kroxt 1.2.1 → 1.3.0

package/dist/auth/adapters/mongoose.cjs

@@ -0,0 +1,99 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var mongoose_exports = {};
+__export(mongoose_exports, {
+  createMongoAdapter: () => createMongoAdapter,
+  createRateLimitModel: () => createRateLimitModel
+});
+module.exports = __toCommonJS(mongoose_exports);
+function createRateLimitModel(mongoose) {
+  const schema = new mongoose.Schema({
+    key: { type: String, required: true, unique: true },
+    count: { type: Number, required: true, default: 1 },
+    resetTime: { type: Number, required: true },
+    expiresAt: { type: Date, required: true, expires: 0 }
+  });
+  return mongoose.models.KroxtRateLimit || mongoose.model("KroxtRateLimit", schema);
+}
+function createMongoAdapter(model, rateLimitModel) {
+  const adapter = {
+    async createUser(data) {
+      const user = await model.create(data);
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async findUserByEmail(email) {
+      const user = await model.findOne({ email });
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async findUserById(id) {
+      const user = await model.findById(id);
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async updateUser(id, data) {
+      const user = await model.findByIdAndUpdate(id, data, { new: true });
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async linkOAuthAccount(userId, provider, providerId) {
+      await model.findByIdAndUpdate(userId, {
+        oauthProvider: provider,
+        oauthId: providerId
+      });
+    }
+  };
+  if (rateLimitModel) {
+    adapter.incrementRateLimit = async (key, windowMs) => {
+      const now = Date.now();
+      let record = await rateLimitModel.findOne({ key });
+      if (!record || now > record.resetTime) {
+        record = await rateLimitModel.findOneAndUpdate(
+          { key },
+          { count: 1, resetTime: now + windowMs, expiresAt: new Date(now + windowMs) },
+          { upsert: true, new: true, setDefaultsOnInsert: true }
+        );
+      } else {
+        record = await rateLimitModel.findOneAndUpdate(
+          { key },
+          { $inc: { count: 1 } },
+          { new: true }
+        );
+      }
+      return { count: record.count, resetTime: record.resetTime };
+    };
+    adapter.getRateLimit = async (key) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findOne({ key });
+      if (!record || now > record.resetTime) return null;
+      return { count: record.count, resetTime: record.resetTime };
+    };
+  }
+  return adapter;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMongoAdapter,
+  createRateLimitModel
+});
+//# sourceMappingURL=mongoose.cjs.map

package/dist/auth/adapters/mongoose.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/adapters/mongoose.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a pre-configured Mongoose model for rate limiting.\r\n * @param mongoose The mongoose instance to use for schema creation.\r\n */\r\nexport function createRateLimitModel(mongoose: any) {\r\n  const schema = new mongoose.Schema({\r\n    key: { type: String, required: true, unique: true },\r\n    count: { type: Number, required: true, default: 1 },\r\n    resetTime: { type: Number, required: true },\r\n    expiresAt: { type: Date, required: true, expires: 0 }\r\n  });\r\n  return mongoose.models.KroxtRateLimit || mongoose.model('KroxtRateLimit', schema);\r\n}\r\n\r\n/**\r\n * Creates a MongoDB adapter using a Mongoose model.\r\n * \r\n * @param model - A Mongoose model instance (e.g., User model).\r\n * @param rateLimitModel - An optional Mongoose model for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createMongoAdapter<TUser extends User = User>(model: any, rateLimitModel?: any): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const user = await model.create(data);\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const user = await model.findOne({ email });\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const user = await model.findById(id);\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const user = await model.findByIdAndUpdate(id, data, { new: true });\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await model.findByIdAndUpdate(userId, {\r\n        oauthProvider: provider,\r\n        oauthId: providerId,\r\n      });\r\n    },\r\n  };\r\n\r\n  if (rateLimitModel) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      let record = await rateLimitModel.findOne({ key });\r\n      \r\n      if (!record || now > record.resetTime) {\r\n        record = await rateLimitModel.findOneAndUpdate(\r\n          { key },\r\n          { count: 1, resetTime: now + windowMs, expiresAt: new Date(now + windowMs) },\r\n          { upsert: true, new: true, setDefaultsOnInsert: true }\r\n        );\r\n      } else {\r\n        record = await rateLimitModel.findOneAndUpdate(\r\n          { key },\r\n          { $inc: { count: 1 } },\r\n          { new: true }\r\n        );\r\n      }\r\n\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findOne({ key });\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMO,SAAS,qBAAqB,UAAe;AAClD,QAAM,SAAS,IAAI,SAAS,OAAO;AAAA,IACjC,KAAK,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,KAAK;AAAA,IAClD,OAAO,EAAE,MAAM,QAAQ,UAAU,MAAM,SAAS,EAAE;AAAA,IAClD,WAAW,EAAE,MAAM,QAAQ,UAAU,KAAK;AAAA,IAC1C,WAAW,EAAE,MAAM,MAAM,UAAU,MAAM,SAAS,EAAE;AAAA,EACtD,CAAC;AACD,SAAO,SAAS,OAAO,kBAAkB,SAAS,MAAM,kBAAkB,MAAM;AAClF;AASO,SAAS,mBAA8C,OAAY,gBAA0C;AAClH,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,OAAO,MAAM,MAAM,OAAO,IAAI;AACpC,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,QAAQ,EAAE,MAAM,CAAC;AAC1C,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,SAAS,EAAE;AACpC,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,OAAO,MAAM,MAAM,kBAAkB,IAAI,MAAM,EAAE,KAAK,KAAK,CAAC;AAClE,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,kBAAkB,QAAQ;AAAA,QACpC,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,SAAS,MAAM,eAAe,QAAQ,EAAE,IAAI,CAAC;AAEjD,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACrC,iBAAS,MAAM,eAAe;AAAA,UAC5B,EAAE,IAAI;AAAA,UACN,EAAE,OAAO,GAAG,WAAW,MAAM,UAAU,WAAW,IAAI,KAAK,MAAM,QAAQ,EAAE;AAAA,UAC3E,EAAE,QAAQ,MAAM,KAAK,MAAM,qBAAqB,KAAK;AAAA,QACvD;AAAA,MACF,OAAO;AACL,iBAAS,MAAM,eAAe;AAAA,UAC5B,EAAE,IAAI;AAAA,UACN,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE;AAAA,UACrB,EAAE,KAAK,KAAK;AAAA,QACd;AAAA,MACF;AAEA,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,QAAQ,EAAE,IAAI,CAAC;AACnD,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/auth/adapters/mongoose.js

@@ -0,0 +1,74 @@
+function createRateLimitModel(mongoose) {
+  const schema = new mongoose.Schema({
+    key: { type: String, required: true, unique: true },
+    count: { type: Number, required: true, default: 1 },
+    resetTime: { type: Number, required: true },
+    expiresAt: { type: Date, required: true, expires: 0 }
+  });
+  return mongoose.models.KroxtRateLimit || mongoose.model("KroxtRateLimit", schema);
+}
+function createMongoAdapter(model, rateLimitModel) {
+  const adapter = {
+    async createUser(data) {
+      const user = await model.create(data);
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async findUserByEmail(email) {
+      const user = await model.findOne({ email });
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async findUserById(id) {
+      const user = await model.findById(id);
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async updateUser(id, data) {
+      const user = await model.findByIdAndUpdate(id, data, { new: true });
+      if (!user) return null;
+      const obj = user.toObject();
+      return { ...obj, id: obj._id.toString() };
+    },
+    async linkOAuthAccount(userId, provider, providerId) {
+      await model.findByIdAndUpdate(userId, {
+        oauthProvider: provider,
+        oauthId: providerId
+      });
+    }
+  };
+  if (rateLimitModel) {
+    adapter.incrementRateLimit = async (key, windowMs) => {
+      const now = Date.now();
+      let record = await rateLimitModel.findOne({ key });
+      if (!record || now > record.resetTime) {
+        record = await rateLimitModel.findOneAndUpdate(
+          { key },
+          { count: 1, resetTime: now + windowMs, expiresAt: new Date(now + windowMs) },
+          { upsert: true, new: true, setDefaultsOnInsert: true }
+        );
+      } else {
+        record = await rateLimitModel.findOneAndUpdate(
+          { key },
+          { $inc: { count: 1 } },
+          { new: true }
+        );
+      }
+      return { count: record.count, resetTime: record.resetTime };
+    };
+    adapter.getRateLimit = async (key) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findOne({ key });
+      if (!record || now > record.resetTime) return null;
+      return { count: record.count, resetTime: record.resetTime };
+    };
+  }
+  return adapter;
+}
+export {
+  createMongoAdapter,
+  createRateLimitModel
+};
+//# sourceMappingURL=mongoose.js.map

package/dist/auth/adapters/mongoose.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/adapters/mongoose.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a pre-configured Mongoose model for rate limiting.\r\n * @param mongoose The mongoose instance to use for schema creation.\r\n */\r\nexport function createRateLimitModel(mongoose: any) {\r\n  const schema = new mongoose.Schema({\r\n    key: { type: String, required: true, unique: true },\r\n    count: { type: Number, required: true, default: 1 },\r\n    resetTime: { type: Number, required: true },\r\n    expiresAt: { type: Date, required: true, expires: 0 }\r\n  });\r\n  return mongoose.models.KroxtRateLimit || mongoose.model('KroxtRateLimit', schema);\r\n}\r\n\r\n/**\r\n * Creates a MongoDB adapter using a Mongoose model.\r\n * \r\n * @param model - A Mongoose model instance (e.g., User model).\r\n * @param rateLimitModel - An optional Mongoose model for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createMongoAdapter<TUser extends User = User>(model: any, rateLimitModel?: any): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const user = await model.create(data);\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const user = await model.findOne({ email });\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const user = await model.findById(id);\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const user = await model.findByIdAndUpdate(id, data, { new: true });\r\n      if (!user) return null;\r\n      const obj = user.toObject();\r\n      return { ...obj, id: obj._id.toString() } as TUser;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await model.findByIdAndUpdate(userId, {\r\n        oauthProvider: provider,\r\n        oauthId: providerId,\r\n      });\r\n    },\r\n  };\r\n\r\n  if (rateLimitModel) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      let record = await rateLimitModel.findOne({ key });\r\n      \r\n      if (!record || now > record.resetTime) {\r\n        record = await rateLimitModel.findOneAndUpdate(\r\n          { key },\r\n          { count: 1, resetTime: now + windowMs, expiresAt: new Date(now + windowMs) },\r\n          { upsert: true, new: true, setDefaultsOnInsert: true }\r\n        );\r\n      } else {\r\n        record = await rateLimitModel.findOneAndUpdate(\r\n          { key },\r\n          { $inc: { count: 1 } },\r\n          { new: true }\r\n        );\r\n      }\r\n\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findOne({ key });\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": "AAMO,SAAS,qBAAqB,UAAe;AAClD,QAAM,SAAS,IAAI,SAAS,OAAO;AAAA,IACjC,KAAK,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,KAAK;AAAA,IAClD,OAAO,EAAE,MAAM,QAAQ,UAAU,MAAM,SAAS,EAAE;AAAA,IAClD,WAAW,EAAE,MAAM,QAAQ,UAAU,KAAK;AAAA,IAC1C,WAAW,EAAE,MAAM,MAAM,UAAU,MAAM,SAAS,EAAE;AAAA,EACtD,CAAC;AACD,SAAO,SAAS,OAAO,kBAAkB,SAAS,MAAM,kBAAkB,MAAM;AAClF;AASO,SAAS,mBAA8C,OAAY,gBAA0C;AAClH,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,OAAO,MAAM,MAAM,OAAO,IAAI;AACpC,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,QAAQ,EAAE,MAAM,CAAC;AAC1C,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,SAAS,EAAE;AACpC,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,OAAO,MAAM,MAAM,kBAAkB,IAAI,MAAM,EAAE,KAAK,KAAK,CAAC;AAClE,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,kBAAkB,QAAQ;AAAA,QACpC,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,SAAS,MAAM,eAAe,QAAQ,EAAE,IAAI,CAAC;AAEjD,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACrC,iBAAS,MAAM,eAAe;AAAA,UAC5B,EAAE,IAAI;AAAA,UACN,EAAE,OAAO,GAAG,WAAW,MAAM,UAAU,WAAW,IAAI,KAAK,MAAM,QAAQ,EAAE;AAAA,UAC3E,EAAE,QAAQ,MAAM,KAAK,MAAM,qBAAqB,KAAK;AAAA,QACvD;AAAA,MACF,OAAO;AACL,iBAAS,MAAM,eAAe;AAAA,UAC5B,EAAE,IAAI;AAAA,UACN,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE;AAAA,UACrB,EAAE,KAAK,KAAK;AAAA,QACd;AAAA,MACF;AAEA,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,QAAQ,EAAE,IAAI,CAAC;AACnD,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/{adapters → auth/adapters}/prisma.cjs

@@ -21,8 +21,8 @@ __export(prisma_exports, {
   createPrismaAdapter: () => createPrismaAdapter
 });
 module.exports = __toCommonJS(prisma_exports);
-function createPrismaAdapter(model) {
-  return {
+function createPrismaAdapter(model, rateLimitModel) {
+  const adapter = {
     async createUser(data) {
       const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };
       const user = await model.create({ data: dataToSave });
@@ -40,6 +40,13 @@ function createPrismaAdapter(model) {
       });
       return user;
     },
+    async updateUser(id, data) {
+      const user = await model.update({
+        where: { id },
+        data
+      });
+      return user;
+    },
     async linkOAuthAccount(userId, provider, providerId) {
       await model.update({
         where: { id: userId },
@@ -50,6 +57,33 @@ function createPrismaAdapter(model) {
       });
     }
   };
+  if (rateLimitModel) {
+    adapter.incrementRateLimit = async (key, windowMs) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findUnique({ where: { key } });
+      if (!record || now > record.resetTime) {
+        const newRecord = await rateLimitModel.upsert({
+          where: { key },
+          update: { count: 1, resetTime: now + windowMs },
+          create: { key, count: 1, resetTime: now + windowMs }
+        });
+        return { count: newRecord.count, resetTime: newRecord.resetTime };
+      } else {
+        const updated = await rateLimitModel.update({
+          where: { key },
+          data: { count: { increment: 1 } }
+        });
+        return { count: updated.count, resetTime: updated.resetTime };
+      }
+    };
+    adapter.getRateLimit = async (key) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findUnique({ where: { key } });
+      if (!record || now > record.resetTime) return null;
+      return { count: record.count, resetTime: record.resetTime };
+    };
+  }
+  return adapter;
