kroxt 1.2.1 → 1.3.0

package/dist/security/index.d.ts

@@ -14,4 +14,5 @@ export declare function verifyCsrf(tokenInRequest: string, tokenInCookie: string
  * 2. Use a 'pepper' in createAuth to protect hashes.
  * 3. Implement rate limiting on /login and /register endpoints.
  */
+export * from "./rate-limit.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/security/index.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAYjF;AAED;;;;;GAKG"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/security/index.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAejF;AAED;;;;;GAKG;AAEH,cAAc,iBAAiB,CAAC"}

package/dist/security/rate-limit.d.ts

@@ -0,0 +1,39 @@
+import type { AuthAdapter } from "../adapters/index.js";
+export interface RateLimitOptions {
+    windowMs: number;
+    max: number;
+}
+export interface RateLimitResult {
+    success: boolean;
+    limit: number;
+    remaining: number;
+    reset: number;
+}
+/**
+ * A zero-dependency in-memory store for rate limiting.
+ * Used as a fallback if the provided AuthAdapter does not
+ * implement `incrementRateLimit`.
+ */
+export declare class MemoryRateLimitStore {
+    private hits;
+    increment(key: string, windowMs: number): Promise<{
+        count: number;
+        resetTime: number;
+    }>;
+    getRateLimit(key: string): Promise<{
+        count: number;
+        resetTime: number;
+    } | null>;
+}
+/**
+ * Creates a rate limiter function that uses the Database Adapter
+ * for state tracking (if supported), or falls back to Memory.
+ */
+export declare function createRateLimiter(adapter: AuthAdapter<any>, options?: RateLimitOptions): {
+    increment(key: string, overrideWindowMs?: number): Promise<RateLimitResult>;
+    check(key: string): Promise<{
+        count: number;
+        resetTime: number;
+    } | null>;
+} | null;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/security/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/auth/security/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACjB;AAED;;;;GAIG;AACH,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,IAAI,CAA2D;IAEjE,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAcvF,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CAMxF;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB;mBAO1D,MAAM,qBAAqB,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;eAsBhE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;SAOrF"}

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "kroxt",
-  "version": "1.2.1",
+  "version": "1.3.0",
+  "bin": {
+    "kroxt": "./dist/cli/index.js"
+  },
   "keywords": [
     "auth",
     "authentication",
@@ -82,6 +85,9 @@
   "dependencies": {
     "arctic": "^3.7.0",
     "argon2": "^0.44.0",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.3",
+    "enquirer": "^2.4.1",
     "jose": "^6.2.1",
     "zod": "^3.23.8"
   },
@@ -91,4 +97,4 @@
     "tsup": "^8.5.1",
     "typescript": "^5.9.3"
   }
-}
+}

package/dist/adapters/drizzle.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/drizzle.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a Drizzle ORM adapter.\n * \n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\n * by using the standard drizzle-orm `db` instance and table definition.\n * \n * @param db - The Drizzle database instance.\n * @param table - The Drizzle table representing users.\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\n * @returns An AuthAdapter compliant object.\n */\nexport function createDrizzleAdapter<TUser extends User = User>(\n  db: any,\n  table: any,\n  eq: any\n): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\n      const results = await db.insert(table).values(dataToSave).returning();\n      return results[0] as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\n      return (results[0] || null) as TUser | null;\n    },\n\n    async findUserById(id: string) {\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\n      return (results[0] || null) as TUser | null;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await db.update(table)\n        .set({\n          oauthProvider: provider,\n          oauthId: providerId,\n        })\n        .where(eq(table.id, userId));\n    },\n  };\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAaO,SAAS,qBACd,IACA,OACA,IACoB;AACpB,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/adapters/drizzle.js

@@ -1,27 +0,0 @@
-function createDrizzleAdapter(db, table, eq) {
-  return {
-    async createUser(data) {
-      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };
-      const results = await db.insert(table).values(dataToSave).returning();
-      return results[0];
-    },
-    async findUserByEmail(email) {
-      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);
-      return results[0] || null;
-    },
-    async findUserById(id) {
-      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);
-      return results[0] || null;
-    },
-    async linkOAuthAccount(userId, provider, providerId) {
-      await db.update(table).set({
-        oauthProvider: provider,
-        oauthId: providerId
-      }).where(eq(table.id, userId));
-    }
-  };
-}
-export {
-  createDrizzleAdapter
-};
-//# sourceMappingURL=drizzle.js.map

