kroxt 1.1.2 → 1.1.4

package/README.md

@@ -6,12 +6,13 @@ A framework-agnostic, modular authentication engine for modern TypeScript applic
 
 - 🔐 **Secure Hashing**: Powered by `argon2` for industry-standard password security.
 - 🎟️ **Dual-Token Sessions**: Native support for Access and Refresh tokens via `jose`.
+- 🧩 **JWT Customization**: Fully extensible payload with support for custom user fields and `sub` override.
 - 🌍 **OAuth Ready**: Built-in support for GitHub and Google OAuth via `arctic`.
 - 🧩 **Database Agnostic**: Use Mongoose, Prisma, Drizzle, or any store via the `AuthAdapter` pattern.
 - 🌶️ **Password Peppering**: Server-side pepper support for enhanced hash protection.
 - 🛡️ **Timing Attack Protection**: Built-in safeguards against side-channel analysis during login.
 - ✅ **Zod Schema Support**: Perfectly preserves and types your user metadata.
-- 🚀 **ESM First**: Native support for NodeNext module resolution.
+- 🌍 **Dual ESM/CJS Support**: Native support for both modern ESM (`import`) and CommonJS (`require`).
 
 ## Installation
 
@@ -25,35 +26,60 @@ npm install kroxt
 
 This guide walks you through setting up Kroxt from scratch in your application.
 
-### Step 1: The Adapter Pattern
+### Step 1: Define your User
 
-Kroxt doesn't care which database you use. You just need to implement the `AuthAdapter` interface. 
+First, define what a User looks like in your system. Kroxt allows any additional fields (like `role`, `schoolId`, etc.) which you can later sign into your JWTs.
 
-In this example, we use a simple user structure: `name`, `email`, and `password`.
-> [!NOTE]
-> Kroxt's adapter can accept **any** additional fields your application requires (e.g., `role`, `avatar`, `preferences`) with no limits.
+```typescript
+export interface MyUser {
+  id: string;
+  email: string;
+  passwordHash: string;
+  role: 'admin' | 'user';
+  schoolId: string;    // Custom field for enterprise/multi-tenant apps
+  oauthProvider?: string; // Support for OAuth (e.g., 'github')
+  oauthId?: string;       // Unique ID from the provider
+  name: string;
+}
+```
+
+### Step 2: The Adapter Pattern
+
+Kroxt doesn't care which database you use. You just need to implement the `AuthAdapter` interface using your model. Here is a complete example using Mongoose:
 
 ```typescript
-import type { AuthAdapter, User } from "kroxt/adapter";
+import type { AuthAdapter } from "kroxt/adapter";
+import { User } from "./models/user.model.js"; // Your Mongoose model
+import type { MyUser } from "./types.js";
 
-export const myAdapter: AuthAdapter = {
+export const myAdapter: AuthAdapter<MyUser> = {
   createUser: async (data) => {
-    // Save to your DB: { name, email, passwordHash, ...anyOtherFields }
-    // return the created user including its unique id
+    const user = await User.create(data);
+    const obj = user.toObject();
+    return { ...obj, id: obj._id.toString() };
   },
   findUserByEmail: async (email) => {
-    // Find user by email in your DB
+    const user = await User.findOne({ email });
+    if (!user) return null;
+    const obj = user.toObject();
+    return { ...obj, id: obj._id.toString() };
   },
   findUserById: async (id) => {
-    // Find user by ID in your DB
+    const user = await User.findById(id);
+    if (!user) return null;
+    const obj = user.toObject();
+    return { ...obj, id: obj._id.toString() };
   },
-  linkOAuthAccount: async (user, provider, providerId) => {
-    // Link an OAuth provider to an existing user
+  linkOAuthAccount: async (userId, provider, providerId) => {
+    await User.findByIdAndUpdate(userId, {
+      oauthProvider: provider,
+      oauthId: providerId
+    });
   }
 };
 ```
 
-### Step 2: Initialize the Auth Engine
+### Step 3: Initialize the Auth Engine
 
 Configure Kroxt with your adapter and security settings.
 
@@ -68,11 +94,26 @@ export const auth = createAuth({
   session: {
     expires: "15m",        // Access token duration
     refreshExpires: "7d"   // Refresh token duration
+  },
+  jwt: {
+    /**
+     * Optional: Fully customize the JWT payload or add extra fields.
+     */
+    payload: (user, type) => {
+      // Only add extra details to 'access' tokens to keep 'refresh' tokens light.
+      if (type === "access") {
+        return {
+          schoolId: user.schoolId, // Add custom user detail
+          role: user.role,         // Explicitly include role
+        };
+      }
+      return {}; // Refresh tokens stay minimal
+    }
   }
 });
 ```
 
-### Step 3: Implement Controllers & Routes
+### Step 4: Implement Controllers & Routes
 
 Use the engine in your application logic. Examples below use an Express-like structure.
