@absolutejs/auth 0.22.5 → 0.22.7

package/dist/index.js

@@ -3192,19 +3192,22 @@ var signout = ({
     userSessionId: user_session_id.value
   });
   const signoutSession = authSessionStore ? compatibilityLayer.session : session;
-  try {
-    await onSignOut?.({
-      authProvider: auth_provider.value,
-      session: signoutSession,
-      userSessionId: user_session_id.value
-    });
-  } catch (err) {
-    console.error("[signout] Sign out operation failed:", {
-      authProvider: auth_provider.value,
-      error: err instanceof Error ? err.message : err,
-      stack: err instanceof Error ? err.stack : undefined
-    });
-    return status("Internal Server Error", "Sign out operation failed");
+  const currentSession = signoutSession[user_session_id.value];
+  if (currentSession !== undefined) {
+    try {
+      await onSignOut?.({
+        authProvider: auth_provider.value,
+        session: signoutSession,
+        userSessionId: user_session_id.value
+      });
+    } catch (err) {
+      console.error("[signout] Sign out operation failed:", {
+        authProvider: auth_provider.value,
+        error: err instanceof Error ? err.message : err,
+        stack: err instanceof Error ? err.stack : undefined
+      });
+      return status("Internal Server Error", "Sign out operation failed");
+    }
   }
   delete signoutSession[user_session_id.value];
   if (authSessionStore) {
@@ -3219,7 +3222,7 @@ var signout = ({
   return new Response(null, { status: 204 });
 }, {
   cookie: t8.Cookie({
-    auth_provider: authProviderOption,
+    auth_provider: t8.Optional(authProviderOption),
     user_session_id: t8.Optional(t8.TemplateLiteral("${string}-${string}-${string}-${string}-${string}"))
   })
 });
@@ -3289,399 +3292,154 @@ var createInMemoryAuthSessionStore = (input = {}) => {
     listUnregisteredSessionIds: async () => [...unregisteredSessions.keys()]
   };
 };
-// src/linkedProviderResolver.ts
-var uniqueStrings = (values) => [...new Set(values)];
-var getEffectiveScopes = (grant, binding) => {
-  if (binding.availableScopes.length === 0) {
-    return uniqueStrings(grant.grantedScopes);
-  }
-  const bindingScopeSet = new Set(binding.availableScopes);
-  return uniqueStrings(grant.grantedScopes.filter((scope) => bindingScopeSet.has(scope)));
+// node_modules/@neondatabase/serverless/index.mjs
+var vo = Object.create;
+var Te = Object.defineProperty;
+var xo = Object.getOwnPropertyDescriptor;
+var So = Object.getOwnPropertyNames;
+var Eo = Object.getPrototypeOf;
+var Ao = Object.prototype.hasOwnProperty;
+var Co = (r, e, t10) => (e in r) ? Te(r, e, { enumerable: true, configurable: true, writable: true, value: t10 }) : r[e] = t10;
+var a = (r, e) => Te(r, "name", { value: e, configurable: true });
+var z = (r, e) => () => (r && (e = r(r = 0)), e);
+var I = (r, e) => () => (e || r((e = { exports: {} }).exports, e), e.exports);
+var ne = (r, e) => {
+  for (var t10 in e)
+    Te(r, t10, {
+      get: e[t10],
+      enumerable: true
+    });
 };
-var hasRequiredScopes = (availableScopes, requiredScopes) => (requiredScopes ?? []).every((scope) => availableScopes.includes(scope));
-var isGrantUsable = (grant) => grant.status === "active" || grant.status === "refresh_required";
-var isBindingUsable = (binding) => binding.status === "active";
-var needsRefresh = (lease, now, minValidityMs) => {
-  if (!lease)
-    return true;
-  if (lease.expiresAt === undefined)
-    return false;
-  return lease.expiresAt <= now + (minValidityMs ?? 0);
+var Mn = (r, e, t10, n) => {
+  if (e && typeof e == "object" || typeof e == "function")
+    for (let i of So(e))
+      !Ao.call(r, i) && i !== t10 && Te(r, i, { get: () => e[i], enumerable: !(n = xo(e, i)) || n.enumerable });
+  return r;
 };
-var ensureLeaseScopes = (lease, requiredScopes) => {
-  if (!hasRequiredScopes(lease.grantedScopes, requiredScopes)) {
-    throw new Error("Linked provider access token lease is missing required scopes");
+var xe = (r, e, t10) => (t10 = r != null ? vo(Eo(r)) : {}, Mn(e || !r || !r.__esModule ? Te(t10, "default", { value: r, enumerable: true }) : t10, r));
+var D = (r) => Mn(Te({}, "__esModule", { value: true }), r);
+var E = (r, e, t10) => Co(r, typeof e != "symbol" ? e + "" : e, t10);
+var On = I((ct) => {
+  p();
+  ct.byteLength = To;
+  ct.toByteArray = Po;
+  ct.fromByteArray = Lo;
+  var ue = [], ee = [], _o = typeof Uint8Array < "u" ? Uint8Array : Array, Ut = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  for (Se = 0, Un = Ut.length;Se < Un; ++Se)
+    ue[Se] = Ut[Se], ee[Ut.charCodeAt(Se)] = Se;
+  var Se, Un;
+  ee[45] = 62;
+  ee[95] = 63;
+  function Dn(r) {
+    var e = r.length;
+    if (e % 4 > 0)
+      throw new Error("Invalid string. Length must be a multiple of 4");
+    var t10 = r.indexOf("=");
+    t10 === -1 && (t10 = e);
+    var n = t10 === e ? 0 : 4 - t10 % 4;
+    return [t10, n];
   }
-};
-var ensureLeaseValidity = (lease, now, minValidityMs) => {
-  if (lease.expiresAt === undefined)
-    return;
-  if (lease.expiresAt <= now + (minValidityMs ?? 0)) {
-    throw new Error("Linked provider access token lease does not satisfy minimum validity");
+  a(Dn, "getLens");
+  function To(r) {
+    var e = Dn(r), t10 = e[0], n = e[1];
+    return (t10 + n) * 3 / 4 - n;
   }
-};
-var buildResolvedCredential = (grant, binding) => ({
-  bindingId: binding.id,
-  grantId: grant.id,
-  ownerRef: grant.ownerRef,
-  connectorProvider: binding.connectorProvider,
-  providerFamily: grant.providerFamily,
-  authProviderKey: grant.authProviderKey,
-  externalAccountId: binding.externalAccountId,
-  externalAccountType: binding.externalAccountType,
-  scopes: getEffectiveScopes(grant, binding),
-  capabilities: binding.capabilities ? [...binding.capabilities] : undefined,
-  label: binding.label,
-  username: binding.username,
-  email: binding.email,
-  metadata: {
-    ...grant.metadata ?? {},
-    ...binding.metadata ?? {}
+  a(To, "byteLength");
+  function Io(r, e, t10) {
+    return (e + t10) * 3 / 4 - t10;
   }
+  a(Io, "_byteLength");
+  function Po(r) {
+    var e, t10 = Dn(r), n = t10[0], i = t10[1], s = new _o(Io(r, n, i)), o = 0, u = i > 0 ? n - 4 : n, c;
+    for (c = 0;c < u; c += 4)
+      e = ee[r.charCodeAt(c)] << 18 | ee[r.charCodeAt(c + 1)] << 12 | ee[r.charCodeAt(c + 2)] << 6 | ee[r.charCodeAt(c + 3)], s[o++] = e >> 16 & 255, s[o++] = e >> 8 & 255, s[o++] = e & 255;
+    return i === 2 && (e = ee[r.charCodeAt(c)] << 2 | ee[r.charCodeAt(c + 1)] >> 4, s[o++] = e & 255), i === 1 && (e = ee[r.charCodeAt(c)] << 10 | ee[r.charCodeAt(c + 1)] << 4 | ee[r.charCodeAt(c + 2)] >> 2, s[o++] = e >> 8 & 255, s[o++] = e & 255), s;
+  }
+  a(Po, "toByteArray");
+  function Ro(r) {
+    return ue[r >> 18 & 63] + ue[r >> 12 & 63] + ue[r >> 6 & 63] + ue[r & 63];
+  }
+  a(Ro, "tripletToBase64");
+  function Bo(r, e, t10) {
+    for (var n, i = [], s = e;s < t10; s += 3)
+      n = (r[s] << 16 & 16711680) + (r[s + 1] << 8 & 65280) + (r[s + 2] & 255), i.push(Ro(n));
+    return i.join("");
+  }
+  a(Bo, "encodeChunk");
+  function Lo(r) {
+    for (var e, t10 = r.length, n = t10 % 3, i = [], s = 16383, o = 0, u = t10 - n;o < u; o += s)
+      i.push(Bo(r, o, o + s > u ? u : o + s));
