sentri 1.0.5 → 1.0.6

package/README.md

@@ -10,6 +10,7 @@ Auth and authorization library for Express + PostgreSQL. Provides JWT-based auth
 - [Quick Start](#quick-start)
 - [CLI](#cli)
 - [Configuration](#configuration)
+- [Custom Route Handlers](#custom-route-handlers)
 - [Adapter Interface](#adapter-interface)
 - [Pre-built Router](#pre-built-router)
 - [Middleware](#middleware)
@@ -115,6 +116,15 @@ export const auth = createAuth({
     // sameSite: 'strict',      // default: 'strict'
     // path: '/',               // default: '/'
   },
+
+  // router: {             // optional — replace built-in service logic per route
+  //   login: async (input) => { ... },
+  //   signup: async (input) => { ... },
+  //   refresh: async (refreshToken) => { ... },
+  //   logout: async (refreshToken) => { ... },
+  //   logoutAll: async (userId) => { ... },
+  //   assignRoles: async (userId, roles) => { ... },
+  // },
 });
 ```
 
@@ -124,6 +134,67 @@ When `cookie` is configured, the refresh token is stored in an httpOnly cookie a
 
 ---
 
+## Custom Route Handlers
+
+The `router` field in config lets you replace the built-in service logic for individual routes while the router still handles request parsing, input validation, and response formatting.
+
+Each key is optional — only override what you need. Any key you omit falls back to the built-in behaviour.
+
+```typescript
+import { createAuth, AuthError } from 'sentri';
+import type { AuthResult } from 'sentri';
+
+export const auth = createAuth({
+  secret: process.env.JWT_SECRET!,
+  validRoles: ['user', 'admin'] as const,
+  adapter: myAdapter,
+
+  router: {
+    // Add an OTP check before issuing tokens
+    login: async (input): Promise<AuthResult> => {
+      const otpVerified = await redis.get(`otp:${input.identifier}`);
+      if (!otpVerified) {
+        return { success: false, error: new AuthError('INVALID_CREDENTIALS', 'OTP required') };
+      }
+      return defaultLogin(input);
+    },
+
+    // Send a welcome email after signup
+    signup: async (input) => {
+      const result = await defaultSignup(input);
+      if (result.success) {
+        await emailService.sendWelcome(input.identifier);
+      }
+      return result;
+    },
+
+    // Audit-log every token rotation
+    refresh: async (refreshToken) => {
+      const result = await defaultRefresh(refreshToken);
+      if (result.success) {
+        await auditLog.record('token_rotated', result.user.id);
+      }
+      return result;
+    },
+  },
+});
+```
+
+### Available handler signatures
+
+| Key | Signature | Must return |
+|---|---|---|
+| `signup` | `(input: SignupInput) => Promise<SignupResult>` | `SignupResult` |
+| `login` | `(input: LoginInput) => Promise<AuthResult>` | `AuthResult` |
+| `refresh` | `(refreshToken: string) => Promise<RefreshResult>` | `RefreshResult` |
+| `logout` | `(refreshToken: string \| undefined) => Promise<void>` | `void` |
+| `logoutAll` | `(userId: string) => Promise<void>` | `void` |
+| `assignRoles` | `(userId: string, roles: string[]) => Promise<AssignRolesResult>` | `AssignRolesResult` |
+
+The router always validates the request body and URL parameters before calling any handler. Your function receives the already-validated, trimmed input.
+
+---
+
 ## Adapter Interface
 
 The adapter connects sentri to your database. Implement `AuthAdapter` for any ORM or data layer.
@@ -168,7 +239,7 @@ import { createAdapter } from './adapter.js';
 export const adapter = createAdapter(db);
 ```
 
-`createAdapter` throws an `AdapterConfigError` at runtime if called without a `db` argument.
+`createAdapter` throws `AuthError` with code `CONFIGURATION_ERROR` at runtime if called without a `db` argument.
 
