kroxt 1.3.10 → 1.3.11

package/README.md

@@ -1,231 +1,270 @@
-# Kroxt
-
-**The Most Simplified auth library**
-
-Kroxt is a premium, framework-agnostic, and security-hardened authentication library for modern TypeScript environments. Designed for 100% schema control and "Zero-Config" onboarding.
-
-[![npm version](https://img.shields.io/npm/v/kroxt.svg)](https://www.npmjs.com/package/kroxt)
-[![License: MIT](https://img.shields.io/badge/License-MIT-black.svg)](https://opensource.org/licenses/MIT)
-
----
-
-## ⚡ 30-Second Onboarding
-
-The recommended way to start is the **Kroxt CLI**. It detects your framework (Next.js, Express, Fastify) and scaffolds a professional auth structure automatically.
-
-```bash
-npx kroxt init
-```
-
----
-
-## 🏗️ Core Architecture
-
-Kroxt is "Headless." It provides the **Brain** (Logic, Hashing, JWTs, Security) while you provide the **Face** (UI/Routes). 
-
-### 1. The Configuration Matrix
-Every feature in Kroxt is modular. Toggle security layers with a single boolean.
-
-```typescript
-import { createAuth } from "kroxt";
-import { createMongoAdapter } from "kroxt/adapters/mongoose";
-
-export const auth = createAuth({
-  adapter: createMongoAdapter(UserModel),
-  secret: process.env.JWT_SECRET,
-  
-  // Security Layer 1: Sessions
-  session: {
-    expires: "15m",           // Access Token duration
-    refreshExpires: "7d",     // Refresh Token duration
-    enforceStrictRevocation: true, // DB-lookup on EVERY request (Admin-mode)
-  },
-
-  // Security Layer 2: Defense
-  rateLimit: {
-    max: 100,                 // Requests per window
-    windowMs: 60 * 1000       // 1 Minute window
-  },
-
-  // Security Layer 3: Brute Force
-  ipBlocking: {
-    maxStrikes: 5,            // Ban after 5 failures
-    blockDurationMs: 15 * 60 * 1000 // 15 Min ban
-  },
-
-  // Security Layer 4: Crypto
-  passwordPolicy: {
-    minLength: 8,
-    requireUppercase: true,
-    requireSpecialCharacter: true,
-    usePepper: true           // Requires JWT_PEPPER env variable
-  }
-});
-```
-
----
-
-## 🔌 Universal Adapters
-
-Bring your own schema. Kroxt adapts to you.
-
-### Mongoose (MongoDB)
-```typescript
-import { createMongoAdapter } from "kroxt/adapters/mongoose";
-const adapter = createMongoAdapter(User); 
-```
-
-### Prisma (SQL)
-```typescript
-import { createPrismaAdapter } from "kroxt/adapters/prisma";
-const adapter = createPrismaAdapter(prisma.user);
-```
-
-### Drizzle (SQL)
-```typescript
-import { createDrizzleAdapter } from "kroxt/adapters/drizzle";
-import { eq } from "drizzle-orm";
-const adapter = createDrizzleAdapter(db, users, eq);
-```
-
-### Memory (Testing)
-```typescript
-import { createMemoryAdapter } from "kroxt";
-const adapter = createMemoryAdapter();
-```
-
----
-
-## 🧠 API Reference
-
-### `auth.signup(userData, password)`
-Registers a new user. User data is strictly typed to your schema.
-```typescript
-const { user, accessToken, refreshToken } = await auth.signup({ 
-  email: "dev@kroxt.io",
-  role: "admin" 
-}, "secure_password");
-```
-
-### `auth.loginWithPassword(email, password, clientIp?)`
-Authenticates a user and generates tokens. Pass `clientIp` to enable IP-Blocking.
-```typescript
-const result = await auth.loginWithPassword(email, password, req.ip);
-```
-
-### `auth.refreshSession(refreshToken, clientIp?)`
-Rotates the session. If `enforceStrictRevocation` is on, it validates the token against the user's current password hash.
-```typescript
-const { user, accessToken, refreshToken: newRefresh } = await auth.refreshSession(token);
-```
-
-### `auth.logout(refreshToken)`
-Invalidates a session.
-```typescript
-await auth.logout(refreshToken);
-```
-
-### `auth.changePassword(userId, newPassword)`
-Updates password and **instantly invalidates all other active sessions** globally via Hash-Linked revocation.