+    return n === 1 ? (e = r[t10 - 1], i.push(ue[e >> 2] + ue[e << 4 & 63] + "==")) : n === 2 && (e = (r[t10 - 2] << 8) + r[t10 - 1], i.push(ue[e >> 10] + ue[e >> 4 & 63] + ue[e << 2 & 63] + "=")), i.join("");
+  }
+  a(Lo, "fromByteArray");
 });
-var annotateFailureMetadata = (metadata, report, now) => ({
-  ...metadata ?? {},
-  lastCredentialFailureAt: now,
-  lastCredentialFailureCode: report.code,
-  lastCredentialFailureMessage: report.message,
-  lastCredentialFailureRetryAt: report.retryAt
-});
-var sortNewestFirst = (items) => [...items].sort((left, right) => right.updatedAt - left.updatedAt);
-var createLinkedProviderCredentialResolver = ({
-  grantStore,
-  bindingStore,
-  loadAccessTokenLease,
-  refreshAccessTokenLease,
-  now = () => Date.now(),
-  onReportFailure
-}) => ({
-  listBindings: async ({ ownerRef, connectorProvider, status }) => sortNewestFirst(await bindingStore.listBindingsByOwner(ownerRef)).filter((binding) => (connectorProvider === undefined || binding.connectorProvider === connectorProvider) && (status === undefined || binding.status === status)),
-  resolveCredential: async (input) => {
-    const bindings = sortNewestFirst(await bindingStore.listBindingsByOwner(input.ownerRef)).filter((binding) => binding.connectorProvider === input.connectorProvider && isBindingUsable(binding) && (input.bindingId === undefined || binding.id === input.bindingId) && (input.externalAccountId === undefined || binding.externalAccountId === input.externalAccountId));
-    for (const binding of bindings) {
-      const grant = await grantStore.getGrant(binding.grantId);
-      if (!grant || grant.ownerRef !== input.ownerRef || !isGrantUsable(grant)) {
-        continue;
-      }
-      const effectiveScopes = getEffectiveScopes(grant, binding);
-      if (!hasRequiredScopes(effectiveScopes, input.requiredScopes)) {
-        continue;
-      }
-      return buildResolvedCredential(grant, binding);
-    }
-    return null;
-  },
-  getAccessToken: async (credential, input) => {
-    const binding = await bindingStore.getBinding(credential.bindingId);
-    if (!binding || !isBindingUsable(binding)) {
-      throw new Error("Linked provider binding is unavailable");
-    }
-    const grant = await grantStore.getGrant(credential.grantId);
-    if (!grant || !isGrantUsable(grant)) {
-      throw new Error("Linked provider grant is unavailable");
-    }
-    const requiredScopes = input?.requiredScopes;
-    const effectiveScopes = getEffectiveScopes(grant, binding);
-    if (!hasRequiredScopes(effectiveScopes, requiredScopes)) {
-      throw new Error("Linked provider credential is missing required scopes");
+var qn = I((Dt) => {
+  p();
+  Dt.read = function(r, e, t10, n, i) {
+    var s, o, u = i * 8 - n - 1, c = (1 << u) - 1, l = c >> 1, f = -7, y = t10 ? i - 1 : 0, g = t10 ? -1 : 1, A = r[e + y];
+    for (y += g, s = A & (1 << -f) - 1, A >>= -f, f += u;f > 0; s = s * 256 + r[e + y], y += g, f -= 8)
+      ;
+    for (o = s & (1 << -f) - 1, s >>= -f, f += n;f > 0; o = o * 256 + r[e + y], y += g, f -= 8)
+      ;
+    if (s === 0)
+      s = 1 - l;
+    else {
+      if (s === c)
+        return o ? NaN : (A ? -1 : 1) * (1 / 0);
+      o = o + Math.pow(2, n), s = s - l;
     }
-    const currentTime = now();
-    let lease = await loadAccessTokenLease(grant);
-    if (needsRefresh(lease, currentTime, input?.minValidityMs)) {
-      if (!refreshAccessTokenLease) {
-        throw new Error("Linked provider access token lease requires refresh");
-      }
-      const refreshed = await refreshAccessTokenLease(grant, input);
-      if (!refreshed) {
-        throw new Error("Linked provider access token refresh failed");
-      }
-      await grantStore.saveGrant(refreshed.grant);
-      lease = refreshed.lease;
+    return (A ? -1 : 1) * o * Math.pow(2, s - n);
+  };
+  Dt.write = function(r, e, t10, n, i, s) {
+    var o, u, c, l = s * 8 - i - 1, f = (1 << l) - 1, y = f >> 1, g = i === 23 ? Math.pow(2, -24) - Math.pow(2, -77) : 0, A = n ? 0 : s - 1, C = n ? 1 : -1, Q = e < 0 || e === 0 && 1 / e < 0 ? 1 : 0;
+    for (e = Math.abs(e), isNaN(e) || e === 1 / 0 ? (u = isNaN(e) ? 1 : 0, o = f) : (o = Math.floor(Math.log(e) / Math.LN2), e * (c = Math.pow(2, -o)) < 1 && (o--, c *= 2), o + y >= 1 ? e += g / c : e += g * Math.pow(2, 1 - y), e * c >= 2 && (o++, c /= 2), o + y >= f ? (u = 0, o = f) : o + y >= 1 ? (u = (e * c - 1) * Math.pow(2, i), o = o + y) : (u = e * Math.pow(2, y - 1) * Math.pow(2, i), o = 0));i >= 8; r[t10 + A] = u & 255, A += C, u /= 256, i -= 8)
+      ;
+    for (o = o << i | u, l += i;l > 0; r[t10 + A] = o & 255, A += C, o /= 256, l -= 8)
+      ;
+    r[t10 + A - C] |= Q * 128;
+  };
+});
+var ri = I((Be) => {
+  p();
+  var Ot = On(), Pe = qn(), Qn = typeof Symbol == "function" && typeof Symbol.for == "function" ? Symbol.for("nodejs.util.inspect.custom") : null;
+  Be.Buffer = h;
+  Be.SlowBuffer = Oo;
+  Be.INSPECT_MAX_BYTES = 50;
+  var lt = 2147483647;
+  Be.kMaxLength = lt;
+  h.TYPED_ARRAY_SUPPORT = Fo();
+  !h.TYPED_ARRAY_SUPPORT && typeof console < "u" && typeof console.error == "function" && console.error("This browser lacks typed array (Uint8Array) support which is required by `buffer` v5.x. Use `buffer` v4.x if you require old browser support.");
+  function Fo() {
+    try {
+      let r = new Uint8Array(1), e = { foo: a(function() {
+        return 42;
+      }, "foo") };
+      return Object.setPrototypeOf(e, Uint8Array.prototype), Object.setPrototypeOf(r, e), r.foo() === 42;
+    } catch {
+      return false;
     }
-    if (!lease) {
-      throw new Error("Linked provider access token lease is unavailable");
-    }
-    ensureLeaseScopes(lease, requiredScopes);
-    ensureLeaseValidity(lease, currentTime, input?.minValidityMs);
-    return lease;
-  },
-  reportFailure: async (credential, report) => {
-    const currentTime = now();
-    const grant = await grantStore.getGrant(credential.grantId);
-    const binding = await bindingStore.getBinding(credential.bindingId);
-    if (grant) {
-      const nextGrant = {
-        ...grant,
-        updatedAt: currentTime,
-        lastRefreshError: report.message ?? report.code,
-        metadata: annotateFailureMetadata(grant.metadata, report, currentTime)
-      };
-      if (report.code === "unauthorized" || report.code === "revoked") {
-        nextGrant.status = "revoked";
-      }
-      await grantStore.saveGrant(nextGrant);
-    }
-    if (binding) {
-      const nextBinding = {
-        ...binding,
-        updatedAt: currentTime,
-        metadata: annotateFailureMetadata(binding.metadata, report, currentTime)
-      };
-      if (report.code === "unauthorized" || report.code === "revoked") {
-        nextBinding.status = "disconnected";
-      } else if (report.code === "insufficient_scope") {
-        nextBinding.status = "restricted";
-      }
-      await bindingStore.saveBinding(nextBinding);
-    }
-    await onReportFailure?.({
-      credential,
-      report,
-      grant: grant ?? undefined,
-      binding: binding ?? undefined
-    });
-  }
-});
-// src/oauthLinkedProviderResolver.ts
-var getGrantedScopes = (scopeValue, fallbackScopes) => {
-  if (typeof scopeValue === "string" && scopeValue.trim().length > 0) {
-    return [...new Set(scopeValue.split(/\s+/).filter(Boolean))];
