ofauth-shared-core 0.1.0-alpha.0 → 0.2.0-alpha.0

package/dist/services/createContractOnlyOfauthServices.js

@@ -1,82 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createContractOnlyOfauthServices = createContractOnlyOfauthServices;
-function notImplemented(message) {
-    const error = {
-        code: 'AUTH_NOT_IMPLEMENTED',
-        message,
-        retryable: false,
-    };
-    throw error;
-}
-function createContractOnlyOfauthServices() {
-    return {
-        identityService: {
-            async verifyCredential() {
-                return notImplemented('identityService.verifyCredential not implemented yet');
-            },
-            async login() {
-                return notImplemented('identityService.login not implemented yet');
-            },
-            async logout() {
-                return notImplemented('identityService.logout not implemented yet');
-            },
-        },
-        sessionService: {
-            async createSession() {
-                return notImplemented('sessionService.createSession not implemented yet');
-            },
-            async refreshSession() {
-                return notImplemented('sessionService.refreshSession not implemented yet');
-            },
-            async revokeSession() {
-                return notImplemented('sessionService.revokeSession not implemented yet');
-            },
-            async getActiveSession() {
-                return notImplemented('sessionService.getActiveSession not implemented yet');
-            },
-        },
-        contextService: {
-            async listAssignments() {
-                return notImplemented('contextService.listAssignments not implemented yet');
-            },
-            async getActiveContext() {
-                return notImplemented('contextService.getActiveContext not implemented yet');
-            },
-            async switchContext() {
-                return notImplemented('contextService.switchContext not implemented yet');
-            },
-        },
-        authPolicyService: {
-            async getPolicySnapshot() {
-                return notImplemented('authPolicyService.getPolicySnapshot not implemented yet');
-            },
-            async getStepUpRequirement() {
-                return notImplemented('authPolicyService.getStepUpRequirement not implemented yet');
-            },
-            async evaluateStepUp() {
-                return notImplemented('authPolicyService.evaluateStepUp not implemented yet');
-            },
-            async enforceStepUp() {
-                return notImplemented('authPolicyService.enforceStepUp not implemented yet');
-            },
-            async markStepUpPassed() {
-                return notImplemented('authPolicyService.markStepUpPassed not implemented yet');
-            },
-        },
-        authAuditService: {
-            async appendEvent() {
-                return notImplemented('authAuditService.appendEvent not implemented yet');
-            },
-            async queryEvents() {
-                return notImplemented('authAuditService.queryEvents not implemented yet');
-            },
-            async listPendingReplay() {
-                return notImplemented('authAuditService.listPendingReplay not implemented yet');
-            },
-            async markReplayed() {
-                return notImplemented('authAuditService.markReplayed not implemented yet');
-            },
-        },
-    };
-}

package/dist/services/createDbAdapterOfauthServices.js

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createDbAdapterOfauthServices = createDbAdapterOfauthServices;
-const DbAdapterAuthAuditService_1 = require("./impl/DbAdapterAuthAuditService");
-const DbAdapterAuthPolicyService_1 = require("./impl/DbAdapterAuthPolicyService");
-const DbAdapterContextService_1 = require("./impl/DbAdapterContextService");
-const DbAdapterIdentityService_1 = require("./impl/DbAdapterIdentityService");
-const DbAdapterSessionService_1 = require("./impl/DbAdapterSessionService");
-async function createDbAdapterOfauthServices(db, options = {}) {
-    const authAuditService = new DbAdapterAuthAuditService_1.DbAdapterAuthAuditService(db, options);
-    const sessionService = new DbAdapterSessionService_1.DbAdapterSessionService(db, options);
-    const contextService = new DbAdapterContextService_1.DbAdapterContextService(db, authAuditService);
-    const authPolicyService = new DbAdapterAuthPolicyService_1.DbAdapterAuthPolicyService(db, authAuditService);
-    const identityService = new DbAdapterIdentityService_1.DbAdapterIdentityService(db, options, sessionService, contextService, authAuditService);
-    return {
-        identityService,
-        sessionService,
-        contextService,
-        authPolicyService,
-        authAuditService,
-    };
-}

