@absolutejs/auth 0.22.6 → 0.23.0

package/dist/ui/index.js

@@ -0,0 +1,2212 @@
+// @bun
+// node_modules/citra/dist/index.js
+var NUM_GENERATOR_BYTES = 32;
+var BASE64_BLOCK_SIZE = 4;
+var anilistProfileQuery = `query {
+  Viewer {
+    id
+    name
+    about
+    avatar {
+      large
+      medium
+    }
+    bannerImage
+    siteUrl
+    createdAt
+    updatedAt
+    donatorTier
+    donatorBadge
+    unreadNotificationCount
+    options {
+      titleLanguage
+      displayAdultContent
+      airingNotifications
+      profileColor
+      activityMergeTime
+      staffNameLanguage
+    }
+    mediaListOptions {
+      scoreFormat
+      rowOrder
+      animeList {
+        sectionOrder
+        customLists
+        advancedScoringEnabled
+      }
+      mangaList {
+        sectionOrder
+        customLists
+        advancedScoringEnabled
+      }
+    }
+    statistics {
+      anime {
+        count
+        meanScore
+        minutesWatched
+        episodesWatched
+      }
+      manga {
+        count
+        meanScore
+        chaptersRead
+        volumesRead
+      }
+    }
+    favourites {
+      anime {
+        nodes {
+          id
+          title {
+            romaji
+            english
+          }
+          siteUrl
+        }
+      }
+      manga {
+        nodes {
+          id
+          title {
+            romaji
+            english
+          }
+          siteUrl
+        }
+      }
+      characters {
+        nodes {
+          id
+          name {
+            full
+          }
+          image {
+            large
+          }
+        }
+      }
+      staff {
+        nodes {
+          id
+          name {
+            full
+          }
+          image {
+            large
+          }
+        }
+      }
+      studios {
+        nodes {
+          id
+          name
+          siteUrl
+        }
+      }
+    }
+    isFollower
+    isFollowing
+  }
+}`;
+var defineProviders = (providers) => providers;
+var providers = defineProviders({
+  "42": {
+    authorizationUrl: "https://api.intra.42.fr/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.intra.42.fr/v2/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.intra.42.fr/oauth/token"
+    }
+  },
+  amazoncognito: {
+    authorizationUrl: "https://${domain}/oauth2/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://${config.domain}/oauth2/userInfo`
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `https://${config.domain}/oauth2/revoke`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.domain}/oauth2/token`
+    }
+  },
+  anilist: {
+    authorizationUrl: "https://anilist.co/api/v2/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      body: {
+        query: anilistProfileQuery
+      },
+      encoding: "application/json",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      method: "POST",
+      url: "https://graphql.anilist.co"
+    },
+    scopeRequired: false,
+    subject: ["data", "Viewer", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://anilist.co/api/v2/oauth/token"
+    }
+  },
+  apple: {
+    authorizationUrl: "https://appleid.apple.com/auth/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://appleid.apple.com/auth/userinfo"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://appleid.apple.com/auth/token"
+    }
+  },
+  atlassian: {
+    authorizationUrl: "https://auth.atlassian.com/authorize",
+    createAuthorizationURLSearchParams: {
+      audience: "api.atlassian.com"
+    },
+    email: ["email"],
+    fullName: ["name"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["picture"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.atlassian.com/me"
+    },
+    scopeRequired: true,
+    subject: ["account_id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://auth.atlassian.com/oauth/token"
+    }
+  },
+  auth0: {
+    authorizationUrl: (config) => `https://${config.domain}/authorize`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://${config.domain}/userinfo`
+    },
+    revocationRequest: {
+      authIn: "body",
+      body: new URLSearchParams({
+        token_type_hint: "refresh_token"
+      }),
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `https://${config.domain}/oauth/revoke`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.domain}/oauth/token`
+    }
+  },
+  authentik: {
+    authorizationUrl: (config) => `https://${config.baseURL}/oauth/authorize`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://${config.baseURL}/api/v3/user/`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.baseURL}/oauth/token`
+    }
+  },
+  autodesk: {
+    authorizationUrl: "https://developer.api.autodesk.com/authentication/v2/authorize",
+    email: ["email"],
+    familyName: ["family_name"],
+    fullName: ["name"],
+    givenName: ["given_name"],
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.userprofile.autodesk.com/userinfo"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://developer.api.autodesk.com/authentication/v2/token"
+    }
+  },
+  battlenet: {
+    authorizationUrl: "https://oauth.battle.net/authorize",
+    isOIDC: true,
+    isRefreshable: false,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://oauth.battle.net/userinfo"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth.battle.net/token"
+    }
+  },
+  bitbucket: {
+    authorizationUrl: "https://bitbucket.org/site/oauth2/authorize",
+    fullName: ["display_name"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["links", "avatar", "href"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.bitbucket.org/2.0/user"
+    },
+    scopeRequired: false,
+    subject: ["uuid"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://bitbucket.org/site/oauth2/access_token"
+    }
+  },
+  box: {
+    authorizationUrl: "https://account.box.com/api/oauth2/authorize",
+    email: ["login"],
+    fullName: ["name"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["avatar_url"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.box.com/2.0/users/me"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://api.box.com/oauth2/revoke"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.box.com/oauth2/token"
+    }
+  },
+  bungie: {
+    authorizationUrl: "https://www.bungie.net/en/OAuth/Authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      headers: {
+        "X-API-Key": "<YOUR_API_KEY>"
+      },
+      method: "GET",
+      url: "https://www.bungie.net/Platform/User/GetCurrentBungieNetUser"
+    },
+    scopeRequired: false,
+    subject: ["Response", "membershipId"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.bungie.net/Platform/App/OAuth/token"
+    }
+  },
+  coinbase: {
+    authorizationUrl: "https://www.coinbase.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.coinbase.com/v2/user"
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.coinbase.com/oauth/token"
+    }
+  },
+  discord: {
+    authorizationUrl: "https://discord.com/api/oauth2/authorize",
+    email: ["email"],
