sentri 1.1.2 → 2.1.0

package/dist/index.d.ts

@@ -1,18 +1,552 @@
-import type { AuthUser } from './types/auth.js';
+import { Dialect } from 'kysely';
+import { Request, ErrorRequestHandler, RequestHandler, Router } from 'express';
+
+/**
+ * Discriminant codes for built-in {@link SentriError} instances.
+ *
+ * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
+ * - `USER_NOT_FOUND` — an operation required a user that does not exist
+ * - `USER_ALREADY_EXISTS` — registration was attempted with an identifier already in the database
+ * - `TOKEN_EXPIRED` — the JWT was valid but its `exp` claim is in the past
+ * - `TOKEN_INVALID` — the JWT could not be verified (bad signature, malformed, wrong type)
+ * - `FORBIDDEN` — the user is authenticated but lacks the required role
+ * - `UNAUTHORIZED` — no valid access token was present on the request, or the session was revoked
+ * - `INVALID_ROLE` — a role name was used that is not in `validRoles`
+ * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
+ * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
+ *
+ * When you extend {@link SentriError} for your own error types you can use any
+ * string as `code` — it does not need to be one of these built-in values.
+ */
+type SentriErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
+/**
+ * Default HTTP status codes for built-in error codes.
+ * Custom codes not in this map default to 500.
+ *
+ * @internal
+ */
+declare const SENTRI_ERROR_STATUS: Record<string, number>;
+/**
+ * Base error class for all authentication and authorization failures in sentri.
+ *
+ * Every error thrown by sentri is an instance of `SentriError`. The `code`
+ * property is a machine-readable string that lets you distinguish error
+ * types without string-matching on the message. Built-in codes are listed
+ * in {@link SentriErrorCode}; custom subclasses may use any string.
+ *
+ * The `statusCode` property holds the HTTP status that the built-in router
+ * and `auth.errorHandler()` will use in the response. For built-in codes
+ * it is derived automatically. Pass it explicitly when subclassing with a
+ * custom code.
+ *
+ * ---
+ *
+ * **Extending SentriError**
+ *
+ * You can create application-specific error classes by extending `SentriError`.
+ * Any subclass will be caught automatically by `auth.errorHandler()` because
+ * `instanceof SentriError` is `true` for all subclasses.
+ *
+ * ```typescript
+ * import { SentriError } from 'sentri';
+ *
+ * export class PaymentError extends SentriError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
+ *   }
+ * }
+ *
+ * router.post('/checkout', auth.protect(), async (req, res) => {
+ *   const ok = await chargeCard(req.body.cardToken);
+ *   if (!ok) throw new PaymentError('Card declined');
+ *   res.json({ success: true });
+ * });
+ * ```
+ *
+ * ---
+ *
+ * **Error handling in custom routes**
+ *
+ * ```typescript
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Mount after all routes — catches SentriError from sentri AND your subclasses
+ * app.use(auth.errorHandler());
+ * ```
+ */
+declare class SentriError extends Error {
+    /**
+     * Machine-readable error code.
+     * Built-in codes are defined by {@link SentriErrorCode}.
+     * Custom subclasses may use any string.
+     */
+    readonly code: string;
+    /**
+     * HTTP status code associated with this error.
+     * Derived automatically for built-in codes; pass it explicitly when
+     * subclassing with a custom `code`.
+     */
+    readonly statusCode: number;
+    constructor(code: SentriErrorCode | (string & {}), message: string, statusCode?: number);
+}
+
+interface ApiResponse<T = null> {
+    error: boolean;
+    statusCode: number;
+    message: string;
+    data: T | null;
+}
+interface AuthUser<TRole extends string = string> {
+    id: string;
+    identifier: string;
+    roles: TRole[];
+}
+type RegisterResult<TRole extends string = string> = {
+    success: true;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+type AuthResult<TRole extends string = string> = {
+    success: true;
+    accessToken: string;
+    refreshToken: string;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+type AssignRolesResult<TRole extends string = string> = {
+    success: true;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+type GetUserResult<TRole extends string = string> = {
+    success: true;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+type ChangeIdentifierResult<TRole extends string = string> = {
+    success: true;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+type ChangePasswordResult = {
+    success: true;
+} | {
+    success: false;
+    error: SentriError;
+};
+type RefreshResult<TRole extends string = string> = {
+    success: true;
+    accessToken: string;
+    refreshToken: string;
+    user: AuthUser<TRole>;
+} | {
+    success: false;
+    error: SentriError;
+};
+interface RegisterInput<TRole extends string = string> {
+    identifier: string;
+    password: string;
+    roles?: TRole[];
+}
+interface LoginInput {
+    identifier: string;
+    password: string;
+}
+interface CookieConfig {
+    name?: string;
+    httpOnly?: boolean;
+    secure?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    path?: string;
+}
+interface AccessCookieConfig {
+    name?: string;
+    secure?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    path?: string;
+}
+interface AuthHooks {
+    onLogin?: (user: AuthUser) => void | Promise<void>;
+    onFailedLogin?: (identifier: string, error: SentriError) => void | Promise<void>;
+    onLogout?: (userId: string) => void | Promise<void>;
+}
+interface RouterHandlers {
+    register?: (input: RegisterInput) => Promise<RegisterResult>;
+    login?: (input: LoginInput) => Promise<AuthResult>;
+    refresh?: (refreshToken: string) => Promise<RefreshResult>;
+    logout?: (refreshToken: string | undefined) => Promise<void>;
+    logoutAll?: (userId: string) => Promise<void>;
+    assignRoles?: (userId: string, roles: string[]) => Promise<AssignRolesResult>;
+    changeIdentifier?: (userId: string, newIdentifier: string) => Promise<ChangeIdentifierResult>;
+    changePassword?: (userId: string, currentPassword: string, newPassword: string) => Promise<ChangePasswordResult>;
+}
+interface ServerAuthConfig<TRole extends string = string> {
+    mode: 'server';
+    /** Kysely Dialect (e.g. PostgresDialect, MysqlDialect, SqliteDialect). */
+    dialect: Dialect;
+    /**
+     * JWT signing secret.
