or3-provider-basic-auth 0.0.1

package/dist/runtime/server/api/basic-auth/register.post.js

@@ -0,0 +1,112 @@
+import { randomUUID } from "node:crypto";
+import { createError, defineEventHandler, setCookie } from "h3";
+import { z } from "zod";
+import { clearAuthCookies, setAccessCookie, setRefreshCookie } from "../../lib/cookies.js";
+import { getBasicAuthConfig } from "../../lib/config.js";
+import {
+  createInvalidRequestError,
+  createInvalidCredentialsError
+} from "../../lib/errors.js";
+import { signAccessToken, signRefreshToken, hashRefreshToken } from "../../lib/jwt.js";
+import { hashPassword } from "../../lib/password.js";
+import { enforceBasicAuthRateLimit } from "../../lib/rate-limit.js";
+import {
+  createAccount,
+  createAuthSession,
+  findAccountByEmail,
+  normalizeEmail,
+  getSessionMetadataFromEvent
+} from "../../lib/session-store.js";
+import { enforceMutationOriginPolicy } from "../../lib/request-security.js";
+import { assertBasicAuthReady, noStore, parseBodyWithSchema } from "./_helpers.js";
+const registerSchema = z.object({
+  email: z.string().email().max(320),
+  password: z.string().min(8).max(512),
+  confirmPassword: z.string().min(8).max(512),
+  displayName: z.string().trim().min(1).max(120).optional(),
+  inviteToken: z.string().trim().min(1).max(4096).optional()
+}).refine((value) => value.password === value.confirmPassword, {
+  message: "Passwords must match"
+});
+function mapRegistrationErrorToHttp(reason) {
+  if (reason === "disabled") {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Registration is currently disabled. Please contact an administrator."
+    });
+  }
+  throw createError({
+    statusCode: 403,
+    statusMessage: "A valid invite is required to register."
+  });
+}
+export async function handleRegister(event) {
+  assertBasicAuthReady(event);
+  noStore(event);
+  enforceMutationOriginPolicy(event);
+  enforceBasicAuthRateLimit(event, "basic-auth:register");
+  const body = await parseBodyWithSchema(event, registerSchema);
+  const email = normalizeEmail(body.email);
+  const existing = findAccountByEmail(email);
+  if (existing) {
+    throw createInvalidCredentialsError();
+  }
+  const runtimeConfig = useRuntimeConfig();
+  const mode = runtimeConfig.auth?.registrationMode ?? (runtimeConfig.auth?.autoProvision === false ? "disabled" : "open");
+  if (mode === "disabled") {
+    mapRegistrationErrorToHttp("disabled");
+  }
+  if (mode === "invite_only" && !body.inviteToken?.trim()) {
+    mapRegistrationErrorToHttp("invite_required");
+  }
+  const passwordHash = await hashPassword(body.password);
+  const account = createAccount({
+    email,
+    passwordHash,
+    displayName: body.displayName?.trim() || null
+  });
+  const config = getBasicAuthConfig();
+  if (config.refreshTtlSeconds <= 0 || config.accessTtlSeconds <= 0) {
+    throw createInvalidRequestError();
+  }
+  const sessionId = randomUUID();
+  const refreshToken = await signRefreshToken({
+    sub: account.id,
+    sid: sessionId,
+    ver: account.token_version
+  });
+  createAuthSession({
+    accountId: account.id,
+    sessionId,
+    refreshTokenHash: hashRefreshToken(refreshToken),
+    expiresAtMs: Date.now() + config.refreshTtlSeconds * 1e3,
+    metadata: getSessionMetadataFromEvent(event)
+  });
+  const accessToken = await signAccessToken({
+    sub: account.id,
+    sid: sessionId,
+    ver: account.token_version,
+    email: account.email,
+    display_name: account.display_name
+  });
+  setAccessCookie(event, accessToken, config.accessTtlSeconds);
+  setRefreshCookie(event, refreshToken, config.refreshTtlSeconds);
+  if (mode === "invite_only" && body.inviteToken?.trim()) {
+    setCookie(event, "or3_invite_token", body.inviteToken.trim(), {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: process.env.NODE_ENV === "production",
+      path: "/",
+      maxAge: 10 * 60
+    });
+  }
+  return { ok: true };
+}
+export default defineEventHandler(async (event) => {
+  try {
+    return await handleRegister(event);
+  } catch (error) {
+    clearAuthCookies(event);
+    throw error;
+  }
+});