-```typescript
-await auth.changePassword(user.id, "new_secure_pass");
-```
-
----
-
-## 🧩 Middleware Implementation
-
-### Express / Fastify
-```typescript
-const protect = async (req, res, next) => {
-  const token = req.headers.authorization?.split(" ")[1];
-  try {
-    const session = await auth.verifyAccessToken(token);
-    req.user = session.user;
-    next();
-  } catch (err) {
-    res.status(401).json({ error: "Unauthorized" });
-  }
-};
-```
-
----
-
-## 🚀 Advanced Deployment
-
-### Custom JWT Payloads
-Inject metadata into your tokens safely.
-```typescript
-jwt: {
-  payload: (user, type) => {
-    return type === "access" ? { role: user.role } : {};
-  }
-}
-```
-
-### Password Peppering
-Kroxt supports server-side peppering to protect against rainbow table attacks even if your database is leaked.
-1. Set `usePepper: true` in config.
-2. Add `JWT_PEPPER` to your `.env`.
-
----
-
-## 🧠 API Reference (Exhaustive)
-
-### `auth.signup()`
-| Argument | Type | Description |
-| --- | --- | --- |
-| `userData` | `Omit<User, "id">` | Your user object without the ID (ID is auto-generated) |
-| `password` | `string` (Optional) | Plain text password. Will be hashed using Argon2 |
-
-### `auth.loginWithPassword()`
-| Argument | Type | Description |
-| --- | --- | --- |
-| `email` | `string` | User email |
-| `password` | `string` | User password |
-| `clientIp` | `string` (Optional) | Required for IP-Blocking defense |
-
-### `auth.changePassword()`
-| Argument | Type | Description |
-| --- | --- | --- |
-| `userId` | `string` | The ID of the user to update |
-| `newPassword` | `string` | The new plain text password |
-
-> [!TIP]
-> **Hash-Linked Revocation**: When you call `changePassword`, all existing refresh tokens for that user are immediately invalidated because they contain a fragment of the old password hash.
-
----
-
-## 🚦 Error Handling
-
-Kroxt throws descriptive errors that you can catch in your controller.
-
-```typescript
-try {
-  await auth.loginWithPassword(email, password, req.ip);
-} catch (err) {
-  if (err.message === "IP is temporarily blocked.") {
-    return res.status(403).send("Banned.");
-  }
-  if (err.message === "Too many requests, please try again later.") {
-    return res.status(429).send("Slow down.");
-  }
-  return res.status(401).send("Invalid Credentials");
-}
-```
-
----
-
-## 🔒 Security Best Practices
-
-1. **Environmental Pepper**: Always use `JWT_PEPPER`. This adds a server-side secret to every password hash. If your database is stolen, your user passwords are still protected by this environment variable.
-2. **Strict Revocation**: Set `enforceStrictRevocation: true` for high-security areas (like admin panels). This forces a database lookup on every single request to ensure the user hasn't been banned or changed their password in the last few seconds.
-3. **Dual Tokens**: Always use the provided `accessToken` for short-term API access and the `refreshToken` (stored in an `HttpOnly` cookie) for session persistence.
-
----
-
-## 🔗 Ecosystem
-- [Kroxt Examples Repository](https://github.com/adepoju-oluwatobi/kroxt-examples)
-
-## 📄 License
-MIT © [Adepoju Oluwatobi](https://github.com/adepoju-oluwatobi)
+# Kroxt
+
+**The Most Simplified auth library**
+
+Kroxt is a premium, framework-agnostic, and security-hardened authentication engine for modern TypeScript environments. Engineered for **Next.js (App Router)**, Express, and Fastify—with 100% schema control and "Zero-Config" onboarding.
+
+[![npm version](https://img.shields.io/npm/v/kroxt.svg)](https://www.npmjs.com/package/kroxt)
+[![Next.js Ready](https://img.shields.io/badge/Next.js-First--Class-black?logo=next.js)](https://nextjs.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+The recommended way to start is the **Kroxt CLI**. It detects your framework (Next.js, Express, Fastify) and scaffolds a professional auth structure automatically.
+
+```bash
+npx kroxt init
+```
+
+---
+
+## 🚀 Next.js First-Class Support
+
+Kroxt is optimized for the Next.js App Router. Use standard **Route Handlers** for high performance and zero overhead.