+     * - HS256/HS384/HS512: plain string, minimum 32 characters.
+     * - RS256/RS384/RS512: RSA private key in PEM format.
+     */
+    secret: string;
+    /**
+     * JWT signing algorithm.
+     * Use RS256/RS384/RS512 to enable the GET /keys endpoint for SSO.
+     * @default 'HS256'
+     */
+    algorithm?: 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512';
+    validRoles: readonly TRole[];
+    /** @default '15m' */
+    accessExpiresIn?: string | number;
+    /** @default '7d' */
+    refreshExpiresIn?: string | number;
+    /** @default 12 */
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    /**
+     * Redis connection URL (e.g. `redis://localhost:6379`).
+     * When set, `auth.idempotencyMiddleware()` uses Redis as the cache backend
+     * instead of an in-memory Map — required for multi-process deployments.
+     */
+    redisUrl?: string;
+}
+interface ClientAuthConfig<TRole extends string = string> {
+    mode: 'client';
+    /** URL of the auth server's public key endpoint (e.g. https://auth.myapp.com/auth/keys). */
+    keyUri: string;
+    /** Optional — only needed for TypeScript type safety on authorize(). */
+    validRoles?: readonly TRole[];
+}
+type AuthConfig<TRole extends string = string> = ServerAuthConfig<TRole> | ClientAuthConfig<TRole>;
+
+/** A function that determines whether the current request is permitted. */
+type PermitCheck = (request: Request) => boolean | Promise<boolean>;
+/**
+ * Options for {@link permit} when you need role-bypass alongside a resource check.
+ *
+ * @example
+ * // Admins can edit any post; others only their own
+ * auth.permit({
+ *   roles: ['admin'],
+ *   check: async (request) => {
+ *     const post = await db.findPost(request.params['id']);
+ *     return post?.authorId === request.user!.id;
+ *   },
+ * })
+ */
+interface PermitOptions<TRole extends string> {
+    /**
+     * Roles whose members are granted access without running `check`.
+     * Use for privileged roles like `'admin'` that should bypass ownership checks.
+     */
+    roles?: TRole[];
+    /**
+     * Permission check executed when the user has none of the bypass `roles`.
+     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
+     * May be async — useful for database-backed ownership checks.
+     */
+    check: PermitCheck;
+}
+
+/**
+ * Options for {@link createErrorHandler}.
+ */
+interface ErrorHandlerOptions {
+    /**
+     * Called for errors that are **not** a `SentriError` instance (or subclass).
+     *
+     * Use this to log unexpected server errors before the generic 500 response
+     * is sent. The error is passed as-is and may be any unknown value.
+     *
+     * @example
+     * app.use(auth.errorHandler({
+     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
+     * }));
+     */
+    onUnhandled?: (error: unknown) => void;
+}
+/**
+ * Creates an Express error-handling middleware that formats every `SentriError`
+ * (including subclasses) into the standard sentri response envelope:
+ *
+ * ```json
+ * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
+ * ```
+ *
+ * Prefer using `auth.errorHandler()` instead of calling this directly:
+ *
+ * ```typescript
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Must come after all route/middleware registrations
+ * app.use(auth.errorHandler());
+ * ```
+ *
+ * ---
+ *
+ * **Works with built-in sentri errors and your own subclasses**
+ *
+ * Because `instanceof SentriError` matches any subclass, you can define
+ * application-specific error types and have them automatically formatted
+ * by this handler:
+ *
+ * ```typescript
+ * import { SentriError } from 'sentri';
+ *
+ * // Extend SentriError for domain-specific failures
+ * export class NotFoundError extends SentriError {
+ *   constructor(resource: string) {
+ *     super('NOT_FOUND', `${resource} not found`, 404);
+ *   }
+ * }
+ *
+ * export class PaymentError extends SentriError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
+ *   }
+ * }
+ *
+ * // All of the above are caught and formatted by one handler
+ * app.use(auth.errorHandler({
+ *   onUnhandled: (err) => console.error('Unexpected error:', err),
+ * }));
+ * ```
+ *
+ * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
+ * @returns An Express `ErrorRequestHandler` (4-argument middleware).
+ */
+declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+
+interface IdempotencyOptions {
+    /** @default 300_000 (5 minutes) */
+    ttl?: number;
+    /** @default 'X-Idempotency-Key' */
+    header?: string;
+    /** @default ['POST', 'PUT', 'PATCH'] */
+    methods?: string[];
+    /**
+     * Max in-memory entries (ignored when redisUrl is set).
+     * @default 10_000
+     */
+    maxSize?: number;
+    /**
+     * Redis connection URL (e.g. `redis://localhost:6379`).
+     * When set, uses Redis as the cache backend instead of in-memory Map.
+     */
+    redisUrl?: string;
+}
+/**
+ * Middleware that deduplicates non-idempotent requests.
+ *
+ * When a request arrives with a matching idempotency key header, the cached
+ * response is replayed immediately — the handler is not called again.
+ * Responses are only cached for 2xx status codes.
