handshake-auth 0.1.0 → 0.2.0

package/dist/strategies/magic-link.d.ts

@@ -0,0 +1,141 @@
+import type { AuthResult, Strategy, HandshakeCallbacks } from '../types.js';
+/**
+ * Configuration options for the Magic Link strategy.
+ */
+export interface MagicLinkOptions {
+    /**
+     * Base URL for building the callback URL (e.g., 'http://localhost:3000').
+     * Required for constructing the full magic link URL.
+     */
+    baseUrl: string;
+    /**
+     * Path for the magic link callback route.
+     * @default '/auth/magic/callback'
+     */
+    callbackPath?: string;
+    /**
+     * How many minutes until the token expires.
+     * @default 15
+     */
+    tokenExpiryMinutes?: number;
+    /**
+     * Callback to send the magic link to the user.
+     * You handle email delivery (e.g., via handshake-email, Postmark, Resend, etc.)
+     *
+     * @param email - The user's email address
+     * @param token - The generated token
+     * @param url - The full callback URL with token
+     */
+    sendMagicLink: (email: string, token: string, url: string) => Promise<void>;
+}
+/**
+ * Result from the send phase of magic link authentication.
+ * Returned when initiating a magic link flow.
+ */
+export interface MagicLinkSendResult {
+    sent: true;
+    email: string;
+}
+/**
+ * Magic Link authentication strategy for passwordless authentication.
+ *
+ * This strategy uses the Inversion of Control pattern:
+ * - Library handles token generation and flow logic
+ * - You provide callbacks for storage and email delivery
+ *
+ * The strategy has two phases:
+ * 1. **Send phase** (`magic:send`): Generate token, store it, and send email
+ * 2. **Verify phase** (`magic:verify`): Verify token and return account
+ *
+ * @example
+ * ```typescript
+ * const hs = new Handshake({
+ *   findAccount: async (email) => db.accounts.findByEmail(email),
+ *   storeMagicToken: async (email, token, expiresAt) => {
+ *     await db.magicTokens.create({ email, token, expiresAt });
+ *   },
+ *   verifyMagicToken: async (token) => {
+ *     const record = await db.magicTokens.findOne({ token });
+ *     if (!record || record.expiresAt < new Date()) return null;
+ *     await db.magicTokens.delete({ token }); // One-time use
+ *     return { email: record.email };
+ *   },
+ * });
+ *
+ * hs.use(new MagicLinkStrategy({
+ *   baseUrl: 'http://localhost:3000',
+ *   sendMagicLink: async (email, token, url) => {
+ *     await emailService.send(email, 'Your magic link', url);
+ *   },
+ * }));
+ * ```
+ */
+export declare class MagicLinkStrategy<TAccount> implements Strategy<TAccount> {
+    readonly name = "magic";
+    private readonly baseUrl;
+    private readonly callbackPath;
+    private readonly tokenExpiryMinutes;
+    private readonly sendMagicLink;
+    constructor(options: MagicLinkOptions);
+    /**
+     * Authenticate using the magic link strategy.
+     *
+     * This method handles two sub-strategies:
+     * - `magic:send` - Initiate magic link flow (send email)
+     * - `magic:verify` - Verify token and return account
+     *
+     * @param callbacks - Handshake callbacks
+     * @param args - [phase, ...phaseArgs] where phase is 'send' or 'verify'
+     */
+    authenticate(callbacks: HandshakeCallbacks<TAccount>, ...args: unknown[]): Promise<AuthResult<TAccount>>;
+    /**
+     * Handle the send phase: generate token, store it, and send email.
+     */
+    private handleSend;
+    /**
+     * Handle the verify phase: verify token and return account.
+     */
+    private handleVerify;
+    /**
+     * Build the full callback URL with the token.
+     */
+    private buildCallbackUrl;
+}
+/**
+ * Alias strategies for the two magic link phases.
+ * These allow using `hs.authenticate('magic:send', email)` syntax.
+ */
+export declare class MagicLinkSendStrategy<TAccount> implements Strategy<TAccount> {
+    private readonly magicLinkStrategy;
+    readonly name = "magic:send";
+    constructor(magicLinkStrategy: MagicLinkStrategy<TAccount>);
+    authenticate(callbacks: HandshakeCallbacks<TAccount>, ...args: unknown[]): Promise<AuthResult<TAccount>>;
+}
+export declare class MagicLinkVerifyStrategy<TAccount> implements Strategy<TAccount> {
+    private readonly magicLinkStrategy;
+    readonly name = "magic:verify";
+    constructor(magicLinkStrategy: MagicLinkStrategy<TAccount>);
+    authenticate(callbacks: HandshakeCallbacks<TAccount>, ...args: unknown[]): Promise<AuthResult<TAccount>>;
+}
+/**
+ * Helper function to register all magic link strategies at once.
+ *
+ * @example
+ * ```typescript
+ * import { Handshake, useMagicLink } from 'handshake-auth';
+ *
+ * const hs = new Handshake({...});
+ * useMagicLink(hs, {
+ *   baseUrl: 'http://localhost:3000',
+ *   sendMagicLink: async (email, token, url) => {...},
+ * });
+ *
+ * // Now you can use:
+ * await hs.authenticate('magic:send', email);
+ * await hs.authenticate('magic:verify', token);
+ * ```
+ */
+export declare function useMagicLink<TAccount>(hs: {
+    use: (strategy: Strategy<TAccount>) => unknown;
+}, options: MagicLinkOptions): MagicLinkStrategy<TAccount>;
+//# sourceMappingURL=magic-link.d.ts.map

