sentri 1.1.2 → 2.1.0

package/dist/types/auth.d.ts

@@ -1,450 +0,0 @@
-import type { SentriError, SentriErrorCode } from '../errors/AuthError.js';
-export type { SentriError };
-/** Standard API response envelope returned by all built-in router endpoints. */
-export interface ApiResponse<T = null> {
-    error: boolean;
-    statusCode: number;
-    message: string;
-    data: T | null;
-}
-/**
- * @internal Extended JWT payload decoded from an access token.
- * Includes `sessionId` which is not exposed on `req.user` but is used
- * by `protect()` to validate that the session is still active.
- */
-export interface AccessTokenPayload<TRole extends string = string> extends AuthUser<TRole> {
-    sessionId: string;
-}
-/** Maps a {@link SentriErrorCode} to its corresponding HTTP status code. */
-export declare function authErrorStatus(code: SentriErrorCode): number;
-/** Shape of a user row returned by the adapter — used internally by the library. */
-export interface UserRecord {
-    id: string;
-    /**
-     * The credential identifier for this user (email, username, phone number, etc.).
-     * The adapter decides which column(s) this maps to.
-     */
-    identifier: string;
-    passwordHash: string;
-    /** Role names currently assigned to the user. */
-    roles: string[];
-}
-/** Shape of a session row returned by the adapter. */
-export interface SessionRecord {
-    id: string;
-    userId: string;
-    expiresAt: Date;
-    createdAt: Date;
-}
-/** Data the library passes to the adapter when creating a new user. */
-export interface CreateUserData {
-    /**
-     * The credential identifier supplied at registration (email, username, phone, etc.).
-     * Store this in whichever column(s) your schema uses for login lookup.
-     */
-    identifier: string;
-    passwordHash: string;
-    /** Validated role names to assign at creation. */
-    roles: string[];
-}
-/**
- * The database adapter interface the library depends on.
- *
- * Implement this to connect the library to any ORM or data layer.
- *
- * The library uses a single `identifier` string for credentials — your adapter
- * decides what that means: email column, username column, phone column, or a
- * query across multiple columns.
- */
-export interface AuthAdapter {
-    user: {
-        /**
-         * Find a user by their login identifier.
-         *
-         * The adapter decides which column(s) to query — email, username, phone,
-         * or a combined lookup (`WHERE email = $1 OR username = $1`).
-         * Returns `null` if not found.
-         */
-        findByIdentifier(identifier: string): Promise<UserRecord | null>;
-        /** Find a user by their primary key. Returns `null` if not found. */
-        findById(id: string): Promise<UserRecord | null>;
-        /**
-         * Persist a new user with the given identifier, hashed password, and roles.
-         * The adapter maps `identifier` to the appropriate column(s) in your schema.
-         */
-        create(data: CreateUserData): Promise<{
-            id: string;
-        }>;
-        /**
-         * Replace the complete role list for a user.
-         * Called by `assignRoles` after merging the new roles with the existing ones.
-         */
-        updateRoles(userId: string, roles: string[]): Promise<void>;
-    };
-    session: {
-        /**
-         * Persist a new session and return its generated ID.
-         * `expiresAt` is computed from `refreshExpiresIn` in config.
-         */
-        create(data: {
-            userId: string;
-            expiresAt: Date;
-        }): Promise<{
-            id: string;
-        }>;
-        /**
-         * Find a session by its ID, including the associated user.
-         * Returns `null` if the session does not exist (i.e. has been revoked).
-         */
-        findById(sessionId: string): Promise<(SessionRecord & {
-            user: UserRecord;
-        }) | null>;
-        /** Delete a single session. Used during logout and token rotation. */
-        delete(sessionId: string): Promise<void>;
-        /** Delete all sessions belonging to a user. Used for "logout from all devices". */
-        deleteAllForUser(userId: string): Promise<void>;
-    };
-}
-/**
- * Custom service functions for the built-in auth router.