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["avatar"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://discord.com/api/users/@me"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://discord.com/api/oauth2/token"
+    }
+  },
+  donationalerts: {
+    authorizationUrl: "https://www.donationalerts.com/oauth/authorize",
+    email: ["data", "email"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["data", "avatar"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://www.donationalerts.com/api/v1/user/oauth"
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.donationalerts.com/oauth/token"
+    }
+  },
+  dribbble: {
+    authorizationUrl: "https://dribbble.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: false,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.dribbble.com/v2/user"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://dribbble.com/oauth/token"
+    }
+  },
+  dropbox: {
+    authorizationUrl: "https://www.dropbox.com/oauth2/authorize",
+    email: ["email"],
+    familyName: ["name", "surname"],
+    fullName: ["name", "display_name"],
+    givenName: ["name", "given_name"],
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "POST",
+      url: "https://api.dropboxapi.com/2/users/get_current_account"
+    },
+    revocationRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://api.dropboxapi.com/2/auth/token/revoke"
+    },
+    scopeRequired: false,
+    subject: ["account_id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.dropboxapi.com/oauth2/token"
+    }
+  },
+  epicgames: {
+    authorizationUrl: "https://www.epicgames.com/id/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.epicgames.dev/epic/oauth/v2/userInfo"
+    },
+    scopeRequired: false,
+    subject: ["account_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.epicgames.dev/epic/oauth/v1/token"
+    }
+  },
+  etsy: {
+    authorizationUrl: "https://www.etsy.com/oauth/connect",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://openapi.etsy.com/v3/application/users/me"
+    },
+    scopeRequired: false,
+    subject: ["results", "0", "user_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.etsy.com/v3/public/oauth/token"
+    }
+  },
+  facebook: {
+    authorizationUrl: "https://www.facebook.com/v16.0/dialog/oauth",
+    email: ["email"],
+    familyName: ["family_name"],
+    fullName: ["name"],
+    givenName: ["given_name"],
+    isOIDC: true,
+    isRefreshable: false,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      method: "GET",
+      searchParams: [["fields", "id,name,email,picture"]],
+      url: "https://graph.facebook.com/me"
+    },
+    scopeRequired: false,
+    subject: ["sub"],
+    subjectBySource: {
+      idToken: ["sub"],
+      profile: ["id"]
+    },
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://graph.facebook.com/v16.0/oauth/access_token"
+    }
+  },
+  figma: {
+    authorizationUrl: "https://www.figma.com/oauth",
+    email: ["email"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["img_url"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.figma.com/v1/me"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.figma.com/v1/oauth/token"
+    }
+  },
+  gitea: {
+    authorizationUrl: (config) => `${config.baseURL}/login/oauth/authorize`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `${config.baseURL}/api/v1/user`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `${config.baseURL}/login/oauth/access_token`
+    }
+  },
+  github: {
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    email: ["email"],
+    isOIDC: false,
+    isRefreshable: false,
+    picture: ["avatar_url"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.github.com/user"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://github.com/login/oauth/access_token"
+    }
+  },
+  gitlab: {
+    authorizationUrl: (config) => `${config.baseURL}/oauth/authorize`,
+    email: ["email"],
+    fullName: ["name"],
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://gitlab.com/api/v4/user"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `${config.baseURL}/oauth/revoke`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `${config.baseURL}/oauth/token`
+    }
+  },
+  google: {
+    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    email: ["email"],
+    familyName: ["family_name"],
+    fullName: ["name"],
+    givenName: ["given_name"],
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://openidconnect.googleapis.com/v1/userinfo"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://oauth2.googleapis.com/revoke"
+    },
+    scopeRequired: true,
+    subject: ["sub"],
+    subjectBySource: {
+      idToken: ["sub"],
+      profile: ["sub"]
+    },
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth2.googleapis.com/token"
+    }
+  },
+  intuit: {
+    authorizationUrl: "https://appcenter.intuit.com/connect/oauth2",
+    isOIDC: true,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => config.environment === "production" ? "https://accounts.platform.intuit.com/v1/openid_connect/userinfo" : "https://sandbox-accounts.platform.intuit.com/v1/openid_connect/userinfo"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      headers: (config) => ({
+        Authorization: `Basic ${encodeBase64(`${config.clientId}:${config.clientSecret}`)}`
+      }),
+      tokenParamName: "token",
+      url: "https://developer.api.intuit.com/v2/oauth2/tokens/revoke"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer"
+    }
+  },
+  kakao: {
+    authorizationUrl: "https://kauth.kakao.com/oauth/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://kapi.kakao.com/v2/user/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://kauth.kakao.com/oauth/token"
+    }
+  },
+  keycloak: {
+    authorizationUrl: (config) => `${config.realmURL}/protocol/openid-connect/auth`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.kick.com/v1/user"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `${config.realmURL}/protocol/openid-connect/revoke`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `${config.realmURL}/protocol/openid-connect/token`
+    }
+  },
+  kick: {
+    authorizationUrl: "https://id.kick.com/oauth/authorize",
+    email: ["data", "email"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["data", "profile_picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.kick.com/public/v1/users"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://id.kick.com/oauth/revoke"
+    },
+    scopeRequired: true,
+    subject: ["data", "user_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://id.kick.com/oauth/token"
+    }
+  },
+  lichess: {
+    authorizationUrl: "https://lichess.org/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: false,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://lichess.org/api/account"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://lichess.org/api/token"
+    }
+  },
+  line: {