package/dist/adapters/drizzle.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/drizzle.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a Drizzle ORM adapter.\n * \n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\n * by using the standard drizzle-orm `db` instance and table definition.\n * \n * @param db - The Drizzle database instance.\n * @param table - The Drizzle table representing users.\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\n * @returns An AuthAdapter compliant object.\n */\nexport function createDrizzleAdapter<TUser extends User = User>(\n  db: any,\n  table: any,\n  eq: any\n): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\n      const results = await db.insert(table).values(dataToSave).returning();\n      return results[0] as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\n      return (results[0] || null) as TUser | null;\n    },\n\n    async findUserById(id: string) {\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\n      return (results[0] || null) as TUser | null;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await db.update(table)\n        .set({\n          oauthProvider: provider,\n          oauthId: providerId,\n        })\n        .where(eq(table.id, userId));\n    },\n  };\n}\n"],
-  "mappings": "AAaO,SAAS,qBACd,IACA,OACA,IACoB;AACpB,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/adapters/index.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/index.ts"],
-  "sourcesContent": ["export interface BaseUser {\n  id: string;\n  email: string;\n  passwordHash?: string;\n  role?: string;\n}\n\n// Allows any extended fields natively (like nin, bvn, maritalStatus, etc.)\nexport type User<TExtended = Record<string, any>> = BaseUser & TExtended;\n\nexport interface AuthAdapter<TUser = User> {\n  createUser: (data: any) => Promise<TUser>;\n  findUserByEmail: (email: string) => Promise<TUser | null>;\n  findUserById: (id: string) => Promise<TUser | null>;\n  linkOAuthAccount: (userId: string, provider: string, providerId: string) => Promise<void>;\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;",
-  "names": []
-}

package/dist/adapters/memory.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/memory.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates an in-memory database adapter for the auth engine.\n * This is useful for testing, prototyping, or when you don't need persistent storage.\n * All data is kept in memory and is lost when the server restarts.\n */\nexport function createMemoryAdapter<TUser extends User = User>(): AuthAdapter<TUser> {\n    const users = new Map<string, TUser>();\n    const accounts = new Map<string, { userId: string; provider: string; providerId: string }>();\n\n    return {\n        createUser: async (data: any) => {\n            // Auto-generate ID if not provided\n            const id = data.id || Date.now().toString();\n            const newUser = { ...data, id } as TUser;\n\n            // Store using email as the primary lookup key\n            users.set(newUser.email, newUser);\n            return newUser;\n        },\n\n        findUserByEmail: async (email: string) => {\n            return users.get(email) || null;\n        },\n\n        findUserById: async (id: string) => {\n            for (const user of users.values()) {\n                if (user.id === id) {\n                    return user;\n                }\n            }\n            return null;\n        },\n\n        linkOAuthAccount: async (userId: string, provider: string, providerId: string) => {\n            const accountId = `${provider}_${providerId}`;\n            accounts.set(accountId, { userId, provider, providerId });\n        }\n    };\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOO,SAAS,sBAAqE;AACjF,QAAM,QAAQ,oBAAI,IAAmB;AACrC,QAAM,WAAW,oBAAI,IAAsE;AAE3F,SAAO;AAAA,IACH,YAAY,OAAO,SAAc;AAE7B,YAAM,KAAK,KAAK,MAAM,KAAK,IAAI,EAAE,SAAS;AAC1C,YAAM,UAAU,EAAE,GAAG,MAAM,GAAG;AAG9B,YAAM,IAAI,QAAQ,OAAO,OAAO;AAChC,aAAO;AAAA,IACX;AAAA,IAEA,iBAAiB,OAAO,UAAkB;AACtC,aAAO,MAAM,IAAI,KAAK,KAAK;AAAA,IAC/B;AAAA,IAEA,cAAc,OAAO,OAAe;AAChC,iBAAW,QAAQ,MAAM,OAAO,GAAG;AAC/B,YAAI,KAAK,OAAO,IAAI;AAChB,iBAAO;AAAA,QACX;AAAA,MACJ;AACA,aAAO;AAAA,IACX;AAAA,IAEA,kBAAkB,OAAO,QAAgB,UAAkB,eAAuB;AAC9E,YAAM,YAAY,GAAG,QAAQ,IAAI,UAAU;AAC3C,eAAS,IAAI,WAAW,EAAE,QAAQ,UAAU,WAAW,CAAC;AAAA,IAC5D;AAAA,EACJ;AACJ;",
-  "names": []
-}

package/dist/adapters/memory.js

@@ -1,31 +0,0 @@
-function createMemoryAdapter() {
-  const users = /* @__PURE__ */ new Map();
-  const accounts = /* @__PURE__ */ new Map();
-  return {
-    createUser: async (data) => {
-      const id = data.id || Date.now().toString();
-      const newUser = { ...data, id };
-      users.set(newUser.email, newUser);
-      return newUser;
-    },
-    findUserByEmail: async (email) => {
-      return users.get(email) || null;
-    },
-    findUserById: async (id) => {
-      for (const user of users.values()) {
-        if (user.id === id) {
-          return user;
-        }
-      }
-      return null;
-    },
-    linkOAuthAccount: async (userId, provider, providerId) => {
-      const accountId = `${provider}_${providerId}`;
-      accounts.set(accountId, { userId, provider, providerId });
-    }
-  };
-}
-export {
-  createMemoryAdapter
-};
-//# sourceMappingURL=memory.js.map