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/auth/adapters/prisma.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/adapters/prisma.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Prisma adapter using a Prisma delegate (e.g., prisma.user).\r\n * \r\n * Works with any Prisma-supported database by using the standard\r\n * Prisma delegate operations (findUnique, create, update).\r\n * \r\n * @param model - A Prisma delegate instance (e.g., prisma.user).\r\n * @param rateLimitModel - An optional Prisma delegate for rate limit tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createPrismaAdapter<TUser extends User = User>(model: any, rateLimitModel?: any): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const user = await model.create({ data: dataToSave });\r\n      return user as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const user = await model.findUnique({\r\n        where: { email },\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const user = await model.findUnique({\r\n        where: { id },\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const user = await model.update({\r\n        where: { id },\r\n        data,\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await model.update({\r\n        where: { id: userId },\r\n        data: {\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        },\r\n      });\r\n    },\r\n  };\r\n\r\n  if (rateLimitModel) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findUnique({ where: { key } });\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          const newRecord = await rateLimitModel.upsert({\r\n              where: { key },\r\n              update: { count: 1, resetTime: now + windowMs },\r\n              create: { key, count: 1, resetTime: now + windowMs }\r\n          });\r\n          return { count: newRecord.count, resetTime: newRecord.resetTime };\r\n      } else {\r\n          const updated = await rateLimitModel.update({\r\n              where: { key },\r\n              data: { count: { increment: 1 } }\r\n          });\r\n          return { count: updated.count, resetTime: updated.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findUnique({ where: { key } });\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAYO,SAAS,oBAA+C,OAAY,gBAA0C;AACnH,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,OAAO,MAAM,MAAM,OAAO,EAAE,MAAM,WAAW,CAAC;AACpD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,MAAM;AAAA,MACjB,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,GAAG;AAAA,MACd,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,OAAO,MAAM,MAAM,OAAO;AAAA,QAC9B,OAAO,EAAE,GAAG;AAAA,QACZ;AAAA,MACF,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,OAAO;AAAA,QACjB,OAAO,EAAE,IAAI,OAAO;AAAA,QACpB,MAAM;AAAA,UACJ,eAAe;AAAA,UACf,SAAS;AAAA,QACX;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAEjE,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,cAAM,YAAY,MAAM,eAAe,OAAO;AAAA,UAC1C,OAAO,EAAE,IAAI;AAAA,UACb,QAAQ,EAAE,OAAO,GAAG,WAAW,MAAM,SAAS;AAAA,UAC9C,QAAQ,EAAE,KAAK,OAAO,GAAG,WAAW,MAAM,SAAS;AAAA,QACvD,CAAC;AACD,eAAO,EAAE,OAAO,UAAU,OAAO,WAAW,UAAU,UAAU;AAAA,MACpE,OAAO;AACH,cAAM,UAAU,MAAM,eAAe,OAAO;AAAA,UACxC,OAAO,EAAE,IAAI;AAAA,UACb,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;AAAA,QACpC,CAAC;AACD,eAAO,EAAE,OAAO,QAAQ,OAAO,WAAW,QAAQ,UAAU;AAAA,MAChE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACjE,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/auth/adapters/prisma.js

@@ -0,0 +1,68 @@
+function createPrismaAdapter(model, rateLimitModel) {
+  const adapter = {
+    async createUser(data) {
+      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };
+      const user = await model.create({ data: dataToSave });
+      return user;
+    },
+    async findUserByEmail(email) {
+      const user = await model.findUnique({
+        where: { email }
+      });
+      return user;
+    },
+    async findUserById(id) {
+      const user = await model.findUnique({
+        where: { id }
+      });
+      return user;
+    },
+    async updateUser(id, data) {
+      const user = await model.update({
+        where: { id },
+        data
+      });
+      return user;
+    },
+    async linkOAuthAccount(userId, provider, providerId) {
+      await model.update({
+        where: { id: userId },
+        data: {
+          oauthProvider: provider,
+          oauthId: providerId
+        }
+      });
+    }
+  };
+  if (rateLimitModel) {
+    adapter.incrementRateLimit = async (key, windowMs) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findUnique({ where: { key } });
+      if (!record || now > record.resetTime) {
+        const newRecord = await rateLimitModel.upsert({
+          where: { key },
+          update: { count: 1, resetTime: now + windowMs },
+          create: { key, count: 1, resetTime: now + windowMs }
+        });
+        return { count: newRecord.count, resetTime: newRecord.resetTime };
+      } else {
+        const updated = await rateLimitModel.update({
+          where: { key },
+          data: { count: { increment: 1 } }
+        });
+        return { count: updated.count, resetTime: updated.resetTime };
+      }
+    };
+    adapter.getRateLimit = async (key) => {
+      const now = Date.now();
+      const record = await rateLimitModel.findUnique({ where: { key } });
+      if (!record || now > record.resetTime) return null;
+      return { count: record.count, resetTime: record.resetTime };
+    };
+  }
+  return adapter;
+}
+export {
+  createPrismaAdapter
+};
+//# sourceMappingURL=prisma.js.map

package/dist/auth/adapters/prisma.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/adapters/prisma.ts"],