+    authorizationUrl: "https://access.line.me/oauth2/v2.1/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.line.me/v2/profile"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.line.me/oauth2/v2.1/token"
+    }
+  },
+  linear: {
+    authorizationUrl: "https://linear.app/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: false,
+    profileRequest: {
+      authIn: "header",
+      body: {
+        query: `query { viewer { id name } }`
+      },
+      encoding: "application/json",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      method: "POST",
+      url: "https://api.linear.app/graphql"
+    },
+    revocationRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://api.linear.app/oauth/revoke"
+    },
+    scopeRequired: false,
+    subject: ["data", "viewer", "id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.linear.app/oauth/token"
+    }
+  },
+  linkedin: {
+    authorizationUrl: "https://www.linkedin.com/oauth/v2/authorization",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.linkedin.com/v2/me"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.linkedin.com/oauth/v2/accessToken"
+    }
+  },
+  mastodon: {
+    authorizationUrl: (config) => `${config.baseURL}/oauth/authorize`,
+    isOIDC: false,
+    isRefreshable: false,
+    picture: ["avatar"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `${config.baseURL}/api/v1/accounts/verify_credentials`
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `${config.baseURL}/oauth/revoke`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `${config.baseURL}/oauth/token`
+    }
+  },
+  mercadolibre: {
+    authorizationUrl: "https://auth.mercadolibre.com/authorization",
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.mercadolibre.com/users/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.mercadolibre.com/oauth/token"
+    }
+  },
+  mercadopago: {
+    authorizationUrl: "https://auth.mercadopago.com/authorization",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.mercadopago.com/v1/users/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.mercadopago.com/oauth/token"
+    }
+  },
+  microsoftentraid: {
+    authorizationUrl: (config) => `https://${config.tenantId}.b2clogin.com/${config.tenantId}/oauth2/v2.0/authorize`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://${config.tenantId}.b2clogin.com/${config.tenantId}/openid/userinfo`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.tenantId}.b2clogin.com/${config.tenantId}/oauth2/v2.0/token`
+    }
+  },
+  myanimelist: {
+    authorizationUrl: "https://myanimelist.net/v1/oauth2/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "plain",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.myanimelist.net/v2/users/@me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://myanimelist.net/v1/oauth2/token"
+    }
+  },
+  naver: {
+    authorizationUrl: "https://nid.naver.com/oauth2.0/authorize",
+    email: ["response", "email"],
+    fullName: ["response", "name"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["response", "profile_image"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://openapi.naver.com/v1/nid/me"
+    },
+    scopeRequired: false,
+    subject: ["response", "id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://nid.naver.com/oauth2.0/token"
+    }
+  },
+  notion: {
+    authorizationUrl: "https://api.notion.com/v1/oauth/authorize",
+    email: ["bot", "owner", "user", "person", "email"],
+    isOIDC: false,
+    isRefreshable: false,
+    picture: ["bot", "owner", "user", "avatar_url"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      headers: {
+        "Notion-Version": "2022-06-28"
+      },
+      method: "GET",
+      url: "https://api.notion.com/v1/users/me"
+    },
+    scopeRequired: false,
+    subject: ["bot", "owner", "user", "id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://api.notion.com/v1/oauth/token"
+    }
+  },
+  okta: {
+    authorizationUrl: (config) => `https://${config.domain}/oauth2/default/v1/authorize`,
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://${config.domain}/oauth2/default/v1/userinfo`
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: (config) => `https://${config.domain}/oauth2/default/v1/revoke`
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.domain}/oauth2/default/v1/token`
+    }
+  },
+  osu: {
+    authorizationUrl: "https://osu.ppy.sh/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["avatar_url"],
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://osu.ppy.sh/api/v2/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://osu.ppy.sh/oauth/token"
+    }
+  },
+  patreon: {
+    authorizationUrl: "https://www.patreon.com/oauth2/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://www.patreon.com/api/oauth2/v2/identity"
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.patreon.com/api/oauth2/token"
+    }
+  },
+  polar: {
+    authorizationUrl: "https://polar.sh/oauth2/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.polar.sh/v1/oauth2/userinfo"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://api.polar.sh/v1/oauth2/revoke"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.polar.sh/v1/oauth2/token"
+    }
+  },
+  polaraccesslink: {
+    authorizationUrl: "https://flow.polar.com/oauth2/authorization",
+    isOIDC: false,
+    isRefreshable: false,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://www.polaraccesslink.com/v3/users/me"
+    },
+    scopeRequired: false,
+    subject: ["x_user_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "header",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://polarremote.com/v2/oauth2/token"
+    }
+  },
+  polarteampro: {
+    authorizationUrl: "https://auth.polar.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://www.polaraccesslink.com/v3/users/<USER_ID>"
+    },
+    scopeRequired: false,
+    subject: ["x_user_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "header",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://auth.polar.com/oauth/token"
+    }
+  },
+  reddit: {
+    authorizationUrl: "https://www.reddit.com/api/v1/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://oauth.reddit.com/api/v1/me"
+    },
+    revocationRequest: {
+      authIn: "header",
+      body: new URLSearchParams({
+        token_type_hint: "refresh_token"
+      }),
+      encoding: "application/json",
+      url: "https://www.reddit.com/api/v1/revoke_token"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "header",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.reddit.com/api/v1/access_token"
+    }
+  },
+  roblox: {
+    authorizationUrl: "https://apis.roblox.com/oauth/v1/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    picture: ["picture"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://apis.roblox.com/oauth/v1/userinfo"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://apis.roblox.com/oauth/v1/token"
+    }
+  },
+  salesforce: {
+    authorizationUrl: "https://login.salesforce.com/services/oauth2/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://login.salesforce.com/services/oauth2/userinfo"