 ---
 
@@ -284,11 +355,11 @@ Status:  200
 
 ### `auth.protect()`
 
-Verifies the `Authorization: Bearer <token>` header and injects `req.user` into the request.
+Verifies the `Authorization: Bearer <token>` header and injects `request.user` into the request.
 
 ```typescript
-router.get('/dashboard', auth.protect(), (req, res) => {
-  res.json(req.user); // { id, identifier, roles }
+router.get('/dashboard', auth.protect(), (request, response) => {
+  response.json(request.user); // { id, identifier, roles }
 });
 ```
 
@@ -341,43 +412,21 @@ router.delete(
 
 ## Programmatic API
 
-All methods are available on the auth client for use outside the built-in router.
+Token and password utilities are available on the auth client for use outside the built-in router.
 
 ```typescript
-// Auth
-const result = await auth.signup({ identifier: 'user@example.com', password: 'secret123' });
-const result = await auth.login({ identifier: 'user@example.com', password: 'secret123' });
-const result = await auth.refresh(refreshToken);
-await auth.logout(refreshToken);
-await auth.logoutAll(userId);
-
-// Roles
-const result = await auth.assignRoles(userId, ['admin']);
-// Merges with existing roles — result.user.roles has the full updated list
-
 // Token utilities
 const accessToken = auth.signAccessToken({ id, identifier, roles });
 const user = auth.verifyAccessToken(accessToken);         // throws AuthError if invalid
 const { sessionId } = auth.verifyRefreshToken(token);    // throws AuthError if invalid
+const refreshToken = auth.signRefreshToken(sessionId);
 
 // Password utilities
 const hash = await auth.hashPassword('secret123');
 const valid = await auth.verifyPassword('secret123', hash);
 ```
 
-All auth methods return a discriminated union — check `result.success` before accessing data:
-
-```typescript
-const result = await auth.login({ identifier, password });
-
-if (!result.success) {
-  console.error(result.error.code);   // 'INVALID_CREDENTIALS'
-  console.error(result.error.message);
-  return;
-}
-
-const { accessToken, refreshToken, user } = result;
-```
+`verifyAccessToken` and `verifyRefreshToken` throw `AuthError` with code `TOKEN_EXPIRED` or `TOKEN_INVALID` — wrap them in a try/catch or use the router which handles this automatically.
 
 ---
 
@@ -396,6 +445,7 @@ import type {
   ApiResponse,
   SignupInput,
   LoginInput,
+  RouterHandlers,
   UserRecord,
   SessionRecord,
   CreateUserData,
@@ -432,17 +482,17 @@ The built-in router converts all `AuthError` instances to the standard envelope
 ```typescript
 import { AuthError } from 'sentri';
 
-app.use((err, req, res, next) => {
-  if (err instanceof AuthError) {
+app.use((error, _request, response, next) => {
+  if (error instanceof AuthError) {
     const status =
-      err.code === 'UNAUTHORIZED' || err.code === 'TOKEN_EXPIRED' || err.code === 'TOKEN_INVALID' || err.code === 'INVALID_CREDENTIALS' ? 401
-      : err.code === 'FORBIDDEN' ? 403
-      : err.code === 'USER_NOT_FOUND' ? 404
-      : err.code === 'USER_ALREADY_EXISTS' ? 409
+      error.code === 'UNAUTHORIZED' || error.code === 'TOKEN_EXPIRED' || error.code === 'TOKEN_INVALID' || error.code === 'INVALID_CREDENTIALS' ? 401
+      : error.code === 'FORBIDDEN' ? 403
+      : error.code === 'USER_NOT_FOUND' ? 404
+      : error.code === 'USER_ALREADY_EXISTS' ? 409
       : 400;
 
-    return res.status(status).json({ error: true, statusCode: status, message: err.message, data: null });
+    return response.status(status).json({ error: true, statusCode: status, message: error.message, data: null });
   }
-  next(err);
+  next(error);
 });
 ```

