CAAC,IAAI,CAA+B;IAC3C,OAAO,CAAC,UAAU,CAAgC;IAClD,OAAO,CAAC,OAAO,CAAqB;IAE9B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAU/C,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAI3C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAIxD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAUpD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO/C,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM/C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWrD,EAAE,IAAI,IAAI;CASX"}

package/dist/storage/memory/index.js

@@ -0,0 +1,79 @@
+export class MemoryStorage {
+    sessions = new Map();
+    keys = new Map();
+    challenges = new Map();
+    revoked = new Set();
+    async getSession(id) {
+        const sess = this.sessions.get(id);
+        if (!sess)
+            return null;
+        if (Date.now() > sess.expiresAt) {
+            this.sessions.delete(id);
+            return null;
+        }
+        return sess;
+    }
+    async setSession(session) {
+        this.sessions.set(session.id, session);
+    }
+    async deleteSession(id) {
+        this.sessions.delete(id);
+        this.keys.delete(id);
+    }
+    async getBoundKey(sessionId) {
+        return this.keys.get(sessionId) ?? null;
+    }
+    async setBoundKey(key) {
+        this.keys.set(key.sessionId, key);
+    }
+    async deleteBoundKey(sessionId) {
+        this.keys.delete(sessionId);
+    }
+    async getChallenge(jti) {
+        const challenge = this.challenges.get(jti);
+        if (!challenge)
+            return null;
+        if (Date.now() > challenge.expiresAt) {
+            this.challenges.delete(jti);
+            return null;
+        }
+        return challenge;
+    }
+    async setChallenge(challenge) {
+        this.challenges.set(challenge.jti, challenge);
+    }
+    async consumeChallenge(jti) {
+        const challenge = this.challenges.get(jti);
+        if (!challenge || challenge.consumed)
+            return false;
+        challenge.consumed = true;
+        return true;
+    }
+    async revokeSession(sessionId) {
+        this.revoked.add(sessionId);
+        this.sessions.delete(sessionId);
+        this.keys.delete(sessionId);
+    }
+    async revokeAllForUser(userId) {
+        for (const [id, sess] of this.sessions.entries()) {
+            if (sess.userId === userId) {
+                this.revoked.add(id);
+                this.sessions.delete(id);
+                this.keys.delete(id);
+            }
+        }
+    }
+    // Useful in tests: removes all expired entries from all maps
+    gc() {
+        const now = Date.now();
+        for (const [id, sess] of this.sessions.entries()) {
+            if (now > sess.expiresAt)
+                this.sessions.delete(id);
+        }
+        for (const [jti, ch] of this.challenges.entries()) {
+            if (now > ch.expiresAt)
+                this.challenges.delete(jti);
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/storage/memory/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/storage/memory/index.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,aAAa;IAChB,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IACtC,IAAI,GAAG,IAAI,GAAG,EAAoB,CAAC;IACnC,UAAU,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC1C,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAgB;QAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAa;QAC7B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAC5B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;YACrC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAoB;QACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAW;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QACnD,SAAS,CAAC,QAAQ,GAAG,IAAI,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAc;QACnC,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACrB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,EAAE;QACA,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACjD,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS;gBAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC;QACD,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,GAAG,GAAG,EAAE,CAAC,SAAS;gBAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}

package/dist/storage/postgres/index.d.ts

@@ -0,0 +1,19 @@
+import type { Pool } from "pg";
+import type { StorageAdapter, Session, BoundKey, Challenge } from "../../core/index.js";
+export declare class PostgresStorage implements StorageAdapter {
+    private readonly pool;
+    constructor(pool: Pool);
+    getSession(id: string): Promise<Session | null>;
+    setSession(session: Session): Promise<void>;
+    deleteSession(id: string): Promise<void>;
+    getBoundKey(sessionId: string): Promise<BoundKey | null>;
+    setBoundKey(key: BoundKey): Promise<void>;
+    deleteBoundKey(sessionId: string): Promise<void>;
+    getChallenge(jti: string): Promise<Challenge | null>;
+    setChallenge(challenge: Challenge): Promise<void>;
+    consumeChallenge(jti: string): Promise<boolean>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllForUser(userId: string): Promise<void>;
+    runMigrations(): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/storage/postgres/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/storage/postgres/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAc,MAAM,IAAI,CAAC;AAC3C,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAExF,qBAAa,eAAgB,YAAW,cAAc;IACxC,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,IAAI;IAEjC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IA6B/C,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAS3C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAsBxD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IASzC,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAwBpD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAS/C,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/C,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;CASrC"}