+ *
+ * Two backends are available:
+ * - **In-memory** (default) — zero dependencies, single-process only.
+ * - **Redis** — set `redisUrl` to share state across processes/instances.
+ *
+ * When using `createAuthServer()`, prefer `auth.idempotencyMiddleware()` instead —
+ * it automatically inherits the `redisUrl` from server config.
+ *
+ * @example
+ * // Standalone usage
+ * app.use(createIdempotencyMiddleware({ ttl: 60_000 }));
+ *
+ * @example
+ * // Multi-process (Redis)
+ * app.use(createIdempotencyMiddleware({ redisUrl: 'redis://localhost:6379' }));
+ */
+declare function createIdempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+
+interface AuthClient<TRole extends string = string> {
+    /** JWT authentication middleware. Reads Bearer token or access_token cookie. */
+    protect(): RequestHandler;
+    /** Role-based access middleware. Must follow protect(). */
+    authorize(...roles: TRole[]): RequestHandler;
+    /** Resource-level permission middleware. Must follow protect(). */
+    permit(check: PermitCheck): RequestHandler;
+    permit(options: PermitOptions<TRole>): RequestHandler;
+    /** Global error handler middleware. Mount after all routes. */
+    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+}
+interface ServerAuthClient<TRole extends string = string> extends AuthClient<TRole> {
+    /** Hash a plain-text password. */
+    hashPassword(plain: string): Promise<string>;
+    /** Compare a plain-text password against a bcrypt hash. */
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    /** Sign an access token. */
+    signAccessToken(payload: AuthUser<TRole>): string;
+    /** Sign a refresh token. */
+    signRefreshToken(sessionId: string): string;
+    /** Verify an access token. */
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    /** Verify a refresh token. */
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    /** Extract the raw access token from an Express request. */
+    getCurrentAccessToken(request: Request): string | undefined;
+    /**
+     * Pre-built Express Router with auth endpoints:
+     * POST /register, POST /login, POST /refresh, POST /logout,
+     * POST /logout-all, GET /me, POST /users/:userId/roles,
+     * GET /keys (only when algorithm is RS256/RS384/RS512)
+     */
+    router(): Router;
+    /**
+     * Run database migrations to create sentri_users and sentri_sessions tables.
+     * Safe to call on every startup — uses IF NOT EXISTS.
+     */
+    migrate(): Promise<void>;
+    /**
+     * Idempotency middleware. Caches successful responses and replays them for
+     * duplicate requests with the same idempotency key header.
+     * Uses Redis backend when `redisUrl` is set in server config; otherwise in-memory.
+     */
+    idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+    /** Register a new user. */
+    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
+    /** Authenticate a user, returns access + refresh tokens. */
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    /** Rotate a refresh token, returns new token pair. */
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    /** Invalidate the session associated with the given refresh token. */
+    logout(refreshToken: string): Promise<void>;
+    /** Invalidate all sessions for a user. */
+    logoutAll(userId: string): Promise<void>;
+    /** Fetch a user by ID. Returns `success: false` if not found. */
+    getUser(userId: string): Promise<GetUserResult<TRole>>;
+    /** Change a user's identifier (username/email). */
+    changeIdentifier(userId: string, newIdentifier: string): Promise<ChangeIdentifierResult<TRole>>;
+    /** Change a user's password and revoke all their sessions. */
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
+    /** Add roles to a user (existing roles are preserved). */
+    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
+}
+interface ClientAuthClient<TRole extends string = string> extends AuthClient<TRole> {
+}
+/**
+ * Create a Sentri auth client.
+ *
+ * Pass `mode: 'server'` to get a full auth server with database, JWT signing,
+ * and built-in endpoints. Pass `mode: 'client'` to get a stateless verifier
+ * that validates tokens via the server's JWKS endpoint.
+ *
+ * For server mode with PostgreSQL, prefer `createAuthServer()` — it handles
+ * RSA key generation and database setup automatically.
+ *
+ * @example
+ * // Server mode
+ * const auth = createAuth({
+ *   mode: 'server',
+ *   dialect: new PostgresDialect({ pool: new Pool({ connectionString: DATABASE_URL }) }),
+ *   secret: process.env.JWT_SECRET!,
+ *   validRoles: ['user', 'admin'] as const,
+ * });
+ *
+ * @example
+ * // Client mode
+ * const auth = createAuth({
+ *   mode: 'client',
+ *   keyUri: 'https://auth.myapp.com/auth/keys',
+ * });
+ */
+declare function createAuth<TRole extends string = string>(config: ServerAuthConfig<TRole>): ServerAuthClient<TRole>;
+declare function createAuth<TRole extends string = string>(config: ClientAuthConfig<TRole>): ClientAuthClient<TRole>;
+
+type PostgresConfig = {
+    connectionString: string;
+    max?: number;
+} | {
+    host?: string;
+    port?: number;
+    database: string;
+    user: string;
+    password: string;
+    max?: number;
+};
+
+interface CreateServerOptions<TRole extends string = string> {
+    validRoles: readonly TRole[];
+    db: PostgresConfig;
+    accessExpiresIn?: string | number;
+    refreshExpiresIn?: string | number;
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    /**
+     * Redis connection URL (e.g. `redis://localhost:6379`).
+     * When set, `auth.idempotencyMiddleware()` uses Redis as the cache backend.
+     */
+    redisUrl?: string;
+}
+/**
+ * Create a Sentri auth server for PostgreSQL.
