v1.20.0

feat(auth): add abuse protection for login and OIDC flows with consent-based authorization handling
v1.19.1
2026-04-20 09:46:13 +00:00 · 2026-04-20 09:46:13 +00:00 · 2026-04-20 08:44:05 +00:00 · 2026-04-20 08:44:05 +00:00 · 2026-04-20 08:40:40 +00:00 · 2026-04-20 08:40:40 +00:00
57 changed files with 2091 additions and 447 deletions
@@ -1,5 +1,38 @@
 # Changelog
 ## 2026-04-20 - 1.20.0 - feat(auth)
 add abuse protection for login and OIDC flows with consent-based authorization handling
 - introduces AbuseProtectionManager and AbuseWindow storage to rate limit password login, magic link, password reset, and OIDC token exchange attempts
 - adds housekeeping cleanup for expired abuse protection windows
 - adds typed OIDC prepare/complete authorization requests plus consent evaluation and redirect URL generation
 - updates the login prompt to support OIDC authorization continuation after user login or consent
 - includes tests for abuse protection behavior and OIDC authorization preparation/completion flows
 ## 2026-04-20 - 1.19.1 - fix(ts_interfaces)
 rename generated TypeScript interface files to remove the loint-reception prefix
 - Moves data and request interface files from loint-reception.* names to clean module names under ts_interfaces
 - Renames the shared plugins export to ts_interfaces/plugins.ts
 - Preserves interface contents while standardizing the generated file naming layout
 ## 2026-04-20 - 1.19.0 - feat(oidc)
 persist hashed OIDC tokens, authorization codes, and user consent in smartdata storage
 - replace in-memory OIDC authorization code, access token, refresh token, and consent stores with SmartData document classes
 - store authorization codes and tokens as hashes instead of persisting plaintext values, with helpers for matching, expiration, and revocation
 - persist and merge user consent scopes when issuing authorization codes
 - add cleanup lifecycle management for expired OIDC state and stop the cleanup task when reception shuts down
 - add tests covering hashed code/token matching, authorization code usage, refresh token revocation, and consent scope merging
 ## 2026-04-20 - 1.18.0 - feat(reception)
 persist email action tokens and registration sessions for authentication and signup flows
 - add persisted email action tokens for email login and password reset with one-time consumption and expiry cleanup
 - store registration sessions in the database so signup state, email validation, and SMS verification survive restarts
 - enforce password changes through either a valid reset token or the current password
 - add housekeeping jobs and tests for token/session expiry and state persistence
 ## 2026-04-20 - 1.17.1 - fix(docs)
 refresh module readmes and add repository license file
@@ -1,6 +1,6 @@
 {
  "name": "@idp.global/idp.global",
-  "version": "1.17.1",
+  "version": "1.20.0",
  "description": "An identity provider software managing user authentications, registrations, and sessions.",
  "main": "dist_ts/index.js",
  "typings": "dist_ts/index.d.ts",
@@ -0,0 +1,94 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import {
  AbuseProtectionManager,
  type IAbuseProtectionConfig,
 } from '../ts/reception/classes.abuseprotectionmanager.js';
 import { AbuseWindow } from '../ts/reception/classes.abusewindow.js';
 const createTestAbuseProtectionManager = () => {
  const manager = new AbuseProtectionManager({
    db: { smartdataDb: {} },
  } as any);
  const store = new Map<string, AbuseWindow>();
  const originalSave = AbuseWindow.prototype.save;
  const originalDelete = AbuseWindow.prototype.delete;
  (AbuseWindow.prototype as AbuseWindow & { save: () => Promise<void> }).save = async function () {
    store.set(this.id, this);
  };
  (AbuseWindow.prototype as AbuseWindow & { delete: () => Promise<void> }).delete = async function () {
    store.delete(this.id);
  };
  (manager as any).CAbuseWindow = {
    getInstance: async (queryArg) => store.get(queryArg.id) ?? null,
  };
  const restore = () => {
    AbuseWindow.prototype.save = originalSave;
    AbuseWindow.prototype.delete = originalDelete;
  };
  return {
    manager,
    store,
    restore,
  };
 };
 const testConfig: IAbuseProtectionConfig = {
  maxAttempts: 2,
  windowMillis: 1_000,
  blockDurationMillis: 2_000,
 };
 tap.test('blocks after too many attempts within the active window', async () => {
  const { manager, restore } = createTestAbuseProtectionManager();
  try {
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    await expect(manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig)).rejects.toThrow();
  } finally {
    restore();
  }
 });
 tap.test('resets attempts after the block and window have elapsed', async () => {
  const { manager, store, restore } = createTestAbuseProtectionManager();
  try {
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    await expect(manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig)).rejects.toThrow();
    const abuseWindow = Array.from(store.values())[0];
    abuseWindow.data.blockedUntil = Date.now() - 10;
    abuseWindow.data.windowStartedAt = Date.now() - testConfig.windowMillis - 10;
    abuseWindow.data.validUntil = Date.now() + 1_000;
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    expect(abuseWindow.data.attemptCount).toEqual(1);
  } finally {
    restore();
  }
 });
 tap.test('clears stored attempts after a successful action', async () => {
  const { manager, store, restore } = createTestAbuseProtectionManager();
  try {
    await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
    expect(store.size).toEqual(1);
    await manager.clearAttempts('passwordLogin', 'phil@example.com');
    expect(store.size).toEqual(0);
  } finally {
    restore();
  }
 });
 export default tap.start();
@@ -1,6 +1,8 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { EmailActionToken } from '../ts/reception/classes.emailactiontoken.js';
 import { LoginSession } from '../ts/reception/classes.loginsession.js';
 import { RegistrationSession } from '../ts/reception/classes.registrationsession.js';
 import { User } from '../ts/reception/classes.user.js';
 import * as plugins from '../ts/plugins.js';
@@ -12,6 +14,42 @@ const createTestLoginSession = () => {
  return loginSession;
 };
 const createTestEmailActionToken = () => {
  const emailActionToken = new EmailActionToken();
  emailActionToken.id = 'email-action-token';
  emailActionToken.data.email = 'user@example.com';
  emailActionToken.data.action = 'emailLogin';
  emailActionToken.data.validUntil = Date.now() + 60_000;
  let deleted = false;
  (emailActionToken as EmailActionToken & { delete: () => Promise<void> }).delete = async () => {
    deleted = true;
  };
  return {
    emailActionToken,
    wasDeleted: () => deleted,
  };
 };
 const createTestRegistrationSession = () => {
  const registrationSession = new RegistrationSession();
  registrationSession.id = 'registration-session';
  registrationSession.data.emailAddress = 'user@example.com';
  registrationSession.data.validUntil = Date.now() + 60_000;
  let deleted = false;
  (registrationSession as RegistrationSession & { save: () => Promise<void> }).save = async () => undefined;
  (registrationSession as RegistrationSession & { delete: () => Promise<void> }).delete = async () => {
    deleted = true;
  };
  return {
    registrationSession,
    wasDeleted: () => deleted,
  };
 };
 tap.test('hashes passwords with argon2 and verifies them', async () => {
  const passwordHash = await User.hashPassword('correct horse battery staple');
@@ -58,4 +96,45 @@ tap.test('persists transfer tokens as one-time hashes', async () => {
  expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
 });
 tap.test('consumes email action tokens exactly once', async () => {
  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
  const plainToken = EmailActionToken.createOpaqueToken('emailLogin');
  emailActionToken.data.tokenHash = EmailActionToken.hashToken(plainToken);
  expect(await emailActionToken.consume(plainToken)).toBeTrue();
  expect(wasDeleted()).toBeTrue();
 });
 tap.test('invalidates expired email action tokens', async () => {
  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
  emailActionToken.data.tokenHash = EmailActionToken.hashToken('expired-token');
  emailActionToken.data.validUntil = Date.now() - 1;
  expect(await emailActionToken.consume('expired-token')).toBeFalse();
  expect(wasDeleted()).toBeTrue();
 });
 tap.test('persists registration token validation and sms verification state', async () => {
  const { registrationSession } = createTestRegistrationSession();
  const emailToken = 'registration-token';
  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken(emailToken);
  expect(await registrationSession.validateEmailToken(emailToken)).toBeTrue();
  expect(registrationSession.data.status).toEqual('emailValidated');
  expect(registrationSession.data.collectedData.userData.email).toEqual('user@example.com');
  registrationSession.data.smsCodeHash = RegistrationSession.hashToken('123456');
  expect(await registrationSession.validateSmsCode('123456')).toBeTrue();
  expect(registrationSession.data.status).toEqual('mobileVerified');
 });
 tap.test('removes expired registration sessions on token validation', async () => {
  const { registrationSession, wasDeleted } = createTestRegistrationSession();
  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken('expired-registration');
  registrationSession.data.validUntil = Date.now() - 1;
  expect(await registrationSession.validateEmailToken('expired-registration')).toBeFalse();
  expect(wasDeleted()).toBeTrue();
 });
 export default tap.start();
@@ -0,0 +1,208 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { OidcAccessToken } from '../ts/reception/classes.oidcaccesstoken.js';
 import { OidcAuthorizationCode } from '../ts/reception/classes.oidcauthorizationcode.js';
 import { OidcManager } from '../ts/reception/classes.oidcmanager.js';
 import { OidcRefreshToken } from '../ts/reception/classes.oidcrefreshtoken.js';
 import { OidcUserConsent } from '../ts/reception/classes.oidcuserconsent.js';
 const createTestOidcManager = () => {
  const oidcManager = new OidcManager({
    db: { smartdataDb: {} },
    typedrouter: { addTypedRouter: () => undefined },
    options: { baseUrl: 'https://idp.example' },
  } as any);
  void oidcManager.stop();
  return oidcManager;
 };
 tap.test('stores authorization codes as hashes and marks them used', async () => {
  const authCode = new OidcAuthorizationCode();
  authCode.id = 'oidc-auth-code';
  authCode.data.codeHash = OidcAuthorizationCode.hashCode('plain-auth-code');
  let saveCount = 0;
  (authCode as OidcAuthorizationCode & { save: () => Promise<void> }).save = async () => {
    saveCount++;
  };
  expect(authCode.matchesCode('plain-auth-code')).toBeTrue();
  expect(authCode.matchesCode('wrong-code')).toBeFalse();
  await authCode.markUsed();
  expect(authCode.data.used).toBeTrue();
  expect(saveCount).toEqual(1);
 });
 tap.test('stores access tokens without plaintext persistence', async () => {
  const accessToken = new OidcAccessToken();
  accessToken.id = 'oidc-access-token';
  accessToken.data.tokenHash = OidcAccessToken.hashToken('plain-access-token');
  accessToken.data.expiresAt = Date.now() + 60_000;
  expect(accessToken.matchesToken('plain-access-token')).toBeTrue();
  expect(accessToken.matchesToken('different-access-token')).toBeFalse();
  expect(accessToken.isExpired()).toBeFalse();
 });
 tap.test('revokes persisted refresh tokens', async () => {
  const refreshToken = new OidcRefreshToken();
  refreshToken.id = 'oidc-refresh-token';
  refreshToken.data.tokenHash = OidcRefreshToken.hashToken('plain-refresh-token');
  refreshToken.data.expiresAt = Date.now() + 60_000;
  let saveCount = 0;
  (refreshToken as OidcRefreshToken & { save: () => Promise<void> }).save = async () => {
    saveCount++;
  };
  expect(refreshToken.matchesToken('plain-refresh-token')).toBeTrue();
  expect(refreshToken.data.revoked).toBeFalse();
  await refreshToken.revoke();
  expect(refreshToken.data.revoked).toBeTrue();
  expect(saveCount).toEqual(1);
 });
 tap.test('merges user consent scopes without duplicates', async () => {
  const consent = new OidcUserConsent();
  consent.id = 'oidc-consent';
  consent.data.userId = 'user-1';
  consent.data.clientId = 'client-1';
  consent.data.scopes = ['openid'];
  let saveCount = 0;
  (consent as OidcUserConsent & { save: () => Promise<void> }).save = async () => {
    saveCount++;
  };
  await consent.grantScopes(['openid', 'email', 'profile']);
  expect(consent.data.scopes.sort()).toEqual(['email', 'openid', 'profile']);
  expect(consent.data.grantedAt).toBeGreaterThan(0);
  expect(consent.data.updatedAt).toBeGreaterThan(0);
  expect(saveCount).toEqual(1);
 });
 tap.test('builds an OAuth redirect URL after successful authorization completion', async () => {
  const oidcManager = createTestOidcManager();
  (oidcManager as any).findAppByClientId = async () => ({
    data: {
      name: 'Example App',
      appUrl: 'https://app.example',
      logoUrl: 'https://app.example/logo.png',
      oauthCredentials: {
        clientId: 'client-1',
        redirectUris: ['https://app.example/callback'],
        allowedScopes: ['openid', 'profile', 'email'],
      },
    },
  });
  (oidcManager as any).generateAuthorizationCode = async () => 'generated-auth-code';
  (oidcManager as any).getUserConsent = async () => ({
    data: {
      scopes: ['openid', 'profile', 'email'],