-  }
-  return [...new Set(fallbackScopes.filter(Boolean))];
-};
-var getExpiresAt = (tokenResponse) => {
-  const expiresIn = tokenResponse.expires_in;
-  const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : typeof expiresIn === "string" && expiresIn.trim().length > 0 ? Number(expiresIn) : Number.NaN;
-  if (!Number.isFinite(expiresInSeconds) || expiresInSeconds <= 0) {
-    return;
-  }
-  return Date.now() + expiresInSeconds * 1000;
-};
-var createOAuthLinkedProviderCredentialResolver = async ({
-  bindingStore,
-  grantStore,
-  now,
-  providersConfiguration
-}) => {
-  const clientEntries = [];
-  for (const [providerName, providerConfig] of Object.entries(providersConfiguration)) {
-    if (!isValidProviderOption(providerName)) {
-      continue;
-    }
-    const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
-      providerName,
-      providersConfiguration
-    });
-    if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
-      continue;
-    }
-    clientEntries.push(createOAuth2Client(providerName, resolvedProviderClientConfiguration.config.credentials).then((providerInstance) => [providerName, providerInstance]));
-  }
-  const clients = new Map(await Promise.all(clientEntries));
-  return createLinkedProviderCredentialResolver({
-    bindingStore,
-    grantStore,
-    now,
-    loadAccessTokenLease: async (grant) => grant.accessTokenCiphertext ? {
-      accessToken: grant.accessTokenCiphertext,
-      expiresAt: grant.expiresAt,
-      grantedScopes: grant.grantedScopes,
-      tokenType: grant.tokenType
-    } : null,
-    refreshAccessTokenLease: async (grant) => {
-      if (!isValidProviderOption(grant.authProviderKey) || !grant.refreshTokenCiphertext) {
-        return null;
-      }
-      const providerKey = grant.authProviderKey;
-      const providerClientName = typeof grant.metadata?.providerClient === "string" && grant.metadata.providerClient.trim().length > 0 ? grant.metadata.providerClient.trim() : undefined;
-      const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
-        clientName: providerClientName,
-        providerName: providerKey,
-        providersConfiguration
-      });
-      if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
-        return null;
-      }
-      const providerClient = await createOAuth2Client(providerKey, resolvedProviderClientConfiguration.config.credentials);
-      if (!providerClient || !isRefreshableOAuth2Client(providerKey, providerClient)) {
-        return null;
-      }
-      const tokenResponse = await providerClient.refreshAccessToken(grant.refreshTokenCiphertext);
-      const refreshedAt = Date.now();
-      const grantedScopes = getGrantedScopes(Reflect.get(tokenResponse, "scope"), grant.grantedScopes);
-      const tokenType = Reflect.get(tokenResponse, "token_type");
-      const refreshedGrant = {
-        ...grant,
-        accessTokenCiphertext: tokenResponse.access_token,
-        expiresAt: getExpiresAt(tokenResponse),
-        grantedScopes,
-        lastRefreshError: undefined,
-        lastRefreshedAt: refreshedAt,
-        refreshTokenCiphertext: tokenResponse.refresh_token ?? grant.refreshTokenCiphertext,
-        status: "active",
-        tokenType: typeof tokenType === "string" ? tokenType : grant.tokenType,
-        updatedAt: refreshedAt
-      };
-      return {
-        grant: refreshedGrant,
-        lease: {
-          accessToken: refreshedGrant.accessTokenCiphertext ?? "",
-          expiresAt: refreshedGrant.expiresAt,
-          grantedScopes: refreshedGrant.grantedScopes,
-          tokenType: refreshedGrant.tokenType
-        }
-      };
-    }
-  });
-};
-// node_modules/@neondatabase/serverless/index.mjs
-var vo = Object.create;
-var Te = Object.defineProperty;
-var xo = Object.getOwnPropertyDescriptor;
-var So = Object.getOwnPropertyNames;
-var Eo = Object.getPrototypeOf;
-var Ao = Object.prototype.hasOwnProperty;
-var Co = (r, e, t10) => (e in r) ? Te(r, e, { enumerable: true, configurable: true, writable: true, value: t10 }) : r[e] = t10;
-var a = (r, e) => Te(r, "name", { value: e, configurable: true });
-var z = (r, e) => () => (r && (e = r(r = 0)), e);
-var I = (r, e) => () => (e || r((e = { exports: {} }).exports, e), e.exports);
-var ne = (r, e) => {
-  for (var t10 in e)
-    Te(r, t10, {
-      get: e[t10],
-      enumerable: true
-    });
-};
-var Mn = (r, e, t10, n) => {
-  if (e && typeof e == "object" || typeof e == "function")
-    for (let i of So(e))
-      !Ao.call(r, i) && i !== t10 && Te(r, i, { get: () => e[i], enumerable: !(n = xo(e, i)) || n.enumerable });
-  return r;
-};
-var xe = (r, e, t10) => (t10 = r != null ? vo(Eo(r)) : {}, Mn(e || !r || !r.__esModule ? Te(t10, "default", { value: r, enumerable: true }) : t10, r));
-var D = (r) => Mn(Te({}, "__esModule", { value: true }), r);
-var E = (r, e, t10) => Co(r, typeof e != "symbol" ? e + "" : e, t10);
-var On = I((ct) => {
-  p();
-  ct.byteLength = To;
-  ct.toByteArray = Po;
-  ct.fromByteArray = Lo;
-  var ue = [], ee = [], _o = typeof Uint8Array < "u" ? Uint8Array : Array, Ut = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-  for (Se = 0, Un = Ut.length;Se < Un; ++Se)
-    ue[Se] = Ut[Se], ee[Ut.charCodeAt(Se)] = Se;
-  var Se, Un;
-  ee[45] = 62;
-  ee[95] = 63;
-  function Dn(r) {
-    var e = r.length;
-    if (e % 4 > 0)
-      throw new Error("Invalid string. Length must be a multiple of 4");
-    var t10 = r.indexOf("=");
-    t10 === -1 && (t10 = e);
-    var n = t10 === e ? 0 : 4 - t10 % 4;
-    return [t10, n];
-  }
-  a(Dn, "getLens");
-  function To(r) {
-    var e = Dn(r), t10 = e[0], n = e[1];
-    return (t10 + n) * 3 / 4 - n;
-  }
-  a(To, "byteLength");
-  function Io(r, e, t10) {
-    return (e + t10) * 3 / 4 - t10;
-  }
-  a(Io, "_byteLength");
-  function Po(r) {
-    var e, t10 = Dn(r), n = t10[0], i = t10[1], s = new _o(Io(r, n, i)), o = 0, u = i > 0 ? n - 4 : n, c;
-    for (c = 0;c < u; c += 4)
-      e = ee[r.charCodeAt(c)] << 18 | ee[r.charCodeAt(c + 1)] << 12 | ee[r.charCodeAt(c + 2)] << 6 | ee[r.charCodeAt(c + 3)], s[o++] = e >> 16 & 255, s[o++] = e >> 8 & 255, s[o++] = e & 255;
-    return i === 2 && (e = ee[r.charCodeAt(c)] << 2 | ee[r.charCodeAt(c + 1)] >> 4, s[o++] = e & 255), i === 1 && (e = ee[r.charCodeAt(c)] << 10 | ee[r.charCodeAt(c + 1)] << 4 | ee[r.charCodeAt(c + 2)] >> 2, s[o++] = e >> 8 & 255, s[o++] = e & 255), s;
-  }
-  a(Po, "toByteArray");
-  function Ro(r) {
-    return ue[r >> 18 & 63] + ue[r >> 12 & 63] + ue[r >> 6 & 63] + ue[r & 63];
-  }
-  a(Ro, "tripletToBase64");
-  function Bo(r, e, t10) {
-    for (var n, i = [], s = e;s < t10; s += 3)
-      n = (r[s] << 16 & 16711680) + (r[s + 1] << 8 & 65280) + (r[s + 2] & 255), i.push(Ro(n));
-    return i.join("");
-  }
-  a(Bo, "encodeChunk");
-  function Lo(r) {
-    for (var e, t10 = r.length, n = t10 % 3, i = [], s = 16383, o = 0, u = t10 - n;o < u; o += s)
-      i.push(Bo(r, o, o + s > u ? u : o + s));
-    return n === 1 ? (e = r[t10 - 1], i.push(ue[e >> 2] + ue[e << 4 & 63] + "==")) : n === 2 && (e = (r[t10 - 2] << 8) + r[t10 - 1], i.push(ue[e >> 10] + ue[e >> 4 & 63] + ue[e << 2 & 63] + "=")), i.join("");
-  }
-  a(Lo, "fromByteArray");
-});
-var qn = I((Dt) => {