package/dist/adapters/memory.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/memory.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates an in-memory database adapter for the auth engine.\n * This is useful for testing, prototyping, or when you don't need persistent storage.\n * All data is kept in memory and is lost when the server restarts.\n */\nexport function createMemoryAdapter<TUser extends User = User>(): AuthAdapter<TUser> {\n    const users = new Map<string, TUser>();\n    const accounts = new Map<string, { userId: string; provider: string; providerId: string }>();\n\n    return {\n        createUser: async (data: any) => {\n            // Auto-generate ID if not provided\n            const id = data.id || Date.now().toString();\n            const newUser = { ...data, id } as TUser;\n\n            // Store using email as the primary lookup key\n            users.set(newUser.email, newUser);\n            return newUser;\n        },\n\n        findUserByEmail: async (email: string) => {\n            return users.get(email) || null;\n        },\n\n        findUserById: async (id: string) => {\n            for (const user of users.values()) {\n                if (user.id === id) {\n                    return user;\n                }\n            }\n            return null;\n        },\n\n        linkOAuthAccount: async (userId: string, provider: string, providerId: string) => {\n            const accountId = `${provider}_${providerId}`;\n            accounts.set(accountId, { userId, provider, providerId });\n        }\n    };\n}\n"],
-  "mappings": "AAOO,SAAS,sBAAqE;AACjF,QAAM,QAAQ,oBAAI,IAAmB;AACrC,QAAM,WAAW,oBAAI,IAAsE;AAE3F,SAAO;AAAA,IACH,YAAY,OAAO,SAAc;AAE7B,YAAM,KAAK,KAAK,MAAM,KAAK,IAAI,EAAE,SAAS;AAC1C,YAAM,UAAU,EAAE,GAAG,MAAM,GAAG;AAG9B,YAAM,IAAI,QAAQ,OAAO,OAAO;AAChC,aAAO;AAAA,IACX;AAAA,IAEA,iBAAiB,OAAO,UAAkB;AACtC,aAAO,MAAM,IAAI,KAAK,KAAK;AAAA,IAC/B;AAAA,IAEA,cAAc,OAAO,OAAe;AAChC,iBAAW,QAAQ,MAAM,OAAO,GAAG;AAC/B,YAAI,KAAK,OAAO,IAAI;AAChB,iBAAO;AAAA,QACX;AAAA,MACJ;AACA,aAAO;AAAA,IACX;AAAA,IAEA,kBAAkB,OAAO,QAAgB,UAAkB,eAAuB;AAC9E,YAAM,YAAY,GAAG,QAAQ,IAAI,UAAU;AAC3C,eAAS,IAAI,WAAW,EAAE,QAAQ,UAAU,WAAW,CAAC;AAAA,IAC5D;AAAA,EACJ;AACJ;",
-  "names": []
-}

package/dist/adapters/mongoose.cjs

@@ -1,55 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var mongoose_exports = {};
-__export(mongoose_exports, {
-  createMongoAdapter: () => createMongoAdapter
-});
-module.exports = __toCommonJS(mongoose_exports);
-function createMongoAdapter(model) {
-  return {
-    async createUser(data) {
-      const user = await model.create(data);
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async findUserByEmail(email) {
-      const user = await model.findOne({ email });
-      if (!user) return null;
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async findUserById(id) {
-      const user = await model.findById(id);
-      if (!user) return null;
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async linkOAuthAccount(userId, provider, providerId) {
-      await model.findByIdAndUpdate(userId, {
-        oauthProvider: provider,
-        oauthId: providerId
-      });
-    }
-  };
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  createMongoAdapter
-});
-//# sourceMappingURL=mongoose.cjs.map

package/dist/adapters/mongoose.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/mongoose.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a MongoDB adapter using a Mongoose model.\n * \n * @param model - A Mongoose model instance (e.g., User model).\n * @returns An AuthAdapter compliant object.\n */\nexport function createMongoAdapter<TUser extends User = User>(model: any): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const user = await model.create(data);\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const user = await model.findOne({ email });\n      if (!user) return null;\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async findUserById(id: string) {\n      const user = await model.findById(id);\n      if (!user) return null;\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await model.findByIdAndUpdate(userId, {\n        oauthProvider: provider,\n        oauthId: providerId,\n      });\n    },\n  };\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAQO,SAAS,mBAA8C,OAAgC;AAC5F,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,OAAO,MAAM,MAAM,OAAO,IAAI;AACpC,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,QAAQ,EAAE,MAAM,CAAC;AAC1C,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,SAAS,EAAE;AACpC,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,kBAAkB,QAAQ;AAAA,QACpC,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/adapters/mongoose.js