    },
  });
  (oidcManager as any).upsertUserConsent = async () => undefined;
  const result = await oidcManager.completeAuthorizationForUser('user-1', {
    clientId: 'client-1',
    redirectUri: 'https://app.example/callback',
    scope: 'openid profile email',
    state: 'xyz-state',
    codeChallenge: 'challenge',
    codeChallengeMethod: 'S256',
    nonce: 'nonce-1',
    consentApproved: true,
  });
  expect(result.code).toEqual('generated-auth-code');
  expect(result.redirectUrl).toEqual(
    'https://app.example/callback?code=generated-auth-code&state=xyz-state'
  );
  await oidcManager.stop();
 });
 tap.test('prepares OAuth consent when scopes are not yet granted', async () => {
  const oidcManager = createTestOidcManager();
  (oidcManager as any).findAppByClientId = async () => ({
    data: {
      name: 'Example App',
      appUrl: 'https://app.example',
      logoUrl: 'https://app.example/logo.png',
      oauthCredentials: {
        clientId: 'client-1',
        redirectUris: ['https://app.example/callback'],
        allowedScopes: ['openid', 'profile', 'email'],
      },
    },
  });
  (oidcManager as any).getUserConsent = async () => ({
    data: {
      scopes: ['openid'],
    },
  });
  const result = await oidcManager.prepareAuthorizationForUser('user-1', {
    clientId: 'client-1',
    redirectUri: 'https://app.example/callback',
    scope: 'openid profile email',
    state: 'xyz-state',
    prompt: undefined,
    codeChallenge: undefined,
    codeChallengeMethod: undefined,
    nonce: undefined,
  });
  expect(result.status).toEqual('consent_required');
  expect(result.requestedScopes.sort()).toEqual(['email', 'openid', 'profile']);
  expect(result.grantedScopes).toEqual(['openid']);
  await oidcManager.stop();
 });
 tap.test('prepares OAuth authorization as ready when consent already exists', async () => {
  const oidcManager = createTestOidcManager();
  (oidcManager as any).findAppByClientId = async () => ({
    data: {
      name: 'Example App',
      appUrl: 'https://app.example',
      logoUrl: 'https://app.example/logo.png',
      oauthCredentials: {
        clientId: 'client-1',
        redirectUris: ['https://app.example/callback'],
        allowedScopes: ['openid', 'profile', 'email'],
      },
    },
  });
  (oidcManager as any).getUserConsent = async () => ({
    data: {
      scopes: ['openid', 'profile', 'email'],
    },
  });
  const result = await oidcManager.prepareAuthorizationForUser('user-1', {
    clientId: 'client-1',
    redirectUri: 'https://app.example/callback',
    scope: 'openid profile email',
    state: 'xyz-state',
    prompt: undefined,
    codeChallenge: undefined,
    codeChallengeMethod: undefined,
    nonce: undefined,
  });
  expect(result.status).toEqual('ready');
  await oidcManager.stop();
 });
 export default tap.start();
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@idp.global/idp.global',
-  version: '1.17.1',
+  version: '1.20.0',
  description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }
@@ -0,0 +1,102 @@
 import * as plugins from '../plugins.js';
 import { Reception } from './classes.reception.js';
 import { AbuseWindow } from './classes.abusewindow.js';
 export interface IAbuseProtectionConfig {
  maxAttempts: number;
  windowMillis: number;
  blockDurationMillis: number;
 }
 export class AbuseProtectionManager {
  public receptionRef: Reception;
  public get db() {
    return this.receptionRef.db.smartdataDb;
  }
  public CAbuseWindow = plugins.smartdata.setDefaultManagerForDoc(this, AbuseWindow);
  constructor(receptionRefArg: Reception) {
    this.receptionRef = receptionRefArg;
  }
  private normalizeIdentifier(identifierArg: string) {
    return identifierArg.trim().toLowerCase();
  }
  private hashIdentifier(identifierArg: string) {
    return plugins.smarthash.sha256FromStringSync(this.normalizeIdentifier(identifierArg));
  }
  private createWindowId(actionArg: string, identifierArg: string) {
    return plugins.smarthash.sha256FromStringSync(
      `${actionArg}:${this.hashIdentifier(identifierArg)}`
    );
  }
  private async getWindow(actionArg: string, identifierArg: string) {
    return this.CAbuseWindow.getInstance({
      id: this.createWindowId(actionArg, identifierArg),
    });
  }
  public async consumeAttempt(
    actionArg: string,
    identifierArg: string,
    configArg: IAbuseProtectionConfig,
    errorTextArg = 'Too many attempts. Please wait before trying again.'
  ) {
    const now = Date.now();
    let abuseWindow = await this.getWindow(actionArg, identifierArg);
    if (!abuseWindow) {
      abuseWindow = new AbuseWindow();
      abuseWindow.id = this.createWindowId(actionArg, identifierArg);
      abuseWindow.data.action = actionArg;
      abuseWindow.data.identifierHash = this.hashIdentifier(identifierArg);
      abuseWindow.data.createdAt = now;
    }
    if (abuseWindow.isBlocked(now)) {
      throw new plugins.typedrequest.TypedResponseError(errorTextArg);
    }
    if (abuseWindow.data.blockedUntil && abuseWindow.data.blockedUntil <= now) {
      abuseWindow.data.attemptCount = 0;
      abuseWindow.data.windowStartedAt = now;
      abuseWindow.data.blockedUntil = 0;
    }
    if (
      !abuseWindow.data.windowStartedAt ||
      abuseWindow.data.windowStartedAt + configArg.windowMillis <= now
    ) {
      abuseWindow.data.attemptCount = 0;
      abuseWindow.data.windowStartedAt = now;
    }
    abuseWindow.data.attemptCount += 1;
    abuseWindow.data.updatedAt = now;
    abuseWindow.data.validUntil = now + configArg.windowMillis;
    if (abuseWindow.data.attemptCount > configArg.maxAttempts) {
      abuseWindow.data.blockedUntil = now + configArg.blockDurationMillis;
      abuseWindow.data.validUntil = abuseWindow.data.blockedUntil;
      await abuseWindow.save();
      throw new plugins.typedrequest.TypedResponseError(errorTextArg);
    }
    await abuseWindow.save();
  }
  public async clearAttempts(actionArg: string, identifierArg: string) {
    const abuseWindow = await this.getWindow(actionArg, identifierArg);
    if (!abuseWindow) {
      return;
    }
    await abuseWindow.delete();
  }
 }
@@ -0,0 +1,33 @@
 import * as plugins from '../plugins.js';
 import type { AbuseProtectionManager } from './classes.abuseprotectionmanager.js';
@plugins.smartdata.Manager()
 export class AbuseWindow extends plugins.smartdata.SmartDataDbDoc<
  AbuseWindow,
  plugins.idpInterfaces.data.IAbuseWindow,
  AbuseProtectionManager
 > {
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IAbuseWindow['data'] = {
    action: '',
    identifierHash: '',
    attemptCount: 0,
    windowStartedAt: 0,
    blockedUntil: 0,
    validUntil: 0,
    createdAt: 0,
    updatedAt: 0,
  };
  public isBlocked(nowArg = Date.now()) {
    return this.data.blockedUntil > nowArg;
  }
  public isExpired(nowArg = Date.now()) {
    return this.data.validUntil < nowArg;
  }
 }
@@ -0,0 +1,49 @@
 import * as plugins from '../plugins.js';
 import { LoginSessionManager } from './classes.loginsessionmanager.js';
@plugins.smartdata.Manager()
 export class EmailActionToken extends plugins.smartdata.SmartDataDbDoc<
  EmailActionToken,
  plugins.idpInterfaces.data.IEmailActionToken,
  LoginSessionManager
 > {
  public static hashToken(tokenArg: string) {
    return plugins.smarthash.sha256FromStringSync(tokenArg);
  }
  public static createOpaqueToken(actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction) {
    return `${actionArg}_${plugins.crypto.randomBytes(32).toString('base64url')}`;
  }
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IEmailActionToken['data'] = {
    email: '',
    action: 'emailLogin',
    tokenHash: '',
    validUntil: 0,
    createdAt: 0,
  };
  public isExpired() {
    return this.data.validUntil < Date.now();
  }
  public matchesToken(tokenArg: string) {
    return this.data.tokenHash === EmailActionToken.hashToken(tokenArg);
  }
  public async consume(tokenArg: string) {
    if (this.isExpired() || !this.matchesToken(tokenArg)) {
      if (this.isExpired()) {
        await this.delete();
      }
      return false;
    }
    await this.delete();
    return true;
  }
 }
@@ -34,6 +34,66 @@ export class ReceptionHousekeeping {
      '2 * * * * *'
    );
    this.taskmanager.addAndScheduleTask(
      new plugins.taskbuffer.Task({
        name: 'expiredEmailActionTokens',
        taskFunction: async () => {
          const expiredEmailActionTokens =
            await this.receptionRef.loginSessionManager.CEmailActionToken.getInstances({
              data: {
                validUntil: {
                  $lt: Date.now(),
                } as any,
              },
            });
          for (const emailActionToken of expiredEmailActionTokens) {
            await emailActionToken.delete();
          }
        },
      }),
      '2 * * * * *'
    );
    this.taskmanager.addAndScheduleTask(
      new plugins.taskbuffer.Task({
        name: 'expiredRegistrationSessions',
        taskFunction: async () => {
          const expiredRegistrationSessions =
            await this.receptionRef.registrationSessionManager.CRegistrationSession.getInstances({
              data: {
                validUntil: {
                  $lt: Date.now(),
                } as any,
              },
            });
          for (const registrationSession of expiredRegistrationSessions) {
            await registrationSession.delete();
          }
        },
      }),
      '2 * * * * *'
    );
    this.taskmanager.addAndScheduleTask(
      new plugins.taskbuffer.Task({
        name: 'expiredAbuseWindows',
        taskFunction: async () => {
          const expiredAbuseWindows =
            await this.receptionRef.abuseProtectionManager.CAbuseWindow.getInstances({
              data: {
                validUntil: {
                  $lt: Date.now(),
                } as any,
              },
            });
          for (const abuseWindow of expiredAbuseWindows) {
            await abuseWindow.delete();
          }
        },
      }),
      '2 * * * * *'
    );
    this.taskmanager.start();
    logger.log('info', 'housekeeping started');
  }
@@ -1,27 +1,49 @@
 import * as plugins from '../plugins.js';
 import { EmailActionToken } from './classes.emailactiontoken.js';
 import { LoginSession, type TRefreshTokenValidationResult } from './classes.loginsession.js';
 import { Reception } from './classes.reception.js';
 import { logger } from './logging.js';
 export class LoginSessionManager {
  private readonly abuseProtectionConfigs = {
    passwordLogin: {
      maxAttempts: 5,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
    },
    emailLoginRequest: {
      maxAttempts: 5,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
    },
    emailLoginToken: {
      maxAttempts: 5,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
    },
    passwordResetRequest: {
      maxAttempts: 5,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
    },
    passwordResetCompletion: {
      maxAttempts: 5,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
    },
  };
  // refs
  public receptionRef: Reception;
  public get db() {
    return this.receptionRef.db.smartdataDb;
  }
  public CEmailActionToken = plugins.smartdata.setDefaultManagerForDoc(this, EmailActionToken);
  public CLoginSession = plugins.smartdata.setDefaultManagerForDoc(this, LoginSession);
  public loginSessions = new plugins.lik.ObjectMap<LoginSession>();
  public typedRouter = new plugins.typedrequest.TypedRouter();
  public emailTokenMap = new plugins.lik.ObjectMap<{
    email: string;
    token: string;
    action: 'emailLogin' | 'passwordReset';
  }>();
  constructor(receptionRefArg: Reception) {
    this.receptionRef = receptionRefArg;
    this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -29,6 +51,14 @@ export class LoginSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
        'loginWithEmailOrUsernameAndPassword',
        async (requestData) => {
          const loginIdentifier = requestData.username;
          await this.receptionRef.abuseProtectionManager.consumeAttempt(
            'passwordLogin',
            loginIdentifier,
            this.abuseProtectionConfigs.passwordLogin,
            'Too many login attempts. Please wait before trying again.'
          );
          let user = await this.receptionRef.userManager.CUser.getInstance({
            data: {
              username: requestData.username,
@@ -55,12 +85,16 @@ export class LoginSessionManager {
            }
            const loginSession = await LoginSession.createLoginSessionForUser(user);
            this.loginSessions.add(loginSession);
            const refreshToken = await loginSession.getRefreshToken();
            if (!refreshToken) {
              throw new plugins.typedrequest.TypedResponseError('Could not create login session');
            }
            await this.receptionRef.abuseProtectionManager.clearAttempts(
              'passwordLogin',
              loginIdentifier
            );
            return {
              refreshToken,
              twoFaNeeded: false,
@@ -76,6 +110,12 @@ export class LoginSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmail>(
        'loginWithEmail',
        async (requestDataArg) => {
          await this.receptionRef.abuseProtectionManager.consumeAttempt(
            'emailLoginRequest',
            requestDataArg.email,
            this.abuseProtectionConfigs.emailLoginRequest,
            'Too many magic link requests. Please wait before trying again.'
