sentri 1.1.2 → 2.0.0

package/dist/index.js

@@ -1,5 +1 @@
-export { SentriError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
-export { createAuth } from './client.js';
-export { createErrorHandler } from './middleware/errorHandler.js';
-export { register } from './services/auth.js';
-//# sourceMappingURL=index.js.map
+import W from'bcrypt';import K from'jsonwebtoken';import {Router}from'express';var Y=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500}),i=class extends Error{code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??Y[r]??500;}};async function D(e,r=12){return W.hash(e,r)}async function H(e,r){return W.compare(e,r)}var J=new WeakMap,Q=32,ee=10,re=31;function se(e){if(!e.secret||e.secret.trim().length===0)throw new i("CONFIGURATION_ERROR","secret must not be empty");if(e.secret.length<Q)throw new i("CONFIGURATION_ERROR",`secret must be at least ${Q} characters to be cryptographically safe`);let r=e.saltRounds??12;if(!Number.isInteger(r)||r<ee||r>re)throw new i("CONFIGURATION_ERROR",`saltRounds must be an integer between ${ee} and ${re}`);if(!e.validRoles||e.validRoles.length===0)throw new i("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.adapter)throw new i("CONFIGURATION_ERROR","adapter is required")}function h(e){let r=J.get(e);if(r)return r;let t={secret:e.secret,accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",algorithm:e.algorithm??"HS256",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),adapter:e.adapter,cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return J.set(e,t),t}var Re=/^(\d+)([smhdw])$/,ge={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},te=new Map;function T(e){if(typeof e=="number")return e*1e3;let r=te.get(e);if(r!==void 0)return r;let t=Re.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=ge[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let a=parseInt(t[1],10)*s;return te.set(e,a),a}var oe=new Map,ne=new Map;function P(e){let r=oe.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},oe.set(e,r)),r}function ie(e,r,t,s){let a=`${t}:${s}`,n=ne.get(a);return n||(n={expiresIn:t,algorithm:s},ne.set(a,n)),K.sign(e,r,n)}function ae(e,r,t){try{let s=K.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new i("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof i?s:s instanceof K.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function x(e,r){let t=h(r),{access:s}=P(t.secret);return ie(e,s,t.accessExpiresIn,t.algorithm)}function v(e,r){let t=h(r),{refresh:s}=P(t.secret);return ie({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}function b(e,r){let t=h(r),{access:s}=P(t.secret);return ae(e,s,t.algorithm)}function N(e,r){let t=h(r),{refresh:s}=P(t.secret);return ae(e,s,t.algorithm)}function I(e){return h(e).cookieName}function E(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let a=e.indexOf(";",s),n=a===-1?e.length:a;if(e.startsWith(t,s))return e.slice(s+t.length,n);s=n+1;}}function O(e,r,t){let s=t.cookie??{},a=h(t),n=T(a.refreshExpiresIn);e.cookie(I(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:n});}function L(e,r){let t=r.cookie??{};e.clearCookie(I(r),{path:t.path??"/"});}function M(e){return h(e).accessCookieName}function S(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,a=h(t),n=T(a.accessExpiresIn);e.cookie(M(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:n});}function X(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(M(r),{path:t.path??"/"});}function _(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):E(e.headers.cookie,M(r))}async function Z(e,r){let t=h(r),s=e.roles??[],a=s.filter(u=>!t.validRolesSet.has(u));if(a.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let n=e.identifier.trim();if(await t.adapter.user.findByIdentifier(n))return {success:false,error:new i("USER_ALREADY_EXISTS","User already exists")};let f=await D(e.password,t.saltRounds);return {success:true,user:{id:(await t.adapter.user.create({identifier:n,passwordHash:f,roles:s})).id,identifier:n,roles:s}}}async function ue(e,r){let t=h(r),s=await t.adapter.user.findByIdentifier(e.identifier.trim());if(!s)return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};if(!await H(e.password,s.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let n=new Date(Date.now()+T(t.refreshExpiresIn)),c=await t.adapter.session.create({userId:s.id,expiresAt:n}),f={id:s.id,identifier:s.identifier,roles:s.roles},m=x({id:s.id,identifier:s.identifier,roles:s.roles,sessionId:c.id},r),o=v(c.id,r);return {success:true,accessToken:m,refreshToken:o,user:f}}async function j(e,r){let t=h(r),s;try{({sessionId:s}=N(e,r));}catch(u){return u instanceof i?