@@ -1,31 +0,0 @@
-function createMongoAdapter(model) {
-  return {
-    async createUser(data) {
-      const user = await model.create(data);
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async findUserByEmail(email) {
-      const user = await model.findOne({ email });
-      if (!user) return null;
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async findUserById(id) {
-      const user = await model.findById(id);
-      if (!user) return null;
-      const obj = user.toObject();
-      return { ...obj, id: obj._id.toString() };
-    },
-    async linkOAuthAccount(userId, provider, providerId) {
-      await model.findByIdAndUpdate(userId, {
-        oauthProvider: provider,
-        oauthId: providerId
-      });
-    }
-  };
-}
-export {
-  createMongoAdapter
-};
-//# sourceMappingURL=mongoose.js.map

package/dist/adapters/mongoose.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/mongoose.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a MongoDB adapter using a Mongoose model.\n * \n * @param model - A Mongoose model instance (e.g., User model).\n * @returns An AuthAdapter compliant object.\n */\nexport function createMongoAdapter<TUser extends User = User>(model: any): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const user = await model.create(data);\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const user = await model.findOne({ email });\n      if (!user) return null;\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async findUserById(id: string) {\n      const user = await model.findById(id);\n      if (!user) return null;\n      const obj = user.toObject();\n      return { ...obj, id: obj._id.toString() } as TUser;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await model.findByIdAndUpdate(userId, {\n        oauthProvider: provider,\n        oauthId: providerId,\n      });\n    },\n  };\n}\n"],
-  "mappings": "AAQO,SAAS,mBAA8C,OAAgC;AAC5F,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,OAAO,MAAM,MAAM,OAAO,IAAI;AACpC,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,QAAQ,EAAE,MAAM,CAAC;AAC1C,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,SAAS,EAAE;AACpC,UAAI,CAAC,KAAM,QAAO;AAClB,YAAM,MAAM,KAAK,SAAS;AAC1B,aAAO,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,SAAS,EAAE;AAAA,IAC1C;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,kBAAkB,QAAQ;AAAA,QACpC,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/adapters/prisma.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/prisma.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a Prisma adapter using a Prisma delegate (e.g., prisma.user).\n * \n * Works with any Prisma-supported database by using the standard\n * Prisma delegate operations (findUnique, create, update).\n * \n * @param model - A Prisma delegate instance (e.g., prisma.user).\n * @returns An AuthAdapter compliant object.\n */\nexport function createPrismaAdapter<TUser extends User = User>(model: any): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\n      const user = await model.create({ data: dataToSave });\n      return user as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const user = await model.findUnique({\n        where: { email },\n      });\n      return user as TUser | null;\n    },\n\n    async findUserById(id: string) {\n      const user = await model.findUnique({\n        where: { id },\n      });\n      return user as TUser | null;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await model.update({\n        where: { id: userId },\n        data: {\n          oauthProvider: provider,\n          oauthId: providerId,\n        },\n      });\n    },\n  };\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAWO,SAAS,oBAA+C,OAAgC;AAC7F,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,OAAO,MAAM,MAAM,OAAO,EAAE,MAAM,WAAW,CAAC;AACpD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,MAAM;AAAA,MACjB,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,GAAG;AAAA,MACd,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,OAAO;AAAA,QACjB,OAAO,EAAE,IAAI,OAAO;AAAA,QACpB,MAAM;AAAA,UACJ,eAAe;AAAA,UACf,SAAS;AAAA,QACX;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/adapters/prisma.js

@@ -1,34 +0,0 @@
-function createPrismaAdapter(model) {
-  return {
-    async createUser(data) {
-      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };
-      const user = await model.create({ data: dataToSave });
-      return user;
-    },
-    async findUserByEmail(email) {
-      const user = await model.findUnique({
-        where: { email }
-      });
-      return user;
-    },
-    async findUserById(id) {
-      const user = await model.findUnique({
-        where: { id }
-      });
-      return user;
-    },
-    async linkOAuthAccount(userId, provider, providerId) {
-      await model.update({
-        where: { id: userId },
-        data: {
-          oauthProvider: provider,
-          oauthId: providerId
-        }
-      });
-    }
-  };
-}
-export {
-  createPrismaAdapter
-};
-//# sourceMappingURL=prisma.js.map