package/dist/client.d.ts

@@ -1,5 +1,5 @@
 import type { PermitCheck, PermitOptions } from './middleware/permit.js';
-import type { AssignRolesResult, AuthConfig, AuthResult, AuthUser, LoginInput, RefreshResult, SignupInput, SignupResult } from './types/auth.js';
+import type { AuthConfig, AuthUser } from './types/auth.js';
 import type { RequestHandler, Router } from 'express';
 /**
  * The bound auth client returned by {@link createAuth}.
@@ -8,52 +8,9 @@ import type { RequestHandler, Router } from 'express';
  * you never need to pass config around yourself.
  *
  * `TRole` is inferred from `validRoles` and narrows role strings to your
- * application's exact union type everywhere (signup, authorize, req.user, etc.).
+ * application's exact union type everywhere (authorize, req.user, etc.).
  */
 export interface AuthClient<TRole extends string = string> {
-    /**
-     * Register a new user.
-     *
-     * Validates that every requested role is in `validRoles`, rejects duplicate
-     * identifiers, hashes the password, creates the user record, and returns the
-     * created user. No tokens are issued — call `login` after signup.
-     */
-    signup(input: SignupInput<TRole>): Promise<SignupResult<TRole>>;
-    /**
-     * Authenticate an existing user by email and password.
-     *
-     * On success, creates a new session and returns an access + refresh token pair.
-     * Returns `{ success: false, error }` with code `INVALID_CREDENTIALS` on any
-     * mismatch (intentionally vague to prevent user enumeration).
-     */
-    login(input: LoginInput): Promise<AuthResult<TRole>>;
-    /**
-     * Exchange a valid refresh token for a new access + refresh token pair.
-     *
-     * Verifies the JWT, looks up the session in the database, checks expiry,
-     * then **rotates** the session: the old session is deleted and a new one is
-     * created. Old refresh tokens are immediately invalidated.
-     */
-    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
-    /**
-     * Invalidate a single session identified by the refresh token.
-     *
-     * Safe to call even if the token is already expired — it will simply
-     * attempt a DB delete and resolve.
-     */
-    logout(refreshToken: string): Promise<void>;
-    /**
-     * Delete all sessions for a user, effectively logging them out of every device.
-     *
-     * @param userId - The user's primary key as stored in the database.
-     */
-    logoutAll(userId: string): Promise<void>;
-    /**
-     * Add roles to another user. Merges the given roles with the user's existing
-     * roles (no duplicates). The built-in router exposes this as
-     * `POST /users/:userId/roles` and restricts it to users with the `admin` role.
-     */
-    assignRoles(userId: string, roles: string[]): Promise<AssignRolesResult<TRole>>;
     /**
      * Express middleware factory that enforces authentication.
      *
@@ -77,36 +34,6 @@ export interface AuthClient<TRole extends string = string> {
      * router.delete('/posts/:id', auth.protect(), auth.authorize('admin'), handler);
      */
     authorize(...roles: TRole[]): RequestHandler;
-    /** Hash a plain-text password using the configured `saltRounds`. */
-    hashPassword(plain: string): Promise<string>;
-    /** Compare a plain-text password against a stored bcrypt hash. */
-    verifyPassword(plain: string, hash: string): Promise<boolean>;
-    /** Sign an access token for the given user payload. */
-    signAccessToken(payload: AuthUser<TRole>): string;
-    /** Sign a refresh token bound to a session ID. */
-    signRefreshToken(sessionId: string): string;
-    /** Verify and decode an access token. Throws `AuthError` if invalid or expired. */
-    verifyAccessToken(token: string): AuthUser<TRole>;
-    /** Verify and decode a refresh token. Throws `AuthError` if invalid or expired. */
-    verifyRefreshToken(token: string): {
-        sessionId: string;
-    };
-    /**
-     * Returns a pre-built Express Router with all standard auth endpoints mounted:
-     *
-     * - `POST /signup` — register, returns `{ user }`
-     * - `POST /login` — authenticate, sets refresh token cookie, returns `{ accessToken, user }`
-     * - `POST /refresh` — reads refresh token from cookie, returns `{ accessToken }`
-     * - `POST /logout` — invalidate current session
-     * - `POST /logout-all` — invalidate all sessions (requires valid access token)
-     *
-     * Requires `express.json()` to be applied before the router.
-     *
-     * @example
-     * app.use(express.json());
-     * app.use('/auth', auth.router());
-     */
-    router(): Router;
     /**
      * Express middleware factory for resource-level permission checks.
      *
@@ -140,6 +67,38 @@ export interface AuthClient<TRole extends string = string> {
      */
     permit(check: PermitCheck): RequestHandler;
     permit(options: PermitOptions<TRole>): RequestHandler;
+    /** Hash a plain-text password using the configured `saltRounds`. */
+    hashPassword(plain: string): Promise<string>;
+    /** Compare a plain-text password against a stored bcrypt hash. */
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    /** Sign an access token for the given user payload. */
+    signAccessToken(payload: AuthUser<TRole>): string;
+    /** Sign a refresh token bound to a session ID. */
+    signRefreshToken(sessionId: string): string;
+    /** Verify and decode an access token. Throws `AuthError` if invalid or expired. */
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    /** Verify and decode a refresh token. Throws `AuthError` if invalid or expired. */
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    /**
+     * Returns a pre-built Express Router with all standard auth endpoints mounted:
+     *
+     * - `POST /signup` — register a user, returns `{ user }`
+     * - `POST /login` — authenticate, sets refresh token cookie, returns `{ accessToken, user }`
+     * - `POST /refresh` — reads refresh token from cookie, returns `{ accessToken }`
+     * - `POST /logout` — invalidate current session
+     * - `POST /logout-all` — invalidate all sessions (requires valid access token)
+     * - `GET  /me` — return the authenticated user
+     * - `POST /users/:userId/roles` — assign roles (requires admin)
+     *
+     * Requires `express.json()` to be applied before the router.
+     *
+     * @example
+     * app.use(express.json());
+     * app.use('/auth', auth.router());
+     */
+    router(): Router;
 }
 /**
  * Create a fully configured auth client for your application.