{success:false,error:u}:{success:false,error:new i("TOKEN_INVALID","Invalid refresh token")}}let a=await t.adapter.session.findById(s);if(!a)return {success:false,error:new i("UNAUTHORIZED","Session not found or revoked")};if(a.expiresAt.getTime()<Date.now())return await t.adapter.session.delete(s),{success:false,error:new i("TOKEN_EXPIRED","Session has expired")};await t.adapter.session.delete(s);let n=new Date(Date.now()+T(t.refreshExpiresIn)),c=await t.adapter.session.create({userId:a.userId,expiresAt:n}),f={id:a.user.id,identifier:a.user.identifier,roles:a.user.roles},m=x({id:f.id,identifier:f.identifier,roles:f.roles,sessionId:c.id},r),o=v(c.id,r);return {success:true,accessToken:m,refreshToken:o,user:f}}async function ce(e,r){let t;try{({sessionId:t}=N(e,r));}catch{return}await h(r).adapter.session.delete(t);}async function de(e,r){await h(r).adapter.session.deleteAllForUser(e);}async function le(e,r,t){let s=h(t),a=r.filter(m=>!s.validRolesSet.has(m));if(a.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let n=await s.adapter.user.findById(e);if(!n)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let c=new Set(n.roles);for(let m of r)c.add(m);let f=Array.from(c);return await s.adapter.user.updateRoles(e,f),{success:true,user:{id:n.id,identifier:n.identifier,roles:f}}}function k(e){return async(r,t,s)=>{let a=_(r,e);if(!a)return s(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let n=b(a,e);if(e.isTokenRevoked&&await e.isTokenRevoked(n.sessionId))return s(new i("UNAUTHORIZED","Token has been revoked"));r.user={id:n.id,identifier:n.identifier,roles:n.roles},s();}catch(n){if(n instanceof i&&n.code==="TOKEN_EXPIRED"){let c=E(r.headers.cookie,I(e));if(!c)return s(new i("UNAUTHORIZED","Token expired. Please login again."));try{let f=await j(c,e);if(!f.success)return s(new i("UNAUTHORIZED","Session expired. Please login again."));O(t,f.refreshToken,e),S(t,f.accessToken,e),t.setHeader("X-New-Access-Token",f.accessToken),r.user=f.user,s();}catch{s(new i("UNAUTHORIZED","Session expired. Please login again."));}}else s(n);}}}function F(...e){let r=`Requires one of roles: ${e.join(", ")}`;return (t,s,a)=>{if(!t.user)return a(new i("UNAUTHORIZED","Not authenticated"));let n=t.user.roles;if(!e.some(c=>n.includes(c)))return a(new i("FORBIDDEN",r));a();}}var Ae=new i("FORBIDDEN","You do not have permission to perform this action");function fe(e){let r=typeof e=="function"?{check:e}:e;return async(t,s,a)=>{if(!t.user)return a(new i("UNAUTHORIZED","Not authenticated"));if(r.roles&&r.roles.length>0){let n=t.user.roles;if(r.roles.some(c=>n.includes(c)))return a()}try{let n=r.check(t);(n instanceof Promise?await n:n)?a():a(Ae);}catch(n){a(n);}}}var pe=8,q=72,$=255;function y(e){return new i("VALIDATION_ERROR",e)}function C(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}function U(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}function z(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new i("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}function Ie(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new i("UNAUTHORIZED","Invalid or missing API key")}function B(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}function he(e){let r=Router(),t=e,s=e.router?.register??(o=>Z(o,t)),a=e.router?.login??(o=>ue(o,t)),n=e.router?.refresh??(o=>j(o,t)),c=e.router?.logout??(o=>o!==void 0?ce(o,t):Promise.resolve()),f=e.router?.logoutAll??(o=>de(o,t)),m=e.router?.assignRoles??((o,u)=>le(o,u,t));return r.post("/register",async(o,u,p)=>{try{Ie(o,e);let d=z(o.body),{identifier:l,password:g,roles:A}=d;if(typeof l!="string"||l.trim().length===0)throw y("identifier is required and must be a non-empty string");if(l.length>$)throw y(`identifier must not exceed ${$} characters`);if(typeof g!="string"||g.length<pe)throw y(`password is required and must be at least ${pe} characters`);if(g.length>q)throw y(`password must not exceed ${q} characters`);if(A!==void 0&&!Array.isArray(A))throw y("roles must be an array of strings when provided");if(Array.isArray(A)&&!A.every(me=>typeof me=="string"))throw y("each role must be a string");let R=Array.isArray(A)?A:void 0,w=R!==void 0?