+
+### 1. Configuration (`lib/kroxt/auth.ts`)
+```typescript
+import { createAuth } from "kroxt";
+import { createMongoAdapter } from "kroxt/adapters/mongoose";
+import { User } from "./models/user.model";
+
+export const auth = createAuth({
+  adapter: createMongoAdapter(User),
+  secret: process.env.JWT_SECRET,
+  session: { enforceStrictRevocation: true } // Real-time security
+});
+```
+
+### 2. Login Route (`app/api/auth/login/route.ts`)
+```typescript
+import { auth } from "@/lib/kroxt/auth";
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(req: NextRequest) {
+  try {
+    const { email, password } = await req.json();
+    const result = await auth.loginWithPassword(email, password, req.ip);
+    
+    return NextResponse.json(result);
+  } catch (error: any) {
+    return NextResponse.json({ error: error.message }, { status: 401 });
+  }
+}
+```
+
+## 🏗️ Core Architecture
+
+Kroxt is "Headless." It provides the **Brain** (Logic, Hashing, JWTs, Security) while you provide the **Face** (UI/Routes). 
+
+### 1. The Configuration Matrix
+Every feature in Kroxt is modular. Toggle security layers with a single boolean.
+
+```typescript
+import { createAuth } from "kroxt";
+import { createMongoAdapter } from "kroxt/adapters/mongoose";
+
+export const auth = createAuth({
+  adapter: createMongoAdapter(UserModel),
+  secret: process.env.JWT_SECRET,
+  
+  // Security Layer 1: Sessions
+  session: {
+    expires: "15m",           // Access Token duration
+    refreshExpires: "7d",     // Refresh Token duration
+    enforceStrictRevocation: true, // DB-lookup on EVERY request (Admin-mode)
+  },
+
+  // Security Layer 2: Defense
+  rateLimit: {
+    max: 100,                 // Requests per window
+    windowMs: 60 * 1000       // 1 Minute window
+  },
+
+  // Security Layer 3: Brute Force
+  ipBlocking: {
+    maxStrikes: 5,            // Ban after 5 failures
+    blockDurationMs: 15 * 60 * 1000 // 15 Min ban
+  },
+
+  // Security Layer 4: Crypto
+  passwordPolicy: {
+    minLength: 8,
+    requireUppercase: true,
+    requireSpecialCharacter: true,
+    usePepper: true           // Requires JWT_PEPPER env variable
+  }
+});
+```
+
+---
+
+## 🔌 Universal Adapters
+
+Bring your own schema. Kroxt adapts to you.
+
+### Mongoose (MongoDB)
+```typescript
+import { createMongoAdapter } from "kroxt/adapters/mongoose";
+const adapter = createMongoAdapter(User); 
+```
+
+### Prisma (SQL)
+```typescript
+import { createPrismaAdapter } from "kroxt/adapters/prisma";
+const adapter = createPrismaAdapter(prisma.user);
+```
+
+### Drizzle (SQL)
+```typescript
+import { createDrizzleAdapter } from "kroxt/adapters/drizzle";
+import { eq } from "drizzle-orm";
+const adapter = createDrizzleAdapter(db, users, eq);
+```
+
+### Memory (Testing)
+```typescript
+import { createMemoryAdapter } from "kroxt";
+const adapter = createMemoryAdapter();
+```
+
+---
+
+## 🧠 API Reference
+
+### `auth.signup(userData, password)`
+Registers a new user. User data is strictly typed to your schema.
+```typescript
+const { user, accessToken, refreshToken } = await auth.signup({ 
+  email: "dev@kroxt.io",
+  role: "admin" 
+}, "secure_password");
+```
+
+### `auth.loginWithPassword(email, password, clientIp?)`
+Authenticates a user and generates tokens. Pass `clientIp` to enable IP-Blocking.
+```typescript
+const result = await auth.loginWithPassword(email, password, req.ip);
+```
+
+### `auth.refreshSession(refreshToken, clientIp?)`
+Rotates the session. If `enforceStrictRevocation` is on, it validates the token against the user's current password hash.
+```typescript
+const { user, accessToken, refreshToken: newRefresh } = await auth.refreshSession(token);
+```
+
+### `auth.logout(userId)`
+Terminates all active sessions for a user globally. This increments the `sessionVersion` in the database, invalidating all current tokens instantly.
+```typescript
+await auth.logout(payload.sub);
+```
+
+### `auth.changePassword(userId, newPassword)`
+Updates password and **instantly invalidates all other active sessions** globally via Hash-Linked revocation.
