sentri 4.1.1 → 5.0.0

package/dist/adapters/express/index.d.cts

@@ -0,0 +1,308 @@
+import * as kysely from 'kysely';
+import { RequestHandler, Request, ErrorRequestHandler, Router } from 'express';
+import { AuthConfig, SentriLogger, ServerAuthConfig, AuthUser, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.cjs';
+export { ApiResponse, ClientAuthConfig, IdentifierRecord, SENTRI_ERROR_STATUS, SentriError, SentriErrorCode } from '../../core/index.cjs';
+
+declare function protect(config: AuthConfig): RequestHandler;
+
+/**
+ * Returns a logger-aware `authorize` factory bound to the given logger and service name.
+ * Used internally by `createAuth()` and `createAuthRouter()` to inject logging.
+ * Not part of the public API.
+ *
+ * @internal
+ */
+declare function createAuthorize(logger: SentriLogger, service: string): <TRole extends string>(...allowedRoles: TRole[]) => RequestHandler;
+/**
+ * Express middleware factory for role-based access control (RBAC).
+ *
+ * Passes if the authenticated user (set by `protect()`) has **at least one**
+ * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
+ * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
+ *
+ * Must be used **after** `protect()`.
+ *
+ * > **Logging** — when used via `auth.authorize()` from `createAuth()`, log entries
+ * > are emitted automatically using the logger configured in `AuthConfig`.
+ * > When called directly (standalone), no logging occurs.
+ *
+ * @param allowedRoles - One or more role strings. The user needs at least one of them.
+ * @returns An Express `RequestHandler` that enforces the role check.
+ *
+ * @example
+ * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
+ */
+declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
+
+/** A function that determines whether the current request is permitted. */
+type PermitCheck = (request: Request) => boolean | Promise<boolean>;
+/**
+ * Options for {@link permit} when you need role-bypass alongside a resource check.
+ *
+ * @example
+ * // Admins can edit any post; others only their own
+ * auth.permit({
+ *   roles: ['admin'],
+ *   check: async (request) => {
+ *     const post = await db.findPost(request.params['id']);
+ *     return post?.authorId === request.user!.id;
+ *   },
+ * })
+ */
+interface PermitOptions<TRole extends string> {
+    /**
+     * Roles whose members are granted access without running `check`.
+     * Use for privileged roles like `'admin'` that should bypass ownership checks.
+     */
+    roles?: TRole[];
+    /**
+     * Permission check executed when the user has none of the bypass `roles`.
+     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
+     * May be async — useful for database-backed ownership checks.
+     */
+    check: PermitCheck;
+}
+/**
+ * Returns a logger-aware `permit` factory bound to the given logger and service name.
+ * Used internally by `createAuth()` and `createAuthRouter()` to inject logging.
+ * Not part of the public API.
+ *
+ * @internal
+ */
+declare function createPermit(logger: SentriLogger, service: string): <TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck) => RequestHandler;
+/**
+ * Express middleware factory for resource-level permission checks.
+ *
+ * Must be used **after** `protect()`. Evaluates a check function against the
+ * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
+ *
+ * Accepts either a bare check function or an options object with an optional
+ * `roles` list whose members bypass the check entirely.
+ *
+ * **Performance:** when `check` returns a plain `boolean` (not a Promise) no
+ * extra microtask is queued — the result is handled synchronously. Async checks
+ * are awaited normally.
+ *
+ * > **Logging** — when used via `auth.permit()` from `createAuth()`, log entries
+ * > are emitted automatically using the logger configured in `AuthConfig`.
+ * > When called directly (standalone), no logging occurs.
+ *
+ * @example
+ * // Simple ownership check (sync — zero async overhead)
+ * router.put('/users/:id',
+ *   auth.protect(),
+ *   auth.permit((request) => request.user!.id === request.params['id']),
+ *   updateUserHandler,
+ * );
+ *
+ * @example
+ * // Admins bypass the check; others must own the post (async DB lookup)
+ * router.delete('/posts/:id',
+ *   auth.protect(),
+ *   auth.permit({
+ *     roles: ['admin'],
+ *     check: async (request) => {
+ *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
+ *       return post?.authorId === request.user!.id;
+ *     },
+ *   }),
+ *   deletePostHandler,
+ * );
+ */
+declare function permit<TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck): RequestHandler;
+
+/**
+ * Options for {@link createErrorHandler}.
+ */
+interface ErrorHandlerOptions {
+    /**
+     * Called for errors that are **not** a `SentriError` instance (or subclass).
+     *
+     * Use this to log unexpected server errors before the generic 500 response
+     * is sent. The error is passed as-is and may be any unknown value.
+     *
+     * @example
+     * app.use(auth.errorHandler({
+     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
+     * }));
+     */
+    onUnhandled?: (error: unknown) => void;
+}
+/**
+ * Creates an Express error-handling middleware that formats every `SentriError`
+ * (including subclasses) into the standard sentri response envelope:
+ *
+ * ```json
+ * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
+ * ```
+ *
+ * Prefer using `auth.errorHandler()` instead of calling this directly:
+ *
+ * ```typescript
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Must come after all route/middleware registrations
+ * app.use(auth.errorHandler());
+ * ```
+ *
+ * ---
+ *
+ * **Works with built-in sentri errors and your own subclasses**
+ *
+ * Because `instanceof SentriError` matches any subclass, you can define
+ * application-specific error types and have them automatically formatted
+ * by this handler:
+ *
+ * ```typescript
+ * import { SentriError } from 'sentri';
+ *
+ * // Extend SentriError for domain-specific failures
+ * export class NotFoundError extends SentriError {
+ *   constructor(resource: string) {
+ *     super('NOT_FOUND', `${resource} not found`, 404);
+ *   }
+ * }
+ *
+ * export class PaymentError extends SentriError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
+ *   }
+ * }
+ *
+ * // All of the above are caught and formatted by one handler
+ * app.use(auth.errorHandler({
+ *   onUnhandled: (err) => console.error('Unexpected error:', err),
+ * }));
+ * ```
+ *
+ * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
+ * @returns An Express `ErrorRequestHandler` (4-argument middleware).
+ */
+declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+
+interface IdempotencyOptions {
+    /** @default 300_000 (5 minutes) */
+    ttl?: number;
+    /** @default 'X-Idempotency-Key' */
+    header?: string;
+    /** @default ['POST', 'PUT', 'PATCH'] */
+    methods?: string[];
+    /**
+     * Max in-memory entries (ignored when redisUrl is set).
+     * @default 10_000
+     */
+    maxSize?: number;
+    /**
+     * Redis connection URL (e.g. `redis://localhost:6379`).
+     * When set, uses Redis as the cache backend instead of in-memory Map.
+     */
+    redisUrl?: string;
+}
+/**
+ * Middleware that deduplicates non-idempotent requests.
+ *
+ * When a request arrives with a matching idempotency key header, the cached
+ * response is replayed immediately — the handler is not called again.
+ * Responses are only cached for 2xx status codes.
+ *
+ * Two backends are available:
+ * - **In-memory** (default) — zero dependencies, single-process only.
+ * - **Redis** — set `redisUrl` to share state across processes/instances.
+ *
+ * When using `createAuthServer()`, prefer `auth.idempotencyMiddleware()` instead —
+ * it automatically inherits the `redisUrl` from server config.
+ *
+ * @example
+ * // Standalone usage
+ * app.use(createIdempotencyMiddleware({ ttl: 60_000 }));
+ *
+ * @example
+ * // Multi-process (Redis)
+ * app.use(createIdempotencyMiddleware({ redisUrl: 'redis://localhost:6379' }));
+ */
+declare function createIdempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+
+/**
+ * Extract the raw access token string from an Express request.
+ * Reads `Authorization: Bearer <token>` header first; falls back to the
+ * `access_token` cookie (or the name set in `accessCookie.name`).
+ * Returns `undefined` when no token is present.