+ *
+ * Convenience wrapper over `createAuth()` that:
+ * - Accepts plain PostgreSQL connection params instead of a Kysely dialect
+ * - Generates an RSA-2048 key pair at startup (RS256, ephemeral per process)
+ * - Exposes `GET /keys` (JWKS) automatically for SSO with client-mode apps
+ *
+ * @example
+ * const auth = createAuthServer({
+ *   validRoles: ['user', 'admin'] as const,
+ *   db: { connectionString: process.env.DATABASE_URL! },
+ * });
+ * await auth.migrate();
+ * app.use('/auth', auth.router());
+ *
+ * @example
+ * // With Redis idempotency cache (multi-process deployments)
+ * const auth = createAuthServer({
+ *   validRoles: ['user', 'admin'] as const,
+ *   db: { connectionString: process.env.DATABASE_URL! },
+ *   redisUrl: process.env.REDIS_URL,
+ * });
+ * app.use(auth.idempotencyMiddleware());
+ */
+declare function createAuthServer<TRole extends string = string>(options: CreateServerOptions<TRole>): ServerAuthClient<TRole>;
+
+/**
+ * Extract the raw access token string from an Express request.
+ * Reads `Authorization: Bearer <token>` header first; falls back to the
+ * `access_token` cookie (or the name set in `accessCookie.name`).
+ * Returns `undefined` when no token is present.
+ */
+declare function getCurrentAccessToken(request: Request, config: ServerAuthConfig): string | undefined;
+
+declare function register(input: RegisterInput, config: ServerAuthConfig): Promise<RegisterResult>;
+
 declare global {
     namespace Express {
         interface Request {
             user?: AuthUser;
+            requestId?: string;
         }
     }
 }
-export type { AuthConfig, CookieConfig, AuthUser, ApiResponse, AuthAdapter, UserRecord, SessionRecord, CreateUserData, RouterHandlers, RegisterInput, LoginInput, RegisterResult, AuthResult, RefreshResult, AssignRolesResult, } from './types/auth.js';
-export type { SentriErrorCode } from './errors/AuthError.js';
-export type { AuthClient } from './client.js';
-export type { ErrorHandlerOptions } from './middleware/errorHandler.js';
-export { SentriError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
-export { createAuth } from './client.js';
-export { createErrorHandler } from './middleware/errorHandler.js';
-export { register } from './services/auth.js';
-export type { PermitCheck, PermitOptions } from './middleware/permit.js';
-//# sourceMappingURL=index.d.ts.map
+
+export { type AccessCookieConfig, type ApiResponse, type AssignRolesResult, type AuthClient, type AuthConfig, type AuthHooks, type AuthResult, type AuthUser, type ChangeIdentifierResult, type ChangePasswordResult, type ClientAuthClient, type ClientAuthConfig, type CookieConfig, type CreateServerOptions, type ErrorHandlerOptions, type GetUserResult, type IdempotencyOptions, type LoginInput, type PermitCheck, type PermitOptions, type PostgresConfig, type RefreshResult, type RegisterInput, type RegisterResult, type RouterHandlers, SENTRI_ERROR_STATUS, SentriError, type SentriErrorCode, type ServerAuthClient, type ServerAuthConfig, createAuth, createAuthServer, createErrorHandler, createIdempotencyMiddleware, getCurrentAccessToken, register };

package/dist/index.js

@@ -1,5 +1 @@
-export { SentriError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
-export { createAuth } from './client.js';
-export { createErrorHandler } from './middleware/errorHandler.js';
-export { register } from './services/auth.js';
-//# sourceMappingURL=index.js.map
+import Re from'bcrypt';import H from'jsonwebtoken';import {generateKeyPairSync,randomUUID,createPublicKey,createPrivateKey}from'crypto';import {Kysely,sql,PostgresDialect}from'kysely';import {Router}from'express';import {Redis}from'ioredis';import {Pool}from'pg';var pe=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500}),i=class extends Error{code;statusCode;constructor(r,s,t){super(s),this.name="SentriError",this.code=r,this.statusCode=t??pe[r]??500;}};async function D(e,r=12){return Re.hash(e,r)}async function K(e,r){return Re.compare(e,r)}var ye=new Map,we=new Map,nr=3600*1e3;function Ce(e){let r=ye.get(e);if(!r){let s=createPrivateKey(e),t=createPublicKey(s),n=t.export({format:"jwk"}),o=Buffer.from(e).slice(0,8).toString("base64url"),c={...n,use:"sig",kid:o};r={kid:o,publicKey:t,jwk:c},ye.set(e,r);}return r}function ke(e){let{jwk:r}=Ce(e);return {keys:[r]}}function Ie(e){return Ce(e).publicKey}async function Se(e){let r=Date.now(),s=we.get(e);if(s&&r-s.fetchedAt<nr)return s.publicKey;let t=await fetch(e);if(!t.ok)throw new i("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${t.status}`);let n=await t.json();if(!n.keys||n.keys.length===0)throw new i("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=n.keys[0],c=createPublicKey({key:o,format:"jwk"});return we.set(e,{publicKey:c,fetchedAt:r}),c}var Te=new WeakMap,ve=32,Ee=10,xe=31;function _e(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new