v1.19.0

changelog.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 2026-04-20 - 1.19.0 - feat(oidc)
+persist hashed OIDC tokens, authorization codes, and user consent in smartdata storage
+
+- replace in-memory OIDC authorization code, access token, refresh token, and consent stores with SmartData document classes
+- store authorization codes and tokens as hashes instead of persisting plaintext values, with helpers for matching, expiration, and revocation
+- persist and merge user consent scopes when issuing authorization codes
+- add cleanup lifecycle management for expired OIDC state and stop the cleanup task when reception shuts down
+- add tests covering hashed code/token matching, authorization code usage, refresh token revocation, and consent scope merging
+
+## 2026-04-20 - 1.18.0 - feat(reception)
+persist email action tokens and registration sessions for authentication and signup flows
+
+- add persisted email action tokens for email login and password reset with one-time consumption and expiry cleanup
+- store registration sessions in the database so signup state, email validation, and SMS verification survive restarts
+- enforce password changes through either a valid reset token or the current password
+- add housekeeping jobs and tests for token/session expiry and state persistence
+
 ## 2026-04-20 - 1.17.1 - fix(docs)
 refresh module readmes and add repository license file
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@idp.global/idp.global",
-  "version": "1.17.1",
+  "version": "1.19.0",
   "description": "An identity provider software managing user authentications, registrations, and sessions.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",

test/test.auth.node.ts

@@ -1,6 +1,8 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 
+import { EmailActionToken } from '../ts/reception/classes.emailactiontoken.js';
 import { LoginSession } from '../ts/reception/classes.loginsession.js';
+import { RegistrationSession } from '../ts/reception/classes.registrationsession.js';
 import { User } from '../ts/reception/classes.user.js';
 import * as plugins from '../ts/plugins.js';
 
@@ -12,6 +14,42 @@ const createTestLoginSession = () => {
   return loginSession;
 };
 
+const createTestEmailActionToken = () => {
+  const emailActionToken = new EmailActionToken();
+  emailActionToken.id = 'email-action-token';
+  emailActionToken.data.email = 'user@example.com';
+  emailActionToken.data.action = 'emailLogin';
+  emailActionToken.data.validUntil = Date.now() + 60_000;
+
+  let deleted = false;
+  (emailActionToken as EmailActionToken & { delete: () => Promise<void> }).delete = async () => {
+    deleted = true;
+  };
+
+  return {
+    emailActionToken,
+    wasDeleted: () => deleted,
+  };
+};
+
+const createTestRegistrationSession = () => {
+  const registrationSession = new RegistrationSession();
+  registrationSession.id = 'registration-session';
+  registrationSession.data.emailAddress = 'user@example.com';
+  registrationSession.data.validUntil = Date.now() + 60_000;
+
+  let deleted = false;
+  (registrationSession as RegistrationSession & { save: () => Promise<void> }).save = async () => undefined;
+  (registrationSession as RegistrationSession & { delete: () => Promise<void> }).delete = async () => {
+    deleted = true;
+  };
+
+  return {
+    registrationSession,
+    wasDeleted: () => deleted,
+  };
+};
+
 tap.test('hashes passwords with argon2 and verifies them', async () => {
   const passwordHash = await User.hashPassword('correct horse battery staple');
 
@@ -58,4 +96,45 @@ tap.test('persists transfer tokens as one-time hashes', async () => {
   expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
 });
 
+tap.test('consumes email action tokens exactly once', async () => {
+  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
+  const plainToken = EmailActionToken.createOpaqueToken('emailLogin');
+  emailActionToken.data.tokenHash = EmailActionToken.hashToken(plainToken);
+
+  expect(await emailActionToken.consume(plainToken)).toBeTrue();
+  expect(wasDeleted()).toBeTrue();
+});
+
+tap.test('invalidates expired email action tokens', async () => {
+  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
+  emailActionToken.data.tokenHash = EmailActionToken.hashToken('expired-token');
+  emailActionToken.data.validUntil = Date.now() - 1;
+
+  expect(await emailActionToken.consume('expired-token')).toBeFalse();
+  expect(wasDeleted()).toBeTrue();
+});
+
+tap.test('persists registration token validation and sms verification state', async () => {
+  const { registrationSession } = createTestRegistrationSession();
+  const emailToken = 'registration-token';
+  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken(emailToken);
+
+  expect(await registrationSession.validateEmailToken(emailToken)).toBeTrue();
+  expect(registrationSession.data.status).toEqual('emailValidated');
+  expect(registrationSession.data.collectedData.userData.email).toEqual('user@example.com');
+
+  registrationSession.data.smsCodeHash = RegistrationSession.hashToken('123456');
+  expect(await registrationSession.validateSmsCode('123456')).toBeTrue();
+  expect(registrationSession.data.status).toEqual('mobileVerified');
+});
+
+tap.test('removes expired registration sessions on token validation', async () => {
+  const { registrationSession, wasDeleted } = createTestRegistrationSession();
+  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken('expired-registration');
+  registrationSession.data.validUntil = Date.now() - 1;
+
+  expect(await registrationSession.validateEmailToken('expired-registration')).toBeFalse();
+  expect(wasDeleted()).toBeTrue();
+});
+
 export default tap.start();

test/test.oidc.node.ts

@@ -0,0 +1,76 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import { OidcAccessToken } from '../ts/reception/classes.oidcaccesstoken.js';
+import { OidcAuthorizationCode } from '../ts/reception/classes.oidcauthorizationcode.js';
+import { OidcRefreshToken } from '../ts/reception/classes.oidcrefreshtoken.js';
+import { OidcUserConsent } from '../ts/reception/classes.oidcuserconsent.js';
+
+tap.test('stores authorization codes as hashes and marks them used', async () => {
+  const authCode = new OidcAuthorizationCode();
+  authCode.id = 'oidc-auth-code';
+  authCode.data.codeHash = OidcAuthorizationCode.hashCode('plain-auth-code');
+
+  let saveCount = 0;
+  (authCode as OidcAuthorizationCode & { save: () => Promise<void> }).save = async () => {
+    saveCount++;
+  };
+
+  expect(authCode.matchesCode('plain-auth-code')).toBeTrue();
+  expect(authCode.matchesCode('wrong-code')).toBeFalse();
+
+  await authCode.markUsed();
+  expect(authCode.data.used).toBeTrue();
+  expect(saveCount).toEqual(1);
+});
+
+tap.test('stores access tokens without plaintext persistence', async () => {
+  const accessToken = new OidcAccessToken();
+  accessToken.id = 'oidc-access-token';
+  accessToken.data.tokenHash = OidcAccessToken.hashToken('plain-access-token');
+  accessToken.data.expiresAt = Date.now() + 60_000;
+
+  expect(accessToken.matchesToken('plain-access-token')).toBeTrue();
+  expect(accessToken.matchesToken('different-access-token')).toBeFalse();
+  expect(accessToken.isExpired()).toBeFalse();
+});
+
+tap.test('revokes persisted refresh tokens', async () => {
+  const refreshToken = new OidcRefreshToken();
+  refreshToken.id = 'oidc-refresh-token';
+  refreshToken.data.tokenHash = OidcRefreshToken.hashToken('plain-refresh-token');
+  refreshToken.data.expiresAt = Date.now() + 60_000;
+
+  let saveCount = 0;
+  (refreshToken as OidcRefreshToken & { save: () => Promise<void> }).save = async () => {
+    saveCount++;
+  };
+
+  expect(refreshToken.matchesToken('plain-refresh-token')).toBeTrue();
+  expect(refreshToken.data.revoked).toBeFalse();
+
+  await refreshToken.revoke();
+  expect(refreshToken.data.revoked).toBeTrue();
+  expect(saveCount).toEqual(1);
+});
+
+tap.test('merges user consent scopes without duplicates', async () => {
+  const consent = new OidcUserConsent();
+  consent.id = 'oidc-consent';
+  consent.data.userId = 'user-1';
+  consent.data.clientId = 'client-1';
+  consent.data.scopes = ['openid'];
+
+  let saveCount = 0;
+  (consent as OidcUserConsent & { save: () => Promise<void> }).save = async () => {
+    saveCount++;
+  };
+
+  await consent.grantScopes(['openid', 'email', 'profile']);
+
+  expect(consent.data.scopes.sort()).toEqual(['email', 'openid', 'profile']);
+  expect(consent.data.grantedAt).toBeGreaterThan(0);
+  expect(consent.data.updatedAt).toBeGreaterThan(0);
+  expect(saveCount).toEqual(1);
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@idp.global/idp.global',
-  version: '1.17.1',
+  version: '1.19.0',
   description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }

ts/reception/classes.emailactiontoken.ts

@@ -0,0 +1,49 @@
+import * as plugins from '../plugins.js';
+import { LoginSessionManager } from './classes.loginsessionmanager.js';
+
+@plugins.smartdata.Manager()
+export class EmailActionToken extends plugins.smartdata.SmartDataDbDoc<
+  EmailActionToken,
+  plugins.idpInterfaces.data.IEmailActionToken,
+  LoginSessionManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
+  public static createOpaqueToken(actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction) {
+    return `${actionArg}_${plugins.crypto.randomBytes(32).toString('base64url')}`;
+  }
+
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IEmailActionToken['data'] = {
+    email: '',
+    action: 'emailLogin',
+    tokenHash: '',
+    validUntil: 0,
+    createdAt: 0,
+  };
+
+  public isExpired() {
+    return this.data.validUntil < Date.now();
+  }
+
+  public matchesToken(tokenArg: string) {
+    return this.data.tokenHash === EmailActionToken.hashToken(tokenArg);
+  }
+
+  public async consume(tokenArg: string) {
+    if (this.isExpired() || !this.matchesToken(tokenArg)) {
+      if (this.isExpired()) {
+        await this.delete();
+      }
+      return false;
+    }
+
+    await this.delete();
+    return true;
+  }
+}

ts/reception/classes.housekeeping.ts

@@ -34,6 +34,46 @@ export class ReceptionHousekeeping {
       '2 * * * * *'
     );
 
+    this.taskmanager.addAndScheduleTask(
+      new plugins.taskbuffer.Task({
+        name: 'expiredEmailActionTokens',
+        taskFunction: async () => {
+          const expiredEmailActionTokens =
+            await this.receptionRef.loginSessionManager.CEmailActionToken.getInstances({
+              data: {
+                validUntil: {
+                  $lt: Date.now(),
+                } as any,
+              },
+            });
+          for (const emailActionToken of expiredEmailActionTokens) {
+            await emailActionToken.delete();
+          }
+        },
+      }),
+      '2 * * * * *'
+    );
+
+    this.taskmanager.addAndScheduleTask(
+      new plugins.taskbuffer.Task({
+        name: 'expiredRegistrationSessions',
+        taskFunction: async () => {
+          const expiredRegistrationSessions =
+            await this.receptionRef.registrationSessionManager.CRegistrationSession.getInstances({
+              data: {
+                validUntil: {
+                  $lt: Date.now(),
+                } as any,
+              },
+            });
+          for (const registrationSession of expiredRegistrationSessions) {
+            await registrationSession.delete();
+          }
+        },
+      }),
+      '2 * * * * *'
+    );
+
     this.taskmanager.start();
     logger.log('info', 'housekeeping started');
   }

ts/reception/classes.loginsessionmanager.ts

@@ -1,4 +1,5 @@
 import * as plugins from '../plugins.js';
+import { EmailActionToken } from './classes.emailactiontoken.js';
 import { LoginSession, type TRefreshTokenValidationResult } from './classes.loginsession.js';
 import { Reception } from './classes.reception.js';
 import { logger } from './logging.js';
@@ -10,18 +11,11 @@ export class LoginSessionManager {
     return this.receptionRef.db.smartdataDb;
   }
 
+  public CEmailActionToken = plugins.smartdata.setDefaultManagerForDoc(this, EmailActionToken);
   public CLoginSession = plugins.smartdata.setDefaultManagerForDoc(this, LoginSession);
 
-  public loginSessions = new plugins.lik.ObjectMap<LoginSession>();
-
   public typedRouter = new plugins.typedrequest.TypedRouter();
 
-  public emailTokenMap = new plugins.lik.ObjectMap<{
-    email: string;
-    token: string;
-    action: 'emailLogin' | 'passwordReset';
-  }>();
-
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -55,7 +49,6 @@ export class LoginSessionManager {
             }
 
