limen-auth 0.0.0 → 0.0.1

package/dist/index-C6atwjEq.d.mts

@@ -1,65 +0,0 @@
-import { E as Session, F as RouteDescriptor, n as ClientPlugin } from "./define-plugin-Dv0xXIaH.mjs";
-
-//#region src/plugins/two-factor/types.d.ts
-type TwoFactorConfig = {
-  /** Called when sign-in requires a two-factor challenge. */onTwoFactorRedirect: () => void;
-};
-type VerifyInput = {
-  code: string;
-  method?: TwoFactorMethod;
-};
-type InitiateSetupInput = {
-  password: string;
-};
-type FinalizeSetupInput = {
-  code: string;
-};
-type DisableTwoFactorInput = {
-  password: string;
-};
-type SendOTPInput = {
-  email: string;
-};
-type TwoFactorSetupURI = {
-  uri: string;
-};
-type TwoFactorMethod = "totp" | "otp";
-//#endregion
-//#region src/plugins/two-factor/index.d.ts
-declare function twoFactorPlugin<TFields = unknown>(config: TwoFactorConfig): ClientPlugin<"two-factor", "/two-factor", [RouteDescriptor<InitiateSetupInput, TwoFactorSetupURI, {
-  readonly method: "POST";
-  readonly path: "/initiate-setup";
-}>, RouteDescriptor<FinalizeSetupInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/finalize-setup";
-  readonly parseSession: true;
-}>, RouteDescriptor<DisableTwoFactorInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/disable";
-  readonly parseSession: true;
-}>, RouteDescriptor<VerifyInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/verify";
-  readonly parseSession: true;
-}>, RouteDescriptor<void, TwoFactorSetupURI, {
-  readonly method: "GET";
-  readonly path: "/totp/uri";
-  readonly as: "twoFactor.getTotpUri";
-}>, RouteDescriptor<void, string[], {
-  readonly method: "GET";
-  readonly path: "/backup-codes";
-  readonly as: "twoFactor.getBackupCodes";
-}>, RouteDescriptor<void, string[], {
-  readonly method: "PUT";
-  readonly path: "/backup-codes";
-  readonly as: "twoFactor.regenerateBackupCodes";
-}>, RouteDescriptor<SendOTPInput, {
-  message: string;
-}, {
-  readonly method: "POST";
-  readonly path: "/otp/send";
-  readonly as: "twoFactor.sendOTP";
-}>], Record<never, never>>;
-//#endregion
-export { SendOTPInput as a, TwoFactorSetupURI as c, InitiateSetupInput as i, VerifyInput as l, DisableTwoFactorInput as n, TwoFactorConfig as o, FinalizeSetupInput as r, TwoFactorMethod as s, twoFactorPlugin as t };
-//# sourceMappingURL=index-C6atwjEq.d.mts.map

package/dist/index-C6atwjEq.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-C6atwjEq.d.mts","names":[],"sources":["../src/plugins/two-factor/types.ts","../src/plugins/two-factor/index.ts"],"mappings":";;;KAAY,eAAA;6DAEV,mBAAmB;AAAA;AAAA,KAGT,WAAA;EACV,IAAA;EACA,MAAA,GAAS,eAAe;AAAA;AAAA,KAGd,kBAAA;EACV,QAAQ;AAAA;AAAA,KAGE,kBAAA;EACV,IAAI;AAAA;AAAA,KAGM,qBAAA;EACV,QAAQ;AAAA;AAAA,KAGE,YAAA;EACV,KAAK;AAAA;AAAA,KAGK,iBAAA;EACV,GAAG;AAAA;AAAA,KAGO,eAAA;;;iBCjBI,eAAA,oBAAmC,MAAA,EAAQ,eAAA,8CAAe,eAAA,CAAA,kBAAA,EAAA,iBAAA;EAAA"}

package/dist/index-C9EuA9UZ.d.mts

@@ -1,32 +0,0 @@
-import { E as Session, F as RouteDescriptor, n as ClientPlugin } from "./define-plugin-Dv0xXIaH.mjs";
-import { c as BearerTokens, o as BearerPluginConfig } from "./index-B8SpHkSd.mjs";
-//#region src/plugins/session-jwt/types.d.ts
-type SessionJwtTokens = BearerTokens;
-type SessionJwtPluginConfig = BearerPluginConfig & {
-  /** Refresh once the access token is within this many seconds of expiry. Default 30. */expirySkewSeconds?: number;
-};
-type RefreshInput = {
-  refreshToken: string;
-};
-//#endregion
-//#region src/plugins/session-jwt/index.d.ts
-declare function sessionJwtPlugin<TFields = unknown>(config?: SessionJwtPluginConfig): ClientPlugin<"session-jwt", "", [RouteDescriptor<RefreshInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/refresh";
-  readonly parseSession: true;
-  readonly expose: false;
-}>], {
-  sessionJwt: {
-    /**
-     * Get the current access token. If the token is expiring, refresh it.
-     * @returns The current access token or null if no token is found.
-     */
-    getAccessToken: () => Promise<string | null>;
-    refresh: () => Promise<SessionJwtTokens>;
-    getTokens: () => BearerTokens | null;
-    clear: () => void;
-  };
-}>;
-//#endregion
-export { SessionJwtPluginConfig as n, SessionJwtTokens as r, sessionJwtPlugin as t };
-//# sourceMappingURL=index-C9EuA9UZ.d.mts.map

package/dist/index-C9EuA9UZ.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-C9EuA9UZ.d.mts","names":[],"sources":["../src/plugins/session-jwt/types.ts","../src/plugins/session-jwt/index.ts"],"mappings":";;;KAEY,gBAAA,GAAmB,YAAY;AAAA,KAE/B,sBAAA,GAAyB,kBAAkB;yFAErD,iBAAiB;AAAA;AAAA,KAGP,YAAA;EAAiB,YAAY;AAAA;;;iBCEzB,gBAAA,oBAAoC,MAAA,GAAQ,sBAAA,oCAA2B,eAAA,CAAA,YAAA,EAAA,OAAA,CAAA,OAAA;EAAA;;;;;;IDT3D;;;AAAe;0BCoDR,OAAA;mBATb,OAAA,CAAQ,gBAAA;qBAAD,YAAA"}

package/dist/index-Cgr2wHmM.d.mts

@@ -1,87 +0,0 @@
-import { E as Session, F as RouteDescriptor, n as ClientPlugin } from "./define-plugin-Dv0xXIaH.mjs";
-
-//#region src/plugins/credential/types.d.ts
-type SignInCredentialInput = {
-  /** Email or username, depending on what the server enables. */credential: string;
-  password: string; /** When true (default), issues a long-lived session. */
-  rememberMe?: boolean;
-};
-type SignUpCredentialInput = {
-  email: string;
-  password: string; /** Required when username-on-signup is enabled. */
-  username?: string; /** Optional profile fields the server records on the user. */
-  firstname?: string;
-  lastname?: string; /** Extra fields recorded on the user at registration. */
-  additionalFields?: Record<string, unknown>;
-};
-type ChangePasswordInput = {
-  currentPassword: string;
-  newPassword: string; /** Invalidate other sessions on success. Defaults to true. */
-  revokeOtherSessions?: boolean;
-};
-type SetPasswordInput = {
-  newPassword: string;
-  revokeOtherSessions?: boolean;
-};
-type RequestPasswordResetInput = {
-  email: string;
-};
-type ResetPasswordInput = {
-  token: string;
-  newPassword: string;
-};
-type CheckUsernameInput = {
-  username: string;
-};
-//#endregion
-//#region src/plugins/credential/index.d.ts
-declare function credentialPasswordPlugin<TFields = unknown>(): ClientPlugin<"credential-password", "/", [RouteDescriptor<SignInCredentialInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/signin/credential";
-  readonly parseSession: true;
-  readonly as: "signIn.credential";
-  readonly defaults: {
-    readonly rememberMe: true;
-  };
-}>, RouteDescriptor<SignUpCredentialInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/signup/credential";
-  readonly parseSession: true;
-  readonly as: "signUp.credential";
-}>, RouteDescriptor<RequestPasswordResetInput, {
-  message: string;
-}, {
-  readonly method: "POST";
-  readonly path: "/passwords/request-reset";
-  readonly as: "password.requestReset";
-}>, RouteDescriptor<ResetPasswordInput, {
-  message: string;
-}, {
-  readonly method: "POST";
-  readonly path: "/passwords/reset";
-  readonly as: "password.reset";
-}>, RouteDescriptor<ChangePasswordInput, Session<TFields>, {
-  readonly method: "POST";
-  readonly path: "/passwords/change";
-  readonly parseSession: true;
-  readonly defaults: {
-    readonly revokeOtherSessions: true;
-  };
-  readonly as: "password.change";
-}>, RouteDescriptor<SetPasswordInput, Session<TFields>, {
-  readonly method: "PUT";
-  readonly path: "/passwords";
-  readonly as: "password.set";
-  readonly parseSession: true;
-  readonly defaults: {
-    readonly revokeOtherSessions: true;
-  };
-}>, RouteDescriptor<CheckUsernameInput, boolean, {
-  readonly method: "POST";
-  readonly path: "/usernames/check";
-  readonly parse: (raw: unknown) => boolean;
-  readonly as: "username.checkAvailability";
-}>], Record<never, never>>;
-//#endregion
-export { ResetPasswordInput as a, SignUpCredentialInput as c, RequestPasswordResetInput as i, ChangePasswordInput as n, SetPasswordInput as o, CheckUsernameInput as r, SignInCredentialInput as s, credentialPasswordPlugin as t };
-//# sourceMappingURL=index-Cgr2wHmM.d.mts.map