+    },
+    revocationRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://login.salesforce.com/services/oauth2/revoke"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://login.salesforce.com/services/oauth2/token"
+    }
+  },
+  shikimori: {
+    authorizationUrl: "https://shikimori.org/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://shikimori.one/api/users/whoami"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://shikimori.org/oauth/token"
+    }
+  },
+  slack: {
+    authorizationUrl: "https://slack.com/openid/connect/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://slack.com/api/users.identity"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://slack.com/api/auth.revoke"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://slack.com/api/openid.connect.token"
+    }
+  },
+  spotify: {
+    authorizationUrl: "https://accounts.spotify.com/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.spotify.com/v1/me"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://accounts.spotify.com/api/token"
+    }
+  },
+  startgg: {
+    authorizationUrl: "https://start.gg/oauth/authorize",
+    email: ["data", "currentUser", "email"],
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      body: {
+        query: `query { currentUser { id slug email player { gamerTag } } }`
+      },
+      encoding: "application/json",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      method: "POST",
+      url: "https://api.start.gg/gql/alpha"
+    },
+    scopeRequired: false,
+    subject: ["data", "currentUser", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.start.gg/oauth/access_token"
+    }
+  },
+  strava: {
+    authorizationUrl: "https://www.strava.com/oauth/authorize",
+    familyName: ["lastname"],
+    givenName: ["firstname"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["profile"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://www.strava.com/api/v3/athlete"
+    },
+    revocationRequest: {
+      authIn: "query",
+      body: new URLSearchParams({
+        token_type_hint: "access_token"
+      }),
+      encoding: "application/json",
+      tokenParamName: "access_token",
+      url: "https://www.strava.com/oauth/deauthorize"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://www.strava.com/oauth/token"
+    }
+  },
+  synology: {
+    authorizationUrl: (config) => `${config.baseURL}/webman/sso/SSOOauth.cgi?client_id=${config.clientId}&response_type=code&redirect_uri=${config.redirectUri}`,
+    isOIDC: false,
+    isRefreshable: false,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `${config.baseURL}/webman/sso/SSOUserInfo.cgi?client_id=${config.clientId}&access_token=${config.accessToken}`
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `${config.baseURL}/webman/sso/SSOAccessToken.cgi?client_id=${config.clientId}&client_secret=${config.clientSecret}`
+    }
+  },
+  tiktok: {
+    authorizationUrl: "https://www.tiktok.com/v2/auth/authorize",
+    createAuthorizationURLSearchParams: (config) => ({
+      client_key: config.clientId
+    }),
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://open.douyin.com/oauth/userinfo"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "token",
+      url: "https://open.tiktokapis.com/v2/oauth/revoke/"
+    },
+    scopeRequired: false,
+    subject: ["data", "open_id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://open.tiktokapis.com/v2/oauth/token/"
+    }
+  },
+  tiltify: {
+    authorizationUrl: "https://v5api.tiltify.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://v5api.tiltify.com/api/public/current-user"
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://v5api.tiltify.com/oauth/token"
+    }
+  },
+  tumblr: {
+    authorizationUrl: "https://www.tumblr.com/oauth2/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.tumblr.com/v2/user/info"
+    },
+    scopeRequired: false,
+    subject: ["response", "user", "name"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.tumblr.com/v2/oauth2/token"
+    }
+  },
+  twitch: {
+    authorizationUrl: "https://id.twitch.tv/oauth2/authorize",
+    isOIDC: true,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      headers: (config) => ({
+        "Client-Id": config.clientId
+      }),
+      method: "GET",
+      url: "https://api.twitch.tv/helix/users"
+    },
+    revocationRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      headers: (config) => ({
+        "Client-Id": config.clientId
+      }),
+      tokenParamName: "token",
+      url: "https://id.twitch.tv/oauth2/revoke"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://id.twitch.tv/oauth2/token"
+    }
+  },
+  twitter: {
+    authorizationUrl: "https://twitter.com/i/oauth2/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.twitter.com/2/users/me"
+    },
+    revocationRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://api.twitter.com/2/oauth2/revoke"
+    },
+    scopeRequired: false,
+    subject: ["data", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.twitter.com/2/oauth2/token"
+    }
+  },
+  vk: {
+    authorizationUrl: "https://oauth.vk.com/authorize",
+    isOIDC: false,
+    isRefreshable: false,
+    profileRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.vk.com/method/users.get"
+    },
+    scopeRequired: false,
+    subject: ["response", "0", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth.vk.com/access_token"
+    }
+  },
+  withings: {
+    authorizationUrl: "https://account.withings.com/oauth2_user/authorize2",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      body: async (config) => {
+        const props = await getWithingsProps(config);
+        if (props === undefined)
+          throw new Error("Failed to get Withings search properties");
+        const { nonce, hashedSignature } = props;
+        return [
+          ["action", "getuser"],
+          ["nonce", nonce],
+          ["client_id", config.clientId],
+          ["signature", hashedSignature]
+        ];
+      },
+      encoding: "application/x-www-form-urlencoded",
+      method: "POST",
+      url: "https://wbsapi.withings.net/v2/oauth2"
+    },
+    refreshAccessTokenBody: {
+      action: "requesttoken"
+    },
+    revocationRequest: {
+      authIn: "header",
+      body: async (config) => {
+        const props = await getWithingsProps(config);
+        if (!props)
+          throw new Error("Failed to get Withings props");
+        const { nonce, hashedSignature } = props;
+        return [
+          ["action", "revoke"],
+          ["client_id", config.clientId],
+          ["nonce", nonce],
+          ["signature", hashedSignature]
+        ];
+      },
+      encoding: "application/x-www-form-urlencoded",
+      method: "POST",
+      url: "https://wbsapi.withings.net/v2/oauth2"
+    },
+    scopeRequired: true,
+    subject: ["userid"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://wbsapi.withings.net/v2/oauth2"