          );
          logger.log('info', `loginWithEmail requested for: ${requestDataArg.email}`);
          const existingUser = await this.receptionRef.userManager.CUser.getInstance({
            data: {
@@ -84,33 +124,21 @@ export class LoginSessionManager {
          });
          if (existingUser) {
            logger.log('info', `loginWithEmail found user: ${existingUser.data.email}`);
-            this.emailTokenMap.findOneAndRemoveSync(
+            const loginEmailToken = await this.createEmailActionToken(
-              (itemArg) => itemArg.email === existingUser.data.email
+              existingUser.data.email,
              'emailLogin'
            );
            const loginEmailToken = plugins.smartunique.uuid4();
            this.emailTokenMap.add({
              email: existingUser.data.email,
              token: loginEmailToken,
              action: 'emailLogin',
            });
            // lets make sure its only valid for 10 minutes
            plugins.smartdelay.delayFor(600000, null, true).then(() => {
              this.emailTokenMap.findOneAndRemoveSync(
                (itemArg) => itemArg.token === loginEmailToken
              );
            });
            this.receptionRef.receptionMailer.sendLoginWithEMailMail(existingUser, loginEmailToken);
            return {
              status: 'ok',
              testOnlyToken: process.env.TEST_MODE ? loginEmailToken : undefined,
            };
          } else {
            logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`);
          }
          const testOnlyToken =
            process.env.TEST_MODE && existingUser
              ? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
                  ?.token
              : undefined;
          return {
            status: 'ok',
-            testOnlyToken,
+            testOnlyToken: undefined,
          };
        }
      )
@@ -120,9 +148,17 @@ export class LoginSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
        'loginWithEmailAfterEmailTokenAquired',
        async (requestArg) => {
-          const tokenObject = this.emailTokenMap.findSync((itemArg) => {
+          await this.receptionRef.abuseProtectionManager.consumeAttempt(
-            return itemArg.email === requestArg.email && itemArg.token === requestArg.token;
+            'emailLoginToken',
-          });
+            requestArg.email,
            this.abuseProtectionConfigs.emailLoginToken,
            'Too many magic link attempts. Please wait before trying again.'
          );
          const tokenObject = await this.consumeEmailActionToken(
            requestArg.email,
            requestArg.token,
            'emailLogin'
          );
          if (tokenObject) {
            const user = await this.receptionRef.userManager.CUser.getInstance({
              data: {
@@ -133,11 +169,14 @@ export class LoginSessionManager {
              throw new plugins.typedrequest.TypedResponseError('User not found');
            }
            const loginSession = await LoginSession.createLoginSessionForUser(user);
            this.loginSessions.add(loginSession);
            const refreshToken = await loginSession.getRefreshToken();
            if (!refreshToken) {
              throw new plugins.typedrequest.TypedResponseError('Could not create login session');
            }
            await this.receptionRef.abuseProtectionManager.clearAttempts(
              'emailLoginToken',
              requestArg.email
            );
            return {
              refreshToken,
            };
@@ -206,6 +245,12 @@ export class LoginSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ResetPassword>(
        'resetPassword',
        async (requestDataArg) => {
          await this.receptionRef.abuseProtectionManager.consumeAttempt(
            'passwordResetRequest',
            requestDataArg.email,
            this.abuseProtectionConfigs.passwordResetRequest,
            'Too many password reset requests. Please wait before trying again.'
          );
          const emailOfPasswordToReset = requestDataArg.email;
          const existingUser = await this.receptionRef.userManager.CUser.getInstance({
            data: {
@@ -213,23 +258,13 @@ export class LoginSessionManager {
            },
          });
          if (existingUser) {
-            this.emailTokenMap.findOneAndRemoveSync(
+            const resetToken = await this.createEmailActionToken(
-              (itemArg) => itemArg.email === existingUser.data.email
+              existingUser.data.email,
              'passwordReset'
            );
            this.emailTokenMap.add({
              email: existingUser.data.email,
              token: plugins.smartunique.shortId(),
              action: 'passwordReset',
            });
            plugins.smartdelay.delayFor(600000, null, true).then(() => {
              this.emailTokenMap.findOneAndRemoveSync(
                (itemArg) => itemArg.email === existingUser.data.email
              );
            });
            this.receptionRef.receptionMailer.sendPasswordResetMail(
              existingUser,
-              this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
+              resetToken
                .token
            );
          }
          // note: we always return ok here, since we don't want to give any indication as to wether a user is already registered with us.
@@ -244,6 +279,53 @@ export class LoginSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetNewPassword>(
        'setNewPassword',
        async (requestData) => {
          await this.receptionRef.abuseProtectionManager.consumeAttempt(
            'passwordResetCompletion',
            requestData.email,
            this.abuseProtectionConfigs.passwordResetCompletion,
            'Too many password change attempts. Please wait before trying again.'
          );
          const user = await this.receptionRef.userManager.CUser.getInstance({
            data: {
              email: requestData.email,
            },
          });
          if (!user) {
            throw new plugins.typedrequest.TypedResponseError('User not found');
          }
          if (requestData.tokenArg) {
            const tokenObject = await this.consumeEmailActionToken(
              requestData.email,
              requestData.tokenArg,
              'passwordReset'
            );
            if (!tokenObject) {
              throw new plugins.typedrequest.TypedResponseError('Password reset token invalid');
            }
          } else if (requestData.oldPassword) {
            const passwordOk = await this.receptionRef.userManager.CUser.verifyPassword(
              requestData.oldPassword,
              user.data.passwordHash
            );
            if (!passwordOk) {
              throw new plugins.typedrequest.TypedResponseError('Old password invalid');
            }
          } else {
            throw new plugins.typedrequest.TypedResponseError(
              'Either a reset token or the old password is required'
            );
          }
          user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
            requestData.newPassword
          );
          await user.save();
          await this.receptionRef.abuseProtectionManager.clearAttempts(
            'passwordResetCompletion',
            requestData.email
          );
          return {
            status: 'ok',
          };
@@ -393,4 +475,50 @@ export class LoginSessionManager {
    const isValid = await loginSession.validateTransferToken(transferTokenArg);
    return isValid ? loginSession : null;
  }
  public async createEmailActionToken(
    emailArg: string,
    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
  ) {
    const existingTokens = await this.CEmailActionToken.getInstances({
      'data.email': emailArg,
      'data.action': actionArg,
    });
    for (const existingToken of existingTokens) {
      await existingToken.delete();
    }
    const plainToken = EmailActionToken.createOpaqueToken(actionArg);
    const emailActionToken = new EmailActionToken();
    emailActionToken.id = plugins.smartunique.shortId();
    emailActionToken.data = {
      email: emailArg,
      action: actionArg,
      tokenHash: EmailActionToken.hashToken(plainToken),
      validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
      createdAt: Date.now(),
    };
    await emailActionToken.save();
    return plainToken;
  }
  public async consumeEmailActionToken(
    emailArg: string,
    tokenArg: string,
    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
  ) {
    const emailActionToken = await this.CEmailActionToken.getInstance({
      'data.email': emailArg,
      'data.action': actionArg,
      'data.tokenHash': EmailActionToken.hashToken(tokenArg),
    });
    if (!emailActionToken) {
      return null;
    }
    const consumed = await emailActionToken.consume(tokenArg);
    return consumed ? emailActionToken : null;
  }
 }
@@ -0,0 +1,34 @@
 import * as plugins from '../plugins.js';
 import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
 export class OidcAccessToken extends plugins.smartdata.SmartDataDbDoc<
  OidcAccessToken,
  plugins.idpInterfaces.data.IOidcAccessToken,
  OidcManager
 > {
  public static hashToken(tokenArg: string) {
    return plugins.smarthash.sha256FromStringSync(tokenArg);
  }
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IOidcAccessToken['data'] = {
    tokenHash: '',
    clientId: '',
    userId: '',
    scopes: [],
    expiresAt: 0,
    issuedAt: 0,
  };
  public isExpired() {
    return this.data.expiresAt < Date.now();
  }
  public matchesToken(tokenArg: string) {
    return this.data.tokenHash === OidcAccessToken.hashToken(tokenArg);
  }
 }
@@ -0,0 +1,44 @@
 import * as plugins from '../plugins.js';
 import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
 export class OidcAuthorizationCode extends plugins.smartdata.SmartDataDbDoc<
  OidcAuthorizationCode,
  plugins.idpInterfaces.data.IAuthorizationCode,
  OidcManager
 > {
  public static hashCode(codeArg: string) {
    return plugins.smarthash.sha256FromStringSync(codeArg);
  }
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IAuthorizationCode['data'] = {
    codeHash: '',
    clientId: '',
    userId: '',
    scopes: [],
    redirectUri: '',
    codeChallenge: undefined,
    codeChallengeMethod: undefined,
    nonce: undefined,
    expiresAt: 0,
    issuedAt: 0,
    used: false,
  };
  public isExpired() {
    return this.data.expiresAt < Date.now();
  }
  public matchesCode(codeArg: string) {
    return this.data.codeHash === OidcAuthorizationCode.hashCode(codeArg);
  }
  public async markUsed() {
    this.data.used = true;
    await this.save();
  }
 }
@@ -1,36 +1,85 @@
 import * as plugins from '../plugins.js';
 import type { Reception } from './classes.reception.js';
 import type { App } from './classes.app.js';
 import { OidcAccessToken } from './classes.oidcaccesstoken.js';
 import { OidcAuthorizationCode } from './classes.oidcauthorizationcode.js';
 import { OidcRefreshToken } from './classes.oidcrefreshtoken.js';
 import { OidcUserConsent } from './classes.oidcuserconsent.js';
 /**
 * OidcManager handles OpenID Connect (OIDC) server functionality
 * for third-party client authentication.