+ */
+declare function getCurrentAccessToken(request: Request, config: ServerAuthConfig): string | undefined;
+
+declare function createAuthRouter<TRole extends string>(config: ServerAuthConfig<TRole>): Router;
+
+declare global {
+    namespace Express {
+        interface Request {
+            user?: AuthUser;
+            requestId?: string;
+        }
+    }
+}
+interface CreateExpressServerOptions<TRole extends string = string> {
+    mode: 'server';
+    validRoles: readonly TRole[];
+    dialect: kysely.Dialect;
+    accessExpiresIn?: string | number;
+    refreshExpiresIn?: string | number;
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    redisUrl?: string;
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface CreateExpressClientOptions<TRole extends string = string> {
+    mode: 'client';
+    keyUri: string;
+    validRoles?: readonly TRole[];
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface AuthExpressClient<TRole extends string = string> {
+    protect(): RequestHandler;
+    authorize(...roles: TRole[]): RequestHandler;
+    permit(check: PermitCheck): RequestHandler;
+    permit(options: PermitOptions<TRole>): RequestHandler;
+    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+}
+interface ServerAuthExpressClient<TRole extends string = string> extends AuthExpressClient<TRole> {
+    hashPassword(plain: string): Promise<string>;
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    signAccessToken(payload: AuthUser<TRole>): string;
+    signRefreshToken(sessionId: string): string;
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    getCurrentAccessToken(request: Request): string | undefined;
+    router(): Router;
+    migrate(): Promise<void>;
+    idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    logout(refreshToken: string): Promise<void>;
+    logoutAll(userId: string): Promise<void>;
+    getUser(userId: string): Promise<GetUserResult<TRole>>;
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
+    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
+    bulkCreateIdentifiers(userId: string, identifiers: IdentifierInput[]): Promise<BulkIdentifiersResult>;
+    bulkUpdateIdentifiers(userId: string, updates: Array<{
+        id: string;
+        type: string;
+        value: string;
+    }>): Promise<BulkIdentifiersResult>;
+    bulkDeleteIdentifiers(userId: string, ids: string[]): Promise<BulkIdentifiersResult>;
+}
+type ClientAuthExpressClient<TRole extends string = string> = AuthExpressClient<TRole>;
+declare function createAuthExpress<TRole extends string = string>(options: CreateExpressServerOptions<TRole>): ServerAuthExpressClient<TRole>;
+declare function createAuthExpress<TRole extends string = string>(options: CreateExpressClientOptions<TRole>): ClientAuthExpressClient<TRole>;
+
+export { AccessCookieConfig, AssignRolesResult, AuthConfig, type AuthExpressClient, AuthHooks, AuthResult, AuthUser, BulkIdentifiersResult, ChangePasswordResult, type ClientAuthExpressClient, CookieConfig, type CreateExpressClientOptions, type CreateExpressServerOptions, type ErrorHandlerOptions, GetUserResult, type IdempotencyOptions, IdentifierInput, LoginInput, type PermitCheck, type PermitOptions, RefreshResult, RegisterInput, RegisterResult, RouterHandlers, SentriLogger, ServerAuthConfig, type ServerAuthExpressClient, authorize, createAuthExpress, createAuthRouter, createAuthorize, createErrorHandler, createIdempotencyMiddleware, createPermit, getCurrentAccessToken, permit, protect };

package/dist/adapters/express/index.d.ts

@@ -0,0 +1,308 @@
+import * as kysely from 'kysely';
+import { RequestHandler, Request, ErrorRequestHandler, Router } from 'express';
+import { AuthConfig, SentriLogger, ServerAuthConfig, AuthUser, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.js';
+export { ApiResponse, ClientAuthConfig, IdentifierRecord, SENTRI_ERROR_STATUS, SentriError, SentriErrorCode } from '../../core/index.js';
+
+declare function protect(config: AuthConfig): RequestHandler;
+
+/**
+ * Returns a logger-aware `authorize` factory bound to the given logger and service name.
+ * Used internally by `createAuth()` and `createAuthRouter()` to inject logging.
+ * Not part of the public API.
+ *
+ * @internal
+ */
+declare function createAuthorize(logger: SentriLogger, service: string): <TRole extends string>(...allowedRoles: TRole[]) => RequestHandler;
+/**
+ * Express middleware factory for role-based access control (RBAC).
+ *
+ * Passes if the authenticated user (set by `protect()`) has **at least one**
+ * of the specified `allowedRoles`. Calls `next(SentriError)` with code `FORBIDDEN`
+ * if no roles match, or `UNAUTHORIZED` if `req.user` is absent.
+ *
+ * Must be used **after** `protect()`.
+ *
+ * > **Logging** — when used via `auth.authorize()` from `createAuth()`, log entries
+ * > are emitted automatically using the logger configured in `AuthConfig`.
+ * > When called directly (standalone), no logging occurs.
+ *
+ * @param allowedRoles - One or more role strings. The user needs at least one of them.
+ * @returns An Express `RequestHandler` that enforces the role check.
+ *
+ * @example
+ * router.delete('/posts/:id', protect(config), authorize('admin', 'moderator'), handler);
+ */
+declare function authorize<TRole extends string>(...allowedRoles: TRole[]): RequestHandler;
+
+/** A function that determines whether the current request is permitted. */
+type PermitCheck = (request: Request) => boolean | Promise<boolean>;
+/**
+ * Options for {@link permit} when you need role-bypass alongside a resource check.
+ *
+ * @example
+ * // Admins can edit any post; others only their own
+ * auth.permit({
+ *   roles: ['admin'],
+ *   check: async (request) => {
+ *     const post = await db.findPost(request.params['id']);
+ *     return post?.authorId === request.user!.id;
+ *   },
+ * })
+ */
+interface PermitOptions<TRole extends string> {
+    /**
+     * Roles whose members are granted access without running `check`.
+     * Use for privileged roles like `'admin'` that should bypass ownership checks.