+    },
+    validateAuthorizationCodeBody: {
+      action: "requesttoken"
+    }
+  },
+  workos: {
+    authorizationUrl: (config) => `https://${config.domain}/oauth2/authorize`,
+    createAuthorizationURLSearchParams: () => {
+      const nonce = crypto.randomUUID();
+      return {
+        nonce
+      };
+    },
+    email: ["email"],
+    familyName: ["family_name"],
+    fullName: ["name"],
+    givenName: ["given_name"],
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "POST",
+      url: (config) => `https://${config.domain}/oauth2/userinfo`
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://${config.domain}/oauth2/token`
+    }
+  },
+  yahoo: {
+    authorizationUrl: "https://api.login.yahoo.com/oauth2/request_auth",
+    isOIDC: true,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.login.yahoo.com/openid/v1/userinfo"
+    },
+    revocationRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      url: "https://api.login.yahoo.com/oauth2/revoke"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.login.yahoo.com/oauth2/get_token"
+    }
+  },
+  yandex: {
+    authorizationUrl: "https://oauth.yandex.com/authorize",
+    createAuthorizationURLSearchParams: {
+      device_id: crypto.randomUUID(),
+      device_name: `${navigator.platform ?? "Unknown"} \u2014 ${(navigator.userAgent.split(")")[0] || "").split("(").pop() || "Unknown"}`
+    },
+    email: ["default_email"],
+    familyName: ["last_name"],
+    fullName: ["real_name"],
+    givenName: ["first_name"],
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://login.yandex.ru/info"
+    },
+    revocationRequest: {
+      authIn: "body",
+      encoding: "application/json",
+      tokenParamName: "access_token",
+      url: "https://oauth.yandex.com/revoke_token"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth.yandex.com/token"
+    }
+  },
+  zoom: {
+    authorizationUrl: "https://zoom.us/oauth/authorize",
+    email: ["email"],
+    familyName: ["last_name"],
+    givenName: ["first_name"],
+    isOIDC: false,
+    isRefreshable: true,
+    picture: ["pic_url"],
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.zoom.us/v2/users/me"
+    },
+    revocationRequest: {
+      authIn: "query",
+      encoding: "application/json",
+      headers: (config) => ({
+        Authorization: `Basic ${btoa(`${config.clientId}:${config.clientSecret}`)}`
+      }),
+      tokenParamName: "token",
+      url: "https://zoom.us/oauth/revoke"
+    },
+    scopeRequired: false,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://zoom.us/oauth/token"
+    }
+  }
+});
+var isValidProviderOption = (option) => Object.hasOwn(providers, option);
+var isRefreshableProviderOption = (option) => {
+  if (!isValidProviderOption(option))
+    return false;
+  const provider = providers[option];
+  return provider.isRefreshable;
+};
+var isRevocableProviderOption = (option) => {
+  if (!isValidProviderOption(option))
+    return false;
+  const provider = providers[option];
+  return provider.revocationRequest !== undefined;
+};
+var isPKCEProviderOption = (option) => {
+  if (!isValidProviderOption(option))
+    return false;
+  const provider = providers[option];
+  return provider.PKCEMethod !== undefined;
+};
+var isOIDCProviderOption = (option) => {
+  if (!isValidProviderOption(option))
+    return false;
+  const provider = providers[option];
+  return provider.isOIDC;
+};
+var isScopeRequiredProviderOption = (option) => {
+  if (!isValidProviderOption(option))
+    return false;
+  const provider = providers[option];
+  return provider.scopeRequired;
+};
+var isRefreshableOAuth2Client = (providerName, client) => isRefreshableProviderOption(providerName);
+var isRevocableOAuth2Client = (providerName, client) => isRevocableProviderOption(providerName);
+var hasClientSecret = (credentials) => {
+  if (typeof credentials !== "object" || credentials === null)
+    return false;
+  const secret = Reflect.get(credentials, "clientSecret");
+  return typeof secret === "string";
+};
+var isObject = (x) => x !== null && typeof x === "object" && !Array.isArray(x) && Object.prototype.toString.call(x) === "[object Object]";
+var isExpectedType = (value, kind) => {
+  switch (kind) {
+    case "string":
+      return typeof value === "string";
+    case "number":
+      return typeof value === "number";
+    case "boolean":
+      return typeof value === "boolean";
+    case "object":
+      return typeof value === "object" && value !== null;
+  }
+};
+var createOAuth2FetchError = async (response) => {
+  const clone = response.clone();
+  const prefix = `HTTP ${response.status} ${response.statusText} for ${response.url}`;
+  const payload = await response.json().catch(() => null);
+  if (payload && typeof payload === "object" && Object.keys(payload).length) {
+    return new Error(`${prefix}
+${JSON.stringify(payload)}`);
+  }
+  const text = await clone.text().catch(() => "");
+  if (text) {
+    return new Error(`${prefix}
+${text}`);
+  }
+  return new Error(prefix);
+};
+var encodeBase64 = (input) => {
+  let raw;
+  if (typeof input === "string") {
+    raw = input;
+  } else {
+    const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
+    raw = bytes.reduce((acc, byte) => acc + String.fromCharCode(byte), "");
+  }
+  return btoa(raw);
+};
+var decodeBase64 = (input, toUint8Array = false) => {
+  const b64 = input.replace(/-/g, "+").replace(/_/g, "/") + "==".slice(0, (BASE64_BLOCK_SIZE - input.length % BASE64_BLOCK_SIZE) % BASE64_BLOCK_SIZE);
+  const raw = atob(b64);
+  if (!toUint8Array) {
+    return raw;
+  }
+  const bytes = new Uint8Array(raw.length);
+  for (let i = 0;i < raw.length; i++) {
+    bytes[i] = raw.charCodeAt(i);
+  }
+  return bytes;
+};
+var hmacSha256 = async (message, secret) => {
+  const encoder = new TextEncoder;
+  const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { hash: "SHA-256", name: "HMAC" }, false, ["sign"]);
+  const sigBuffer = await crypto.subtle.sign("HMAC", key, encoder.encode(message));
+  return Array.from(new Uint8Array(sigBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+};
+var decodeJWT = (tokenString) => {
+  const [headerSegment, payloadSegment, signatureSegment] = tokenString.split(".");
+  if (!headerSegment || !payloadSegment || !signatureSegment) {
+    throw new Error("Invalid JWT format");
+  }
+  const decodedPayload = decodeBase64(payloadSegment);
+  if (typeof decodedPayload !== "string") {
+    throw new Error("Expected JWT payload to be a UTF-8 string");
+  }
+  return JSON.parse(decodedPayload);
+};
+var getWithingsProps = async (config) => {
+  const timestamp = Math.floor(Date.now() / 1000);
+  const signature = `getnonce,${config.clientId},${timestamp}`;
+  const hashedSignature = await hmacSha256(signature, config.clientSecret);
+  const nonceUrl = new URL("https://wbsapi.withings.net/v2/signature");
+  nonceUrl.searchParams.set("action", "getnonce");
+  nonceUrl.searchParams.set("client_id", config.clientId);