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EACV,iBAAiB,EACjB,UAAU,EACV,UAAU,EACV,QAAQ,EACR,UAAU,EACV,aAAa,EACb,WAAW,EACX,YAAY,EACb,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;OAMG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;IAEhE;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAErD;;;;;;OAMG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D;;;;;OAKG;IACH,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5C;;;;OAIG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC;;;;OAIG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;IAEhF;;;;;;;;;;OAUG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;OAcG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;CACvD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAsBnB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;OAUG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,IAAI,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAgBnB"}

package/dist/client.js

@@ -1,7 +1,6 @@
 import { hashPassword, verifyPassword } from './libs/hash.js';
 import { signAccessToken, signRefreshToken, verifyAccessToken, verifyRefreshToken } from './libs/token.js';
 import { resolveConfig, validateConfig } from './libs/config.js';
-import { signup, login, refresh, logout, logoutAll, assignRoles } from './services/auth.js';
 import { protect } from './middleware/protect.js';
 import { authorize } from './middleware/authorize.js';
 import { permit } from './middleware/permit.js';
@@ -29,12 +28,6 @@ export function createAuth(config) {
     validateConfig(config);
     const resolved = resolveConfig(config);
     return {
-        signup: (input) => signup(input, config),
-        login: (input) => login(input, config),
-        refresh: (refreshToken) => refresh(refreshToken, config),
-        logout: (refreshToken) => logout(refreshToken, config),
-        logoutAll: (userId) => logoutAll(userId, config),
-        assignRoles: (userId, roles) => assignRoles(userId, roles, config),
         protect: () => protect(config),
         authorize: (...roles) => authorize(...roles),
         hashPassword: (plain) => hashPassword(plain, resolved.saltRounds),