package/dist/index-Cgr2wHmM.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-Cgr2wHmM.d.mts","names":[],"sources":["../src/plugins/credential/types.ts","../src/plugins/credential/index.ts"],"mappings":";;;KAAY,qBAAA;iEAEV,UAAA;EACA,QAAA,UAH+B;EAK/B,UAAA;AAAA;AAAA,KAGU,qBAAA;EACV,KAAA;EACA,QAAA,UALU;EAOV,QAAA,WAJU;EAMV,SAAA;EACA,QAAA,WAEyB;EAAzB,gBAAA,GAAmB,MAAM;AAAA;AAAA,KAGf,mBAAA;EACV,eAAA;EACA,WAAA,UALA;EAOA,mBAAA;AAAA;AAAA,KAGU,gBAAA;EACV,WAAA;EACA,mBAAmB;AAAA;AAAA,KAGT,yBAAA;EACV,KAAK;AAAA;AAAA,KAGK,kBAAA;EACV,KAAA;EACA,WAAW;AAAA;AAAA,KAGD,kBAAA;EACV,QAAQ;AAAA;;;iBC7BM,wBAAA,iEAA0C,eAAA,CAAA,qBAAA,EAAA,OAAA,CAAA,OAAA;EAAA"}

package/dist/index-DV6YcNSu.d.mts

@@ -1,81 +0,0 @@
-import { F as RouteDescriptor, I as RouteHandler, n as ClientPlugin } from "./define-plugin-Dv0xXIaH.mjs";
-import { n as camelizeKeys } from "./helpers-CvmKjWi2.mjs";
-
-//#region src/plugins/oauth/types.d.ts
-type OAuthAuthorizeQuery = {
-  /** Where the server redirects the browser after a successful callback. */redirectUri?: string; /** Where the server redirects on a failed callback. Falls back to `redirectUri`. */
-  errorRedirectUri?: string;
-};
-type SignInOAuthInput = OAuthAuthorizeQuery & {
-  /** Provider id, e.g. `"google"` or `"github"`. */provider: string;
-  /**
-   * When true, skip auto-navigation and only resolve with the authorization
-   * URL — the caller is responsible for navigating the browser.
-   */
-  disableRedirect?: boolean;
-};
-type LinkOAuthInput = SignInOAuthInput;
-type OAuthAuthorizeResult = {
-  /** Provider authorization URL. */url: string; /** Whether the SDK navigated to `url`. */
-  redirect: boolean;
-};
-type OAuthAccount = {
-  provider: string;
-  providerAccountId: string;
-  scopes: string[];
-  accessTokenExpiresAt?: string;
-  createdAt: string;
-  updatedAt: string;
-};
-type OAuthTokens = {
-  accessToken: string;
-  refreshToken?: string;
-  idToken?: string;
-  accessTokenExpiresAt?: string;
-  scope?: string;
-};
-//#endregion
-//#region src/plugins/oauth/index.d.ts
-declare function oauthClientPlugin(): ClientPlugin<"oauth", "/oauth", [RouteDescriptor<SignInOAuthInput, OAuthAuthorizeResult, {
-  readonly method: "GET";
-  readonly path: "/:provider/authorize";
-  readonly as: "signIn.social";
-  readonly params: readonly ["provider"];
-  readonly handler: RouteHandler<SignInOAuthInput, OAuthAuthorizeResult>;
-}>, RouteDescriptor<SignInOAuthInput, OAuthAuthorizeResult, {
-  readonly method: "GET";
-  readonly path: "/:provider/link";
-  readonly as: "social.link";
-  readonly params: readonly ["provider"];
-  readonly handler: RouteHandler<SignInOAuthInput, OAuthAuthorizeResult>;
-}>, RouteDescriptor<{
-  provider: string;
-}, void, {
-  readonly method: "DELETE";
-  readonly path: "/:provider/unlink";
-  readonly as: "social.unlink";
-  readonly params: readonly ["provider"];
-}>, RouteDescriptor<void, OAuthAccount[], {
-  readonly method: "GET";
-  readonly path: "/accounts";
-  readonly as: "social.accounts";
-}>, RouteDescriptor<{
-  provider: string;
-}, OAuthTokens, {
-  readonly method: "GET";
-  readonly path: "/:provider/tokens";
-  readonly as: "social.tokens";
-  readonly params: readonly ["provider"];
-  readonly parse: typeof camelizeKeys;
-}>, RouteDescriptor<{
-  provider: string;
-}, OAuthTokens, {
-  readonly method: "POST";
-  readonly path: "/:provider/tokens/refresh";
-  readonly as: "social.refreshTokens";
-  readonly params: readonly ["provider"];
-  readonly parse: typeof camelizeKeys;
-}>], Record<never, never>>;
-//#endregion
-export { OAuthAuthorizeResult as a, OAuthAuthorizeQuery as i, LinkOAuthInput as n, OAuthTokens as o, OAuthAccount as r, SignInOAuthInput as s, oauthClientPlugin as t };
-//# sourceMappingURL=index-DV6YcNSu.d.mts.map

package/dist/index-DV6YcNSu.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-DV6YcNSu.d.mts","names":[],"sources":["../src/plugins/oauth/types.ts","../src/plugins/oauth/index.ts"],"mappings":";;;;KAAY,mBAAA;4EAEV,WAAA;EAEA,gBAAgB;AAAA;AAAA,KAGN,gBAAA,GAAmB,mBAAmB;EALhD,kDAOA,QAAA;EAFU;;;;EAOV,eAAA;AAAA;AAAA,KAGU,cAAA,GAAiB,gBAAgB;AAAA,KAEjC,oBAAA;EALK,kCAOf,GAAA,UAJwB;EAMxB,QAAQ;AAAA;AAAA,KAGE,YAAA;EACV,QAAA;EACA,iBAAA;EACA,MAAA;EACA,oBAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,KAGU,WAAA;EACV,WAAA;EACA,YAAA;EACA,OAAA;EACA,oBAAA;EACA,KAAA;AAAA;;;iBC7Bc,iBAAA,qDAAiB,gBAAA,EAAA,oBAAA;EAAA"}

package/dist/index-dEksIImj.d.mts

@@ -1,28 +0,0 @@
-import { E as Session, F as RouteDescriptor, n as ClientPlugin } from "./define-plugin-Dv0xXIaH.mjs";
-
-//#region src/plugins/magic-link/types.d.ts
-type RequestMagicLinkInput = {
-  email: string;
-  redirectUri?: string;
-  newUserRedirectUri?: string;
-  errorRedirectUri?: string;
-  meta?: Record<string, unknown>;
-};
-type VerifyMagicLinkInput = {
-  token: string;
-};
-//#endregion
-//#region src/plugins/magic-link/index.d.ts
-declare function magicLinkPlugin<TFields = unknown>(): ClientPlugin<"magic-link", "/magic-link", [RouteDescriptor<RequestMagicLinkInput, {
-  message: string;
-}, {
-  readonly method: "POST";
-  readonly path: "/signin";
-}>, RouteDescriptor<VerifyMagicLinkInput, Session<TFields>, {
-  readonly method: "GET";
-  readonly path: "/verify";
-  readonly parseSession: true;
-}>], Record<never, never>>;
-//#endregion
-export { RequestMagicLinkInput as n, VerifyMagicLinkInput as r, magicLinkPlugin as t };
-//# sourceMappingURL=index-dEksIImj.d.mts.map

package/dist/index-dEksIImj.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-dEksIImj.d.mts","names":[],"sources":["../src/plugins/magic-link/types.ts","../src/plugins/magic-link/index.ts"],"mappings":";;;KAAY,qBAAA;EACV,KAAA;EACA,WAAA;EACA,kBAAA;EACA,gBAAA;EACA,IAAA,GAAO,MAAM;AAAA;AAAA,KAGH,oBAAA;EACV,KAAK;AAAA;;;iBCJS,eAAA,kEAAiC,eAAA,CAAA,qBAAA"}