+  nonceUrl.searchParams.set("timestamp", timestamp.toString());
+  nonceUrl.searchParams.set("signature", hashedSignature);
+  const nonceResponse = await fetch(nonceUrl.toString(), {
+    method: "POST"
+  });
+  const nonceData = await nonceResponse.json();
+  if (nonceData.status === 0) {
+    return {
+      hashedSignature,
+      nonce: nonceData.body.nonce
+    };
+  }
+  return;
+};
+var createOAuth2Request = ({
+  url,
+  body,
+  authIn,
+  headers,
+  encoding,
+  clientId,
+  clientSecret
+}) => {
+  const oauthHeaders = new Headers(headers);
+  oauthHeaders.set("Accept", "application/json");
+  oauthHeaders.set("User-Agent", "citra");
+  if (authIn === "header") {
+    if (!clientSecret) {
+      throw new Error("clientSecret required for header auth");
+    }
+    oauthHeaders.set("Authorization", `Basic ${encodeBase64(`${clientId}:${clientSecret}`)}`);
+  }
+  if (encoding === "application/json") {
+    oauthHeaders.set("Content-Type", "application/json");
+    return new Request(url, {
+      body: JSON.stringify(body),
+      headers: oauthHeaders,
+      method: "POST"
+    });
+  }
+  oauthHeaders.set("Content-Type", "application/x-www-form-urlencoded");
+  const entries = body instanceof URLSearchParams ? Array.from(body.entries()) : Object.entries(body).filter((entry) => typeof entry[1] === "string");
+  const params = new URLSearchParams(entries);
+  if (authIn === "body") {
+    params.set("client_id", clientId);
+    clientSecret && params.set("client_secret", clientSecret);
+  }
+  return new Request(url, {
+    body: params.toString(),
+    headers: oauthHeaders,
+    method: "POST"
+  });
+};
+var extractPropFromIdentity = (identity, keys, propType) => {
+  let value = identity;
+  for (const key of keys) {
+    if (Array.isArray(value))
+      value = value[Number(key)];
+    if (!isObject(value)) {
+      throw new Error(`Invalid identity data shape: expected object, got ${typeof value}`);
+    }
+    value = value[key];
+  }
+  if (propType !== undefined && !isExpectedType(value, propType)) {
+    throw new Error(`Invalid identity data shape: expected ${propType}, got ${typeof value}`);
+  }
+  return value;
+};
+var getProviderSubjectKeys = (providerConfiguration, source) => providerConfiguration.subjectBySource?.[source] ?? providerConfiguration.subject;
+var setPropInIdentity = (identity, keys, value) => {
+  if (keys.length === 0) {
+    return identity;
+  }
+  let cursor = identity;
+  for (const key of keys.slice(0, -1)) {
+    const next = cursor[key];
+    if (!isObject(next)) {
+      cursor[key] = {};
+    }
+    cursor = cursor[key];
+  }
+  cursor[keys[keys.length - 1]] = value;
+  return identity;
+};
+var normalizeProviderIdentity = ({
+  identity,
+  providerConfiguration,
+  source
+}) => {
+  const sourceKeys = getProviderSubjectKeys(providerConfiguration, source);
+  const canonicalKeys = providerConfiguration.subject;
+  if (sourceKeys.join(".") === canonicalKeys.join(".")) {
+    return identity;
+  }
+  const subject = extractPropFromIdentity(identity, sourceKeys, providerConfiguration.subjectType);
+  const normalizedIdentity = structuredClone(identity);
+  return setPropInIdentity(normalizedIdentity, canonicalKeys, subject);
+};
+var createS256CodeChallenge = async (codeVerifier) => {
+  const data = new TextEncoder().encode(codeVerifier);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return base64Url(hashBuffer);
+};
+var createRandomBase64UrlGenerator = (length) => () => {
+  const buffer = crypto.getRandomValues(new Uint8Array(length));
+  return base64Url(buffer);
+};
+var generateCodeVerifier = createRandomBase64UrlGenerator(NUM_GENERATOR_BYTES);
+var generateState = createRandomBase64UrlGenerator(NUM_GENERATOR_BYTES);
+var base64Url = (input) => encodeBase64(input).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+var providerOptions = Object.keys(providers).filter(isValidProviderOption);
+var refreshableProviderOptions = Object.keys(providers).filter(isRefreshableProviderOption);
+var oidcProviderOptions = Object.keys(providers).filter(isOIDCProviderOption);
+var revocableProviderOptions = Object.keys(providers).filter(isRevocableProviderOption);
+var scopeRequiredProviderOptions = Object.keys(providers).filter(isScopeRequiredProviderOption);
+var pkceProviderOptions = Object.keys(providers).filter(isPKCEProviderOption);
+var createOAuth2Client = async (providerName, config) => {
+  const meta = providers[providerName];
+  const isConfigPropertyFunction = (cfgProp) => typeof cfgProp === "function";
+  const resolveConfigProp = async (cfgProp) => {
+    const result = isConfigPropertyFunction(cfgProp) ? cfgProp(config) : cfgProp;
+    return await result;
+  };
+  const authorizationUrl = await resolveConfigProp(meta.authorizationUrl);
+  const tokenUrl = await resolveConfigProp(meta.tokenRequest.url);
+  return {
+    async createAuthorizationUrl(opts) {
+      const { state, scope = [], searchParams = [], codeVerifier } = opts;
+      const url = new URL(authorizationUrl);
+      url.searchParams.set("response_type", "code");
+      url.searchParams.set("client_id", config.clientId);
+      if (config.redirectUri)
+        url.searchParams.set("redirect_uri", config.redirectUri);
+      if (state)
+        url.searchParams.set("state", state);
+      if (scope.length !== 0) {
+        const delimeter = providerName === "withings" ? "," : " ";
+        url.searchParams.set("scope", scope.join(delimeter));
+      }
+      if (meta.PKCEMethod !== undefined) {
+        if (!codeVerifier) {
+          throw new Error("`codeVerifier` is required when PKCE is enabled");
+        }
+        const codeChallenge = meta.PKCEMethod === "S256" ? await createS256CodeChallenge(codeVerifier) : codeVerifier;
+        url.searchParams.set("code_challenge_method", meta.PKCEMethod);
+        url.searchParams.set("code_challenge", codeChallenge);
+      }
+      Object.entries(resolveConfigProp(meta.createAuthorizationURLSearchParams) ?? {}).forEach(([key, value]) => url.searchParams.set(key, value));
+      searchParams.forEach(([key, value]) => url.searchParams.set(key, value));
+      return url;
+    },
+    async fetchUserProfile(accessToken) {
+      const { profileRequest } = meta;
+      const {
+        url,
+        method,
+        authIn,
+        searchParams,
+        body: profileBody,
+        headers,
+        encoding
+      } = profileRequest;
+      const endpoint = new URL(await resolveConfigProp(url));
+      const resolvedBody = await resolveConfigProp(profileBody);
+      new URLSearchParams(await resolveConfigProp(searchParams)).forEach((value, key) => endpoint.searchParams.append(key, value));
+      let headerEntries = [];
+      const rawHeaders = headers ? await resolveConfigProp(headers) : undefined;
+      if (rawHeaders instanceof Headers)
+        headerEntries = Array.from(rawHeaders.entries());
+      else if (Array.isArray(rawHeaders))
+        headerEntries = rawHeaders;