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Prisma adapter using a Prisma delegate (e.g., prisma.user).\r\n * \r\n * Works with any Prisma-supported database by using the standard\r\n * Prisma delegate operations (findUnique, create, update).\r\n * \r\n * @param model - A Prisma delegate instance (e.g., prisma.user).\r\n * @param rateLimitModel - An optional Prisma delegate for rate limit tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createPrismaAdapter<TUser extends User = User>(model: any, rateLimitModel?: any): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const user = await model.create({ data: dataToSave });\r\n      return user as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const user = await model.findUnique({\r\n        where: { email },\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const user = await model.findUnique({\r\n        where: { id },\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const user = await model.update({\r\n        where: { id },\r\n        data,\r\n      });\r\n      return user as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await model.update({\r\n        where: { id: userId },\r\n        data: {\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        },\r\n      });\r\n    },\r\n  };\r\n\r\n  if (rateLimitModel) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findUnique({ where: { key } });\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          const newRecord = await rateLimitModel.upsert({\r\n              where: { key },\r\n              update: { count: 1, resetTime: now + windowMs },\r\n              create: { key, count: 1, resetTime: now + windowMs }\r\n          });\r\n          return { count: newRecord.count, resetTime: newRecord.resetTime };\r\n      } else {\r\n          const updated = await rateLimitModel.update({\r\n              where: { key },\r\n              data: { count: { increment: 1 } }\r\n          });\r\n          return { count: updated.count, resetTime: updated.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      const record = await rateLimitModel.findUnique({ where: { key } });\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": "AAYO,SAAS,oBAA+C,OAAY,gBAA0C;AACnH,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,OAAO,MAAM,MAAM,OAAO,EAAE,MAAM,WAAW,CAAC;AACpD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,MAAM;AAAA,MACjB,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,GAAG;AAAA,MACd,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,OAAO,MAAM,MAAM,OAAO;AAAA,QAC9B,OAAO,EAAE,GAAG;AAAA,QACZ;AAAA,MACF,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,OAAO;AAAA,QACjB,OAAO,EAAE,IAAI,OAAO;AAAA,QACpB,MAAM;AAAA,UACJ,eAAe;AAAA,UACf,SAAS;AAAA,QACX;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAEjE,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,cAAM,YAAY,MAAM,eAAe,OAAO;AAAA,UAC1C,OAAO,EAAE,IAAI;AAAA,UACb,QAAQ,EAAE,OAAO,GAAG,WAAW,MAAM,SAAS;AAAA,UAC9C,QAAQ,EAAE,KAAK,OAAO,GAAG,WAAW,MAAM,SAAS;AAAA,QACvD,CAAC;AACD,eAAO,EAAE,OAAO,UAAU,OAAO,WAAW,UAAU,UAAU;AAAA,MACpE,OAAO;AACH,cAAM,UAAU,MAAM,eAAe,OAAO;AAAA,UACxC,OAAO,EAAE,IAAI;AAAA,UACb,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;AAAA,QACpC,CAAC;AACD,eAAO,EAAE,OAAO,QAAQ,OAAO,WAAW,QAAQ,UAAU;AAAA,MAChE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,SAAS,MAAM,eAAe,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACjE,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/{core → auth/core}/index.cjs

@@ -35,13 +35,18 @@ module.exports = __toCommonJS(core_exports);
 var argon2 = __toESM(require("argon2"), 1);
 var import_jose = require("jose");
 var import_crypto = __toESM(require("crypto"), 1);
+var import_rate_limit = require("../security/rate-limit.js");
 function createAuth(options) {
-  const { adapter, secret, pepper, session, providers } = options;
+  const { adapter, secret, pepper, session, providers, rateLimit, ipBlocking } = options;
   const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
   const expiration = session?.expires || "1h";
   const refreshExpiration = session?.refreshExpires || "7d";
+  const configuredRateLimiter = (0, import_rate_limit.createRateLimiter)(adapter, rateLimit);
   async function generateToken(user, type = "access") {
     let payload = { sub: user.id, role: user.role, type };
+    if (user.passwordHash && (type === "refresh" || session?.enforceStrictRevocation)) {
+      payload.pw_frag = user.passwordHash.slice(-10);
+    }
     if (options.jwt?.payload) {
       const customPayload = options.jwt.payload(user, type);
       payload = { ...payload, ...customPayload };
@@ -52,6 +57,12 @@ function createAuth(options) {
     try {
       const { payload } = await (0, import_jose.jwtVerify)(token, encodedSecret);
       if (payload.type !== expectedType) return null;
+      if (expectedType === "access" && session?.enforceStrictRevocation && payload.pw_frag) {
+        const user = await adapter.findUserById(payload.sub);
+        if (!user || payload.pw_frag !== user.passwordHash?.slice(-10)) {
+          throw new Error("Strict Revocation: Access Token revoked due to password change");
+        }
+      }
       return payload;
     } catch (e) {
       return null;
@@ -66,12 +77,37 @@ function createAuth(options) {
     if (!user) {
       throw new Error("User not found");
     }