{identifier:l.trim(),password:g,roles:R}:{identifier:l.trim(),password:g},V=await s(w);if(!V.success){U(u,V.error);return}C(u,201,"User registered successfully",{user:V.user});}catch(d){p(d);}}),r.post("/login",async(o,u,p)=>{try{let d=z(o.body),{identifier:l,password:g}=d;if(typeof l!="string"||l.trim().length===0)throw y("identifier is required and must be a non-empty string");if(l.length>$)throw y(`identifier must not exceed ${$} characters`);if(typeof g!="string"||g.length===0)throw y("password is required");if(g.length>q)throw y(`password must not exceed ${q} characters`);let A=l.trim(),R=await a({identifier:A,password:g});if(!R.success){B(()=>e.hooks?.onFailedLogin?.(A,R.error)),U(u,R.error);return}B(()=>e.hooks?.onLogin?.(R.user)),O(u,R.refreshToken,e),S(u,R.accessToken,e),C(u,200,"Login successful",{accessToken:R.accessToken,user:R.user});}catch(d){p(d);}}),r.post("/refresh",async(o,u,p)=>{try{let d=E(o.headers.cookie,I(e));if(!d)throw new i("UNAUTHORIZED","Refresh token cookie is missing");let l=await n(d);if(!l.success){L(u,e),U(u,l.error);return}O(u,l.refreshToken,e),S(u,l.accessToken,e),C(u,200,"Token refreshed",{accessToken:l.accessToken});}catch(d){p(d);}}),r.post("/logout",async(o,u,p)=>{try{let d=E(o.headers.cookie,I(e));await c(d),L(u,e),X(u,e),C(u,200,"Logged out",null);}catch(d){p(d);}}),r.post("/logout-all",k(e),async(o,u,p)=>{try{let d=o.user.id;await f(d),B(()=>e.hooks?.onLogout?.(d)),L(u,e),X(u,e),C(u,200,"All sessions revoked",null);}catch(d){p(d);}}),r.get("/me",k(e),(o,u)=>{C(u,200,"OK",o.user);}),r.post("/users/:userId/roles",k(e),F("admin"),async(o,u,p)=>{try{let d=z(o.body),{roles:l}=d,g=o.params.userId,A=typeof g=="string"?g:void 0;if(!A)throw y("userId is required");if(!Array.isArray(l)||l.length===0)throw y("roles must be a non-empty array of strings");if(!l.every(w=>typeof w=="string"))throw y("each role must be a string");let R=await m(A,l);if(!R.success){U(u,R.error);return}C(u,200,"Roles assigned successfully",{user:R.user});}catch(d){p(d);}}),r.use((o,u,p,d)=>{o instanceof i?U(p,o):p.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}),r}function G(e){return (r,t,s,a)=>{if(r instanceof i){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,message:"Internal server error",data:null});}}function Ce(e){se(e);let r=h(e);return {protect:()=>k(e),authorize:(...t)=>F(...t),permit:t=>fe(t),hashPassword:t=>D(t,r.saltRounds),verifyPassword:(t,s)=>H(t,s),signAccessToken:t=>x(t,e),signRefreshToken:t=>v(t,e),verifyAccessToken:t=>b(t,e),verifyRefreshToken:t=>N(t,e),getCurrentAccessToken:t=>_(t,e),router:()=>he(e),errorHandler:t=>G(t)}}function we(e){let r=e?.ttl??3e5,t=Math.max(r,5e3),s=(e?.header??"X-Idempotency-Key").toLowerCase(),a=new Set((e?.methods??["POST","PUT","PATCH"]).map(m=>m.toUpperCase())),n=e?.maxSize??1e4,c=new Map,f=setInterval(()=>{let m=Date.now();for(let[o,u]of c)u.expiresAt<=m&&c.delete(o);},t);return typeof f=="object"&&f!==null&&"unref"in f&&f.unref(),(m,o,u)=>{let p=m.headers[s];if(!p||typeof p!="string"||!a.has(m.method))return u();m.requestId=p,o.setHeader("X-Request-Id",p);let d=Date.now(),l=c.get(p);if(l&&l.expiresAt>d)return o.setHeader("X-Idempotent-Replayed","true"),o.status(l.statusCode).json(l.body);let g=o.json.bind(o);o.json=function(R){if(o.statusCode>=200&&o.statusCode<300){if(c.size>=n){let w=c.keys().next().value;w!==void 0&&c.delete(w);}c.set(p,{statusCode:o.statusCode,body:R,expiresAt:Date.now()+r});}return g(R)},u();}}export{Y as AUTH_ERROR_STATUS,i as SentriError,Ce as createAuth,G as createErrorHandler,we as createIdempotencyMiddleware,_ as getCurrentAccessToken,Z as register};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sentri",
-  "version": "1.1.2",
+  "version": "2.0.0",
   "description": "Personal auth/authorization library for Express + Postgres",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -20,7 +20,8 @@
     "templates"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsup",
+    "build:types": "tsc --emitDeclarationOnly",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage"
@@ -44,18 +45,24 @@
     "@vitest/coverage-v8": "^4.1.9",
     "express": "^5.2.1",
     "supertest": "^7.2.2",
+    "tsup": "^8.5.1",
     "tsx": "^4.22.4",
     "typescript": "^6.0.3",
     "vitest": "^4.1.9"
   },
   "dependencies": {
-    "@prisma/adapter-pg": "^7.8.0",
-    "@prisma/client": "^7.8.0",
     "bcrypt": "^6.0.0",
-    "jsonwebtoken": "^9.0.3",
-    "sentri": "^1.0.6"
+    "jsonwebtoken": "^9.0.3"
   },
   "peerDependencies": {