package/dist/services/errors.js

@@ -1,20 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OfauthDomainError = void 0;
-exports.unauthorized = unauthorized;
-exports.invalidState = invalidState;
-class OfauthDomainError extends Error {
-    constructor(code, message, retryable = false) {
-        super(message);
-        this.code = code;
-        this.retryable = retryable;
-        this.name = 'OfauthDomainError';
-    }
-}
-exports.OfauthDomainError = OfauthDomainError;
-function unauthorized(code, message) {
-    return new OfauthDomainError(code, message, false);
-}
-function invalidState(message) {
-    return new OfauthDomainError('AUTH_NOT_IMPLEMENTED', message, false);
-}

package/dist/services/impl/DbAdapterAuthAuditService.js

@@ -1,107 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterAuthAuditService = void 0;
-const schemas_1 = require("../../data/schemas");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterAuthAuditService {
-    constructor(db, options) {
-        this.db = db;
-        this.options = options;
-        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-audit');
-    }
-    async appendEvent(event) {
-        const row = {
-            id: event.eventId || this.newId(),
-            eventType: event.eventType,
-            identityId: event.identityId ?? null,
-            sessionId: event.sessionId ?? null,
-            tenantId: event.scopeRef?.tenantId ?? null,
-            branchId: event.scopeRef?.branchId ?? null,
-            scopeAttributes: event.scopeRef?.attributes ?? null,
-            result: event.result,
-            reasonCode: event.reasonCode ?? null,
-            timestamp: event.timestamp,
-            syncStatus: event.syncStatus ?? 'pending',
-            replayedAt: event.replayedAt ?? null,
-            version: 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-            deleted: false,
-        };
-        await this.db.create(schemas_1.OFAUTH_TABLES.auditEvents, row);
-        await (0, runtimeSupport_1.emitAuthActivity)(this.options, event);
-    }
-    async queryEvents(query) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
-            filters: { deleted: false },
-            sort: [{ field: 'timestamp', direction: 'desc' }],
-        });
-        return rows
-            .filter((row) => (query.identityId ? row.identityId === query.identityId : true))
-            .filter((row) => (query.sessionId ? row.sessionId === query.sessionId : true))
-            .filter((row) => (query.eventTypes?.length ? query.eventTypes.includes(row.eventType) : true))
-            .filter((row) => (query.fromTimestamp ? row.timestamp >= query.fromTimestamp : true))
-            .filter((row) => (query.toTimestamp ? row.timestamp <= query.toTimestamp : true))
-            .map((row) => ({
-            eventId: row.id,
-            eventType: row.eventType,
-            identityId: row.identityId ?? undefined,
-            sessionId: row.sessionId ?? undefined,
-            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
-                ? {
-                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
-                    ...(row.branchId ? { branchId: row.branchId } : {}),
-                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
-                }
-                : undefined,
-            result: row.result,
-            reasonCode: row.reasonCode ?? undefined,
-            timestamp: row.timestamp,
-            syncStatus: row.syncStatus ?? 'pending',
-            replayedAt: row.replayedAt ?? undefined,
-        }));
-    }
-    async listPendingReplay(query = {}) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
-            filters: { deleted: false },
-            sort: [{ field: 'timestamp', direction: 'asc' }],
-        });
-        return rows
-            .filter((row) => row.syncStatus !== 'replayed')
-            .slice(0, query.limit ?? rows.length)
-            .map((row) => ({
-            eventId: row.id,
-            eventType: row.eventType,
-            identityId: row.identityId ?? undefined,
-            sessionId: row.sessionId ?? undefined,
-            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
-                ? {
-                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
-                    ...(row.branchId ? { branchId: row.branchId } : {}),
-                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
-                }
-                : undefined,
-            result: row.result,
-            reasonCode: row.reasonCode ?? undefined,
-            timestamp: row.timestamp,
-            syncStatus: row.syncStatus ?? 'pending',
-            replayedAt: row.replayedAt ?? undefined,
-        }));
-    }
-    async markReplayed(eventIds, replayedAt = (0, runtimeSupport_1.nowIso)()) {
-        let updatedCount = 0;
-        for (const eventId of eventIds) {
-            const row = await this.db.get(schemas_1.OFAUTH_TABLES.auditEvents, eventId);
-            if (!row || row.deleted || row.syncStatus === 'replayed')
-                continue;
-            await this.db.update(schemas_1.OFAUTH_TABLES.auditEvents, eventId, {
-                syncStatus: 'replayed',
-                replayedAt,
-                version: row.version + 1,
-                lastModified: (0, runtimeSupport_1.nowIso)(),
-            });
-            updatedCount += 1;
-        }
-        return updatedCount;
-    }
-}
-exports.DbAdapterAuthAuditService = DbAdapterAuthAuditService;

