viyv-db-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 viyv
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/credential-store.d.ts

@@ -0,0 +1,9 @@
+import type { ICredentialStore, StoredCredentials } from './types.js';
+export declare class FileCredentialStore implements ICredentialStore {
+    private readonly filePath;
+    constructor(dir?: string);
+    load(): Promise<StoredCredentials | null>;
+    save(credentials: StoredCredentials): Promise<void>;
+    clear(): Promise<void>;
+}
+//# sourceMappingURL=credential-store.d.ts.map

package/dist/credential-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../src/credential-store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAKtE,qBAAa,mBAAoB,YAAW,gBAAgB;IAC3D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,GAAG,CAAC,EAAE,MAAM;IAIlB,IAAI,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IASzC,IAAI,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAanD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAO5B"}

package/dist/credential-store.js

@@ -0,0 +1,40 @@
+import { mkdir, readFile, rename, unlink, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { dirname, join } from 'node:path';
+const DEFAULT_DIR = join(homedir(), '.viyv');
+const DEFAULT_FILE = 'credentials.json';
+export class FileCredentialStore {
+    filePath;
+    constructor(dir) {
+        this.filePath = join(dir ?? DEFAULT_DIR, DEFAULT_FILE);
+    }
+    async load() {
+        try {
+            const data = await readFile(this.filePath, 'utf-8');
+            return JSON.parse(data);
+        }
+        catch {
+            return null;
+        }
+    }
+    async save(credentials) {
+        const dir = dirname(this.filePath);
+        await mkdir(dir, { recursive: true, mode: 0o700 });
+        // Atomic write: write to tmp file then rename
+        const tmpPath = `${this.filePath}.tmp`;
+        await writeFile(tmpPath, JSON.stringify(credentials, null, '\t'), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+        await rename(tmpPath, this.filePath);
+    }
+    async clear() {
+        try {
+            await unlink(this.filePath);
+        }
+        catch {
+            // File may not exist, that's fine
+        }
+    }
+}
+//# sourceMappingURL=credential-store.js.map

package/dist/credential-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.js","sourceRoot":"","sources":["../src/credential-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;AAC7C,MAAM,YAAY,GAAG,kBAAkB,CAAC;AAExC,MAAM,OAAO,mBAAmB;IACd,QAAQ,CAAS;IAElC,YAAY,GAAY;QACvB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,WAAW,EAAE,YAAY,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,IAAI;QACT,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAsB,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,WAA8B;QACxC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEnD,8CAA8C;QAC9C,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,QAAQ,MAAM,CAAC;QACvC,MAAM,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;YACjE,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,KAAK;SACX,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,KAAK;QACV,IAAI,CAAC;YACJ,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACR,kCAAkC;QACnC,CAAC;IACF,CAAC;CACD"}

package/dist/device-code-auth.d.ts

@@ -0,0 +1,13 @@
+import type { ICredentialStore, UserInfo } from './types.js';
+export declare class DeviceCodeAuth {
+    private readonly serverUrl;
+    private readonly store;
+    constructor(serverUrl: string, store: ICredentialStore);
+    login(): Promise<{
+        user: UserInfo;
+    }>;
+    private openBrowser;
+    private pollForToken;
+    private fetchUserInfo;
+}
+//# sourceMappingURL=device-code-auth.d.ts.map

package/dist/device-code-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code-auth.d.ts","sourceRoot":"","sources":["../src/device-code-auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAEX,gBAAgB,EAIhB,QAAQ,EAER,MAAM,YAAY,CAAC;AAEpB,qBAAa,cAAc;IAEzB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,gBAAgB;IAGnC,KAAK,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,QAAQ,CAAA;KAAE,CAAC;IAsC1C,OAAO,CAAC,WAAW;YASL,YAAY;YA0CZ,aAAa;CAgB3B"}