package/dist/storage/postgres/index.js

@@ -0,0 +1,89 @@
+export class PostgresStorage {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async getSession(id) {
+        const { rows } = await this.pool.query("SELECT id, user_id, tier, created_at, expires_at, last_refresh_at FROM dbsc_sessions WHERE id = $1", [id]);
+        const row = rows[0];
+        if (!row)
+            return null;
+        const expiresAt = parseInt(row.expires_at, 10);
+        if (Date.now() > expiresAt)
+            return null;
+        return {
+            id: row.id,
+            userId: row.user_id,
+            tier: row.tier,
+            createdAt: parseInt(row.created_at, 10),
+            expiresAt,
+            lastRefreshAt: row.last_refresh_at ? parseInt(row.last_refresh_at, 10) : 0,
+        };
+    }
+    async setSession(session) {
+        await this.pool.query(`INSERT INTO dbsc_sessions (id, user_id, tier, created_at, expires_at, last_refresh_at)
+       VALUES ($1, $2, $3, $4, $5, $6)
+       ON CONFLICT (id) DO UPDATE SET tier = $3, expires_at = $5, last_refresh_at = $6`, [session.id, session.userId, session.tier, session.createdAt, session.expiresAt, session.lastRefreshAt]);
+    }
+    async deleteSession(id) {
+        await this.pool.query("DELETE FROM dbsc_sessions WHERE id = $1", [id]);
+    }
+    async getBoundKey(sessionId) {
+        const { rows } = await this.pool.query("SELECT session_id, jwk, algorithm, created_at FROM dbsc_bound_keys WHERE session_id = $1", [sessionId]);
+        const row = rows[0];
+        if (!row)
+            return null;
+        return {
+            sessionId: row.session_id,
+            jwk: row.jwk,
+            algorithm: row.algorithm,
+            createdAt: parseInt(row.created_at, 10),
+        };
+    }
+    async setBoundKey(key) {
+        await this.pool.query(`INSERT INTO dbsc_bound_keys (session_id, jwk, algorithm, created_at)
+       VALUES ($1, $2, $3, $4)
+       ON CONFLICT (session_id) DO UPDATE SET jwk = $2, algorithm = $3`, [key.sessionId, JSON.stringify(key.jwk), key.algorithm, key.createdAt]);
+    }
+    async deleteBoundKey(sessionId) {
+        await this.pool.query("DELETE FROM dbsc_bound_keys WHERE session_id = $1", [sessionId]);
+    }
+    async getChallenge(jti) {
+        const { rows } = await this.pool.query("SELECT jti, session_id, created_at, expires_at, consumed FROM dbsc_challenges WHERE jti = $1", [jti]);
+        const row = rows[0];
+        if (!row)
+            return null;
+        return {
+            jti: row.jti,
+            sessionId: row.session_id,
+            createdAt: parseInt(row.created_at, 10),
+            expiresAt: parseInt(row.expires_at, 10),
+            consumed: row.consumed,
+        };
+    }
+    async setChallenge(challenge) {
+        await this.pool.query(`INSERT INTO dbsc_challenges (jti, session_id, created_at, expires_at, consumed)
+       VALUES ($1, $2, $3, $4, $5)`, [challenge.jti, challenge.sessionId, challenge.createdAt, challenge.expiresAt, challenge.consumed]);
+    }
+    async consumeChallenge(jti) {
+        const { rowCount } = await this.pool.query(`UPDATE dbsc_challenges SET consumed = TRUE
+       WHERE jti = $1 AND consumed = FALSE AND expires_at > $2`, [jti, Date.now()]);
+        return (rowCount ?? 0) > 0;
+    }
+    async revokeSession(sessionId) {
+        await this.deleteSession(sessionId);
+    }
+    async revokeAllForUser(userId) {
+        await this.pool.query("DELETE FROM dbsc_sessions WHERE user_id = $1", [userId]);
+    }
+    async runMigrations() {
+        await this.pool.query(`
+      CREATE TABLE IF NOT EXISTS dbsc_migrations (
+        id SERIAL PRIMARY KEY,
+        name TEXT UNIQUE NOT NULL,
+        applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/storage/postgres/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/storage/postgres/index.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,eAAe;IACG;IAA7B,YAA6B,IAAU;QAAV,SAAI,GAAJ,IAAI,CAAM;IAAG,CAAC;IAE3C,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAQpC,oGAAoG,EACpG,CAAC,EAAE,CAAC,CACL,CAAC;QAEF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAAE,OAAO,IAAI,CAAC;QAExC,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,MAAM,EAAE,GAAG,CAAC,OAAO;YACnB,IAAI,EAAE,GAAG,CAAC,IAAuB;YACjC,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC;YACvC,SAAS;YACT,aAAa,EAAE,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;SAC3E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAgB;QAC/B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACnB;;uFAEiF,EACjF,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,CACxG,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,yCAAyC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,SAAiB;QACjC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAMpC,0FAA0F,EAC1F,CAAC,SAAS,CAAC,CACZ,CAAC;QAEF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,OAAO;YACL,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,GAAG,EAAE,GAAG,CAAC,GAAiB;YAC1B,SAAS,EAAE,GAAG,CAAC,SAAkC;YACjD,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC;SACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAa;QAC7B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACnB;;uEAEiE,EACjE,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,CACvE,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mDAAmD,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IAC1F,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAOpC,8FAA8F,EAC9F,CAAC,GAAG,CAAC,CACN,CAAC;QAEF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,OAAO;YACL,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC;YACvC,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC;YACvC,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAoB;QACrC,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACnB;mCAC6B,EAC7B,CAAC,SAAS,CAAC,GAAG,EAAE,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CACnG,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAW;QAChC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACxC;+DACyD,EACzD,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAClB,CAAC;QACF,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAc;QACnC,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,8CAA8C,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;;;;;;KAMrB,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/storage/redis/index.d.ts