package/dist/services/impl/DbAdapterAuthPolicyService.js

@@ -1,114 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterAuthPolicyService = void 0;
-const SessionContract_1 = require("../../contracts/SessionContract");
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterAuthPolicyService {
-    constructor(db, authAuditService) {
-        this.db = db;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async getActiveSessionOrThrow(sessionId) {
-        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt)) {
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        }
-        return row;
-    }
-    async getPolicySnapshot() {
-        const profiles = await this.db.query(schemas_1.OFAUTH_TABLES.policyProfiles, {
-            filters: { deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        const stepups = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
-            filters: { deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        return {
-            profiles: profiles.length > 0
-                ? profiles.map((p) => ({
-                    profileId: p.profileId,
-                    defaultAssuranceLevel: p.defaultAssuranceLevel,
-                    lockoutPolicyRef: p.lockoutPolicyRef,
-                }))
-                : (0, runtimeSupport_1.fallbackPolicyProfiles)(),
-            stepUpRequirements: stepups.map((s) => ({
-                actionRef: s.actionRef,
-                requiredAssuranceLevel: s.requiredAssuranceLevel,
-                reauthWindowSeconds: s.reauthWindowSeconds ?? undefined,
-            })),
-            version: '1',
-            updatedAt: (0, runtimeSupport_1.nowIso)(),
-        };
-    }
-    async getStepUpRequirement(actionRef) {
-        const row = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
-            filters: { actionRef, deleted: false },
-            limit: 1,
-        });
-        if (!row[0])
-            return null;
-        return {
-            actionRef: row[0].actionRef,
-            requiredAssuranceLevel: row[0].requiredAssuranceLevel,
-            reauthWindowSeconds: row[0].reauthWindowSeconds ?? undefined,
-        };
-    }
-    async evaluateStepUp(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const requirement = await this.getStepUpRequirement(actionRef);
-        const requiredAssuranceLevel = requirement?.requiredAssuranceLevel ?? 'basic';
-        const requiresStepUp = !(0, SessionContract_1.isAssuranceLevelAtLeast)(session.assuranceLevel, requiredAssuranceLevel);
-        return {
-            actionRef,
-            requiredAssuranceLevel,
-            currentAssuranceLevel: session.assuranceLevel,
-            requiresStepUp,
-            reauthWindowSeconds: requirement?.reauthWindowSeconds,
-        };
-    }
-    async enforceStepUp(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const evalResult = await this.evaluateStepUp(sessionId, actionRef);
-        if (!evalResult.requiresStepUp)
-            return;
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'STEP_UP_CHALLENGED',
-            identityId: session.identityId,
-            sessionId,
-            result: 'failed',
-            reasonCode: 'AUTH_STEP_UP_REQUIRED',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        throw (0, errors_1.unauthorized)('AUTH_STEP_UP_REQUIRED', `Step-up required for action '${actionRef}' (needs ${evalResult.requiredAssuranceLevel})`);
-    }
-    async markStepUpPassed(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const requirement = await this.getStepUpRequirement(actionRef);
-        const targetAssurance = requirement?.requiredAssuranceLevel ?? 'elevated';
-        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, sessionId, {
-            assuranceLevel: targetAssurance,
-            version: session.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'STEP_UP_PASSED',
-            identityId: session.identityId,
-            sessionId,
-            result: 'success',
-            reasonCode: actionRef,
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        const active = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        const assignment = active ? await (0, runtimeSupport_1.getAssignmentById)(this.db, active.activeAssignmentId) : null;
-        if (!active)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        return (0, runtimeSupport_1.toSessionRef)(active, assignment ?? undefined);
-    }
-}
-exports.DbAdapterAuthPolicyService = DbAdapterAuthPolicyService;