-  p();
-  Dt.read = function(r, e, t10, n, i) {
-    var s, o, u = i * 8 - n - 1, c = (1 << u) - 1, l = c >> 1, f = -7, y = t10 ? i - 1 : 0, g = t10 ? -1 : 1, A = r[e + y];
-    for (y += g, s = A & (1 << -f) - 1, A >>= -f, f += u;f > 0; s = s * 256 + r[e + y], y += g, f -= 8)
-      ;
-    for (o = s & (1 << -f) - 1, s >>= -f, f += n;f > 0; o = o * 256 + r[e + y], y += g, f -= 8)
-      ;
-    if (s === 0)
-      s = 1 - l;
-    else {
-      if (s === c)
-        return o ? NaN : (A ? -1 : 1) * (1 / 0);
-      o = o + Math.pow(2, n), s = s - l;
-    }
-    return (A ? -1 : 1) * o * Math.pow(2, s - n);
-  };
-  Dt.write = function(r, e, t10, n, i, s) {
-    var o, u, c, l = s * 8 - i - 1, f = (1 << l) - 1, y = f >> 1, g = i === 23 ? Math.pow(2, -24) - Math.pow(2, -77) : 0, A = n ? 0 : s - 1, C = n ? 1 : -1, Q = e < 0 || e === 0 && 1 / e < 0 ? 1 : 0;
-    for (e = Math.abs(e), isNaN(e) || e === 1 / 0 ? (u = isNaN(e) ? 1 : 0, o = f) : (o = Math.floor(Math.log(e) / Math.LN2), e * (c = Math.pow(2, -o)) < 1 && (o--, c *= 2), o + y >= 1 ? e += g / c : e += g * Math.pow(2, 1 - y), e * c >= 2 && (o++, c /= 2), o + y >= f ? (u = 0, o = f) : o + y >= 1 ? (u = (e * c - 1) * Math.pow(2, i), o = o + y) : (u = e * Math.pow(2, y - 1) * Math.pow(2, i), o = 0));i >= 8; r[t10 + A] = u & 255, A += C, u /= 256, i -= 8)
-      ;
-    for (o = o << i | u, l += i;l > 0; r[t10 + A] = o & 255, A += C, o /= 256, l -= 8)
-      ;
-    r[t10 + A - C] |= Q * 128;
-  };
-});
-var ri = I((Be) => {
-  p();
-  var Ot = On(), Pe = qn(), Qn = typeof Symbol == "function" && typeof Symbol.for == "function" ? Symbol.for("nodejs.util.inspect.custom") : null;
-  Be.Buffer = h;
-  Be.SlowBuffer = Oo;
-  Be.INSPECT_MAX_BYTES = 50;
-  var lt = 2147483647;
-  Be.kMaxLength = lt;
-  h.TYPED_ARRAY_SUPPORT = Fo();
-  !h.TYPED_ARRAY_SUPPORT && typeof console < "u" && typeof console.error == "function" && console.error("This browser lacks typed array (Uint8Array) support which is required by `buffer` v5.x. Use `buffer` v4.x if you require old browser support.");
-  function Fo() {
-    try {
-      let r = new Uint8Array(1), e = { foo: a(function() {
-        return 42;
-      }, "foo") };
-      return Object.setPrototypeOf(e, Uint8Array.prototype), Object.setPrototypeOf(r, e), r.foo() === 42;
-    } catch {
-      return false;
-    }
-  }
-  a(Fo, "typedArraySupport");
-  Object.defineProperty(h.prototype, "parent", { enumerable: true, get: a(function() {
-    if (h.isBuffer(this))
-      return this.buffer;
-  }, "get") });
-  Object.defineProperty(h.prototype, "offset", { enumerable: true, get: a(function() {
-    if (h.isBuffer(this))
-      return this.byteOffset;
-  }, "get") });
-  function pe(r) {
-    if (r > lt)
-      throw new RangeError('The value "' + r + '" is invalid for option "size"');
-    let e = new Uint8Array(r);
-    return Object.setPrototypeOf(e, h.prototype), e;
-  }
-  a(pe, "createBuffer");
-  function h(r, e, t10) {
-    if (typeof r == "number") {
-      if (typeof e == "string")
-        throw new TypeError('The "string" argument must be of type string. Received type number');
-      return jt(r);
+  }
+  a(Fo, "typedArraySupport");
+  Object.defineProperty(h.prototype, "parent", { enumerable: true, get: a(function() {
+    if (h.isBuffer(this))
+      return this.buffer;
+  }, "get") });
+  Object.defineProperty(h.prototype, "offset", { enumerable: true, get: a(function() {
+    if (h.isBuffer(this))
+      return this.byteOffset;
+  }, "get") });
+  function pe(r) {
+    if (r > lt)
+      throw new RangeError('The value "' + r + '" is invalid for option "size"');
+    let e = new Uint8Array(r);
+    return Object.setPrototypeOf(e, h.prototype), e;
+  }
+  a(pe, "createBuffer");
+  function h(r, e, t10) {
+    if (typeof r == "number") {
+      if (typeof e == "string")
+        throw new TypeError('The "string" argument must be of type string. Received type number');
+      return jt(r);
     }
     return Hn(r, e, t10);
   }
@@ -12994,239 +12752,597 @@ class PgSession {
       return prepared.setToken(token).execute(undefined, token);
     });
   }
-  all(query) {
-    return this.prepareQuery(this.dialect.sqlToQuery(query), undefined, undefined, false).all();
+  all(query) {
+    return this.prepareQuery(this.dialect.sqlToQuery(query), undefined, undefined, false).all();
+  }
+  async count(sql2, token) {
+    const res = await this.execute(sql2, token);
+    return Number(res[0]["count"]);
+  }
+}
+
+// node_modules/drizzle-orm/neon-http/session.js
+var rawQueryConfig = {
+  arrayMode: false,
+  fullResults: true
+};
+var queryConfig = {
+  arrayMode: true,
+  fullResults: true
+};
+
+class NeonHttpPreparedQuery extends PgPreparedQuery {
+  constructor(client, query, logger, fields, _isResponseInArrayMode, customResultMapper) {
+    super(query);
+    this.client = client;
+    this.logger = logger;
+    this.fields = fields;
+    this._isResponseInArrayMode = _isResponseInArrayMode;
+    this.customResultMapper = customResultMapper;
+    this.clientQuery = client.query ?? client;
+  }
+  static [entityKind] = "NeonHttpPreparedQuery";
+  clientQuery;
+  async execute(placeholderValues = {}, token = this.authToken) {
+    const params = fillPlaceholders(this.query.params, placeholderValues);
+    this.logger.logQuery(this.query.sql, params);
+    const { fields, clientQuery, query, customResultMapper } = this;
+    if (!fields && !customResultMapper) {
+      return clientQuery(query.sql, params, token === undefined ? rawQueryConfig : {
+        ...rawQueryConfig,
+        authToken: token
+      });
+    }
+    const result = await clientQuery(query.sql, params, token === undefined ? queryConfig : {
+      ...queryConfig,
+      authToken: token
+    });
+    return this.mapResult(result);
+  }
+  mapResult(result) {
+    if (!this.fields && !this.customResultMapper) {
+      return result;
+    }
+    const rows = result.rows;
+    if (this.customResultMapper) {
+      return this.customResultMapper(rows);
+    }
+    return rows.map((row) => mapResultRow(this.fields, row, this.joinsNotNullableMap));
+  }
+  all(placeholderValues = {}) {
+    const params = fillPlaceholders(this.query.params, placeholderValues);
+    this.logger.logQuery(this.query.sql, params);
+    return this.clientQuery(this.query.sql, params, this.authToken === undefined ? rawQueryConfig : {
+      ...rawQueryConfig,
+      authToken: this.authToken
+    }).then((result) => result.rows);
+  }
+  values(placeholderValues = {}, token) {
+    const params = fillPlaceholders(this.query.params, placeholderValues);
+    this.logger.logQuery(this.query.sql, params);
+    return this.clientQuery(this.query.sql, params, { arrayMode: true, fullResults: true, authToken: token }).then((result) => result.rows);
+  }
+  isResponseInArrayMode() {
+    return this._isResponseInArrayMode;
+  }
+}
+
+class NeonHttpSession extends PgSession {
+  constructor(client, dialect, schema, options = {}) {
+    super(dialect);
+    this.client = client;
+    this.schema = schema;
+    this.options = options;
+    this.clientQuery = client.query ?? client;
+    this.logger = options.logger ?? new NoopLogger;
+  }
+  static [entityKind] = "NeonHttpSession";
+  clientQuery;