package/dist/adapters/prisma.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/adapters/prisma.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\n\n/**\n * Creates a Prisma adapter using a Prisma delegate (e.g., prisma.user).\n * \n * Works with any Prisma-supported database by using the standard\n * Prisma delegate operations (findUnique, create, update).\n * \n * @param model - A Prisma delegate instance (e.g., prisma.user).\n * @returns An AuthAdapter compliant object.\n */\nexport function createPrismaAdapter<TUser extends User = User>(model: any): AuthAdapter<TUser> {\n  return {\n    async createUser(data: any) {\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\n      const user = await model.create({ data: dataToSave });\n      return user as TUser;\n    },\n\n    async findUserByEmail(email: string) {\n      const user = await model.findUnique({\n        where: { email },\n      });\n      return user as TUser | null;\n    },\n\n    async findUserById(id: string) {\n      const user = await model.findUnique({\n        where: { id },\n      });\n      return user as TUser | null;\n    },\n\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\n      await model.update({\n        where: { id: userId },\n        data: {\n          oauthProvider: provider,\n          oauthId: providerId,\n        },\n      });\n    },\n  };\n}\n"],
-  "mappings": "AAWO,SAAS,oBAA+C,OAAgC;AAC7F,SAAO;AAAA,IACL,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,OAAO,MAAM,MAAM,OAAO,EAAE,MAAM,WAAW,CAAC;AACpD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,MAAM;AAAA,MACjB,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,OAAO,MAAM,MAAM,WAAW;AAAA,QAClC,OAAO,EAAE,GAAG;AAAA,MACd,CAAC;AACD,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,MAAM,OAAO;AAAA,QACjB,OAAO,EAAE,IAAI,OAAO;AAAA,QACpB,MAAM;AAAA,UACJ,eAAe;AAAA,UACf,SAAS;AAAA,QACX;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;",
-  "names": []
-}

package/dist/core/index.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/core/index.ts"],
-  "sourcesContent": ["import * as argon2 from \"argon2\";\nimport { SignJWT, jwtVerify } from \"jose\";\nimport crypto from \"crypto\";\nimport type { AuthAdapter, User } from \"../adapters/index.js\";\nimport type { Provider } from \"../providers/index.js\";\n\nexport interface CreateAuthOptions {\n    adapter: AuthAdapter<any>;\n    secret: string | Uint8Array;\n    pepper?: string;\n    session?: {\n        expires?: string | number; // For access tokens\n        refreshExpires?: string | number; // For refresh tokens\n    };\n    providers?: Provider[];\n    jwt?: {\n        /**\n         * A callback to add custom fields to the JWT payload.\n         * It receives the user object and the token type ('access' or 'refresh').\n         * Return an object containing the fields to be merged into the payload.\n         * You can also override default fields like 'sub'.\n         */\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\n    };\n}\n\nexport function createAuth(options: CreateAuthOptions) {\n    const { adapter, secret, pepper, session, providers } = options;\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\n    const refreshExpiration = session?.refreshExpires || \"7d\";\n\n    /**\n     * Generates a stateless JWT for a user session\n     */\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\n\n        if (options.jwt?.payload) {\n            const customPayload = options.jwt.payload(user, type);\n            payload = { ...payload, ...customPayload };\n        }\n\n        return new SignJWT(payload)\n            .setProtectedHeader({ alg: \"HS256\" })\n            .setIssuedAt()\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\n            .sign(encodedSecret);\n    }\n\n    /**\n     * Verifies a JWT and returns the payload.\n     * Optionally checks for a specific token type (access/refresh).\n     */\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\n        try {\n            const { payload } = await jwtVerify(token, encodedSecret);\n            if (payload.type !== expectedType) return null;\n            return payload;\n        } catch (e) {\n            return null;\n        }\n    }\n\n    /**\n     * Refreshes an access token using a valid refresh token.\n     */\n    async function refresh(refreshToken: string) {\n        const payload = await verifyToken(refreshToken, \"refresh\");\n        if (!payload || !payload.sub) {\n            throw new Error(\"Invalid or expired refresh token\");\n        }\n\n        const user = await adapter.findUserById(payload.sub as string);\n        if (!user) {\n            throw new Error(\"User not found\");\n        }\n\n        const accessToken = await generateToken(user, \"access\");\n        return { accessToken };\n    }\n\n    /**\n     * Signup with a new user payload.\n     * Incorporates server-side pepper for password hashing if provided.\n     */\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\n        let dataToSave = { ...userData };\n\n        if (password) {\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\n        }\n\n        const newUser = await adapter.createUser(dataToSave);\n        const accessToken = await generateToken(newUser, \"access\");\n        const refreshToken = await generateToken(newUser, \"refresh\");\n\n        return { user: newUser, accessToken, refreshToken };\n    }\n\n    /**\n     * Standard Email/Password Login.\n     * Includes timing attack protection and password peppering.\n     */\n    async function loginWithPassword(email: string, password: string) {\n        const user = await adapter.findUserByEmail(email);\n\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\n        // We use a dummy hash to keep execution time consistent.\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\n        const targetHash = user?.passwordHash || dummyHash;\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\n\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\n\n        if (!user || !user.passwordHash || !isValid) {\n            throw new Error(\"Invalid credentials\");\n        }\n\n        const accessToken = await generateToken(user, \"access\");\n        const refreshToken = await generateToken(user, \"refresh\");\n\n        return { user, accessToken, refreshToken };\n    }\n\n    return {\n        signup,\n        loginWithPassword,\n        refresh,\n        verifyToken,\n        generateToken,\n        _providers: providers\n    };\n}\n\n/**\n * Utility to generate a high-entropy cryptographically secure secret.\n * Useful for initializing the 'secret' option in createAuth.\n */\nexport function generateSecret(length: number = 32): Uint8Array {\n    return crypto.getRandomValues(new Uint8Array(length));\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAwB;AACxB,kBAAmC;AACnC,oBAAmB;AAwBZ,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,UAAU,IAAI;AACxD,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAKrD,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAEzE,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,oBAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAC1C,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB;AAC9D,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,cAAAA,QAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
-  "names": ["crypto"]
-}