     "express": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@prisma/client": {
+      "optional": true
+    },
+    "drizzle-orm": {
+      "optional": true
+    }
   }
 }

package/templates/drizzle/auth.ts

@@ -13,11 +13,23 @@ export const auth = createAuth({
   secret: process.env.JWT_SECRET!,
   validRoles: ['user', 'admin'] as const,
   adapter: createAdapter(db),
-  // accessExpiresIn: '15m',
+  accessExpiresIn: '5m',  // short-lived; silent refresh happens automatically in protect()
   // refreshExpiresIn: '7d',
   // algorithm: 'HS256',
   // saltRounds: 12,
   // apiKey: process.env.REGISTER_API_KEY, // when set, POST /register requires X-Api-Key header
+
+  // Access token stored in a non-httpOnly cookie — browser JS can read it via
+  // document.cookie or getCurrentAccessToken(req). protect() reads from this
+  // cookie automatically when no Authorization header is present.
+  accessCookie: {
+    secure: process.env.NODE_ENV === 'production',
+    // name: 'access_token',
+    // sameSite: 'strict',
+    // path: '/',
+  },
+
+  // Refresh token stored in an httpOnly cookie — not readable by JS.
   cookie: {
     secure: process.env.NODE_ENV === 'production',
     // name: 'refresh_token',
@@ -25,9 +37,31 @@ export const auth = createAuth({
     // sameSite: 'strict',
     // path: '/',
   },
+
+  // hooks: {
+  //   // Fired after every successful login — good for audit logs, notifications.
+  //   onLogin: async (user) => {
+  //     await auditLog.record('login', user.id);
+  //   },
+  //   // Fired after every failed login — good for rate limiting, alerting.
+  //   onFailedLogin: (identifier, error) => {
+  //     rateLimiter.hit(`login:${identifier}`);
+  //   },
+  //   // Fired after logout (single session or all sessions).
+  //   onLogout: async (userId) => {
+  //     await cache.invalidate(userId);
+  //   },
+  // },
+
+  // isTokenRevoked: async (sessionId) => {
+  //   // Optional: immediate revocation via Redis (called on every protected request).
+  //   // Keep this fast — a slow check negates the performance benefit of stateless JWTs.
+  //   return await redis.sismember('revoked_sessions', sessionId);
+  // },
+
   // router: {
   //   register: async (input) => {
-  //     // custom register logic — must return SignupResult
+  //     // custom register logic — must return RegisterResult
   //   },
   //   login: async (input) => {
   //     // custom login logic — must return AuthResult
@@ -50,19 +84,28 @@ export const auth = createAuth({
 // --- Express app setup ---
 //
 // import express from 'express';
-// import { SentriError } from 'sentri';
+// import { SentriError, createIdempotencyMiddleware, getCurrentAccessToken } from 'sentri';
 //
 // const app = express();
 // app.use(express.json());
 //
+// // Optional: make create/update operations idempotent via X-Idempotency-Key header
+// app.use(createIdempotencyMiddleware());
+//
 // // Mount the auth router (POST /auth/register, /auth/login, etc.)
 // app.use('/auth', auth.router());
 //
-// // Your own routes — throw SentriError (or any subclass) and errorHandler catches them
+// // Your own routes — protect() reads token from Authorization header OR access_token cookie
 // app.get('/protected', auth.protect(), (req, res) => {
 //   res.json(req.user);
 // });
 //
+// // Read the raw access token if needed (header → cookie fallback)
+// app.get('/debug', (req, res) => {
+//   const token = auth.getCurrentAccessToken(req); // or: getCurrentAccessToken(req, config)
+//   res.json({ hasToken: !!token });
+// });
+//
 // // Domain-specific error by extending SentriError
 // class NotFoundError extends SentriError {
 //   constructor(resource: string) {

package/templates/prisma/auth.ts

@@ -16,11 +16,23 @@ export const auth = createAuth({
   secret: process.env.JWT_SECRET!,
   validRoles: ['user', 'admin'] as const,
   adapter: createAdapter(prisma),
-  // accessExpiresIn: '15m',
+  accessExpiresIn: '5m',  // short-lived; silent refresh happens automatically in protect()
   // refreshExpiresIn: '7d',
   // algorithm: 'HS256',
   // saltRounds: 12,
   // apiKey: process.env.REGISTER_API_KEY, // when set, POST /register requires X-Api-Key header
+
+  // Access token stored in a non-httpOnly cookie — browser JS can read it via
+  // document.cookie or getCurrentAccessToken(req). protect() reads from this
+  // cookie automatically when no Authorization header is present.
+  accessCookie: {
+    secure: process.env.NODE_ENV === 'production',
+    // name: 'access_token',
+    // sameSite: 'strict',
+    // path: '/',
+  },
+
+  // Refresh token stored in an httpOnly cookie — not readable by JS.
   cookie: {
     secure: process.env.NODE_ENV === 'production',
     // name: 'refresh_token',
@@ -28,9 +40,31 @@ export const auth = createAuth({
     // sameSite: 'strict',
     // path: '/',
   },
+
+  // hooks: {
+  //   // Fired after every successful login — good for audit logs, notifications.
+  //   onLogin: async (user) => {
+  //     await auditLog.record('login', user.id);
+  //   },
+  //   // Fired after every failed login — good for rate limiting, alerting.
+  //   onFailedLogin: (identifier, error) => {
+  //     rateLimiter.hit(`login:${identifier}`);
+  //   },
+  //   // Fired after logout (single session or all sessions).
+  //   onLogout: async (userId) => {
+  //     await cache.invalidate(userId);
+  //   },
+  // },
+
+  // isTokenRevoked: async (sessionId) => {
+  //   // Optional: immediate revocation via Redis (called on every protected request).
+  //   // Keep this fast — a slow check negates the performance benefit of stateless JWTs.
+  //   return await redis.sismember('revoked_sessions', sessionId);
+  // },
+
   // router: {
   //   register: async (input) => {
-  //     // custom register logic — must return SignupResult
+  //     // custom register logic — must return RegisterResult
   //   },
   //   login: async (input) => {
   //     // custom login logic — must return AuthResult
@@ -53,19 +87,28 @@ export const auth = createAuth({
 // --- Express app setup ---
 //
 // import express from 'express';
-// import { SentriError } from 'sentri';
+// import { SentriError, createIdempotencyMiddleware, getCurrentAccessToken } from 'sentri';
 //
 // const app = express();
 // app.use(express.json());
 //
+// // Optional: make create/update operations idempotent via X-Idempotency-Key header
+// app.use(createIdempotencyMiddleware());
+//
 // // Mount the auth router (POST /auth/register, /auth/login, etc.)
 // app.use('/auth', auth.router());
 //
-// // Your own routes — throw SentriError (or any subclass) and errorHandler catches them
+// // Your own routes — protect() reads token from Authorization header OR access_token cookie
 // app.get('/protected', auth.protect(), (req, res) => {
 //   res.json(req.user);
 // });
 //
+// // Read the raw access token if needed (header → cookie fallback)
+// app.get('/debug', (req, res) => {
+//   const token = auth.getCurrentAccessToken(req); // or: getCurrentAccessToken(req, config)
+//   res.json({ hasToken: !!token });
+// });
+//
 // // Domain-specific error by extending SentriError
 // class NotFoundError extends SentriError {
 //   constructor(resource: string) {

package/dist/cli.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACtF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,MAAM,QAAQ,GAAG,CAAC,UAAU,CAAU,CAAC;AAGvC,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAU,CAAC;AAG5C,SAAS,IAAI;IACX,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;CAUb,CAAC,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CACzB,YAAoB,EACpB,WAAmB,EACnB,eAAuB,EACvB,KAAa;IAEb,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO;IACtC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,YAAY,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,MAAM,eAAe,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;QAC9E,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;YACrB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1D,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACpD,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,MAAM,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,oBAAoB,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAuB;IACvC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAU,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,KAAK,CAAC,mDAAmD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;IAClE,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;IACzE,MAAM,kBAAkB,GAAG,IAAI,CAAC,oBAAoB,EAAE,YAAY,CAAC,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;IAC9D,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;IAExE,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,yBAAyB,GAAG,uCAAuC,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,UAAU,CAAC,kBAAkB,CAAC,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QAClE,OAAO,CAAC,KAAK,CAAC,6FAA6F,CAAC,CAAC;QAC7G,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,SAAS,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,YAAY,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,EAAE,kBAAkB,CAAC,CAAC;IACxE,YAAY,CAAC,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;IAE9C,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrB,kBAAkB,CAChB,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,EAC7D,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,eAAe,CAAC,EAC9C,QAAQ,EACR,sBAAsB,CACvB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,kBAAkB,CAChB,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,EACpC,IAAI,CAAC,oBAAoB,EAAE,WAAW,CAAC,EACvC,SAAS,EACT,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,aAAa,CACX,iBAAiB,EACjB,kGAAkG,CACnG,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3B,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,iFAAiF,CAAC,CAAC;QAC/F,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;IACxF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAAC;QACrG,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;QACtF,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,EAAE,AAAD,EAAG,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;AAE5C,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;IACzD,IAAI,EAAE,CAAC;IACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAkB,CAAC,EAAE,CAAC;IAC3C,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;IAC7C,IAAI,EAAE,CAAC;IACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IACnD,IAAI,EAAE,CAAC;IACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,IAAI,OAAO,KAAK,UAAU;IAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC"}

package/dist/client.d.ts

@@ -1,160 +0,0 @@
-import type { PermitCheck, PermitOptions } from './middleware/permit.js';
-import type { ErrorHandlerOptions } from './middleware/errorHandler.js';
-import type { AuthConfig, AuthUser } from './types/auth.js';
-import type { ErrorRequestHandler, RequestHandler, Router } from 'express';
-/**
- * The bound auth client returned by {@link createAuth}.
- *
- * All methods are pre-configured with the options passed to `createAuth` —
- * you never need to pass config around yourself.
- *
- * `TRole` is inferred from `validRoles` and narrows role strings to your
- * application's exact union type everywhere (authorize, req.user, etc.).
- */
-export interface AuthClient<TRole extends string = string> {
-    /**
-     * Express middleware factory that enforces authentication.
-     *
-     * Reads the `Authorization: Bearer <token>` header, verifies the access token,
-     * confirms the session is still active in the database, and injects the decoded
-     * payload as `request.user`. Calls `next(SentriError)` on any failure.
-     *
-     * @example
-     * router.get('/me', auth.protect(), (request, response) => {
-     *   response.json(request.user);
-     * });
-     */
-    protect(): RequestHandler;
-    /**
-     * Express middleware factory that enforces role-based access.
-     *
-     * Must be used **after** `protect()`. Passes if the authenticated user has
-     * at least one of the specified roles; otherwise calls `next(SentriError)` with
-     * code `FORBIDDEN`.
-     *
-     * @example
-     * router.delete('/posts/:id', auth.protect(), auth.authorize('admin'), handler);
-     */
-    authorize(...roles: TRole[]): RequestHandler;
-    /**
-     * Express middleware factory for resource-level permission checks.
-     *
-     * Must be used **after** `protect()`. Evaluates a check function against the
-     * current request and calls `next(SentriError)` with `FORBIDDEN` if it returns `false`.
-     *
-     * Accepts either a bare check function or an options object with an optional
-     * `roles` list whose members bypass the check entirely.
-     *
-     * @example
-     * // User can only update their own profile
-     * router.put('/users/:id',
-     *   auth.protect(),
-     *   auth.permit((request) => request.user!.id === request.params['id']),
-     *   handler,
-     * );
-     *
-     * @example
-     * // Admins bypass the check; others must own the resource
-     * router.delete('/posts/:id',
-     *   auth.protect(),
-     *   auth.permit({
-     *     roles: ['admin'],
-     *     check: async (request) => {
-     *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
-     *       return post?.authorId === request.user!.id;
-     *     },
-     *   }),
-     *   handler,
-     * );
-     */
-    permit(check: PermitCheck): RequestHandler;
-    permit(options: PermitOptions<TRole>): RequestHandler;
-    /** Hash a plain-text password using the configured `saltRounds`. */
-    hashPassword(plain: string): Promise<string>;
-    /** Compare a plain-text password against a stored bcrypt hash. */
-    verifyPassword(plain: string, hash: string): Promise<boolean>;
-    /** Sign an access token for the given user payload. */
-    signAccessToken(payload: AuthUser<TRole>): string;
-    /** Sign a refresh token bound to a session ID. */
-    signRefreshToken(sessionId: string): string;
-    /** Verify and decode an access token. Throws `SentriError` if invalid or expired. */
-    verifyAccessToken(token: string): AuthUser<TRole>;
-    /** Verify and decode a refresh token. Throws `SentriError` if invalid or expired. */
-    verifyRefreshToken(token: string): {
-        sessionId: string;
-    };
-    /**
-     * Returns a pre-built Express Router with all standard auth endpoints mounted.