+  logger;
+  prepareQuery(query, fields, name, isResponseInArrayMode, customResultMapper) {
+    return new NeonHttpPreparedQuery(this.client, query, this.logger, fields, isResponseInArrayMode, customResultMapper);
+  }
+  async batch(queries) {
+    const preparedQueries = [];
+    const builtQueries = [];
+    for (const query of queries) {
+      const preparedQuery = query._prepare();
+      const builtQuery = preparedQuery.getQuery();
+      preparedQueries.push(preparedQuery);
+      builtQueries.push(this.clientQuery(builtQuery.sql, builtQuery.params, {
+        fullResults: true,
+        arrayMode: preparedQuery.isResponseInArrayMode()
+      }));
+    }
+    const batchResults = await this.client.transaction(builtQueries, queryConfig);
+    return batchResults.map((result, i) => preparedQueries[i].mapResult(result, true));
+  }
+  async query(query, params) {
+    this.logger.logQuery(query, params);
+    const result = await this.clientQuery(query, params, { arrayMode: true, fullResults: true });
+    return result;
+  }
+  async queryObjects(query, params) {
+    return this.clientQuery(query, params, { arrayMode: false, fullResults: true });
+  }
+  async count(sql2, token) {
+    const res = await this.execute(sql2, token);
+    return Number(res["rows"][0]["count"]);
+  }
+  async transaction(_transaction, _config = {}) {
+    throw new Error("No transactions support in neon-http driver");
+  }
+}
+
+// node_modules/drizzle-orm/neon-http/driver.js
+class NeonHttpDriver {
+  constructor(client, dialect, options = {}) {
+    this.client = client;
+    this.dialect = dialect;
+    this.options = options;
+    this.initMappers();
+  }
+  static [entityKind] = "NeonHttpDriver";
+  createSession(schema) {
+    return new NeonHttpSession(this.client, this.dialect, schema, { logger: this.options.logger });
+  }
+  initMappers() {
+    export_types.setTypeParser(export_types.builtins.TIMESTAMPTZ, (val) => val);
+    export_types.setTypeParser(export_types.builtins.TIMESTAMP, (val) => val);
+    export_types.setTypeParser(export_types.builtins.DATE, (val) => val);
+    export_types.setTypeParser(export_types.builtins.INTERVAL, (val) => val);
+    export_types.setTypeParser(1231, (val) => val);
+    export_types.setTypeParser(1115, (val) => val);
+    export_types.setTypeParser(1185, (val) => val);
+    export_types.setTypeParser(1187, (val) => val);
+    export_types.setTypeParser(1182, (val) => val);
+  }
+}
+function wrap(target, token, cb, deep) {
+  return new Proxy(target, {
+    get(target2, p2) {
+      const element = target2[p2];
+      if (typeof element !== "function" && (typeof element !== "object" || element === null))
+        return element;
+      if (deep)
+        return wrap(element, token, cb);
+      if (p2 === "query")
+        return wrap(element, token, cb, true);
+      return new Proxy(element, {
+        apply(target3, thisArg, argArray) {
+          const res = target3.call(thisArg, ...argArray);
+          if (typeof res === "object" && res !== null && "setToken" in res && typeof res.setToken === "function") {
+            res.setToken(token);
+          }
+          return cb(target3, p2, res);
+        }
+      });
+    }
+  });
+}
+
+class NeonHttpDatabase extends PgDatabase {
+  static [entityKind] = "NeonHttpDatabase";
+  $withAuth(token) {
+    this.authToken = token;
+    return wrap(this, token, (target, p2, res) => {
+      if (p2 === "with") {
+        return wrap(res, token, (_, __, res2) => res2);
+      }
+      return res;
+    });
+  }
+  async batch(batch) {
+    return this.session.batch(batch);
+  }
+}
+function construct(client, config = {}) {
+  const dialect = new PgDialect({ casing: config.casing });
+  let logger;
+  if (config.logger === true) {
+    logger = new DefaultLogger;
+  } else if (config.logger !== false) {
+    logger = config.logger;
+  }
+  let schema;
+  if (config.schema) {
+    const tablesConfig = extractTablesRelationalConfig(config.schema, createTableRelationsHelpers);
+    schema = {
+      fullSchema: config.schema,
+      schema: tablesConfig.tables,
+      tableNamesMap: tablesConfig.tableNamesMap
+    };
+  }
+  const driver = new NeonHttpDriver(client, dialect, { logger });
+  const session = driver.createSession(schema);
+  const db = new NeonHttpDatabase(dialect, session, schema);
+  db.$client = client;
+  return db;
+}
+function drizzle(...params) {
+  if (typeof params[0] === "string") {
+    const instance = as(params[0]);
+    return construct(instance, params[1]);
   }
-  async count(sql2, token) {
-    const res = await this.execute(sql2, token);
-    return Number(res[0]["count"]);
+  if (isConfig(params[0])) {
+    const { connection, client, ...drizzleConfig } = params[0];
+    if (client)
+      return construct(client, drizzleConfig);
+    if (typeof connection === "object") {
+      const { connectionString, ...options } = connection;
+      const instance2 = as(connectionString, options);
+      return construct(instance2, drizzleConfig);
+    }
+    const instance = as(connection);
+    return construct(instance, drizzleConfig);
   }
+  return construct(params[0], params[1]);
 }
+((drizzle2) => {
+  function mock(config) {
+    return construct({}, config);
+  }
+  drizzle2.mock = mock;
+})(drizzle || (drizzle = {}));
 
-// node_modules/drizzle-orm/neon-http/session.js
-var rawQueryConfig = {
-  arrayMode: false,
-  fullResults: true
+// src/neonAuthSessionStore.ts
+var authSessionsTable = pgTable("auth_sessions", {
+  id: varchar("id", { length: 255 }).primaryKey(),
+  access_token: text("access_token").notNull(),
+  refresh_token: text("refresh_token"),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  user_json: jsonb("user_json").$type().notNull(),
+  created_at: timestamp("created_at").notNull().defaultNow(),
+  updated_at: timestamp("updated_at").notNull().defaultNow()
+});
+var authUnregisteredSessionsTable = pgTable("auth_unregistered_sessions", {
+  id: varchar("id", { length: 255 }).primaryKey(),
+  access_token: text("access_token"),
+  refresh_token: text("refresh_token"),
+  expires_at_ms: bigint("expires_at_ms", { mode: "number" }).notNull(),
+  user_identity_json: jsonb("user_identity_json").$type(),
+  session_information_json: jsonb("session_information_json").$type(),
+  created_at: timestamp("created_at").notNull().defaultNow(),
+  updated_at: timestamp("updated_at").notNull().defaultNow()
+});
+var authSessionSchema = {
+  authSessions: authSessionsTable,
+  authUnregisteredSessions: authUnregisteredSessionsTable
 };
-var queryConfig = {
-  arrayMode: true,
-  fullResults: true
+var cloneUser = (value) => {
+  if (value === null || value === undefined)
+    return value;
+  return structuredClone(value);
 };
-
-class NeonHttpPreparedQuery extends PgPreparedQuery {
-  constructor(client, query, logger, fields, _isResponseInArrayMode, customResultMapper) {
-    super(query);
-    this.client = client;
-    this.logger = logger;
-    this.fields = fields;
-    this._isResponseInArrayMode = _isResponseInArrayMode;
-    this.customResultMapper = customResultMapper;
-    this.clientQuery = client.query ?? client;
-  }
-  static [entityKind] = "NeonHttpPreparedQuery";
-  clientQuery;