+     */
+    roles?: TRole[];
+    /**
+     * Permission check executed when the user has none of the bypass `roles`.
+     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
+     * May be async — useful for database-backed ownership checks.
+     */
+    check: PermitCheck;
+}
+/**
+ * Returns a logger-aware `permit` factory bound to the given logger and service name.
+ * Used internally by `createAuth()` and `createAuthRouter()` to inject logging.
+ * Not part of the public API.
+ *
+ * @internal
+ */
+declare function createPermit(logger: SentriLogger, service: string): <TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck) => RequestHandler;
+/**
+ * Express middleware factory for resource-level permission checks.
+ *
+ * Must be used **after** `protect()`. Evaluates a check function against the
+ * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
+ *
+ * Accepts either a bare check function or an options object with an optional
+ * `roles` list whose members bypass the check entirely.
+ *
+ * **Performance:** when `check` returns a plain `boolean` (not a Promise) no
+ * extra microtask is queued — the result is handled synchronously. Async checks
+ * are awaited normally.
+ *
+ * > **Logging** — when used via `auth.permit()` from `createAuth()`, log entries
+ * > are emitted automatically using the logger configured in `AuthConfig`.
+ * > When called directly (standalone), no logging occurs.
+ *
+ * @example
+ * // Simple ownership check (sync — zero async overhead)
+ * router.put('/users/:id',
+ *   auth.protect(),
+ *   auth.permit((request) => request.user!.id === request.params['id']),
+ *   updateUserHandler,
+ * );
+ *
+ * @example
+ * // Admins bypass the check; others must own the post (async DB lookup)
+ * router.delete('/posts/:id',
+ *   auth.protect(),
+ *   auth.permit({
+ *     roles: ['admin'],
+ *     check: async (request) => {
+ *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
+ *       return post?.authorId === request.user!.id;
+ *     },
+ *   }),
+ *   deletePostHandler,
+ * );
+ */
+declare function permit<TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck): RequestHandler;
+
+/**
+ * Options for {@link createErrorHandler}.
+ */
+interface ErrorHandlerOptions {
+    /**
+     * Called for errors that are **not** a `SentriError` instance (or subclass).
+     *
+     * Use this to log unexpected server errors before the generic 500 response
+     * is sent. The error is passed as-is and may be any unknown value.
+     *
+     * @example
+     * app.use(auth.errorHandler({
+     *   onUnhandled: (err) => logger.error('Unhandled error', { err }),
+     * }));
+     */
+    onUnhandled?: (error: unknown) => void;
+}
+/**
+ * Creates an Express error-handling middleware that formats every `SentriError`
+ * (including subclasses) into the standard sentri response envelope:
+ *
+ * ```json
+ * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
+ * ```
+ *
+ * Prefer using `auth.errorHandler()` instead of calling this directly:
+ *
+ * ```typescript
+ * app.use('/auth', auth.router());
+ * app.use('/api', apiRouter);
+ *
+ * // Must come after all route/middleware registrations
+ * app.use(auth.errorHandler());
+ * ```
+ *
+ * ---
+ *
+ * **Works with built-in sentri errors and your own subclasses**
+ *
+ * Because `instanceof SentriError` matches any subclass, you can define
+ * application-specific error types and have them automatically formatted
+ * by this handler:
+ *
+ * ```typescript
+ * import { SentriError } from 'sentri';
+ *
+ * // Extend SentriError for domain-specific failures
+ * export class NotFoundError extends SentriError {
+ *   constructor(resource: string) {
+ *     super('NOT_FOUND', `${resource} not found`, 404);
+ *   }
+ * }
+ *
+ * export class PaymentError extends SentriError {
+ *   constructor(message: string) {
+ *     super('PAYMENT_FAILED', message, 402);
+ *   }
+ * }
+ *
+ * // All of the above are caught and formatted by one handler
+ * app.use(auth.errorHandler({
+ *   onUnhandled: (err) => console.error('Unexpected error:', err),
+ * }));
+ * ```
+ *
+ * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
+ * @returns An Express `ErrorRequestHandler` (4-argument middleware).
+ */
+declare function createErrorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+
+interface IdempotencyOptions {
+    /** @default 300_000 (5 minutes) */
+    ttl?: number;
+    /** @default 'X-Idempotency-Key' */
+    header?: string;
+    /** @default ['POST', 'PUT', 'PATCH'] */
+    methods?: string[];
+    /**
+     * Max in-memory entries (ignored when redisUrl is set).
+     * @default 10_000
+     */
+    maxSize?: number;
+    /**
+     * Redis connection URL (e.g. `redis://localhost:6379`).