             const loginSession = await LoginSession.createLoginSessionForUser(user);
-            this.loginSessions.add(loginSession);
             const refreshToken = await loginSession.getRefreshToken();
             if (!refreshToken) {
               throw new plugins.typedrequest.TypedResponseError('Could not create login session');
@@ -84,33 +77,21 @@ export class LoginSessionManager {
           });
           if (existingUser) {
             logger.log('info', `loginWithEmail found user: ${existingUser.data.email}`);
-            this.emailTokenMap.findOneAndRemoveSync(
+            const loginEmailToken = await this.createEmailActionToken(
-              (itemArg) => itemArg.email === existingUser.data.email
+              existingUser.data.email,
+              'emailLogin'
             );
-            const loginEmailToken = plugins.smartunique.uuid4();
-            this.emailTokenMap.add({
-              email: existingUser.data.email,
-              token: loginEmailToken,
-              action: 'emailLogin',
-            });
-            // lets make sure its only valid for 10 minutes
-            plugins.smartdelay.delayFor(600000, null, true).then(() => {
-              this.emailTokenMap.findOneAndRemoveSync(
-                (itemArg) => itemArg.token === loginEmailToken
-              );
-            });
             this.receptionRef.receptionMailer.sendLoginWithEMailMail(existingUser, loginEmailToken);
+            return {
+              status: 'ok',
+              testOnlyToken: process.env.TEST_MODE ? loginEmailToken : undefined,
+            };
           } else {
             logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`);
           }
-          const testOnlyToken =
-            process.env.TEST_MODE && existingUser
-              ? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
-                  ?.token
-              : undefined;
           return {
             status: 'ok',
-            testOnlyToken,
+            testOnlyToken: undefined,
           };
         }
       )
@@ -120,9 +101,11 @@ export class LoginSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
         'loginWithEmailAfterEmailTokenAquired',
         async (requestArg) => {
-          const tokenObject = this.emailTokenMap.findSync((itemArg) => {
+          const tokenObject = await this.consumeEmailActionToken(
-            return itemArg.email === requestArg.email && itemArg.token === requestArg.token;
+            requestArg.email,
-          });
+            requestArg.token,
+            'emailLogin'
+          );
           if (tokenObject) {
             const user = await this.receptionRef.userManager.CUser.getInstance({
               data: {
@@ -133,7 +116,6 @@ export class LoginSessionManager {
               throw new plugins.typedrequest.TypedResponseError('User not found');
             }
             const loginSession = await LoginSession.createLoginSessionForUser(user);
-            this.loginSessions.add(loginSession);
             const refreshToken = await loginSession.getRefreshToken();
             if (!refreshToken) {
               throw new plugins.typedrequest.TypedResponseError('Could not create login session');
@@ -213,23 +195,13 @@ export class LoginSessionManager {
             },
           });
           if (existingUser) {
-            this.emailTokenMap.findOneAndRemoveSync(
+            const resetToken = await this.createEmailActionToken(
-              (itemArg) => itemArg.email === existingUser.data.email
+              existingUser.data.email,
+              'passwordReset'
             );
-            this.emailTokenMap.add({
-              email: existingUser.data.email,
-              token: plugins.smartunique.shortId(),
-              action: 'passwordReset',
-            });
-            plugins.smartdelay.delayFor(600000, null, true).then(() => {
-              this.emailTokenMap.findOneAndRemoveSync(
-                (itemArg) => itemArg.email === existingUser.data.email
-              );
-            });
             this.receptionRef.receptionMailer.sendPasswordResetMail(
               existingUser,
-              this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
+              resetToken
-                .token
             );
           }
           // note: we always return ok here, since we don't want to give any indication as to wether a user is already registered with us.
@@ -244,6 +216,43 @@ export class LoginSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetNewPassword>(
         'setNewPassword',
         async (requestData) => {
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            data: {
+              email: requestData.email,
+            },
+          });
+
+          if (!user) {
+            throw new plugins.typedrequest.TypedResponseError('User not found');
+          }
+
+          if (requestData.tokenArg) {
+            const tokenObject = await this.consumeEmailActionToken(
+              requestData.email,
+              requestData.tokenArg,
+              'passwordReset'
+            );
+            if (!tokenObject) {
+              throw new plugins.typedrequest.TypedResponseError('Password reset token invalid');
+            }
+          } else if (requestData.oldPassword) {
+            const passwordOk = await this.receptionRef.userManager.CUser.verifyPassword(
+              requestData.oldPassword,
+              user.data.passwordHash
+            );
+            if (!passwordOk) {
+              throw new plugins.typedrequest.TypedResponseError('Old password invalid');
+            }
+          } else {
+            throw new plugins.typedrequest.TypedResponseError(
+              'Either a reset token or the old password is required'
+            );
+          }
+
+          user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
+            requestData.newPassword
+          );
+          await user.save();
           return {
             status: 'ok',
           };
@@ -393,4 +402,50 @@ export class LoginSessionManager {
     const isValid = await loginSession.validateTransferToken(transferTokenArg);
     return isValid ? loginSession : null;
   }
+
+  public async createEmailActionToken(
+    emailArg: string,
+    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
+  ) {
+    const existingTokens = await this.CEmailActionToken.getInstances({
+      'data.email': emailArg,
+      'data.action': actionArg,
+    });
+
+    for (const existingToken of existingTokens) {
+      await existingToken.delete();
+    }
+
+    const plainToken = EmailActionToken.createOpaqueToken(actionArg);
+    const emailActionToken = new EmailActionToken();
+    emailActionToken.id = plugins.smartunique.shortId();
+    emailActionToken.data = {
+      email: emailArg,
+      action: actionArg,
+      tokenHash: EmailActionToken.hashToken(plainToken),
+      validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
+      createdAt: Date.now(),
+    };
+    await emailActionToken.save();
+    return plainToken;
+  }
+
+  public async consumeEmailActionToken(
+    emailArg: string,
+    tokenArg: string,
+    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
+  ) {
+    const emailActionToken = await this.CEmailActionToken.getInstance({
+      'data.email': emailArg,
+      'data.action': actionArg,
+      'data.tokenHash': EmailActionToken.hashToken(tokenArg),
+    });
+
+    if (!emailActionToken) {
+      return null;
+    }
+
+    const consumed = await emailActionToken.consume(tokenArg);
+    return consumed ? emailActionToken : null;
+  }
 }

ts/reception/classes.oidcaccesstoken.ts

@@ -0,0 +1,34 @@
+import * as plugins from '../plugins.js';
+import type { OidcManager } from './classes.oidcmanager.js';
+
+@plugins.smartdata.Manager()
+export class OidcAccessToken extends plugins.smartdata.SmartDataDbDoc<
+  OidcAccessToken,
+  plugins.idpInterfaces.data.IOidcAccessToken,
+  OidcManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IOidcAccessToken['data'] = {
+    tokenHash: '',
+    clientId: '',
+    userId: '',
+    scopes: [],
+    expiresAt: 0,
+    issuedAt: 0,
+  };
+
+  public isExpired() {
+    return this.data.expiresAt < Date.now();
+  }
+
+  public matchesToken(tokenArg: string) {
+    return this.data.tokenHash === OidcAccessToken.hashToken(tokenArg);
+  }
+}

ts/reception/classes.oidcauthorizationcode.ts

@@ -0,0 +1,44 @@
+import * as plugins from '../plugins.js';
+import type { OidcManager } from './classes.oidcmanager.js';
+
+@plugins.smartdata.Manager()
+export class OidcAuthorizationCode extends plugins.smartdata.SmartDataDbDoc<
+  OidcAuthorizationCode,
+  plugins.idpInterfaces.data.IAuthorizationCode,
+  OidcManager
+> {
+  public static hashCode(codeArg: string) {
+    return plugins.smarthash.sha256FromStringSync(codeArg);
+  }
+
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IAuthorizationCode['data'] = {
+    codeHash: '',
+    clientId: '',
+    userId: '',
+    scopes: [],
+    redirectUri: '',
+    codeChallenge: undefined,
+    codeChallengeMethod: undefined,
+    nonce: undefined,
+    expiresAt: 0,
+    issuedAt: 0,
+    used: false,
+  };
+
+  public isExpired() {
+    return this.data.expiresAt < Date.now();
+  }
+
+  public matchesCode(codeArg: string) {
+    return this.data.codeHash === OidcAuthorizationCode.hashCode(codeArg);
+  }
+
+  public async markUsed() {
+    this.data.used = true;
+    await this.save();
+  }
+}

ts/reception/classes.oidcmanager.ts

@@ -1,6 +1,10 @@
 import * as plugins from '../plugins.js';
 import type { Reception } from './classes.reception.js';
 import type { App } from './classes.app.js';
+import { OidcAccessToken } from './classes.oidcaccesstoken.js';
+import { OidcAuthorizationCode } from './classes.oidcauthorizationcode.js';
+import { OidcRefreshToken } from './classes.oidcrefreshtoken.js';
+import { OidcUserConsent } from './classes.oidcuserconsent.js';
 
 /**
  * OidcManager handles OpenID Connect (OIDC) server functionality
@@ -12,25 +16,31 @@ export class OidcManager {
     return this.receptionRef.db.smartdataDb;
   }
 
-  // In-memory store for authorization codes (short-lived, 10 min TTL)
+  public COidcAuthorizationCode = plugins.smartdata.setDefaultManagerForDoc(
-  private authorizationCodes = new Map<string, plugins.idpInterfaces.data.IAuthorizationCode>();
+    this,
+    OidcAuthorizationCode
+  );
 