 */
 export class OidcManager {
  private readonly abuseProtectionConfig = {
    oidcTokenExchange: {
      maxAttempts: 10,
      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
    },
  };
  public receptionRef: Reception;
  public get db() {
    return this.receptionRef.db.smartdataDb;
  }
-  // In-memory store for authorization codes (short-lived, 10 min TTL)
+  public typedRouter = new plugins.typedrequest.TypedRouter();
  private authorizationCodes = new Map<string, plugins.idpInterfaces.data.IAuthorizationCode>();
-  // In-memory store for access tokens (for validation)
+  public COidcAuthorizationCode = plugins.smartdata.setDefaultManagerForDoc(
-  private accessTokens = new Map<string, plugins.idpInterfaces.data.IOidcAccessToken>();
+    this,
    OidcAuthorizationCode
  );
-  // In-memory store for refresh tokens
+  public COidcAccessToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcAccessToken);
  private refreshTokens = new Map<string, plugins.idpInterfaces.data.IOidcRefreshToken>();
-  // In-memory store for user consents (should be persisted later)
+  public COidcRefreshToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcRefreshToken);
-  private userConsents = new Map<string, plugins.idpInterfaces.data.IUserConsent>();
+
  public COidcUserConsent = plugins.smartdata.setDefaultManagerForDoc(this, OidcUserConsent);
  private cleanupInterval: ReturnType<typeof setInterval> | null = null;
  constructor(receptionRefArg: Reception) {
    this.receptionRef = receptionRefArg;
    this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
-    // Start cleanup task for expired codes/tokens
+    this.typedRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization>(
        'prepareOidcAuthorization',
        async (requestArg) => {
          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
          if (!jwt) {
            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
          }
          return this.prepareAuthorizationForUser(jwt.data.userId, requestArg);
        }
      )
    );
    this.typedRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization>(
        'completeOidcAuthorization',
        async (requestArg) => {
          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
          if (!jwt) {
            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
          }
          return this.completeAuthorizationForUser(jwt.data.userId, requestArg);
        }
      )
    );
    this.startCleanupTask();
  }
  public async stop() {
    if (this.cleanupInterval) {
      clearInterval(this.cleanupInterval);
      this.cleanupInterval = null;
    }
  }
  /**
   * Get the OIDC Discovery Document
   */
@@ -118,6 +167,10 @@ export class OidcManager {
      return this.errorResponse('unsupported_response_type', 'Only code response type is supported');
    }
    if (prompt && !this.isSupportedPrompt(prompt)) {
      return this.errorResponse('invalid_request', 'Unsupported prompt value');
    }
    // Validate code challenge method if present
    if (codeChallenge && codeChallengeMethod !== 'S256') {
      return this.errorResponse('invalid_request', 'Only S256 code challenge method is supported');
@@ -159,6 +212,9 @@ export class OidcManager {
    if (nonce) {
      loginUrl.searchParams.set('nonce', nonce);
    }
    if (prompt) {
      loginUrl.searchParams.set('prompt', prompt);
    }
    return Response.redirect(loginUrl.toString(), 302);
  }
@@ -174,9 +230,11 @@ export class OidcManager {
    codeChallenge?: string,
    nonce?: string
  ): Promise<string> {
-    const code = plugins.smartunique.shortId(32);
+    const code = this.createOpaqueToken();
-    const authCode: plugins.idpInterfaces.data.IAuthorizationCode = {
+    const authCode = new OidcAuthorizationCode();
-      code,
+    authCode.id = plugins.smartunique.shortId(12);
    authCode.data = {
      codeHash: OidcAuthorizationCode.hashCode(code),
      clientId,
      userId,
      scopes,
@@ -184,14 +242,77 @@ export class OidcManager {
      codeChallenge,
      codeChallengeMethod: codeChallenge ? 'S256' : undefined,
      nonce,
-      expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
+      expiresAt: Date.now() + 10 * 60 * 1000,
      issuedAt: Date.now(),
      used: false,
    };
-    this.authorizationCodes.set(code, authCode);
+    await authCode.save();
    return code;
  }
  public async prepareAuthorizationForUser(
    userIdArg: string,
    requestArg: Omit<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['request'], 'jwt'>
  ): Promise<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['response']> {
    const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
    const consentState = await this.evaluateConsentRequirement(
      userIdArg,
      resolvedRequest.clientId,
      resolvedRequest.validScopes,
      resolvedRequest.prompt
    );
    return {
      status: consentState.consentRequired ? ('consent_required' as const) : ('ready' as const),
      clientId: resolvedRequest.clientId,
      appName: resolvedRequest.app.data.name,
      appUrl: resolvedRequest.app.data.appUrl,
      logoUrl: resolvedRequest.app.data.logoUrl,
      requestedScopes: resolvedRequest.validScopes,
      grantedScopes: consentState.grantedScopes,
    };
  }
  public async completeAuthorizationForUser(
    userIdArg: string,
    requestArg: Omit<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'], 'jwt'>
  ) {
    const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
    const consentState = await this.evaluateConsentRequirement(
      userIdArg,
      resolvedRequest.clientId,
      resolvedRequest.validScopes,
      resolvedRequest.prompt
    );
    if (consentState.consentRequired && !requestArg.consentApproved) {
      throw new Error('Consent required');
    }
    if (requestArg.consentApproved) {
      await this.upsertUserConsent(userIdArg, resolvedRequest.clientId, resolvedRequest.validScopes);
    }
    const code = await this.generateAuthorizationCode(
      resolvedRequest.clientId,
      userIdArg,
      resolvedRequest.validScopes,
      resolvedRequest.redirectUri,
      resolvedRequest.codeChallenge,
      resolvedRequest.nonce
    );
    const redirectUrl = new URL(resolvedRequest.redirectUri);
    redirectUrl.searchParams.set('code', code);
    redirectUrl.searchParams.set('state', resolvedRequest.state);
    return {
      code,
      redirectUrl: redirectUrl.toString(),
    };
  }
  /**
   * Handle the token endpoint request
   */
@@ -222,6 +343,13 @@ export class OidcManager {
      return this.tokenErrorResponse('invalid_client', 'Missing client_id');
    }
    await this.receptionRef.abuseProtectionManager.consumeAttempt(
      'oidcTokenExchange',
      clientId,
      this.abuseProtectionConfig.oidcTokenExchange,
      'Too many token endpoint attempts. Please wait before retrying.'
    );
    // Find and validate app
    const app = await this.findAppByClientId(clientId);
    if (!app) {
@@ -236,13 +364,20 @@ export class OidcManager {
      }
    }
    let response: Response;
    if (grantType === 'authorization_code') {
-      return this.handleAuthorizationCodeGrant(formData, app);
+      response = await this.handleAuthorizationCodeGrant(formData, app);
    } else if (grantType === 'refresh_token') {
-      return this.handleRefreshTokenGrant(formData, app);
+      response = await this.handleRefreshTokenGrant(formData, app);
    } else {
-      return this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
+      response = this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
    }
    if (response.status === 200) {
      await this.receptionRef.abuseProtectionManager.clearAttempts('oidcTokenExchange', clientId);
    }
    return response;
  }
  /**
@@ -261,50 +396,48 @@ export class OidcManager {
    }
    // Find and validate authorization code
-    const authCode = this.authorizationCodes.get(code);
+    const authCode = await this.getAuthorizationCodeByCode(code);
    if (!authCode) {
      return this.tokenErrorResponse('invalid_grant', 'Invalid authorization code');
    }
-    if (authCode.used) {
+    if (authCode.data.used) {
      // Code reuse attack - revoke all tokens for this code
      this.authorizationCodes.delete(code);
      return this.tokenErrorResponse('invalid_grant', 'Authorization code already used');
    }
-    if (authCode.expiresAt < Date.now()) {
+    if (authCode.isExpired()) {
-      this.authorizationCodes.delete(code);
+      await authCode.delete();
      return this.tokenErrorResponse('invalid_grant', 'Authorization code expired');
    }
-    if (authCode.clientId !== app.data.oauthCredentials.clientId) {
+    if (authCode.data.clientId !== app.data.oauthCredentials.clientId) {
      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
    }
-    if (authCode.redirectUri !== redirectUri) {
+    if (authCode.data.redirectUri !== redirectUri) {
      return this.tokenErrorResponse('invalid_grant', 'Redirect URI mismatch');
    }
    // Verify PKCE if code challenge was used
-    if (authCode.codeChallenge) {
+    if (authCode.data.codeChallenge) {
      if (!codeVerifier) {
        return this.tokenErrorResponse('invalid_grant', 'Code verifier required');
      }
      const expectedChallenge = this.generateS256Challenge(codeVerifier);
-      if (expectedChallenge !== authCode.codeChallenge) {
+      if (expectedChallenge !== authCode.data.codeChallenge) {
        return this.tokenErrorResponse('invalid_grant', 'Invalid code verifier');
      }
    }
    // Mark code as used
-    authCode.used = true;
+    await authCode.markUsed();
    // Generate tokens
    const tokens = await this.generateTokens(
-      authCode.userId,
+      authCode.data.userId,
      app.data.oauthCredentials.clientId,
-      authCode.scopes,
+      authCode.data.scopes,
-      authCode.nonce
+      authCode.data.nonce
    );
    return new Response(JSON.stringify(tokens), {
@@ -330,31 +463,30 @@ export class OidcManager {
      return this.tokenErrorResponse('invalid_request', 'Missing refresh_token');
    }
-    const tokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+    const storedToken = await this.getRefreshTokenByToken(refreshToken);
    const storedToken = this.refreshTokens.get(tokenHash);
    if (!storedToken) {
      return this.tokenErrorResponse('invalid_grant', 'Invalid refresh token');
    }
-    if (storedToken.revoked) {
+    if (storedToken.data.revoked) {
      return this.tokenErrorResponse('invalid_grant', 'Refresh token has been revoked');
    }
-    if (storedToken.expiresAt < Date.now()) {
+    if (storedToken.isExpired()) {
-      this.refreshTokens.delete(tokenHash);
+      await storedToken.delete();
      return this.tokenErrorResponse('invalid_grant', 'Refresh token expired');
    }
-    if (storedToken.clientId !== app.data.oauthCredentials.clientId) {
+    if (storedToken.data.clientId !== app.data.oauthCredentials.clientId) {
      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
    }
    // Generate new tokens (without new refresh token by default)
    const tokens = await this.generateTokens(
-      storedToken.userId,
+      storedToken.data.userId,
-      storedToken.clientId,
+      storedToken.data.clientId,
-      storedToken.scopes,
+      storedToken.data.scopes,
      undefined,
      false // Don't generate new refresh token
    );
@@ -384,18 +516,18 @@ export class OidcManager {
    const refreshTokenLifetime = 30 * 24 * 3600; // 30 days
    // Generate access token
-    const accessToken = plugins.smartunique.shortId(32);
+    const accessToken = this.createOpaqueToken();
-    const accessTokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const accessTokenData = new OidcAccessToken();
-    const accessTokenData: plugins.idpInterfaces.data.IOidcAccessToken = {
+    accessTokenData.id = plugins.smartunique.shortId(12);
-      id: plugins.smartunique.shortId(8),
+    accessTokenData.data = {
-      tokenHash: accessTokenHash,
+      tokenHash: OidcAccessToken.hashToken(accessToken),
      clientId,
      userId,
      scopes,
      expiresAt: now + accessTokenLifetime * 1000,
      issuedAt: now,
    };
-    this.accessTokens.set(accessTokenHash, accessTokenData);
+    await accessTokenData.save();
    // Generate ID token (JWT)
    const idToken = await this.generateIdToken(userId, clientId, scopes, nonce);
@@ -410,11 +542,11 @@ export class OidcManager {
    // Generate refresh token if requested
    if (includeRefreshToken) {
-      const refreshToken = plugins.smartunique.shortId(48);
+      const refreshToken = this.createOpaqueToken(48);
-      const refreshTokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+      const refreshTokenData = new OidcRefreshToken();
-      const refreshTokenData: plugins.idpInterfaces.data.IOidcRefreshToken = {
+      refreshTokenData.id = plugins.smartunique.shortId(12);
-        id: plugins.smartunique.shortId(8),
+      refreshTokenData.data = {
-        tokenHash: refreshTokenHash,
+        tokenHash: OidcRefreshToken.hashToken(refreshToken),
        clientId,
        userId,
        scopes,
@@ -422,7 +554,7 @@ export class OidcManager {
        issuedAt: now,
        revoked: false,
      };
-      this.refreshTokens.set(refreshTokenHash, refreshTokenData);
+      await refreshTokenData.save();
      response.refresh_token = refreshToken;
    }
@@ -482,8 +614,7 @@ export class OidcManager {
    }
    const accessToken = authHeader.substring(7);
-    const tokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const tokenData = await this.getAccessTokenByToken(accessToken);
    const tokenData = this.accessTokens.get(tokenHash);
    if (!tokenData) {
      return new Response(JSON.stringify({ error: 'invalid_token' }), {
@@ -495,8 +626,8 @@ export class OidcManager {
      });
    }
-    if (tokenData.expiresAt < Date.now()) {
+    if (tokenData.isExpired()) {
-      this.accessTokens.delete(tokenHash);
+      await tokenData.delete();
      return new Response(JSON.stringify({ error: 'invalid_token', error_description: 'Token expired' }), {
        status: 401,
        headers: {
@@ -507,7 +638,7 @@ export class OidcManager {
    }
    // Get user claims based on token scopes
-    const userInfo = await this.getUserClaims(tokenData.userId, tokenData.scopes);
+    const userInfo = await this.getUserClaims(tokenData.data.userId, tokenData.data.scopes);
    return new Response(JSON.stringify(userInfo), {