package/dist/device-code-auth.js

@@ -0,0 +1,98 @@
+import { execFile } from 'node:child_process';
+import { platform } from 'node:os';
+export class DeviceCodeAuth {
+    serverUrl;
+    store;
+    constructor(serverUrl, store) {
+        this.serverUrl = serverUrl;
+        this.store = store;
+    }
+    async login() {
+        // 1. Request device code
+        const deviceRes = await fetch(`${this.serverUrl}/oauth/device/code`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+        });
+        if (!deviceRes.ok) {
+            throw new Error(`Device code request failed (${deviceRes.status})`);
+        }
+        const device = (await deviceRes.json());
+        // 2. Display instructions
+        const url = device.verificationUriComplete ?? device.verificationUri;
+        process.stderr.write(`\nVisit ${url}\n`);
+        process.stderr.write(`and enter code: ${device.userCode}\n\n`);
+        // 3. Try to open browser
+        this.openBrowser(url);
+        // 4. Poll for token
+        const tokens = await this.pollForToken(device);
+        // 5. Fetch user info
+        const user = await this.fetchUserInfo(tokens.accessToken);
+        // 6. Save credentials
+        const credentials = {
+            tokens,
+            user,
+            serverUrl: this.serverUrl,
+        };
+        await this.store.save(credentials);
+        return { user };
+    }
+    openBrowser(url) {
+        const cmd = platform() === 'darwin' ? 'open' : platform() === 'win32' ? 'cmd' : 'xdg-open';
+        const cmdArgs = platform() === 'win32' ? ['/c', 'start', '', url] : [url];
+        execFile(cmd, cmdArgs, () => {
+            // Ignore errors — user can open manually
+        });
+    }
+    async pollForToken(device) {
+        const deadline = Date.now() + device.expiresIn * 1000;
+        const interval = Math.max(device.interval, 5) * 1000;
+        while (Date.now() < deadline) {
+            await sleep(interval);
+            const res = await fetch(`${this.serverUrl}/oauth/token`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                    device_code: device.deviceCode,
+                }),
+            });
+            if (res.ok) {
+                const data = (await res.json());
+                return {
+                    accessToken: data.access_token,
+                    refreshToken: data.refresh_token,
+                    expiresAt: Date.now() + data.expires_in * 1000,
+                    tokenType: data.token_type,
+                };
+            }
+            const body = (await res.json());
+            if (body.error === 'authorization_pending') {
+                continue;
+            }
+            if (body.error === 'slow_down') {
+                await sleep(5000);
+                continue;
+            }
+            throw new Error(`Device code auth failed: ${body.error ?? res.statusText}`);
+        }
+        throw new Error('Device code expired. Please try again.');
+    }
+    async fetchUserInfo(accessToken) {
+        const res = await fetch(`${this.serverUrl}/oauth/userinfo`, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        if (!res.ok) {
+            throw new Error(`Failed to fetch user info (${res.status})`);
+        }
+        const data = (await res.json());
+        return {
+            id: data.id,
+            email: data.email,
+            tenantId: data.tenant_id,
+        };
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=device-code-auth.js.map