@@ -0,0 +1,18 @@
+import type { Redis } from "ioredis";
+import type { StorageAdapter, Session, BoundKey, Challenge } from "../../core/index.js";
+export declare class RedisStorage implements StorageAdapter {
+    private readonly client;
+    constructor(client: Redis);
+    getSession(id: string): Promise<Session | null>;
+    setSession(session: Session): Promise<void>;
+    deleteSession(id: string): Promise<void>;
+    getBoundKey(sessionId: string): Promise<BoundKey | null>;
+    setBoundKey(key: BoundKey): Promise<void>;
+    deleteBoundKey(sessionId: string): Promise<void>;
+    getChallenge(jti: string): Promise<Challenge | null>;
+    setChallenge(challenge: Challenge): Promise<void>;
+    consumeChallenge(jti: string): Promise<boolean>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllForUser(userId: string): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/storage/redis/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/storage/redis/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AA0BxF,qBAAa,YAAa,YAAW,cAAc;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,KAAK;IAEpC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAM/C,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAM3C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASxC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAMxD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAMpD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAKjD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK/C,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAYtD"}

package/dist/storage/redis/index.js

@@ -0,0 +1,88 @@
+const KEY = {
+    session: (id) => `dbsc:session:${id}`,
+    key: (sessionId) => `dbsc:key:${sessionId}`,
+    challenge: (jti) => `dbsc:challenge:${jti}`,
+    userSessions: (userId) => `dbsc:user:${userId}:sessions`,
+};
+// Lua script for atomic challenge consume: get, check consumed flag, set consumed=true
+const CONSUME_CHALLENGE_SCRIPT = `
+local raw = redis.call('GET', KEYS[1])
+if not raw then return 0 end
+local data = cjson.decode(raw)
+if data.consumed then return 0 end
+data.consumed = true
+local ttl = redis.call('TTL', KEYS[1])
+if ttl > 0 then
+  redis.call('SET', KEYS[1], cjson.encode(data), 'EX', ttl)
+else
+  redis.call('SET', KEYS[1], cjson.encode(data))
+end
+return 1
+`;
+export class RedisStorage {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    async getSession(id) {
+        const raw = await this.client.get(KEY.session(id));
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    async setSession(session) {
+        const ttlSeconds = Math.max(1, Math.ceil((session.expiresAt - Date.now()) / 1000));
+        await this.client.set(KEY.session(session.id), JSON.stringify(session), "EX", ttlSeconds);
+        await this.client.sadd(KEY.userSessions(session.userId), session.id);
+    }
+    async deleteSession(id) {
+        const raw = await this.client.get(KEY.session(id));
+        if (raw) {
+            const sess = JSON.parse(raw);
+            await this.client.srem(KEY.userSessions(sess.userId), id);
+        }
+        await this.client.del(KEY.session(id), KEY.key(id));
+    }
+    async getBoundKey(sessionId) {
+        const raw = await this.client.get(KEY.key(sessionId));
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    async setBoundKey(key) {
+        await this.client.set(KEY.key(key.sessionId), JSON.stringify(key));
+    }
+    async deleteBoundKey(sessionId) {
+        await this.client.del(KEY.key(sessionId));
+    }
+    async getChallenge(jti) {
+        const raw = await this.client.get(KEY.challenge(jti));
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    async setChallenge(challenge) {
+        const ttlSeconds = Math.max(1, Math.ceil((challenge.expiresAt - Date.now()) / 1000));
+        await this.client.set(KEY.challenge(challenge.jti), JSON.stringify(challenge), "EX", ttlSeconds);