i("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new i("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<ve)throw new i("CONFIGURATION_ERROR",`secret must be at least ${ve} characters for HMAC algorithms`);let t=e.saltRounds??12;if(!Number.isInteger(t)||t<Ee||t>xe)throw new i("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Ee} and ${xe}`);if(!e.validRoles||e.validRoles.length===0)throw new i("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new i("CONFIGURATION_ERROR","dialect is required in server mode")}function p(e){let r=Te.get(e);if(r)return r;let s={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Te.set(e,s),s}var or=/^(\d+)([smhdw])$/,ir={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},be=new Map;function x(e){if(typeof e=="number")return e*1e3;let r=be.get(e);if(r!==void 0)return r;let s=or.exec(e);if(!s?.[1]||!s?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let t=ir[s[2]];if(t===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let n=parseInt(s[1],10)*t;return be.set(e,n),n}var Pe=new Map,Oe=new Map,Ne=new Map;function Ue(e){return e.startsWith("RS")||e.startsWith("PS")}function De(e){let r=Pe.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},Pe.set(e,r)),r}function cr(e){let r=Oe.get(e);return r||(r=createPrivateKey(e),Oe.set(e,r)),r}function Ke(e){let r=p(e);if(Ue(r.algorithm)){let n=cr(e.secret);return {accessKey:n,refreshKey:n}}let{access:s,refresh:t}=De(e.secret);return {accessKey:s,refreshKey:t}}function He(e,r){let s=p(e);if(Ue(s.algorithm))return Ie(e.secret);let{access:t,refresh:n}=De(e.secret);return r==="access"?t:n}function je(e,r,s,t){let n=`${s}:${t}`,o=Ne.get(n);return o||(o={expiresIn:s,algorithm:t},Ne.set(n,o)),H.sign(e,r,o)}function Le(e,r,s){try{let t=H.verify(e,r,{algorithms:[s]});if(typeof t=="string"||t===null)throw new i("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof i?t:t instanceof H.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function j(e,r){let s=p(r),{accessKey:t}=Ke(r);return je(e,t,s.accessExpiresIn,s.algorithm)}function L(e,r){let s=p(r),{refreshKey:t}=Ke(r);return je({sessionId:e},t,s.refreshExpiresIn,s.algorithm)}function z(e,r){let s=p(r),t=He(r,"access");return Le(e,t,s.algorithm)}function F(e,r){let s=p(r),t=He(r,"refresh");return Le(e,t,s.algorithm)}function Fe(e,r){try{let s=H.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof s=="string"||s===null)throw new i("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof i?s:s instanceof H.TokenExpiredError?new i("TOKEN_EXPIRED","Token has expired"):new i("TOKEN_INVALID","Token is invalid or malformed")}}function E(e){return p(e).cookieName}function b(e,r){if(!e)return;let s=`${r}=`,t=0;for(;t<e.length;){for(;t<e.length&&e[t]===" ";)t++;let n=e.indexOf(";",t),o=n===-1?e.length:n;if(e.startsWith(s,t))return e.slice(t+s.length,o);t=o+1;}}function q(e,r,s){let t=s.cookie??{},n=p(s),o=x(n.refreshExpiresIn);e.cookie(E(s),r,{httpOnly:t.httpOnly??true,secure:t.secure??false,sameSite:t.sameSite??"strict",path:t.path??"/",maxAge:o});}function W(e,r){let s=r.cookie??{};e.clearCookie(E(r),{path:s.path??"/"});}function ce(e){return p(e).accessCookieName}function M(e,r,s){if(!s.accessCookie)return;let t=s.accessCookie,n=p(s),o=x(n.accessExpiresIn);e.cookie(ce(s),r,{httpOnly:false,secure:t.secure??false,sameSite:t.sameSite??"strict",path:t.path??"/",maxAge:o});}function ue(e,r){if(!r.accessCookie)return;let s=r.accessCookie;e.clearCookie(ce(r),{path:s.path??"/"});}function $(e,r){let s=e.headers.authorization;return s?.startsWith("Bearer ")?s.slice(7):b(e.headers.cookie,ce(r))}var qe=new Map;function k(e){let r=qe.get(e);return r||(r=new Kysely({dialect:e}),qe.set(e,r)),r}function de(e){try{return JSON.parse(e)}catch{return []}}function $e(e){return JSON.stringify(e)}async function Z(e,r){let s=await e.selectFrom("sentri_users").selectAll().where("identifier","=",r).executeTakeFirst();return s?{id:s.id,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}:null}async function J(e,r){let s=await e.selectFrom("sentri_users").selectAll().where("id","=",r).executeTakeFirst();return s?{id:s.id,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}:null}async function Je(e,r){let s=randomUUID();return await e.insertInto("sentri_users").values({id:s,identifier:r.identifier,password_hash:r.passwordHash,roles:$e(r.roles)}).execute(),{id:s}}async function Ge(e,r,s){await e.updateTable("sentri_users").set({identifier:s}).where("id","=",r).execute();}async function Xe(e,r,s){await e.updateTable("sentri_users").set({password_hash:s}).where("id","=",r).execute();}async function Ve(e,r,s){await e.updateTable("sentri_users").set({roles:$e(s)}).where("id","=",r).execute();}async function le(e,r){let s=randomUUID();return await e.insertInto("sentri_sessions").values({id:s,user_id:r.userId,expires_at:r.expiresAt}).execute(),{id:s}}async function Be(e,r){let s=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.created_at as session_created_at","u.id as user_id_col","u.identifier","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return s?