package/dist/device-code-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code-auth.js","sourceRoot":"","sources":["../src/device-code-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAWnC,MAAM,OAAO,cAAc;IAER;IACA;IAFlB,YACkB,SAAiB,EACjB,KAAuB;QADvB,cAAS,GAAT,SAAS,CAAQ;QACjB,UAAK,GAAL,KAAK,CAAkB;IACtC,CAAC;IAEJ,KAAK,CAAC,KAAK;QACV,yBAAyB;QACzB,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,oBAAoB,EAAE;YACpE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAC/C,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,+BAA+B,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAuB,CAAC;QAE9D,0BAA0B;QAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,uBAAuB,IAAI,MAAM,CAAC,eAAe,CAAC;QACrE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,MAAM,CAAC,QAAQ,MAAM,CAAC,CAAC;QAE/D,yBAAyB;QACzB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAEtB,oBAAoB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE/C,qBAAqB;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE1D,sBAAsB;QACtB,MAAM,WAAW,GAAsB;YACtC,MAAM;YACN,IAAI;YACJ,SAAS,EAAE,IAAI,CAAC,SAAS;SACzB,CAAC;QACF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEnC,OAAO,EAAE,IAAI,EAAE,CAAC;IACjB,CAAC;IAEO,WAAW,CAAC,GAAW;QAC9B,MAAM,GAAG,GAAG,QAAQ,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3F,MAAM,OAAO,GAAG,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAE1E,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE;YAC3B,yCAAyC;QAC1C,CAAC,CAAC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAA0B;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;QACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;QAErD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC9B,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;YAEtB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,cAAc,EAAE;gBACxD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACpB,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC;aACF,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;gBACjD,OAAO;oBACN,WAAW,EAAE,IAAI,CAAC,YAAY;oBAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;oBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;oBAC9C,SAAS,EAAE,IAAI,CAAC,UAAU;iBAC1B,CAAC;YACH,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;YAEtD,IAAI,IAAI,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;gBAC5C,SAAS;YACV,CAAC;YACD,IAAI,IAAI,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;gBAChC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;gBAClB,SAAS;YACV,CAAC;YAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,IAAI,CAAC,KAAK,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC3D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,WAAmB;QAC9C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,iBAAiB,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;QACpD,OAAO;YACN,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,SAAS;SACxB,CAAC;IACH,CAAC;CACD;AAED,SAAS,KAAK,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { FileCredentialStore } from './credential-store.js';
+export { DeviceCodeAuth } from './device-code-auth.js';
+export { getValidToken, isTokenExpired, refreshTokens } from './token-refresh.js';
+export type { ICredentialStore, StoredCredentials, TokenSet, UserInfo, DeviceCodeResponse, TokenResponse, UserInfoResponse, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,YAAY,EACX,gBAAgB,EAChB,iBAAiB,EACjB,QAAQ,EACR,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,gBAAgB,GAChB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { FileCredentialStore } from './credential-store.js';
+export { DeviceCodeAuth } from './device-code-auth.js';
+export { getValidToken, isTokenExpired, refreshTokens } from './token-refresh.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/token-refresh.d.ts

@@ -0,0 +1,11 @@
+import type { ICredentialStore, StoredCredentials, TokenSet } from './types.js';
+export declare function isTokenExpired(tokens: TokenSet): boolean;
+export declare function refreshTokens(credentials: StoredCredentials, store: ICredentialStore): Promise<TokenSet>;
+/**
+ * Returns a valid access token, refreshing if expired.
+ */
+export declare function getValidToken(store: ICredentialStore): Promise<{
+    token: string;
+    credentials: StoredCredentials;
+} | null>;
+//# sourceMappingURL=token-refresh.d.ts.map

package/dist/token-refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-refresh.d.ts","sourceRoot":"","sources":["../src/token-refresh.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAiB,QAAQ,EAAE,MAAM,YAAY,CAAC;AAI/F,wBAAgB,cAAc,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAExD;AAED,wBAAsB,aAAa,CAClC,WAAW,EAAE,iBAAiB,EAC9B,KAAK,EAAE,gBAAgB,GACrB,OAAO,CAAC,QAAQ,CAAC,CA4BnB;AAED;;GAEG;AACH,wBAAsB,aAAa,CAClC,KAAK,EAAE,gBAAgB,GACrB,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,iBAAiB,CAAA;CAAE,GAAG,IAAI,CAAC,CAWnE"}