      status: 200,
@@ -583,21 +714,20 @@ export class OidcManager {
      return new Response(null, { status: 200 }); // Spec says always return 200
    }
    const tokenHash = await plugins.smarthash.sha256FromString(token);
    // Try to revoke as refresh token
    if (!tokenTypeHint || tokenTypeHint === 'refresh_token') {
-      const refreshToken = this.refreshTokens.get(tokenHash);
+      const refreshToken = await this.getRefreshTokenByToken(token);
      if (refreshToken) {
-        refreshToken.revoked = true;
+        await refreshToken.revoke();
        return new Response(null, { status: 200 });
      }
    }
    // Try to revoke as access token
    if (!tokenTypeHint || tokenTypeHint === 'access_token') {
-      if (this.accessTokens.has(tokenHash)) {
+      const accessToken = await this.getAccessTokenByToken(token);
-        this.accessTokens.delete(tokenHash);
+      if (accessToken) {
        await accessToken.delete();
        return new Response(null, { status: 200 });
      }
    }
@@ -616,6 +746,125 @@ export class OidcManager {
    return apps[0] || null;
  }
  private isSupportedPrompt(promptArg: string): promptArg is 'none' | 'login' | 'consent' {
    return ['none', 'login', 'consent'].includes(promptArg);
  }
  private async resolveAuthorizationRequest(
    requestArg: Pick<
      plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'],
      'clientId' | 'redirectUri' | 'scope' | 'state' | 'prompt' | 'codeChallenge' | 'codeChallengeMethod' | 'nonce'
    >
  ) {
    if (!requestArg.clientId || !requestArg.redirectUri || !requestArg.scope || !requestArg.state) {
      throw new Error('Missing required OAuth authorization parameters');
    }
    if (requestArg.prompt && !this.isSupportedPrompt(requestArg.prompt)) {
      throw new Error('Unsupported prompt value');
    }
    if (requestArg.codeChallenge && requestArg.codeChallengeMethod !== 'S256') {
      throw new Error('Only S256 code challenge method is supported');
    }
    const app = await this.findAppByClientId(requestArg.clientId);
    if (!app) {
      throw new Error('Unknown client_id');
    }
    if (!app.data.oauthCredentials.redirectUris.includes(requestArg.redirectUri)) {
      throw new Error('Invalid redirect_uri');
    }
    const requestedScopes = requestArg.scope
      .split(' ')
      .filter(Boolean) as plugins.idpInterfaces.data.TOidcScope[];
    const allowedScopes =
      app.data.oauthCredentials.allowedScopes as plugins.idpInterfaces.data.TOidcScope[];
    const validScopes = requestedScopes.filter((scopeArg) => allowedScopes.includes(scopeArg));
    if (!validScopes.includes('openid')) {
      throw new Error('openid scope is required');
    }
    return {
      app,
      clientId: requestArg.clientId,
      redirectUri: requestArg.redirectUri,
      state: requestArg.state,
      prompt: requestArg.prompt,
      codeChallenge: requestArg.codeChallenge,
      codeChallengeMethod: requestArg.codeChallengeMethod,
      nonce: requestArg.nonce,
      validScopes,
    };
  }
  private async evaluateConsentRequirement(
    userIdArg: string,
    clientIdArg: string,
    scopesArg: plugins.idpInterfaces.data.TOidcScope[],
    promptArg?: 'none' | 'login' | 'consent'
  ) {
    const existingConsent = await this.getUserConsent(userIdArg, clientIdArg);
    const grantedScopes = existingConsent?.data.scopes || [];
    const missingScopes = scopesArg.filter((scopeArg) => !grantedScopes.includes(scopeArg));
    return {
      grantedScopes,
      missingScopes,
      consentRequired: promptArg === 'consent' || missingScopes.length > 0,
    };
  }
  private createOpaqueToken(byteLength = 32): string {
    return plugins.crypto.randomBytes(byteLength).toString('base64url');
  }
  private async getAuthorizationCodeByCode(codeArg: string) {
    return this.COidcAuthorizationCode.getInstance({
      'data.codeHash': OidcAuthorizationCode.hashCode(codeArg),
    });
  }
  private async getAccessTokenByToken(tokenArg: string) {
    return this.COidcAccessToken.getInstance({
      'data.tokenHash': OidcAccessToken.hashToken(tokenArg),
    });
  }
  private async getRefreshTokenByToken(tokenArg: string) {
    return this.COidcRefreshToken.getInstance({
      'data.tokenHash': OidcRefreshToken.hashToken(tokenArg),
    });
  }
  public async getUserConsent(userIdArg: string, clientIdArg: string) {
    return this.COidcUserConsent.getInstance({
      'data.userId': userIdArg,
      'data.clientId': clientIdArg,
    });
  }
  public async upsertUserConsent(
    userIdArg: string,
    clientIdArg: string,
    scopesArg: plugins.idpInterfaces.data.TOidcScope[]
  ) {
    let userConsent = await this.getUserConsent(userIdArg, clientIdArg);
    if (!userConsent) {
      userConsent = new OidcUserConsent();
      userConsent.id = plugins.smartunique.shortId(12);
      userConsent.data.userId = userIdArg;
      userConsent.data.clientId = clientIdArg;
    }
    await userConsent.grantScopes(scopesArg);
    return userConsent;
  }
  /**
   * Generate S256 PKCE challenge from verifier
   */
@@ -655,29 +904,45 @@ export class OidcManager {
   * Start cleanup task for expired tokens/codes
   */
  private startCleanupTask(): void {
-    setInterval(() => {
+    this.cleanupInterval = setInterval(() => {
-      const now = Date.now();
+      void this.cleanupExpiredOidcState();
    }, 60 * 1000);
  }
-      // Clean up expired authorization codes
+  private async cleanupExpiredOidcState() {
-      for (const [code, data] of this.authorizationCodes) {
+    const now = Date.now();
        if (data.expiresAt < now) {
          this.authorizationCodes.delete(code);
        }
      }
-      // Clean up expired access tokens
+    const expiredAuthorizationCodes = await this.COidcAuthorizationCode.getInstances({
-      for (const [hash, data] of this.accessTokens) {
+      data: {
-        if (data.expiresAt < now) {
+        expiresAt: {
-          this.accessTokens.delete(hash);
+          $lt: now,
-        }
+        } as any,
-      }
+      },
    });
    for (const authCode of expiredAuthorizationCodes) {
      await authCode.delete();
    }
-      // Clean up expired refresh tokens
+    const expiredAccessTokens = await this.COidcAccessToken.getInstances({
-      for (const [hash, data] of this.refreshTokens) {
+      data: {
-        if (data.expiresAt < now) {
+        expiresAt: {
-          this.refreshTokens.delete(hash);
+          $lt: now,
-        }
+        } as any,
-      }
+      },
-    }, 60 * 1000); // Run every minute
+    });
    for (const accessToken of expiredAccessTokens) {
      await accessToken.delete();
    }
    const expiredRefreshTokens = await this.COidcRefreshToken.getInstances({
      data: {
        expiresAt: {
          $lt: now,
        } as any,
      },
    });
    for (const refreshToken of expiredRefreshTokens) {
      await refreshToken.delete();
    }
  }
 }
@@ -0,0 +1,40 @@
 import * as plugins from '../plugins.js';
 import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
 export class OidcRefreshToken extends plugins.smartdata.SmartDataDbDoc<
  OidcRefreshToken,
  plugins.idpInterfaces.data.IOidcRefreshToken,
  OidcManager
 > {
  public static hashToken(tokenArg: string) {
    return plugins.smarthash.sha256FromStringSync(tokenArg);
  }
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IOidcRefreshToken['data'] = {
    tokenHash: '',
    clientId: '',
    userId: '',
    scopes: [],
    expiresAt: 0,
    issuedAt: 0,
    revoked: false,
  };
  public isExpired() {
    return this.data.expiresAt < Date.now();
  }
  public matchesToken(tokenArg: string) {
    return this.data.tokenHash === OidcRefreshToken.hashToken(tokenArg);
  }
  public async revoke() {
    this.data.revoked = true;
    await this.save();
  }
 }
@@ -0,0 +1,30 @@
 import * as plugins from '../plugins.js';
 import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
 export class OidcUserConsent extends plugins.smartdata.SmartDataDbDoc<
  OidcUserConsent,
  plugins.idpInterfaces.data.IUserConsent,
  OidcManager
 > {
  @plugins.smartdata.unI()
  public id: string;
  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IUserConsent['data'] = {
    userId: '',
    clientId: '',
    scopes: [],
    grantedAt: 0,
    updatedAt: 0,
  };
  public async grantScopes(scopesArg: plugins.idpInterfaces.data.TOidcScope[]) {
    this.data.scopes = [...new Set([...this.data.scopes, ...scopesArg])];
    if (!this.data.grantedAt) {
      this.data.grantedAt = Date.now();
    }
    this.data.updatedAt = Date.now();
    await this.save();
  }
 }
@@ -17,6 +17,7 @@ import { AppConnectionManager } from './classes.appconnectionmanager.js';
 import { ActivityLogManager } from './classes.activitylogmanager.js';
 import { UserInvitationManager } from './classes.userinvitationmanager.js';
 import { OidcManager } from './classes.oidcmanager.js';
 import { AbuseProtectionManager } from './classes.abuseprotectionmanager.js';
 export interface IReceptionOptions {
  /**
@@ -48,6 +49,7 @@ export class Reception {
  public appConnectionManager = new AppConnectionManager(this);
  public activityLogManager = new ActivityLogManager(this);
  public userInvitationManager = new UserInvitationManager(this);
  public abuseProtectionManager = new AbuseProtectionManager(this);
  public oidcManager = new OidcManager(this);
  housekeeping = new ReceptionHousekeeping(this);
@@ -78,6 +80,7 @@ export class Reception {
   */
  public async stop() {
    await this.housekeeping.stop();
    await this.oidcManager.stop();
    console.log('stopped serviceserver!');
    await this.db.stop();
  }
@@ -5,191 +5,187 @@ import { logger } from './logging.js';
 import { User } from './classes.user.js';
 /**
- * a RegistrationSession is a in memory session for signing up
+ * a RegistrationSession persists a sign up flow across restarts
 */
-export class RegistrationSession {
+@plugins.smartdata.Manager()
-  // ======
+export class RegistrationSession extends plugins.smartdata.SmartDataDbDoc<
-  // STATIC
+  RegistrationSession,
-  // ======
+  plugins.idpInterfaces.data.IRegistrationSession,
  RegistrationSessionManager
 > {
  public static hashToken(tokenArg: string) {
    return plugins.smarthash.sha256FromStringSync(tokenArg);
  }
  public static async createRegistrationSessionForEmail(
    registrationSessionManageremailArg: RegistrationSessionManager,
    emailArg: string
  ) {
-    const newRegistrationSession = new RegistrationSession(
+    const newRegistrationSession = new RegistrationSession();
-      registrationSessionManageremailArg,
+    newRegistrationSession.id = plugins.smartunique.shortId();
-      emailArg
+    newRegistrationSession.data.emailAddress = emailArg;
-    );
+    newRegistrationSession.data.validUntil =
-    const emailValidationResult = await newRegistrationSession
+      Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 });
-      .validateEMailAddress()
+    newRegistrationSession.data.createdAt = Date.now();
-      .catch((error) => {
+
-        throw new plugins.typedrequest.TypedResponseError(
+    const emailValidationResult = await newRegistrationSession.validateEMailAddress().catch(() => {
-          'Error occured during email provider & dns validation'
+      throw new plugins.typedrequest.TypedResponseError(
-        );
+        'Error occured during email provider & dns validation'
-      });
+      );
    });
    if (!emailValidationResult?.valid) {
      newRegistrationSession.destroy();
      throw new plugins.typedrequest.TypedResponseError(
        'Email Address is not valid. Please use a correctly formated email address'
      );
    }
    if (emailValidationResult.disposable) {
      newRegistrationSession.destroy();
      throw new plugins.typedrequest.TypedResponseError(
        'Email is disposable. Please use a non disposable email address.'
      );
    }
-    console.log(
+
-      `${newRegistrationSession.emailAddress} is valid. Continuing registration process!`
+    const validationToken = await newRegistrationSession.sendTokenValidationEmail();
-    );
+    newRegistrationSession.unhashedEmailToken = validationToken;
    await newRegistrationSession.sendTokenValidationEmail();
    console.log(`Successfully sent email validation email`);
    return newRegistrationSession;
  }
-  // ========
+  @plugins.smartdata.unI()
-  // INSTANCE
+  public id: string;
  // ========
  public registrationSessionManagerRef: RegistrationSessionManager;
-  public emailAddress: string;
+  @plugins.smartdata.svDb()
  public data: plugins.idpInterfaces.data.IRegistrationSession['data'] = {
    emailAddress: '',
    hashedEmailToken: '',
    smsCodeHash: null,
    smsvalidationCounter: 0,
    status: 'announced',
    validUntil: 0,
    createdAt: 0,
    collectedData: {
      userData: {
        username: null,
        connectedOrgs: [],
        email: null,
        name: null,
        status: null,
        mobileNumber: null,
        password: null,
        passwordHash: null,
      },
    },
  };
  /**
   * only used during testing
   */
  public unhashedEmailToken?: string;
  public hashedEmailToken: string;
  private smsvalidationCounter = 0;
  public smsCode: string;
-  /**
+  public get emailAddress() {
-   * the status of the registration. should progress in a linear fashion.
+    return this.data.emailAddress;
-   */
+  }
  public status: 'announced' | 'emailValidated' | 'mobileVerified' | 'registered' | 'failed' =
    'announced';
-  public collectedData: {
+  public get status() {
-    userData: plugins.idpInterfaces.data.IUser['data'];
+    return this.data.status;
-  } = {
+  }
    userData: {
      username: null,
      connectedOrgs: [],
      email: null,
      name: null,
      status: null,
      mobileNumber: null,
      password: null,
      passwordHash: null,
    },
  };
-  constructor(
+  public set status(statusArg: plugins.idpInterfaces.data.TRegistrationSessionStatus) {
-    registrationSessionManagerRefArg: RegistrationSessionManager,
+    this.data.status = statusArg;
-    emailAddressArg: string
+  }
  ) {
    this.registrationSessionManagerRef = registrationSessionManagerRefArg;
    this.emailAddress = emailAddressArg;
    this.registrationSessionManagerRef.registrationSessions.addToMap(this.emailAddress, this);
-    // lets destroy this after 10 minutes,
+  public get collectedData() {
-    // works in unrefed mode so not blocking node exiting.