package/dist/services/impl/DbAdapterContextService.js

@@ -1,79 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterContextService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterContextService {
-    constructor(db, authAuditService) {
-        this.db = db;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async listAssignments(identityId) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.assignments, {
-            filters: { identityId, deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        return rows.map(runtimeSupport_1.toAssignment);
-    }
-    async getActiveContext(sessionId) {
-        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!session || session.deleted || session.revokedAt || !session.activeAssignmentId)
-            return null;
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, session.activeAssignmentId);
-        if (!assignment)
-            return null;
-        return {
-            sessionId,
-            assignmentId: assignment.id,
-            scopeRef: {
-                ...(assignment.tenantId ? { tenantId: assignment.tenantId } : {}),
-                ...(assignment.branchId ? { branchId: assignment.branchId } : {}),
-                ...(assignment.scopeAttributes ? { attributes: assignment.scopeAttributes } : {}),
-            },
-        };
-    }
-    async switchContext(input) {
-        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!session || session.deleted || session.revokedAt)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        const target = await (0, runtimeSupport_1.getAssignmentById)(this.db, input.targetAssignmentId);
-        if (!target || target.identityId !== session.identityId) {
-            throw (0, errors_1.unauthorized)('AUTH_CONTEXT_FORBIDDEN', 'Requested context is not assigned to this identity');
-        }
-        const updatedSession = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            activeAssignmentId: target.id,
-            version: session.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'CONTEXT_SWITCHED',
-            identityId: session.identityId,
-            sessionId: input.sessionId,
-            scopeRef: {
-                ...(target.tenantId ? { tenantId: target.tenantId } : {}),
-                ...(target.branchId ? { branchId: target.branchId } : {}),
-                ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
-            },
-            result: 'success',
-            reasonCode: input.reasonCode,
-            timestamp: updatedSession.lastModified,
-        });
-        return {
-            activeContext: {
-                sessionId: input.sessionId,
-                assignmentId: target.id,
-                scopeRef: {
-                    ...(target.tenantId ? { tenantId: target.tenantId } : {}),
-                    ...(target.branchId ? { branchId: target.branchId } : {}),
-                    ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
-                },
-            },
-            requiresStepUp: false,
-            reasonCode: input.reasonCode,
-        };
-    }
-}
-exports.DbAdapterContextService = DbAdapterContextService;

package/dist/services/impl/DbAdapterIdentityService.js

@@ -1,146 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterIdentityService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterIdentityService {
-    constructor(db, options, sessionService, contextService, authAuditService) {
-        this.db = db;
-        this.options = options;
-        this.sessionService = sessionService;
-        this.contextService = contextService;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async findIdentityByPrincipal(principal) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.identities, {
-            filters: { principal, deleted: false },
-            limit: 1,
-        });
-        return rows[0] ?? null;
-    }
-    async persistFailedAttempt(identity) {
-        const failedAttempts = identity.failedAttempts + 1;
-        const lockoutTriggered = failedAttempts >= runtimeSupport_1.DEFAULT_LOCKOUT_THRESHOLD;
-        const lockoutUntil = lockoutTriggered ? (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), runtimeSupport_1.DEFAULT_LOCKOUT_COOLDOWN_SECONDS) : null;
-        const status = lockoutTriggered ? 'locked' : identity.status;
-        return this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
-            failedAttempts,
-            lockoutUntil,
-            status,
-            version: identity.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-    async clearFailedAttempt(identity) {
-        if (identity.failedAttempts === 0 && !identity.lockoutUntil && identity.status === 'active')
-            return;
-        await this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
-            failedAttempts: 0,
-            lockoutUntil: null,
-            status: 'active',
-            version: identity.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-    async emitAudit(event) {
-        await this.authAuditService.appendEvent(event);
-    }
-    async verifyCredential(input) {
-        const identity = await this.findIdentityByPrincipal(input.principal);
-        if (!identity) {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOGIN_FAILED',
-                result: 'failed',
-                reasonCode: 'INVALID_CREDENTIAL',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'INVALID_CREDENTIAL', retryable: true };
-        }
-        if (identity.status === 'disabled') {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOGIN_FAILED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode: 'IDENTITY_DISABLED',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'IDENTITY_DISABLED', retryable: false };
-        }
-        if (identity.lockoutUntil && !(0, runtimeSupport_1.isPast)(identity.lockoutUntil)) {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOCKOUT_TRIGGERED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode: 'IDENTITY_LOCKED',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'IDENTITY_LOCKED', retryable: false };
-        }
-        const verified = await (0, runtimeSupport_1.verifySecret)(this.options.platformAdapter, input.secret, identity.secretHash);
-        if (!verified) {
-            const afterFail = await this.persistFailedAttempt(identity);
-            const reasonCode = afterFail.status === 'locked' ? 'IDENTITY_LOCKED' : 'INVALID_CREDENTIAL';
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: reasonCode === 'IDENTITY_LOCKED' ? 'LOCKOUT_TRIGGERED' : 'LOGIN_FAILED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode,
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode, retryable: reasonCode === 'INVALID_CREDENTIAL' };
-        }
-        await this.clearFailedAttempt(identity);
-        const assignments = await this.contextService.listAssignments(identity.id);
-        await this.emitAudit({
-            eventId: this.newEventId(),
-            eventType: 'LOGIN_SUCCESS',
-            identityId: identity.id,
-            scopeRef: input.scopeRef,
-            result: 'success',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        return {
-            ok: true,
-            identity: (0, runtimeSupport_1.toIdentityRef)(identity),
-            assignments,
-        };
-    }
-    async login(input) {
-        const verified = await this.verifyCredential({
-            principal: input.principal,
-            secret: input.secret,
-            verifyMethod: input.verifyMethod,
-        });
-        if (!verified.ok) {
-            throw (0, errors_1.unauthorized)('AUTH_INVALID_CREDENTIAL', `Authentication failed: ${verified.reasonCode}`);
-        }
-        const defaultAssignment = [...verified.assignments].sort((a, b) => a.assignmentId.localeCompare(b.assignmentId))[0];
-        const session = await this.sessionService.createSession({
-            identityId: verified.identity.identityId,
-            assignmentId: defaultAssignment?.assignmentId,
-            assuranceLevel: 'basic',
-        });
-        return {
-            identity: verified.identity,
-            sessionId: session.sessionId,
-        };
-    }
-    async logout(sessionId) {
-        await this.sessionService.revokeSession({ sessionId, reasonCode: 'LOGOUT' });
-        await this.emitAudit({
-            eventId: this.newEventId(),
-            eventType: 'SESSION_REVOKED',
-            sessionId,
-            result: 'success',
-            reasonCode: 'LOGOUT',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-}
-exports.DbAdapterIdentityService = DbAdapterIdentityService;

package/dist/services/impl/DbAdapterSessionService.js

@@ -1,63 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterSessionService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterSessionService {
-    constructor(db, options) {
-        this.db = db;
-        this.options = options;
-        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-session');
-    }
-    async createSession(input) {
-        const issuedAt = (0, runtimeSupport_1.nowIso)();
-        const expiresAt = (0, runtimeSupport_1.plusSecondsIso)(issuedAt, input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS);
-        const created = await this.db.create(schemas_1.OFAUTH_TABLES.sessions, {
-            id: this.newId(),
-            identityId: input.identityId,
-            activeAssignmentId: input.assignmentId ?? null,
-            assuranceLevel: input.assuranceLevel ?? 'basic',
-            issuedAt,
-            expiresAt,
-            revokedAt: null,
-            version: 1,
-            lastModified: issuedAt,
-            deleted: false,
-        });
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, created.activeAssignmentId);
-        this.options.logger?.logInfo('[ofauth] session created', { sessionId: created.id, identityId: created.identityId });
-        return (0, runtimeSupport_1.toSessionRef)(created, assignment);
-    }
-    async refreshSession(input) {
-        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!current || current.deleted || current.revokedAt)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        const refreshed = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            expiresAt: (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS),
-            version: current.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, refreshed.activeAssignmentId);
-        return (0, runtimeSupport_1.toSessionRef)(refreshed, assignment);
-    }
-    async revokeSession(input) {
-        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!current || current.deleted || current.revokedAt)
-            return;
-        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            revokedAt: (0, runtimeSupport_1.nowIso)(),
-            version: current.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        this.options.logger?.logInfo('[ofauth] session revoked', { sessionId: input.sessionId, reasonCode: input.reasonCode ?? null });
-    }
-    async getActiveSession(sessionId) {
-        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt))
-            return null;
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, row.activeAssignmentId);
-        return (0, runtimeSupport_1.toSessionRef)(row, assignment);
-    }
-}
-exports.DbAdapterSessionService = DbAdapterSessionService;