+     * When set, uses Redis as the cache backend instead of in-memory Map.
+     */
+    redisUrl?: string;
+}
+/**
+ * Middleware that deduplicates non-idempotent requests.
+ *
+ * When a request arrives with a matching idempotency key header, the cached
+ * response is replayed immediately — the handler is not called again.
+ * Responses are only cached for 2xx status codes.
+ *
+ * Two backends are available:
+ * - **In-memory** (default) — zero dependencies, single-process only.
+ * - **Redis** — set `redisUrl` to share state across processes/instances.
+ *
+ * When using `createAuthServer()`, prefer `auth.idempotencyMiddleware()` instead —
+ * it automatically inherits the `redisUrl` from server config.
+ *
+ * @example
+ * // Standalone usage
+ * app.use(createIdempotencyMiddleware({ ttl: 60_000 }));
+ *
+ * @example
+ * // Multi-process (Redis)
+ * app.use(createIdempotencyMiddleware({ redisUrl: 'redis://localhost:6379' }));
+ */
+declare function createIdempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+
+/**
+ * Extract the raw access token string from an Express request.
+ * Reads `Authorization: Bearer <token>` header first; falls back to the
+ * `access_token` cookie (or the name set in `accessCookie.name`).
+ * Returns `undefined` when no token is present.
+ */
+declare function getCurrentAccessToken(request: Request, config: ServerAuthConfig): string | undefined;
+
+declare function createAuthRouter<TRole extends string>(config: ServerAuthConfig<TRole>): Router;
+
+declare global {
+    namespace Express {
+        interface Request {
+            user?: AuthUser;
+            requestId?: string;
+        }
+    }
+}
+interface CreateExpressServerOptions<TRole extends string = string> {
+    mode: 'server';
+    validRoles: readonly TRole[];
+    dialect: kysely.Dialect;
+    accessExpiresIn?: string | number;
+    refreshExpiresIn?: string | number;
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    redisUrl?: string;
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface CreateExpressClientOptions<TRole extends string = string> {
+    mode: 'client';
+    keyUri: string;
+    validRoles?: readonly TRole[];
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface AuthExpressClient<TRole extends string = string> {
+    protect(): RequestHandler;
+    authorize(...roles: TRole[]): RequestHandler;
+    permit(check: PermitCheck): RequestHandler;
+    permit(options: PermitOptions<TRole>): RequestHandler;
+    errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
+}
+interface ServerAuthExpressClient<TRole extends string = string> extends AuthExpressClient<TRole> {
+    hashPassword(plain: string): Promise<string>;
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    signAccessToken(payload: AuthUser<TRole>): string;
+    signRefreshToken(sessionId: string): string;
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    getCurrentAccessToken(request: Request): string | undefined;
+    router(): Router;
+    migrate(): Promise<void>;
+    idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
+    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    logout(refreshToken: string): Promise<void>;
+    logoutAll(userId: string): Promise<void>;
+    getUser(userId: string): Promise<GetUserResult<TRole>>;
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
+    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
+    bulkCreateIdentifiers(userId: string, identifiers: IdentifierInput[]): Promise<BulkIdentifiersResult>;
+    bulkUpdateIdentifiers(userId: string, updates: Array<{
+        id: string;
+        type: string;
+        value: string;
+    }>): Promise<BulkIdentifiersResult>;
+    bulkDeleteIdentifiers(userId: string, ids: string[]): Promise<BulkIdentifiersResult>;
+}
+type ClientAuthExpressClient<TRole extends string = string> = AuthExpressClient<TRole>;
+declare function createAuthExpress<TRole extends string = string>(options: CreateExpressServerOptions<TRole>): ServerAuthExpressClient<TRole>;
+declare function createAuthExpress<TRole extends string = string>(options: CreateExpressClientOptions<TRole>): ClientAuthExpressClient<TRole>;
+
+export { AccessCookieConfig, AssignRolesResult, AuthConfig, type AuthExpressClient, AuthHooks, AuthResult, AuthUser, BulkIdentifiersResult, ChangePasswordResult, type ClientAuthExpressClient, CookieConfig, type CreateExpressClientOptions, type CreateExpressServerOptions, type ErrorHandlerOptions, GetUserResult, type IdempotencyOptions, IdentifierInput, LoginInput, type PermitCheck, type PermitOptions, RefreshResult, RegisterInput, RegisterResult, RouterHandlers, SentriLogger, ServerAuthConfig, type ServerAuthExpressClient, authorize, createAuthExpress, createAuthRouter, createAuthorize, createErrorHandler, createIdempotencyMiddleware, createPermit, getCurrentAccessToken, permit, protect };