+    return this.data.collectedData;
-    plugins.smartdelay.delayFor(600000, null, true).then(() => this.destroy());
+  }
  public isExpired() {
    return this.data.validUntil < Date.now();
  }
  /**
   * validates a token by comparing its hash against the stored hashed token
   * @param tokenArg
   */
-  public validateEmailToken(tokenArg: string): boolean {
+  public async validateEmailToken(tokenArg: string): Promise<boolean> {
-    const result = this.hashedEmailToken === plugins.smarthash.sha256FromStringSync(tokenArg);
+    if (this.isExpired()) {
-    if (result && this.status === 'announced') {
+      await this.destroy();
-      this.status = 'emailValidated';
+      return false;
      this.collectedData.userData.email = this.emailAddress;
    }
-    if (!result && this.status === 'announced') {
+
-      this.status = 'failed';
+    const result = this.data.hashedEmailToken === RegistrationSession.hashToken(tokenArg);
    if (result && this.data.status === 'announced') {
      this.data.status = 'emailValidated';
      this.data.collectedData.userData.email = this.data.emailAddress;
      await this.save();
    }
    if (!result && this.data.status === 'announced') {
      this.data.status = 'failed';
      await this.save();
    }
    return result;
  }
  /** validates the sms code */
-  public validateSmsCode(smsCodeArg: string) {
+  public async validateSmsCode(smsCodeArg: string) {
-    this.smsvalidationCounter++;
+    this.data.smsvalidationCounter++;
-    const result = this.smsCode === smsCodeArg;
+    const result = this.data.smsCodeHash === RegistrationSession.hashToken(smsCodeArg);
-    if (this.status === 'emailValidated' && result) {
+    if (this.data.status === 'emailValidated' && result) {
-      this.status = 'mobileVerified';
+      this.data.status = 'mobileVerified';
      await this.save();
      return result;
    } else {
      if (this.smsvalidationCounter === 5) {
        this.destroy();
        throw new plugins.typedrequest.TypedResponseError(
          'Registration cancelled due to repeated wrong verification code submission'
        );
      }
      return false;
    }
    if (this.data.smsvalidationCounter >= 5) {
      await this.destroy();
      throw new plugins.typedrequest.TypedResponseError(
        'Registration cancelled due to repeated wrong verification code submission'
      );
    }
    await this.save();
    return false;
  }
  /**
   * validate the email address with provider and dns sanity checks
   * @returns
   */
  public async validateEMailAddress(): Promise<plugins.smartmail.IEmailValidationResult> {
-    console.log(`validating email ${this.emailAddress}`);
+    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.data.emailAddress);
    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.emailAddress);
    return result;
  }
  /**
   * send the validation email
   */
  public async sendTokenValidationEmail() {
    const uuidToSend = plugins.smartunique.uuid4();
-    this.unhashedEmailToken = uuidToSend;
+    this.data.hashedEmailToken = RegistrationSession.hashToken(uuidToSend);
-    this.hashedEmailToken = plugins.smarthash.sha256FromStringSync(uuidToSend);
+    await this.save();
-    this.registrationSessionManagerRef.receptionRef.receptionMailer.sendRegistrationEmail(
+    this.manager.receptionRef.receptionMailer.sendRegistrationEmail(this, uuidToSend);
-      this,
+    logger.log('info', `sent a validation email with a verification code to ${this.data.emailAddress}`);
-      uuidToSend
+    return uuidToSend;
    );
    logger.log('info', `sent a validation email with a verification code to ${this.emailAddress}`);
  }
  /**
   * validate the mobile number of someone
   */
  public async sendValidationSms() {
-    this.smsCode =
+    const smsCode =
-      await this.registrationSessionManagerRef.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation(
+      await this.manager.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation({
-        {
+        fromName: this.manager.receptionRef.options.name,
-          fromName: this.registrationSessionManagerRef.receptionRef.options.name,
+        toNumber: parseInt(this.data.collectedData.userData.mobileNumber),
-          toNumber: parseInt(this.collectedData.userData.mobileNumber),
+      });
-        }
+    this.data.smsCodeHash = RegistrationSession.hashToken(smsCode);
-      );
+    await this.save();
    return smsCode;
  }
  /**
   * this method can be called when this registrationsession is validated
   * and all data has been set
   */
  public async manifestUserWithAccountData(): Promise<User> {
-    if (this.status !== 'mobileVerified') {
+    if (this.data.status !== 'mobileVerified') {
      throw new plugins.typedrequest.TypedResponseError(
        'You can only manifest user that have a validated email Address and Mobile Number'
      );
    }
-    if (!this.collectedData) {
+    if (!this.data.collectedData) {
      throw new Error('You have to set the accountdata first');
    }
-    const manifestedUser =
+    const manifestedUser = await this.manager.receptionRef.userManager.CUser.createNewUserForUserData(
-      await this.registrationSessionManagerRef.receptionRef.userManager.CUser.createNewUserForUserData(
+      this.data.collectedData.userData as plugins.idpInterfaces.data.IUser['data']
-        this.collectedData.userData
+    );
-      );
+    this.data.status = 'registered';
    await this.save();
    return manifestedUser;
  }
-  /**
+  public async destroy() {
-   * destroys the registrationsession
+    await this.delete();
   */
  public destroy() {
    this.registrationSessionManagerRef.registrationSessions.removeFromMap(this.emailAddress);
  }
 }
@@ -5,10 +5,14 @@ import { logger } from './logging.js';
 export class RegistrationSessionManager {
  public receptionRef: Reception;
  public registrationSessions = new plugins.lik.FastMap<RegistrationSession>();
  public typedRouter = new plugins.typedrequest.TypedRouter();
  public get db() {
    return this.receptionRef.db.smartdataDb;
  }
  public CRegistrationSession = plugins.smartdata.setDefaultManagerForDoc(this, RegistrationSession);
  constructor(receptionRefArg: Reception) {
    this.receptionRef = receptionRefArg;
    this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -29,17 +33,16 @@ export class RegistrationSessionManager {
              `We sent you an Email with more information.`
            );
          }
-          // check for exiting SignupSession
+
-          const existingSession = this.registrationSessions.getByKey(requestData.email);
+          const existingSessions = await this.CRegistrationSession.getInstances({
-          if (existingSession) {
+            'data.emailAddress': requestData.email,
          });
          for (const existingSession of existingSessions) {
            logger.log('warn', `destroyed old signupSession for ${requestData.email}`);
-            existingSession.destroy();
+            await existingSession.destroy();
          }
          // lets check the email before we create a signup session
          const newSignupSession = await RegistrationSession.createRegistrationSessionForEmail(
            this,
            requestData.email
          ).catch((e: plugins.typedrequest.TypedResponseError) => {
            console.log(e.errorText);
@@ -63,10 +66,7 @@ export class RegistrationSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AfterRegistrationEmailClicked>(
        'afterRegistrationEmailClicked',
        async (requestData) => {
-          console.log(requestData);
+          const signupSession = await this.findRegistrationSessionByToken(requestData.token);
          const signupSession = await this.registrationSessions.find(async (itemArg) =>
            itemArg.validateEmailToken(requestData.token)
          );
          if (signupSession) {
            return {
              email: signupSession.emailAddress,
@@ -86,9 +86,7 @@ export class RegistrationSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetDataForRegistration>(
        'setDataForRegistration',
        async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
            itemArg.validateEmailToken(requestData.token)
          );
          if (!registrationSession) {
            throw new plugins.typedrequest.TypedResponseError(
              'could not find a matching signupsession'
@@ -114,9 +112,7 @@ export class RegistrationSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MobileVerificationForRegistration>(
        'mobileVerificationForRegistration',
        async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
            itemArg.validateEmailToken(requestData.token)
          );
          if (!registrationSession) {
            throw new plugins.typedrequest.TypedResponseError(
              'could not find a matching signupsession'
@@ -131,17 +127,16 @@ export class RegistrationSessionManager {
          }
          if (requestData.mobileNumber) {
            registrationSession.status = 'emailValidated';
            registrationSession.collectedData.userData.mobileNumber = requestData.mobileNumber;
-            await registrationSession.sendValidationSms();
+            const smsCode = await registrationSession.sendValidationSms();
            return {
              messageSent: true,
-              testOnlySmsCode: process.env.TEST_MODE ? registrationSession.smsCode : null,
+              testOnlySmsCode: process.env.TEST_MODE ? smsCode : null,
            };
          }
          if (requestData.verificationCode) {
-            const validationResult = registrationSession.validateSmsCode(
+            const validationResult = await registrationSession.validateSmsCode(
              requestData.verificationCode
            );
            return {
@@ -160,9 +155,7 @@ export class RegistrationSessionManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_FinishRegistration>(
        'finishRegistration',
        async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
            itemArg.validateEmailToken(requestData.token)
          );
          if (!registrationSession) {
            throw new plugins.typedrequest.TypedResponseError(
              'could not find a matching signupsession'
@@ -170,7 +163,7 @@ export class RegistrationSessionManager {
          }
          const resultingUser = await registrationSession.manifestUserWithAccountData();
-          registrationSession.destroy();
+          await registrationSession.destroy();
          this.receptionRef.receptionMailer.sendWelcomeEMail(resultingUser);
          return {
            accountData: {
@@ -187,4 +180,17 @@ export class RegistrationSessionManager {
      )
    );
  }
  public async findRegistrationSessionByToken(tokenArg: string) {
    const registrationSession = await this.CRegistrationSession.getInstance({
      'data.hashedEmailToken': RegistrationSession.hashToken(tokenArg),
    });
    if (!registrationSession) {
      return null;
    }
    const isValid = await registrationSession.validateEmailToken(tokenArg);
    return isValid ? registrationSession : null;
  }
 }
@@ -76,6 +76,18 @@ export class IdpRequests {
    );
  }
  public get completeOidcAuthorization() {
    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization>(
      'completeOidcAuthorization'
    );
  }
  public get prepareOidcAuthorization() {
    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization>(
      'prepareOidcAuthorization'
    );
  }
  public get resetPassword() {
    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ResetPassword>(
      'resetPassword'
@@ -0,0 +1,13 @@
 export interface IAbuseWindow {
  id: string;
  data: {
    action: string;
    identifierHash: string;
    attemptCount: number;
    windowStartedAt: number;
    blockedUntil: number;
    validUntil: number;
    createdAt: number;
    updatedAt: number;
  };
 }
@@ -1,4 +1,4 @@
-import type { TAppType } from './loint-reception.app.js';
+import type { TAppType } from './app.js';
 export type TAppConnectionStatus = 'active' | 'disconnected';
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export type TSupportedCurrency = 'EUR';
@@ -1,3 +1,3 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export interface IDevice extends plugins.tsclass.network.IDevice {}
@@ -0,0 +1,12 @@
 export type TEmailActionTokenAction = 'emailLogin' | 'passwordReset';
 export interface IEmailActionToken {
  id: string;
  data: {
    email: string;
    action: TEmailActionTokenAction;
    tokenHash: string;
    validUntil: number;
    createdAt: number;
  };
 }
@@ -1,13 +1,16 @@
-export * from './loint-reception.activity.js';
+export * from './abusewindow.js';
-export * from './loint-reception.app.js';
+export * from './activity.js';
-export * from './loint-reception.oidc.js';
+export * from './app.js';
-export * from './loint-reception.appconnection.js';
+export * from './emailactiontoken.js';
-export * from './loint-reception.billingplan.js';
+export * from './oidc.js';
-export * from './loint-reception.device.js';
+export * from './appconnection.js';
-export * from './loint-reception.jwt.js';
+export * from './billingplan.js';
-export * from './loint-reception.loginsession.js';
+export * from './device.js';
-export * from './loint-reception.organization.js';
+export * from './jwt.js';
-export * from './loint-reception.paddlecheckoutdata.js';
+export * from './loginsession.js';
-export * from './loint-reception.role.js';
+export * from './organization.js';
-export * from './loint-reception.user.js';
+export * from './paddlecheckoutdata.js';
-export * from './loint-reception.userinvitation.js';
+export * from './registrationsession.js';
 export * from './role.js';
 export * from './user.js';
 export * from './userinvitation.js';
@@ -1,13 +0,0 @@
 import * as plugins from '../loint-reception.plugins.js';
 import { type IBillingPlan } from './loint-reception.billingplan.js';
 import { type IRole } from './loint-reception.role.js';
 export interface IOrganization {
  id: string;