- *
- * Each key matches the internal service function name. When provided, the
- * custom function replaces the default service call for that route while the
- * router still handles request parsing, input validation, and response formatting.
- *
- * The function signatures mirror the internal services exactly but without the
- * `config` parameter — the library passes config at bind time.
- *
- * @example
- * createAuth({
- *   // ...
- *   router: {
- *     login: async (input) => {
- *       // add OTP check, custom user lookup, etc.
- *       // must return AuthResult
- *     },
- *     register: async (input) => {
- *       // send welcome email, set default profile, etc.
- *       // must return RegisterResult
- *     },
- *   },
- * });
- */
-export interface RouterHandlers {
-    /**
-     * Replaces the default register service (`POST /register`).
-     *
-     * The router validates the request body (identifier, password, roles) first,
-     * then calls this function with the parsed input. Must return a `RegisterResult`.
-     * If omitted, the library's built-in registration logic runs instead.
-     *
-     * @example
-     * register: async (input) => {
-     *   const result = await defaultRegister(input);
-     *   if (result.success) {
-     *     await emailService.sendWelcome(input.identifier);
-     *   }
-     *   return result;
-     * }
-     */
-    register?: (input: RegisterInput) => Promise<RegisterResult>;
-    /**
-     * Replaces the default login service.
-     *
-     * The router validates the request body (identifier, password) first,
-     * then calls this function with the parsed input. Must return an `AuthResult`.
-     * If omitted, the library's built-in login logic runs instead.
-     *
-     * @example
-     * login: async (input) => {
-     *   // verify OTP before issuing tokens
-     *   const otpValid = await redis.get(`otp:${input.identifier}`);
-     *   if (!otpValid) {
-     *     return { success: false, error: new SentriError('INVALID_CREDENTIALS', 'OTP required') };
-     *   }
-     *   return defaultLogin(input);
-     * }
-     */
-    login?: (input: LoginInput) => Promise<AuthResult>;
-    /**
-     * Replaces the default refresh service.
-     *
-     * Receives the raw refresh token string extracted from the cookie.
-     * Must return a `RefreshResult`. If omitted, the built-in session-rotation
-     * logic runs instead.
-     *
-     * @example
-     * refresh: async (refreshToken) => {
-     *   const result = await defaultRefresh(refreshToken);
-     *   if (result.success) {
-     *     await auditLog.record('token_rotated', result.user.id);
-     *   }
-     *   return result;
-     * }
-     */
-    refresh?: (refreshToken: string) => Promise<RefreshResult>;
-    /**
-     * Replaces the default logout service.
-     *
-     * Receives the raw refresh token from the cookie, or `undefined` if no cookie
-     * was present. The router clears the cookie after this function resolves.
-     * If omitted, the built-in session deletion logic runs instead.
-     *
-     * @example
-     * logout: async (refreshToken) => {
-     *   if (refreshToken) {
-     *     await defaultLogout(refreshToken);
-     *     await auditLog.record('logout', refreshToken);
-     *   }
-     * }
-     */
-    logout?: (refreshToken: string | undefined) => Promise<void>;
-    /**
-     * Replaces the default logoutAll service.
-     *
-     * Receives the authenticated user's ID (from `req.user`, set by `protect()`).
-     * If omitted, the built-in "delete all sessions" logic runs instead.
-     *
-     * @example
-     * logoutAll: async (userId) => {
-     *   await defaultLogoutAll(userId);
-     *   await notifyService.push(userId, 'You have been signed out from all devices.');
-     * }
-     */
-    logoutAll?: (userId: string) => Promise<void>;
-    /**
-     * Replaces the default assignRoles service.
-     *
-     * The router validates the request body and params first, then calls this
-     * function with the target `userId` and the validated `roles` array.
-     * Must return an `AssignRolesResult`. If omitted, the built-in role-merge
-     * logic runs instead.