+```typescript
+await auth.changePassword(payload.sub, "new_secure_pass");
+```
+
+---
+
+## 🧩 Middleware Implementation
+
+### Express / Fastify
+```typescript
+const protect = async (req, res, next) => {
+  const token = req.headers.authorization?.split(" ")[1];
+  try {
+    const session = await auth.verifyAccessToken(token);
+    req.user = session.user;
+    next();
+  } catch (err) {
+    res.status(401).json({ error: "Unauthorized" });
+  }
+};
+```
+
+---
+
+## 🚀 Advanced Deployment
+
+### Custom JWT Payloads
+Inject metadata into your tokens safely.
+```typescript
+jwt: {
+  payload: (user, type) => {
+    return type === "access" ? { role: user.role } : {};
+  }
+}
+```
+
+### Password Peppering
+Kroxt supports server-side peppering to protect against rainbow table attacks even if your database is leaked.
+1. Set `usePepper: true` in config.
+2. Add `JWT_PEPPER` to your `.env`.
+
+---
+
+## 🧠 API Reference (Exhaustive)
+
+### `auth.signup()`
+| Argument | Type | Description |
+| --- | --- | --- |
+| `userData` | `Omit<User, "id">` | Your user object without the ID (ID is auto-generated) |
+| `password` | `string` (Optional) | Plain text password. Will be hashed using Argon2 |
+
+### `auth.loginWithPassword()`
+| Argument | Type | Description |
+| --- | --- | --- |
+| `email` | `string` | User email |
+| `password` | `string` | User password |
+| `clientIp` | `string` (Optional) | Required for IP-Blocking defense |
+
+### `auth.logout()`
+| Argument | Type | Description |
+| --- | --- | --- |
+| `userId` | `string` | The ID of the user whose sessions will be revoked |
+
+> [!IMPORTANT]
+> **Global Session Revocation**: Kroxt uses a `sessionVersion` counter. When `logout` is called, this counter increments in the database. Any token presented with an older version will be rejected during verification if `enforceStrictRevocation` is enabled or during session refreshes.
+
+### `auth.changePassword()`
+| Argument | Type | Description |
+| --- | --- | --- |
+| `userId` | `string` | The ID of the user to update |
+| `newPassword` | `string` | The new plain text password |
+
+> [!TIP]
+> **Hash-Linked Revocation**: When you call `changePassword`, all existing refresh tokens for that user are immediately invalidated because they contain a fragment of the old password hash (`pw_frag`).
+
+---
+
+## 🚦 Error Handling
+
+Kroxt throws descriptive errors that you can catch in your controller.
+
+```typescript
+try {
+  await auth.loginWithPassword(email, password, req.ip);
+} catch (err) {
+  if (err.message === "IP is temporarily blocked.") {
+    return res.status(403).send("Banned.");
+  }
+  if (err.message === "Too many requests, please try again later.") {
+    return res.status(429).send("Slow down.");
+  }
+  return res.status(401).send("Invalid Credentials");
+}
+```
+
+---
+
+## 🔒 Security Best Practices
+
+1. **Environmental Pepper**: Always use `JWT_PEPPER`. This adds a server-side secret to every password hash. If your database is stolen, your user passwords are still protected by this environment variable.
+2. **Strict Revocation**: Set `enforceStrictRevocation: true` for high-security areas (like admin panels). This forces a database lookup on every single request to ensure the user hasn't been banned or changed their password in the last few seconds.
+3. **Dual Tokens**: Always use the provided `accessToken` for short-term API access and the `refreshToken` (stored in an `HttpOnly` cookie) for session persistence.