-  // In-memory store for access tokens (for validation)
+  public COidcAccessToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcAccessToken);
-  private accessTokens = new Map<string, plugins.idpInterfaces.data.IOidcAccessToken>();
 
-  // In-memory store for refresh tokens
+  public COidcRefreshToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcRefreshToken);
-  private refreshTokens = new Map<string, plugins.idpInterfaces.data.IOidcRefreshToken>();
 
-  // In-memory store for user consents (should be persisted later)
+  public COidcUserConsent = plugins.smartdata.setDefaultManagerForDoc(this, OidcUserConsent);
-  private userConsents = new Map<string, plugins.idpInterfaces.data.IUserConsent>();
+
+  private cleanupInterval: ReturnType<typeof setInterval> | null = null;
 
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
-
-    // Start cleanup task for expired codes/tokens
     this.startCleanupTask();
   }
 
+  public async stop() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+
   /**
    * Get the OIDC Discovery Document
    */
@@ -174,9 +184,11 @@ export class OidcManager {
     codeChallenge?: string,
     nonce?: string
   ): Promise<string> {
-    const code = plugins.smartunique.shortId(32);
+    const code = this.createOpaqueToken();
-    const authCode: plugins.idpInterfaces.data.IAuthorizationCode = {
+    const authCode = new OidcAuthorizationCode();
-      code,
+    authCode.id = plugins.smartunique.shortId(12);
+    authCode.data = {
+      codeHash: OidcAuthorizationCode.hashCode(code),
       clientId,
       userId,
       scopes,
@@ -184,11 +196,13 @@ export class OidcManager {
       codeChallenge,
       codeChallengeMethod: codeChallenge ? 'S256' : undefined,
       nonce,
-      expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
+      expiresAt: Date.now() + 10 * 60 * 1000,
+      issuedAt: Date.now(),
       used: false,
     };
 
-    this.authorizationCodes.set(code, authCode);
+    await authCode.save();
+    await this.upsertUserConsent(userId, clientId, scopes);
     return code;
   }
 
@@ -261,50 +275,48 @@ export class OidcManager {
     }
 
     // Find and validate authorization code
-    const authCode = this.authorizationCodes.get(code);
+    const authCode = await this.getAuthorizationCodeByCode(code);
     if (!authCode) {
       return this.tokenErrorResponse('invalid_grant', 'Invalid authorization code');
     }
 
-    if (authCode.used) {
+    if (authCode.data.used) {
-      // Code reuse attack - revoke all tokens for this code
-      this.authorizationCodes.delete(code);
       return this.tokenErrorResponse('invalid_grant', 'Authorization code already used');
     }
 
-    if (authCode.expiresAt < Date.now()) {
+    if (authCode.isExpired()) {
-      this.authorizationCodes.delete(code);
+      await authCode.delete();
       return this.tokenErrorResponse('invalid_grant', 'Authorization code expired');
     }
 
-    if (authCode.clientId !== app.data.oauthCredentials.clientId) {
+    if (authCode.data.clientId !== app.data.oauthCredentials.clientId) {
       return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
     }
 
-    if (authCode.redirectUri !== redirectUri) {
+    if (authCode.data.redirectUri !== redirectUri) {
       return this.tokenErrorResponse('invalid_grant', 'Redirect URI mismatch');
     }
 
     // Verify PKCE if code challenge was used
-    if (authCode.codeChallenge) {
+    if (authCode.data.codeChallenge) {
       if (!codeVerifier) {
         return this.tokenErrorResponse('invalid_grant', 'Code verifier required');
       }
       const expectedChallenge = this.generateS256Challenge(codeVerifier);
-      if (expectedChallenge !== authCode.codeChallenge) {
+      if (expectedChallenge !== authCode.data.codeChallenge) {
         return this.tokenErrorResponse('invalid_grant', 'Invalid code verifier');
       }
     }
 
     // Mark code as used
-    authCode.used = true;
+    await authCode.markUsed();
 
     // Generate tokens
     const tokens = await this.generateTokens(
-      authCode.userId,
+      authCode.data.userId,
       app.data.oauthCredentials.clientId,
-      authCode.scopes,
+      authCode.data.scopes,
-      authCode.nonce
+      authCode.data.nonce
     );
 
     return new Response(JSON.stringify(tokens), {
@@ -330,31 +342,30 @@ export class OidcManager {
       return this.tokenErrorResponse('invalid_request', 'Missing refresh_token');
     }
 
-    const tokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+    const storedToken = await this.getRefreshTokenByToken(refreshToken);
-    const storedToken = this.refreshTokens.get(tokenHash);
 
     if (!storedToken) {
       return this.tokenErrorResponse('invalid_grant', 'Invalid refresh token');
     }
 
-    if (storedToken.revoked) {
+    if (storedToken.data.revoked) {
       return this.tokenErrorResponse('invalid_grant', 'Refresh token has been revoked');
     }
 
-    if (storedToken.expiresAt < Date.now()) {
+    if (storedToken.isExpired()) {
-      this.refreshTokens.delete(tokenHash);
+      await storedToken.delete();
       return this.tokenErrorResponse('invalid_grant', 'Refresh token expired');
     }
 
-    if (storedToken.clientId !== app.data.oauthCredentials.clientId) {
+    if (storedToken.data.clientId !== app.data.oauthCredentials.clientId) {
       return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
     }
 
     // Generate new tokens (without new refresh token by default)
     const tokens = await this.generateTokens(
-      storedToken.userId,
+      storedToken.data.userId,
-      storedToken.clientId,
+      storedToken.data.clientId,
-      storedToken.scopes,
+      storedToken.data.scopes,
       undefined,
       false // Don't generate new refresh token
     );
@@ -384,18 +395,18 @@ export class OidcManager {
     const refreshTokenLifetime = 30 * 24 * 3600; // 30 days
 
     // Generate access token
-    const accessToken = plugins.smartunique.shortId(32);
+    const accessToken = this.createOpaqueToken();
-    const accessTokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const accessTokenData = new OidcAccessToken();
-    const accessTokenData: plugins.idpInterfaces.data.IOidcAccessToken = {
+    accessTokenData.id = plugins.smartunique.shortId(12);
-      id: plugins.smartunique.shortId(8),
+    accessTokenData.data = {
-      tokenHash: accessTokenHash,
+      tokenHash: OidcAccessToken.hashToken(accessToken),
       clientId,
       userId,
       scopes,
       expiresAt: now + accessTokenLifetime * 1000,
       issuedAt: now,
     };
-    this.accessTokens.set(accessTokenHash, accessTokenData);
+    await accessTokenData.save();
 
     // Generate ID token (JWT)
     const idToken = await this.generateIdToken(userId, clientId, scopes, nonce);
@@ -410,11 +421,11 @@ export class OidcManager {
 