-     *
-     * @example
-     * assignRoles: async (userId, roles) => {
-     *   const result = await defaultAssignRoles(userId, roles);
-     *   if (result.success) {
-     *     await auditLog.record('roles_assigned', { userId, roles });
-     *   }
-     *   return result;
-     * }
-     */
-    assignRoles?: (userId: string, roles: string[]) => Promise<AssignRolesResult>;
-}
-/**
- * Configuration passed to {@link createAuth}.
- *
- * Only `secret`, `validRoles`, and `adapter` are required.
- * All other fields have sensible defaults.
- *
- * @example
- * createAuth({
- *   secret: process.env.JWT_SECRET!,
- *   validRoles: ['user', 'admin'] as const,
- *   adapter: myAdapter,
- * });
- */
-export interface AuthConfig<TRole extends string = string> {
-    /** Secret used to sign JWT tokens. Must not be empty. Keep this in an env variable. */
-    secret: string;
-    /**
-     * How long access tokens are valid.
-     * Accepts a duration string (`'15m'`, `'1h'`) or seconds as a number.
-     * @default '15m'
-     */
-    accessExpiresIn?: string | number;
-    /**
-     * How long refresh tokens / sessions are valid.
-     * Accepts a duration string (`'7d'`, `'30d'`) or seconds as a number.
-     * @default '7d'
-     */
-    refreshExpiresIn?: string | number;
-    /**
-     * HMAC signing algorithm used for JWTs.
-     * @default 'HS256'
-     */
-    algorithm?: 'HS256' | 'HS384' | 'HS512';
-    /**
-     * bcrypt cost factor. Higher = slower hashing but more secure.
-     * @default 12
-     */
-    saltRounds?: number;
-    /**
-     * Exhaustive list of role names your application uses.
-     * Registration will be rejected with `INVALID_ROLE` if a role outside this list is requested.
-     * Use `as const` to get TypeScript union-type safety on `authorize()`.
-     *
-     * @example
-     * validRoles: ['user', 'admin', 'moderator'] as const
-     */
-    validRoles: readonly TRole[];
-    /** ORM adapter that connects the library to your database. */
-    adapter: AuthAdapter;
-    /**
-     * API key required to call `POST /register`.
-     *
-     * When set, the `/register` endpoint expects an `X-Api-Key` header whose
-     * value matches this string exactly. Requests without the header, or with
-     * the wrong value, are rejected with HTTP 401 (`UNAUTHORIZED`).
-     *
-     * Use this to restrict self-registration — for example, only your own
-     * back-office service or admin panel should be able to create new accounts,
-     * so you never expose user registration to arbitrary callers.
-     *
-     * @example
-     * createAuth({
-     *   // ...
-     *   apiKey: process.env.REGISTER_API_KEY!,
-     * });
-     *
-     * // Client must send:
-     * // POST /auth/register
-     * // X-Api-Key: <value of REGISTER_API_KEY>
-     */
-    apiKey?: string;
-    /**
-     * Custom service functions for individual routes in the built-in auth router.
-     *
-     * The router still handles request parsing, validation, and response formatting.
-     * Only the core service logic is replaced by your function.
-     *
-     * @example
-     * createAuth({
-     *   // ...
-     *   router: {
-     *     login: async (input) => {
-     *       // verify OTP, then delegate to default or return custom result
-     *       return { success: true, accessToken, refreshToken, user };
-     *     },
-     *     register: async (input) => {
-     *       // send welcome email after successful registration
-     *       const result = await defaultRegister(input);
-     *       if (result.success) await emailService.sendWelcome(input.identifier);
-     *       return result;
-     *     },
-     *   },
-     * });
-     */
-    router?: RouterHandlers;
-    /**
-     * When set, the built-in router (`auth.router()`) stores the refresh token
-     * in an httpOnly cookie instead of returning it in the response body.
-     *
-     * The `refreshToken` field is omitted from `/login` and `/refresh` responses.
-     * The `/logout` and `/logout-all` routes automatically clear the cookie.
-     *
-     * No extra middleware (e.g. `cookie-parser`) is required.
-     *
-     * @example
-     * createAuth({
-     *   // ...
-     *   cookie: { secure: process.env.NODE_ENV === 'production' },
-     * });
-     */
-    cookie?: CookieConfig;
-}
-/**
- * Cookie settings for storing the refresh token in an httpOnly cookie.
- * All fields are optional — defaults are chosen for security.
- */
-export interface CookieConfig {
-    /**
-     * Name of the cookie.
-     * @default 'refresh_token'
-     */
-    name?: string;
-    /**
-     * Prevents JavaScript from reading the cookie (`document.cookie`).
-     * @default true
-     */
-    httpOnly?: boolean;
-    /**
-     * Restricts the cookie to HTTPS connections.
-     * Set to `true` in production.
-     * @default false
-     */
-    secure?: boolean;
-    /**
-     * Controls cross-site request behaviour.
-     * @default 'strict'
-     */
-    sameSite?: 'strict' | 'lax' | 'none';
-    /**
-     * URL path the cookie is scoped to.
-     * @default '/'
-     */
-    path?: string;
-}
-/**
- * The user payload injected as `req.user` after `protect()` runs.
- *
- * Access tokens issued by sentri >= 1.1.0 embed a `sessionId` that is
- * validated against the database on every request. Tokens from older
- * versions that lack this claim are accepted but bypass session validation.
- */
-export interface AuthUser<TRole extends string = string> {
-    id: string;
-    /**
-     * The credential identifier for this user (email, username, phone, etc.).
-     * Reflects whatever value was passed as `identifier` at registration or login.
-     */
-    identifier: string;
-    roles: TRole[];
-}
-/** Return type of `register`. */
-export type RegisterResult<TRole extends string = string> = {
-    success: true;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-/** Return type of `login`. */
-export type AuthResult<TRole extends string = string> = {
-    success: true;
-    accessToken: string;
-    refreshToken: string;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-/** Return type of `assignRoles`. */
-export type AssignRolesResult<TRole extends string = string> = {
-    success: true;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-/** Return type of `refresh`. */
-export type RefreshResult<TRole extends string = string> = {
-    success: true;
-    accessToken: string;
-    refreshToken: string;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-/** Input for `register`. */
-export interface RegisterInput<TRole extends string = string> {
-    /**
-     * The user's login credential — email, username, phone number, or any unique string.
-     * The adapter maps this to the appropriate column in your database.
-     */
-    identifier: string;
-    password: string;
-    /** Roles to assign at creation. Must be a subset of `validRoles`. */
-    roles?: TRole[];
-}
-/** Input for `login`. */
-export interface LoginInput {
-    /**
-     * The user's login credential — email, username, phone number, or any unique string.
-     * The adapter's `findByIdentifier` handles the lookup.
-     */
-    identifier: string;
-    password: string;
-}
-//# sourceMappingURL=auth.d.ts.map

package/dist/types/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAE3E,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,gFAAgF;AAChF,MAAM,WAAW,WAAW,CAAC,CAAC,GAAG,IAAI;IACnC,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;CAChB;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,CAAE,SAAQ,QAAQ,CAAC,KAAK,CAAC;IACxF,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,4EAA4E;AAC5E,wBAAgB,eAAe,CAAC,IAAI,EAAE,eAAe,GAAG,MAAM,CAkB7D;AAID,oFAAoF;AACpF,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,sDAAsD;AACtD,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,uEAAuE;AACvE,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,kDAAkD;IAClD,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE;QACJ;;;;;;WAMG;QACH,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;QACjE,qEAAqE;QACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;QACjD;;;WAGG;QACH,MAAM,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACtD;;;WAGG;QACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC7D,CAAC;IACF,OAAO,EAAE;QACP;;;WAGG;QACH,MAAM,CAAC,IAAI,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,IAAI,CAAA;SAAE,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC3E;;;WAGG;QACH,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,aAAa,GAAG;YAAE,IAAI,EAAE,UAAU,CAAA;SAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACpF,sEAAsE;QACtE,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACzC,mFAAmF;QACnF,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACjD,CAAC;CACH;AAID;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;;;;;;;;;;;OAeG;IACH,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;IAE7D;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAEnD;;;;;;;;;;;;;;;OAeG;IACH,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;IAE3D;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7D;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9C;;;;;;;;;;;;;;;;OAgBG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAC;CAC/E;AAID;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD,uFAAuF;IACvF,MAAM,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACnC;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IACxC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;;OAOG;IACH,UAAU,EAAE,SAAS,KAAK,EAAE,CAAC;IAC7B,8DAA8D;IAC9D,OAAO,EAAE,WAAW,CAAC;IACrB;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,EAAE,YAAY,CAAC;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAID;;;;;;GAMG;AACH,MAAM,WAAW,QAAQ,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACrD,EAAE,EAAE,MAAM,CAAC;IACX;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,KAAK,EAAE,CAAC;CAChB;AAED,iCAAiC;AACjC,MAAM,MAAM,cAAc,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,IACpD;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;CAAE,GACxC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAAC;AAE3C,8BAA8B;AAC9B,MAAM,MAAM,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,IAChD;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;CAAE,GACnF;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAAC;AAE3C,oCAAoC;AACpC,MAAM,MAAM,iBAAiB,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,IACvD;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;CAAE,GACxC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAAC;AAE3C,gCAAgC;AAChC,MAAM,MAAM,aAAa,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,IACnD;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;CAAE,GACnF;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAAC;AAE3C,4BAA4B;AAC5B,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IAC1D;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;CACjB;AAED,yBAAyB;AACzB,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/types/auth.js

@@ -1,21 +0,0 @@
-/** Maps a {@link SentriErrorCode} to its corresponding HTTP status code. */
-export function authErrorStatus(code) {
-    switch (code) {
-        case 'UNAUTHORIZED':
-        case 'INVALID_CREDENTIALS':
-        case 'TOKEN_EXPIRED':
-        case 'TOKEN_INVALID':
-            return 401;
-        case 'FORBIDDEN':
-            return 403;
-        case 'USER_NOT_FOUND':
-            return 404;
-        case 'USER_ALREADY_EXISTS':
-            return 409;
-        case 'CONFIGURATION_ERROR':
-            return 500;
-        default:
-            return 400;
-    }
-}
-//# sourceMappingURL=auth.js.map

package/dist/types/auth.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAqBA,4EAA4E;AAC5E,MAAM,UAAU,eAAe,CAAC,IAAqB;IACnD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,cAAc,CAAC;QACpB,KAAK,qBAAqB,CAAC;QAC3B,KAAK,eAAe,CAAC;QACrB,KAAK,eAAe;YAClB,OAAO,GAAG,CAAC;QACb,KAAK,WAAW;YACd,OAAO,GAAG,CAAC;QACb,KAAK,gBAAgB;YACnB,OAAO,GAAG,CAAC;QACb,KAAK,qBAAqB;YACxB,OAAO,GAAG,CAAC;QACb,KAAK,qBAAqB;YACxB,OAAO,GAAG,CAAC;QACb;YACE,OAAO,GAAG,CAAC;IACf,CAAC;AACH,CAAC"}

package/templates/drizzle/adapter.ts

@@ -1,154 +0,0 @@
-// sentri — Drizzle adapter template
-// Generated by: npx sentri generate drizzle
-//
-// Adjust the import paths to match your project structure.
-// This template assumes tables: users, roles, userRoles, sessions.
-// Column names follow the sentri Drizzle schema convention.
-//
-// Replace NodePgDatabase with the type that matches your Drizzle driver:
-//   import { type NodePgDatabase } from 'drizzle-orm/node-postgres';  (default)
-//   import { type LibSQLDatabase }  from 'drizzle-orm/libsql';
-//   import { type MySql2Database }  from 'drizzle-orm/mysql2';
-
-import { eq } from 'drizzle-orm';
-import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
-import { AuthError, type AuthAdapter } from 'sentri';
-import { users, roles, userRoles, sessions } from './schema.js';
-
-export function createAdapter(db: NodePgDatabase): AuthAdapter {
-  if (!db) {
-    throw new AuthError(
-      'CONFIGURATION_ERROR',
-      'createAdapter requires a Drizzle db instance. Did you forget to pass it?\n' +
-      'Example: createAdapter(db)',
-    );
-  }
-  return {
-    user: {
-      async findByIdentifier(identifier) {
-        const rows = await db
-          .select({
-            id: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(users)
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(users.identifier, identifier));
-
-        if (rows.length === 0) return null;
-        return {
-          id: rows[0]!.id,
-          identifier: rows[0]!.identifier,
-          passwordHash: rows[0]!.passwordHash,
-          roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-        };
-      },
-
-      async findById(id) {
-        const rows = await db
-          .select({
-            id: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(users)
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(users.id, id));
-
-        if (rows.length === 0) return null;
-        return {
-          id: rows[0]!.id,
-          identifier: rows[0]!.identifier,
-          passwordHash: rows[0]!.passwordHash,
-          roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-        };
-      },
-
-      async create({ identifier, passwordHash, roles: roleNames }) {
-        const [user] = await db
-          .insert(users)
-          .values({ identifier, passwordHash })
-          .returning({ id: users.id });
-
-        if (roleNames.length > 0) {
-          await Promise.all(
-            roleNames.map(async (name) => {
-              const existing = await db.select().from(roles).where(eq(roles.name, name));
-              const role = existing[0] ?? (await db.insert(roles).values({ name }).returning())[0];
-              await db.insert(userRoles).values({ userId: user!.id, roleId: role!.id });
-            }),
-          );
-        }
-        return { id: user!.id };
-      },
-
-      async updateRoles(userId, roleNames) {
-        await db.delete(userRoles).where(eq(userRoles.userId, userId));
-        await Promise.all(
-          roleNames.map(async (name) => {
-            const existing = await db.select().from(roles).where(eq(roles.name, name));
-            const role = existing[0] ?? (await db.insert(roles).values({ name }).returning())[0];
-            await db.insert(userRoles).values({ userId, roleId: role!.id });
-          }),
-        );
-      },
-    },
-
-    session: {
-      async create({ userId, expiresAt }) {
-        const [session] = await db
-          .insert(sessions)
-          .values({ userId, expiresAt })
-          .returning({ id: sessions.id });
-        return { id: session!.id };
-      },
-
-      async findById(sessionId) {
-        const rows = await db
-          .select({
-            sessionId: sessions.id,
-            sessionUserId: sessions.userId,
-            sessionExpiresAt: sessions.expiresAt,
-            sessionCreatedAt: sessions.createdAt,
-            userId: users.id,
-            identifier: users.identifier,
-            passwordHash: users.passwordHash,
-            roleName: roles.name,
-          })
-          .from(sessions)
-          .innerJoin(users, eq(sessions.userId, users.id))
-          .leftJoin(userRoles, eq(users.id, userRoles.userId))
-          .leftJoin(roles, eq(userRoles.roleId, roles.id))
-          .where(eq(sessions.id, sessionId));
-
-        if (rows.length === 0) return null;
-        const first = rows[0]!;
-        return {
-          id: first.sessionId,
-          userId: first.sessionUserId,
-          expiresAt: first.sessionExpiresAt,
-          createdAt: first.sessionCreatedAt,
-          user: {
-            id: first.userId,
-            identifier: first.identifier,
-            passwordHash: first.passwordHash,
-            roles: rows.flatMap((row) => (row.roleName ? [row.roleName] : [])),
-          },
-        };
-      },
-
-      async delete(sessionId) {
-        await db.delete(sessions).where(eq(sessions.id, sessionId));
-      },
-
-      async deleteAllForUser(userId) {
-        await db.delete(sessions).where(eq(sessions.userId, userId));
-      },
-    },
-  };
-}