  data: {
    name: string;
    slug: string;
    billingPlanId: string;
    roleIds: string[];
  };
 }
@@ -11,86 +11,94 @@ export type TOidcScope = 'openid' | 'profile' | 'email' | 'organizations' | 'rol
 * Authorization code for OAuth 2.0 authorization code flow
 */
 export interface IAuthorizationCode {
-  /** The authorization code string */
+  id: string;
-  code: string;
+  data: {
-  /** OAuth client ID */
+    /** Hashed authorization code string */
-  clientId: string;
+    codeHash: string;
-  /** User ID who authorized */
+    /** OAuth client ID */
-  userId: string;
+    clientId: string;
-  /** Scopes granted */
+    /** User ID who authorized */
-  scopes: TOidcScope[];
+    userId: string;
-  /** Redirect URI used in authorization request */
+    /** Scopes granted */
-  redirectUri: string;
+    scopes: TOidcScope[];
-  /** PKCE code challenge (S256 hashed) */
+    /** Redirect URI used in authorization request */
-  codeChallenge?: string;
+    redirectUri: string;
-  /** PKCE code challenge method */
+    /** PKCE code challenge (S256 hashed) */
-  codeChallengeMethod?: 'S256';
+    codeChallenge?: string;
-  /** Nonce from authorization request (for ID token) */
+    /** PKCE code challenge method */
-  nonce?: string;
+    codeChallengeMethod?: 'S256';
-  /** Expiration timestamp (10 minutes from creation) */
+    /** Nonce from authorization request (for ID token) */
-  expiresAt: number;
+    nonce?: string;
-  /** Whether the code has been used (single-use) */
+    /** Expiration timestamp (10 minutes from creation) */
-  used: boolean;
+    expiresAt: number;
    /** Creation timestamp */
    issuedAt: number;
    /** Whether the code has been used (single-use) */
    used: boolean;
  };
 }
 /**
 * OIDC Access Token (opaque or JWT)
 */
 export interface IOidcAccessToken {
  /** Token identifier */
  id: string;
-  /** The access token string (or hash for storage) */
+  data: {
-  tokenHash: string;
+    /** The access token string hash for storage */
-  /** OAuth client ID */
+    tokenHash: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** User ID */
+    clientId: string;
-  userId: string;
+    /** User ID */
-  /** Granted scopes */
+    userId: string;
-  scopes: TOidcScope[];
+    /** Granted scopes */
-  /** Expiration timestamp */
+    scopes: TOidcScope[];
-  expiresAt: number;
+    /** Expiration timestamp */
-  /** Creation timestamp */
+    expiresAt: number;
-  issuedAt: number;
+    /** Creation timestamp */
    issuedAt: number;
  };
 }
 /**
 * OIDC Refresh Token
 */
 export interface IOidcRefreshToken {
  /** Token identifier */
  id: string;
-  /** The refresh token string (or hash for storage) */
+  data: {
-  tokenHash: string;
+    /** The refresh token string hash for storage */
-  /** OAuth client ID */
+    tokenHash: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** User ID */
+    clientId: string;
-  userId: string;
+    /** User ID */
-  /** Granted scopes */
+    userId: string;
-  scopes: TOidcScope[];
+    /** Granted scopes */
-  /** Expiration timestamp */
+    scopes: TOidcScope[];
-  expiresAt: number;
+    /** Expiration timestamp */
-  /** Creation timestamp */
+    expiresAt: number;
-  issuedAt: number;
+    /** Creation timestamp */
-  /** Whether the token has been revoked */
+    issuedAt: number;
-  revoked: boolean;
+    /** Whether the token has been revoked */
    revoked: boolean;
  };
 }
 /**
 * User consent record for an OAuth client
 */
 export interface IUserConsent {
  /** Unique identifier */
  id: string;
-  /** User who gave consent */
+  data: {
-  userId: string;
+    /** User who gave consent */
-  /** OAuth client ID */
+    userId: string;
-  clientId: string;
+    /** OAuth client ID */
-  /** Scopes the user consented to */
+    clientId: string;
-  scopes: TOidcScope[];
+    /** Scopes the user consented to */
-  /** When consent was granted */
+    scopes: TOidcScope[];
-  grantedAt: number;
+    /** When consent was granted */
-  /** When consent was last updated */
+    grantedAt: number;
-  updatedAt: number;
+    /** When consent was last updated */
    updatedAt: number;
  };
 }
 /**
@@ -0,0 +1,13 @@
 import * as plugins from '../plugins.js';
 import { type IBillingPlan } from './billingplan.js';
 import { type IRole } from './role.js';
 export interface IOrganization {
  id: string;
  data: {
    name: string;
    slug: string;
    billingPlanId: string;
    roleIds: string[];
  };
 }
@@ -1,5 +1,5 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
-import { type IRole } from './loint-reception.role.js';
+import { type IRole } from './role.js';
 export interface ISubOrgProperty {
  name: string;
@@ -0,0 +1,31 @@
 export type TRegistrationSessionStatus =
  | 'announced'
  | 'emailValidated'
  | 'mobileVerified'
  | 'registered'
  | 'failed';
 export interface IRegistrationSession {
  id: string;
  data: {
    emailAddress: string;
    hashedEmailToken: string;
    smsCodeHash?: string | null;
    smsvalidationCounter: number;
    status: TRegistrationSessionStatus;
    validUntil: number;
    createdAt: number;
    collectedData: {
      userData: {
        username?: string | null;
        connectedOrgs: string[];
        email?: string | null;
        name?: string | null;
        status?: 'new' | 'active' | 'deleted' | 'suspended' | null;
        mobileNumber?: string | null;
        password?: string | null;
        passwordHash?: string | null;
      };
    };
  };
 }
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 /** Standard role types available in all organizations */
 export type TStandardRole = 'owner' | 'admin' | 'editor' | 'guest' | 'viewer' | 'outlaw';
@@ -1,5 +1,5 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
-import { type IRole } from './loint-reception.role.js';
+import { type IRole } from './role.js';
 export interface IUser {
  id: string;
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 /**
 * A UserInvitation represents an invitation to join an organization.
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 import * as data from '../data/index.js';
 /**
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 // Get all global apps
 export interface IReq_GetGlobalApps
@@ -0,0 +1,72 @@
 import * as plugins from '../plugins.js';
 import { type IUser, type IRole } from '../data/index.js';
 import { type TOidcScope } from '../data/index.js';
 export interface IReq_InternalAuthorization
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
    IReq_InternalAuthorization
  > {
  method: '';
  request: {
    accountData: IUser;
    jwt: string;
  };
  response: {
    accountData: IUser;
    jwt: string;
    relevantRoles: IRole[];
  };
 }
 export interface IReq_CompleteOidcAuthorization
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
    IReq_CompleteOidcAuthorization
  > {
  method: 'completeOidcAuthorization';
  request: {
    jwt: string;
    clientId: string;
    redirectUri: string;
    scope: string;
    state: string;
    prompt?: 'none' | 'login' | 'consent';
    codeChallenge?: string;
    codeChallengeMethod?: 'S256';
    nonce?: string;
    consentApproved?: boolean;
  };
  response: {
    code: string;
    redirectUrl: string;
  };
 }
 export interface IReq_PrepareOidcAuthorization
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
    IReq_PrepareOidcAuthorization
  > {
  method: 'prepareOidcAuthorization';
  request: {
    jwt: string;
    clientId: string;
    redirectUri: string;
    scope: string;
    state: string;
    prompt?: 'none' | 'login' | 'consent';
    codeChallenge?: string;
    codeChallengeMethod?: 'S256';
    nonce?: string;
  };
  response: {
    status: 'ready' | 'consent_required';
    clientId: string;
    appName: string;
    appUrl: string;
    logoUrl?: string;
    requestedScopes: TOidcScope[];
    grantedScopes: TOidcScope[];
  };
 }
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 import * as data from '../data/index.js';
 export interface IReq_UpdatePaymentMethod
@@ -1,12 +1,12 @@
-export * from './loint-reception.admin.js';
+export * from './admin.js';
-export * from './loint-reception.apitoken.js';
+export * from './apitoken.js';
-export * from './loint-reception.app.js';
+export * from './app.js';
-export * from './loint-reception.authorization.js';
+export * from './authorization.js';
-export * from './loint-reception.billingplan.js';
+export * from './billingplan.js';
-export * from './loint-reception.jwt.js';
+export * from './jwt.js';
-export * from './loint-reception.login.js';
+export * from './login.js';
-export * from './loint-reception.organization.js';
+export * from './organization.js';
-export * from './loint-reception.plan.js';
+export * from './plan.js';
-export * from './loint-reception.registration.js';
+export * from './registration.js';
-export * from './loint-reception.user.js';
+export * from './user.js';
-export * from './loint-reception.userinvitation.js';
+export * from './userinvitation.js';
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 /**
 * Request to get the public key for JWT validation.
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 import * as data from '../data/index.js';
 export interface IReq_LoginWithEmailOrUsernameAndPassword
@@ -1,19 +0,0 @@
 import * as plugins from '../loint-reception.plugins.js';
 import { type IUser, type IRole } from '../data/index.js';
 export interface IReq_InternalAuthorization
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
    IReq_InternalAuthorization
  > {
  method: '';
  request: {
    accountData: IUser;
    jwt: string;
  };
  response: {
    accountData: IUser;
    jwt: string;
    relevantRoles: IRole[];
  };
 }
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export interface IReq_GetOrganizationById
  extends plugins.typedRequestInterfaces.implementsTR<
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export interface IReq_GetPlansForOrganizationId
  extends plugins.typedRequestInterfaces.implementsTR<
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 import { type IUser } from '../data/index.js';
 export interface IReq_FirstRegistration
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export interface IReq_GetUserData
  extends plugins.typedRequestInterfaces.implementsTR<
@@ -1,5 +1,5 @@
 import * as data from '../data/index.js';
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 /**
 * Create an invitation to join an organization
@@ -1,4 +1,4 @@
-import * as plugins from '../loint-reception.plugins.js';
+import * as plugins from '../plugins.js';
 export interface ITag_LolePubapi
  extends plugins.typedRequestInterfaces.implementsTag<
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@idp.global/idp.global',
-  version: '1.17.1',
+  version: '1.20.0',
  description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }
@@ -12,7 +12,6 @@ import {
  domtools,
 } from '@design.estate/dees-element';
 // third party catalogs
 import '@uptime.link/webwidget';
 import '@design.estate/dees-catalog';
@@ -29,6 +28,12 @@ declare global {
 export class IdpLoginPrompt extends DeesElement {
  public static demo = () => html`<idp-loginprompt></idp-loginprompt>`;
  @state()
  accessor oidcConsentState: plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['response'] | null = null;
  @state()
  accessor oidcConsentError = '';
  @property()
  accessor productOfInterest: string;
@@ -48,6 +53,155 @@ export class IdpLoginPrompt extends DeesElement {
    domtools.elementBasic.setup();
  }
  private getOidcAuthorizationContext(): Omit<
    plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'],
    'jwt'
  > | null {
    const currentUrl = plugins.smarturl.Smarturl.createFromUrl(window.location.href);
    if (currentUrl.searchParams.oauth !== 'true') {
      return null;
    }
    const clientId = currentUrl.searchParams.client_id;
    const redirectUri = currentUrl.searchParams.redirect_uri;
    const scope = currentUrl.searchParams.scope;
    const state = currentUrl.searchParams.state;
    if (!clientId || !redirectUri || !scope || !state) {
      return null;
    }
    const prompt = ['none', 'login', 'consent'].includes(currentUrl.searchParams.prompt)
      ? (currentUrl.searchParams.prompt as 'none' | 'login' | 'consent')
      : undefined;
    return {
      clientId,
      redirectUri,
      scope,
      state,
      prompt,
      codeChallenge: currentUrl.searchParams.code_challenge || undefined,
      codeChallengeMethod:
        currentUrl.searchParams.code_challenge_method === 'S256' ? 'S256' : undefined,
      nonce: currentUrl.searchParams.nonce || undefined,
    };
  }
  private redirectOidcError(errorArg: string, descriptionArg?: string) {
    const oidcContext = this.getOidcAuthorizationContext();
    if (!oidcContext) {
      return false;
    }
    const redirectUrl = new URL(oidcContext.redirectUri);
    redirectUrl.searchParams.set('error', errorArg);
    redirectUrl.searchParams.set('state', oidcContext.state);
    if (descriptionArg) {
      redirectUrl.searchParams.set('error_description', descriptionArg);
    }
    window.location.href = redirectUrl.toString();
    return true;
  }
  private getOidcScopeDescription(scopeArg: plugins.idpInterfaces.data.TOidcScope) {
    const scopeMap: Record<plugins.idpInterfaces.data.TOidcScope, string> = {
      openid: 'Confirm your identity with this app.',
      profile: 'Share your display name and username.',
      email: 'Share your email address.',
      organizations: 'Share your organizations and their roles.',
      roles: 'Share your platform roles.',
    };
    return scopeMap[scopeArg];
  }
  private getOidcAppHost(appUrlArg: string) {
    try {
      return new URL(appUrlArg).hostname;
    } catch {
      return appUrlArg;
    }
  }
  private async prepareOidcAuthorization(jwtArg: string) {
    const oidcContext = this.getOidcAuthorizationContext();
    if (!oidcContext) {
      return null;
    }
    const idpState = await IdpState.getSingletonInstance();