package/dist/core/index.js

@@ -1,78 +0,0 @@
-import * as argon2 from "argon2";
-import { SignJWT, jwtVerify } from "jose";
-import crypto from "crypto";
-function createAuth(options) {
-  const { adapter, secret, pepper, session, providers } = options;
-  const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
-  const expiration = session?.expires || "1h";
-  const refreshExpiration = session?.refreshExpires || "7d";
-  async function generateToken(user, type = "access") {
-    let payload = { sub: user.id, role: user.role, type };
-    if (options.jwt?.payload) {
-      const customPayload = options.jwt.payload(user, type);
-      payload = { ...payload, ...customPayload };
-    }
-    return new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(type === "access" ? expiration : refreshExpiration).sign(encodedSecret);
-  }
-  async function verifyToken(token, expectedType = "access") {
-    try {
-      const { payload } = await jwtVerify(token, encodedSecret);
-      if (payload.type !== expectedType) return null;
-      return payload;
-    } catch (e) {
-      return null;
-    }
-  }
-  async function refresh(refreshToken) {
-    const payload = await verifyToken(refreshToken, "refresh");
-    if (!payload || !payload.sub) {
-      throw new Error("Invalid or expired refresh token");
-    }
-    const user = await adapter.findUserById(payload.sub);
-    if (!user) {
-      throw new Error("User not found");
-    }
-    const accessToken = await generateToken(user, "access");
-    return { accessToken };
-  }
-  async function signup(userData, password) {
-    let dataToSave = { ...userData };
-    if (password) {
-      const passwordWithPepper = pepper ? `${password}${pepper}` : password;
-      dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
-    }
-    const newUser = await adapter.createUser(dataToSave);
-    const accessToken = await generateToken(newUser, "access");
-    const refreshToken = await generateToken(newUser, "refresh");
-    return { user: newUser, accessToken, refreshToken };
-  }
-  async function loginWithPassword(email, password) {
-    const user = await adapter.findUserByEmail(email);
-    const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
-    const targetHash = user?.passwordHash || dummyHash;
-    const passwordWithPepper = pepper ? `${password}${pepper}` : password;
-    const isValid = await argon2.verify(targetHash, passwordWithPepper);
-    if (!user || !user.passwordHash || !isValid) {
-      throw new Error("Invalid credentials");
-    }
-    const accessToken = await generateToken(user, "access");
-    const refreshToken = await generateToken(user, "refresh");
-    return { user, accessToken, refreshToken };
-  }
-  return {
-    signup,
-    loginWithPassword,
-    refresh,
-    verifyToken,
-    generateToken,
-    _providers: providers
-  };
-}
-function generateSecret(length = 32) {
-  return crypto.getRandomValues(new Uint8Array(length));
-}
-export {
-  createAuth,
-  generateSecret
-};
-//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/core/index.ts"],
-  "sourcesContent": ["import * as argon2 from \"argon2\";\nimport { SignJWT, jwtVerify } from \"jose\";\nimport crypto from \"crypto\";\nimport type { AuthAdapter, User } from \"../adapters/index.js\";\nimport type { Provider } from \"../providers/index.js\";\n\nexport interface CreateAuthOptions {\n    adapter: AuthAdapter<any>;\n    secret: string | Uint8Array;\n    pepper?: string;\n    session?: {\n        expires?: string | number; // For access tokens\n        refreshExpires?: string | number; // For refresh tokens\n    };\n    providers?: Provider[];\n    jwt?: {\n        /**\n         * A callback to add custom fields to the JWT payload.\n         * It receives the user object and the token type ('access' or 'refresh').\n         * Return an object containing the fields to be merged into the payload.\n         * You can also override default fields like 'sub'.\n         */\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\n    };\n}\n\nexport function createAuth(options: CreateAuthOptions) {\n    const { adapter, secret, pepper, session, providers } = options;\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\n    const refreshExpiration = session?.refreshExpires || \"7d\";\n\n    /**\n     * Generates a stateless JWT for a user session\n     */\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\n\n        if (options.jwt?.payload) {\n            const customPayload = options.jwt.payload(user, type);\n            payload = { ...payload, ...customPayload };\n        }\n\n        return new SignJWT(payload)\n            .setProtectedHeader({ alg: \"HS256\" })\n            .setIssuedAt()\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\n            .sign(encodedSecret);\n    }\n\n    /**\n     * Verifies a JWT and returns the payload.\n     * Optionally checks for a specific token type (access/refresh).\n     */\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\n        try {\n            const { payload } = await jwtVerify(token, encodedSecret);\n            if (payload.type !== expectedType) return null;\n            return payload;\n        } catch (e) {\n            return null;\n        }\n    }\n\n    /**\n     * Refreshes an access token using a valid refresh token.\n     */\n    async function refresh(refreshToken: string) {\n        const payload = await verifyToken(refreshToken, \"refresh\");\n        if (!payload || !payload.sub) {\n            throw new Error(\"Invalid or expired refresh token\");\n        }\n\n        const user = await adapter.findUserById(payload.sub as string);\n        if (!user) {\n            throw new Error(\"User not found\");\n        }\n\n        const accessToken = await generateToken(user, \"access\");\n        return { accessToken };\n    }\n\n    /**\n     * Signup with a new user payload.\n     * Incorporates server-side pepper for password hashing if provided.\n     */\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\n        let dataToSave = { ...userData };\n\n        if (password) {\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\n        }\n\n        const newUser = await adapter.createUser(dataToSave);\n        const accessToken = await generateToken(newUser, \"access\");\n        const refreshToken = await generateToken(newUser, \"refresh\");\n\n        return { user: newUser, accessToken, refreshToken };\n    }\n\n    /**\n     * Standard Email/Password Login.\n     * Includes timing attack protection and password peppering.\n     */\n    async function loginWithPassword(email: string, password: string) {\n        const user = await adapter.findUserByEmail(email);\n\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\n        // We use a dummy hash to keep execution time consistent.\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\n        const targetHash = user?.passwordHash || dummyHash;\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\n\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\n\n        if (!user || !user.passwordHash || !isValid) {\n            throw new Error(\"Invalid credentials\");\n        }\n\n        const accessToken = await generateToken(user, \"access\");\n        const refreshToken = await generateToken(user, \"refresh\");\n\n        return { user, accessToken, refreshToken };\n    }\n\n    return {\n        signup,\n        loginWithPassword,\n        refresh,\n        verifyToken,\n        generateToken,\n        _providers: providers\n    };\n}\n\n/**\n * Utility to generate a high-entropy cryptographically secure secret.\n * Useful for initializing the 'secret' option in createAuth.\n */\nexport function generateSecret(length: number = 32): Uint8Array {\n    return crypto.getRandomValues(new Uint8Array(length));\n}\n"],
-  "mappings": "AAAA,YAAY,YAAY;AACxB,SAAS,SAAS,iBAAiB;AACnC,OAAO,YAAY;AAwBZ,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,UAAU,IAAI;AACxD,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAKrD,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAEzE,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,QAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAC1C,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB;AAC9D,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,OAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
-  "names": []
-}

