sentri 4.1.0 → 5.0.0

package/dist/index.d.ts

@@ -1,670 +1,2 @@
-import { Dialect } from 'kysely';
-import { Request, ErrorRequestHandler, RequestHandler, Router } from 'express';
-
-/**
- * Discriminant codes for built-in {@link SentriError} instances.
- *
- * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
- * - `USER_NOT_FOUND` — an operation required a user that does not exist
- * - `USER_ALREADY_EXISTS` — registration was attempted with an identifier already in the database
- * - `IDENTIFIER_NOT_FOUND` — a referenced identifier ID does not exist or does not belong to the user
- * - `IDENTIFIER_ALREADY_EXISTS` — the identifier value is already taken by another user
- * - `TOKEN_EXPIRED` — the JWT was valid but its `exp` claim is in the past
- * - `TOKEN_INVALID` — the JWT could not be verified (bad signature, malformed, wrong type)
- * - `FORBIDDEN` — the user is authenticated but lacks the required role
- * - `UNAUTHORIZED` — no valid access token was present on the request, or the session was revoked
- * - `INVALID_ROLE` — a role name was used that is not in `validRoles`
- * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
- * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
- *
- * When you extend {@link SentriError} for your own error types you can use any
- * string as `code` — it does not need to be one of these built-in values.
- */
-type SentriErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'IDENTIFIER_NOT_FOUND' | 'IDENTIFIER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
-/**
- * Default HTTP status codes for built-in error codes.
- * Custom codes not in this map default to 500.
- *
- * @internal
- */
-declare const SENTRI_ERROR_STATUS: Record<string, number>;
-/**
- * Base error class for all authentication and authorization failures in sentri.
- *
- * Every error thrown by sentri is an instance of `SentriError`. The `code`
- * property is a machine-readable string that lets you distinguish error
- * types without string-matching on the message. Built-in codes are listed
- * in {@link SentriErrorCode}; custom subclasses may use any string.
- *
- * The `statusCode` property holds the HTTP status that the built-in router
- * and `auth.errorHandler()` will use in the response. For built-in codes
- * it is derived automatically. Pass it explicitly when subclassing with a
- * custom code.
- *
- * ---
- *
- * **Extending SentriError**
- *
- * You can create application-specific error classes by extending `SentriError`.
- * Any subclass will be caught automatically by `auth.errorHandler()` because
- * `instanceof SentriError` is `true` for all subclasses.
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * router.post('/checkout', auth.protect(), async (req, res) => {
- *   const ok = await chargeCard(req.body.cardToken);
- *   if (!ok) throw new PaymentError('Card declined');
- *   res.json({ success: true });
- * });
- * ```
- *
- * ---
- *
- * **Error handling in custom routes**
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Mount after all routes — catches SentriError from sentri AND your subclasses
- * app.use(auth.errorHandler());
- * ```
- */
-declare class SentriError extends Error {
-    /**
-     * Machine-readable error code.
-     * Built-in codes are defined by {@link SentriErrorCode}.
-     * Custom subclasses may use any string.
-     */
-    readonly code: string;
-    /**
-     * HTTP status code associated with this error.
-     * Derived automatically for built-in codes; pass it explicitly when
-     * subclassing with a custom `code`.
-     */
-    readonly statusCode: number;
-    constructor(code: SentriErrorCode | (string & {}), message: string, statusCode?: number);
-}
-
-/**
- * Minimal structured logger interface accepted by Sentri.
- *
- * Compatible out-of-the-box with **pino**, **winston**, and **console** — all
- * three expose `info`, `warn`, and `error` methods that accept an object argument.
- *
- * Pass an instance via `logger` in `ServerAuthConfig` or `ClientAuthConfig`.
- * When omitted, Sentri produces no log output (no-op default).
- *
- * Each call receives a plain `Record<string, unknown>` containing structured
- * fields — never a pre-formatted string — so your logger controls serialisation,
- * output destination, and timestamp format.
- *
- * @example
- * // pino
- * import pino from 'pino';
- * const auth = createAuth({ ..., logger: pino() });
- *
- * @example
- * // winston
- * import winston from 'winston';
- * const auth = createAuth({ ..., logger: winston.createLogger({ ... }) });
- *
- * @example
- * // console (zero setup, useful for development)
- * const auth = createAuth({ ..., logger: console });
- */
-interface SentriLogger {
-    info(data: Record<string, unknown>): void;
-    warn(data: Record<string, unknown>): void;
-    error(data: Record<string, unknown>): void;
-}
-
-interface ApiResponse<T = null> {
-    error: boolean;
-    statusCode: number;
-    message: string;
-    data: T | null;
-}
-/** A single identifier entry belonging to a user. */
-interface IdentifierRecord {
-    id: string;
-    type: string;
-    value: string;
-    isPrimary: boolean;
-}
-/**
- * The authenticated user shape. `identifier` and `identifierType` always
- * reflect the primary identifier. `identifiers` is populated only when the
- * full user object is fetched (e.g. GET /me) and is absent from JWT payloads.
- */
-interface AuthUser<TRole extends string = string> {
-    id: string;
-    /** Primary identifier value — embedded in the JWT payload. */
-    identifier: string;
-    /** Type of the primary identifier (e.g. 'email', 'username'). */
-    identifierType: string;
-    roles: TRole[];
-    /** All identifiers for this user. Only present in full user responses, not in JWT. */
-    identifiers?: IdentifierRecord[];
-}
-/** Input for a single identifier entry. */
-interface IdentifierInput {
-    /** Arbitrary label such as 'email', 'username', or 'phone'. */
-    type: string;
-    /** The globally unique identifier value. */
-    value: string;
-}
-type RegisterResult<TRole extends string = string> = {
-    success: true;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-type AuthResult<TRole extends string = string> = {
-    success: true;
-    accessToken: string;
-    refreshToken: string;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-type AssignRolesResult<TRole extends string = string> = {
-    success: true;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-type GetUserResult<TRole extends string = string> = {
-    success: true;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-type BulkIdentifiersResult = {
-    success: true;
-    identifiers: IdentifierRecord[];
-} | {
-    success: false;
-    error: SentriError;
-};
-type ChangePrimaryResult = {
-    success: true;
-    identifiers: IdentifierRecord[];
-} | {
-    success: false;
-    error: SentriError;
-};
-type ChangePasswordResult = {
-    success: true;
-} | {
-    success: false;
-    error: SentriError;
-};
-type RefreshResult<TRole extends string = string> = {
-    success: true;
-    accessToken: string;
-    refreshToken: string;
-    user: AuthUser<TRole>;
-} | {
-    success: false;
-    error: SentriError;
-};
-interface RegisterInput<TRole extends string = string> {
-    /**
-     * One or more identifiers for the new user. The first entry becomes the
-     * primary identifier (embedded in the JWT payload). All values must be
-     * globally unique. At least one identifier is required.
-     */
-    identifiers: IdentifierInput[];
-    password: string;
-    roles?: TRole[];
-}
-interface LoginInput {
-    /** Any of the user's identifier values — Sentri searches all types. */
-    identifier: string;
-    password: string;
-}
-interface CookieConfig {
-    name?: string;
-    httpOnly?: boolean;
-    secure?: boolean;
-    sameSite?: 'strict' | 'lax' | 'none';
-    path?: string;
-}
-interface AccessCookieConfig {
-    name?: string;
-    secure?: boolean;
-    sameSite?: 'strict' | 'lax' | 'none';
-    path?: string;
-}
-interface AuthHooks {
-    onLogin?: (user: AuthUser) => void | Promise<void>;
-    onFailedLogin?: (identifier: string, error: SentriError) => void | Promise<void>;
-    onLogout?: (userId: string) => void | Promise<void>;
-}
-interface RouterHandlers {
-    register?: (input: RegisterInput) => Promise<RegisterResult>;
-    login?: (input: LoginInput) => Promise<AuthResult>;
-    refresh?: (refreshToken: string) => Promise<RefreshResult>;
-    logout?: (refreshToken: string | undefined) => Promise<void>;
-    logoutAll?: (userId: string) => Promise<void>;
-    assignRoles?: (userId: string, roles: string[]) => Promise<AssignRolesResult>;
-    bulkCreateIdentifiers?: (userId: string, identifiers: IdentifierInput[]) => Promise<BulkIdentifiersResult>;
-    bulkUpdateIdentifiers?: (userId: string, updates: Array<{
-        id: string;
-        type: string;
-        value: string;
-    }>) => Promise<BulkIdentifiersResult>;
-    bulkDeleteIdentifiers?: (userId: string, ids: string[]) => Promise<BulkIdentifiersResult>;
-    changePrimaryIdentifier?: (userId: string, identifierId: string) => Promise<ChangePrimaryResult>;
-    changePassword?: (userId: string, currentPassword: string, newPassword: string) => Promise<ChangePasswordResult>;
-}
-interface ServerAuthConfig<TRole extends string = string> {
-    mode: 'server';
-    /** Kysely Dialect (e.g. PostgresDialect, MysqlDialect, SqliteDialect). */
-    dialect: Dialect;
-    /**
-     * JWT signing secret.
-     * - HS256/HS384/HS512: plain string, minimum 32 characters.
-     * - RS256/RS384/RS512: RSA private key in PEM format.
-     */
-    secret: string;
-    /**
-     * JWT signing algorithm.
-     * Use RS256/RS384/RS512 to enable the GET /keys endpoint for SSO.
-     * @default 'HS256'
-     */
-    algorithm?: 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512';
-    validRoles: readonly TRole[];
-    /** @default '15m' */
-    accessExpiresIn?: string | number;
-    /** @default '7d' */
-    refreshExpiresIn?: string | number;
-    /** @default 12 */
-    saltRounds?: number;
-    apiKey?: string;
-    cookie?: CookieConfig;
-    accessCookie?: AccessCookieConfig;
-    hooks?: AuthHooks;
-    router?: RouterHandlers;
-    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
-    /**
-     * Redis connection URL (e.g. `redis://localhost:6379`).
-     * When set, `auth.idempotencyMiddleware()` uses Redis as the cache backend
-     * instead of an in-memory Map — required for multi-process deployments.
-     */
-    redisUrl?: string;
-    /**
-     * Structured logger instance. Compatible with pino, winston, or console.
-     * When omitted, Sentri produces no log output.
-     */
-    logger?: SentriLogger;
-    /**
-     * Service name embedded in every log entry.
-     * @default 'sentri'
-     */
-    loggerService?: string;
-}
-interface ClientAuthConfig<TRole extends string = string> {
-    mode: 'client';
-    /** URL of the auth server's public key endpoint (e.g. https://auth.myapp.com/auth/keys). */
-    keyUri: string;
-    /** Optional — only needed for TypeScript type safety on authorize(). */
-    validRoles?: readonly TRole[];
-    /**
-     * Structured logger instance. Compatible with pino, winston, or console.
-     * When omitted, Sentri produces no log output.
-     */
-    logger?: SentriLogger;
-    /**
-     * Service name embedded in every log entry.
-     * @default 'sentri'
-     */
-    loggerService?: string;
-}
-type AuthConfig<TRole extends string = string> = ServerAuthConfig<TRole> | ClientAuthConfig<TRole>;
-
-/** A function that determines whether the current request is permitted. */
-type PermitCheck = (request: Request) => boolean | Promise<boolean>;
-/**
- * Options for {@link permit} when you need role-bypass alongside a resource check.
- *
- * @example
- * // Admins can edit any post; others only their own
- * auth.permit({
- *   roles: ['admin'],
- *   check: async (request) => {
- *     const post = await db.findPost(request.params['id']);
- *     return post?.authorId === request.user!.id;
- *   },
- * })
- */
-interface PermitOptions<TRole extends string> {
-    /**
-     * Roles whose members are granted access without running `check`.
-     * Use for privileged roles like `'admin'` that should bypass ownership checks.
-     */
-    roles?: TRole[];
-    /**
-     * Permission check executed when the user has none of the bypass `roles`.
-     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
-     * May be async — useful for database-backed ownership checks.
-     */
-    check: PermitCheck;
-}
-
-/**
- * Options for {@link createErrorHandler}.
- */
-interface ErrorHandlerOptions {
-    /**
-     * Called for errors that are **not** a `SentriError` instance (or subclass).
-     *
-     * Use this to log unexpected server errors before the generic 500 response
-     * is sent. The error is passed as-is and may be any unknown value.
-     *
-     * @example
-     * app.use(auth.errorHandler({
-     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
-     * }));
-     */
-    onUnhandled?: (error: unknown) => void;
-}
-/**
- * Creates an Express error-handling middleware that formats every `SentriError`
- * (including subclasses) into the standard sentri response envelope:
- *
- * ```json
- * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
- * ```
- *
- * Prefer using `auth.errorHandler()` instead of calling this directly:
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Must come after all route/middleware registrations
- * app.use(auth.errorHandler());
- * ```
- *
- * ---
- *
- * **Works with built-in sentri errors and your own subclasses**
- *
- * Because `instanceof SentriError` matches any subclass, you can define
- * application-specific error types and have them automatically formatted
- * by this handler:
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Extend SentriError for domain-specific failures
- * export class NotFoundError extends SentriError {
- *   constructor(resource: string) {
- *     super('NOT_FOUND', `${resource} not found`, 404);
- *   }
- * }
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // All of the above are caught and formatted by one handler
- * app.use(auth.errorHandler({
- *   onUnhandled: (err) => console.error('Unexpected error:', err),
- * }));
- * ```
- *
- * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
- * @returns An Express `ErrorRequestHandler` (4-argument middleware).
- */
-declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
-
-interface IdempotencyOptions {
-    /** @default 300_000 (5 minutes) */
-    ttl?: number;
-    /** @default 'X-Idempotency-Key' */
-    header?: string;
-    /** @default ['POST', 'PUT', 'PATCH'] */
-    methods?: string[];
-    /**
-     * Max in-memory entries (ignored when redisUrl is set).
-     * @default 10_000
-     */
-    maxSize?: number;
-    /**
-     * Redis connection URL (e.g. `redis://localhost:6379`).
-     * When set, uses Redis as the cache backend instead of in-memory Map.
-     */
-    redisUrl?: string;
-}
-/**
- * Middleware that deduplicates non-idempotent requests.
- *
- * When a request arrives with a matching idempotency key header, the cached
- * response is replayed immediately — the handler is not called again.
- * Responses are only cached for 2xx status codes.
- *
- * Two backends are available:
- * - **In-memory** (default) — zero dependencies, single-process only.
- * - **Redis** — set `redisUrl` to share state across processes/instances.
- *
- * When using `createAuthServer()`, prefer `auth.idempotencyMiddleware()` instead —
- * it automatically inherits the `redisUrl` from server config.
- *
- * @example
- * // Standalone usage
- * app.use(createIdempotencyMiddleware({ ttl: 60_000 }));
- *
- * @example
- * // Multi-process (Redis)
- * app.use(createIdempotencyMiddleware({ redisUrl: 'redis://localhost:6379' }));
- */
-declare function createIdempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
-
-interface AuthClient<TRole extends string = string> {
-    /** JWT authentication middleware. Reads Bearer token or access_token cookie. */
-    protect(): RequestHandler;
-    /** Role-based access middleware. Must follow protect(). */
-    authorize(...roles: TRole[]): RequestHandler;
-    /** Resource-level permission middleware. Must follow protect(). */
-    permit(check: PermitCheck): RequestHandler;
-    permit(options: PermitOptions<TRole>): RequestHandler;
-    /** Global error handler middleware. Mount after all routes. */
-    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
-}
-interface ServerAuthClient<TRole extends string = string> extends AuthClient<TRole> {
-    /** Hash a plain-text password. */
-    hashPassword(plain: string): Promise<string>;
-    /** Compare a plain-text password against a bcrypt hash. */
-    verifyPassword(plain: string, hash: string): Promise<boolean>;
-    /** Sign an access token. */
-    signAccessToken(payload: AuthUser<TRole>): string;
-    /** Sign a refresh token. */
-    signRefreshToken(sessionId: string): string;
-    /** Verify an access token. */
-    verifyAccessToken(token: string): AuthUser<TRole>;
-    /** Verify a refresh token. */
-    verifyRefreshToken(token: string): {
-        sessionId: string;
-    };
-    /** Extract the raw access token from an Express request. */
-    getCurrentAccessToken(request: Request): string | undefined;
-    /**
-     * Pre-built Express Router with auth endpoints.
-     * See README for the full endpoint list.
-     */
-    router(): Router;
-    /**
-     * Run database migrations to create sentri_users, sentri_sessions, and
-     * sentri_identifiers tables. Safe to call on every startup — uses IF NOT EXISTS.
-     */
-    migrate(): Promise<void>;
-    /**
-     * Idempotency middleware. Caches successful responses and replays them for
-     * duplicate requests with the same idempotency key header.
-     * Uses Redis backend when `redisUrl` is set in server config; otherwise in-memory.
-     */
-    idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
-    /** Register a new user with one or more identifiers. */
-    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
-    /** Authenticate a user by any of their identifier values, returns access + refresh tokens. */
-    login(input: LoginInput): Promise<AuthResult<TRole>>;
-    /** Rotate a refresh token, returns new token pair. */
-    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
-    /** Invalidate the session associated with the given refresh token. */
-    logout(refreshToken: string): Promise<void>;
-    /** Invalidate all sessions for a user. */
-    logoutAll(userId: string): Promise<void>;
-    /** Fetch a user by ID, including all their identifiers. Returns `success: false` if not found. */
-    getUser(userId: string): Promise<GetUserResult<TRole>>;
-    /** Change a user's password and revoke all their sessions. */
-    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
-    /** Add roles to a user (existing roles are preserved). */
-    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
-    /** Add new identifiers to a user in bulk. Returns the full updated identifier list. */
-    bulkCreateIdentifiers(userId: string, identifiers: IdentifierInput[]): Promise<BulkIdentifiersResult>;
-    /** Update type and value for multiple identifiers in bulk. Returns the full updated identifier list. */
-    bulkUpdateIdentifiers(userId: string, updates: Array<{
-        id: string;
-        type: string;
-        value: string;
-    }>): Promise<BulkIdentifiersResult>;
-    /** Delete multiple identifiers by ID. At least one identifier must remain. Returns the remaining list. */
-    bulkDeleteIdentifiers(userId: string, ids: string[]): Promise<BulkIdentifiersResult>;
-    /** Change which identifier is marked as primary (embedded in JWT on next login/refresh). */
-    changePrimaryIdentifier(userId: string, identifierId: string): Promise<ChangePrimaryResult>;
-}
-interface ClientAuthClient<TRole extends string = string> extends AuthClient<TRole> {
-}
-/**
- * Create a Sentri auth client.
- *
- * Pass `mode: 'server'` to get a full auth server with database, JWT signing,
- * and built-in endpoints. Pass `mode: 'client'` to get a stateless verifier
- * that validates tokens via the server's JWKS endpoint.
- *
- * For server mode with PostgreSQL, prefer `createAuthServer()` — it handles
- * RSA key generation and database setup automatically.
- *
- * @example
- * // Server mode
- * const auth = createAuth({
- *   mode: 'server',
- *   dialect: new PostgresDialect({ pool: new Pool({ connectionString: DATABASE_URL }) }),
- *   secret: process.env.JWT_SECRET!,
- *   validRoles: ['user', 'admin'] as const,
- * });
- *
- * @example
- * // Client mode
- * const auth = createAuth({
- *   mode: 'client',
- *   keyUri: 'https://auth.myapp.com/auth/keys',
- * });
- */
-declare function createAuth<TRole extends string = string>(config: ServerAuthConfig<TRole>): ServerAuthClient<TRole>;
-declare function createAuth<TRole extends string = string>(config: ClientAuthConfig<TRole>): ClientAuthClient<TRole>;
-
-type PostgresConfig = {
-    connectionString: string;
-    max?: number;
-} | {
-    host?: string;
-    port?: number;
-    database: string;
-    user: string;
-    password: string;
-    max?: number;
-};
-
-interface CreateServerOptions<TRole extends string = string> {
-    validRoles: readonly TRole[];
-    db: PostgresConfig;
-    accessExpiresIn?: string | number;
-    refreshExpiresIn?: string | number;
-    saltRounds?: number;
-    apiKey?: string;
-    cookie?: CookieConfig;
-    accessCookie?: AccessCookieConfig;
-    hooks?: AuthHooks;
-    router?: RouterHandlers;
-    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
-    /**
-     * Redis connection URL (e.g. `redis://localhost:6379`).
-     * When set, `auth.idempotencyMiddleware()` uses Redis as the cache backend.
-     */
-    redisUrl?: string;
-    /**
-     * Structured logger for all auth events.
-     * Accepts any object with `info`, `warn`, `error` methods (pino, winston, console).
-     * When omitted, sentri produces no log output.
-     */
-    logger?: SentriLogger;
-    /**
-     * Service name added to every log entry as `service`.
-     * Defaults to `'sentri'`.
-     */
-    loggerService?: string;
-}
-/**
- * Create a Sentri auth server for PostgreSQL.
- *
- * Convenience wrapper over `createAuth()` that:
- * - Accepts plain PostgreSQL connection params instead of a Kysely dialect
- * - Generates an RSA-2048 key pair at startup (RS256, ephemeral per process)
- * - Exposes `GET /keys` (JWKS) automatically for SSO with client-mode apps
- *
- * @example
- * const auth = createAuthServer({
- *   validRoles: ['user', 'admin'] as const,
- *   db: { connectionString: process.env.DATABASE_URL! },
- * });
- * await auth.migrate();
- * app.use('/auth', auth.router());
- *
- * @example
- * // With Redis idempotency cache (multi-process deployments)
- * const auth = createAuthServer({
- *   validRoles: ['user', 'admin'] as const,
- *   db: { connectionString: process.env.DATABASE_URL! },
- *   redisUrl: process.env.REDIS_URL,
- * });
- * app.use(auth.idempotencyMiddleware());
- */
-declare function createAuthServer<TRole extends string = string>(options: CreateServerOptions<TRole>): ServerAuthClient<TRole>;
-
-/**
- * Extract the raw access token string from an Express request.
- * Reads `Authorization: Bearer <token>` header first; falls back to the
- * `access_token` cookie (or the name set in `accessCookie.name`).
- * Returns `undefined` when no token is present.
- */
-declare function getCurrentAccessToken(request: Request, config: ServerAuthConfig): string | undefined;
-
-declare function register(input: RegisterInput, config: ServerAuthConfig): Promise<RegisterResult>;
-
-declare global {
-    namespace Express {
-        interface Request {
-            user?: AuthUser;
-            requestId?: string;
-        }
-    }
-}
-
-export { type AccessCookieConfig, type ApiResponse, type AssignRolesResult, type AuthClient, type AuthConfig, type AuthHooks, type AuthResult, type AuthUser, type BulkIdentifiersResult, type ChangePasswordResult, type ChangePrimaryResult, type ClientAuthClient, type ClientAuthConfig, type CookieConfig, type CreateServerOptions, type ErrorHandlerOptions, type GetUserResult, type IdempotencyOptions, type IdentifierInput, type IdentifierRecord, type LoginInput, type PermitCheck, type PermitOptions, type PostgresConfig, type RefreshResult, type RegisterInput, type RegisterResult, type RouterHandlers, SENTRI_ERROR_STATUS, SentriError, type SentriErrorCode, type SentriLogger, type ServerAuthClient, type ServerAuthConfig, createAuth, createAuthServer, createErrorHandler, createIdempotencyMiddleware, getCurrentAccessToken, register };
+export { AccessCookieConfig, ApiResponse, AssignRolesResult, AuthConfig, AuthHooks, AuthResult, AuthUser, BulkIdentifiersResult, ChangePasswordResult, ClientAuthConfig, CookieConfig, GetUserResult, IdentifierInput, IdentifierRecord, LoginInput, RefreshResult, RegisterInput, RegisterResult, RouterHandlers, SENTRI_ERROR_STATUS, SentriError, SentriErrorCode, SentriLogger, ServerAuthConfig } from './core/index.js';
+import 'kysely';