package/dist/index.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../src/version.ts","../src/client.ts","../src/normalize.ts","../src/serialize.ts"],"mappings":";;;;cAEa,OAAA;;;iBCYG,gBAAA,gCAAgD,eAAA,qCAC9D,IAAA,EAAM,uBAAA,CAAwB,OAAA,EAAS,OAAA,IACtC,UAAA,CAAW,OAAA,EAAS,OAAA;;;;;;ADdvB;;iBEMgB,aAAA,cAA2B,GAAA,EAAK,MAAA,oBAA0B,IAAA,CAAK,CAAA;AAAA,iBAQ/D,mBAAA,cAAiC,GAAA,YAAe,OAAO,CAAC,CAAA;;;;;;;AFdxE;;;iBGOgB,gBAAA,CAAiB,KAAc"}

package/dist/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":["pkg.version"],"sources":["../package.json","../src/version.ts"],"sourcesContent":["","import pkg from \"../package.json\";\n\nexport const VERSION = pkg.version;\n"],"mappings":";;;;;;;ACEA,MAAa,UAAUA"}

package/dist/plugins/credential/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/credential/index.ts"],"sourcesContent":["import { defineClientPlugin, defineRoutes } from \"../../define-plugin\";\nimport { route } from \"../../route\";\nimport type { Session } from \"../../types\";\nimport type {\n  ChangePasswordInput,\n  CheckUsernameInput,\n  RequestPasswordResetInput,\n  ResetPasswordInput,\n  SetPasswordInput,\n  SignInCredentialInput,\n  SignUpCredentialInput,\n} from \"./types\";\n\nexport function credentialPasswordPlugin<TFields = unknown>() {\n  const routes = defineRoutes(\n    route<SignInCredentialInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/signin/credential\",\n      parseSession: true,\n      as: \"signIn.credential\",\n      defaults: { rememberMe: true },\n    }),\n    route<SignUpCredentialInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/signup/credential\",\n      parseSession: true,\n      as: \"signUp.credential\",\n    }),\n    route<RequestPasswordResetInput, { message: string }>()({\n      method: \"POST\",\n      path: \"/passwords/request-reset\",\n      as: \"password.requestReset\",\n    }),\n    route<ResetPasswordInput, { message: string }>()({\n      method: \"POST\",\n      path: \"/passwords/reset\",\n      as: \"password.reset\",\n    }),\n    route<ChangePasswordInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/passwords/change\",\n      parseSession: true,\n      defaults: { revokeOtherSessions: true },\n      as: \"password.change\",\n    }),\n    route<SetPasswordInput, Session<TFields>>()({\n      method: \"PUT\",\n      path: \"/passwords\",\n      as: \"password.set\",\n      parseSession: true,\n      defaults: { revokeOtherSessions: true },\n    }),\n    route<CheckUsernameInput, boolean>()({\n      method: \"POST\",\n      path: \"/usernames/check\",\n      parse: (raw) => (raw as { available: boolean }).available,\n      as: \"username.checkAvailability\",\n    }),\n  );\n\n  return defineClientPlugin({\n    id: \"credential-password\",\n    basePath: \"/\",\n    routes,\n  });\n}\n\nexport type {\n  ChangePasswordInput,\n  CheckUsernameInput,\n  RequestPasswordResetInput,\n  ResetPasswordInput,\n  SetPasswordInput,\n  SignInCredentialInput,\n  SignUpCredentialInput,\n} from \"./types\";\n"],"mappings":";;;AAaA,SAAgB,2BAA8C;CA+C5D,OAAO,mBAAmB;EACxB,IAAI;EACJ,UAAU;EACV,QAjDa,aACb,MAA+C,CAAC,CAAC;GAC/C,QAAQ;GACR,MAAM;GACN,cAAc;GACd,IAAI;GACJ,UAAU,EAAE,YAAY,KAAK;EAC/B,CAAC,GACD,MAA+C,CAAC,CAAC;GAC/C,QAAQ;GACR,MAAM;GACN,cAAc;GACd,IAAI;EACN,CAAC,GACD,MAAsD,CAAC,CAAC;GACtD,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAA+C,CAAC,CAAC;GAC/C,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAA6C,CAAC,CAAC;GAC7C,QAAQ;GACR,MAAM;GACN,cAAc;GACd,UAAU,EAAE,qBAAqB,KAAK;GACtC,IAAI;EACN,CAAC,GACD,MAA0C,CAAC,CAAC;GAC1C,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,cAAc;GACd,UAAU,EAAE,qBAAqB,KAAK;EACxC,CAAC,GACD,MAAmC,CAAC,CAAC;GACnC,QAAQ;GACR,MAAM;GACN,QAAQ,QAAS,IAA+B;GAChD,IAAI;EACN,CAAC,CAMI;CACP,CAAC;AACH"}

package/dist/plugins/magic-link/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/magic-link/index.ts"],"sourcesContent":["import { defineClientPlugin, defineRoutes } from \"../../define-plugin\";\nimport { route } from \"../../route\";\nimport type { Session } from \"../../types\";\nimport type { RequestMagicLinkInput, VerifyMagicLinkInput } from \"./types\";\n\nexport function magicLinkPlugin<TFields = unknown>() {\n  const routes = defineRoutes(\n    route<RequestMagicLinkInput, { message: string }>()({\n      method: \"POST\",\n      path: \"/signin\",\n    }),\n    route<VerifyMagicLinkInput, Session<TFields>>()({\n      method: \"GET\",\n      path: \"/verify\",\n      parseSession: true,\n    }),\n  );\n\n  return defineClientPlugin({\n    id: \"magic-link\",\n    basePath: \"/magic-link\",\n    routes,\n  });\n}\n\nexport type { RequestMagicLinkInput, VerifyMagicLinkInput } from \"./types\";\n"],"mappings":";;;AAKA,SAAgB,kBAAqC;CAanD,OAAO,mBAAmB;EACxB,IAAI;EACJ,UAAU;EACV,QAfa,aACb,MAAkD,CAAC,CAAC;GAClD,QAAQ;GACR,MAAM;EACR,CAAC,GACD,MAA8C,CAAC,CAAC;GAC9C,QAAQ;GACR,MAAM;GACN,cAAc;EAChB,CAAC,CAMI;CACP,CAAC;AACH"}

package/dist/plugins/oauth/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/oauth/index.ts"],"sourcesContent":["import { defineClientPlugin, defineRoutes } from \"../../define-plugin\";\nimport { camelizeKeys } from \"../../helpers\";\nimport { route, type RouteHandler } from \"../../route\";\nimport type { LinkOAuthInput, OAuthAccount, OAuthAuthorizeResult, OAuthTokens, SignInOAuthInput } from \"./types\";\n\nconst fetchThenRedirect: RouteHandler<SignInOAuthInput, OAuthAuthorizeResult> = async (ctx, input, http) => {\n  const { disableRedirect, ...rest } = input;\n  const { url } = await http<{ url: string }>(rest);\n  return { url, redirect: disableRedirect === true ? false : ctx.redirect(url) };\n};\n\nexport function oauthClientPlugin() {\n  const routes = defineRoutes(\n    route<SignInOAuthInput, OAuthAuthorizeResult>()({\n      method: \"GET\",\n      path: \"/:provider/authorize\",\n      as: \"signIn.social\",\n      params: [\"provider\"],\n      handler: fetchThenRedirect,\n    }),\n    route<LinkOAuthInput, OAuthAuthorizeResult>()({\n      method: \"GET\",\n      path: \"/:provider/link\",\n      as: \"social.link\",\n      params: [\"provider\"],\n      handler: fetchThenRedirect,\n    }),\n    route<{ provider: string }, void>()({\n      method: \"DELETE\",\n      path: \"/:provider/unlink\",\n      as: \"social.unlink\",\n      params: [\"provider\"],\n    }),\n    route<void, OAuthAccount[]>()({\n      method: \"GET\",\n      path: \"/accounts\",\n      as: \"social.accounts\",\n    }),\n    route<{ provider: string }, OAuthTokens>()({\n      method: \"GET\",\n      path: \"/:provider/tokens\",\n      as: \"social.tokens\",\n      params: [\"provider\"],\n      parse: camelizeKeys,\n    }),\n    route<{ provider: string }, OAuthTokens>()({\n      method: \"POST\",\n      path: \"/:provider/tokens/refresh\",\n      as: \"social.refreshTokens\",\n      params: [\"provider\"],\n      parse: camelizeKeys,\n    }),\n  );\n\n  return defineClientPlugin({\n    id: \"oauth\",\n    basePath: \"/oauth\",\n    routes,\n  });\n}\n\nexport type {\n  LinkOAuthInput,\n  OAuthAccount,\n  OAuthAuthorizeQuery,\n  OAuthAuthorizeResult,\n  OAuthTokens,\n  SignInOAuthInput,\n} from \"./types\";\n"],"mappings":";;;;AAKA,MAAM,oBAA0E,OAAO,KAAK,OAAO,SAAS;CAC1G,MAAM,EAAE,iBAAiB,GAAG,SAAS;CACrC,MAAM,EAAE,QAAQ,MAAM,KAAsB,IAAI;CAChD,OAAO;EAAE;EAAK,UAAU,oBAAoB,OAAO,QAAQ,IAAI,SAAS,GAAG;CAAE;AAC/E;AAEA,SAAgB,oBAAoB;CA2ClC,OAAO,mBAAmB;EACxB,IAAI;EACJ,UAAU;EACV,QA7Ca,aACb,MAA8C,CAAC,CAAC;GAC9C,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,QAAQ,CAAC,UAAU;GACnB,SAAS;EACX,CAAC,GACD,MAA4C,CAAC,CAAC;GAC5C,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,QAAQ,CAAC,UAAU;GACnB,SAAS;EACX,CAAC,GACD,MAAkC,CAAC,CAAC;GAClC,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,QAAQ,CAAC,UAAU;EACrB,CAAC,GACD,MAA4B,CAAC,CAAC;GAC5B,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAAyC,CAAC,CAAC;GACzC,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,QAAQ,CAAC,UAAU;GACnB,OAAO;EACT,CAAC,GACD,MAAyC,CAAC,CAAC;GACzC,QAAQ;GACR,MAAM;GACN,IAAI;GACJ,QAAQ,CAAC,UAAU;GACnB,OAAO;EACT,CAAC,CAMI;CACP,CAAC;AACH"}

package/dist/plugins/two-factor/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/two-factor/index.ts"],"sourcesContent":["import { defineClientPlugin, defineRoutes } from \"../../define-plugin\";\nimport { route } from \"../../route\";\nimport type { Session } from \"../../types\";\nimport type {\n  DisableTwoFactorInput,\n  FinalizeSetupInput,\n  InitiateSetupInput,\n  SendOTPInput,\n  TwoFactorConfig,\n  TwoFactorSetupURI,\n  VerifyInput,\n} from \"./types\";\n\nexport function twoFactorPlugin<TFields = unknown>(config: TwoFactorConfig) {\n  const routes = defineRoutes(\n    route<InitiateSetupInput, TwoFactorSetupURI>()({\n      method: \"POST\",\n      path: \"/initiate-setup\",\n    }),\n    route<FinalizeSetupInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/finalize-setup\",\n      parseSession: true,\n    }),\n    route<DisableTwoFactorInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/disable\",\n      parseSession: true,\n    }),\n    route<VerifyInput, Session<TFields>>()({\n      method: \"POST\",\n      path: \"/verify\",\n      parseSession: true,\n    }),\n    route<void, TwoFactorSetupURI>()({\n      method: \"GET\",\n      path: \"/totp/uri\",\n      as: \"twoFactor.getTotpUri\",\n    }),\n    route<void, string[]>()({\n      method: \"GET\",\n      path: \"/backup-codes\",\n      as: \"twoFactor.getBackupCodes\",\n    }),\n    route<void, string[]>()({\n      method: \"PUT\",\n      path: \"/backup-codes\",\n      as: \"twoFactor.regenerateBackupCodes\",\n    }),\n    route<SendOTPInput, { message: string }>()({\n      method: \"POST\",\n      path: \"/otp/send\",\n      as: \"twoFactor.sendOTP\",\n    }),\n  );\n\n  return defineClientPlugin({\n    id: \"two-factor\",\n    basePath: \"/two-factor\",\n    routes,\n    hooks: {\n      afterResponse: [\n        {\n          match: \"/signin/credential\",\n          run: (ctx) => {\n            const body = ctx.body as Record<string, unknown>;\n            if (body[\"two_factor_required\"] === true) {\n              config.onTwoFactorRedirect();\n            }\n            return ctx;\n          },\n        },\n      ],\n    },\n  });\n}\n\nexport type {\n  DisableTwoFactorInput,\n  FinalizeSetupInput,\n  InitiateSetupInput,\n  SendOTPInput,\n  TwoFactorConfig,\n  TwoFactorMethod,\n  TwoFactorSetupURI,\n  VerifyInput,\n} from \"./types\";\n"],"mappings":";;;AAaA,SAAgB,gBAAmC,QAAyB;CA2C1E,OAAO,mBAAmB;EACxB,IAAI;EACJ,UAAU;EACV,QA7Ca,aACb,MAA6C,CAAC,CAAC;GAC7C,QAAQ;GACR,MAAM;EACR,CAAC,GACD,MAA4C,CAAC,CAAC;GAC5C,QAAQ;GACR,MAAM;GACN,cAAc;EAChB,CAAC,GACD,MAA+C,CAAC,CAAC;GAC/C,QAAQ;GACR,MAAM;GACN,cAAc;EAChB,CAAC,GACD,MAAqC,CAAC,CAAC;GACrC,QAAQ;GACR,MAAM;GACN,cAAc;EAChB,CAAC,GACD,MAA+B,CAAC,CAAC;GAC/B,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAAsB,CAAC,CAAC;GACtB,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAAsB,CAAC,CAAC;GACtB,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,GACD,MAAyC,CAAC,CAAC;GACzC,QAAQ;GACR,MAAM;GACN,IAAI;EACN,CAAC,CAMI;EACL,OAAO,EACL,eAAe,CACb;GACE,OAAO;GACP,MAAM,QAAQ;IAEZ,IADa,IAAI,KACR,2BAA2B,MAClC,OAAO,oBAAoB;IAE7B,OAAO;GACT;EACF,CACF,EACF;CACF,CAAC;AACH"}

package/dist/react/index.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/react/react-store.ts","../../src/react/index.ts"],"mappings":";;;;iBAGgB,QAAA,mBAA2B,KAAA,EAAO,KAAA,EAAO,SAAA,GAAY,UAAA,CAAW,SAAA;;;AAAhF;;;AAAA,KCOY,eAAA,0BAAyC,eAAA,yBAAwC,QAAA,CAC3F,UAAA,CAAW,OAAA,EAAS,OAAA;EDRmC;;;;ECarD,UAAA,QAAkB,YAAA,CAAa,OAAA;AAAA;;;;iBAOnB,gBAAA,gCAAgD,eAAA,qCAC9D,IAAA,EAAM,uBAAA,CAAwB,OAAA,EAAS,OAAA,IACtC,eAAA,CAAgB,OAAA,EAAS,OAAA"}

package/dist/react/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":["createCoreClient"],"sources":["../../src/react/react-store.ts","../../src/react/index.ts"],"sourcesContent":["import type { Store, StoreValue } from \"nanostores\";\nimport { useCallback, useRef, useSyncExternalStore } from \"react\";\n\nexport function useStore<SomeStore extends Store>(store: SomeStore): StoreValue<SomeStore> {\n  type Value = StoreValue<SomeStore>;\n\n  const snapshotRef = useRef<Value | undefined>(store.get());\n\n  const subscribe = useCallback(\n    (onChange: () => void) => {\n      const emitValue = (value: Value): void => {\n        if (snapshotRef.current === value) {\n          return;\n        }\n        snapshotRef.current = value;\n        onChange();\n      };\n      // Resync before listening: the value may have changed between render and\n      // this effect, and `listen` does not fire for the current value.\n      emitValue(store.value);\n      return store.listen(emitValue);\n    },\n    [store],\n  );\n\n  const get = (): Value => snapshotRef.current as Value;\n\n  return useSyncExternalStore(subscribe, get, get);\n}\n","import { createAuthClient as createCoreClient } from \"../client\";\nimport type { AnyClientPlugin } from \"../define-plugin\";\nimport type { SessionState } from \"../session-store\";\nimport type { Prettify } from \"../type-utils\";\nimport type { AuthClient, CreateAuthClientOptions } from \"../types\";\nimport { useStore } from \"./react-store\";\n\n/**\n * An {@link AuthClient} augmented with React hooks.\n */\nexport type ReactAuthClient<Plugins extends readonly AnyClientPlugin[], TFields = unknown> = Prettify<\n  AuthClient<Plugins, TFields> & {\n    /**\n     * Reactively read the session store. Re-renders the component whenever\n     * `{ data, isPending, error }` changes.\n     */\n    useSession: () => SessionState<TFields>;\n  }\n>;\n\n/**\n * Create a Limen auth client with React hooks attached.\n */\nexport function createAuthClient<const Plugins extends readonly AnyClientPlugin[] = readonly [], TFields = unknown>(\n  opts: CreateAuthClientOptions<Plugins, TFields>,\n): ReactAuthClient<Plugins, TFields> {\n  const client = createCoreClient<Plugins, TFields>(opts);\n  const useSession = (): SessionState<TFields> => useStore(client.$session);\n\n  return Object.assign(client, { useSession }) as ReactAuthClient<Plugins, TFields>;\n}\n\nexport type { SessionState, SessionStore } from \"../session-store\";\nexport type { AuthClient, CreateAuthClientOptions, Session, User } from \"../types\";\nexport { useStore } from \"./react-store\";\n"],"mappings":";;;AAGA,SAAgB,SAAkC,OAAyC;CAGzF,MAAM,cAAc,OAA0B,MAAM,IAAI,CAAC;CAEzD,MAAM,YAAY,aACf,aAAyB;EACxB,MAAM,aAAa,UAAuB;GACxC,IAAI,YAAY,YAAY,OAC1B;GAEF,YAAY,UAAU;GACtB,SAAS;EACX;EAGA,UAAU,MAAM,KAAK;EACrB,OAAO,MAAM,OAAO,SAAS;CAC/B,GACA,CAAC,KAAK,CACR;CAEA,MAAM,YAAmB,YAAY;CAErC,OAAO,qBAAqB,WAAW,KAAK,GAAG;AACjD;;;;;;ACLA,SAAgB,iBACd,MACmC;CACnC,MAAM,SAASA,mBAAmC,IAAI;CACtD,MAAM,mBAA0C,SAAS,OAAO,QAAQ;CAExE,OAAO,OAAO,OAAO,QAAQ,EAAE,WAAW,CAAC;AAC7C"}

package/dist/route-DGxvFqWl.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"route-DGxvFqWl.mjs","names":[],"sources":["../src/route.ts"],"sourcesContent":["import type { RouteContext } from \"./context\";\nimport type { LimenError } from \"./errors\";\nimport type { HTTPMethod } from \"./types\";\n\ndeclare const INPUT: unique symbol;\ndeclare const OUTPUT: unique symbol;\n\n/**\n * Runs the route's default HTTP request and parser without session effects.\n * Pass an input override when a handler needs to omit client-only fields.\n */\nexport type HttpRunner<I> = <R = unknown>(input?: I) => Promise<R>;\n\n/**\n * Custom route behavior for flows that need more than the default request\n * pipeline.\n */\nexport type RouteHandler<I, O, TFields = unknown> = (\n  ctx: RouteContext<TFields>,\n  input: I,\n  http: HttpRunner<I>,\n) => Promise<O>;\n\n/**\n * Per-call options accepted as the final argument of every generated route\n * method.\n */\nexport type RouteCallOptions<O = unknown> = {\n  /** Invoked with the resolved value after the call succeeds. */\n  onSuccess?: (data: O) => void;\n  /** Invoked with the error just before it is re-thrown. */\n  onError?: (error: LimenError) => void;\n};\n\n/**\n * Declarative client route definition. The public client chain is derived from\n * `path` unless `as` is provided.\n */\nexport type RouteDef<I, O> = {\n  method: HTTPMethod;\n  path: `/${string}`;\n\n  /** Dotted client chain override, e.g. `\"twoFactor.getTotpUri\"`. */\n  as?: string;\n\n  /** Merged under the caller's input before serialization. */\n  defaults?: Partial<I>;\n  /** SDK input → wire body/query. Defaults to shallow camelCase → snake_case. */\n  serialize?: (input: I) => unknown;\n  /** Raw response → typed output. Ignored when `parseSession` is set. */\n  parse?: (raw: unknown) => O;\n  /**\n   * Parse the response as a session and store it when it contains a `user`.\n   * Set `skipStore` to return the parsed session without writing it.\n   */\n  parseSession?: boolean;\n  /** Resolve `path` from the client base path instead of the plugin base path. */\n  absolute?: boolean;\n\n  /** Input keys used as `:param` path values. */\n  params?: readonly (keyof I & string)[];\n\n  /** For `parseSession` routes, skip the session-store write. */\n  skipStore?: boolean;\n  /** Clear the session store on success. */\n  clearSession?: boolean;\n  /** Revalidate the session after success. */\n  refetchSession?: boolean;\n\n  /** Set `false` to keep the route out of the public client API. */\n  expose?: boolean;\n\n  /** Override the default route call behavior. */\n  handler?: RouteHandler<I, O>;\n};\n\n/**\n * A route definition carrying its input and output types for inference.\n */\nexport type RouteDescriptor<I, O, D extends RouteDef<I, O> = RouteDef<I, O>> = D & {\n  readonly [INPUT]: I;\n  readonly [OUTPUT]: O;\n};\n\n/**\n * Loose route-descriptor constraint for route tuples and plugin definitions.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- accepts any route descriptor\nexport type AnyRouteDescriptor = RouteDescriptor<any, any, any>;\n\n/**\n * Route definition with erased input/output types but typed fields.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- erases route I/O only\nexport type AnyRoute = RouteDef<any, any>;\n\nexport type InputOf<R> = R extends { readonly [INPUT]: infer I } ? I : never;\nexport type OutputOf<R> = R extends { readonly [OUTPUT]: infer O } ? O : never;\n\n/**\n * Define an HTTP-backed client method for a plugin. The input/output types\n * become the generated method's argument and resolved value.\n *\n * @example\n *   route<VerifyInput, Session<TFields>>()({\n *     method: \"POST\",\n *     path: \"/verify\",\n *     parseSession: true,\n *   })\n */\nexport function route<I = void, O = unknown>() {\n  return <const D extends RouteDef<I, O>>(def: D): RouteDescriptor<I, O, D> => def as RouteDescriptor<I, O, D>;\n}\n"],"mappings":";;;;;;;;;;;;AA8GA,SAAgB,QAA+B;CAC7C,QAAwC,QAAqC;AAC/E"}

package/dist/session-jwt-DgLdMQxP.mjs

@@ -1,129 +0,0 @@
-import { a as SET_REFRESH_TOKEN_HEADER, i as SET_AUTH_TOKEN_HEADER } from "./constants-CsR2pQ_9.mjs";
-import { t as LimenError } from "./errors-4YJYt6f0.mjs";
-import { n as defineRoutes, t as defineClientPlugin } from "./define-plugin-C7WOGU4b.mjs";
-import { t as route } from "./route-DGxvFqWl.mjs";
-import { i as resolveDefaultStorage } from "./bearer-Cqmrmjjf.mjs";
-//#region src/plugins/session-jwt/jwt.ts
-/**
-* Read the `exp` (seconds since epoch) from a JWT without verifying its
-* signature — the server is the source of truth; the client only needs expiry
-* to decide when to refresh. Returns `null` for anything malformed.
-*/
-function decodeJwtExp(token) {
-	const payload = token.split(".")[1];
-	if (!payload) return null;
-	try {
-		const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-		const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
-		const claims = JSON.parse(atob(padded));
-		return typeof claims.exp === "number" ? claims.exp : null;
-	} catch {
-		return null;
-	}
-}
-function isExpiring(token, skewMs) {
-	const exp = decodeJwtExp(token);
-	if (exp === null) return true;
-	return exp * 1e3 - skewMs <= Date.now();
-}
-function tokensFromHeaders(headers) {
-	const accessToken = headers.get(SET_AUTH_TOKEN_HEADER);
-	if (!accessToken) return null;
-	const tokens = { accessToken };
-	const refreshToken = headers.get(SET_REFRESH_TOKEN_HEADER);
-	if (refreshToken) tokens.refreshToken = refreshToken;
-	return tokens;
-}
-//#endregion
-//#region src/plugins/session-jwt/index.ts
-function sessionJwtPlugin(config = {}) {
-	const store = config.storage ?? resolveDefaultStorage(config.storageKey ?? "limen.tokens");
-	const skewMs = (config.expirySkewSeconds ?? 30) * 1e3;
-	const refreshRoute = route()({
-		method: "POST",
-		path: "/refresh",
-		parseSession: true,
-		expose: false
-	});
-	let ctx;
-	let run;
-	let inFlight = null;
-	const runRefresh = async () => {
-		const current = store.get();
-		if (!current?.refreshToken) throw new LimenError("No refresh token found", 401, "unauthorized");
-		try {
-			await run(refreshRoute, { refreshToken: current.refreshToken });
-			const tokens = store.get();
-			if (!tokens?.accessToken) throw new LimenError("Refresh did not return a valid access token", 500, "unknown");
-			return tokens;
-		} catch (err) {
-			store.clear();
-			ctx.setSession(null);
-			throw err;
-		}
-	};
-	const refresh = () => {
-		if (!inFlight) inFlight = runRefresh().finally(() => {
-			inFlight = null;
-		});
-		return inFlight;
-	};
-	const getAccessToken = async () => {
-		const current = store.get();
-		if (!current?.accessToken) return null;
-		if (!isExpiring(current.accessToken, skewMs)) return current.accessToken;
-		if (!current.refreshToken) return null;
-		return (await refresh()).accessToken;
-	};
-	const applyAuthHeader = async (req) => {
-		if (req.headers.has("Authorization")) return;
-		const token = await getAccessToken().catch(() => null);
-		if (token) req.headers.set("Authorization", `Bearer ${token}`);
-	};
-	return defineClientPlugin({
-		id: "session-jwt",
-		routes: defineRoutes(refreshRoute),
-		actions: (pluginCtx, pluginRun) => {
-			ctx = pluginCtx;
-			run = pluginRun;
-			return { sessionJwt: {
-				/**
-				* Get the current access token. If the token is expiring, refresh it.
-				* @returns The current access token or null if no token is found.
-				*/
-				getAccessToken,
-				refresh,
-				getTokens: () => store.get(),
-				clear: () => store.clear()
-			} };
-		},
-		hooks: {
-			beforeRequest: [{
-				match: (route) => route.path !== "/refresh",
-				run: async (req) => {
-					await applyAuthHeader(req);
-					return req;
-				}
-			}],
-			afterResponse: [{
-				allowOnFailure: true,
-				run: (res) => {
-					const tokens = tokensFromHeaders(res.headers);
-					if (tokens) store.set(tokens);
-					return res;
-				}
-			}, {
-				match: ["/signout", "/revoke-sessions"],
-				allowOnFailure: true,
-				run: (res) => {
-					store.clear();
-					return res;
-				}
-			}]
-		}
-	});
-}
-//#endregion
-export { sessionJwtPlugin as t };
-
-//# sourceMappingURL=session-jwt-DgLdMQxP.mjs.map

package/dist/session-jwt-DgLdMQxP.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"session-jwt-DgLdMQxP.mjs","names":[],"sources":["../src/plugins/session-jwt/jwt.ts","../src/plugins/session-jwt/index.ts"],"sourcesContent":["import { SET_AUTH_TOKEN_HEADER, SET_REFRESH_TOKEN_HEADER } from \"../../constants\";\nimport type { SessionJwtTokens } from \"./types\";\n\n/**\n * Read the `exp` (seconds since epoch) from a JWT without verifying its\n * signature — the server is the source of truth; the client only needs expiry\n * to decide when to refresh. Returns `null` for anything malformed.\n */\nexport function decodeJwtExp(token: string): number | null {\n  const payload = token.split(\".\")[1];\n  if (!payload) {\n    return null;\n  }\n  try {\n    const b64 = payload.replace(/-/g, \"+\").replace(/_/g, \"/\");\n    const padded = b64 + \"=\".repeat((4 - (b64.length % 4)) % 4);\n    const claims = JSON.parse(atob(padded)) as { exp?: unknown };\n    return typeof claims.exp === \"number\" ? claims.exp : null;\n  } catch {\n    return null;\n  }\n}\n\nexport function isExpiring(token: string, skewMs: number): boolean {\n  const exp = decodeJwtExp(token);\n  if (exp === null) {\n    return true;\n  }\n  return exp * 1000 - skewMs <= Date.now();\n}\n\nexport function tokensFromHeaders(headers: Headers): SessionJwtTokens | null {\n  const accessToken = headers.get(SET_AUTH_TOKEN_HEADER);\n  if (!accessToken) {\n    return null;\n  }\n\n  const tokens: SessionJwtTokens = { accessToken };\n  const refreshToken = headers.get(SET_REFRESH_TOKEN_HEADER);\n  if (refreshToken) {\n    tokens.refreshToken = refreshToken;\n  }\n  return tokens;\n}\n","import { DEFAULT_TOKEN_STORAGE_KEY } from \"../../constants\";\nimport type { AnyRouteContext } from \"../../context\";\nimport { defineClientPlugin, defineRoutes, type RunRoute } from \"../../define-plugin\";\nimport { LimenError } from \"../../errors\";\nimport { route } from \"../../route\";\nimport type { Session } from \"../../types\";\nimport { resolveDefaultStorage } from \"../bearer\";\nimport { DEFAULT_EXPIRY_SKEW_SECONDS } from \"./constants\";\nimport { isExpiring, tokensFromHeaders } from \"./jwt\";\nimport type { RefreshInput, SessionJwtPluginConfig, SessionJwtTokens } from \"./types\";\n\nexport function sessionJwtPlugin<TFields = unknown>(config: SessionJwtPluginConfig = {}) {\n  const store = config.storage ?? resolveDefaultStorage(config.storageKey ?? DEFAULT_TOKEN_STORAGE_KEY);\n  const skewMs = (config.expirySkewSeconds ?? DEFAULT_EXPIRY_SKEW_SECONDS) * 1000;\n\n  const refreshRoute = route<RefreshInput, Session<TFields>>()({\n    method: \"POST\",\n    path: \"/refresh\",\n    parseSession: true,\n    expose: false,\n  });\n\n  let ctx!: AnyRouteContext;\n  let run!: RunRoute;\n  let inFlight: Promise<SessionJwtTokens> | null = null;\n\n  const runRefresh = async (): Promise<SessionJwtTokens> => {\n    const current = store.get();\n    if (!current?.refreshToken) {\n      throw new LimenError(\"No refresh token found\", 401, \"unauthorized\");\n    }\n    try {\n      await run(refreshRoute, { refreshToken: current.refreshToken });\n      const tokens = store.get();\n      if (!tokens?.accessToken) {\n        throw new LimenError(\"Refresh did not return a valid access token\", 500, \"unknown\");\n      }\n      return tokens;\n    } catch (err) {\n      store.clear();\n      ctx.setSession(null);\n      throw err;\n    }\n  };\n\n  const refresh = (): Promise<SessionJwtTokens> => {\n    if (!inFlight) {\n      inFlight = runRefresh().finally(() => {\n        inFlight = null;\n      });\n    }\n    return inFlight;\n  };\n\n  const getAccessToken = async (): Promise<string | null> => {\n    const current = store.get();\n    if (!current?.accessToken) {\n      return null;\n    }\n\n    if (!isExpiring(current.accessToken, skewMs)) {\n      return current.accessToken;\n    }\n\n    if (!current.refreshToken) {\n      return null;\n    }\n    return (await refresh()).accessToken;\n  };\n\n  const applyAuthHeader = async (req: { headers: Headers }): Promise<void> => {\n    if (req.headers.has(\"Authorization\")) {\n      return;\n    }\n    const token = await getAccessToken().catch(() => null);\n    if (token) {\n      req.headers.set(\"Authorization\", `Bearer ${token}`);\n    }\n  };\n\n  return defineClientPlugin({\n    id: \"session-jwt\",\n    routes: defineRoutes(refreshRoute),\n    actions: (pluginCtx, pluginRun) => {\n      ctx = pluginCtx;\n      run = pluginRun;\n      return {\n        sessionJwt: {\n          /**\n           * Get the current access token. If the token is expiring, refresh it.\n           * @returns The current access token or null if no token is found.\n           */\n          getAccessToken,\n          refresh,\n          getTokens: () => store.get(),\n          clear: () => store.clear(),\n        },\n      };\n    },\n    hooks: {\n      beforeRequest: [\n        {\n          match: (route) => route.path !== \"/refresh\",\n          run: async (req) => {\n            await applyAuthHeader(req);\n            return req;\n          },\n        },\n      ],\n      afterResponse: [\n        {\n          allowOnFailure: true,\n          run: (res) => {\n            const tokens = tokensFromHeaders(res.headers);\n            if (tokens) {\n              store.set(tokens);\n            }\n            return res;\n          },\n        },\n        {\n          match: [\"/signout\", \"/revoke-sessions\"],\n          allowOnFailure: true,\n          run: (res) => {\n            store.clear();\n            return res;\n          },\n        },\n      ],\n    },\n  });\n}\n\nexport type { SessionJwtPluginConfig, SessionJwtTokens } from \"./types\";\n"],"mappings":";;;;;;;;;;;AAQA,SAAgB,aAAa,OAA8B;CACzD,MAAM,UAAU,MAAM,MAAM,GAAG,CAAC,CAAC;CACjC,IAAI,CAAC,SACH,OAAO;CAET,IAAI;EACF,MAAM,MAAM,QAAQ,QAAQ,MAAM,GAAG,CAAC,CAAC,QAAQ,MAAM,GAAG;EACxD,MAAM,SAAS,MAAM,IAAI,QAAQ,IAAK,IAAI,SAAS,KAAM,CAAC;EAC1D,MAAM,SAAS,KAAK,MAAM,KAAK,MAAM,CAAC;EACtC,OAAO,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM;CACvD,QAAQ;EACN,OAAO;CACT;AACF;AAEA,SAAgB,WAAW,OAAe,QAAyB;CACjE,MAAM,MAAM,aAAa,KAAK;CAC9B,IAAI,QAAQ,MACV,OAAO;CAET,OAAO,MAAM,MAAO,UAAU,KAAK,IAAI;AACzC;AAEA,SAAgB,kBAAkB,SAA2C;CAC3E,MAAM,cAAc,QAAQ,IAAI,qBAAqB;CACrD,IAAI,CAAC,aACH,OAAO;CAGT,MAAM,SAA2B,EAAE,YAAY;CAC/C,MAAM,eAAe,QAAQ,IAAI,wBAAwB;CACzD,IAAI,cACF,OAAO,eAAe;CAExB,OAAO;AACT;;;AChCA,SAAgB,iBAAoC,SAAiC,CAAC,GAAG;CACvF,MAAM,QAAQ,OAAO,WAAW,sBAAsB,OAAO,cAAA,cAAuC;CACpG,MAAM,UAAU,OAAO,qBAAA,MAAoD;CAE3E,MAAM,eAAe,MAAsC,CAAC,CAAC;EAC3D,QAAQ;EACR,MAAM;EACN,cAAc;EACd,QAAQ;CACV,CAAC;CAED,IAAI;CACJ,IAAI;CACJ,IAAI,WAA6C;CAEjD,MAAM,aAAa,YAAuC;EACxD,MAAM,UAAU,MAAM,IAAI;EAC1B,IAAI,CAAC,SAAS,cACZ,MAAM,IAAI,WAAW,0BAA0B,KAAK,cAAc;EAEpE,IAAI;GACF,MAAM,IAAI,cAAc,EAAE,cAAc,QAAQ,aAAa,CAAC;GAC9D,MAAM,SAAS,MAAM,IAAI;GACzB,IAAI,CAAC,QAAQ,aACX,MAAM,IAAI,WAAW,+CAA+C,KAAK,SAAS;GAEpF,OAAO;EACT,SAAS,KAAK;GACZ,MAAM,MAAM;GACZ,IAAI,WAAW,IAAI;GACnB,MAAM;EACR;CACF;CAEA,MAAM,gBAA2C;EAC/C,IAAI,CAAC,UACH,WAAW,WAAW,CAAC,CAAC,cAAc;GACpC,WAAW;EACb,CAAC;EAEH,OAAO;CACT;CAEA,MAAM,iBAAiB,YAAoC;EACzD,MAAM,UAAU,MAAM,IAAI;EAC1B,IAAI,CAAC,SAAS,aACZ,OAAO;EAGT,IAAI,CAAC,WAAW,QAAQ,aAAa,MAAM,GACzC,OAAO,QAAQ;EAGjB,IAAI,CAAC,QAAQ,cACX,OAAO;EAET,QAAQ,MAAM,QAAQ,EAAA,CAAG;CAC3B;CAEA,MAAM,kBAAkB,OAAO,QAA6C;EAC1E,IAAI,IAAI,QAAQ,IAAI,eAAe,GACjC;EAEF,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC,YAAY,IAAI;EACrD,IAAI,OACF,IAAI,QAAQ,IAAI,iBAAiB,UAAU,OAAO;CAEtD;CAEA,OAAO,mBAAmB;EACxB,IAAI;EACJ,QAAQ,aAAa,YAAY;EACjC,UAAU,WAAW,cAAc;GACjC,MAAM;GACN,MAAM;GACN,OAAO,EACL,YAAY;;;;;IAKV;IACA;IACA,iBAAiB,MAAM,IAAI;IAC3B,aAAa,MAAM,MAAM;GAC3B,EACF;EACF;EACA,OAAO;GACL,eAAe,CACb;IACE,QAAQ,UAAU,MAAM,SAAS;IACjC,KAAK,OAAO,QAAQ;KAClB,MAAM,gBAAgB,GAAG;KACzB,OAAO;IACT;GACF,CACF;GACA,eAAe,CACb;IACE,gBAAgB;IAChB,MAAM,QAAQ;KACZ,MAAM,SAAS,kBAAkB,IAAI,OAAO;KAC5C,IAAI,QACF,MAAM,IAAI,MAAM;KAElB,OAAO;IACT;GACF,GACA;IACE,OAAO,CAAC,YAAY,kBAAkB;IACtC,gBAAgB;IAChB,MAAM,QAAQ;KACZ,MAAM,MAAM;KACZ,OAAO;IACT;GACF,CACF;EACF;CACF,CAAC;AACH"}

package/dist/solid/index.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/solid/solid-store.ts","../../src/solid/index.ts"],"mappings":";;;;;iBAKgB,QAAA,mBAA2B,KAAA,gBAAqB,UAAA,CAAW,SAAA,GACzE,KAAA,EAAO,SAAA,GACN,QAAA,CAAS,KAAA;;;AAFZ;;;AAAA,KCMY,eAAA,0BAAyC,eAAA,yBAAwC,QAAA,CAC3F,UAAA,CAAW,OAAA,EAAS,OAAA;EDPqD;;;;ECYvE,UAAA,QAAkB,QAAA,CAAS,YAAA,CAAa,OAAA;AAAA;;;;iBAO5B,gBAAA,gCAAgD,eAAA,qCAC9D,IAAA,EAAM,uBAAA,CAAwB,OAAA,EAAS,OAAA,IACtC,eAAA,CAAgB,OAAA,EAAS,OAAA"}

package/dist/solid/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":["createCoreClient"],"sources":["../../src/solid/solid-store.ts","../../src/solid/index.ts"],"sourcesContent":["import type { Store, StoreValue } from \"nanostores\";\nimport type { Accessor } from \"solid-js\";\nimport { onCleanup } from \"solid-js\";\nimport { createStore, reconcile } from \"solid-js/store\";\n\nexport function useStore<SomeStore extends Store, Value extends StoreValue<SomeStore>>(\n  store: SomeStore,\n): Accessor<Value> {\n  // Activate the store so `get()` is populated, then hand off to the real\n  // subscriber and unbind — avoids a dangling activation (https://github.com/nanostores/solid/issues/19).\n  const unbindActivation = store.listen(() => {});\n\n  const [state, setState] = createStore({ value: store.get() as Value });\n\n  // `reconcile` diffs each update so only changed paths re-trigger (fine-grained).\n  const unsubscribe = store.subscribe((value) => {\n    setState(\"value\", reconcile(value as Value));\n  });\n\n  onCleanup(() => unsubscribe());\n  unbindActivation();\n\n  return () => state.value;\n}\n","import type { Accessor } from \"solid-js\";\nimport { createAuthClient as createCoreClient } from \"../client\";\nimport type { AnyClientPlugin } from \"../define-plugin\";\nimport type { SessionState } from \"../session-store\";\nimport type { Prettify } from \"../type-utils\";\nimport type { AuthClient, CreateAuthClientOptions } from \"../types\";\nimport { useStore } from \"./solid-store\";\n\n/**\n * An {@link AuthClient} augmented with Solid primitives.\n */\nexport type SolidAuthClient<Plugins extends readonly AnyClientPlugin[], TFields = unknown> = Prettify<\n  AuthClient<Plugins, TFields> & {\n    /**\n     * Reactively read the session store as a Solid accessor. Updates whenever\n     * `{ data, isPending, error }` changes.\n     */\n    useSession: () => Accessor<SessionState<TFields>>;\n  }\n>;\n\n/**\n * Create a Limen auth client with Solid primitives attached.\n */\nexport function createAuthClient<const Plugins extends readonly AnyClientPlugin[] = readonly [], TFields = unknown>(\n  opts: CreateAuthClientOptions<Plugins, TFields>,\n): SolidAuthClient<Plugins, TFields> {\n  const client = createCoreClient<Plugins, TFields>(opts);\n  const useSession = (): Accessor<SessionState<TFields>> => useStore(client.$session);\n\n  return Object.assign(client, { useSession }) as SolidAuthClient<Plugins, TFields>;\n}\n\nexport type { SessionState, SessionStore } from \"../session-store\";\nexport type { AuthClient, CreateAuthClientOptions, Session, User } from \"../types\";\nexport { useStore } from \"./solid-store\";\n"],"mappings":";;;;AAKA,SAAgB,SACd,OACiB;CAGjB,MAAM,mBAAmB,MAAM,aAAa,CAAC,CAAC;CAE9C,MAAM,CAAC,OAAO,YAAY,YAAY,EAAE,OAAO,MAAM,IAAI,EAAW,CAAC;CAGrE,MAAM,cAAc,MAAM,WAAW,UAAU;EAC7C,SAAS,SAAS,UAAU,KAAc,CAAC;CAC7C,CAAC;CAED,gBAAgB,YAAY,CAAC;CAC7B,iBAAiB;CAEjB,aAAa,MAAM;AACrB;;;;;;ACCA,SAAgB,iBACd,MACmC;CACnC,MAAM,SAASA,mBAAmC,IAAI;CACtD,MAAM,mBAAoD,SAAS,OAAO,QAAQ;CAElF,OAAO,OAAO,OAAO,QAAQ,EAAE,WAAW,CAAC;AAC7C"}

package/dist/svelte/index.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/svelte/index.ts"],"mappings":";;;;;;;KAUY,gBAAA,0BAA0C,eAAA,yBAAwC,QAAA,CAC5F,UAAA,CAAW,OAAA,EAAS,OAAA;EAAA;;;;EAKlB,UAAA,QAAkB,QAAA,CAAS,YAAA,CAAa,OAAA;AAAA;;;;;;;;iBAW5B,gBAAA,gCAAgD,eAAA,qCAC9D,IAAA,EAAM,uBAAA,CAAwB,OAAA,EAAS,OAAA,IACtC,gBAAA,CAAiB,OAAA,EAAS,OAAA"}

package/dist/svelte/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":["createCoreClient"],"sources":["../../src/svelte/index.ts"],"sourcesContent":["import type { Readable } from \"svelte/store\";\nimport { createAuthClient as createCoreClient } from \"../client\";\nimport type { AnyClientPlugin } from \"../define-plugin\";\nimport type { SessionState } from \"../session-store\";\nimport type { Prettify } from \"../type-utils\";\nimport type { AuthClient, CreateAuthClientOptions } from \"../types\";\n\n/**\n * An {@link AuthClient} augmented with Svelte stores.\n */\nexport type SvelteAuthClient<Plugins extends readonly AnyClientPlugin[], TFields = unknown> = Prettify<\n  AuthClient<Plugins, TFields> & {\n    /**\n     * The reactive session as a Svelte readable store. Use it with `$`:\n     * `$session.data`, `$session.isPending`, `$session.error`.\n     */\n    useSession: () => Readable<SessionState<TFields>>;\n  }\n>;\n\n/**\n * Create a Limen auth client with Svelte stores attached.\n *\n * nanostores stores already satisfy Svelte's store contract (`subscribe(run)`\n * fires immediately and returns an unsubscribe), so `useSession` returns the\n * reactive `$session` store directly — no wrapper.\n */\nexport function createAuthClient<const Plugins extends readonly AnyClientPlugin[] = readonly [], TFields = unknown>(\n  opts: CreateAuthClientOptions<Plugins, TFields>,\n): SvelteAuthClient<Plugins, TFields> {\n  const client = createCoreClient<Plugins, TFields>(opts);\n  const useSession = (): Readable<SessionState<TFields>> =>\n    client.$session as unknown as Readable<SessionState<TFields>>;\n\n  return Object.assign(client, { useSession }) as SvelteAuthClient<Plugins, TFields>;\n}\n\nexport type { SessionState, SessionStore } from \"../session-store\";\nexport type { AuthClient, CreateAuthClientOptions, Session, User } from \"../types\";\n"],"mappings":";;;;;;;;;AA2BA,SAAgB,iBACd,MACoC;CACpC,MAAM,SAASA,mBAAmC,IAAI;CACtD,MAAM,mBACJ,OAAO;CAET,OAAO,OAAO,OAAO,QAAQ,EAAE,WAAW,CAAC;AAC7C"}

package/dist/vue/index.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/vue/vue-store.ts","../../src/vue/index.ts"],"mappings":";;;;;;KAKY,aAAA,UAAuB,YAAA,CAAa,gBAAA,CAAiB,UAAA,CAAW,KAAA;;AAA5E;;;;;;;;iBAWgB,QAAA,mBAA2B,KAAA,EAAO,KAAA,EAAO,SAAA,GAAY,aAAA,CAAc,UAAA,CAAW,SAAA;;;AAX9F;;;AAAA,KCMY,aAAA,0BAAuC,eAAA,yBAAwC,QAAA,CACzF,UAAA,CAAW,OAAA,EAAS,OAAA;EDP2C;;;;ECY7D,UAAA,QAAkB,aAAA,CAAc,YAAA,CAAa,OAAA;AAAA;;;;iBAOjC,gBAAA,gCAAgD,eAAA,qCAC9D,IAAA,EAAM,uBAAA,CAAwB,OAAA,EAAS,OAAA,IACtC,aAAA,CAAc,OAAA,EAAS,OAAA"}

package/dist/vue/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.mjs","names":["createCoreClient"],"sources":["../../src/vue/vue-store.ts","../../src/vue/index.ts"],"sourcesContent":["import type { Store, StoreValue } from \"nanostores\";\nimport type { DeepReadonly, ShallowRef, UnwrapNestedRefs } from \"vue\";\nimport { getCurrentScope, onScopeDispose, readonly, shallowRef } from \"vue\";\n\n/** What {@link useStore} returns: a readonly reactive ref of the store value. */\nexport type ReactiveValue<Value> = DeepReadonly<UnwrapNestedRefs<ShallowRef<Value>>>;\n\n/**\n * Subscribe a Vue component to a nanostores store.\n *\n * Modeled on `@nanostores/vue`'s `useStore`: a `shallowRef` mirrors the store\n * value, `subscribe` keeps it in sync (firing once immediately), and the\n * listener is torn down on scope dispose. On the server (no `window`) it reads\n * once without subscribing, so a store seeded with `initialSession` renders\n * without leaving a subscription behind.\n */\nexport function useStore<SomeStore extends Store>(store: SomeStore): ReactiveValue<StoreValue<SomeStore>> {\n  type Value = StoreValue<SomeStore>;\n\n  const state = shallowRef<Value>(store.get());\n\n  if (typeof window !== \"undefined\") {\n    const unsubscribe = store.subscribe((value) => {\n      state.value = value;\n    });\n    if (getCurrentScope()) {\n      onScopeDispose(unsubscribe);\n    }\n  }\n\n  return readonly(state);\n}\n","import { createAuthClient as createCoreClient } from \"../client\";\nimport type { AnyClientPlugin } from \"../define-plugin\";\nimport type { SessionState } from \"../session-store\";\nimport type { Prettify } from \"../type-utils\";\nimport type { AuthClient, CreateAuthClientOptions } from \"../types\";\nimport type { ReactiveValue } from \"./vue-store\";\nimport { useStore } from \"./vue-store\";\n\n/**\n * An {@link AuthClient} augmented with Vue composables.\n */\nexport type VueAuthClient<Plugins extends readonly AnyClientPlugin[], TFields = unknown> = Prettify<\n  AuthClient<Plugins, TFields> & {\n    /**\n     * Reactively read the session store as a readonly ref. Updates whenever\n     * `{ data, isPending, error }` changes.\n     */\n    useSession: () => ReactiveValue<SessionState<TFields>>;\n  }\n>;\n\n/**\n * Create a Limen auth client with Vue composables attached.\n */\nexport function createAuthClient<const Plugins extends readonly AnyClientPlugin[] = readonly [], TFields = unknown>(\n  opts: CreateAuthClientOptions<Plugins, TFields>,\n): VueAuthClient<Plugins, TFields> {\n  const client = createCoreClient<Plugins, TFields>(opts);\n  const useSession = (): ReactiveValue<SessionState<TFields>> => useStore(client.$session);\n\n  return Object.assign(client, { useSession }) as VueAuthClient<Plugins, TFields>;\n}\n\nexport type { SessionState, SessionStore } from \"../session-store\";\nexport type { AuthClient, CreateAuthClientOptions, Session, User } from \"../types\";\nexport { useStore } from \"./vue-store\";\nexport type { ReactiveValue } from \"./vue-store\";\n"],"mappings":";;;;;;;;;;;;AAgBA,SAAgB,SAAkC,OAAwD;CAGxG,MAAM,QAAQ,WAAkB,MAAM,IAAI,CAAC;CAE3C,IAAI,OAAO,WAAW,aAAa;EACjC,MAAM,cAAc,MAAM,WAAW,UAAU;GAC7C,MAAM,QAAQ;EAChB,CAAC;EACD,IAAI,gBAAgB,GAClB,eAAe,WAAW;CAE9B;CAEA,OAAO,SAAS,KAAK;AACvB;;;;;;ACPA,SAAgB,iBACd,MACiC;CACjC,MAAM,SAASA,mBAAmC,IAAI;CACtD,MAAM,mBAAyD,SAAS,OAAO,QAAQ;CAEvF,OAAO,OAAO,OAAO,QAAQ,EAAE,WAAW,CAAC;AAC7C"}