+    }
+    async consumeChallenge(jti) {
+        const result = await this.client.eval(CONSUME_CHALLENGE_SCRIPT, 1, KEY.challenge(jti));
+        return result === 1;
+    }
+    async revokeSession(sessionId) {
+        await this.deleteSession(sessionId);
+    }
+    async revokeAllForUser(userId) {
+        const sessionIds = await this.client.smembers(KEY.userSessions(userId));
+        if (sessionIds.length === 0)
+            return;
+        const pipeline = this.client.pipeline();
+        for (const id of sessionIds) {
+            pipeline.del(KEY.session(id));
+            pipeline.del(KEY.key(id));
+        }
+        pipeline.del(KEY.userSessions(userId));
+        await pipeline.exec();
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/storage/redis/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/storage/redis/index.ts"],"names":[],"mappings":"AAIA,MAAM,GAAG,GAAG;IACV,OAAO,EAAE,CAAC,EAAU,EAAE,EAAE,CAAC,gBAAgB,EAAE,EAAE;IAC7C,GAAG,EAAE,CAAC,SAAiB,EAAE,EAAE,CAAC,YAAY,SAAS,EAAE;IACnD,SAAS,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,kBAAkB,GAAG,EAAE;IACnD,YAAY,EAAE,CAAC,MAAc,EAAE,EAAE,CAAC,aAAa,MAAM,WAAW;CACjE,CAAC;AAEF,uFAAuF;AACvF,MAAM,wBAAwB,GAAG;;;;;;;;;;;;;CAahC,CAAC;AAEF,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,MAAa;QAAb,WAAM,GAAN,MAAM,CAAO;IAAG,CAAC;IAE9C,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAgB;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QACnF,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;QAC1F,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;YACxC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,SAAiB;QACjC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAa;QAC7B,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAc,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAoB;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QACrF,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;IACnG,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAW;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;QACvF,OAAO,MAAM,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAc;QACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACxE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9B,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5B,CAAC;QACD,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACvC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACxB,CAAC;CACF"}

package/migrations/001_initial.sql

@@ -0,0 +1,41 @@
+CREATE TABLE IF NOT EXISTS dbsc_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  tier TEXT NOT NULL CHECK (tier IN ('dbsc', 'webauthn', 'hmac', 'none')),
+  created_at BIGINT NOT NULL,
+  expires_at BIGINT NOT NULL,
+  last_refresh_at BIGINT NOT NULL DEFAULT 0
+);
+
+CREATE INDEX IF NOT EXISTS dbsc_sessions_user_id ON dbsc_sessions (user_id);
+CREATE INDEX IF NOT EXISTS dbsc_sessions_expires_at ON dbsc_sessions (expires_at);
+
+CREATE TABLE IF NOT EXISTS dbsc_bound_keys (
+  session_id TEXT PRIMARY KEY REFERENCES dbsc_sessions (id) ON DELETE CASCADE,
+  jwk JSONB NOT NULL,
+  algorithm TEXT NOT NULL CHECK (algorithm IN ('ES256', 'RS256')),
+  created_at BIGINT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS dbsc_challenges (
+  jti TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  created_at BIGINT NOT NULL,
+  expires_at BIGINT NOT NULL,
+  consumed BOOLEAN NOT NULL DEFAULT FALSE
+);
+
+CREATE INDEX IF NOT EXISTS dbsc_challenges_session_id ON dbsc_challenges (session_id);
+CREATE INDEX IF NOT EXISTS dbsc_challenges_expires_at ON dbsc_challenges (expires_at);
+
+CREATE TABLE IF NOT EXISTS dbsc_audit_log (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  ip TEXT,
+  metadata JSONB,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS dbsc_audit_log_session_id ON dbsc_audit_log (session_id);
+CREATE INDEX IF NOT EXISTS dbsc_audit_log_created_at ON dbsc_audit_log (created_at);