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAC5F,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAwK1D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAoB,EAAE,MAAoB,CAAiC;QACrG,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,MAAoB,CAA+B;QAClF,OAAO,EAAE,CAAC,YAAY,EAAE,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,MAAoB,CAAkC;QACvG,MAAM,EAAE,CAAC,YAAY,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,MAAoB,CAAC;QACpE,SAAS,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAoB,CAAC;QAC9D,WAAW,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,MAAoB,CAAsC;QACrH,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;KACvF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAgH1D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;KACvF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -6,7 +6,7 @@ declare global {
         }
     }
 }
-export type { AuthConfig, CookieConfig, AuthUser, AuthResult, SignupResult, AssignRolesResult, RefreshResult, ApiResponse, SignupInput, LoginInput, AuthAdapter, UserRecord, SessionRecord, CreateUserData, } from './types/auth.js';
+export type { AuthConfig, CookieConfig, AuthUser, ApiResponse, AuthAdapter, UserRecord, SessionRecord, CreateUserData, RouterHandlers, SignupInput, LoginInput, SignupResult, AuthResult, RefreshResult, AssignRolesResult, } from './types/auth.js';
 export type { AuthErrorCode } from './errors/AuthError.js';
 export type { AuthClient } from './client.js';
 export { AuthError } from './errors/AuthError.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,WAAW,EACX,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,GACf,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AA+BA,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAgCA,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC"}

package/dist/libs/config.d.ts

@@ -1,4 +1,9 @@
 import type { AuthAdapter, AuthConfig } from '../types/auth.js';
+/**
+ * Fully-resolved configuration with all optional fields filled in by
+ * their defaults. Produced by {@link resolveConfig} and used internally
+ * wherever the library needs guaranteed values.
+ */
 export interface ResolvedConfig {
     secret: string;
     accessExpiresIn: string | number;
@@ -9,10 +14,49 @@ export interface ResolvedConfig {
     adapter: AuthAdapter;
 }
 /**
- * Validates config at startup so misconfiguration is caught immediately,
+ * Validate configuration at startup so misconfiguration is caught immediately,
  * not at the first login attempt.
+ *
+ * Throws {@link AuthError} with code `CONFIGURATION_ERROR` for any of:
+ * - `secret` missing or shorter than 32 characters
+ * - `saltRounds` outside the range 10–31
+ * - `validRoles` is empty or missing
+ * - `adapter` is missing
+ *
+ * @param config - The raw config passed to {@link createAuth}.
+ * @throws {AuthError} With code `CONFIGURATION_ERROR` on any invalid field.
  */
 export declare function validateConfig(config: AuthConfig): void;
+/**
+ * Merge a partial {@link AuthConfig} with library defaults and return a
+ * fully-resolved configuration object.
+ *
+ * Does **not** validate the config — call {@link validateConfig} first.
+ *
+ * Defaults applied:
+ * - `accessExpiresIn` → `'15m'`
+ * - `refreshExpiresIn` → `'7d'`
+ * - `algorithm` → `'HS256'`
+ * - `saltRounds` → `12`
+ *
+ * @param partial - The raw config passed to {@link createAuth}.
+ * @returns A {@link ResolvedConfig} with every field guaranteed to be present.
+ */
 export declare function resolveConfig(partial: AuthConfig): ResolvedConfig;
+/**
+ * Convert a duration string or a number of seconds into milliseconds.
+ *
+ * Supported unit suffixes: `s` (seconds), `m` (minutes), `h` (hours),
+ * `d` (days), `w` (weeks). Numeric inputs are treated as seconds.
+ *
+ * @example
+ * parseExpiry('15m')  // 900_000
+ * parseExpiry('7d')   // 604_800_000
+ * parseExpiry(60)     // 60_000
+ *
+ * @param expiresIn - A duration string (e.g. `'15m'`, `'7d'`) or a number of seconds.
+ * @returns The equivalent duration in milliseconds.
+ * @throws {Error} If the string format is unrecognised.
+ */
 export declare function parseExpiry(expiresIn: string | number): number;
 //# sourceMappingURL=config.d.ts.map

package/dist/libs/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,SAAS,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,OAAO,EAAE,WAAW,CAAC;CACtB;AAMD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CA0BvD;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,cAAc,CAUjE;AAGD,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAkB9D"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEhE;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,SAAS,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,OAAO,EAAE,WAAW,CAAC;CACtB;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CA0BvD;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,cAAc,CAUjE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAkB9D"}