{id:s.session_id,userId:s.user_id,expiresAt:new Date(s.expires_at),createdAt:new Date(s.session_created_at),user:{id:s.user_id_col,identifier:s.identifier,passwordHash:s.password_hash,roles:de(s.roles)}}:null}async function Y(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}async function fe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}async function G(e,r){let s=p(r),t=k(r.dialect),n=e.roles??[],o=n.filter(w=>!s.validRolesSet.has(w));if(o.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=e.identifier.trim();if(await Z(t,c))return {success:false,error:new i("USER_ALREADY_EXISTS","User already exists")};let g=await D(e.password,s.saltRounds);return {success:true,user:{id:(await Je(t,{identifier:c,passwordHash:g,roles:n})).id,identifier:c,roles:n}}}async function Q(e,r){let s=p(r),t=k(r.dialect),n=await Z(t,e.identifier.trim());if(!n)return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};if(!await K(e.password,n.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let c=new Date(Date.now()+x(s.refreshExpiresIn)),d=await le(t,{userId:n.id,expiresAt:c}),g={id:n.id,identifier:n.identifier,roles:n.roles},m=j({id:n.id,identifier:n.identifier,roles:n.roles,sessionId:d.id},r),w=L(d.id,r);return {success:true,accessToken:m,refreshToken:w,user:g}}async function _(e,r){let s=p(r),t=k(r.dialect),n;try{({sessionId:n}=F(e,r));}catch(v){return v instanceof i?{success:false,error:v}:{success:false,error:new i("TOKEN_INVALID","Invalid refresh token")}}let o=await Be(t,n);if(!o)return {success:false,error:new i("UNAUTHORIZED","Session not found or revoked")};if(o.expiresAt.getTime()<Date.now())return await Y(t,n),{success:false,error:new i("TOKEN_EXPIRED","Session has expired")};await Y(t,n);let c=new Date(Date.now()+x(s.refreshExpiresIn)),d=await le(t,{userId:o.userId,expiresAt:c}),g={id:o.user.id,identifier:o.user.identifier,roles:o.user.roles},m=j({id:g.id,identifier:g.identifier,roles:g.roles,sessionId:d.id},r),w=L(d.id,r);return {success:true,accessToken:m,refreshToken:w,user:g}}async function ee(e,r){let s=k(r.dialect),t;try{({sessionId:t}=F(e,r));}catch{return}await Y(s,t);}async function re(e,r){let s=k(r.dialect);await fe(s,e);}async function ze(e,r){let s=k(r.dialect),t=await J(s,e);return t?{success:true,user:{id:t.id,identifier:t.identifier,roles:t.roles}}:{success:false,error:new i("USER_NOT_FOUND","User not found")}}async function te(e,r,s){let t=k(s.dialect),n=await J(t,e);if(!n)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let o=r.trim();return await Z(t,o)?{success:false,error:new i("USER_ALREADY_EXISTS","Identifier already taken")}:(await Ge(t,e,o),{success:true,user:{id:n.id,identifier:o,roles:n.roles}})}async function se(e,r,s,t){let n=p(t),o=k(t.dialect),c=await J(o,e);if(!c)return {success:false,error:new i("USER_NOT_FOUND","User not found")};if(!await K(r,c.passwordHash))return {success:false,error:new i("INVALID_CREDENTIALS","Invalid credentials")};let g=await D(s,n.saltRounds);return await Xe(o,e,g),await fe(o,e),{success:true}}async function ne(e,r,s){let t=p(s),n=k(s.dialect),o=r.filter(m=>!t.validRolesSet.has(m));if(o.length>0)return {success:false,error:new i("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=await J(n,e);if(!c)return {success:false,error:new i("USER_NOT_FOUND","User not found")};let d=new Set(c.roles);for(let m of r)d.add(m);let g=Array.from(d);return await Ve(n,e,g),{success:true,user:{id:c.id,identifier:c.identifier,roles:g}}}function S(e){return e.mode==="client"?dr(e.keyUri):lr(e)}function dr(e){return async(r,s,t)=>{let n=r.headers.authorization,o=n?.startsWith("Bearer ")?n.slice(7):void 0;if(!o)return t(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let c=await Se(e),d=Fe(o,c);r.user={id:d.id,identifier:d.identifier,roles:d.roles},t();}catch(c){t(c);}}}function lr(e){return async(r,s,t)=>{let n=$(r,e);if(!n)return t(new i("UNAUTHORIZED","Missing or malformed Authorization header"));try{let o=z(n,e);if(e.isTokenRevoked&&await e.isTokenRevoked(o.sessionId))return t(new i("UNAUTHORIZED","Token has been revoked"));r.user={id:o.id,identifier:o.identifier,roles:o.roles},t();}catch(o){if(o instanceof i&&o.code==="TOKEN_EXPIRED"){let c=b(r.headers.cookie,E(e));if(!c)return t(new i("UNAUTHORIZED","Token expired. Please login again."));try{let d=await _(c,e);if(!d.success)return t(new i("UNAUTHORIZED","Session expired. Please login again."));q(s,d.refreshToken,e),M(s,d.accessToken,e),s.setHeader("X-New-Access-Token",d.accessToken),r.user=d.user,t();}catch{t(new i("UNAUTHORIZED","Session expired. Please login again."));}}else t(o);}}}function X(...e){let r=`Requires one of roles: ${e.join(", ")}`;return (s,t,n)=>{if(!s.user)return n(new i("UNAUTHORIZED","Not authenticated"));let o=s.user.roles;if(!e.some(c=>o.includes(c)))return n(new i("FORBIDDEN",r));n();}}var fr=new i("FORBIDDEN","You do not have permission to perform this action");function V(e){let r=typeof e=="function"?