+      else if (rawHeaders && typeof rawHeaders === "object")
+        headerEntries = Object.entries(rawHeaders);
+      const profileHeaders = Object.fromEntries(headerEntries.filter(([, v]) => v !== ""));
+      if (authIn === "header") {
+        profileHeaders.Authorization = `Bearer ${accessToken}`;
+      } else {
+        endpoint.searchParams.append("access_token", accessToken);
+      }
+      const init = { headers: profileHeaders, method };
+      if (method === "POST" && resolvedBody != null) {
+        profileHeaders["Content-Type"] = encoding;
+        init.body = encoding === "application/json" ? JSON.stringify(resolvedBody) : new URLSearchParams(resolvedBody).toString();
+      }
+      const response = await fetch(endpoint.toString(), init);
+      if (!response.ok)
+        throw await createOAuth2FetchError(response);
+      return response.json();
+    },
+    async refreshAccessToken(refreshToken) {
+      const { authIn, encoding } = meta.tokenRequest;
+      const params = new URLSearchParams(meta.refreshAccessTokenBody);
+      params.set("grant_type", "refresh_token");
+      params.set("refresh_token", refreshToken);
+      const { clientId } = config;
+      let clientSecretValue;
+      if (hasClientSecret(config)) {
+        clientSecretValue = config.clientSecret;
+        params.set("client_id", clientId);
+        params.set("client_secret", clientSecretValue);
+      }
+      const request = createOAuth2Request({
+        authIn,
+        body: params,
+        clientId,
+        clientSecret: clientSecretValue,
+        encoding,
+        url: tokenUrl
+      });
+      const response = await fetch(request);
+      if (!response.ok)
+        throw await createOAuth2FetchError(response);
+      return response.json();
+    },
+    async revokeToken(token) {
+      const { revocationRequest } = meta;
+      if (!revocationRequest) {
+        throw new Error("Token revocation not defined for this provider");
+      }
+      const { url, authIn, body, headers, tokenParamName } = revocationRequest;
+      const endpoint = await resolveConfigProp(url);
+      const resolvedBody = await resolveConfigProp(body);
+      const revocationBody = new URLSearchParams(resolvedBody);
+      const revocationHeaders = new Headers(headers && await resolveConfigProp(headers));
+      const { clientId } = config;
+      const clientSecret = hasClientSecret(config) ? config.clientSecret : undefined;
+      let request;
+      if (authIn === "body") {
+        revocationBody.set(tokenParamName, token);
+        revocationBody.set("client_id", clientId);
+        if (clientSecret)
+          revocationBody.set("client_secret", clientSecret);
+        request = createOAuth2Request({
+          authIn: "body",
+          body: revocationBody,
+          clientId,
+          clientSecret,
+          encoding: "application/x-www-form-urlencoded",
+          headers: revocationHeaders,
+          url: endpoint.toString()
+        });
+      } else if (authIn === "header") {
+        revocationHeaders.set("Authorization", `Bearer ${token}`);
+        request = createOAuth2Request({
+          authIn: "header",
+          body: revocationBody,
+          clientId,
+          clientSecret,
+          encoding: "application/x-www-form-urlencoded",
+          headers: revocationHeaders,
+          url: endpoint.toString()
+        });
+      } else {
+        request = createOAuth2Request({
+          authIn: "query",
+          body: revocationBody,
+          clientId,
+          clientSecret,
+          encoding: "application/x-www-form-urlencoded",
+          headers: revocationHeaders,
+          url: `${endpoint.toString()}?${tokenParamName}=${token}`
+        });
+      }
+      const response = await fetch(request);
+      if (!response.ok)
+        throw await createOAuth2FetchError(response);
+    },
+    async validateAuthorizationCode(opts) {
+      const { code, codeVerifier } = opts;
+      const { authIn, encoding } = meta.tokenRequest;
+      const bodyObj = {};
+      for (const key in meta.validateAuthorizationCodeBody ?? {}) {
+        const value = meta.validateAuthorizationCodeBody[key];
+        if (typeof value === "string")
+          bodyObj[key] = value;
+      }
+      bodyObj.grant_type = "authorization_code";
+      bodyObj.code = code;
+      if (config.redirectUri)
+        bodyObj.redirect_uri = config.redirectUri;
+      if (meta.PKCEMethod !== undefined) {
+        if (!codeVerifier) {
+          throw new Error("codeVerifier required when PKCE is enabled");
+        }
+        bodyObj.code_verifier = codeVerifier;
+      }
+      const payload = encoding === "application/json" ? bodyObj : new URLSearchParams(bodyObj);
+      const request = createOAuth2Request({
+        authIn,
+        body: payload,
+        clientId: config.clientId,
+        clientSecret: hasClientSecret(config) ? config.clientSecret : undefined,
+        encoding,
+        url: tokenUrl
+      });
+      const response = await fetch(request);
+      if (!response.ok)
+        throw await createOAuth2FetchError(response);
+      return response.json();
+    }
+  };
+};
+
+// src/ui/renderers.ts
+var escapeHtml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;");
+var defaultAuthorizationHref = (provider, client) => client ? `/oauth2/${provider}/authorization?client=${client}` : `/oauth2/${provider}/authorization`;
+var resolveAuthHtmxRenderers = (config) => {
+  const { connectorTargets, featuredLoginProviders, providerData } = config;
+  const authorizationHref = config.authorizationHref ?? defaultAuthorizationHref;
+  const overrides = config.render ?? {};
+  const providerLabel = (key) => isValidProviderOption(key) ? providerData[key]?.name ?? key : key;
+  const providerLogo = (key) => isValidProviderOption(key) ? providerData[key]?.logoUrl ?? "" : "";
+  const account = (user) => {
+    const fullName = [user.first_name, user.last_name].filter((part) => typeof part === "string" && part.length > 0).join(" ");
+    return `<div class="grid-2">
+    <div class="card"><h2 class="card__title">Canonical account</h2><p class="muted">Absolute Auth keeps one canonical user and links every OAuth identity to it. Conflicting identities raise a merge request.</p></div>
+    <div class="card text-left"><h2 class="card__title">Profile fields</h2>
+      <div class="spread"><span class="muted">Subject</span><span>${escapeHtml(user.sub)}</span></div>
+      <div class="spread"><span class="muted">Name</span><span>${escapeHtml(fullName || "\u2014")}</span></div>
+      <div class="spread"><span class="muted">Email</span><span>${escapeHtml(user.email ?? "\u2014")}</span></div>
+      <div class="spread"><span class="muted">Primary identity</span><span>${escapeHtml(user.primary_auth_identity_id ?? "\u2014")}</span></div>
+    </div>
+  </div>`;
+  };
+  const authMenu = (user) => {
+    if (!user) {
+      return `<a class="btn btn--primary btn--sm" href="/htmx">Sign in</a>`;
+    }
+    const label = user.email ?? user.first_name ?? "Account";
+    return `<span class="muted">${escapeHtml(label)}</span><a class="btn btn--ghost btn--sm" href="/htmx/signout">Sign out</a>`;
+  };
+  const connectorLinks = () => connectorTargets.map((target) => `<div class="card text-left"><h2 class="card__title row"><img class="entity__logo" alt="" src="${providerLogo(target.provider)}" />${escapeHtml(target.label)}</h2><p class="muted">${escapeHtml(target.description)}</p><a class="btn btn--primary" href="${authorizationHref(target.provider, "connector")}">Link ${escapeHtml(target.label)}</a></div>`).join("");
+  const connectors = (payload) => {
+    const scopeList = (scopes) => scopes.map((scope) => `<span class="scope">${escapeHtml(scope)}</span>`).join("");
+    const bindings = payload.bindings.length === 0 ? `<div class="empty-state">No external accounts linked.</div>` : `<div class="entity-list">${payload.bindings.map((binding) => `<div class="entity"><div class="entity__meta"><span class="entity__title">${escapeHtml(binding.label ?? binding.externalAccountId)}<span class="pill">${escapeHtml(binding.connectorProvider)}</span></span><span class="entity__sub">${escapeHtml(binding.externalAccountType)} \xB7 ${escapeHtml(binding.status)}</span><div class="scope-list">${scopeList(binding.availableScopes)}</div></div><div class="entity__actions"><form hx-delete="/htmx/connectors/bindings/${binding.id}" hx-target="#connector-list" hx-swap="innerHTML"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form></div></div>`).join("")}</div>`;
+    const grants = payload.grants.length === 0 ? `<div class="empty-state">No connector grants yet.</div>` : `<div class="entity-list">${payload.grants.map((grant) => `<div class="entity"><div class="entity__meta"><span class="entity__title">${escapeHtml(grant.authProviderKey)}<span class="pill pill--indigo">${escapeHtml(grant.status)}</span></span><span class="entity__sub">Subject ${escapeHtml(grant.providerSubject)}</span><div class="scope-list">${scopeList(grant.grantedScopes)}</div></div><div class="entity__actions"><form hx-delete="/htmx/connectors/grants/${grant.id}" hx-target="#connector-list" hx-swap="innerHTML"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form></div></div>`).join("")}</div>`;
+    return `<h3 class="provider-heading">External accounts</h3>${bindings}<h3 class="provider-heading">Grants</h3>${grants}`;
+  };
+  const identities = (payload, query) => {
+    const pending = payload.mergeRequests.filter((req) => req.status === "pending");
+    const mergesHtml = pending.length === 0 ? "" : `<div class="stack"><h3 class="provider-heading">Merge requests</h3><div class="entity-list">${pending.map((req) => `<div class="entity card--danger"><div class="entity__meta"><span class="entity__title">${escapeHtml(providerLabel(req.conflicting_auth_provider))} conflict</span><span class="entity__sub">Subject ${escapeHtml(req.conflicting_provider_subject)}</span></div><div class="entity__actions">
+                <form hx-post="/htmx/merge/${req.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--primary btn--sm" type="submit">Merge</button></form>
+                <form hx-delete="/htmx/merge/${req.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--ghost btn--sm" type="submit">Dismiss</button></form>
+              </div></div>`).join("")}</div></div>`;
+    const term = query.trim().toLowerCase();
+    const groups = Object.entries(payload.identities).map(([provider, list]) => ({
+      identities: list.filter((identity) => term === "" || providerLabel(provider).toLowerCase().includes(term) || identity.id.toLowerCase().includes(term) || identity.provider_subject.toLowerCase().includes(term)),
+      provider
+    })).filter((group) => group.identities.length > 0);
+    const groupsHtml = groups.length === 0 ? `<div class="empty-state">No identities match your search.</div>` : groups.map((group) => `<div class="provider-group"><h3 class="provider-heading">${providerLogo(group.provider) ? `<img class="entity__logo" alt="" src="${providerLogo(group.provider)}" />` : ""}${escapeHtml(providerLabel(group.provider))}</h3><div class="entity-list">${group.identities.map((identity) => `<div class="entity"><div class="entity__main"><div class="entity__meta"><span class="entity__title">${escapeHtml(identity.provider_subject)}${identity.isPrimary ? `<span class="pill pill--primary">Primary</span>` : ""}</span><span class="entity__sub">${escapeHtml(identity.id)}</span></div></div><div class="entity__actions">
+                      ${identity.isPrimary ? "" : `<form hx-post="/htmx/identities/${identity.id}/primary" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--neutral btn--sm" type="submit">Set primary</button></form>`}
+                      <form hx-delete="/htmx/identities/${identity.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form>
+                    </div></div>`).join("")}</div></div>`).join("");
+    return `${mergesHtml}${groupsHtml}`;
+  };
+  const protectedView = (user) => `<section class="auth-section stack"><div><h1 class="page-heading">Protected page</h1><p class="muted">Your authenticated session resolves to this user record.</p></div><pre class="json">${escapeHtml(JSON.stringify(user, null, 2))}</pre></section>`;
+  const providerLogin = (verb, includeDropdown) => {
+    const featured = featuredLoginProviders.map((provider) => `<a class="oauth-button" href="${authorizationHref(provider)}"><img class="oauth-button__icon" alt="" src="${providerLogo(provider)}" /><span class="oauth-button__text">${escapeHtml(verb)} ${escapeHtml(providerLabel(provider))}</span></a>`).join("");
+    if (!includeDropdown) {
+      return `<div class="oauth-grid">${featured}</div>`;
+    }
+    const options = providerOptions.map((provider) => `<option value="${provider}">${escapeHtml(providerLabel(provider))}</option>`).join("");
+    return `<div class="oauth-grid">${featured}
+    <div class="separator"><span class="separator__line"></span><span class="separator__text">or any provider</span><span class="separator__line"></span></div>
+    <form class="oauth-grid" action="/htmx/login-redirect" method="get">
+      <select class="provider-select" name="provider" required>
+        <option value="">Select a provider\u2026</option>${options}
+      </select>
+      <button class="btn btn--primary" type="submit">Continue</button>
+    </form>
+  </div>`;
+  };
+  return {
+    account: overrides.account ?? account,
+    authMenu: overrides.authMenu ?? authMenu,
+    connectorLinks: overrides.connectorLinks ?? connectorLinks,
+    connectors: overrides.connectors ?? connectors,
+    escapeHtml,
+    identities: overrides.identities ?? identities,
+    protected: overrides.protected ?? protectedView,
+    providerLogin: overrides.providerLogin ?? providerLogin
+  };
+};
+export {
+  resolveAuthHtmxRenderers,
+  escapeHtml
+};
+
+//# debugId=E4E67AE168C02C8A64756E2164756E21
+//# sourceMappingURL=index.js.map