package/dist/libs/config.js

@@ -3,8 +3,17 @@ const MIN_SECRET_LENGTH = 32;
 const MIN_SALT_ROUNDS = 10;
 const MAX_SALT_ROUNDS = 31;
 /**
- * Validates config at startup so misconfiguration is caught immediately,
+ * Validate configuration at startup so misconfiguration is caught immediately,
  * not at the first login attempt.
+ *
+ * Throws {@link AuthError} with code `CONFIGURATION_ERROR` for any of:
+ * - `secret` missing or shorter than 32 characters
+ * - `saltRounds` outside the range 10–31
+ * - `validRoles` is empty or missing
+ * - `adapter` is missing
+ *
+ * @param config - The raw config passed to {@link createAuth}.
+ * @throws {AuthError} With code `CONFIGURATION_ERROR` on any invalid field.
  */
 export function validateConfig(config) {
     if (!config.secret || config.secret.trim().length === 0) {
@@ -24,6 +33,21 @@ export function validateConfig(config) {
         throw new AuthError('CONFIGURATION_ERROR', 'adapter is required');
     }
 }
+/**
+ * Merge a partial {@link AuthConfig} with library defaults and return a
+ * fully-resolved configuration object.
+ *
+ * Does **not** validate the config — call {@link validateConfig} first.
+ *
+ * Defaults applied:
+ * - `accessExpiresIn` → `'15m'`
+ * - `refreshExpiresIn` → `'7d'`
+ * - `algorithm` → `'HS256'`
+ * - `saltRounds` → `12`
+ *
+ * @param partial - The raw config passed to {@link createAuth}.
+ * @returns A {@link ResolvedConfig} with every field guaranteed to be present.
+ */
 export function resolveConfig(partial) {
     return {
         secret: partial.secret,
@@ -35,7 +59,21 @@ export function resolveConfig(partial) {
         adapter: partial.adapter,
     };
 }
-// Parses '15m', '7d', '1h', '30s', '2w' → milliseconds
+/**
+ * Convert a duration string or a number of seconds into milliseconds.
+ *
+ * Supported unit suffixes: `s` (seconds), `m` (minutes), `h` (hours),
+ * `d` (days), `w` (weeks). Numeric inputs are treated as seconds.
+ *
+ * @example
+ * parseExpiry('15m')  // 900_000
+ * parseExpiry('7d')   // 604_800_000
+ * parseExpiry(60)     // 60_000
+ *
+ * @param expiresIn - A duration string (e.g. `'15m'`, `'7d'`) or a number of seconds.
+ * @returns The equivalent duration in milliseconds.
+ * @throws {Error} If the string format is unrecognised.
+ */
 export function parseExpiry(expiresIn) {
     if (typeof expiresIn === 'number')
         return expiresIn * 1000;

package/dist/libs/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAanD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,2BAA2B,iBAAiB,0CAA0C,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,eAAe,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;QAClG,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,yCAAyC,eAAe,QAAQ,eAAe,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,2CAA2C,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAmB;IAC/C,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,KAAK;QACjD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,IAAI;QAClD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,EAAE;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,SAA0B;IACpD,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,OAAO,SAAS,GAAG,IAAI,CAAC;IAC3D,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,SAAS;QACZ,CAAC,EAAE,UAAU;QACb,CAAC,EAAE,WAAW;KACf,CAAC;IACF,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;AACvC,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/libs/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAkBnD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,2BAA2B,iBAAiB,0CAA0C,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,eAAe,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;QAClG,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,yCAAyC,eAAe,QAAQ,eAAe,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,2CAA2C,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,aAAa,CAAC,OAAmB;IAC/C,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,KAAK;QACjD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,IAAI;QAClD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,EAAE;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,SAA0B;IACpD,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,OAAO,SAAS,GAAG,IAAI,CAAC;IAC3D,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,SAAS;QACZ,CAAC,EAAE,UAAU;QACb,CAAC,EAAE,WAAW;KACf,CAAC;IACF,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,gCAAgC,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;AACvC,CAAC"}