package/dist/strategies/magic-link.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.d.ts","sourceRoot":"","sources":["../../src/strategies/magic-link.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAE5E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B;;;;;;;OAOG;IACH,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7E;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,qBAAa,iBAAiB,CAAC,QAAQ,CAAE,YAAW,QAAQ,CAAC,QAAQ,CAAC;IACpE,QAAQ,CAAC,IAAI,WAAW;IAExB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAoC;gBAEtD,OAAO,EAAE,gBAAgB;IAOrC;;;;;;;;;OASG;IACG,YAAY,CAChB,SAAS,EAAE,kBAAkB,CAAC,QAAQ,CAAC,EACvC,GAAG,IAAI,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAehC;;OAEG;YACW,UAAU;IAqCxB;;OAEG;YACW,YAAY;IAgC1B;;OAEG;IACH,OAAO,CAAC,gBAAgB;CAKzB;AAED;;;GAGG;AACH,qBAAa,qBAAqB,CAAC,QAAQ,CAAE,YAAW,QAAQ,CAAC,QAAQ,CAAC;IAG5D,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAF9C,QAAQ,CAAC,IAAI,gBAAgB;gBAEA,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,CAAC;IAErE,YAAY,CAChB,SAAS,EAAE,kBAAkB,CAAC,QAAQ,CAAC,EACvC,GAAG,IAAI,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;CAGjC;AAED,qBAAa,uBAAuB,CAAC,QAAQ,CAAE,YAAW,QAAQ,CAAC,QAAQ,CAAC;IAG9D,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAF9C,QAAQ,CAAC,IAAI,kBAAkB;gBAEF,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,CAAC;IAErE,YAAY,CAChB,SAAS,EAAE,kBAAkB,CAAC,QAAQ,CAAC,EACvC,GAAG,IAAI,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;CAGjC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EACnC,EAAE,EAAE;IAAE,GAAG,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,OAAO,CAAA;CAAE,EACtD,OAAO,EAAE,gBAAgB,GACxB,iBAAiB,CAAC,QAAQ,CAAC,CAM7B"}