 

package/dist/adapter.cjs

@@ -0,0 +1,17 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var adapter_exports = {};
+module.exports = __toCommonJS(adapter_exports);
+//# sourceMappingURL=adapter.cjs.map

package/dist/adapter.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/adapter.ts"],
+  "sourcesContent": ["export interface BaseUser {\r\n  id: string;\r\n  email: string;\r\n  passwordHash?: string;\r\n  role?: string;\r\n}\r\n\r\n// Allows any extended fields natively (like nin, bvn, maritalStatus, etc.)\r\nexport type User<TExtended = Record<string, any>> = BaseUser & TExtended;\r\n\r\nexport interface AuthAdapter<TUser = User> {\r\n  createUser: (data: any) => Promise<TUser>;\r\n  findUserByEmail: (email: string) => Promise<TUser | null>;\r\n  findUserById: (id: string) => Promise<TUser | null>;\r\n  linkOAuthAccount: (userId: string, provider: string, providerId: string) => Promise<void>;\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;",
+  "names": []
+}

package/{dist-lib → dist}/adapter.d.ts

@@ -11,3 +11,4 @@ export interface AuthAdapter<TUser = User> {
     findUserById: (id: string) => Promise<TUser | null>;
     linkOAuthAccount: (userId: string, provider: string, providerId: string) => Promise<void>;
 }
+//# sourceMappingURL=adapter.d.ts.map

package/dist/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/auth/adapter.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,MAAM,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,QAAQ,GAAG,SAAS,CAAC;AAEzE,MAAM,WAAW,WAAW,CAAC,KAAK,GAAG,IAAI;IACvC,UAAU,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1C,eAAe,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAC1D,YAAY,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACpD,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3F"}

package/dist/adapter.js

@@ -0,0 +1 @@
+//# sourceMappingURL=adapter.js.map

package/dist/adapter.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": [],
+  "sourcesContent": [],
+  "mappings": "",
+  "names": []
+}

package/dist/core.cjs

@@ -0,0 +1,113 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var core_exports = {};
+__export(core_exports, {
+  createAuth: () => createAuth,
+  generateSecret: () => generateSecret
+});
+module.exports = __toCommonJS(core_exports);
+var argon2 = __toESM(require("argon2"), 1);
+var import_jose = require("jose");
+var import_crypto = __toESM(require("crypto"), 1);
+function createAuth(options) {
+  const { adapter, secret, pepper, session, providers } = options;
+  const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+  const expiration = session?.expires || "1h";
+  const refreshExpiration = session?.refreshExpires || "7d";
+  async function generateToken(user, type = "access") {
+    let payload = { sub: user.id, role: user.role, type };
+    if (options.jwt?.payload) {
+      const customPayload = options.jwt.payload(user, type);
+      payload = { ...payload, ...customPayload };
+    }
+    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(type === "access" ? expiration : refreshExpiration).sign(encodedSecret);
+  }
+  async function verifyToken(token, expectedType = "access") {
+    try {
+      const { payload } = await (0, import_jose.jwtVerify)(token, encodedSecret);
+      if (payload.type !== expectedType) return null;
+      return payload;
+    } catch (e) {
+      return null;
+    }
+  }
+  async function refresh(refreshToken) {
+    const payload = await verifyToken(refreshToken, "refresh");
+    if (!payload || !payload.sub) {
+      throw new Error("Invalid or expired refresh token");
+    }
+    const user = await adapter.findUserById(payload.sub);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    const accessToken = await generateToken(user, "access");
+    return { accessToken };
+  }
+  async function signup(userData, password) {
+    let dataToSave = { ...userData };
+    if (password) {
+      const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+      dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
+    }
+    const newUser = await adapter.createUser(dataToSave);
+    const accessToken = await generateToken(newUser, "access");
+    const refreshToken = await generateToken(newUser, "refresh");
+    return { user: newUser, accessToken, refreshToken };
+  }
+  async function loginWithPassword(email, password) {
+    const user = await adapter.findUserByEmail(email);
+    const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
+    const targetHash = user?.passwordHash || dummyHash;
+    const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+    const isValid = await argon2.verify(targetHash, passwordWithPepper);
+    if (!user || !user.passwordHash || !isValid) {
+      throw new Error("Invalid credentials");
+    }
+    const accessToken = await generateToken(user, "access");
+    const refreshToken = await generateToken(user, "refresh");
+    return { user, accessToken, refreshToken };
+  }
+  return {
+    signup,
+    loginWithPassword,
+    refresh,
+    verifyToken,
+    generateToken,
+    _providers: providers
+  };
+}
+function generateSecret(length = 32) {
+  return import_crypto.default.getRandomValues(new Uint8Array(length));
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuth,
+  generateSecret
+});
+//# sourceMappingURL=core.cjs.map

package/dist/core.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/core.ts"],
+  "sourcesContent": ["import * as argon2 from \"argon2\";\r\nimport { SignJWT, jwtVerify } from \"jose\";\r\nimport crypto from \"crypto\";\r\nimport type { AuthAdapter, User } from \"./adapter.js\";\r\nimport type { Provider } from \"./providers.js\";\r\n\r\nexport interface CreateAuthOptions {\r\n    adapter: AuthAdapter<any>;\r\n    secret: string | Uint8Array;\r\n    pepper?: string;\r\n    session?: {\r\n        expires?: string | number; // For access tokens\r\n        refreshExpires?: string | number; // For refresh tokens\r\n    };\r\n    providers?: Provider[];\r\n    jwt?: {\r\n        /**\r\n         * A callback to add custom fields to the JWT payload.\r\n         * It receives the user object and the token type ('access' or 'refresh').\r\n         * Return an object containing the fields to be merged into the payload.\r\n         * You can also override default fields like 'sub'.\r\n         */\r\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\r\n    };\r\n}\r\n\r\nexport function createAuth(options: CreateAuthOptions) {\r\n    const { adapter, secret, pepper, session, providers } = options;\r\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\r\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\r\n    const refreshExpiration = session?.refreshExpires || \"7d\";\r\n\r\n    /**\r\n     * Generates a stateless JWT for a user session\r\n     */\r\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\r\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\r\n\r\n        if (options.jwt?.payload) {\r\n            const customPayload = options.jwt.payload(user, type);\r\n            payload = { ...payload, ...customPayload };\r\n        }\r\n\r\n        return new SignJWT(payload)\r\n            .setProtectedHeader({ alg: \"HS256\" })\r\n            .setIssuedAt()\r\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\r\n            .sign(encodedSecret);\r\n    }\r\n\r\n    /**\r\n     * Verifies a JWT and returns the payload.\r\n     * Optionally checks for a specific token type (access/refresh).\r\n     */\r\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\r\n        try {\r\n            const { payload } = await jwtVerify(token, encodedSecret);\r\n            if (payload.type !== expectedType) return null;\r\n            return payload;\r\n        } catch (e) {\r\n            return null;\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Refreshes an access token using a valid refresh token.\r\n     */\r\n    async function refresh(refreshToken: string) {\r\n        const payload = await verifyToken(refreshToken, \"refresh\");\r\n        if (!payload || !payload.sub) {\r\n            throw new Error(\"Invalid or expired refresh token\");\r\n        }\r\n\r\n        const user = await adapter.findUserById(payload.sub as string);\r\n        if (!user) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        return { accessToken };\r\n    }\r\n\r\n    /**\r\n     * Signup with a new user payload.\r\n     * Incorporates server-side pepper for password hashing if provided.\r\n     */\r\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\r\n        let dataToSave = { ...userData };\r\n\r\n        if (password) {\r\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\r\n        }\r\n\r\n        const newUser = await adapter.createUser(dataToSave);\r\n        const accessToken = await generateToken(newUser, \"access\");\r\n        const refreshToken = await generateToken(newUser, \"refresh\");\r\n\r\n        return { user: newUser, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Standard Email/Password Login.\r\n     * Includes timing attack protection and password peppering.\r\n     */\r\n    async function loginWithPassword(email: string, password: string) {\r\n        const user = await adapter.findUserByEmail(email);\r\n\r\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\r\n        // We use a dummy hash to keep execution time consistent.\r\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\r\n        const targetHash = user?.passwordHash || dummyHash;\r\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n\r\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\r\n\r\n        if (!user || !user.passwordHash || !isValid) {\r\n            throw new Error(\"Invalid credentials\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        const refreshToken = await generateToken(user, \"refresh\");\r\n\r\n        return { user, accessToken, refreshToken };\r\n    }\r\n\r\n    return {\r\n        signup,\r\n        loginWithPassword,\r\n        refresh,\r\n        verifyToken,\r\n        generateToken,\r\n        _providers: providers\r\n    };\r\n}\r\n\r\n/**\r\n * Utility to generate a high-entropy cryptographically secure secret.\r\n * Useful for initializing the 'secret' option in createAuth.\r\n */\r\nexport function generateSecret(length: number = 32): Uint8Array {\r\n    return crypto.getRandomValues(new Uint8Array(length));\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAwB;AACxB,kBAAmC;AACnC,oBAAmB;AAwBZ,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,UAAU,IAAI;AACxD,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAKrD,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAEzE,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,oBAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAC1C,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB;AAC9D,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,cAAAA,QAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
+  "names": ["crypto"]
+}

package/{dist-lib → dist}/core.d.ts

@@ -9,6 +9,15 @@ export interface CreateAuthOptions {
         refreshExpires?: string | number;
     };
     providers?: Provider[];
+    jwt?: {
+        /**
+         * A callback to add custom fields to the JWT payload.