package/dist/index.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../src/auth/index.ts"],
-  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapters/index.js\";\nexport { GitHub, Google } from \"./providers/index.js\";\nexport type { Provider, ProviderConfig } from \"./providers/index.js\";\nexport { createAuth, generateSecret } from \"./core/index.js\";\nexport type { CreateAuthOptions } from \"./core/index.js\";\nexport { createMemoryAdapter } from \"./adapters/memory.js\";\nexport { createMongoAdapter } from \"./adapters/mongoose.js\";\nexport * from \"./security/index.js\";\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,uBAA+B;AAE/B,kBAA2C;AAE3C,oBAAoC;AACpC,sBAAmC;AACnC,0BAAc,gCAPd;",
-  "names": []
-}

package/dist/index.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../src/auth/index.ts"],
-  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapters/index.js\";\nexport { GitHub, Google } from \"./providers/index.js\";\nexport type { Provider, ProviderConfig } from \"./providers/index.js\";\nexport { createAuth, generateSecret } from \"./core/index.js\";\nexport type { CreateAuthOptions } from \"./core/index.js\";\nexport { createMemoryAdapter } from \"./adapters/memory.js\";\nexport { createMongoAdapter } from \"./adapters/mongoose.js\";\nexport * from \"./security/index.js\";\n"],
-  "mappings": "AACA,SAAS,QAAQ,cAAc;AAE/B,SAAS,YAAY,sBAAsB;AAE3C,SAAS,2BAA2B;AACpC,SAAS,0BAA0B;AACnC,cAAc;",
-  "names": []
-}

package/dist/providers/index.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/providers/index.ts"],
-  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\n\nexport interface ProviderConfig {\n    clientId: string;\n    clientSecret: string;\n    redirectURI?: string;\n}\n\nexport interface Provider {\n    id: string;\n    handler: any; // `arctic` provider instance\n}\n\nexport function GitHub(config: ProviderConfig): Provider {\n    return {\n        id: \"github\",\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\n    };\n}\n\nexport function Google(config: ProviderConfig): Provider {\n    if (!config.redirectURI) {\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\n    }\n    return {\n        id: \"google\",\n        handler: new ArcticGoogle(\n            config.clientId,\n            config.clientSecret,\n            config.redirectURI\n        ),\n    };\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA+D;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAA,OAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAC;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
-  "names": ["ArcticGitHub", "ArcticGoogle"]
-}

package/dist/providers/index.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/providers/index.ts"],
-  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\n\nexport interface ProviderConfig {\n    clientId: string;\n    clientSecret: string;\n    redirectURI?: string;\n}\n\nexport interface Provider {\n    id: string;\n    handler: any; // `arctic` provider instance\n}\n\nexport function GitHub(config: ProviderConfig): Provider {\n    return {\n        id: \"github\",\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\n    };\n}\n\nexport function Google(config: ProviderConfig): Provider {\n    if (!config.redirectURI) {\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\n    }\n    return {\n        id: \"google\",\n        handler: new ArcticGoogle(\n            config.clientId,\n            config.clientSecret,\n            config.redirectURI\n        ),\n    };\n}\n"],
-  "mappings": "AAAA,SAAS,UAAU,cAAc,UAAU,oBAAoB;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,aAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
-  "names": []
-}

package/dist/security/index.cjs.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/security/index.ts"],
-  "sourcesContent": ["import crypto from \"crypto\";\n\n/**\n * Generates a stateless CSRF token using the double-submit cookie pattern.\n * This is recommended for Express/Kroxt setups using cookies for sessions.\n */\nexport function generateCsrfToken(): string {\n    return crypto.randomBytes(32).toString(\"hex\");\n}\n\n/**\n * Simple middleware-ready check for CSRF tokens.\n * Matches a token from the request body/headers against a cookie.\n */\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\n    if (!tokenInRequest || !tokenInCookie) return false;\n\n    // Constant time comparison\n    try {\n        return crypto.timingSafeEqual(\n            Buffer.from(tokenInRequest),\n            Buffer.from(tokenInCookie)\n        );\n    } catch {\n        return false;\n    }\n}\n\n/**\n * Security Recommendations for Kroxt:\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\n * 2. Use a 'pepper' in createAuth to protect hashes.\n * 3. Implement rate limiting on /login and /register endpoints.\n */\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAmB;AAMZ,SAAS,oBAA4B;AACxC,SAAO,cAAAA,QAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAG9C,MAAI;AACA,WAAO,cAAAA,QAAO;AAAA,MACV,OAAO,KAAK,cAAc;AAAA,MAC1B,OAAO,KAAK,aAAa;AAAA,IAC7B;AAAA,EACJ,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;",
-  "names": ["crypto"]
-}

package/dist/security/index.js

@@ -1,20 +0,0 @@
-import crypto from "crypto";
-function generateCsrfToken() {
-  return crypto.randomBytes(32).toString("hex");
-}
-function verifyCsrf(tokenInRequest, tokenInCookie) {
-  if (!tokenInRequest || !tokenInCookie) return false;
-  try {
-    return crypto.timingSafeEqual(
-      Buffer.from(tokenInRequest),
-      Buffer.from(tokenInCookie)
-    );
-  } catch {
-    return false;
-  }
-}
-export {
-  generateCsrfToken,
-  verifyCsrf
-};
-//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/auth/security/index.ts"],
-  "sourcesContent": ["import crypto from \"crypto\";\n\n/**\n * Generates a stateless CSRF token using the double-submit cookie pattern.\n * This is recommended for Express/Kroxt setups using cookies for sessions.\n */\nexport function generateCsrfToken(): string {\n    return crypto.randomBytes(32).toString(\"hex\");\n}\n\n/**\n * Simple middleware-ready check for CSRF tokens.\n * Matches a token from the request body/headers against a cookie.\n */\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\n    if (!tokenInRequest || !tokenInCookie) return false;\n\n    // Constant time comparison\n    try {\n        return crypto.timingSafeEqual(\n            Buffer.from(tokenInRequest),\n            Buffer.from(tokenInCookie)\n        );\n    } catch {\n        return false;\n    }\n}\n\n/**\n * Security Recommendations for Kroxt:\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\n * 2. Use a 'pepper' in createAuth to protect hashes.\n * 3. Implement rate limiting on /login and /register endpoints.\n */\n"],
-  "mappings": "AAAA,OAAO,YAAY;AAMZ,SAAS,oBAA4B;AACxC,SAAO,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAG9C,MAAI;AACA,WAAO,OAAO;AAAA,MACV,OAAO,KAAK,cAAc;AAAA,MAC1B,OAAO,KAAK,aAAa;AAAA,IAC7B;AAAA,EACJ,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;",
-  "names": []
-}