     // Generate refresh token if requested
     if (includeRefreshToken) {
-      const refreshToken = plugins.smartunique.shortId(48);
+      const refreshToken = this.createOpaqueToken(48);
-      const refreshTokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+      const refreshTokenData = new OidcRefreshToken();
-      const refreshTokenData: plugins.idpInterfaces.data.IOidcRefreshToken = {
+      refreshTokenData.id = plugins.smartunique.shortId(12);
-        id: plugins.smartunique.shortId(8),
+      refreshTokenData.data = {
-        tokenHash: refreshTokenHash,
+        tokenHash: OidcRefreshToken.hashToken(refreshToken),
         clientId,
         userId,
         scopes,
@@ -422,7 +433,7 @@ export class OidcManager {
         issuedAt: now,
         revoked: false,
       };
-      this.refreshTokens.set(refreshTokenHash, refreshTokenData);
+      await refreshTokenData.save();
       response.refresh_token = refreshToken;
     }
 
@@ -482,8 +493,7 @@ export class OidcManager {
     }
 
     const accessToken = authHeader.substring(7);
-    const tokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const tokenData = await this.getAccessTokenByToken(accessToken);
-    const tokenData = this.accessTokens.get(tokenHash);
 
     if (!tokenData) {
       return new Response(JSON.stringify({ error: 'invalid_token' }), {
@@ -495,8 +505,8 @@ export class OidcManager {
       });
     }
 
-    if (tokenData.expiresAt < Date.now()) {
+    if (tokenData.isExpired()) {
-      this.accessTokens.delete(tokenHash);
+      await tokenData.delete();
       return new Response(JSON.stringify({ error: 'invalid_token', error_description: 'Token expired' }), {
         status: 401,
         headers: {
@@ -507,7 +517,7 @@ export class OidcManager {
     }
 
     // Get user claims based on token scopes
-    const userInfo = await this.getUserClaims(tokenData.userId, tokenData.scopes);
+    const userInfo = await this.getUserClaims(tokenData.data.userId, tokenData.data.scopes);
 
     return new Response(JSON.stringify(userInfo), {
       status: 200,
@@ -583,21 +593,20 @@ export class OidcManager {
       return new Response(null, { status: 200 }); // Spec says always return 200
     }
 
-    const tokenHash = await plugins.smarthash.sha256FromString(token);
-
     // Try to revoke as refresh token
     if (!tokenTypeHint || tokenTypeHint === 'refresh_token') {
-      const refreshToken = this.refreshTokens.get(tokenHash);
+      const refreshToken = await this.getRefreshTokenByToken(token);
       if (refreshToken) {
-        refreshToken.revoked = true;
+        await refreshToken.revoke();
         return new Response(null, { status: 200 });
       }
     }
 
     // Try to revoke as access token
     if (!tokenTypeHint || tokenTypeHint === 'access_token') {
-      if (this.accessTokens.has(tokenHash)) {
+      const accessToken = await this.getAccessTokenByToken(token);
-        this.accessTokens.delete(tokenHash);
+      if (accessToken) {
+        await accessToken.delete();
         return new Response(null, { status: 200 });
       }
     }
@@ -616,6 +625,53 @@ export class OidcManager {
     return apps[0] || null;
   }
 
+  private createOpaqueToken(byteLength = 32): string {
+    return plugins.crypto.randomBytes(byteLength).toString('base64url');
+  }
+
+  private async getAuthorizationCodeByCode(codeArg: string) {
+    return this.COidcAuthorizationCode.getInstance({
+      'data.codeHash': OidcAuthorizationCode.hashCode(codeArg),
+    });
+  }
+
+  private async getAccessTokenByToken(tokenArg: string) {
+    return this.COidcAccessToken.getInstance({
+      'data.tokenHash': OidcAccessToken.hashToken(tokenArg),
+    });
+  }
+
+  private async getRefreshTokenByToken(tokenArg: string) {
+    return this.COidcRefreshToken.getInstance({
+      'data.tokenHash': OidcRefreshToken.hashToken(tokenArg),
+    });
+  }
+
+  public async getUserConsent(userIdArg: string, clientIdArg: string) {
+    return this.COidcUserConsent.getInstance({
+      'data.userId': userIdArg,
+      'data.clientId': clientIdArg,
+    });
+  }
+
+  public async upsertUserConsent(
+    userIdArg: string,
+    clientIdArg: string,
+    scopesArg: plugins.idpInterfaces.data.TOidcScope[]
+  ) {
+    let userConsent = await this.getUserConsent(userIdArg, clientIdArg);
+
+    if (!userConsent) {
+      userConsent = new OidcUserConsent();
+      userConsent.id = plugins.smartunique.shortId(12);
+      userConsent.data.userId = userIdArg;
+      userConsent.data.clientId = clientIdArg;
+    }
+
+    await userConsent.grantScopes(scopesArg);
+    return userConsent;
+  }
+
   /**
    * Generate S256 PKCE challenge from verifier
    */
@@ -655,29 +711,45 @@ export class OidcManager {
    * Start cleanup task for expired tokens/codes
    */
   private startCleanupTask(): void {
-    setInterval(() => {
+    this.cleanupInterval = setInterval(() => {
-      const now = Date.now();
+      void this.cleanupExpiredOidcState();
+    }, 60 * 1000);
+  }
 
-      // Clean up expired authorization codes
+  private async cleanupExpiredOidcState() {
-      for (const [code, data] of this.authorizationCodes) {
+    const now = Date.now();
-        if (data.expiresAt < now) {
-          this.authorizationCodes.delete(code);
-        }
-      }
 
-      // Clean up expired access tokens
+    const expiredAuthorizationCodes = await this.COidcAuthorizationCode.getInstances({
-      for (const [hash, data] of this.accessTokens) {
+      data: {
-        if (data.expiresAt < now) {
+        expiresAt: {
-          this.accessTokens.delete(hash);
+          $lt: now,
-        }
+        } as any,
-      }
+      },
+    });
+    for (const authCode of expiredAuthorizationCodes) {
+      await authCode.delete();
+    }
 
-      // Clean up expired refresh tokens
+    const expiredAccessTokens = await this.COidcAccessToken.getInstances({
-      for (const [hash, data] of this.refreshTokens) {
+      data: {
-        if (data.expiresAt < now) {
+        expiresAt: {
-          this.refreshTokens.delete(hash);
+          $lt: now,
-        }
+        } as any,
-      }
+      },
-    }, 60 * 1000); // Run every minute
+    });
+    for (const accessToken of expiredAccessTokens) {
+      await accessToken.delete();
+    }
+
+    const expiredRefreshTokens = await this.COidcRefreshToken.getInstances({
+      data: {
+        expiresAt: {
+          $lt: now,
+        } as any,
+      },
+    });
+    for (const refreshToken of expiredRefreshTokens) {
+      await refreshToken.delete();
+    }
   }
 }

ts/reception/classes.oidcrefreshtoken.ts

@@ -0,0 +1,40 @@
+import * as plugins from '../plugins.js';
+import type { OidcManager } from './classes.oidcmanager.js';
+
+@plugins.smartdata.Manager()
+export class OidcRefreshToken extends plugins.smartdata.SmartDataDbDoc<
+  OidcRefreshToken,
+  plugins.idpInterfaces.data.IOidcRefreshToken,
+  OidcManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IOidcRefreshToken['data'] = {
+    tokenHash: '',
+    clientId: '',
+    userId: '',
+    scopes: [],
+    expiresAt: 0,
+    issuedAt: 0,
+    revoked: false,
+  };
+
+  public isExpired() {
+    return this.data.expiresAt < Date.now();
+  }
+
+  public matchesToken(tokenArg: string) {
+    return this.data.tokenHash === OidcRefreshToken.hashToken(tokenArg);
+  }
+
+  public async revoke() {
+    this.data.revoked = true;
+    await this.save();
+  }
+}