+
+---
+
+## 🔗 Ecosystem
+- [Kroxt Examples Repository](https://github.com/adepoju-oluwatobi/kroxt-examples)
+
+## 📄 License
+MIT © [Adepoju Oluwatobi](https://github.com/adepoju-oluwatobi)

package/dist/auth/adapters/drizzle.cjs

@@ -45,6 +45,11 @@ function createDrizzleAdapter(db, table, eq, rateLimitTable) {
         oauthProvider: provider,
         oauthId: providerId
       }).where(eq(table.id, userId));
+    },
+    async invalidateSession(userId) {
+      await db.update(table).set({
+        sessionVersion: (table.sessionVersion || 0) + 1
+      }).where(eq(table.id, userId));
     }
   };
   if (rateLimitTable) {

package/dist/auth/adapters/drizzle.cjs.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/auth/adapters/drizzle.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Drizzle ORM adapter.\r\n * \r\n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\r\n * by using the standard drizzle-orm `db` instance and table definition.\r\n * \r\n * @param db - The Drizzle database instance.\r\n * @param table - The Drizzle table representing users.\r\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\r\n * @param rateLimitTable - Optional Drizzle table for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createDrizzleAdapter<TUser extends User = User>(\r\n  db: any,\r\n  table: any,\r\n  eq: any,\r\n  rateLimitTable?: any\r\n): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const results = await db.insert(table).values(dataToSave).returning();\r\n      return results[0] as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const results = await db.update(table).set(data).where(eq(table.id, id)).returning();\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n  };\r\n\r\n  if (rateLimitTable) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const resetTime = now + windowMs;\r\n      \r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          if (record) {\r\n              await db.update(rateLimitTable).set({ count: 1, resetTime }).where(eq(rateLimitTable.key, key));\r\n          } else {\r\n              await db.insert(rateLimitTable).values({ key, count: 1, resetTime });\r\n          }\r\n          return { count: 1, resetTime };\r\n      } else {\r\n          await db.update(rateLimitTable).set({ count: record.count + 1 }).where(eq(rateLimitTable.key, key));\r\n          return { count: record.count + 1, resetTime: record.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAcO,SAAS,qBACd,IACA,OACA,IACA,gBACoB;AACpB,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,IAAI,IAAI,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,UAAU;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,YAAY,MAAM;AAExB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AAEtB,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAI,QAAQ;AACR,gBAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAAA,QAClG,OAAO;AACH,gBAAM,GAAG,OAAO,cAAc,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,UAAU,CAAC;AAAA,QACvE;AACA,eAAO,EAAE,OAAO,GAAG,UAAU;AAAA,MACjC,OAAO;AACH,cAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,OAAO,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAClG,eAAO,EAAE,OAAO,OAAO,QAAQ,GAAG,WAAW,OAAO,UAAU;AAAA,MAClE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AACtB,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Drizzle ORM adapter.\r\n * \r\n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\r\n * by using the standard drizzle-orm `db` instance and table definition.\r\n * \r\n * @param db - The Drizzle database instance.\r\n * @param table - The Drizzle table representing users.\r\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\r\n * @param rateLimitTable - Optional Drizzle table for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createDrizzleAdapter<TUser extends User = User>(\r\n  db: any,\r\n  table: any,\r\n  eq: any,\r\n  rateLimitTable?: any\r\n): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const results = await db.insert(table).values(dataToSave).returning();\r\n      return results[0] as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const results = await db.update(table).set(data).where(eq(table.id, id)).returning();\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n\r\n    async invalidateSession(userId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          sessionVersion: (table.sessionVersion || 0) + 1,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n  };\r\n\r\n  if (rateLimitTable) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const resetTime = now + windowMs;\r\n      \r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          if (record) {\r\n              await db.update(rateLimitTable).set({ count: 1, resetTime }).where(eq(rateLimitTable.key, key));\r\n          } else {\r\n              await db.insert(rateLimitTable).values({ key, count: 1, resetTime });\r\n          }\r\n          return { count: 1, resetTime };\r\n      } else {\r\n          await db.update(rateLimitTable).set({ count: record.count + 1 }).where(eq(rateLimitTable.key, key));\r\n          return { count: record.count + 1, resetTime: record.