package/dist/libs/hash.d.ts

@@ -1,3 +1,17 @@
+/**
+ * Hash a plain-text password using bcrypt.
+ *
+ * @param plain - The raw password string supplied by the user.
+ * @param saltRounds - bcrypt cost factor; higher values increase security at the cost of speed.
+ * @returns The bcrypt hash string to persist in the database.
+ */
 export declare function hashPassword(plain: string, saltRounds?: number): Promise<string>;
+/**
+ * Compare a plain-text password against a stored bcrypt hash.
+ *
+ * @param plain - The raw password string to verify.
+ * @param hash - The stored bcrypt hash from the database.
+ * @returns `true` if the password matches the hash, `false` otherwise.
+ */
 export declare function verifyPassword(plain: string, hash: string): Promise<boolean>;
 //# sourceMappingURL=hash.d.ts.map

package/dist/libs/hash.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAEA,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAElF;AAED,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAElF"}
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAElF;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAElF"}

package/dist/libs/hash.js

@@ -1,7 +1,21 @@
 import bcrypt from 'bcrypt';
+/**
+ * Hash a plain-text password using bcrypt.
+ *
+ * @param plain - The raw password string supplied by the user.
+ * @param saltRounds - bcrypt cost factor; higher values increase security at the cost of speed.
+ * @returns The bcrypt hash string to persist in the database.
+ */
 export async function hashPassword(plain, saltRounds = 12) {
     return bcrypt.hash(plain, saltRounds);
 }
+/**
+ * Compare a plain-text password against a stored bcrypt hash.
+ *
+ * @param plain - The raw password string to verify.
+ * @param hash - The stored bcrypt hash from the database.
+ * @returns `true` if the password matches the hash, `false` otherwise.
+ */
 export async function verifyPassword(plain, hash) {
     return bcrypt.compare(plain, hash);
 }

package/dist/libs/hash.js.map

@@ -1 +1 @@
-{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,UAAU,GAAG,EAAE;IAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,IAAY;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC"}
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/libs/hash.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,UAAU,GAAG,EAAE;IAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,IAAY;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC"}

package/dist/libs/token.d.ts

@@ -1,7 +1,44 @@
 import type { AuthConfig, AuthUser } from '../types/auth.js';
+/**
+ * Sign a short-lived access token containing the user's identity and roles.
+ *
+ * Uses the access-specific secret derived from config and the configured
+ * `accessExpiresIn` duration and HMAC algorithm.
+ *
+ * @param payload - The {@link AuthUser} payload to embed (id, identifier, roles).
+ * @param config - Auth configuration used to derive the secret and options.
+ * @returns Compact JWT string.
+ */
 export declare function signAccessToken(payload: AuthUser, config: AuthConfig): string;
+/**
+ * Sign a long-lived refresh token bound to a specific session ID.
+ *
+ * Uses the refresh-specific secret derived from config and the configured
+ * `refreshExpiresIn` duration. The session ID is embedded as the sole claim
+ * so the token can be used to look up and rotate the session.
+ *
+ * @param sessionId - The database session ID to bind to this token.
+ * @param config - Auth configuration used to derive the secret and options.
+ * @returns Compact JWT string.
+ */
 export declare function signRefreshToken(sessionId: string, config: AuthConfig): string;
+/**
+ * Verify an access token and return its decoded {@link AuthUser} payload.
+ *
+ * @param token - Compact JWT access token string.
+ * @param config - Auth configuration used to derive the secret and algorithm.
+ * @returns Decoded `AuthUser` payload (id, identifier, roles).
+ * @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+ */
 export declare function verifyAccessToken(token: string, config: AuthConfig): AuthUser;
+/**
+ * Verify a refresh token and return the embedded session ID.
+ *
+ * @param token - Compact JWT refresh token string.
+ * @param config - Auth configuration used to derive the secret and algorithm.
+ * @returns Object with `sessionId` matching the one passed to {@link signRefreshToken}.
+ * @throws {AuthError} With `TOKEN_EXPIRED` if expired, `TOKEN_INVALID` otherwise.
+ */
 export declare function verifyRefreshToken(token: string, config: AuthConfig): {
     sessionId: string;
 };

package/dist/libs/token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AA2C7D,wBAAgB,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI7E;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI9E;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,CAI7E;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAI3F"}
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/libs/token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAqE7D;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI7E;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAI9E;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,CAI7E;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAI3F"}