    return idpState.idpClient.requests.prepareOidcAuthorization
      .fire({
        jwt: jwtArg,
        ...oidcContext,
      })
      .catch(() => null);
  }
  private async handleOidcAfterLogin(jwtArg: string) {
    const oidcContext = this.getOidcAuthorizationContext();
    if (!oidcContext) {
      return false;
    }
    const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm | null;
    loginForm?.setStatus('pending', 'preparing application authorization...');
    this.oidcConsentError = '';
    const preparation = await this.prepareOidcAuthorization(jwtArg);
    if (!preparation) {
      loginForm?.setStatus('error', 'could not prepare the application authorization');
      return true;
    }
    if (preparation.status === 'consent_required') {
      if (oidcContext.prompt === 'none') {
        this.redirectOidcError('consent_required');
        return true;
      }
      this.oidcConsentState = preparation;
      return true;
    }
    await this.completeOidcAuthorization(jwtArg);
    return true;
  }
  private async completeOidcAuthorization(jwtArg: string, consentApproved = false) {
    const oidcContext = this.getOidcAuthorizationContext();
    if (!oidcContext) {
      return false;
    }
    const idpState = await IdpState.getSingletonInstance();
    const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm | null;
    loginForm?.setStatus('pending', 'authorizing application...');
    this.oidcConsentError = '';
    const response = await idpState.idpClient.requests.completeOidcAuthorization
      .fire({
        jwt: jwtArg,
        ...oidcContext,
        consentApproved,
      })
      .catch(() => null);
    if (!response?.redirectUrl) {
      if (this.oidcConsentState) {
        this.oidcConsentError = 'Could not authorize the application.';
      } else {
        loginForm?.setStatus('error', 'could not authorize the application');
      }
      return false;
    }
    window.location.href = response.redirectUrl;
    return true;
  }
  public static styles = [
    cssManager.defaultStyles,
    css`
@@ -103,10 +257,147 @@ export class IdpLoginPrompt extends DeesElement {
      .form-footer a:hover {
        opacity: 0.8;
      }
      .consent-card {
        display: flex;
        flex-direction: column;
        gap: 16px;
        padding: 24px;
        border: 1px solid rgba(255, 255, 255, 0.08);
        border-radius: 18px;
        background: rgba(255, 255, 255, 0.04);
      }
      .consent-appname {
        font-size: 20px;
        font-weight: 600;
      }
      .consent-appurl {
        color: var(--muted-foreground);
        font-size: 14px;
        word-break: break-word;
      }
      .consent-scopes {
        display: flex;
        flex-direction: column;
        gap: 12px;
      }
      .consent-scope {
        padding: 14px 16px;
        border-radius: 14px;
        background: rgba(255, 255, 255, 0.03);
      }
      .consent-scope-header {
        display: flex;
        justify-content: space-between;
        gap: 12px;
        font-weight: 600;
        text-transform: uppercase;
        letter-spacing: 0.04em;
        font-size: 12px;
      }
      .consent-scope-tag {
        color: #9cd67c;
      }
      .consent-scope-description {
        margin-top: 6px;
        color: var(--muted-foreground);
        font-size: 14px;
        line-height: 1.5;
      }
      .consent-actions {
        display: flex;
        justify-content: flex-end;
        gap: 12px;
      }
      .consent-button {
        border: none;
        border-radius: 999px;
        padding: 12px 18px;
        font: inherit;
        cursor: pointer;
      }
      .consent-button-secondary {
        background: rgba(255, 255, 255, 0.08);
        color: var(--foreground);
      }
      .consent-button-primary {
        background: linear-gradient(135deg, #9b7bff, #5fd1ff);
        color: #0a0a0a;
        font-weight: 600;
      }
      .consent-error {
        color: #ff9a9a;
        font-size: 14px;
      }
    `,
  ];
  public render(): TemplateResult {
    if (this.oidcConsentState) {
      return html`
        <idp-centercontainer>
          <div class="form-header">
            <h2>Continue to ${this.oidcConsentState.appName}</h2>
            <p>Review and approve the access this app is requesting.</p>
          </div>
          <div class="consent-card">
            <div class="consent-appname">${this.oidcConsentState.appName}</div>
            <div class="consent-appurl">${this.getOidcAppHost(this.oidcConsentState.appUrl)}</div>
            <div class="consent-scopes">
              ${this.oidcConsentState.requestedScopes.map((scopeArg) => html`
                <div class="consent-scope">
                  <div class="consent-scope-header">
                    <span>${scopeArg}</span>
                    ${this.oidcConsentState.grantedScopes.includes(scopeArg)
                      ? html`<span class="consent-scope-tag">Previously allowed</span>`
                      : null}
                  </div>
                  <div class="consent-scope-description">${this.getOidcScopeDescription(scopeArg)}</div>
                </div>
              `)}
            </div>
            ${this.oidcConsentError ? html`<div class="consent-error">${this.oidcConsentError}</div>` : null}
            <div class="consent-actions">
              <button
                class="consent-button consent-button-secondary"
                @click=${() => {
                  this.redirectOidcError('access_denied');
                }}
              >
                Cancel
              </button>
              <button
                class="consent-button consent-button-primary"
                @click=${async () => {
                  const idpState = await IdpState.getSingletonInstance();
                  const jwt = await idpState.idpClient.getJwt();
                  if (!jwt) {
                    this.redirectOidcError('login_required');
                    return;
                  }
                  await this.completeOidcAuthorization(jwt, true);
                }}
              >
                Allow and continue
              </button>
            </div>
          </div>
        </idp-centercontainer>
      `;
    }
    return html`
      <idp-centercontainer>
        <div class="form-header">
@@ -115,12 +406,12 @@ export class IdpLoginPrompt extends DeesElement {
        </div>
        <dees-form
          id="loginForm"
-          @formData="${(eventArg) => {
+          @formData=${(eventArg) => {
            this.login({
              emailAddress: eventArg.detail.data.emailAddress,
              passwordArg: eventArg.detail.data.password,
            });
-          }}"
+          }}
        >
          <dees-input-text
            id="loginEmailInput"
@@ -137,7 +428,8 @@ export class IdpLoginPrompt extends DeesElement {
          <dees-form-submit id="loginSubmitButton"></dees-form-submit>
        </dees-form>
        <div class="form-footer">
-          Don't have an account? <a @click=${async () => {
+          Don't have an account?
          <a @click=${async () => {
            const idpState = await IdpState.getSingletonInstance();
            idpState.domtools.router.pushUrl('/register');
          }}>Create one</a>
@@ -147,32 +439,48 @@ export class IdpLoginPrompt extends DeesElement {
  }
  public async firstUpdated() {
-    const domtoolsInstance = await this.domtoolsPromise;
+    await this.domtoolsPromise;
-    const loginForm: DeesForm = this.shadowRoot.querySelector('#loginForm');
+    const idpState = await IdpState.getSingletonInstance();
-    const loginPasswordInput: DeesInputText = loginForm.querySelector('#loginPasswordInput');
+    const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm;
-    const loginSubmitButton: DeesFormSubmit = loginForm.querySelector('#loginSubmitButton');
+    const loginPasswordInput = loginForm.querySelector('#loginPasswordInput') as DeesInputText;
    const loginSubmitButton = loginForm.querySelector('#loginSubmitButton') as DeesFormSubmit;
    const oidcContext = this.getOidcAuthorizationContext();
    const setButtonText = async () => {
      if (loginPasswordInput.value) {
-        console.log('updating text of loginprompt.');
+        loginSubmitButton.text = oidcContext ? 'Sign in and continue' : 'Login';
        loginSubmitButton.text = 'Login';
      } else {
        loginSubmitButton.text = 'Send magic link (or enter password)';
      }
    };
    loginForm.changeSubject.subscribe(() => {
-      console.log(`checking button text ${loginPasswordInput.value}`);
+      void setButtonText();
      setButtonText();
    });
-    setButtonText();
+    await setButtonText();
    if (oidcContext) {
      const loggedIn = await idpState.idpClient.determineLoginStatus(false);
      if (!loggedIn && oidcContext.prompt === 'none') {
        this.redirectOidcError('login_required');
        return;
      }
      if (loggedIn && oidcContext.prompt !== 'login') {
        const jwt = await idpState.idpClient.getJwt();
        if (jwt) {
          await this.handleOidcAfterLogin(jwt);
        }
      }
    }
  }
  private login = async (valueArg: { emailAddress: string; passwordArg: string }) => {
-    // lets disable the submit button
+    const loginSubmitButton = this.shadowRoot.querySelector(
-    const loginSubmitButton: plugins.deesCatalog.DeesFormSubmit = this.shadowRoot.querySelector('#loginSubmitButton');
+      '#loginSubmitButton'
    ) as plugins.deesCatalog.DeesFormSubmit;
    loginSubmitButton.disabled = true;
-    // lets define the needed requests
+
    const idpState = await IdpState.getSingletonInstance();
-    const loginForm: DeesForm = this.shadowRoot.querySelector('#loginForm');
+    const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm;
    const loginRequestWithUsernameAndPassword =
      idpState.idpClient.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
        'loginWithEmailOrUsernameAndPassword'
@@ -182,19 +490,19 @@ export class IdpLoginPrompt extends DeesElement {
        'loginWithEmail'
      );
    // lets do the actual logging in
    if (valueArg.emailAddress && valueArg.passwordArg) {
      loginForm.setStatus('pending', 'logging in...');
      const response = await loginRequestWithUsernameAndPassword
        .fire({
-          username: valueArg.emailAddress, // TODO: rename to emailAddress
+          username: valueArg.emailAddress,
          password: valueArg.passwordArg,
        })
        .catch(() => {
          loginForm.setStatus('error', 'could not log you in. Try Again!');
-          return;
+          return null;
        });
      if (!response) {
        loginSubmitButton.disabled = false;
        return;
      }
      if (response.refreshToken) {
@@ -202,11 +510,13 @@ export class IdpLoginPrompt extends DeesElement {
        const jwt = await idpState.idpClient.refreshJwt(response.refreshToken);
        if (jwt) {
          loginForm.setStatus('success', 'obtained jwt.');
-          idpState.domtools.router.pushUrl('/account');
+          const oidcHandled = await this.handleOidcAfterLogin(jwt);
          if (!oidcHandled) {
            idpState.domtools.router.pushUrl('/account');
          }
        } else {
          loginForm.setStatus('error', 'something went wrong');
        }
      } else {
      }
    } else if (valueArg.emailAddress && !valueArg.passwordArg) {
      loginForm.setStatus('pending', 'sending magic link...');
@@ -216,13 +526,13 @@ export class IdpLoginPrompt extends DeesElement {
      if (response.status === 'ok') {
        loginForm.setStatus('success', 'Please check your email!');
      }
      console.log(response);
    }
    loginSubmitButton.disabled = false;
  };
  public async dispatchJwt(jwtArg?: string) {
    if (jwtArg !== undefined) {
      console.log(`dispatching jwt from loginprompt.`);
      this.jwt = jwtArg;
      await domtools.plugins.smartdelay.delayFor(200);
      this.dispatchEvent(
@@ -237,9 +547,7 @@ export class IdpLoginPrompt extends DeesElement {
  }
  public async focus() {
-    (
+    (this.shadowRoot.querySelector('#loginEmailInput') as plugins.deesCatalog.DeesInputText).focus();
      this.shadowRoot.querySelector('#loginEmailInput') as plugins.deesCatalog.DeesInputText
    ).focus();
  }
  public async show() {
Author	SHA1	Message	Date
jkunz	3cd7499f3f	v1.20.0 Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-04-20 09:46:13 +00:00
jkunz	29a21fd3b3	feat(auth): add abuse protection for login and OIDC flows with consent-based authorization handling	2026-04-20 09:46:13 +00:00
jkunz	21f5abb49b	v1.19.1 Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-04-20 08:44:05 +00:00
jkunz	68469b0740	fix(ts_interfaces): rename generated TypeScript interface files to remove the loint-reception prefix	2026-04-20 08:44:05 +00:00
jkunz	525a72b73b	v1.19.0 Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-04-20 08:40:40 +00:00
jkunz	d913dfaeb1	feat(oidc): persist hashed OIDC tokens, authorization codes, and user consent in smartdata storage	2026-04-20 08:40:40 +00:00
jkunz	fe9da65437	v1.18.0 Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-04-20 08:27:35 +00:00
jkunz	28d30fe392	feat(reception): persist email action tokens and registration sessions for authentication and signup flows	2026-04-20 08:27:35 +00:00
`@@ -1,4 +1,4 @@`
	`import type { TAppType } from './loint-reception.app.js';`	`import type { TAppType } from './app.js';`

	`export type TAppConnectionStatus = 'active' \| 'disconnected';`	`export type TAppConnectionStatus = 'active' \| 'disconnected';`
`@@ -1,4 +1,4 @@`
	`import * as plugins from '../loint-reception.plugins.js';`	`import * as plugins from '../plugins.js';`

	`export type TSupportedCurrency = 'EUR';`	`export type TSupportedCurrency = 'EUR';`
`@@ -1,3 +1,3 @@`
	`import * as plugins from '../loint-reception.plugins.js';`	`import * as plugins from '../plugins.js';`

	`export interface IDevice extends plugins.tsclass.network.IDevice {}`	`export interface IDevice extends plugins.tsclass.network.IDevice {}`