+    if (payload.pw_frag && user.passwordHash) {
+      if (payload.pw_frag !== user.passwordHash.slice(-10)) {
+        throw new Error("Session revoked (Password changed)");
+      }
+    }
     const accessToken = await generateToken(user, "access");
     return { accessToken };
   }
+  function validatePassword(password) {
+    if (!password || !options.passwordPolicy) return;
+    const p = options.passwordPolicy;
+    if (p.minLength && password.length < p.minLength) {
+      throw new Error(`Password must be at least ${p.minLength} characters`);
+    }
+    if (p.requireUppercase && !/[A-Z]/.test(password)) {
+      throw new Error("Password must contain at least one uppercase letter");
+    }
+    if (p.requireLowercase && !/[a-z]/.test(password)) {
+      throw new Error("Password must contain at least one lowercase letter");
+    }
+    if (p.requireNumber && !/[0-9]/.test(password)) {
+      throw new Error("Password must contain at least one number");
+    }
+    if (p.requireSpecialCharacter && !/[^A-Za-z0-9]/.test(password)) {
+      throw new Error("Password must contain at least one special character");
+    }
+  }
   async function signup(userData, password) {
     let dataToSave = { ...userData };
     if (password) {
+      validatePassword(password);
       const passwordWithPepper = pepper ? `${password}${pepper}` : password;
       dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
     }
@@ -80,7 +116,22 @@ function createAuth(options) {
     const refreshToken = await generateToken(newUser, "refresh");
     return { user: newUser, accessToken, refreshToken };
   }
-  async function loginWithPassword(email, password) {
+  async function loginWithPassword(email, password, clientIp) {
+    if (ipBlocking && clientIp && configuredRateLimiter) {
+      const strikeCheck = await configuredRateLimiter.check(`strike_${clientIp}`);
+      if (strikeCheck && strikeCheck.count >= ipBlocking.maxStrikes) {
+        throw new Error("IP is temporarily blocked.");
+      }
+    }
+    if (configuredRateLimiter) {
+      const limitStatus = await configuredRateLimiter.increment(`login_${email}`);
+      if (!limitStatus.success) {
+        if (ipBlocking && clientIp) {
+          await configuredRateLimiter.increment(`strike_${clientIp}`, ipBlocking.blockDurationMs);
+        }
+        throw new Error("Too many requests, please try again later.");
+      }
+    }
     const user = await adapter.findUserByEmail(email);
     const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
     const targetHash = user?.passwordHash || dummyHash;
@@ -93,9 +144,23 @@ function createAuth(options) {
     const refreshToken = await generateToken(user, "refresh");
     return { user, accessToken, refreshToken };
   }
+  async function changePassword(userId, newPassword) {
+    if (!adapter.updateUser) {
+      throw new Error("The AuthAdapter does not support updating user records natively.");
+    }
+    validatePassword(newPassword);
+    const passwordWithPepper = pepper ? `${newPassword}${pepper}` : newPassword;
+    const newHash = await argon2.hash(passwordWithPepper);
+    const updatedUser = await adapter.updateUser(userId, { passwordHash: newHash });
+    if (!updatedUser) {
+      throw new Error("User not found");
+    }
+    return updatedUser;
+  }
   return {
     signup,
     loginWithPassword,
+    changePassword,
     refresh,
     verifyToken,
     generateToken,

package/dist/auth/core/index.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/core/index.ts"],
+  "sourcesContent": ["import * as argon2 from \"argon2\";\r\nimport { SignJWT, jwtVerify } from \"jose\";\r\nimport crypto from \"crypto\";\r\nimport type { AuthAdapter, User } from \"../adapters/index.js\";\r\nimport type { Provider } from \"../providers/index.js\";\r\nimport { createRateLimiter, type RateLimitOptions } from \"../security/rate-limit.js\";\r\n\r\nexport interface CreateAuthOptions {\r\n    adapter: AuthAdapter<any>;\r\n    secret: string | Uint8Array;\r\n    pepper?: string;\r\n    session?: {\r\n        expires?: string | number; // For access tokens\r\n        refreshExpires?: string | number; // For refresh tokens\r\n        enforceStrictRevocation?: boolean; // If true, DB check on access tokens\r\n    };\r\n    providers?: Provider[];\r\n    jwt?: {\r\n        /**\r\n         * A callback to add custom fields to the JWT payload.\r\n         * It receives the user object and the token type ('access' or 'refresh').\r\n         * Return an object containing the fields to be merged into the payload.\r\n         * You can also override default fields like 'sub'.