-  async execute(placeholderValues = {}, token = this.authToken) {
-    const params = fillPlaceholders(this.query.params, placeholderValues);
-    this.logger.logQuery(this.query.sql, params);
-    const { fields, clientQuery, query, customResultMapper } = this;
-    if (!fields && !customResultMapper) {
-      return clientQuery(query.sql, params, token === undefined ? rawQueryConfig : {
-        ...rawQueryConfig,
-        authToken: token
+var cloneRecord = (value) => value ? structuredClone(value) : undefined;
+var toSessionData = (row) => ({
+  accessToken: row.access_token,
+  expiresAt: row.expires_at_ms,
+  refreshToken: row.refresh_token ?? undefined,
+  user: cloneUser(row.user_json)
+});
+var toUnregisteredSessionData = (row) => ({
+  accessToken: row.access_token ?? undefined,
+  expiresAt: row.expires_at_ms,
+  refreshToken: row.refresh_token ?? undefined,
+  sessionInformation: cloneRecord(row.session_information_json ?? undefined),
+  userIdentity: cloneRecord(row.user_identity_json ?? undefined)
+});
+var createNeonAuthSessionStore = (databaseUrl) => {
+  const sql2 = as(databaseUrl);
+  const db = drizzle(sql2, {
+    schema: authSessionSchema
+  });
+  return {
+    getSession: async (id) => {
+      const [row] = await db.select().from(authSessionsTable).where(eq(authSessionsTable.id, id)).limit(1);
+      return row ? toSessionData(row) : undefined;
+    },
+    setSession: async (id, value) => {
+      await db.insert(authSessionsTable).values({
+        id,
+        access_token: value.accessToken,
+        refresh_token: value.refreshToken ?? null,
+        expires_at_ms: value.expiresAt,
+        user_json: value.user ?? {},
+        updated_at: new Date
+      }).onConflictDoUpdate({
+        target: authSessionsTable.id,
+        set: {
+          access_token: value.accessToken,
+          refresh_token: value.refreshToken ?? null,
+          expires_at_ms: value.expiresAt,
+          user_json: value.user ?? {},
+          updated_at: new Date
+        }
       });
+    },
+    removeSession: async (id) => {
+      await db.delete(authSessionsTable).where(eq(authSessionsTable.id, id));
+    },
+    getUnregisteredSession: async (id) => {
+      const [row] = await db.select().from(authUnregisteredSessionsTable).where(eq(authUnregisteredSessionsTable.id, id)).limit(1);
+      return row ? toUnregisteredSessionData(row) : undefined;
+    },
+    setUnregisteredSession: async (id, value) => {
+      await db.insert(authUnregisteredSessionsTable).values({
+        id,
+        access_token: value.accessToken ?? null,
+        refresh_token: value.refreshToken ?? null,
+        expires_at_ms: value.expiresAt,
+        user_identity_json: value.userIdentity ?? null,
+        session_information_json: value.sessionInformation ?? null,
+        updated_at: new Date
+      }).onConflictDoUpdate({
+        target: authUnregisteredSessionsTable.id,
+        set: {
+          access_token: value.accessToken ?? null,
+          refresh_token: value.refreshToken ?? null,
+          expires_at_ms: value.expiresAt,
+          user_identity_json: value.userIdentity ?? null,
+          session_information_json: value.sessionInformation ?? null,
+          updated_at: new Date
+        }
+      });
+    },
+    removeUnregisteredSession: async (id) => {
+      await db.delete(authUnregisteredSessionsTable).where(eq(authUnregisteredSessionsTable.id, id));
+    },
+    listSessionIds: async () => {
+      const rows = await db.select({ id: authSessionsTable.id }).from(authSessionsTable);
+      return rows.map((row) => row.id);
+    },
+    listUnregisteredSessionIds: async () => {
+      const rows = await db.select({ id: authUnregisteredSessionsTable.id }).from(authUnregisteredSessionsTable);
+      return rows.map((row) => row.id);
     }
-    const result = await clientQuery(query.sql, params, token === undefined ? queryConfig : {
-      ...queryConfig,
-      authToken: token
-    });
-    return this.mapResult(result);
-  }
-  mapResult(result) {
-    if (!this.fields && !this.customResultMapper) {
-      return result;
-    }
-    const rows = result.rows;
-    if (this.customResultMapper) {
-      return this.customResultMapper(rows);
-    }
-    return rows.map((row) => mapResultRow(this.fields, row, this.joinsNotNullableMap));
-  }
-  all(placeholderValues = {}) {
-    const params = fillPlaceholders(this.query.params, placeholderValues);
-    this.logger.logQuery(this.query.sql, params);
-    return this.clientQuery(this.query.sql, params, this.authToken === undefined ? rawQueryConfig : {
-      ...rawQueryConfig,
-      authToken: this.authToken
-    }).then((result) => result.rows);
-  }
-  values(placeholderValues = {}, token) {
-    const params = fillPlaceholders(this.query.params, placeholderValues);
-    this.logger.logQuery(this.query.sql, params);
-    return this.clientQuery(this.query.sql, params, { arrayMode: true, fullResults: true, authToken: token }).then((result) => result.rows);
+  };
+};
+// src/linkedProviderResolver.ts
+var uniqueStrings = (values) => [...new Set(values)];
+var getEffectiveScopes = (grant, binding) => {
+  if (binding.availableScopes.length === 0) {
+    return uniqueStrings(grant.grantedScopes);
   }
-  isResponseInArrayMode() {
-    return this._isResponseInArrayMode;
+  const bindingScopeSet = new Set(binding.availableScopes);
+  return uniqueStrings(grant.grantedScopes.filter((scope) => bindingScopeSet.has(scope)));
+};
+var hasRequiredScopes = (availableScopes, requiredScopes) => (requiredScopes ?? []).every((scope) => availableScopes.includes(scope));
+var isGrantUsable = (grant) => grant.status === "active" || grant.status === "refresh_required";
+var isBindingUsable = (binding) => binding.status === "active";
+var needsRefresh = (lease, now, minValidityMs) => {
+  if (!lease)
+    return true;
+  if (lease.expiresAt === undefined)
+    return false;
+  return lease.expiresAt <= now + (minValidityMs ?? 0);
+};
+var ensureLeaseScopes = (lease, requiredScopes) => {
+  if (!hasRequiredScopes(lease.grantedScopes, requiredScopes)) {
+    throw new Error("Linked provider access token lease is missing required scopes");
   }
-}
-
-class NeonHttpSession extends PgSession {
-  constructor(client, dialect, schema, options = {}) {
-    super(dialect);
-    this.client = client;
-    this.schema = schema;
-    this.options = options;
-    this.clientQuery = client.query ?? client;
-    this.logger = options.logger ?? new NoopLogger;
+};
+var ensureLeaseValidity = (lease, now, minValidityMs) => {
+  if (lease.expiresAt === undefined)
+    return;
+  if (lease.expiresAt <= now + (minValidityMs ?? 0)) {
+    throw new Error("Linked provider access token lease does not satisfy minimum validity");
   }
-  static [entityKind] = "NeonHttpSession";
-  clientQuery;
-  logger;
-  prepareQuery(query, fields, name, isResponseInArrayMode, customResultMapper) {
-    return new NeonHttpPreparedQuery(this.client, query, this.logger, fields, isResponseInArrayMode, customResultMapper);
+};
+var buildResolvedCredential = (grant, binding) => ({
+  bindingId: binding.id,
+  grantId: grant.id,
+  ownerRef: grant.ownerRef,
+  connectorProvider: binding.connectorProvider,
+  providerFamily: grant.providerFamily,