ts/reception/classes.oidcuserconsent.ts

@@ -0,0 +1,30 @@
+import * as plugins from '../plugins.js';
+import type { OidcManager } from './classes.oidcmanager.js';
+
+@plugins.smartdata.Manager()
+export class OidcUserConsent extends plugins.smartdata.SmartDataDbDoc<
+  OidcUserConsent,
+  plugins.idpInterfaces.data.IUserConsent,
+  OidcManager
+> {
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IUserConsent['data'] = {
+    userId: '',
+    clientId: '',
+    scopes: [],
+    grantedAt: 0,
+    updatedAt: 0,
+  };
+
+  public async grantScopes(scopesArg: plugins.idpInterfaces.data.TOidcScope[]) {
+    this.data.scopes = [...new Set([...this.data.scopes, ...scopesArg])];
+    if (!this.data.grantedAt) {
+      this.data.grantedAt = Date.now();
+    }
+    this.data.updatedAt = Date.now();
+    await this.save();
+  }
+}

ts/reception/classes.reception.ts

@@ -78,6 +78,7 @@ export class Reception {
    */
   public async stop() {
     await this.housekeeping.stop();
+    await this.oidcManager.stop();
     console.log('stopped serviceserver!');
     await this.db.stop();
   }

ts/reception/classes.registrationsession.ts

@@ -5,191 +5,187 @@ import { logger } from './logging.js';
 import { User } from './classes.user.js';
 
 /**
- * a RegistrationSession is a in memory session for signing up
+ * a RegistrationSession persists a sign up flow across restarts
  */
-export class RegistrationSession {
+@plugins.smartdata.Manager()
-  // ======
+export class RegistrationSession extends plugins.smartdata.SmartDataDbDoc<
-  // STATIC
+  RegistrationSession,
-  // ======
+  plugins.idpInterfaces.data.IRegistrationSession,
+  RegistrationSessionManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
   public static async createRegistrationSessionForEmail(
-    registrationSessionManageremailArg: RegistrationSessionManager,
     emailArg: string
   ) {
-    const newRegistrationSession = new RegistrationSession(
+    const newRegistrationSession = new RegistrationSession();
-      registrationSessionManageremailArg,
+    newRegistrationSession.id = plugins.smartunique.shortId();
-      emailArg
+    newRegistrationSession.data.emailAddress = emailArg;
-    );
+    newRegistrationSession.data.validUntil =
-    const emailValidationResult = await newRegistrationSession
+      Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 });
-      .validateEMailAddress()
+    newRegistrationSession.data.createdAt = Date.now();
-      .catch((error) => {
+
-        throw new plugins.typedrequest.TypedResponseError(
+    const emailValidationResult = await newRegistrationSession.validateEMailAddress().catch(() => {
-          'Error occured during email provider & dns validation'
+      throw new plugins.typedrequest.TypedResponseError(
-        );
+        'Error occured during email provider & dns validation'
-      });
+      );
+    });
+
     if (!emailValidationResult?.valid) {
-      newRegistrationSession.destroy();
       throw new plugins.typedrequest.TypedResponseError(
         'Email Address is not valid. Please use a correctly formated email address'
       );
     }
     if (emailValidationResult.disposable) {
-      newRegistrationSession.destroy();
       throw new plugins.typedrequest.TypedResponseError(
         'Email is disposable. Please use a non disposable email address.'
       );
     }
-    console.log(
+
-      `${newRegistrationSession.emailAddress} is valid. Continuing registration process!`
+    const validationToken = await newRegistrationSession.sendTokenValidationEmail();
-    );
+    newRegistrationSession.unhashedEmailToken = validationToken;
-    await newRegistrationSession.sendTokenValidationEmail();
-    console.log(`Successfully sent email validation email`);
     return newRegistrationSession;
   }
 
-  // ========
+  @plugins.smartdata.unI()
-  // INSTANCE
+  public id: string;
-  // ========
-  public registrationSessionManagerRef: RegistrationSessionManager;
 
-  public emailAddress: string;
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IRegistrationSession['data'] = {
+    emailAddress: '',
+    hashedEmailToken: '',
+    smsCodeHash: null,
+    smsvalidationCounter: 0,
+    status: 'announced',
+    validUntil: 0,
+    createdAt: 0,
+    collectedData: {
+      userData: {
+        username: null,
+        connectedOrgs: [],
+        email: null,
+        name: null,
+        status: null,
+        mobileNumber: null,
+        password: null,
+        passwordHash: null,
+      },
+    },
+  };
 
   /**
    * only used during testing
    */
   public unhashedEmailToken?: string;
-  public hashedEmailToken: string;
-  private smsvalidationCounter = 0;
-  public smsCode: string;
 
-  /**
+  public get emailAddress() {
-   * the status of the registration. should progress in a linear fashion.
+    return this.data.emailAddress;
-   */
+  }
-  public status: 'announced' | 'emailValidated' | 'mobileVerified' | 'registered' | 'failed' =
-    'announced';
 
-  public collectedData: {
+  public get status() {
-    userData: plugins.idpInterfaces.data.IUser['data'];
+    return this.data.status;
-  } = {
+  }
-    userData: {
-      username: null,
-      connectedOrgs: [],
-      email: null,
-      name: null,
-      status: null,
-      mobileNumber: null,
-      password: null,
-      passwordHash: null,
-    },
-  };
 
-  constructor(
+  public set status(statusArg: plugins.idpInterfaces.data.TRegistrationSessionStatus) {
-    registrationSessionManagerRefArg: RegistrationSessionManager,
+    this.data.status = statusArg;
-    emailAddressArg: string
+  }
-  ) {
-    this.registrationSessionManagerRef = registrationSessionManagerRefArg;
-    this.emailAddress = emailAddressArg;
-    this.registrationSessionManagerRef.registrationSessions.addToMap(this.emailAddress, this);
 
-    // lets destroy this after 10 minutes,
+  public get collectedData() {
-    // works in unrefed mode so not blocking node exiting.
+    return this.data.collectedData;
-    plugins.smartdelay.delayFor(600000, null, true).then(() => this.destroy());
+  }
+
+  public isExpired() {
+    return this.data.validUntil < Date.now();
   }
 
   /**
    * validates a token by comparing its hash against the stored hashed token
-   * @param tokenArg
    */
-  public validateEmailToken(tokenArg: string): boolean {
+  public async validateEmailToken(tokenArg: string): Promise<boolean> {
-    const result = this.hashedEmailToken === plugins.smarthash.sha256FromStringSync(tokenArg);
+    if (this.isExpired()) {
-    if (result && this.status === 'announced') {
+      await this.destroy();
-      this.status = 'emailValidated';
+      return false;
-      this.collectedData.userData.email = this.emailAddress;
     }
-    if (!result && this.status === 'announced') {
+
-      this.status = 'failed';
+    const result = this.data.hashedEmailToken === RegistrationSession.hashToken(tokenArg);
+    if (result && this.data.status === 'announced') {
+      this.data.status = 'emailValidated';
+      this.data.collectedData.userData.email = this.data.emailAddress;
+      await this.save();
+    }
+    if (!result && this.data.status === 'announced') {
+      this.data.status = 'failed';
+      await this.save();
     }
     return result;
   }
 