\r\n         */\r\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\r\n    };\r\n    rateLimit?: RateLimitOptions;\r\n    ipBlocking?: { maxStrikes: number; blockDurationMs: number };\r\n    passwordPolicy?: {\r\n        minLength?: number;\r\n        requireUppercase?: boolean;\r\n        requireLowercase?: boolean;\r\n        requireNumber?: boolean;\r\n        requireSpecialCharacter?: boolean;\r\n    };\r\n}\r\n\r\nexport function createAuth(options: CreateAuthOptions) {\r\n    const { adapter, secret, pepper, session, providers, rateLimit, ipBlocking } = options;\r\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\r\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\r\n    const refreshExpiration = session?.refreshExpires || \"7d\";\r\n\r\n    const configuredRateLimiter = createRateLimiter(adapter, rateLimit);\r\n\r\n    /**\r\n     * Generates a stateless JWT for a user session\r\n     */\r\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\r\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\r\n\r\n        // Lightweight Session Revocation: Link token to current password hash state\r\n        if (user.passwordHash && (type === \"refresh\" || session?.enforceStrictRevocation)) {\r\n            payload.pw_frag = user.passwordHash.slice(-10);\r\n        }\r\n\r\n        if (options.jwt?.payload) {\r\n            const customPayload = options.jwt.payload(user, type);\r\n            payload = { ...payload, ...customPayload };\r\n        }\r\n\r\n        return new SignJWT(payload)\r\n            .setProtectedHeader({ alg: \"HS256\" })\r\n            .setIssuedAt()\r\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\r\n            .sign(encodedSecret);\r\n    }\r\n\r\n    /**\r\n     * Verifies a JWT and returns the payload.\r\n     * Optionally checks for a specific token type (access/refresh).\r\n     */\r\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\r\n        try {\r\n            const { payload } = await jwtVerify(token, encodedSecret);\r\n            if (payload.type !== expectedType) return null;\r\n\r\n            if (expectedType === \"access\" && session?.enforceStrictRevocation && payload.pw_frag) {\r\n                const user = await adapter.findUserById(payload.sub as string);\r\n                if (!user || payload.pw_frag !== user.passwordHash?.slice(-10)) {\r\n                    throw new Error(\"Strict Revocation: Access Token revoked due to password change\");\r\n                }\r\n            }\r\n\r\n            return payload;\r\n        } catch (e) {\r\n            return null;\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Refreshes an access token using a valid refresh token.\r\n     */\r\n    async function refresh(refreshToken: string) {\r\n        const payload = await verifyToken(refreshToken, \"refresh\");\r\n        if (!payload || !payload.sub) {\r\n            throw new Error(\"Invalid or expired refresh token\");\r\n        }\r\n\r\n        const user = await adapter.findUserById(payload.sub as string);\r\n        if (!user) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n\r\n        // Lightweight Session Revocation: Validate password hasn't changed since token issuance\r\n        if (payload.pw_frag && user.passwordHash) {\r\n            if (payload.pw_frag !== user.passwordHash.slice(-10)) {\r\n                throw new Error(\"Session revoked (Password changed)\");\r\n            }\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        return { accessToken };\r\n    }\r\n\r\n    function validatePassword(password?: string) {\r\n        if (!password || !options.passwordPolicy) return;\r\n        \r\n        const p = options.passwordPolicy;\r\n        if (p.minLength && password.length < p.minLength) {\r\n            throw new Error(`Password must be at least ${p.minLength} characters`);\r\n        }\r\n        if (p.requireUppercase && !/[A-Z]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one uppercase letter\");\r\n        }\r\n        if (p.requireLowercase && !/[a-z]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one lowercase letter\");\r\n        }\r\n        if (p.requireNumber && !/[0-9]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one number\");\r\n        }\r\n        if (p.requireSpecialCharacter && !/[^A-Za-z0-9]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one special character\");\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Signup with a new user payload.\r\n     * Incorporates server-side pepper for password hashing if provided.\r\n     */\r\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\r\n        let dataToSave = { ...userData };\r\n\r\n        if (password) {\r\n            validatePassword(password);\r\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\r\n        }\r\n\r\n        const newUser = await adapter.createUser(dataToSave);\r\n        const accessToken = await generateToken(newUser, \"access\");\r\n        const refreshToken = await generateToken(newUser, \"refresh\");\r\n\r\n        return { user: newUser, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Standard Email/Password Login.\r\n     * Includes timing attack protection and password peppering.\r\n     */\r\n    async function loginWithPassword(email: string, password: string, clientIp?: string) {\r\n        if (ipBlocking && clientIp && configuredRateLimiter) {\r\n            const strikeCheck = await configuredRateLimiter.check(`strike_${clientIp}`);\r\n            if (strikeCheck && strikeCheck.count >= ipBlocking.maxStrikes) {\r\n                throw new Error(\"IP is temporarily blocked.