package/dist/strategies/magic-link.js

@@ -0,0 +1,186 @@
+import { randomUUID } from 'crypto';
+/**
+ * Magic Link authentication strategy for passwordless authentication.
+ *
+ * This strategy uses the Inversion of Control pattern:
+ * - Library handles token generation and flow logic
+ * - You provide callbacks for storage and email delivery
+ *
+ * The strategy has two phases:
+ * 1. **Send phase** (`magic:send`): Generate token, store it, and send email
+ * 2. **Verify phase** (`magic:verify`): Verify token and return account
+ *
+ * @example
+ * ```typescript
+ * const hs = new Handshake({
+ *   findAccount: async (email) => db.accounts.findByEmail(email),
+ *   storeMagicToken: async (email, token, expiresAt) => {
+ *     await db.magicTokens.create({ email, token, expiresAt });
+ *   },
+ *   verifyMagicToken: async (token) => {
+ *     const record = await db.magicTokens.findOne({ token });
+ *     if (!record || record.expiresAt < new Date()) return null;
+ *     await db.magicTokens.delete({ token }); // One-time use
+ *     return { email: record.email };
+ *   },
+ * });
+ *
+ * hs.use(new MagicLinkStrategy({
+ *   baseUrl: 'http://localhost:3000',
+ *   sendMagicLink: async (email, token, url) => {
+ *     await emailService.send(email, 'Your magic link', url);
+ *   },
+ * }));
+ * ```
+ */
+export class MagicLinkStrategy {
+    name = 'magic';
+    baseUrl;
+    callbackPath;
+    tokenExpiryMinutes;
+    sendMagicLink;
+    constructor(options) {
+        this.baseUrl = options.baseUrl;
+        this.callbackPath = options.callbackPath ?? '/auth/magic/callback';
+        this.tokenExpiryMinutes = options.tokenExpiryMinutes ?? 15;
+        this.sendMagicLink = options.sendMagicLink;
+    }
+    /**
+     * Authenticate using the magic link strategy.
+     *
+     * This method handles two sub-strategies:
+     * - `magic:send` - Initiate magic link flow (send email)
+     * - `magic:verify` - Verify token and return account
+     *
+     * @param callbacks - Handshake callbacks
+     * @param args - [phase, ...phaseArgs] where phase is 'send' or 'verify'
+     */
+    async authenticate(callbacks, ...args) {
+        const [phase, ...phaseArgs] = args;
+        if (phase === 'send') {
+            return this.handleSend(callbacks, phaseArgs[0]);
+        }
+        else if (phase === 'verify') {
+            return this.handleVerify(callbacks, phaseArgs[0]);
+        }
+        else {
+            return {
+                account: null,
+                error: `Invalid magic link phase: ${phase}. Use 'send' or 'verify'`,
+            };
+        }
+    }
+    /**
+     * Handle the send phase: generate token, store it, and send email.
+     */
+    async handleSend(callbacks, email) {
+        if (!email) {
+            return { account: null, error: 'Email is required' };
+        }
+        if (!callbacks.storeMagicToken) {
+            return {
+                account: null,
+                error: 'storeMagicToken callback is required for magic link strategy',
+            };
+        }
+        // Generate token and expiry
+        const token = randomUUID();
+        const expiresAt = new Date(Date.now() + this.tokenExpiryMinutes * 60 * 1000);
+        // Build callback URL
+        const url = this.buildCallbackUrl(token);
+        // Store the token (user's responsibility)
+        await callbacks.storeMagicToken(email, token, expiresAt);
+        // Send the email (user's responsibility)
+        await this.sendMagicLink(email, token, url);
+        // Return special result for send phase
+        // We return account: null but no error to indicate success
+        // The caller should check for the absence of error
+        return {
+            account: null,
+            // No error means success - email was sent
+        };
+    }
+    /**
+     * Handle the verify phase: verify token and return account.
+     */
+    async handleVerify(callbacks, token) {
+        if (!token) {
+            return { account: null, error: 'Token is required' };
+        }
+        if (!callbacks.verifyMagicToken) {
+            return {
+                account: null,
+                error: 'verifyMagicToken callback is required for magic link strategy',
+            };
+        }
+        // Verify the token (user's responsibility to check expiry and delete)
+        const result = await callbacks.verifyMagicToken(token);
+        if (!result) {
+            return { account: null, error: 'Invalid or expired token' };
+        }
+        // Find the account by email
+        const account = await callbacks.findAccount(result.email);
+        if (!account) {
+            return { account: null, error: 'Account not found' };
+        }
+        return { account, strategy: this.name };
+    }
+    /**
+     * Build the full callback URL with the token.
+     */
+    buildCallbackUrl(token) {
+        const base = this.baseUrl.endsWith('/') ? this.baseUrl.slice(0, -1) : this.baseUrl;
+        const path = this.callbackPath.startsWith('/') ? this.callbackPath : `/${this.callbackPath}`;
+        return `${base}${path}?token=${encodeURIComponent(token)}`;
+    }
+}
+/**
+ * Alias strategies for the two magic link phases.
+ * These allow using `hs.authenticate('magic:send', email)` syntax.
+ */
+export class MagicLinkSendStrategy {
+    magicLinkStrategy;
+    name = 'magic:send';
+    constructor(magicLinkStrategy) {
+        this.magicLinkStrategy = magicLinkStrategy;
+    }
+    async authenticate(callbacks, ...args) {
+        return this.magicLinkStrategy.authenticate(callbacks, 'send', ...args);
+    }
+}
+export class MagicLinkVerifyStrategy {
+    magicLinkStrategy;
+    name = 'magic:verify';
+    constructor(magicLinkStrategy) {
+        this.magicLinkStrategy = magicLinkStrategy;
+    }
+    async authenticate(callbacks, ...args) {
+        return this.magicLinkStrategy.authenticate(callbacks, 'verify', ...args);
+    }
+}
+/**
+ * Helper function to register all magic link strategies at once.
+ *
+ * @example
+ * ```typescript
+ * import { Handshake, useMagicLink } from 'handshake-auth';
+ *
+ * const hs = new Handshake({...});
+ * useMagicLink(hs, {
+ *   baseUrl: 'http://localhost:3000',
+ *   sendMagicLink: async (email, token, url) => {...},
+ * });
+ *
+ * // Now you can use:
+ * await hs.authenticate('magic:send', email);
+ * await hs.authenticate('magic:verify', token);
+ * ```
+ */
+export function useMagicLink(hs, options) {
+    const strategy = new MagicLinkStrategy(options);
+    hs.use(strategy);
+    hs.use(new MagicLinkSendStrategy(strategy));
+    hs.use(new MagicLinkVerifyStrategy(strategy));
+    return strategy;
+}
+//# sourceMappingURL=magic-link.js.map

package/dist/strategies/magic-link.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.js","sourceRoot":"","sources":["../../src/strategies/magic-link.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AA6CpC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,OAAO,CAAC;IAEP,OAAO,CAAS;IAChB,YAAY,CAAS;IACrB,kBAAkB,CAAS;IAC3B,aAAa,CAAoC;IAElE,YAAY,OAAyB;QACnC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,sBAAsB,CAAC;QACnE,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,EAAE,CAAC;QAC3D,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,SAAuC,EACvC,GAAG,IAAe;QAElB,MAAM,CAAC,KAAK,EAAE,GAAG,SAAS,CAAC,GAAG,IAA8B,CAAC;QAE7D,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAW,CAAC,CAAC;QAC5D,CAAC;aAAM,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAW,CAAC,CAAC;QAC9D,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,6BAA6B,KAAK,0BAA0B;aACpE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CACtB,SAAuC,EACvC,KAAa;QAEb,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACvD,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,8DAA8D;aACtE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE7E,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAEzC,0CAA0C;QAC1C,MAAM,SAAS,CAAC,eAAe,CAAC,KAAK,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAEzD,yCAAyC;QACzC,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAE5C,uCAAuC;QACvC,2DAA2D;QAC3D,mDAAmD;QACnD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,0CAA0C;SACkB,CAAC;IACjE,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,SAAuC,EACvC,KAAa;QAEb,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACvD,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,+DAA+D;aACvE,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAEvD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;QAC9D,CAAC;QAED,4BAA4B;QAC5B,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACvD,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,KAAa;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;QACnF,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC7F,OAAO,GAAG,IAAI,GAAG,IAAI,UAAU,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAC7D,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IAGH;IAFpB,IAAI,GAAG,YAAY,CAAC;IAE7B,YAA6B,iBAA8C;QAA9C,sBAAiB,GAAjB,iBAAiB,CAA6B;IAAG,CAAC;IAE/E,KAAK,CAAC,YAAY,CAChB,SAAuC,EACvC,GAAG,IAAe;QAElB,OAAO,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC;IACzE,CAAC;CACF;AAED,MAAM,OAAO,uBAAuB;IAGL;IAFpB,IAAI,GAAG,cAAc,CAAC;IAE/B,YAA6B,iBAA8C;QAA9C,sBAAiB,GAAjB,iBAAiB,CAA6B;IAAG,CAAC;IAE/E,KAAK,CAAC,YAAY,CAChB,SAAuC,EACvC,GAAG,IAAe;QAElB,OAAO,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,CAAC;IAC3E,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,YAAY,CAC1B,EAAsD,EACtD,OAAyB;IAEzB,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAW,OAAO,CAAC,CAAC;IAC1D,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjB,EAAE,CAAC,GAAG,CAAC,IAAI,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC5C,EAAE,CAAC,GAAG,CAAC,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9C,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/strategies/microsoft.d.ts

@@ -0,0 +1,127 @@
+import type { OAuthProfile } from '../types.js';
+import { OAuthStrategy } from './oauth-base.js';
+/**
+ * Microsoft user profile from the Microsoft Graph /me endpoint.
+ */
+export interface MicrosoftProfile {
+    id: string;
+    displayName?: string;
+    givenName?: string;
+    surname?: string;
+    mail?: string;
+    userPrincipalName?: string;
+    jobTitle?: string;
+    officeLocation?: string;
+    preferredLanguage?: string;
+    businessPhones?: string[];
+    mobilePhone?: string;
+}
+/**
+ * Microsoft tenant options.
+ * - 'common': Any Microsoft account (personal or work/school)
+ * - 'organizations': Work/school accounts only
+ * - 'consumers': Personal Microsoft accounts only
+ * - Specific tenant ID: Accounts from that tenant only
+ */
+export type MicrosoftTenant = 'common' | 'organizations' | 'consumers' | string;
+/**
+ * Configuration options for Microsoft OAuth strategy.
+ */
+export interface MicrosoftStrategyOptions {
+    /**
+     * Microsoft OAuth client ID (Application ID)
+     */
+    clientId: string;
+    /**
+     * Microsoft OAuth client secret
+     */
+    clientSecret: string;
+    /**
+     * Your callback URL (must match Azure Portal configuration)
+     */
+    redirectUri: string;
+    /**
+     * Azure AD tenant
+     * - 'common': Any Microsoft account (default)
+     * - 'organizations': Work/school accounts only
+     * - 'consumers': Personal Microsoft accounts only
+     * - Specific tenant ID: Accounts from that tenant only
+     * @default 'common'
+     */
+    tenant?: MicrosoftTenant;
+    /**
+     * OAuth scopes to request
+     * @default ['openid', 'email', 'profile', 'User.Read']
+     */
+    scopes?: string[];
+}
+/**
+ * Microsoft OAuth2 authentication strategy using Azure AD / Microsoft Identity Platform.
+ *
+ * Supports multiple tenant configurations:
+ * - `common`: Accept any Microsoft account
+ * - `organizations`: Only work/school accounts
+ * - `consumers`: Only personal Microsoft accounts
+ * - Specific tenant ID: Only accounts from that organization
+ *
+ * @example
+ * ```typescript
+ * const hs = new Handshake({
+ *   findAccount: async (email) => db.accounts.findByEmail(email),
+ *   findOrCreateFromOAuth: async (provider, profile) => {
+ *     let account = await db.accounts.findByProviderId(provider, profile.id);
+ *     if (!account) {
+ *       account = await db.accounts.create({
+ *         email: profile.email,
+ *         name: profile.name,
+ *         providerId: profile.id,
+ *         provider,
+ *       });
+ *     }
+ *     return account;
+ *   },
+ * });
+ *
+ * // Accept any Microsoft account
+ * hs.use(new MicrosoftStrategy({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ *   redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+ *   tenant: 'common',
+ * }));
+ *
+ * // Or restrict to a specific organization
+ * hs.use(new MicrosoftStrategy({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ *   redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+ *   tenant: 'your-tenant-id',
+ * }));
+ *
+ * // Routes
+ * app.get('/auth/microsoft', async (req, res) => {
+ *   const result = await hs.authenticate('microsoft', req, res, 'redirect');
+ *   if ('redirectUrl' in result) {
+ *     res.redirect(result.redirectUrl);
+ *   }
+ * });
+ *
+ * app.get('/auth/microsoft/callback', async (req, res) => {
+ *   const result = await hs.authenticate('microsoft', req, res, 'callback');
+ *   if (result.account) {
+ *     login(req, result.account);
+ *     res.redirect('/dashboard');
+ *   } else {
+ *     res.status(401).send(result.error);
+ *   }
+ * });
+ * ```
+ */
+export declare class MicrosoftStrategy<TAccount> extends OAuthStrategy<TAccount> {
+    constructor(options: MicrosoftStrategyOptions);
+    /**
+     * Map Microsoft profile to standard OAuthProfile.
+     */
+    protected mapProfile(data: unknown, accessToken: string): OAuthProfile;
+}
+//# sourceMappingURL=microsoft.d.ts.map

package/dist/strategies/microsoft.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.d.ts","sourceRoot":"","sources":["../../src/strategies/microsoft.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,eAAe,GAAG,WAAW,GAAG,MAAM,CAAC;AAEhF;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;;;;OAOG;IACH,MAAM,CAAC,EAAE,eAAe,CAAC;IAEzB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AACH,qBAAa,iBAAiB,CAAC,QAAQ,CAAE,SAAQ,aAAa,CAAC,QAAQ,CAAC;gBAC1D,OAAO,EAAE,wBAAwB;IAgB7C;;OAEG;IAEH,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,GAAG,YAAY;CAgBvE"}

package/dist/strategies/microsoft.js

@@ -0,0 +1,98 @@
+import { OAuthStrategy } from './oauth-base.js';
+/**
+ * Microsoft OAuth2 authentication strategy using Azure AD / Microsoft Identity Platform.
+ *
+ * Supports multiple tenant configurations:
+ * - `common`: Accept any Microsoft account
+ * - `organizations`: Only work/school accounts
+ * - `consumers`: Only personal Microsoft accounts
+ * - Specific tenant ID: Only accounts from that organization
+ *
+ * @example
+ * ```typescript
+ * const hs = new Handshake({
+ *   findAccount: async (email) => db.accounts.findByEmail(email),
+ *   findOrCreateFromOAuth: async (provider, profile) => {
+ *     let account = await db.accounts.findByProviderId(provider, profile.id);
+ *     if (!account) {
+ *       account = await db.accounts.create({
+ *         email: profile.email,
+ *         name: profile.name,
+ *         providerId: profile.id,
+ *         provider,
+ *       });
+ *     }
+ *     return account;
+ *   },
+ * });
+ *
+ * // Accept any Microsoft account
+ * hs.use(new MicrosoftStrategy({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ *   redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+ *   tenant: 'common',
+ * }));
+ *
+ * // Or restrict to a specific organization
+ * hs.use(new MicrosoftStrategy({
+ *   clientId: process.env.MICROSOFT_CLIENT_ID!,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
+ *   redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+ *   tenant: 'your-tenant-id',
+ * }));
+ *
+ * // Routes
+ * app.get('/auth/microsoft', async (req, res) => {
+ *   const result = await hs.authenticate('microsoft', req, res, 'redirect');
+ *   if ('redirectUrl' in result) {
+ *     res.redirect(result.redirectUrl);
+ *   }
+ * });
+ *
+ * app.get('/auth/microsoft/callback', async (req, res) => {
+ *   const result = await hs.authenticate('microsoft', req, res, 'callback');
+ *   if (result.account) {
+ *     login(req, result.account);
+ *     res.redirect('/dashboard');
+ *   } else {
+ *     res.status(401).send(result.error);
+ *   }
+ * });
+ * ```
+ */
+export class MicrosoftStrategy extends OAuthStrategy {
+    constructor(options) {
+        const tenant = options.tenant ?? 'common';
+        super({
+            name: 'microsoft',
+            clientId: options.clientId,
+            clientSecret: options.clientSecret,
+            redirectUri: options.redirectUri,
+            authorizeUrl: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`,
+            tokenUrl: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
+            userInfoUrl: 'https://graph.microsoft.com/v1.0/me',
+            scopes: options.scopes ?? ['openid', 'email', 'profile', 'User.Read'],
+            stateCookieName: 'microsoft_oauth_state',
+        });
+    }
+    /**
+     * Map Microsoft profile to standard OAuthProfile.
+     */
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    mapProfile(data, accessToken) {
+        const profile = data;
+        // Microsoft may provide email in 'mail' or 'userPrincipalName'
+        // userPrincipalName is often an email for work/school accounts
+        const email = profile.mail ??
+            (profile.userPrincipalName?.includes('@') ? profile.userPrincipalName : null);
+        return {
+            id: profile.id,
+            email: email ?? null,
+            name: profile.displayName ?? null,
+            picture: null, // Microsoft Graph requires separate API call for photo
+            raw: profile,
+        };
+    }
+}
+//# sourceMappingURL=microsoft.js.map

package/dist/strategies/microsoft.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.js","sourceRoot":"","sources":["../../src/strategies/microsoft.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAgEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AACH,MAAM,OAAO,iBAA4B,SAAQ,aAAuB;IACtE,YAAY,OAAiC;QAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC;QAE1C,KAAK,CAAC;YACJ,IAAI,EAAE,WAAW;YACjB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,YAAY,EAAE,qCAAqC,MAAM,wBAAwB;YACjF,QAAQ,EAAE,qCAAqC,MAAM,oBAAoB;YACzE,WAAW,EAAE,qCAAqC;YAClD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;YACrE,eAAe,EAAE,uBAAuB;SACzC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,6DAA6D;IACnD,UAAU,CAAC,IAAa,EAAE,WAAmB;QACrD,MAAM,OAAO,GAAG,IAAwB,CAAC;QAEzC,+DAA+D;QAC/D,+DAA+D;QAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI;YACxB,CAAC,OAAO,CAAC,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAEhF,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,KAAK,EAAE,KAAK,IAAI,IAAI;YACpB,IAAI,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;YACjC,OAAO,EAAE,IAAI,EAAE,uDAAuD;YACtE,GAAG,EAAE,OAA6C;SACnD,CAAC;IACJ,CAAC;CACF"}