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAcO,SAAS,qBACd,IACA,OACA,IACA,gBACoB;AACpB,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,IAAI,IAAI,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,UAAU;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,IAEA,MAAM,kBAAkB,QAAgB;AACtC,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,iBAAiB,MAAM,kBAAkB,KAAK;AAAA,MAChD,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,YAAY,MAAM;AAExB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AAEtB,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAI,QAAQ;AACR,gBAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAAA,QAClG,OAAO;AACH,gBAAM,GAAG,OAAO,cAAc,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,UAAU,CAAC;AAAA,QACvE;AACA,eAAO,EAAE,OAAO,GAAG,UAAU;AAAA,MACjC,OAAO;AACH,cAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,OAAO,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAClG,eAAO,EAAE,OAAO,OAAO,QAAQ,GAAG,WAAW,OAAO,UAAU;AAAA,MAClE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AACtB,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
   "names": []
 }

package/dist/auth/adapters/drizzle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"drizzle.d.ts","sourceRoot":"","sources":["../../../src/auth/adapters/drizzle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEpD;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,SAAS,IAAI,GAAG,IAAI,EAC5D,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,GAAG,EACV,EAAE,EAAE,GAAG,EACP,cAAc,CAAC,EAAE,GAAG,GACnB,WAAW,CAAC,KAAK,CAAC,CAgEpB"}
+{"version":3,"file":"drizzle.d.ts","sourceRoot":"","sources":["../../../src/auth/adapters/drizzle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEpD;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,SAAS,IAAI,GAAG,IAAI,EAC5D,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,GAAG,EACV,EAAE,EAAE,GAAG,EACP,cAAc,CAAC,EAAE,GAAG,GACnB,WAAW,CAAC,KAAK,CAAC,CAwEpB"}

package/dist/auth/adapters/drizzle.js

@@ -22,6 +22,11 @@ function createDrizzleAdapter(db, table, eq, rateLimitTable) {
         oauthProvider: provider,
         oauthId: providerId
       }).where(eq(table.id, userId));
+    },
+    async invalidateSession(userId) {
+      await db.update(table).set({
+        sessionVersion: (table.sessionVersion || 0) + 1
+      }).where(eq(table.id, userId));
     }
   };
   if (rateLimitTable) {

package/dist/auth/adapters/drizzle.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/auth/adapters/drizzle.ts"],
-  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Drizzle ORM adapter.\r\n * \r\n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\r\n * by using the standard drizzle-orm `db` instance and table definition.\r\n * \r\n * @param db - The Drizzle database instance.\r\n * @param table - The Drizzle table representing users.\r\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\r\n * @param rateLimitTable - Optional Drizzle table for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createDrizzleAdapter<TUser extends User = User>(\r\n  db: any,\r\n  table: any,\r\n  eq: any,\r\n  rateLimitTable?: any\r\n): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const results = await db.insert(table).values(dataToSave).returning();\r\n      return results[0] as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const results = await db.update(table).set(data).where(eq(table.id, id)).returning();\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n  };\r\n\r\n  if (rateLimitTable) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const resetTime = now + windowMs;\r\n      \r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          if (record) {\r\n              await db.update(rateLimitTable).set({ count: 1, resetTime }).where(eq(rateLimitTable.key, key));\r\n          } else {\r\n              await db.insert(rateLimitTable).values({ key, count: 1, resetTime });\r\n          }\r\n          return { count: 1, resetTime };\r\n      } else {\r\n          await db.update(rateLimitTable).set({ count: record.count + 1 }).where(eq(rateLimitTable.key, key));\r\n          return { count: record.count + 1, resetTime: record.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
-  "mappings": "AAcO,SAAS,qBACd,IACA,OACA,IACA,gBACoB;AACpB,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,IAAI,IAAI,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,UAAU;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,YAAY,MAAM;AAExB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AAEtB,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAI,QAAQ;AACR,gBAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAAA,QAClG,OAAO;AACH,gBAAM,GAAG,OAAO,cAAc,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,UAAU,CAAC;AAAA,QACvE;AACA,eAAO,EAAE,OAAO,GAAG,UAAU;AAAA,MACjC,OAAO;AACH,cAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,OAAO,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAClG,eAAO,EAAE,OAAO,OAAO,QAAQ,GAAG,WAAW,OAAO,UAAU;AAAA,MAClE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AACtB,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