package/dist/runtime/server/api/basic-auth/sign-in.post.d.ts

@@ -0,0 +1,8 @@
+import { type H3Event } from 'h3';
+export declare function handleSignIn(event: H3Event): Promise<{
+    ok: boolean;
+}>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    ok: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/api/basic-auth/sign-in.post.js

@@ -0,0 +1,75 @@
+import { randomUUID } from "node:crypto";
+import { defineEventHandler } from "h3";
+import { z } from "zod";
+import { clearAuthCookies, setAccessCookie, setRefreshCookie } from "../../lib/cookies.js";
+import { getBasicAuthConfig } from "../../lib/config.js";
+import {
+  createInvalidCredentialsError,
+  createInvalidRequestError
+} from "../../lib/errors.js";
+import { signAccessToken, signRefreshToken, hashRefreshToken } from "../../lib/jwt.js";
+import { verifyPassword } from "../../lib/password.js";
+import { enforceBasicAuthRateLimit } from "../../lib/rate-limit.js";
+import {
+  createAuthSession,
+  findAccountByEmail,
+  normalizeEmail,
+  getSessionMetadataFromEvent
+} from "../../lib/session-store.js";
+import { enforceMutationOriginPolicy } from "../../lib/request-security.js";
+import { assertBasicAuthReady, noStore, parseBodyWithSchema } from "./_helpers.js";
+const signInSchema = z.object({
+  email: z.string().email().max(320),
+  // Sign-in must allow legacy short passwords; strength is enforced at set/change time.
+  password: z.string().min(1).max(512)
+});
+const DUMMY_PASSWORD_HASH = "$2a$12$1XCXpgmbzURDdc0AGJiAsemtT39PAw8WwV7fBOq6A5VQv6.qN6Va.";
+export async function handleSignIn(event) {
+  assertBasicAuthReady(event);
+  noStore(event);
+  enforceMutationOriginPolicy(event);
+  enforceBasicAuthRateLimit(event, "basic-auth:sign-in");
+  const input = await parseBodyWithSchema(event, signInSchema);
+  const email = normalizeEmail(input.email);
+  const account = findAccountByEmail(email);
+  if (!account) {
+    await verifyPassword(input.password, DUMMY_PASSWORD_HASH);
+    clearAuthCookies(event);
+    throw createInvalidCredentialsError();
+  }
+  const isPasswordValid = await verifyPassword(input.password, account.password_hash);
+  if (!isPasswordValid) {
+    clearAuthCookies(event);
+    throw createInvalidCredentialsError();
+  }
+  const config = getBasicAuthConfig();
+  if (config.refreshTtlSeconds <= 0 || config.accessTtlSeconds <= 0) {
+    throw createInvalidRequestError();
+  }
+  const sessionId = randomUUID();
+  const refreshToken = await signRefreshToken({
+    sub: account.id,
+    sid: sessionId,
+    ver: account.token_version
+  });
+  createAuthSession({
+    accountId: account.id,
+    sessionId,
+    refreshTokenHash: hashRefreshToken(refreshToken),
+    expiresAtMs: Date.now() + config.refreshTtlSeconds * 1e3,
+    metadata: getSessionMetadataFromEvent(event)
+  });
+  const accessToken = await signAccessToken({
+    sub: account.id,
+    sid: sessionId,
+    ver: account.token_version,
+    email: account.email,
+    display_name: account.display_name
+  });
+  setAccessCookie(event, accessToken, config.accessTtlSeconds);
+  setRefreshCookie(event, refreshToken, config.refreshTtlSeconds);
+  return { ok: true };
+}
+export default defineEventHandler(async (event) => {
+  return await handleSignIn(event);
+});

package/dist/runtime/server/api/basic-auth/sign-out.post.d.ts

@@ -0,0 +1,8 @@
+import { type H3Event } from 'h3';
+export declare function handleSignOut(event: H3Event): Promise<{
+    ok: boolean;
+}>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    ok: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/api/basic-auth/sign-out.post.js

@@ -0,0 +1,37 @@
+import { defineEventHandler } from "h3";
+import { clearAuthCookies } from "../../lib/cookies.js";
+import {
+  getAccessTokenFromEvent,
+  getRefreshTokenFromEvent,
+  verifyAccessToken,
+  verifyRefreshToken
+} from "../../lib/jwt.js";
+import { enforceBasicAuthRateLimit } from "../../lib/rate-limit.js";
+import { revokeSessionById } from "../../lib/session-store.js";
+import { enforceMutationOriginPolicy } from "../../lib/request-security.js";
+import { assertBasicAuthReady, noStore } from "./_helpers.js";
+export async function handleSignOut(event) {
+  assertBasicAuthReady(event);
+  noStore(event);
+  enforceMutationOriginPolicy(event);
+  enforceBasicAuthRateLimit(event, "basic-auth:sign-out");
+  const refreshToken = getRefreshTokenFromEvent(event);
+  if (refreshToken) {
+    const refreshClaims = await verifyRefreshToken(refreshToken);
+    if (refreshClaims) {
+      revokeSessionById(refreshClaims.sid);
+    }
+  }
+  const accessToken = getAccessTokenFromEvent(event);
+  if (accessToken) {
+    const accessClaims = await verifyAccessToken(accessToken);
+    if (accessClaims) {
+      revokeSessionById(accessClaims.sid);
+    }
+  }
+  clearAuthCookies(event);
+  return { ok: true };
+}
+export default defineEventHandler(async (event) => {
+  return await handleSignOut(event);
+});

package/dist/runtime/server/auth/basic-auth-provider.d.ts

@@ -0,0 +1,2 @@
+import type { AuthProvider } from '~~/server/auth/types';
+export declare const basicAuthProvider: AuthProvider;

package/dist/runtime/server/auth/basic-auth-provider.js

@@ -0,0 +1,41 @@
+import { BASIC_AUTH_PROVIDER_ID } from "../../lib/constants.js";
+import { getAccessTokenFromEvent, verifyAccessToken } from "../lib/jwt.js";
+import {
+  findAccountById,
+  findSessionById,
+  isSessionUsable
+} from "../lib/session-store.js";
+export const basicAuthProvider = {
+  name: BASIC_AUTH_PROVIDER_ID,
+  async getSession(event) {
+    const accessToken = getAccessTokenFromEvent(event);
+    if (!accessToken) {
+      return null;
+    }
+    const payload = await verifyAccessToken(accessToken);
+    if (!payload) {
+      return null;
+    }
+    const session = findSessionById(payload.sid);
+    if (!isSessionUsable(session)) {
+      return null;
+    }
+    const account = findAccountById(payload.sub);
+    if (!account) {
+      return null;
+    }
+    if (account.token_version !== payload.ver) {
+      return null;
+    }
+    return {
+      provider: BASIC_AUTH_PROVIDER_ID,
+      user: {
+        id: payload.sub,
+        email: payload.email ?? account.email,
+        displayName: payload.display_name ?? account.display_name ?? void 0
+      },
+      expiresAt: new Date((payload.exp ?? 0) * 1e3),
+      claims: payload
+    };
+  }
+};

package/dist/runtime/server/auth/index.d.ts

@@ -0,0 +1 @@
+export { basicAuthProvider } from './basic-auth-provider.js';

package/dist/runtime/server/auth/index.js

@@ -0,0 +1 @@
+export { basicAuthProvider } from "./basic-auth-provider.js";

package/dist/runtime/server/db/client.d.ts

@@ -0,0 +1,3 @@
+import Database from 'better-sqlite3';
+export declare function getBasicAuthDb(): Database.Database;
+export declare function resetBasicAuthDbForTests(): void;

package/dist/runtime/server/db/client.js

@@ -0,0 +1,106 @@
+import { dirname } from "node:path";
+import { chmodSync, mkdirSync } from "node:fs";
+import Database from "better-sqlite3";
+import { getBasicAuthConfig } from "../lib/config.js";
+let dbSingleton = null;
+const DB_DIR_MODE = 448;
+const DB_FILE_MODE = 384;
+function hardenDbDirectoryPermissions(dbPath) {
+  if (dbPath === ":memory:" || process.platform === "win32") return;
+  const dir = dirname(dbPath);
+  mkdirSync(dir, { recursive: true, mode: DB_DIR_MODE });
+  chmodSync(dir, DB_DIR_MODE);
+}
+function hardenDbFilePermissions(dbPath) {
+  if (dbPath === ":memory:" || process.platform === "win32") return;
+  chmodSync(dbPath, DB_FILE_MODE);
+}
+function runMigrations(db) {
+  const versionRow = db.prepare("PRAGMA user_version").get();
+  const version = typeof versionRow?.user_version === "number" ? versionRow.user_version : 0;
+  if (version < 1) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS basic_auth_accounts (
+        id TEXT PRIMARY KEY,
+        email TEXT NOT NULL UNIQUE,
+        password_hash TEXT NOT NULL,
+        display_name TEXT,
+        token_version INTEGER NOT NULL DEFAULT 0,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS basic_auth_sessions (
+        id TEXT PRIMARY KEY,
+        account_id TEXT NOT NULL,
+        refresh_token_hash TEXT NOT NULL,
+        expires_at INTEGER NOT NULL,
+        revoked_at INTEGER,
+        created_at INTEGER NOT NULL,
+        rotated_from_session_id TEXT,
+        replaced_by_session_id TEXT,
+        ip_address TEXT,
+        user_agent TEXT,
+        FOREIGN KEY(account_id) REFERENCES basic_auth_accounts(id)
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_basic_auth_sessions_account_id
+        ON basic_auth_sessions(account_id);
+      CREATE INDEX IF NOT EXISTS idx_basic_auth_sessions_expires_at
+        ON basic_auth_sessions(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_basic_auth_sessions_rotated_from
+        ON basic_auth_sessions(rotated_from_session_id);
+    `);
+    db.pragma("user_version = 1");
+  }
+  if (version < 2) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS basic_auth_rate_limits (
+        key TEXT PRIMARY KEY,
+        subject TEXT NOT NULL,
+        operation TEXT NOT NULL,
+        window_started_at INTEGER NOT NULL,
+        request_count INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_basic_auth_rate_limits_updated_at
+        ON basic_auth_rate_limits(updated_at);
+    `);
+    db.pragma("user_version = 2");
+  }
+}
+export function getBasicAuthDb() {
+  if (dbSingleton) return dbSingleton;
+  const config = getBasicAuthConfig();
+  if (config.dbPath !== ":memory:") {
+    try {
+      hardenDbDirectoryPermissions(config.dbPath);
+    } catch (error) {
+      throw new Error(
+        `[basic-auth] Failed to secure DB directory permissions for "${dirname(config.dbPath)}": ${error.message}`
+      );
+    }
+  }
+  const db = new Database(config.dbPath);
+  db.pragma("journal_mode = WAL");
+  db.pragma("foreign_keys = ON");
+  if (config.dbPath !== ":memory:") {
+    try {
+      hardenDbFilePermissions(config.dbPath);
+    } catch (error) {
+      db.close();
+      throw new Error(
+        `[basic-auth] Failed to secure DB file permissions for "${config.dbPath}": ${error.message}`
+      );
+    }
+  }
+  runMigrations(db);
+  dbSingleton = db;
+  return dbSingleton;
+}
+export function resetBasicAuthDbForTests() {
+  if (!dbSingleton) return;
+  dbSingleton.close();
+  dbSingleton = null;
+}

package/dist/runtime/server/db/schema.d.ts

@@ -0,0 +1,21 @@
+export interface BasicAuthAccount {
+    id: string;
+    email: string;
+    password_hash: string;
+    display_name: string | null;
+    token_version: number;
+    created_at: number;
+    updated_at: number;
+}
+export interface BasicAuthSession {
+    id: string;
+    account_id: string;
+    refresh_token_hash: string;
+    expires_at: number;
+    revoked_at: number | null;
+    created_at: number;
+    rotated_from_session_id: string | null;
+    replaced_by_session_id: string | null;
+    ip_address: string | null;
+    user_agent: string | null;
+}

package/dist/runtime/server/lib/config.d.ts

@@ -0,0 +1,22 @@
+export declare const BASIC_AUTH_INSECURE_DEV_ESCAPE_HATCH_ENV = "OR3_BASIC_AUTH_ALLOW_INSECURE_DEV";
+export interface BasicAuthConfig {
+    providerId: string;
+    enabled: boolean;
+    strict: boolean;
+    jwtSecret: string;
+    refreshSecret: string;
+    accessTtlSeconds: number;
+    refreshTtlSeconds: number;
+    dbPath: string;
+    bootstrapEmail?: string;
+    bootstrapPassword?: string;
+}
+export interface BasicAuthConfigDiagnostics {
+    isValid: boolean;
+    errors: string[];
+    warnings: string[];
+    config: BasicAuthConfig;
+}
+export declare function isBasicAuthInsecureDevEscapeHatchEnabled(): boolean;
+export declare function getBasicAuthConfig(runtimeConfig?: ReturnType<typeof useRuntimeConfig>): BasicAuthConfig;
+export declare function validateBasicAuthConfig(runtimeConfig?: ReturnType<typeof useRuntimeConfig>): BasicAuthConfigDiagnostics;

package/dist/runtime/server/lib/config.js

@@ -0,0 +1,94 @@
+import { resolve } from "node:path";
+import {
+  BASIC_AUTH_PROVIDER_ID,
+  DEFAULT_ACCESS_TTL_SECONDS,
+  DEFAULT_REFRESH_TTL_SECONDS
+} from "../../lib/constants.js";
+export const BASIC_AUTH_INSECURE_DEV_ESCAPE_HATCH_ENV = "OR3_BASIC_AUTH_ALLOW_INSECURE_DEV";
+function parsePositiveInt(input, fallback) {
+  if (!input) return fallback;
+  const parsed = Number(input);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return Math.floor(parsed);
+}
+function isStrictMode(runtimeConfig) {
+  if (process.env.OR3_STRICT_CONFIG === "true") return true;
+  if (process.env.NODE_ENV === "production") return true;
+  return runtimeConfig.auth?.strict === true;
+}
+export function isBasicAuthInsecureDevEscapeHatchEnabled() {
+  return process.env.NODE_ENV !== "production" && process.env[BASIC_AUTH_INSECURE_DEV_ESCAPE_HATCH_ENV] === "true";
+}
+export function getBasicAuthConfig(runtimeConfig) {
+  const config = runtimeConfig ?? useRuntimeConfig();
+  const enabled = config.auth?.enabled === true;
+  const providerId = config.auth?.provider || BASIC_AUTH_PROVIDER_ID;
+  const cwd = process.cwd();
+  const configuredDbPath = process.env.OR3_BASIC_AUTH_DB_PATH;
+  const dbPath = configuredDbPath ? configuredDbPath === ":memory:" ? ":memory:" : resolve(cwd, configuredDbPath) : resolve(cwd, ".data/or3-basic-auth.sqlite");
+  const jwtSecret = process.env.OR3_BASIC_AUTH_JWT_SECRET ?? "";
+  const refreshSecret = process.env.OR3_BASIC_AUTH_REFRESH_SECRET ?? "";
+  return {
+    providerId,
+    enabled,
+    strict: isStrictMode(config),
+    jwtSecret,
+    refreshSecret,
+    accessTtlSeconds: parsePositiveInt(
+      process.env.OR3_BASIC_AUTH_ACCESS_TTL_SECONDS,
+      DEFAULT_ACCESS_TTL_SECONDS
+    ),
+    refreshTtlSeconds: parsePositiveInt(
+      process.env.OR3_BASIC_AUTH_REFRESH_TTL_SECONDS,
+      DEFAULT_REFRESH_TTL_SECONDS
+    ),
+    dbPath,
+    bootstrapEmail: process.env.OR3_BASIC_AUTH_BOOTSTRAP_EMAIL,
+    bootstrapPassword: process.env.OR3_BASIC_AUTH_BOOTSTRAP_PASSWORD
+  };
+}
+export function validateBasicAuthConfig(runtimeConfig) {
+  const config = getBasicAuthConfig(runtimeConfig);
+  const errors = [];
+  const warnings = [];
+  if (!config.enabled) {
+    warnings.push("auth.enabled=false; basic-auth provider registration skipped.");
+  }
+  if (config.providerId !== BASIC_AUTH_PROVIDER_ID) {
+    warnings.push(`auth.provider=${config.providerId}; basic-auth provider remains idle.`);
+  }
+  if (!config.jwtSecret) {
+    errors.push("Missing OR3_BASIC_AUTH_JWT_SECRET.");
+  }
+  if (!config.refreshSecret) {
+    errors.push("Missing OR3_BASIC_AUTH_REFRESH_SECRET.");
+  }
+  if (config.accessTtlSeconds > DEFAULT_ACCESS_TTL_SECONDS) {
+    warnings.push(
+      `OR3_BASIC_AUTH_ACCESS_TTL_SECONDS=${config.accessTtlSeconds} is above recommended ${DEFAULT_ACCESS_TTL_SECONDS}s.`
+    );
+  }
+  if (config.refreshTtlSeconds <= config.accessTtlSeconds) {
+    warnings.push(
+      "Refresh TTL should be greater than access TTL for practical session refresh behavior."
+    );
+  }
+  if (config.bootstrapEmail && !config.bootstrapPassword || !config.bootstrapEmail && config.bootstrapPassword) {
+    warnings.push(
+      "Bootstrap account is partially configured. Set both OR3_BASIC_AUTH_BOOTSTRAP_EMAIL and OR3_BASIC_AUTH_BOOTSTRAP_PASSWORD."
+    );
+  }
+  if ((process.env.OR3_BASIC_AUTH_RATE_LIMIT_BACKEND ?? "").trim().toLowerCase() === "memory") {
+    warnings.push(
+      "OR3_BASIC_AUTH_RATE_LIMIT_BACKEND=memory uses per-process rate limiting and is unsafe for clustered deployments."
+    );
+  }
+  return {
+    isValid: errors.length === 0,
+    errors,
+    warnings,
+    config
+  };
+}

package/dist/runtime/server/lib/cookies.d.ts

@@ -0,0 +1,4 @@
+import { type H3Event } from 'h3';
+export declare function setAccessCookie(event: H3Event, token: string, maxAgeSeconds: number): void;
+export declare function setRefreshCookie(event: H3Event, token: string, maxAgeSeconds: number): void;
+export declare function clearAuthCookies(event: H3Event): void;

package/dist/runtime/server/lib/cookies.js

@@ -0,0 +1,42 @@
+import { setCookie, deleteCookie } from "h3";
+import {
+  ACCESS_COOKIE_NAME,
+  ACCESS_COOKIE_PATH,
+  REFRESH_COOKIE_NAME,
+  REFRESH_COOKIE_PATH
+} from "../../lib/constants.js";
+function isProduction() {
+  return process.env.NODE_ENV === "production";
+}
+export function setAccessCookie(event, token, maxAgeSeconds) {
+  setCookie(event, ACCESS_COOKIE_NAME, token, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isProduction(),
+    path: ACCESS_COOKIE_PATH,
+    maxAge: maxAgeSeconds
+  });
+}
+export function setRefreshCookie(event, token, maxAgeSeconds) {
+  setCookie(event, REFRESH_COOKIE_NAME, token, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isProduction(),
+    path: REFRESH_COOKIE_PATH,
+    maxAge: maxAgeSeconds
+  });
+}
+export function clearAuthCookies(event) {
+  deleteCookie(event, ACCESS_COOKIE_NAME, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isProduction(),
+    path: ACCESS_COOKIE_PATH
+  });
+  deleteCookie(event, REFRESH_COOKIE_NAME, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isProduction(),
+    path: REFRESH_COOKIE_PATH
+  });
+}

package/dist/runtime/server/lib/errors.d.ts

@@ -0,0 +1,4 @@
+export declare function createInvalidCredentialsError(): import("h3").H3Error<unknown>;
+export declare function createSessionExpiredError(): import("h3").H3Error<unknown>;
+export declare function createInvalidRequestError(): import("h3").H3Error<unknown>;
+export declare function createAuthNotConfiguredError(): import("h3").H3Error<unknown>;

package/dist/runtime/server/lib/errors.js

@@ -0,0 +1,25 @@
+import { createError } from "h3";
+export function createInvalidCredentialsError() {
+  return createError({
+    statusCode: 401,
+    statusMessage: "Invalid credentials"
+  });
+}
+export function createSessionExpiredError() {
+  return createError({
+    statusCode: 401,
+    statusMessage: "Session expired"
+  });
+}
+export function createInvalidRequestError() {
+  return createError({
+    statusCode: 400,
+    statusMessage: "Invalid request"
+  });
+}
+export function createAuthNotConfiguredError() {
+  return createError({
+    statusCode: 503,
+    statusMessage: "Authentication provider is not configured"
+  });
+}

package/dist/runtime/server/lib/jwt.d.ts

@@ -0,0 +1,37 @@
+import { getCookie } from 'h3';
+import { type JwtPayload } from 'jsonwebtoken';
+interface AccessClaimsInput {
+    sub: string;
+    sid: string;
+    ver: number;
+    email?: string;
+    display_name?: string | null;
+}
+export interface BasicAccessTokenClaims extends JwtPayload {
+    sub: string;
+    sid: string;
+    ver: number;
+    typ: 'access';
+    email?: string;
+    display_name?: string | null;
+}
+interface RefreshClaimsInput {
+    sub: string;
+    sid: string;
+    ver: number;
+}
+export interface BasicRefreshTokenClaims extends JwtPayload {
+    sub: string;
+    sid: string;
+    ver: number;
+    jti: string;
+    typ: 'refresh';
+}
+export declare function signAccessToken(input: AccessClaimsInput): Promise<string>;
+export declare function signRefreshToken(input: RefreshClaimsInput): Promise<string>;
+export declare function verifyAccessToken(token: string): Promise<BasicAccessTokenClaims | null>;
+export declare function verifyRefreshToken(token: string): Promise<BasicRefreshTokenClaims | null>;
+export declare function getAccessTokenFromEvent(event: Parameters<typeof getCookie>[0]): string | null;
+export declare function getRefreshTokenFromEvent(event: Parameters<typeof getCookie>[0]): string | null;
+export declare function hashRefreshToken(token: string): string;
+export {};