-     *
-     * Endpoints:
-     * - `POST /register` — register a new user. Requires `X-Api-Key` header when `config.apiKey` is set.
-     * - `POST /login` — authenticate, sets refresh token cookie, returns `{ accessToken, user }`
-     * - `POST /refresh` — rotate refresh token, returns new `{ accessToken }`
-     * - `POST /logout` — delete the current session; the bound access token is immediately rejected by `protect()`
-     * - `POST /logout-all` — delete all sessions for the user (requires valid access token)
-     * - `GET  /me` — return the authenticated user
-     * - `POST /users/:userId/roles` — assign roles (requires admin)
-     *
-     * Requires `express.json()` before the router.
-     *
-     * @example
-     * app.use(express.json());
-     * app.use('/auth', auth.router());
-     */
-    router(): Router;
-    /**
-     * Returns an Express error-handling middleware that formats every `SentriError`
-     * (and any subclass) into the standard sentri response envelope:
-     *
-     * ```json
-     * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
-     * ```
-     *
-     * Mount it **after all your routes** so it acts as the global catch-all for
-     * both sentri errors and your own `SentriError` subclasses.
-     *
-     * @example
-     * import { SentriError } from 'sentri';
-     *
-     * // Define app-specific errors by extending SentriError
-     * class NotFoundError extends SentriError {
-     *   constructor(resource: string) {
-     *     super('NOT_FOUND', `${resource} not found`, 404);
-     *   }
-     * }
-     *
-     * app.use('/auth', auth.router());
-     * app.use('/api', apiRouter);
-     *
-     * // Catches errors from sentri AND your own subclasses
-     * app.use(auth.errorHandler());
-     *
-     * @example
-     * // With optional unhandled-error logger
-     * app.use(auth.errorHandler({
-     *   onUnhandled: (err) => logger.error('Unexpected error', { err }),
-     * }));
-     */
-    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
-}
-/**
- * Create a fully configured auth client for your application.
- *
- * Pass your config once here and use the returned client everywhere — it
- * binds all library functions to your settings so you never need to pass
- * config manually.
- *
- * The generic parameter `TRole` is inferred automatically from `validRoles`
- * when you use `as const`:
- *
- * @example
- * export const auth = createAuth({
- *   secret: process.env.JWT_SECRET!,
- *   validRoles: ['user', 'admin', 'moderator'] as const,
- *   adapter: myAdapter,
- * });
- *
- * // auth.authorize('admin') is type-safe — 'superuser' would be a compile error.
- */
-export declare function createAuth<TRole extends string = string>(config: AuthConfig<TRole>): AuthClient<TRole>;
-//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAE3E;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;;OAWG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,qFAAqF;IACrF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,qFAAqF;IACrF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,YAAY,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAAC;CAClE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAiBnB"}

package/dist/client.js

@@ -1,45 +0,0 @@
-import { hashPassword, verifyPassword } from './libs/hash.js';
-import { signAccessToken, signRefreshToken, verifyAccessToken, verifyRefreshToken } from './libs/token.js';
-import { resolveConfig, validateConfig } from './libs/config.js';
-import { protect } from './middleware/protect.js';
-import { authorize } from './middleware/authorize.js';
-import { permit } from './middleware/permit.js';
-import { createAuthRouter } from './middleware/router.js';
-import { createErrorHandler } from './middleware/errorHandler.js';
-/**
- * Create a fully configured auth client for your application.
- *
- * Pass your config once here and use the returned client everywhere — it
- * binds all library functions to your settings so you never need to pass
- * config manually.
- *
- * The generic parameter `TRole` is inferred automatically from `validRoles`
- * when you use `as const`:
- *
- * @example
- * export const auth = createAuth({
- *   secret: process.env.JWT_SECRET!,
- *   validRoles: ['user', 'admin', 'moderator'] as const,
- *   adapter: myAdapter,
- * });
- *
- * // auth.authorize('admin') is type-safe — 'superuser' would be a compile error.
- */
-export function createAuth(config) {
-    validateConfig(config);
-    const resolved = resolveConfig(config);
-    return {
-        protect: () => protect(config),
-        authorize: (...roles) => authorize(...roles),
-        permit: (optionsOrCheck) => permit(optionsOrCheck),
-        hashPassword: (plain) => hashPassword(plain, resolved.saltRounds),
-        verifyPassword: (plain, hash) => verifyPassword(plain, hash),
-        signAccessToken: (payload) => signAccessToken(payload, config),
-        signRefreshToken: (sessionId) => signRefreshToken(sessionId, config),
-        verifyAccessToken: (token) => verifyAccessToken(token, config),
-        verifyRefreshToken: (token) => verifyRefreshToken(token, config),
-        router: () => createAuthRouter(config),
-        errorHandler: (options) => createErrorHandler(options),
-    };
-}
-//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAsJlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB;IAEzB,cAAc,CAAC,MAAoB,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAoB,CAAC,CAAC;IAErD,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAoB,CAAC;QAC5C,SAAS,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QAC5C,MAAM,EAAE,CAAC,cAAkD,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC;QACtF,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC;QACjE,cAAc,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5D,eAAe,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAmB,EAAE,MAAoB,CAAC;QACxF,gBAAgB,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAoB,CAAC;QAClF,iBAAiB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAoB,CAAoB;QAC/F,kBAAkB,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAoB,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACtC,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC;KACvD,CAAC;AACJ,CAAC"}

package/dist/errors/AuthError.d.ts

@@ -1,99 +0,0 @@
-/**
- * Discriminant codes for built-in {@link SentriError} instances.
- *
- * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
- * - `USER_NOT_FOUND` — an operation required a user that does not exist
- * - `USER_ALREADY_EXISTS` — registration was attempted with an identifier already in the database
- * - `TOKEN_EXPIRED` — the JWT was valid but its `exp` claim is in the past
- * - `TOKEN_INVALID` — the JWT could not be verified (bad signature, malformed, wrong type)
- * - `FORBIDDEN` — the user is authenticated but lacks the required role
- * - `UNAUTHORIZED` — no valid access token was present on the request, or the session was revoked
- * - `INVALID_ROLE` — a role name was used that is not in `validRoles`
- * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
- * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
- *
- * When you extend {@link SentriError} for your own error types you can use any
- * string as `code` — it does not need to be one of these built-in values.
- */
-export type SentriErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
-/**
- * Default HTTP status codes for built-in error codes.
- * Custom codes that are not in this map default to 500.
- *
- * @internal
- */
-export declare const AUTH_ERROR_STATUS: Record<string, number>;
-/**
- * Base error class for all authentication and authorization failures in sentri.
- *
- * Every error thrown by sentri is an instance of `SentriError`. The `code`
- * property is a machine-readable string that lets you distinguish error
- * types without string-matching on the message. Built-in codes are listed
- * in {@link SentriErrorCode}; custom subclasses may use any string.
- *
- * The `statusCode` property holds the HTTP status that the built-in router
- * and `auth.errorHandler()` will use in the response. For built-in codes
- * it is derived automatically. Pass it explicitly when subclassing with a
- * custom code.
- *
- * ---
- *
- * **Extending SentriError**
- *
- * You can create application-specific error classes by extending `SentriError`.
- * Any subclass will be caught automatically by `auth.errorHandler()` because
- * `instanceof SentriError` is `true` for all subclasses.
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Domain error with a custom code and explicit HTTP status
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // Throw it anywhere in your routes — auth.errorHandler() catches it
- * router.post('/checkout', auth.protect(), async (req, res) => {
- *   const ok = await chargeCard(req.body.cardToken);
- *   if (!ok) throw new PaymentError('Card declined');
- *   res.json({ success: true });
- * });
- * ```
- *
- * ---
- *
- * **Error handling in custom routes**
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Mount after all routes — catches SentriError from sentri AND your subclasses
- * app.use(auth.errorHandler());
- * ```
- */
-export declare class SentriError extends Error {
-    /**
-     * Machine-readable error code.
-     * Built-in codes are defined by {@link SentriErrorCode}.
-     * Custom subclasses may use any string.
-     */
-    readonly code: string;
-    /**
-     * HTTP status code associated with this error.
-     * Derived automatically for built-in codes; pass it explicitly when
-     * subclassing with a custom `code`.
-     */
-    readonly statusCode: number;
-    /**
-     * @param code - Machine-readable error code. Use a built-in {@link SentriErrorCode}
-     *   or any string for custom subclasses.
-     * @param message - Human-readable description of the error.
-     * @param statusCode - HTTP status to use in the response. For built-in codes
-     *   this is derived automatically; for custom codes it defaults to `500`.
-     */
-    constructor(code: SentriErrorCode | (string & {}), message: string, statusCode?: number);
-}
-//# sourceMappingURL=AuthError.d.ts.map

package/dist/errors/AuthError.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,eAAe,GACvB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAWpD,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,qBAAa,WAAY,SAAQ,KAAK;IACpC;;;;OAIG;IACH,SAAgB,IAAI,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,SAAgB,UAAU,EAAE,MAAM,CAAC;IAEnC;;;;;;OAMG;gBAED,IAAI,EAAE,eAAe,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,EACrC,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM;CAOtB"}