+  "sourcesContent": ["import type { AuthAdapter, User } from \"./index.js\";\r\n\r\n/**\r\n * Creates a Drizzle ORM adapter.\r\n * \r\n * Works with any Drizzle-supported database (PostgreSQL, MySQL, SQLite)\r\n * by using the standard drizzle-orm `db` instance and table definition.\r\n * \r\n * @param db - The Drizzle database instance.\r\n * @param table - The Drizzle table representing users.\r\n * @param eq - The Drizzle `eq` operator (imported from `drizzle-orm`).\r\n * @param rateLimitTable - Optional Drizzle table for rate limiting tracking.\r\n * @returns An AuthAdapter compliant object.\r\n */\r\nexport function createDrizzleAdapter<TUser extends User = User>(\r\n  db: any,\r\n  table: any,\r\n  eq: any,\r\n  rateLimitTable?: any\r\n): AuthAdapter<TUser> {\r\n  const adapter: AuthAdapter<TUser> = {\r\n    async createUser(data: any) {\r\n      const dataToSave = { id: data.id || globalThis.crypto.randomUUID(), ...data };\r\n      const results = await db.insert(table).values(dataToSave).returning();\r\n      return results[0] as TUser;\r\n    },\r\n\r\n    async findUserByEmail(email: string) {\r\n      const results = await db.select().from(table).where(eq(table.email, email)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async findUserById(id: string) {\r\n      const results = await db.select().from(table).where(eq(table.id, id)).limit(1);\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async updateUser(id: string, data: Partial<TUser>) {\r\n      const results = await db.update(table).set(data).where(eq(table.id, id)).returning();\r\n      return (results[0] || null) as TUser | null;\r\n    },\r\n\r\n    async linkOAuthAccount(userId: string, provider: string, providerId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          oauthProvider: provider,\r\n          oauthId: providerId,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n\r\n    async invalidateSession(userId: string) {\r\n      await db.update(table)\r\n        .set({\r\n          sessionVersion: (table.sessionVersion || 0) + 1,\r\n        })\r\n        .where(eq(table.id, userId));\r\n    },\r\n  };\r\n\r\n  if (rateLimitTable) {\r\n    adapter.incrementRateLimit = async (key: string, windowMs: number) => {\r\n      const now = Date.now();\r\n      const resetTime = now + windowMs;\r\n      \r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      \r\n      if (!record || now > record.resetTime) {\r\n          if (record) {\r\n              await db.update(rateLimitTable).set({ count: 1, resetTime }).where(eq(rateLimitTable.key, key));\r\n          } else {\r\n              await db.insert(rateLimitTable).values({ key, count: 1, resetTime });\r\n          }\r\n          return { count: 1, resetTime };\r\n      } else {\r\n          await db.update(rateLimitTable).set({ count: record.count + 1 }).where(eq(rateLimitTable.key, key));\r\n          return { count: record.count + 1, resetTime: record.resetTime };\r\n      }\r\n    };\r\n\r\n    adapter.getRateLimit = async (key: string) => {\r\n      const now = Date.now();\r\n      let records = await db.select().from(rateLimitTable).where(eq(rateLimitTable.key, key)).limit(1);\r\n      let record = records[0];\r\n      if (!record || now > record.resetTime) return null;\r\n      return { count: record.count, resetTime: record.resetTime };\r\n    };\r\n  }\r\n\r\n  return adapter;\r\n}\r\n"],
+  "mappings": "AAcO,SAAS,qBACd,IACA,OACA,IACA,gBACoB;AACpB,QAAM,UAA8B;AAAA,IAClC,MAAM,WAAW,MAAW;AAC1B,YAAM,aAAa,EAAE,IAAI,KAAK,MAAM,WAAW,OAAO,WAAW,GAAG,GAAG,KAAK;AAC5E,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,OAAO,UAAU,EAAE,UAAU;AACpE,aAAO,QAAQ,CAAC;AAAA,IAClB;AAAA,IAEA,MAAM,gBAAgB,OAAe;AACnC,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,aAAa,IAAY;AAC7B,YAAM,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,MAAM,CAAC;AAC7E,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,WAAW,IAAY,MAAsB;AACjD,YAAM,UAAU,MAAM,GAAG,OAAO,KAAK,EAAE,IAAI,IAAI,EAAE,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC,EAAE,UAAU;AACnF,aAAQ,QAAQ,CAAC,KAAK;AAAA,IACxB;AAAA,IAEA,MAAM,iBAAiB,QAAgB,UAAkB,YAAoB;AAC3E,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,eAAe;AAAA,QACf,SAAS;AAAA,MACX,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,IAEA,MAAM,kBAAkB,QAAgB;AACtC,YAAM,GAAG,OAAO,KAAK,EAClB,IAAI;AAAA,QACH,iBAAiB,MAAM,kBAAkB,KAAK;AAAA,MAChD,CAAC,EACA,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,qBAAqB,OAAO,KAAa,aAAqB;AACpE,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,YAAY,MAAM;AAExB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AAEtB,UAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAI,QAAQ;AACR,gBAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAAA,QAClG,OAAO;AACH,gBAAM,GAAG,OAAO,cAAc,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,UAAU,CAAC;AAAA,QACvE;AACA,eAAO,EAAE,OAAO,GAAG,UAAU;AAAA,MACjC,OAAO;AACH,cAAM,GAAG,OAAO,cAAc,EAAE,IAAI,EAAE,OAAO,OAAO,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC;AAClG,eAAO,EAAE,OAAO,OAAO,QAAQ,GAAG,WAAW,OAAO,UAAU;AAAA,MAClE;AAAA,IACF;AAEA,YAAQ,eAAe,OAAO,QAAgB;AAC5C,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,MAAM,GAAG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,GAAG,eAAe,KAAK,GAAG,CAAC,EAAE,MAAM,CAAC;AAC/F,UAAI,SAAS,QAAQ,CAAC;AACtB,UAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,aAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAO,UAAU;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AACT;",
   "names": []
 }

package/dist/auth/adapters/index.cjs.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/auth/adapters/index.ts"],
-  "sourcesContent": ["export interface BaseUser {\r\n  id: string;\r\n  email: string;\r\n  passwordHash?: string;\r\n  role?: string;\r\n}\r\n\r\n// Allows any extended fields natively (like nin, bvn, maritalStatus, etc.)\r\nexport type User<TExtended = Record<string, any>> = BaseUser & TExtended;\r\n\r\nexport interface AuthAdapter<TUser = User> {\r\n  createUser: (data: any) => Promise<TUser>;\r\n  findUserByEmail: (email: string) => Promise<TUser | null>;\r\n  findUserById: (id: string) => Promise<TUser | null>;\r\n  updateUser?: (id: string, data: Partial<TUser>) => Promise<TUser | null>;\r\n  linkOAuthAccount: (userId: string, provider: string, providerId: string) => Promise<void>;\r\n  incrementRateLimit?: (key: string, windowMs: number) => Promise<{ count: number; resetTime: number }>;\r\n  getRateLimit?: (key: string) => Promise<{ count: number; resetTime: number } | null>;\r\n}\r\n"],
+  "sourcesContent": ["export interface BaseUser {\r\n  id: string;\r\n  email: string;\r\n  passwordHash?: string;\r\n  role?: string;\r\n  sessionVersion?: number;\r\n}\r\n\r\n// Allows any extended fields natively (like nin, bvn, maritalStatus, etc.)\r\nexport type User<TExtended = Record<string, any>> = BaseUser & TExtended;\r\n\r\nexport interface AuthAdapter<TUser = User> {\r\n  createUser: (data: any) => Promise<TUser>;\r\n  findUserByEmail: (email: string) => Promise<TUser | null>;\r\n  findUserById: (id: string) => Promise<TUser | null>;\r\n  updateUser?: (id: string, data: Partial<TUser>) => Promise<TUser | null>;\r\n  linkOAuthAccount: (userId: string, provider: string, providerId: string) => Promise<void>;\r\n  incrementRateLimit?: (key: string, windowMs: number) => Promise<{ count: number; resetTime: number }>;\r\n  getRateLimit?: (key: string) => Promise<{ count: number; resetTime: number } | null>;\r\n  invalidateSession?: (userId: string) => Promise<void>;\r\n}\r\n"],
   "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;",
   "names": []
 }

package/dist/auth/adapters/index.d.ts

@@ -3,6 +3,7 @@ export interface BaseUser {
     email: string;
     passwordHash?: string;
     role?: string;
+    sessionVersion?: number;
 }
 export type User<TExtended = Record<string, any>> = BaseUser & TExtended;
 export interface AuthAdapter<TUser = User> {
@@ -19,5 +20,6 @@ export interface AuthAdapter<TUser = User> {
         count: number;
         resetTime: number;
     } | null>;
+    invalidateSession?: (userId: string) => Promise<void>;
 }
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/adapters/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/adapters/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,MAAM,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,QAAQ,GAAG,SAAS,CAAC;AAEzE,MAAM,WAAW,WAAW,CAAC,KAAK,GAAG,IAAI;IACvC,UAAU,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1C,eAAe,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAC1D,YAAY,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACpD,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACzE,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1F,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtG,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACtF"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/adapters/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAGD,MAAM,MAAM,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,QAAQ,GAAG,SAAS,CAAC;AAEzE,MAAM,WAAW,WAAW,CAAC,KAAK,GAAG,IAAI;IACvC,UAAU,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1C,eAAe,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAC1D,YAAY,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACpD,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACzE,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1F,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtG,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IACrF,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvD"}