+  authProviderKey: grant.authProviderKey,
+  externalAccountId: binding.externalAccountId,
+  externalAccountType: binding.externalAccountType,
+  scopes: getEffectiveScopes(grant, binding),
+  capabilities: binding.capabilities ? [...binding.capabilities] : undefined,
+  label: binding.label,
+  username: binding.username,
+  email: binding.email,
+  metadata: {
+    ...grant.metadata ?? {},
+    ...binding.metadata ?? {}
   }
-  async batch(queries) {
-    const preparedQueries = [];
-    const builtQueries = [];
-    for (const query of queries) {
-      const preparedQuery = query._prepare();
-      const builtQuery = preparedQuery.getQuery();
-      preparedQueries.push(preparedQuery);
-      builtQueries.push(this.clientQuery(builtQuery.sql, builtQuery.params, {
-        fullResults: true,
-        arrayMode: preparedQuery.isResponseInArrayMode()
-      }));
+});
+var annotateFailureMetadata = (metadata, report, now) => ({
+  ...metadata ?? {},
+  lastCredentialFailureAt: now,
+  lastCredentialFailureCode: report.code,
+  lastCredentialFailureMessage: report.message,
+  lastCredentialFailureRetryAt: report.retryAt
+});
+var sortNewestFirst = (items) => [...items].sort((left, right) => right.updatedAt - left.updatedAt);
+var createLinkedProviderCredentialResolver = ({
+  grantStore,
+  bindingStore,
+  loadAccessTokenLease,
+  refreshAccessTokenLease,
+  now = () => Date.now(),
+  onReportFailure
+}) => ({
+  listBindings: async ({ ownerRef, connectorProvider, status }) => sortNewestFirst(await bindingStore.listBindingsByOwner(ownerRef)).filter((binding) => (connectorProvider === undefined || binding.connectorProvider === connectorProvider) && (status === undefined || binding.status === status)),
+  resolveCredential: async (input) => {
+    const bindings = sortNewestFirst(await bindingStore.listBindingsByOwner(input.ownerRef)).filter((binding) => binding.connectorProvider === input.connectorProvider && isBindingUsable(binding) && (input.bindingId === undefined || binding.id === input.bindingId) && (input.externalAccountId === undefined || binding.externalAccountId === input.externalAccountId));
+    for (const binding of bindings) {
+      const grant = await grantStore.getGrant(binding.grantId);
+      if (!grant || grant.ownerRef !== input.ownerRef || !isGrantUsable(grant)) {
+        continue;
+      }
+      const effectiveScopes = getEffectiveScopes(grant, binding);
+      if (!hasRequiredScopes(effectiveScopes, input.requiredScopes)) {
+        continue;
+      }
+      return buildResolvedCredential(grant, binding);
+    }
+    return null;
+  },
+  getAccessToken: async (credential, input) => {
+    const binding = await bindingStore.getBinding(credential.bindingId);
+    if (!binding || !isBindingUsable(binding)) {
+      throw new Error("Linked provider binding is unavailable");
+    }
+    const grant = await grantStore.getGrant(credential.grantId);
+    if (!grant || !isGrantUsable(grant)) {
+      throw new Error("Linked provider grant is unavailable");
+    }
+    const requiredScopes = input?.requiredScopes;
+    const effectiveScopes = getEffectiveScopes(grant, binding);
+    if (!hasRequiredScopes(effectiveScopes, requiredScopes)) {
+      throw new Error("Linked provider credential is missing required scopes");
+    }
+    const currentTime = now();
+    let lease = await loadAccessTokenLease(grant);
+    if (needsRefresh(lease, currentTime, input?.minValidityMs)) {
+      if (!refreshAccessTokenLease) {
+        throw new Error("Linked provider access token lease requires refresh");
+      }
+      const refreshed = await refreshAccessTokenLease(grant, input);
+      if (!refreshed) {
+        throw new Error("Linked provider access token refresh failed");
+      }
+      await grantStore.saveGrant(refreshed.grant);
+      lease = refreshed.lease;
     }
-    const batchResults = await this.client.transaction(builtQueries, queryConfig);
-    return batchResults.map((result, i) => preparedQueries[i].mapResult(result, true));
-  }
-  async query(query, params) {
-    this.logger.logQuery(query, params);
-    const result = await this.clientQuery(query, params, { arrayMode: true, fullResults: true });
-    return result;
-  }
-  async queryObjects(query, params) {
-    return this.clientQuery(query, params, { arrayMode: false, fullResults: true });
-  }
-  async count(sql2, token) {
-    const res = await this.execute(sql2, token);
-    return Number(res["rows"][0]["count"]);
-  }
-  async transaction(_transaction, _config = {}) {
-    throw new Error("No transactions support in neon-http driver");
-  }
-}
-
-// node_modules/drizzle-orm/neon-http/driver.js
-class NeonHttpDriver {
-  constructor(client, dialect, options = {}) {
-    this.client = client;
-    this.dialect = dialect;
-    this.options = options;
-    this.initMappers();
-  }
-  static [entityKind] = "NeonHttpDriver";
-  createSession(schema) {
-    return new NeonHttpSession(this.client, this.dialect, schema, { logger: this.options.logger });
-  }
-  initMappers() {
-    export_types.setTypeParser(export_types.builtins.TIMESTAMPTZ, (val) => val);
-    export_types.setTypeParser(export_types.builtins.TIMESTAMP, (val) => val);
-    export_types.setTypeParser(export_types.builtins.DATE, (val) => val);
-    export_types.setTypeParser(export_types.builtins.INTERVAL, (val) => val);
-    export_types.setTypeParser(1231, (val) => val);
-    export_types.setTypeParser(1115, (val) => val);
-    export_types.setTypeParser(1185, (val) => val);
-    export_types.setTypeParser(1187, (val) => val);
-    export_types.setTypeParser(1182, (val) => val);
-  }
-}
-function wrap(target, token, cb, deep) {
-  return new Proxy(target, {
-    get(target2, p2) {
-      const element = target2[p2];
-      if (typeof element !== "function" && (typeof element !== "object" || element === null))
-        return element;
-      if (deep)
-        return wrap(element, token, cb);
-      if (p2 === "query")
-        return wrap(element, token, cb, true);
-      return new Proxy(element, {
-        apply(target3, thisArg, argArray) {
-          const res = target3.call(thisArg, ...argArray);
-          if (typeof res === "object" && res !== null && "setToken" in res && typeof res.setToken === "function") {
-            res.setToken(token);
-          }
-          return cb(target3, p2, res);
-        }
-      });
+    if (!lease) {
+      throw new Error("Linked provider access token lease is unavailable");
     }
-  });
-}
-
-class NeonHttpDatabase extends PgDatabase {
-  static [entityKind] = "NeonHttpDatabase";
-  $withAuth(token) {
-    this.authToken = token;
-    return wrap(this, token, (target, p2, res) => {
-      if (p2 === "with") {
-        return wrap(res, token, (_, __, res2) => res2);
+    ensureLeaseScopes(lease, requiredScopes);
+    ensureLeaseValidity(lease, currentTime, input?.minValidityMs);
+    return lease;
+  },
+  reportFailure: async (credential, report) => {
+    const currentTime = now();
+    const grant = await grantStore.getGrant(credential.grantId);
+    const binding = await bindingStore.getBinding(credential.bindingId);
+    if (grant) {
+      const nextGrant = {
+        ...grant,
+        updatedAt: currentTime,