{check:e}:e;return async(s,t,n)=>{if(!s.user)return n(new i("UNAUTHORIZED","Not authenticated"));if(r.roles&&r.roles.length>0){let o=s.user.roles;if(r.roles.some(c=>o.includes(c)))return n()}try{let o=r.check(s);(o instanceof Promise?await o:o)?n():n(fr);}catch(o){n(o);}}}function P(e){return (r,s,t,n)=>{if(r instanceof i){t.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),t.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}var oe=8,O=72,N=255;function y(e){return new i("VALIDATION_ERROR",e)}function T(e,r,s,t){e.status(r).json({error:false,statusCode:r,message:s,data:t});}function U(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}function B(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new i("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}function hr(e,r){if(!r.apiKey)return;let s=e.headers["x-api-key"];if(typeof s!="string"||s!==r.apiKey)throw new i("UNAUTHORIZED","Invalid or missing API key")}function ge(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}function mr(e){return e.startsWith("RS")||e.startsWith("PS")}function We(e){let r=Router(),s=e,t=p(s),n=e.router?.register??(a=>G(a,s)),o=e.router?.login??(a=>Q(a,s)),c=e.router?.refresh??(a=>_(a,s)),d=e.router?.logout??(a=>a!==void 0?ee(a,s):Promise.resolve()),g=e.router?.logoutAll??(a=>re(a,s)),m=e.router?.assignRoles??((a,u)=>ne(a,u,s)),w=e.router?.changeIdentifier??((a,u)=>te(a,u,s)),v=e.router?.changePassword??((a,u,R)=>se(a,u,R,s));mr(t.algorithm)&&r.get("/keys",(a,u)=>{u.setHeader("Cache-Control","public, max-age=3600"),u.json(ke(e.secret));}),r.post("/register",async(a,u,R)=>{try{hr(a,e);let l=B(a.body),{identifier:f,password:h,roles:A}=l;if(typeof f!="string"||f.trim().length===0)throw y("identifier is required and must be a non-empty string");if(f.length>N)throw y(`identifier must not exceed ${N} characters`);if(typeof h!="string"||h.length<oe)throw y(`password is required and must be at least ${oe} characters`);if(h.length>O)throw y(`password must not exceed ${O} characters`);if(A!==void 0&&!Array.isArray(A))throw y("roles must be an array of strings when provided");if(Array.isArray(A)&&!A.every(tr=>typeof tr=="string"))throw y("each role must be a string");let C=Array.isArray(A)?A:void 0,ie=C!==void 0?{identifier:f.trim(),password:h,roles:C}:{identifier:f.trim(),password:h},ae=await n(ie);if(!ae.success){U(u,ae.error);return}T(u,201,"User registered successfully",{user:ae.user});}catch(l){R(l);}}),r.post("/login",async(a,u,R)=>{try{let l=B(a.body),{identifier:f,password:h}=l;if(typeof f!="string"||f.trim().length===0)throw y("identifier is required and must be a non-empty string");if(f.length>N)throw y(`identifier must not exceed ${N} characters`);if(typeof h!="string"||h.length===0)throw y("password is required");if(h.length>O)throw y(`password must not exceed ${O} characters`);let A=f.trim(),C=await o({identifier:A,password:h});if(!C.success){ge(()=>e.hooks?.onFailedLogin?.(A,C.error)),U(u,C.error);return}ge(()=>e.hooks?.onLogin?.(C.user)),q(u,C.refreshToken,e),M(u,C.accessToken,e),T(u,200,"Login successful",{accessToken:C.accessToken,user:C.user});}catch(l){R(l);}}),r.post("/refresh",async(a,u,R)=>{try{let l=b(a.headers.cookie,E(e));if(!l)throw new i("UNAUTHORIZED","Refresh token cookie is missing");let f=await c(l);if(!f.success){W(u,e),U(u,f.error);return}q(u,f.refreshToken,e),M(u,f.accessToken,e),T(u,200,"Token refreshed",{accessToken:f.accessToken});}catch(l){R(l);}}),r.post("/logout",async(a,u,R)=>{try{let l=b(a.headers.cookie,E(e));await d(l),W(u,e),ue(u,e),T(u,200,"Logged out",null);}catch(l){R(l);}}),r.post("/logout-all",S(e),async(a,u,R)=>{try{let l=a.user.id;await g(l),ge(()=>e.hooks?.onLogout?.(l)),W(u,e),ue(u,e),T(u,200,"All sessions revoked",null);}catch(l){R(l);}}),r.get("/me",S(e),(a,u)=>{T(u,200,"OK",a.user);});let I=V(a=>!!a.user);return r.patch("/me/identifier",S(e),I,async(a,u,R)=>{try{let l=B(a.body),{newIdentifier:f}=l;if(typeof f!="string"||f.trim().length===0)throw y("newIdentifier is required and must be a non-empty string");if(f.length>N)throw y(`newIdentifier must not exceed ${N} characters`);let h=await w(a.user.id,f);if(!h.success){U(u,h.error);return}T(u,200,"Identifier updated successfully",{user:h.user});}catch(l){R(l);}}),r.patch("/me/password",S(e),I,async(a,u,R)=>{try{let l=B(a.body),{currentPassword:f,newPassword:h}=l;if(typeof f!="string"||f.length===0)throw y("currentPassword is required");if(typeof h!="string"||h.length<oe)throw y(`newPassword must be at least ${oe} characters`);if(h.length>O)throw y(`newPassword must not exceed ${O} characters`);if(f===h)throw y("newPassword must be different from currentPassword");let A=await v(a.user.id,f,h);if(!A.success){U(u,A.error);return}T(u,200,"Password updated successfully. All sessions have been revoked.",null);}catch(l){R(l);}}),r.post("/users/:userId/roles",S(e),X("admin"),async(a,u,R)=>{try{let l=B(a.body),{roles:f}=l,h=a.params.userId,A=typeof h=="string"?h:void 0;if(!A)throw y("userId is required");if(!Array.isArray(f)||f.length===0)throw y("roles must be a non-empty array of strings");if(!f.every(ie=>typeof ie=="string"))throw y("each role must be a string");let C=await m(A,f);if(!C.success){U(u,C.error);return}T(u,200,"Roles assigned successfully",{user:C.user});}catch(l){R(l);}}),r.use(P()),r}var Ze=new Map;function Ye(e){let r=Ze.get(e);return r||(r=new Redis(e,{lazyConnect:false,enableOfflineQueue:false}),Ze.set(e,r)),r}function he(e){let r=e?.ttl??3e5,s=(e?.header??"X-Idempotency-Key").toLowerCase(),t=new Set((e?.methods??["POST","PUT","PATCH"]).map(o=>o.toUpperCase())),n=e?.redisUrl;return n?Rr(n,r,s,t):yr(r,s,t,e?.maxSize??1e4)}function Rr(e,r,s,t){let n=Ye(e),o="sentri:idempotency:";return async(c,d,g)=>{let m=c.headers[s];if(!m||typeof m!="string"||!t.has(c.method))return g();c.requestId=m,d.setHeader("X-Request-Id",m);let w=await n.get(`${o}${m}`);if(w){let I=JSON.parse(w);return d.setHeader("X-Idempotent-Replayed","true"),d.status(I.statusCode).json(I.body)}let v=d.json.bind(d);d.json=function(a){if(d.statusCode>=200&&d.statusCode<300){let u={statusCode:d.statusCode,body:a,expiresAt:Date.now()+r};n.set(`${o}${m}`,JSON.stringify(u),"PX",r).catch(()=>{});}return v(a)},g();}}function yr(e,r,s,t){let n=Math.max(e,5e3),o=new Map,c=setInterval(()=>{let d=Date.now();for(let[g,m]of o)m.expiresAt<=d&&o.delete(g);},n);return typeof c=="object"&&c!==null&&"unref"in c&&c.unref(),(d,g,m)=>{let w=d.headers[r];if(!w||typeof w!="string"||!s.has(d.method))return m();d.requestId=w,g.setHeader("X-Request-Id",w);let v=Date.now(),I=o.get(w);if(I&&I.expiresAt>v)return g.setHeader("X-Idempotent-Replayed","true"),g.status(I.statusCode).json(I.body);let a=g.json.bind(g);g.json=function(R){if(g.statusCode>=200&&g.statusCode<300){if(o.size>=t){let l=o.keys().next().value;l!==void 0&&o.delete(l);}o.set(w,{statusCode:g.statusCode,body:R,expiresAt:Date.now()+e});}return a(R)},m();}}async function er(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("identifier","varchar(255)",r=>r.notNull().unique()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute();}function me(e){if(_e(e),e.mode==="client")return {protect:()=>S(e),authorize:(...t)=>X(...t),permit:t=>V(t),errorHandler:t=>P(t)};let r=e,s=p(r);return {protect:()=>S(r),authorize:(...t)=>X(...t),permit:t=>V(t),hashPassword:t=>D(t,s.saltRounds),verifyPassword:(t,n)=>K(t,n),signAccessToken:t=>j(t,r),signRefreshToken:t=>L(t,r),verifyAccessToken:t=>z(t,r),verifyRefreshToken:t=>F(t,r),getCurrentAccessToken:t=>$(t,r),router:()=>We(r),migrate:()=>er(k(r.dialect)),errorHandler:t=>P(t),idempotencyMiddleware:t=>he({...t,...r.redisUrl!==void 0&&{redisUrl:r.redisUrl}}),register:t=>G(t,r),login:t=>Q(t,r),refresh:t=>_(t,r),logout:t=>ee(t,r),logoutAll:t=>re(t,r),getUser:t=>ze(t,r),changeIdentifier:(t,n)=>te(t,n,r),changePassword:(t,n,o)=>se(t,n,o,r),assignRoles:(t,n)=>ne(t,n,r)}}function rr(e){return new PostgresDialect({pool:new Pool(e)})}function kr(e){let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),s={mode:"server",dialect:rr(e.db),secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl}};return me(s)}export{pe as SENTRI_ERROR_STATUS,i as SentriError,me as createAuth,kr as createAuthServer,P as createErrorHandler,he as createIdempotencyMiddleware,$ as getCurrentAccessToken,G as register};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sentri",
-  "version": "1.1.2",
+  "version": "2.1.0",
   "description": "Personal auth/authorization library for Express + Postgres",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -16,11 +16,11 @@
   },
   "files": [
     "dist",
-    "bin",
-    "templates"
+    "bin"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsup",
+    "build:types": "tsc --emitDeclarationOnly",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage"
@@ -40,20 +40,22 @@
     "@types/express": "^5.0.6",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^22.20.0",
+    "@types/pg": "^8.11.10",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.9",
     "express": "^5.2.1",
     "supertest": "^7.2.2",
+    "tsup": "^8.5.1",
     "tsx": "^4.22.4",
     "typescript": "^6.0.3",
     "vitest": "^4.1.9"
   },
   "dependencies": {
-    "@prisma/adapter-pg": "^7.8.0",
-    "@prisma/client": "^7.8.0",
     "bcrypt": "^6.0.0",
+    "ioredis": "^5.11.1",
     "jsonwebtoken": "^9.0.3",
-    "sentri": "^1.0.6"
+    "kysely": "^0.27.4",
+    "pg": "^8.13.1"
   },
   "peerDependencies": {
     "express": ">=4.0.0"

package/dist/cli.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}