\");\r\n            }\r\n        }\r\n\r\n        if (configuredRateLimiter) {\r\n            const limitStatus = await configuredRateLimiter.increment(`login_${email}`);\r\n            if (!limitStatus.success) {\r\n                if (ipBlocking && clientIp) {\r\n                    await configuredRateLimiter.increment(`strike_${clientIp}`, ipBlocking.blockDurationMs);\r\n                }\r\n                throw new Error(\"Too many requests, please try again later.\");\r\n            }\r\n        }\r\n\r\n        const user = await adapter.findUserByEmail(email);\r\n\r\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\r\n        // We use a dummy hash to keep execution time consistent.\r\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\r\n        const targetHash = user?.passwordHash || dummyHash;\r\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n\r\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\r\n\r\n        if (!user || !user.passwordHash || !isValid) {\r\n            throw new Error(\"Invalid credentials\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        const refreshToken = await generateToken(user, \"refresh\");\r\n\r\n        return { user, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Changes a user's password securely using the configured pepper and hashing algorithm.\r\n     * Instantly revokes all active refresh tokens for the user globally.\r\n     */\r\n    async function changePassword(userId: string, newPassword: string) {\r\n        if (!adapter.updateUser) {\r\n            throw new Error(\"The AuthAdapter does not support updating user records natively.\");\r\n        }\r\n\r\n        validatePassword(newPassword);\r\n        const passwordWithPepper = pepper ? `${newPassword}${pepper}` : newPassword;\r\n        const newHash = await argon2.hash(passwordWithPepper);\r\n\r\n        const updatedUser = await adapter.updateUser(userId, { passwordHash: newHash } as any);\r\n        if (!updatedUser) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n        \r\n        return updatedUser;\r\n    }\r\n\r\n    return {\r\n        signup,\r\n        loginWithPassword,\r\n        changePassword,\r\n        refresh,\r\n        verifyToken,\r\n        generateToken,\r\n        _providers: providers\r\n    };\r\n}\r\n\r\n/**\r\n * Utility to generate a high-entropy cryptographically secure secret.\r\n * Useful for initializing the 'secret' option in createAuth.\r\n */\r\nexport function generateSecret(length: number = 32): Uint8Array {\r\n    return crypto.getRandomValues(new Uint8Array(length));\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAwB;AACxB,kBAAmC;AACnC,oBAAmB;AAGnB,wBAAyD;AAgClD,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,WAAW,WAAW,WAAW,IAAI;AAC/E,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAErD,QAAM,4BAAwB,qCAAkB,SAAS,SAAS;AAKlE,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAGzE,QAAI,KAAK,iBAAiB,SAAS,aAAa,SAAS,0BAA0B;AAC/E,cAAQ,UAAU,KAAK,aAAa,MAAM,GAAG;AAAA,IACjD;AAEA,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,oBAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAE1C,UAAI,iBAAiB,YAAY,SAAS,2BAA2B,QAAQ,SAAS;AAClF,cAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,YAAI,CAAC,QAAQ,QAAQ,YAAY,KAAK,cAAc,MAAM,GAAG,GAAG;AAC5D,gBAAM,IAAI,MAAM,gEAAgE;AAAA,QACpF;AAAA,MACJ;AAEA,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAGA,QAAI,QAAQ,WAAW,KAAK,cAAc;AACtC,UAAI,QAAQ,YAAY,KAAK,aAAa,MAAM,GAAG,GAAG;AAClD,cAAM,IAAI,MAAM,oCAAoC;AAAA,MACxD;AAAA,IACJ;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAEA,WAAS,iBAAiB,UAAmB;AACzC,QAAI,CAAC,YAAY,CAAC,QAAQ,eAAgB;AAE1C,UAAM,IAAI,QAAQ;AAClB,QAAI,EAAE,aAAa,SAAS,SAAS,EAAE,WAAW;AAC9C,YAAM,IAAI,MAAM,6BAA6B,EAAE,SAAS,aAAa;AAAA,IACzE;AACA,QAAI,EAAE,oBAAoB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC/C,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACzE;AACA,QAAI,EAAE,oBAAoB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC/C,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACzE;AACA,QAAI,EAAE,iBAAiB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC5C,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC/D;AACA,QAAI,EAAE,2BAA2B,CAAC,eAAe,KAAK,QAAQ,GAAG;AAC7D,YAAM,IAAI,MAAM,sDAAsD;AAAA,IAC1E;AAAA,EACJ;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,uBAAiB,QAAQ;AACzB,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB,UAAmB;AACjF,QAAI,cAAc,YAAY,uBAAuB;AACjD,YAAM,cAAc,MAAM,sBAAsB,MAAM,UAAU,QAAQ,EAAE;AAC1E,UAAI,eAAe,YAAY,SAAS,WAAW,YAAY;AAC3D,cAAM,IAAI,MAAM,4BAA4B;AAAA,MAChD;AAAA,IACJ;AAEA,QAAI,uBAAuB;AACvB,YAAM,cAAc,MAAM,sBAAsB,UAAU,SAAS,KAAK,EAAE;AAC1E,UAAI,CAAC,YAAY,SAAS;AACtB,YAAI,cAAc,UAAU;AACxB,gBAAM,sBAAsB,UAAU,UAAU,QAAQ,IAAI,WAAW,eAAe;AAAA,QAC1F;AACA,cAAM,IAAI,MAAM,4CAA4C;AAAA,MAChE;AAAA,IACJ;AAEA,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAMA,iBAAe,eAAe,QAAgB,aAAqB;AAC/D,QAAI,CAAC,QAAQ,YAAY;AACrB,YAAM,IAAI,MAAM,kEAAkE;AAAA,IACtF;AAEA,qBAAiB,WAAW;AAC5B,UAAM,qBAAqB,SAAS,GAAG,WAAW,GAAG,MAAM,KAAK;AAChE,UAAM,UAAU,MAAM,OAAO,KAAK,kBAAkB;AAEpD,UAAM,cAAc,MAAM,QAAQ,WAAW,QAAQ,EAAE,cAAc,QAAQ,CAAQ;AACrF,QAAI,CAAC,aAAa;AACd,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,WAAO;AAAA,EACX;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,cAAAA,QAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
+  "names": ["crypto"]
+}