   /** validates the sms code */
-  public validateSmsCode(smsCodeArg: string) {
+  public async validateSmsCode(smsCodeArg: string) {
-    this.smsvalidationCounter++;
+    this.data.smsvalidationCounter++;
-    const result = this.smsCode === smsCodeArg;
+    const result = this.data.smsCodeHash === RegistrationSession.hashToken(smsCodeArg);
-    if (this.status === 'emailValidated' && result) {
+    if (this.data.status === 'emailValidated' && result) {
-      this.status = 'mobileVerified';
+      this.data.status = 'mobileVerified';
+      await this.save();
       return result;
-    } else {
-      if (this.smsvalidationCounter === 5) {
-        this.destroy();
-        throw new plugins.typedrequest.TypedResponseError(
-          'Registration cancelled due to repeated wrong verification code submission'
-        );
-      }
-      return false;
     }
+
+    if (this.data.smsvalidationCounter >= 5) {
+      await this.destroy();
+      throw new plugins.typedrequest.TypedResponseError(
+        'Registration cancelled due to repeated wrong verification code submission'
+      );
+    }
+
+    await this.save();
+    return false;
   }
 
-  /**
-   * validate the email address with provider and dns sanity checks
-   * @returns
-   */
   public async validateEMailAddress(): Promise<plugins.smartmail.IEmailValidationResult> {
-    console.log(`validating email ${this.emailAddress}`);
+    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.data.emailAddress);
-    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.emailAddress);
     return result;
   }
 
-  /**
-   * send the validation email
-   */
   public async sendTokenValidationEmail() {
     const uuidToSend = plugins.smartunique.uuid4();
-    this.unhashedEmailToken = uuidToSend;
+    this.data.hashedEmailToken = RegistrationSession.hashToken(uuidToSend);
-    this.hashedEmailToken = plugins.smarthash.sha256FromStringSync(uuidToSend);
+    await this.save();
-    this.registrationSessionManagerRef.receptionRef.receptionMailer.sendRegistrationEmail(
+    this.manager.receptionRef.receptionMailer.sendRegistrationEmail(this, uuidToSend);
-      this,
+    logger.log('info', `sent a validation email with a verification code to ${this.data.emailAddress}`);
-      uuidToSend
+    return uuidToSend;
-    );
-    logger.log('info', `sent a validation email with a verification code to ${this.emailAddress}`);
   }
 
-  /**
-   * validate the mobile number of someone
-   */
   public async sendValidationSms() {
-    this.smsCode =
+    const smsCode =
-      await this.registrationSessionManagerRef.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation(
+      await this.manager.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation({
-        {
+        fromName: this.manager.receptionRef.options.name,
-          fromName: this.registrationSessionManagerRef.receptionRef.options.name,
+        toNumber: parseInt(this.data.collectedData.userData.mobileNumber),
-          toNumber: parseInt(this.collectedData.userData.mobileNumber),
+      });
-        }
+    this.data.smsCodeHash = RegistrationSession.hashToken(smsCode);
-      );
+    await this.save();
+    return smsCode;
   }
 
-  /**
-   * this method can be called when this registrationsession is validated
-   * and all data has been set
-   */
   public async manifestUserWithAccountData(): Promise<User> {
-    if (this.status !== 'mobileVerified') {
+    if (this.data.status !== 'mobileVerified') {
       throw new plugins.typedrequest.TypedResponseError(
         'You can only manifest user that have a validated email Address and Mobile Number'
       );
     }
-    if (!this.collectedData) {
+    if (!this.data.collectedData) {
       throw new Error('You have to set the accountdata first');
     }
-    const manifestedUser =
+    const manifestedUser = await this.manager.receptionRef.userManager.CUser.createNewUserForUserData(
-      await this.registrationSessionManagerRef.receptionRef.userManager.CUser.createNewUserForUserData(
+      this.data.collectedData.userData as plugins.idpInterfaces.data.IUser['data']
-        this.collectedData.userData
+    );
-      );
+    this.data.status = 'registered';
+    await this.save();
     return manifestedUser;
   }
 
-  /**
+  public async destroy() {
-   * destroys the registrationsession
+    await this.delete();
-   */
-  public destroy() {
-    this.registrationSessionManagerRef.registrationSessions.removeFromMap(this.emailAddress);
   }
 }

ts/reception/classes.registrationsessionmanager.ts

@@ -5,10 +5,14 @@ import { logger } from './logging.js';
 
 export class RegistrationSessionManager {
   public receptionRef: Reception;
-
-  public registrationSessions = new plugins.lik.FastMap<RegistrationSession>();
   public typedRouter = new plugins.typedrequest.TypedRouter();
 
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+
+  public CRegistrationSession = plugins.smartdata.setDefaultManagerForDoc(this, RegistrationSession);
+
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -29,17 +33,16 @@ export class RegistrationSessionManager {
               `We sent you an Email with more information.`
             );
           }
-          // check for exiting SignupSession
+
-          const existingSession = this.registrationSessions.getByKey(requestData.email);
+          const existingSessions = await this.CRegistrationSession.getInstances({
-          if (existingSession) {
+            'data.emailAddress': requestData.email,
+          });
+          for (const existingSession of existingSessions) {
             logger.log('warn', `destroyed old signupSession for ${requestData.email}`);
-            existingSession.destroy();
+            await existingSession.destroy();
           }
 
-          // lets check the email before we create a signup session
-
           const newSignupSession = await RegistrationSession.createRegistrationSessionForEmail(
-            this,
             requestData.email
           ).catch((e: plugins.typedrequest.TypedResponseError) => {
             console.log(e.errorText);
@@ -63,10 +66,7 @@ export class RegistrationSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AfterRegistrationEmailClicked>(
         'afterRegistrationEmailClicked',
         async (requestData) => {
-          console.log(requestData);
+          const signupSession = await this.findRegistrationSessionByToken(requestData.token);
-          const signupSession = await this.registrationSessions.find(async (itemArg) =>
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (signupSession) {
             return {
               email: signupSession.emailAddress,
@@ -86,9 +86,7 @@ export class RegistrationSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetDataForRegistration>(
         'setDataForRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -114,9 +112,7 @@ export class RegistrationSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MobileVerificationForRegistration>(
         'mobileVerificationForRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -131,17 +127,16 @@ export class RegistrationSessionManager {
           }
 
           if (requestData.mobileNumber) {
-            registrationSession.status = 'emailValidated';
             registrationSession.collectedData.userData.mobileNumber = requestData.mobileNumber;
-            await registrationSession.sendValidationSms();
+            const smsCode = await registrationSession.sendValidationSms();
             return {
               messageSent: true,
-              testOnlySmsCode: process.env.TEST_MODE ? registrationSession.smsCode : null,
+              testOnlySmsCode: process.env.TEST_MODE ? smsCode : null,
             };
           }
 
           if (requestData.verificationCode) {
-            const validationResult = registrationSession.validateSmsCode(
+            const validationResult = await registrationSession.validateSmsCode(
               requestData.verificationCode
             );
             return {
@@ -160,9 +155,7 @@ export class RegistrationSessionManager {
       new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_FinishRegistration>(
         'finishRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -170,7 +163,7 @@ export class RegistrationSessionManager {
           }
 