+         * It receives the user object and the token type ('access' or 'refresh').
+         * Return an object containing the fields to be merged into the payload.
+         * You can also override default fields like 'sub'.
+         */
+        payload?: (user: User<any>, type: "access" | "refresh") => Record<string, any>;
+    };
 }
 export declare function createAuth(options: CreateAuthOptions): {
     signup: (userData: Omit<User<any>, "id">, password?: string) => Promise<{
@@ -24,12 +33,13 @@ export declare function createAuth(options: CreateAuthOptions): {
     refresh: (refreshToken: string) => Promise<{
         accessToken: string;
     }>;
-    verifyToken: (token: string, expectedType?: "access" | "refresh") => Promise<import("jose").JWTPayload>;
+    verifyToken: (token: string, expectedType?: "access" | "refresh") => Promise<import("jose").JWTPayload | null>;
     generateToken: (user: User<any>, type?: "access" | "refresh") => Promise<string>;
-    _providers: Provider[];
+    _providers: Provider[] | undefined;
 };
 /**
  * Utility to generate a high-entropy cryptographically secure secret.
  * Useful for initializing the 'secret' option in createAuth.
  */
 export declare function generateSecret(length?: number): Uint8Array;
+//# sourceMappingURL=core.d.ts.map

package/dist/core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../src/auth/core.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C,MAAM,WAAW,iBAAiB;IAC9B,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;IAC1B,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE;QACN,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAC1B,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;KACpC,CAAC;IACF,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC;IACvB,GAAG,CAAC,EAAE;QACF;;;;;WAKG;QACH,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,QAAQ,GAAG,SAAS,KAAK,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAClF,CAAC;CACL;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB;uBA4DjB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,aAAa,MAAM;;;;;+BAmBhC,MAAM,YAAY,MAAM;;;;;4BAtC3B,MAAM;;;yBAbT,MAAM,iBAAgB,QAAQ,GAAG,SAAS;0BAnBzC,IAAI,CAAC,GAAG,CAAC,SAAQ,QAAQ,GAAG,SAAS;;EAmG3E;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,GAAE,MAAW,GAAG,UAAU,CAE9D"}

package/dist/core.js

@@ -0,0 +1,78 @@
+import * as argon2 from "argon2";
+import { SignJWT, jwtVerify } from "jose";
+import crypto from "crypto";
+function createAuth(options) {
+  const { adapter, secret, pepper, session, providers } = options;
+  const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+  const expiration = session?.expires || "1h";
+  const refreshExpiration = session?.refreshExpires || "7d";
+  async function generateToken(user, type = "access") {
+    let payload = { sub: user.id, role: user.role, type };
+    if (options.jwt?.payload) {
+      const customPayload = options.jwt.payload(user, type);
+      payload = { ...payload, ...customPayload };
+    }
+    return new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(type === "access" ? expiration : refreshExpiration).sign(encodedSecret);
+  }
+  async function verifyToken(token, expectedType = "access") {
+    try {
+      const { payload } = await jwtVerify(token, encodedSecret);
+      if (payload.type !== expectedType) return null;
+      return payload;
+    } catch (e) {
+      return null;
+    }
+  }
+  async function refresh(refreshToken) {
+    const payload = await verifyToken(refreshToken, "refresh");
+    if (!payload || !payload.sub) {
+      throw new Error("Invalid or expired refresh token");
+    }
+    const user = await adapter.findUserById(payload.sub);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    const accessToken = await generateToken(user, "access");
+    return { accessToken };
+  }
+  async function signup(userData, password) {
+    let dataToSave = { ...userData };
+    if (password) {
+      const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+      dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
+    }
+    const newUser = await adapter.createUser(dataToSave);
+    const accessToken = await generateToken(newUser, "access");
+    const refreshToken = await generateToken(newUser, "refresh");
+    return { user: newUser, accessToken, refreshToken };
+  }
+  async function loginWithPassword(email, password) {
+    const user = await adapter.findUserByEmail(email);
+    const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
+    const targetHash = user?.passwordHash || dummyHash;
+    const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+    const isValid = await argon2.verify(targetHash, passwordWithPepper);
+    if (!user || !user.passwordHash || !isValid) {
+      throw new Error("Invalid credentials");
+    }
+    const accessToken = await generateToken(user, "access");
+    const refreshToken = await generateToken(user, "refresh");
+    return { user, accessToken, refreshToken };
+  }
+  return {
+    signup,
+    loginWithPassword,
+    refresh,
+    verifyToken,
+    generateToken,
+    _providers: providers
+  };
+}
+function generateSecret(length = 32) {
+  return crypto.getRandomValues(new Uint8Array(length));
+}
+export {
+  createAuth,
+  generateSecret
+};
+//# sourceMappingURL=core.js.map

package/dist/core.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/core.ts"],
+  "sourcesContent": ["import * as argon2 from \"argon2\";\r\nimport { SignJWT, jwtVerify } from \"jose\";\r\nimport crypto from \"crypto\";\r\nimport type { AuthAdapter, User } from \"./adapter.js\";\r\nimport type { Provider } from \"./providers.js\";\r\n\r\nexport interface CreateAuthOptions {\r\n    adapter: AuthAdapter<any>;\r\n    secret: string | Uint8Array;\r\n    pepper?: string;\r\n    session?: {\r\n        expires?: string | number; // For access tokens\r\n        refreshExpires?: string | number; // For refresh tokens\r\n    };\r\n    providers?: Provider[];\r\n    jwt?: {\r\n        /**\r\n         * A callback to add custom fields to the JWT payload.\r\n         * It receives the user object and the token type ('access' or 'refresh').\r\n         * Return an object containing the fields to be merged into the payload.\r\n         * You can also override default fields like 'sub'.\r\n         */\r\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\r\n    };\r\n}\r\n\r\nexport function createAuth(options: CreateAuthOptions) {\r\n    const { adapter, secret, pepper, session, providers } = options;\r\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\r\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\r\n    const refreshExpiration = session?.refreshExpires || \"7d\";\r\n\r\n    /**\r\n     * Generates a stateless JWT for a user session\r\n     */\r\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\r\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\r\n\r\n        if (options.jwt?.payload) {\r\n            const customPayload = options.jwt.payload(user, type);\r\n            payload = { ...payload, ...customPayload };\r\n        }\r\n\r\n        return new SignJWT(payload)\r\n            .setProtectedHeader({ alg: \"HS256\" })\r\n            .setIssuedAt()\r\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\r\n            .sign(encodedSecret);\r\n    }\r\n\r\n    /**\r\n     * Verifies a JWT and returns the payload.\r\n     * Optionally checks for a specific token type (access/refresh).\r\n     */\r\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\r\n        try {\r\n            const { payload } = await jwtVerify(token, encodedSecret);\r\n            if (payload.type !== expectedType) return null;\r\n            return payload;\r\n        } catch (e) {\r\n            return null;\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Refreshes an access token using a valid refresh token.\r\n     */\r\n    async function refresh(refreshToken: string) {\r\n        const payload = await verifyToken(refreshToken, \"refresh\");\r\n        if (!payload || !payload.sub) {\r\n            throw new Error(\"Invalid or expired refresh token\");\r\n        }\r\n\r\n        const user = await adapter.findUserById(payload.sub as string);\r\n        if (!user) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        return { accessToken };\r\n    }\r\n\r\n    /**\r\n     * Signup with a new user payload.\r\n     * Incorporates server-side pepper for password hashing if provided.\r\n     */\r\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\r\n        let dataToSave = { ...userData };\r\n\r\n        if (password) {\r\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\r\n        }\r\n\r\n        const newUser = await adapter.createUser(dataToSave);\r\n        const accessToken = await generateToken(newUser, \"access\");\r\n        const refreshToken = await generateToken(newUser, \"refresh\");\r\n\r\n        return { user: newUser, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Standard Email/Password Login.\r\n     * Includes timing attack protection and password peppering.\r\n     */\r\n    async function loginWithPassword(email: string, password: string) {\r\n        const user = await adapter.findUserByEmail(email);\r\n\r\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\r\n        // We use a dummy hash to keep execution time consistent.\r\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\r\n        const targetHash = user?.passwordHash || dummyHash;\r\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n\r\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\r\n\r\n        if (!user || !user.passwordHash || !isValid) {\r\n            throw new Error(\"Invalid credentials\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        const refreshToken = await generateToken(user, \"refresh\");\r\n\r\n        return { user, accessToken, refreshToken };\r\n    }\r\n\r\n    return {\r\n        signup,\r\n        loginWithPassword,\r\n        refresh,\r\n        verifyToken,\r\n        generateToken,\r\n        _providers: providers\r\n    };\r\n}\r\n\r\n/**\r\n * Utility to generate a high-entropy cryptographically secure secret.\r\n * Useful for initializing the 'secret' option in createAuth.\r\n */\r\nexport function generateSecret(length: number = 32): Uint8Array {\r\n    return crypto.getRandomValues(new Uint8Array(length));\r\n}\r\n"],
+  "mappings": "AAAA,YAAY,YAAY;AACxB,SAAS,SAAS,iBAAiB;AACnC,OAAO,YAAY;AAwBZ,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,UAAU,IAAI;AACxD,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAKrD,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAEzE,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,QAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAC1C,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB;AAC9D,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,OAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
+  "names": []
+}

package/dist/index.cjs

@@ -0,0 +1,42 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+__export(index_exports, {
+  GitHub: () => import_providers.GitHub,
+  Google: () => import_providers.Google,
+  createAuth: () => import_core.createAuth,
+  createMemoryAdapter: () => import_memoryAdapter.createMemoryAdapter,
+  generateSecret: () => import_core.generateSecret
+});
+module.exports = __toCommonJS(index_exports);
+var import_providers = require("./providers.js");
+var import_core = require("./core.js");
+var import_memoryAdapter = require("./memoryAdapter.js");
+__reExport(index_exports, require("./security.js"), module.exports);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GitHub,
+  Google,
+  createAuth,
+  createMemoryAdapter,
+  generateSecret,
+  ...require("./security.js")
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/index.ts"],
+  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapter.js\";\r\nexport { GitHub, Google } from \"./providers.js\";\r\nexport type { Provider, ProviderConfig } from \"./providers.js\";\r\nexport { createAuth, generateSecret } from \"./core.js\";\r\nexport type { CreateAuthOptions } from \"./core.js\";\r\nexport { createMemoryAdapter } from \"./memoryAdapter.js\";\r\nexport * from \"./security.js\";\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,uBAA+B;AAE/B,kBAA2C;AAE3C,2BAAoC;AACpC,0BAAc,0BANd;",
+  "names": []
+}

package/{dist-lib → dist}/index.d.ts

@@ -5,3 +5,4 @@ export { createAuth, generateSecret } from "./core.js";
 export type { CreateAuthOptions } from "./core.js";
 export { createMemoryAdapter } from "./memoryAdapter.js";
 export * from "./security.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/auth/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAChD,YAAY,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACvD,YAAY,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,cAAc,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+import { GitHub, Google } from "./providers.js";
+import { createAuth, generateSecret } from "./core.js";
+import { createMemoryAdapter } from "./memoryAdapter.js";
+export * from "./security.js";
+export {
+  GitHub,
+  Google,
+  createAuth,
+  createMemoryAdapter,
+  generateSecret
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/index.ts"],
+  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapter.js\";\r\nexport { GitHub, Google } from \"./providers.js\";\r\nexport type { Provider, ProviderConfig } from \"./providers.js\";\r\nexport { createAuth, generateSecret } from \"./core.js\";\r\nexport type { CreateAuthOptions } from \"./core.js\";\r\nexport { createMemoryAdapter } from \"./memoryAdapter.js\";\r\nexport * from \"./security.js\";\r\n"],
+  "mappings": "AACA,SAAS,QAAQ,cAAc;AAE/B,SAAS,YAAY,sBAAsB;AAE3C,SAAS,2BAA2B;AACpC,cAAc;",
+  "names": []
+}

package/dist/memoryAdapter.cjs

@@ -0,0 +1,55 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var memoryAdapter_exports = {};
+__export(memoryAdapter_exports, {
+  createMemoryAdapter: () => createMemoryAdapter
+});
+module.exports = __toCommonJS(memoryAdapter_exports);
+function createMemoryAdapter() {
+  const users = /* @__PURE__ */ new Map();
+  const accounts = /* @__PURE__ */ new Map();
+  return {
+    createUser: async (data) => {
+      const id = data.id || Date.now().toString();
+      const newUser = { ...data, id };
+      users.set(newUser.email, newUser);
+      return newUser;
+    },
+    findUserByEmail: async (email) => {
+      return users.get(email) || null;
+    },
+    findUserById: async (id) => {
+      for (const user of users.values()) {
+        if (user.id === id) {
+          return user;
+        }
+      }
+      return null;
+    },
+    linkOAuthAccount: async (userId, provider, providerId) => {
+      const accountId = `${provider}_${providerId}`;
+      accounts.set(accountId, { userId, provider, providerId });
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMemoryAdapter
+});
+//# sourceMappingURL=memoryAdapter.cjs.map

package/dist/memoryAdapter.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/memoryAdapter.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./adapter.js\";\r\n\r\n/**\r\n * Creates an in-memory database adapter for the auth engine.\r\n * This is useful for testing, prototyping, or when you don't need persistent storage.\r\n * All data is kept in memory and is lost when the server restarts.\r\n */\r\nexport function createMemoryAdapter<TUser extends User = User>(): AuthAdapter<TUser> {\r\n    const users = new Map<string, TUser>();\r\n    const accounts = new Map<string, { userId: string; provider: string; providerId: string }>();\r\n\r\n    return {\r\n        createUser: async (data: any) => {\r\n            // Auto-generate ID if not provided\r\n            const id = data.id || Date.now().toString();\r\n            const newUser = { ...data, id } as TUser;\r\n\r\n            // Store using email as the primary lookup key\r\n            users.set(newUser.email, newUser);\r\n            return newUser;\r\n        },\r\n\r\n        findUserByEmail: async (email: string) => {\r\n            return users.get(email) || null;\r\n        },\r\n\r\n        findUserById: async (id: string) => {\r\n            for (const user of users.values()) {\r\n                if (user.id === id) {\r\n                    return user;\r\n                }\r\n            }\r\n            return null;\r\n        },\r\n\r\n        linkOAuthAccount: async (userId: string, provider: string, providerId: string) => {\r\n            const accountId = `${provider}_${providerId}`;\r\n            accounts.set(accountId, { userId, provider, providerId });\r\n        }\r\n    };\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOO,SAAS,sBAAqE;AACjF,QAAM,QAAQ,oBAAI,IAAmB;AACrC,QAAM,WAAW,oBAAI,IAAsE;AAE3F,SAAO;AAAA,IACH,YAAY,OAAO,SAAc;AAE7B,YAAM,KAAK,KAAK,MAAM,KAAK,IAAI,EAAE,SAAS;AAC1C,YAAM,UAAU,EAAE,GAAG,MAAM,GAAG;AAG9B,YAAM,IAAI,QAAQ,OAAO,OAAO;AAChC,aAAO;AAAA,IACX;AAAA,IAEA,iBAAiB,OAAO,UAAkB;AACtC,aAAO,MAAM,IAAI,KAAK,KAAK;AAAA,IAC/B;AAAA,IAEA,cAAc,OAAO,OAAe;AAChC,iBAAW,QAAQ,MAAM,OAAO,GAAG;AAC/B,YAAI,KAAK,OAAO,IAAI;AAChB,iBAAO;AAAA,QACX;AAAA,MACJ;AACA,aAAO;AAAA,IACX;AAAA,IAEA,kBAAkB,OAAO,QAAgB,UAAkB,eAAuB;AAC9E,YAAM,YAAY,GAAG,QAAQ,IAAI,UAAU;AAC3C,eAAS,IAAI,WAAW,EAAE,QAAQ,UAAU,WAAW,CAAC;AAAA,IAC5D;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/{dist-lib → dist}/memoryAdapter.d.ts

@@ -5,3 +5,4 @@ import type { AuthAdapter, User } from "./adapter.js";
  * All data is kept in memory and is lost when the server restarts.
  */
 export declare function createMemoryAdapter<TUser extends User = User>(): AuthAdapter<TUser>;
+//# sourceMappingURL=memoryAdapter.d.ts.map

package/dist/memoryAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memoryAdapter.d.ts","sourceRoot":"","sources":["../src/auth/memoryAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAEtD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,SAAS,IAAI,GAAG,IAAI,KAAK,WAAW,CAAC,KAAK,CAAC,CAiCnF"}

package/dist/memoryAdapter.js

@@ -0,0 +1,31 @@
+function createMemoryAdapter() {
+  const users = /* @__PURE__ */ new Map();
+  const accounts = /* @__PURE__ */ new Map();
+  return {
+    createUser: async (data) => {
+      const id = data.id || Date.now().toString();
+      const newUser = { ...data, id };
+      users.set(newUser.email, newUser);
+      return newUser;
+    },
+    findUserByEmail: async (email) => {
+      return users.get(email) || null;
+    },
+    findUserById: async (id) => {
+      for (const user of users.values()) {
+        if (user.id === id) {
+          return user;
+        }
+      }
+      return null;
+    },
+    linkOAuthAccount: async (userId, provider, providerId) => {
+      const accountId = `${provider}_${providerId}`;
+      accounts.set(accountId, { userId, provider, providerId });
+    }
+  };
+}
+export {
+  createMemoryAdapter
+};
+//# sourceMappingURL=memoryAdapter.js.map

package/dist/memoryAdapter.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/memoryAdapter.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./adapter.js\";\r\n\r\n/**\r\n * Creates an in-memory database adapter for the auth engine.\r\n * This is useful for testing, prototyping, or when you don't need persistent storage.\r\n * All data is kept in memory and is lost when the server restarts.\r\n */\r\nexport function createMemoryAdapter<TUser extends User = User>(): AuthAdapter<TUser> {\r\n    const users = new Map<string, TUser>();\r\n    const accounts = new Map<string, { userId: string; provider: string; providerId: string }>();\r\n\r\n    return {\r\n        createUser: async (data: any) => {\r\n            // Auto-generate ID if not provided\r\n            const id = data.id || Date.now().toString();\r\n            const newUser = { ...data, id } as TUser;\r\n\r\n            // Store using email as the primary lookup key\r\n            users.set(newUser.email, newUser);\r\n            return newUser;\r\n        },\r\n\r\n        findUserByEmail: async (email: string) => {\r\n            return users.get(email) || null;\r\n        },\r\n\r\n        findUserById: async (id: string) => {\r\n            for (const user of users.values()) {\r\n                if (user.id === id) {\r\n                    return user;\r\n                }\r\n            }\r\n            return null;\r\n        },\r\n\r\n        linkOAuthAccount: async (userId: string, provider: string, providerId: string) => {\r\n            const accountId = `${provider}_${providerId}`;\r\n            accounts.set(accountId, { userId, provider, providerId });\r\n        }\r\n    };\r\n}\r\n"],
+  "mappings": "AAOO,SAAS,sBAAqE;AACjF,QAAM,QAAQ,oBAAI,IAAmB;AACrC,QAAM,WAAW,oBAAI,IAAsE;AAE3F,SAAO;AAAA,IACH,YAAY,OAAO,SAAc;AAE7B,YAAM,KAAK,KAAK,MAAM,KAAK,IAAI,EAAE,SAAS;AAC1C,YAAM,UAAU,EAAE,GAAG,MAAM,GAAG;AAG9B,YAAM,IAAI,QAAQ,OAAO,OAAO;AAChC,aAAO;AAAA,IACX;AAAA,IAEA,iBAAiB,OAAO,UAAkB;AACtC,aAAO,MAAM,IAAI,KAAK,KAAK;AAAA,IAC/B;AAAA,IAEA,cAAc,OAAO,OAAe;AAChC,iBAAW,QAAQ,MAAM,OAAO,GAAG;AAC/B,YAAI,KAAK,OAAO,IAAI;AAChB,iBAAO;AAAA,QACX;AAAA,MACJ;AACA,aAAO;AAAA,IACX;AAAA,IAEA,kBAAkB,OAAO,QAAgB,UAAkB,eAAuB;AAC9E,YAAM,YAAY,GAAG,QAAQ,IAAI,UAAU;AAC3C,eAAS,IAAI,WAAW,EAAE,QAAQ,UAAU,WAAW,CAAC;AAAA,IAC5D;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/providers.cjs

@@ -0,0 +1,50 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var providers_exports = {};
+__export(providers_exports, {
+  GitHub: () => GitHub,
+  Google: () => Google
+});
+module.exports = __toCommonJS(providers_exports);
+var import_arctic = require("arctic");
+function GitHub(config) {
+  return {
+    id: "github",
+    handler: new import_arctic.GitHub(config.clientId, config.clientSecret, null)
+  };
+}
+function Google(config) {
+  if (!config.redirectURI) {
+    throw new Error("redirectURI is required for Google OAuth provider");
+  }
+  return {
+    id: "google",
+    handler: new import_arctic.Google(
+      config.clientId,
+      config.clientSecret,
+      config.redirectURI
+    )
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GitHub,
+  Google
+});
+//# sourceMappingURL=providers.cjs.map

package/dist/providers.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/providers.ts"],
+  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\r\n\r\nexport interface ProviderConfig {\r\n    clientId: string;\r\n    clientSecret: string;\r\n    redirectURI?: string;\r\n}\r\n\r\nexport interface Provider {\r\n    id: string;\r\n    handler: any; // `arctic` provider instance\r\n}\r\n\r\nexport function GitHub(config: ProviderConfig): Provider {\r\n    return {\r\n        id: \"github\",\r\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\r\n    };\r\n}\r\n\r\nexport function Google(config: ProviderConfig): Provider {\r\n    if (!config.redirectURI) {\r\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\r\n    }\r\n    return {\r\n        id: \"google\",\r\n        handler: new ArcticGoogle(\r\n            config.clientId,\r\n            config.clientSecret,\r\n            config.redirectURI\r\n        ),\r\n    };\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA+D;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAA,OAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAC;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
+  "names": ["ArcticGitHub", "ArcticGoogle"]
+}

package/{dist-lib → dist}/providers.d.ts

@@ -9,3 +9,4 @@ export interface Provider {
 }
 export declare function GitHub(config: ProviderConfig): Provider;
 export declare function Google(config: ProviderConfig): Provider;
+//# sourceMappingURL=providers.d.ts.map

package/dist/providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.d.ts","sourceRoot":"","sources":["../src/auth/providers.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,QAAQ;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,GAAG,CAAC;CAChB;AAED,wBAAgB,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,QAAQ,CAKvD;AAED,wBAAgB,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,QAAQ,CAYvD"}

package/dist/providers.js

@@ -0,0 +1,25 @@
+import { GitHub as ArcticGitHub, Google as ArcticGoogle } from "arctic";
+function GitHub(config) {
+  return {
+    id: "github",
+    handler: new ArcticGitHub(config.clientId, config.clientSecret, null)
+  };
+}
+function Google(config) {
+  if (!config.redirectURI) {
+    throw new Error("redirectURI is required for Google OAuth provider");
+  }
+  return {
+    id: "google",
+    handler: new ArcticGoogle(
+      config.clientId,
+      config.clientSecret,
+      config.redirectURI
+    )
+  };
+}
+export {
+  GitHub,
+  Google
+};
+//# sourceMappingURL=providers.js.map

package/dist/providers.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/providers.ts"],
+  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\r\n\r\nexport interface ProviderConfig {\r\n    clientId: string;\r\n    clientSecret: string;\r\n    redirectURI?: string;\r\n}\r\n\r\nexport interface Provider {\r\n    id: string;\r\n    handler: any; // `arctic` provider instance\r\n}\r\n\r\nexport function GitHub(config: ProviderConfig): Provider {\r\n    return {\r\n        id: \"github\",\r\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\r\n    };\r\n}\r\n\r\nexport function Google(config: ProviderConfig): Provider {\r\n    if (!config.redirectURI) {\r\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\r\n    }\r\n    return {\r\n        id: \"google\",\r\n        handler: new ArcticGoogle(\r\n            config.clientId,\r\n            config.clientSecret,\r\n            config.redirectURI\r\n        ),\r\n    };\r\n}\r\n"],
+  "mappings": "AAAA,SAAS,UAAU,cAAc,UAAU,oBAAoB;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,aAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/security.cjs

@@ -0,0 +1,55 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var security_exports = {};
+__export(security_exports, {
+  generateCsrfToken: () => generateCsrfToken,
+  verifyCsrf: () => verifyCsrf
+});
+module.exports = __toCommonJS(security_exports);
+var import_crypto = __toESM(require("crypto"), 1);
+function generateCsrfToken() {
+  return import_crypto.default.randomBytes(32).toString("hex");
+}
+function verifyCsrf(tokenInRequest, tokenInCookie) {
+  if (!tokenInRequest || !tokenInCookie) return false;
+  try {
+    return import_crypto.default.timingSafeEqual(
+      Buffer.from(tokenInRequest),
+      Buffer.from(tokenInCookie)
+    );
+  } catch {
+    return false;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  generateCsrfToken,
+  verifyCsrf
+});
+//# sourceMappingURL=security.cjs.map

package/dist/security.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/security.ts"],
+  "sourcesContent": ["import crypto from \"crypto\";\r\n\r\n/**\r\n * Generates a stateless CSRF token using the double-submit cookie pattern.\r\n * This is recommended for Express/Kroxt setups using cookies for sessions.\r\n */\r\nexport function generateCsrfToken(): string {\r\n    return crypto.randomBytes(32).toString(\"hex\");\r\n}\r\n\r\n/**\r\n * Simple middleware-ready check for CSRF tokens.\r\n * Matches a token from the request body/headers against a cookie.\r\n */\r\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\r\n    if (!tokenInRequest || !tokenInCookie) return false;\r\n\r\n    // Constant time comparison\r\n    try {\r\n        return crypto.timingSafeEqual(\r\n            Buffer.from(tokenInRequest),\r\n            Buffer.from(tokenInCookie)\r\n        );\r\n    } catch {\r\n        return false;\r\n    }\r\n}\r\n\r\n/**\r\n * Security Recommendations for Kroxt:\r\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\r\n * 2. Use a 'pepper' in createAuth to protect hashes.\r\n * 3. Implement rate limiting on /login and /register endpoints.\r\n */\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAmB;AAMZ,SAAS,oBAA4B;AACxC,SAAO,cAAAA,QAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAG9C,MAAI;AACA,WAAO,cAAAA,QAAO;AAAA,MACV,OAAO,KAAK,cAAc;AAAA,MAC1B,OAAO,KAAK,aAAa;AAAA,IAC7B;AAAA,EACJ,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;",
+  "names": ["crypto"]
+}

package/{dist-lib → dist}/security.d.ts

@@ -14,3 +14,4 @@ export declare function verifyCsrf(tokenInRequest: string, tokenInCookie: string
  * 2. Use a 'pepper' in createAuth to protect hashes.
  * 3. Implement rate limiting on /login and /register endpoints.
  */
+//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/auth/security.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAYjF;AAED;;;;;GAKG"}

package/dist/security.js

@@ -0,0 +1,20 @@
+import crypto from "crypto";
+function generateCsrfToken() {
+  return crypto.randomBytes(32).toString("hex");
+}
+function verifyCsrf(tokenInRequest, tokenInCookie) {
+  if (!tokenInRequest || !tokenInCookie) return false;
+  try {
+    return crypto.timingSafeEqual(
+      Buffer.from(tokenInRequest),
+      Buffer.from(tokenInCookie)
+    );
+  } catch {
+    return false;
+  }
+}
+export {
+  generateCsrfToken,
+  verifyCsrf
+};
+//# sourceMappingURL=security.js.map

package/dist/security.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth/security.ts"],
+  "sourcesContent": ["import crypto from \"crypto\";\r\n\r\n/**\r\n * Generates a stateless CSRF token using the double-submit cookie pattern.\r\n * This is recommended for Express/Kroxt setups using cookies for sessions.\r\n */\r\nexport function generateCsrfToken(): string {\r\n    return crypto.randomBytes(32).toString(\"hex\");\r\n}\r\n\r\n/**\r\n * Simple middleware-ready check for CSRF tokens.\r\n * Matches a token from the request body/headers against a cookie.\r\n */\r\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\r\n    if (!tokenInRequest || !tokenInCookie) return false;\r\n\r\n    // Constant time comparison\r\n    try {\r\n        return crypto.timingSafeEqual(\r\n            Buffer.from(tokenInRequest),\r\n            Buffer.from(tokenInCookie)\r\n        );\r\n    } catch {\r\n        return false;\r\n    }\r\n}\r\n\r\n/**\r\n * Security Recommendations for Kroxt:\r\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\r\n * 2. Use a 'pepper' in createAuth to protect hashes.\r\n * 3. Implement rate limiting on /login and /register endpoints.\r\n */\r\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAMZ,SAAS,oBAA4B;AACxC,SAAO,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAG9C,MAAI;AACA,WAAO,OAAO;AAAA,MACV,OAAO,KAAK,cAAc;AAAA,MAC1B,OAAO,KAAK,aAAa;AAAA,IAC7B;AAAA,EACJ,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;",
+  "names": []
+}

package/package.json

@@ -1,45 +1,56 @@
 {
   "name": "kroxt",
-  "version": "1.1.2",
+  "version": "1.1.4",
   "license": "MIT",
   "description": "A framework-agnostic modular auth engine",
   "type": "module",
-  "main": "./dist-lib/index.js",
-  "module": "./dist-lib/index.js",
-  "types": "./dist-lib/index.d.ts",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./dist-lib/index.d.ts",
-      "import": "./dist-lib/index.js"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
     },
     "./adapter": {
-      "types": "./dist-lib/adapter.d.ts",
-      "import": "./dist-lib/adapter.js"
+      "types": "./dist/adapter.d.ts",
+      "import": "./dist/adapter.js",
+      "require": "./dist/adapter.cjs"
     },
     "./core": {
-      "types": "./dist-lib/core.d.ts",
-      "import": "./dist-lib/core.js"
+      "types": "./dist/core.d.ts",
+      "import": "./dist/core.js",
+      "require": "./dist/core.cjs"
     },
     "./providers": {
-      "types": "./dist-lib/providers.d.ts",
-      "import": "./dist-lib/providers.js"
+      "types": "./dist/providers.d.ts",
+      "import": "./dist/providers.js",
+      "require": "./dist/providers.cjs"
     },
     "./memoryAdapter": {
-      "types": "./dist-lib/memoryAdapter.d.ts",
-      "import": "./dist-lib/memoryAdapter.js"
+      "types": "./dist/memoryAdapter.d.ts",
+      "import": "./dist/memoryAdapter.js",
+      "require": "./dist/memoryAdapter.cjs"
     }
   },
   "files": [
-    "dist-lib",
+    "dist",
     "README.md"
   ],
   "scripts": {
-    "build": "npx tsc src/auth/index.ts --outDir dist-lib --module nodenext --declaration"
+    "build": "node build.js"
   },
   "dependencies": {
     "arctic": "^3.7.0",
     "argon2": "^0.44.0",
     "jose": "^6.2.1",
     "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "esbuild": "^0.27.4",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
   }
 }

package/dist-lib/adapter.js

@@ -1 +0,0 @@
-export {};

package/dist-lib/core.js

@@ -1,98 +0,0 @@
-import * as argon2 from "argon2";
-import { SignJWT, jwtVerify } from "jose";
-import crypto from "crypto";
-export function createAuth(options) {
-    const { adapter, secret, pepper, session, providers } = options;
-    const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
-    const expiration = session?.expires || "1h"; // Default access token to 1h
-    const refreshExpiration = session?.refreshExpires || "7d";
-    /**
-     * Generates a stateless JWT for a user session
-     */
-    async function generateToken(user, type = "access") {
-        return new SignJWT({ sub: user.id, role: user.role, type })
-            .setProtectedHeader({ alg: "HS256" })
-            .setIssuedAt()
-            .setExpirationTime(type === "access" ? expiration : refreshExpiration)
-            .sign(encodedSecret);
-    }
-    /**
-     * Verifies a JWT and returns the payload.
-     * Optionally checks for a specific token type (access/refresh).
-     */
-    async function verifyToken(token, expectedType = "access") {
-        try {
-            const { payload } = await jwtVerify(token, encodedSecret);
-            if (payload.type !== expectedType)
-                return null;
-            return payload;
-        }
-        catch (e) {
-            return null;
-        }
-    }
-    /**
-     * Refreshes an access token using a valid refresh token.
-     */
-    async function refresh(refreshToken) {
-        const payload = await verifyToken(refreshToken, "refresh");
-        if (!payload || !payload.sub) {
-            throw new Error("Invalid or expired refresh token");
-        }
-        const user = await adapter.findUserById(payload.sub);
-        if (!user) {
-            throw new Error("User not found");
-        }
-        const accessToken = await generateToken(user, "access");
-        return { accessToken };
-    }
-    /**
-     * Signup with a new user payload.
-     * Incorporates server-side pepper for password hashing if provided.
-     */
-    async function signup(userData, password) {
-        let dataToSave = { ...userData };
-        if (password) {
-            const passwordWithPepper = pepper ? `${password}${pepper}` : password;
-            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
-        }
-        const newUser = await adapter.createUser(dataToSave);
-        const accessToken = await generateToken(newUser, "access");
-        const refreshToken = await generateToken(newUser, "refresh");
-        return { user: newUser, accessToken, refreshToken };
-    }
-    /**
-     * Standard Email/Password Login.
-     * Includes timing attack protection and password peppering.
-     */
-    async function loginWithPassword(email, password) {
-        const user = await adapter.findUserByEmail(email);
-        // Timing attack protection: Always verify a hash, even if user doesn't exist.
-        // We use a dummy hash to keep execution time consistent.
-        const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
-        const targetHash = user?.passwordHash || dummyHash;
-        const passwordWithPepper = pepper ? `${password}${pepper}` : password;
-        const isValid = await argon2.verify(targetHash, passwordWithPepper);
-        if (!user || !user.passwordHash || !isValid) {
-            throw new Error("Invalid credentials");
-        }
-        const accessToken = await generateToken(user, "access");
-        const refreshToken = await generateToken(user, "refresh");
-        return { user, accessToken, refreshToken };
-    }
-    return {
-        signup,
-        loginWithPassword,
-        refresh,
-        verifyToken,
-        generateToken,
-        _providers: providers
-    };
-}
-/**
- * Utility to generate a high-entropy cryptographically secure secret.
- * Useful for initializing the 'secret' option in createAuth.
- */
-export function generateSecret(length = 32) {
-    return crypto.getRandomValues(new Uint8Array(length));
-}

package/dist-lib/index.js

@@ -1,4 +0,0 @@
-export { GitHub, Google } from "./providers.js";
-export { createAuth, generateSecret } from "./core.js";
-export { createMemoryAdapter } from "./memoryAdapter.js";
-export * from "./security.js";

package/dist-lib/memoryAdapter.js

@@ -1,34 +0,0 @@
-/**
- * Creates an in-memory database adapter for the auth engine.
- * This is useful for testing, prototyping, or when you don't need persistent storage.
- * All data is kept in memory and is lost when the server restarts.
- */
-export function createMemoryAdapter() {
-    const users = new Map();
-    const accounts = new Map();
-    return {
-        createUser: async (data) => {
-            // Auto-generate ID if not provided
-            const id = data.id || Date.now().toString();
-            const newUser = { ...data, id };
-            // Store using email as the primary lookup key
-            users.set(newUser.email, newUser);
-            return newUser;
-        },
-        findUserByEmail: async (email) => {
-            return users.get(email) || null;
-        },
-        findUserById: async (id) => {
-            for (const user of users.values()) {
-                if (user.id === id) {
-                    return user;
-                }
-            }
-            return null;
-        },
-        linkOAuthAccount: async (userId, provider, providerId) => {
-            const accountId = `${provider}_${providerId}`;
-            accounts.set(accountId, { userId, provider, providerId });
-        }
-    };
-}

package/dist-lib/providers.js

@@ -1,16 +0,0 @@
-import { GitHub as ArcticGitHub, Google as ArcticGoogle } from "arctic";
-export function GitHub(config) {
-    return {
-        id: "github",
-        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),
-    };
-}
-export function Google(config) {
-    if (!config.redirectURI) {
-        throw new Error("redirectURI is required for Google OAuth provider");
-    }
-    return {
-        id: "google",
-        handler: new ArcticGoogle(config.clientId, config.clientSecret, config.redirectURI),
-    };
-}

package/dist-lib/security.js

@@ -1,29 +0,0 @@
-import crypto from "crypto";
-/**
- * Generates a stateless CSRF token using the double-submit cookie pattern.
- * This is recommended for Express/Kroxt setups using cookies for sessions.
- */
-export function generateCsrfToken() {
-    return crypto.randomBytes(32).toString("hex");
-}
-/**
- * Simple middleware-ready check for CSRF tokens.
- * Matches a token from the request body/headers against a cookie.
- */
-export function verifyCsrf(tokenInRequest, tokenInCookie) {
-    if (!tokenInRequest || !tokenInCookie)
-        return false;
-    // Constant time comparison
-    try {
-        return crypto.timingSafeEqual(Buffer.from(tokenInRequest), Buffer.from(tokenInCookie));
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Security Recommendations for Kroxt:
- * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'
- * 2. Use a 'pepper' in createAuth to protect hashes.
- * 3. Implement rate limiting on /login and /register endpoints.
- */