package/dist/token-refresh.js

@@ -0,0 +1,44 @@
+const EXPIRY_BUFFER_MS = 60_000; // Refresh 1 minute before expiry
+export function isTokenExpired(tokens) {
+    return Date.now() >= tokens.expiresAt - EXPIRY_BUFFER_MS;
+}
+export async function refreshTokens(credentials, store) {
+    if (!credentials.tokens.refreshToken) {
+        throw new Error('No refresh token available. Please login again.');
+    }
+    const response = await fetch(`${credentials.serverUrl}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            grant_type: 'refresh_token',
+            refresh_token: credentials.tokens.refreshToken,
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Token refresh failed (${response.status}). Please login again.`);
+    }
+    const data = (await response.json());
+    const newTokens = {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? credentials.tokens.refreshToken,
+        expiresAt: Date.now() + data.expires_in * 1000,
+        tokenType: data.token_type,
+    };
+    await store.save({ ...credentials, tokens: newTokens });
+    return newTokens;
+}
+/**
+ * Returns a valid access token, refreshing if expired.
+ */
+export async function getValidToken(store) {
+    const credentials = await store.load();
+    if (!credentials)
+        return null;
+    if (!isTokenExpired(credentials.tokens)) {
+        return { token: credentials.tokens.accessToken, credentials };
+    }
+    const newTokens = await refreshTokens(credentials, store);
+    const updated = { ...credentials, tokens: newTokens };
+    return { token: updated.tokens.accessToken, credentials: updated };
+}
+//# sourceMappingURL=token-refresh.js.map

package/dist/token-refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-refresh.js","sourceRoot":"","sources":["../src/token-refresh.ts"],"names":[],"mappings":"AAEA,MAAM,gBAAgB,GAAG,MAAM,CAAC,CAAC,iCAAiC;AAElE,MAAM,UAAU,cAAc,CAAC,MAAgB;IAC9C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,SAAS,GAAG,gBAAgB,CAAC;AAC1D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,WAA8B,EAC9B,KAAuB;IAEvB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,CAAC,SAAS,cAAc,EAAE;QACpE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,WAAW,CAAC,MAAM,CAAC,YAAY;SAC9C,CAAC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,wBAAwB,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;IACtD,MAAM,SAAS,GAAa;QAC3B,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,WAAW,CAAC,MAAM,CAAC,YAAY;QACnE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;QAC9C,SAAS,EAAE,IAAI,CAAC,UAAU;KAC1B,CAAC;IAEF,MAAM,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACxD,OAAO,SAAS,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,KAAuB;IAEvB,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACtD,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AACpE,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,48 @@
+/** OAuth token set */
+export interface TokenSet {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt: number;
+    tokenType: string;
+}
+/** User info from the auth server */
+export interface UserInfo {
+    id: string;
+    email: string;
+    tenantId: string;
+}
+/** Stored credentials (persisted to disk) */
+export interface StoredCredentials {
+    tokens: TokenSet;
+    user: UserInfo;
+    serverUrl: string;
+}
+/** Credential storage interface */
+export interface ICredentialStore {
+    load(): Promise<StoredCredentials | null>;
+    save(credentials: StoredCredentials): Promise<void>;
+    clear(): Promise<void>;
+}
+/** Device code response from auth server */
+export interface DeviceCodeResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete?: string;
+    expiresIn: number;
+    interval: number;
+}
+/** Token response from auth server */
+export interface TokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    expires_in: number;
+    token_type: string;
+}
+/** User info response from auth server */
+export interface UserInfoResponse {
+    id: string;
+    email: string;
+    tenant_id: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,sBAAsB;AACtB,MAAM,WAAW,QAAQ;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,QAAQ,CAAC;IACjB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,mCAAmC;AACnC,MAAM,WAAW,gBAAgB;IAChC,IAAI,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,4CAA4C;AAC5C,MAAM,WAAW,kBAAkB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,sCAAsC;AACtC,MAAM,WAAW,aAAa;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,0CAA0C;AAC1C,MAAM,WAAW,gBAAgB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CAClB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "viyv-db-auth",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Authentication implementation for viyv-db",
+  "license": "MIT",
+  "author": "viyv",
+  "engines": {
+    "node": ">=20"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "!dist/__tests__"
+  ],
+  "dependencies": {
+    "viyv-db-core": "0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "clean": "rm -rf dist"
+  }
+}