+        lastRefreshError: report.message ?? report.code,
+        metadata: annotateFailureMetadata(grant.metadata, report, currentTime)
+      };
+      if (report.code === "unauthorized" || report.code === "revoked") {
+        nextGrant.status = "revoked";
       }
-      return res;
+      await grantStore.saveGrant(nextGrant);
+    }
+    if (binding) {
+      const nextBinding = {
+        ...binding,
+        updatedAt: currentTime,
+        metadata: annotateFailureMetadata(binding.metadata, report, currentTime)
+      };
+      if (report.code === "unauthorized" || report.code === "revoked") {
+        nextBinding.status = "disconnected";
+      } else if (report.code === "insufficient_scope") {
+        nextBinding.status = "restricted";
+      }
+      await bindingStore.saveBinding(nextBinding);
+    }
+    await onReportFailure?.({
+      credential,
+      report,
+      grant: grant ?? undefined,
+      binding: binding ?? undefined
     });
   }
-  async batch(batch) {
-    return this.session.batch(batch);
-  }
-}
-function construct(client, config = {}) {
-  const dialect = new PgDialect({ casing: config.casing });
-  let logger;
-  if (config.logger === true) {
-    logger = new DefaultLogger;
-  } else if (config.logger !== false) {
-    logger = config.logger;
-  }
-  let schema;
-  if (config.schema) {
-    const tablesConfig = extractTablesRelationalConfig(config.schema, createTableRelationsHelpers);
-    schema = {
-      fullSchema: config.schema,
-      schema: tablesConfig.tables,
-      tableNamesMap: tablesConfig.tableNamesMap
-    };
+});
+// src/oauthLinkedProviderResolver.ts
+var getGrantedScopes = (scopeValue, fallbackScopes) => {
+  if (typeof scopeValue === "string" && scopeValue.trim().length > 0) {
+    return [...new Set(scopeValue.split(/\s+/).filter(Boolean))];
   }
-  const driver = new NeonHttpDriver(client, dialect, { logger });
-  const session = driver.createSession(schema);
-  const db = new NeonHttpDatabase(dialect, session, schema);
-  db.$client = client;
-  return db;
-}
-function drizzle(...params) {
-  if (typeof params[0] === "string") {
-    const instance = as(params[0]);
-    return construct(instance, params[1]);
+  return [...new Set(fallbackScopes.filter(Boolean))];
+};
+var getExpiresAt = (tokenResponse) => {
+  const expiresIn = tokenResponse.expires_in;
+  const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : typeof expiresIn === "string" && expiresIn.trim().length > 0 ? Number(expiresIn) : Number.NaN;
+  if (!Number.isFinite(expiresInSeconds) || expiresInSeconds <= 0) {
+    return;
   }
-  if (isConfig(params[0])) {
-    const { connection, client, ...drizzleConfig } = params[0];
-    if (client)
-      return construct(client, drizzleConfig);
-    if (typeof connection === "object") {
-      const { connectionString, ...options } = connection;
-      const instance2 = as(connectionString, options);
-      return construct(instance2, drizzleConfig);
+  return Date.now() + expiresInSeconds * 1000;
+};
+var createOAuthLinkedProviderCredentialResolver = async ({
+  bindingStore,
+  grantStore,
+  now,
+  providersConfiguration
+}) => {
+  const clientEntries = [];
+  for (const [providerName, providerConfig] of Object.entries(providersConfiguration)) {
+    if (!isValidProviderOption(providerName)) {
+      continue;
     }
-    const instance = as(connection);
-    return construct(instance, drizzleConfig);
-  }
-  return construct(params[0], params[1]);
-}
-((drizzle2) => {
-  function mock(config) {
-    return construct({}, config);
+    const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
+      providerName,
+      providersConfiguration
+    });
+    if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
+      continue;
+    }
+    clientEntries.push(createOAuth2Client(providerName, resolvedProviderClientConfiguration.config.credentials).then((providerInstance) => [providerName, providerInstance]));
   }
-  drizzle2.mock = mock;
-})(drizzle || (drizzle = {}));
-
+  const clients = new Map(await Promise.all(clientEntries));
+  return createLinkedProviderCredentialResolver({
+    bindingStore,
+    grantStore,
+    now,
+    loadAccessTokenLease: async (grant) => grant.accessTokenCiphertext ? {
+      accessToken: grant.accessTokenCiphertext,
+      expiresAt: grant.expiresAt,
+      grantedScopes: grant.grantedScopes,
+      tokenType: grant.tokenType
+    } : null,
+    refreshAccessTokenLease: async (grant) => {
+      if (!isValidProviderOption(grant.authProviderKey) || !grant.refreshTokenCiphertext) {
+        return null;
+      }
+      const providerKey = grant.authProviderKey;
+      const providerClientName = typeof grant.metadata?.providerClient === "string" && grant.metadata.providerClient.trim().length > 0 ? grant.metadata.providerClient.trim() : undefined;
+      const resolvedProviderClientConfiguration = resolveProviderClientConfiguration({
+        clientName: providerClientName,
+        providerName: providerKey,
+        providersConfiguration
+      });
+      if ("error" in resolvedProviderClientConfiguration || !resolvedProviderClientConfiguration.config) {
+        return null;
+      }
+      const providerClient = await createOAuth2Client(providerKey, resolvedProviderClientConfiguration.config.credentials);
+      if (!providerClient || !isRefreshableOAuth2Client(providerKey, providerClient)) {
+        return null;
+      }
+      const tokenResponse = await providerClient.refreshAccessToken(grant.refreshTokenCiphertext);
+      const refreshedAt = Date.now();
+      const grantedScopes = getGrantedScopes(Reflect.get(tokenResponse, "scope"), grant.grantedScopes);
+      const tokenType = Reflect.get(tokenResponse, "token_type");
+      const refreshedGrant = {
+        ...grant,
+        accessTokenCiphertext: tokenResponse.access_token,
+        expiresAt: getExpiresAt(tokenResponse),
+        grantedScopes,
+        lastRefreshError: undefined,
+        lastRefreshedAt: refreshedAt,
+        refreshTokenCiphertext: tokenResponse.refresh_token ?? grant.refreshTokenCiphertext,
+        status: "active",
+        tokenType: typeof tokenType === "string" ? tokenType : grant.tokenType,
+        updatedAt: refreshedAt
+      };
+      return {
+        grant: refreshedGrant,
+        lease: {
+          accessToken: refreshedGrant.accessTokenCiphertext ?? "",
+          expiresAt: refreshedGrant.expiresAt,
+          grantedScopes: refreshedGrant.grantedScopes,
+          tokenType: refreshedGrant.tokenType
+        }
+      };
+    }
+  });
+};
 // src/neonLinkedProviders.ts
 var linkedProviderGrantsTable = pgTable("linked_provider_grants", {
   id: varchar("id", { length: 255 }).primaryKey(),
@@ -13753,6 +13869,7 @@ export {
   createOAuthLinkedProviderCredentialResolver,
   createNeonOAuthLinkedProviderCredentialResolver,
   createNeonLinkedProviderStores,
+  createNeonAuthSessionStore,
   createLinkedProviderCredentialResolver,
   createInMemoryLinkedProviderStores,
   createInMemoryAuthSessionStore,
@@ -13765,5 +13882,5 @@ export {
   AbsoluteAuthIdentityConflictError
 };
 
-//# debugId=A110EE8D76C9D5C964756E2164756E21
+//# debugId=7F98E858A24BE38A64756E2164756E21
 //# sourceMappingURL=index.js.map