           const resultingUser = await registrationSession.manifestUserWithAccountData();
-          registrationSession.destroy();
+          await registrationSession.destroy();
           this.receptionRef.receptionMailer.sendWelcomeEMail(resultingUser);
           return {
             accountData: {
@@ -187,4 +180,17 @@ export class RegistrationSessionManager {
       )
     );
   }
+
+  public async findRegistrationSessionByToken(tokenArg: string) {
+    const registrationSession = await this.CRegistrationSession.getInstance({
+      'data.hashedEmailToken': RegistrationSession.hashToken(tokenArg),
+    });
+
+    if (!registrationSession) {
+      return null;
+    }
+
+    const isValid = await registrationSession.validateEmailToken(tokenArg);
+    return isValid ? registrationSession : null;
+  }
 }

ts_interfaces/data/index.ts

@@ -1,5 +1,6 @@
 export * from './loint-reception.activity.js';
 export * from './loint-reception.app.js';
+export * from './loint-reception.emailactiontoken.js';
 export * from './loint-reception.oidc.js';
 export * from './loint-reception.appconnection.js';
 export * from './loint-reception.billingplan.js';
@@ -8,6 +9,7 @@ export * from './loint-reception.jwt.js';
 export * from './loint-reception.loginsession.js';
 export * from './loint-reception.organization.js';
 export * from './loint-reception.paddlecheckoutdata.js';
+export * from './loint-reception.registrationsession.js';
 export * from './loint-reception.role.js';
 export * from './loint-reception.user.js';
 export * from './loint-reception.userinvitation.js';

ts_interfaces/data/loint-reception.emailactiontoken.ts

@@ -0,0 +1,12 @@
+export type TEmailActionTokenAction = 'emailLogin' | 'passwordReset';
+
+export interface IEmailActionToken {
+  id: string;
+  data: {
+    email: string;
+    action: TEmailActionTokenAction;
+    tokenHash: string;
+    validUntil: number;
+    createdAt: number;
+  };
+}

ts_interfaces/data/loint-reception.oidc.ts

@@ -11,86 +11,94 @@ export type TOidcScope = 'openid' | 'profile' | 'email' | 'organizations' | 'rol
  * Authorization code for OAuth 2.0 authorization code flow
  */
 export interface IAuthorizationCode {
-  /** The authorization code string */
+  id: string;
-  code: string;
+  data: {
-  /** OAuth client ID */
+    /** Hashed authorization code string */
-  clientId: string;
+    codeHash: string;
-  /** User ID who authorized */
+    /** OAuth client ID */
-  userId: string;
+    clientId: string;
-  /** Scopes granted */
+    /** User ID who authorized */
-  scopes: TOidcScope[];
+    userId: string;
-  /** Redirect URI used in authorization request */
+    /** Scopes granted */
-  redirectUri: string;
+    scopes: TOidcScope[];
-  /** PKCE code challenge (S256 hashed) */
+    /** Redirect URI used in authorization request */
-  codeChallenge?: string;
+    redirectUri: string;
-  /** PKCE code challenge method */
+    /** PKCE code challenge (S256 hashed) */
-  codeChallengeMethod?: 'S256';
+    codeChallenge?: string;
-  /** Nonce from authorization request (for ID token) */
+    /** PKCE code challenge method */
-  nonce?: string;
+    codeChallengeMethod?: 'S256';
-  /** Expiration timestamp (10 minutes from creation) */
+    /** Nonce from authorization request (for ID token) */
-  expiresAt: number;
+    nonce?: string;
-  /** Whether the code has been used (single-use) */
+    /** Expiration timestamp (10 minutes from creation) */
-  used: boolean;
+    expiresAt: number;
+    /** Creation timestamp */
+    issuedAt: number;
+    /** Whether the code has been used (single-use) */
+    used: boolean;
+  };
 }
 
 /**
  * OIDC Access Token (opaque or JWT)
  */
 export interface IOidcAccessToken {
-  /** Token identifier */
   id: string;
-  /** The access token string (or hash for storage) */
+  data: {
-  tokenHash: string;
+    /** The access token string hash for storage */
-  /** OAuth client ID */
+    tokenHash: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** User ID */
+    clientId: string;
-  userId: string;
+    /** User ID */
-  /** Granted scopes */
+    userId: string;
-  scopes: TOidcScope[];
+    /** Granted scopes */
-  /** Expiration timestamp */
+    scopes: TOidcScope[];
-  expiresAt: number;
+    /** Expiration timestamp */
-  /** Creation timestamp */
+    expiresAt: number;
-  issuedAt: number;
+    /** Creation timestamp */
+    issuedAt: number;
+  };
 }
 
 /**
  * OIDC Refresh Token
  */
 export interface IOidcRefreshToken {
-  /** Token identifier */
   id: string;
-  /** The refresh token string (or hash for storage) */
+  data: {
-  tokenHash: string;
+    /** The refresh token string hash for storage */
-  /** OAuth client ID */
+    tokenHash: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** User ID */
+    clientId: string;
-  userId: string;
+    /** User ID */
-  /** Granted scopes */
+    userId: string;
-  scopes: TOidcScope[];
+    /** Granted scopes */
-  /** Expiration timestamp */
+    scopes: TOidcScope[];
-  expiresAt: number;
+    /** Expiration timestamp */
-  /** Creation timestamp */
+    expiresAt: number;
-  issuedAt: number;
+    /** Creation timestamp */
-  /** Whether the token has been revoked */
+    issuedAt: number;
-  revoked: boolean;
+    /** Whether the token has been revoked */
+    revoked: boolean;
+  };
 }
 
 /**
  * User consent record for an OAuth client
  */
 export interface IUserConsent {
-  /** Unique identifier */
   id: string;
-  /** User who gave consent */
+  data: {
-  userId: string;
+    /** User who gave consent */
-  /** OAuth client ID */
+    userId: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** Scopes the user consented to */
+    clientId: string;
-  scopes: TOidcScope[];
+    /** Scopes the user consented to */
-  /** When consent was granted */
+    scopes: TOidcScope[];
-  grantedAt: number;
+    /** When consent was granted */
-  /** When consent was last updated */
+    grantedAt: number;
-  updatedAt: number;
+    /** When consent was last updated */
+    updatedAt: number;
+  };
 }
 
 /**

ts_interfaces/data/loint-reception.registrationsession.ts

@@ -0,0 +1,31 @@
+export type TRegistrationSessionStatus =
+  | 'announced'
+  | 'emailValidated'
+  | 'mobileVerified'
+  | 'registered'
+  | 'failed';
+
+export interface IRegistrationSession {
+  id: string;
+  data: {
+    emailAddress: string;
+    hashedEmailToken: string;
+    smsCodeHash?: string | null;
+    smsvalidationCounter: number;
+    status: TRegistrationSessionStatus;
+    validUntil: number;
+    createdAt: number;
+    collectedData: {
+      userData: {
+        username?: string | null;
+        connectedOrgs: string[];
+        email?: string | null;
+        name?: string | null;
+        status?: 'new' | 'active' | 'deleted' | 'suspended' | null;
+        mobileNumber?: string | null;
+        password?: string | null;
+        passwordHash?: string | null;
+      };
+    };
+  };
+}

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@idp.global/idp.global',
-  version: '1.17.1',
+  version: '1.19.0',
   description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }