@alepha/react 0.11.10 → 0.11.12

package/dist/auth/index.js

@@ -0,0 +1,3615 @@
+import { $atom, $context, $env, $hook, $inject, $module, $use, Alepha, AlephaError, Atom, Descriptor, KIND, createDescriptor, t } from "alepha";
+import { AlephaDateTime, DateTimeProvider } from "alepha/datetime";
+import { $route, AlephaServer, BadRequestError, HttpClient, ServerProvider, ServerRouterProvider, ServerTimingProvider, UnauthorizedError } from "alepha/server";
+import { AlephaServerCache } from "alepha/server/cache";
+import { AlephaServerLinks, LinkProvider, ServerLinksProvider, apiLinksResponseSchema } from "alepha/server/links";
+import { $logger } from "alepha/logger";
+import React, { StrictMode, createContext, createElement, memo, use, useContext, useEffect, useMemo, useRef, useState } from "react";
+import { Fragment, jsx, jsxs } from "react/jsx-runtime";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { ServerStaticProvider } from "alepha/server/static";
+import { renderToString } from "react-dom/server";
+import { RouterProvider } from "alepha/router";
+import { $cookie, AlephaServerCookies, ServerCookiesProvider } from "alepha/server/cookies";
+import { SecurityError, SecurityProvider, userAccountInfoSchema } from "alepha/security";
+
+//#region src/core/services/ReactPageService.ts
+var ReactPageService = class {
+	fetch(pathname, options = {}) {
+		throw new AlephaError("Fetch is not available for this environment.");
+	}
+	render(name, options = {}) {
+		throw new AlephaError("Render is not available for this environment.");
+	}
+};
+
+//#endregion
+//#region src/core/descriptors/$page.ts
+/**
+* Main descriptor for defining a React route in the application.
+*
+* The $page descriptor is the core building block for creating type-safe, SSR-enabled React routes.
+* It provides a declarative way to define pages with powerful features:
+*
+* **Routing & Navigation**
+* - URL pattern matching with parameters (e.g., `/users/:id`)
+* - Nested routing with parent-child relationships
+* - Type-safe URL parameter and query string validation
+*
+* **Data Loading**
+* - Server-side data fetching with the `resolve` function
+* - Automatic serialization and hydration for SSR
+* - Access to request context, URL params, and parent data
+*
+* **Component Loading**
+* - Direct component rendering or lazy loading for code splitting
+* - Client-only rendering when browser APIs are needed
+* - Automatic fallback handling during hydration
+*
+* **Performance Optimization**
+* - Static generation for pre-rendered pages at build time
+* - Server-side caching with configurable TTL and providers
+* - Code splitting through lazy component loading
+*
+* **Error Handling**
+* - Custom error handlers with support for redirects
+* - Hierarchical error handling (child → parent)
+* - HTTP status code handling (404, 401, etc.)
+*
+* **Page Animations**
+* - CSS-based enter/exit animations
+* - Dynamic animations based on page state
+* - Custom timing and easing functions
+*
+* **Lifecycle Management**
+* - Server response hooks for headers and status codes
+* - Page leave handlers for cleanup (browser only)
+* - Permission-based access control
+*
+* @example Simple page with data fetching
+* ```typescript
+* const userProfile = $page({
+*   path: "/users/:id",
+*   schema: {
+*     params: t.object({ id: t.int() }),
+*     query: t.object({ tab: t.optional(t.text()) })
+*   },
+*   resolve: async ({ params }) => {
+*     const user = await userApi.getUser(params.id);
+*     return { user };
+*   },
+*   lazy: () => import("./UserProfile.tsx")
+* });
+* ```
+*
+* @example Nested routing with error handling
+* ```typescript
+* const projectSection = $page({
+*   path: "/projects/:id",
+*   children: () => [projectBoard, projectSettings],
+*   resolve: async ({ params }) => {
+*     const project = await projectApi.get(params.id);
+*     return { project };
+*   },
+*   errorHandler: (error) => {
+*     if (HttpError.is(error, 404)) {
+*       return <ProjectNotFound />;
+*     }
+*   }
+* });
+* ```
+*
+* @example Static generation with caching
+* ```typescript
+* const blogPost = $page({
+*   path: "/blog/:slug",
+*   static: {
+*     entries: posts.map(p => ({ params: { slug: p.slug } }))
+*   },
+*   resolve: async ({ params }) => {
+*     const post = await loadPost(params.slug);
+*     return { post };
+*   }
+* });
+* ```
+*/
+const $page = (options) => {
+	return createDescriptor(PageDescriptor, options);
+};
+var PageDescriptor = class extends Descriptor {
+	reactPageService = $inject(ReactPageService);
+	onInit() {
+		if (this.options.static) this.options.cache ??= { store: {
+			provider: "memory",
+			ttl: [1, "week"]
+		} };
+	}
+	get name() {
+		return this.options.name ?? this.config.propertyKey;
+	}
+	/**
+	* For testing or build purposes.
+	*
+	* This will render the page (HTML layout included or not) and return the HTML + context.
+	* Only valid for server-side rendering, it will throw an error if called on the client-side.
+	*/
+	async render(options) {
+		return this.reactPageService.render(this.name, options);
+	}
+	async fetch(options) {
+		return this.reactPageService.fetch(this.options.path || "", options);
+	}
+	match(url) {
+		return false;
+	}
+	pathname(config) {
+		return this.options.path || "";
+	}
+};
+$page[KIND] = PageDescriptor;
+
+//#endregion
+//#region src/core/components/ClientOnly.tsx
+/**
+* A small utility component that renders its children only on the client side.
+*
+* Optionally, you can provide a fallback React node that will be rendered.
+*
+* You should use this component when
+* - you have code that relies on browser-specific APIs
+* - you want to avoid server-side rendering for a specific part of your application
+* - you want to prevent pre-rendering of a component
+*/
+const ClientOnly = (props$1) => {
+	const [mounted, setMounted] = useState(false);
+	useEffect(() => setMounted(true), []);
+	if (props$1.disabled) return props$1.children;
+	return mounted ? props$1.children : props$1.fallback;
+};
+var ClientOnly_default = ClientOnly;
+
+//#endregion
+//#region src/core/components/ErrorViewer.tsx
+const ErrorViewer = ({ error, alepha }) => {
+	const [expanded, setExpanded] = useState(false);
+	if (alepha.isProduction()) return /* @__PURE__ */ jsx(ErrorViewerProduction, {});
+	const stackLines = error.stack?.split("\n") ?? [];
+	const previewLines = stackLines.slice(0, 5);
+	const hiddenLineCount = stackLines.length - previewLines.length;
+	const copyToClipboard = (text) => {
+		navigator.clipboard.writeText(text).catch((err) => {
+			console.error("Clipboard error:", err);
+		});
+	};
+	const styles = {
+		container: {
+			padding: "24px",
+			backgroundColor: "#FEF2F2",
+			color: "#7F1D1D",
+			border: "1px solid #FECACA",
+			borderRadius: "16px",
+			boxShadow: "0 8px 24px rgba(0,0,0,0.05)",
+			fontFamily: "monospace",
+			maxWidth: "768px",
+			margin: "40px auto"
+		},
+		heading: {
+			fontSize: "20px",
+			fontWeight: "bold",
+			marginBottom: "10px"
+		},
+		name: {
+			fontSize: "16px",
+			fontWeight: 600
+		},
+		message: {
+			fontSize: "14px",
+			marginBottom: "16px"
+		},
+		sectionHeader: {
+			display: "flex",
+			justifyContent: "space-between",
+			alignItems: "center",
+			fontSize: "12px",
+			marginBottom: "4px",
+			color: "#991B1B"
+		},
+		copyButton: {
+			fontSize: "12px",
+			color: "#DC2626",
+			background: "none",
+			border: "none",
+			cursor: "pointer",
+			textDecoration: "underline"
+		},
+		stackContainer: {
+			backgroundColor: "#FEE2E2",
+			padding: "12px",
+			borderRadius: "8px",
+			fontSize: "13px",
+			lineHeight: "1.4",
+			overflowX: "auto",
+			whiteSpace: "pre-wrap"
+		},
+		expandLine: {
+			color: "#F87171",
+			cursor: "pointer",
+			marginTop: "8px"
+		}
+	};
+	return /* @__PURE__ */ jsxs("div", {
+		style: styles.container,
+		children: [/* @__PURE__ */ jsxs("div", { children: [
+			/* @__PURE__ */ jsx("div", {
+				style: styles.heading,
+				children: "🔥 Error"
+			}),
+			/* @__PURE__ */ jsx("div", {
+				style: styles.name,
+				children: error.name
+			}),
+			/* @__PURE__ */ jsx("div", {
+				style: styles.message,
+				children: error.message
+			})
+		] }), stackLines.length > 0 && /* @__PURE__ */ jsxs("div", { children: [/* @__PURE__ */ jsxs("div", {
+			style: styles.sectionHeader,
+			children: [/* @__PURE__ */ jsx("span", { children: "Stack trace" }), /* @__PURE__ */ jsx("button", {
+				type: "button",
+				onClick: () => copyToClipboard(error.stack),
+				style: styles.copyButton,
+				children: "Copy all"
+			})]
+		}), /* @__PURE__ */ jsxs("pre", {
+			style: styles.stackContainer,
+			children: [(expanded ? stackLines : previewLines).map((line, i) => /* @__PURE__ */ jsx("div", { children: line }, i)), !expanded && hiddenLineCount > 0 && /* @__PURE__ */ jsxs("div", {
+				style: styles.expandLine,
+				onClick: () => setExpanded(true),
+				children: [
+					"+ ",
+					hiddenLineCount,
+					" more lines..."
+				]
+			})]
+		})] })]
+	});
+};
+var ErrorViewer_default = ErrorViewer;
+const ErrorViewerProduction = () => {
+	const styles = {
+		container: {
+			padding: "24px",
+			backgroundColor: "#FEF2F2",
+			color: "#7F1D1D",
+			border: "1px solid #FECACA",
+			borderRadius: "16px",
+			boxShadow: "0 8px 24px rgba(0,0,0,0.05)",
+			fontFamily: "monospace",
+			maxWidth: "768px",
+			margin: "40px auto",
+			textAlign: "center"
+		},
+		heading: {
+			fontSize: "20px",
+			fontWeight: "bold",
+			marginBottom: "8px"
+		},
+		name: {
+			fontSize: "16px",
+			fontWeight: 600,
+			marginBottom: "4px"
+		},
+		message: {
+			fontSize: "14px",
+			opacity: .85
+		}
+	};
+	return /* @__PURE__ */ jsxs("div", {
+		style: styles.container,
+		children: [/* @__PURE__ */ jsx("div", {
+			style: styles.heading,
+			children: "🚨 An error occurred"
+		}), /* @__PURE__ */ jsx("div", {
+			style: styles.message,
+			children: "Something went wrong. Please try again later."
+		})]
+	});
+};
+
+//#endregion
+//#region src/core/contexts/RouterLayerContext.ts
+const RouterLayerContext = createContext(void 0);
+
+//#endregion
+//#region src/core/errors/Redirection.ts
+/**
+* Used for Redirection during the page loading.
+*
+* Depends on the context, it can be thrown or just returned.
+*/
+var Redirection = class extends Error {
+	redirect;
+	constructor(redirect) {
+		super("Redirection");
+		this.redirect = redirect;
+	}
+};
+
+//#endregion
+//#region src/core/contexts/AlephaContext.ts
+const AlephaContext = createContext(void 0);
+
+//#endregion
+//#region src/core/hooks/useAlepha.ts
+/**
+* Main Alepha hook.
+*
+* It provides access to the Alepha instance within a React component.
+*
+* With Alepha, you can access the core functionalities of the framework:
+*
+* - alepha.state() for state management
+* - alepha.inject() for dependency injection
+* - alepha.events.emit() for event handling
+* etc...
+*/
+const useAlepha = () => {
+	const alepha = useContext(AlephaContext);
+	if (!alepha) throw new AlephaError("Hook 'useAlepha()' must be used within an AlephaContext.Provider");
+	return alepha;
+};
+
+//#endregion
+//#region src/core/hooks/useEvents.ts
+/**
+* Allow subscribing to multiple Alepha events. See {@link Hooks} for available events.
+*
+* useEvents is fully typed to ensure correct event callback signatures.
+*
+* @example
+* ```tsx
+* useEvents(
+*   {
+*     "react:transition:begin": (ev) => {
+*       console.log("Transition began to:", ev.to);
+*     },
+*     "react:transition:error": {
+*       priority: "first",
+*       callback: (ev) => {
+*         console.error("Transition error:", ev.error);
+*       },
+*     },
+*   },
+*   [],
+* );
+* ```
+*/
+const useEvents = (opts, deps) => {
+	const alepha = useAlepha();
+	useEffect(() => {
+		if (!alepha.isBrowser()) return;
+		const subs = [];
+		for (const [name, hook] of Object.entries(opts)) subs.push(alepha.events.on(name, hook));
+		return () => {
+			for (const clear of subs) clear();
+		};
+	}, deps);
+};
+
+//#endregion
+//#region src/core/hooks/useStore.ts
+function useStore(target, defaultValue) {
+	const alepha = useAlepha();
+	useMemo(() => {
+		if (defaultValue != null && alepha.state.get(target) == null) alepha.state.set(target, defaultValue);
+	}, [defaultValue]);
+	const [state, setState] = useState(alepha.state.get(target));
+	useEffect(() => {
+		if (!alepha.isBrowser()) return;
+		const key = target instanceof Atom ? target.key : target;
+		return alepha.events.on("state:mutate", (ev) => {
+			if (ev.key === key) setState(ev.value);
+		});
+	}, []);
+	return [state, (value) => {
+		alepha.state.set(target, value);
+	}];
+}
+
+//#endregion
+//#region src/core/hooks/useRouterState.ts
+const useRouterState = () => {
+	const [state] = useStore("alepha.react.router.state");
+	if (!state) throw new AlephaError("Missing react router state");
+	return state;
+};
+
+//#endregion
+//#region src/core/components/ErrorBoundary.tsx
+/**
+* A reusable error boundary for catching rendering errors
+* in any part of the React component tree.
+*/
+var ErrorBoundary = class extends React.Component {
+	constructor(props$1) {
+		super(props$1);
+		this.state = {};
+	}
+	/**
+	* Update state so the next render shows the fallback UI.
+	*/
+	static getDerivedStateFromError(error) {
+		return { error };
+	}
+	/**
+	* Lifecycle method called when an error is caught.
+	* You can log the error or perform side effects here.
+	*/
+	componentDidCatch(error, info) {
+		if (this.props.onError) this.props.onError(error, info);
+	}
+	render() {
+		if (this.state.error) return this.props.fallback(this.state.error);
+		return this.props.children;
+	}
+};
+var ErrorBoundary_default = ErrorBoundary;
+
+//#endregion
+//#region src/core/components/NestedView.tsx
+/**
+* A component that renders the current view of the nested router layer.
+*
+* To be simple, it renders the `element` of the current child page of a parent page.
+*
+* @example
+* ```tsx
+* import { NestedView } from "@alepha/react";
+*
+* class App {
+*   parent = $page({
+*     component: () => <NestedView />,
+*   });
+*
+*   child = $page({
+*     parent: this.root,
+*     component: () => <div>Child Page</div>,
+*   });
+* }
+* ```
+*/
+const NestedView = (props$1) => {
+	const index = use(RouterLayerContext)?.index ?? 0;
+	const state = useRouterState();
+	const [view, setView] = useState(state.layers[index]?.element);
+	const [animation, setAnimation] = useState("");
+	const animationExitDuration = useRef(0);
+	const animationExitNow = useRef(0);
+	useEvents({
+		"react:transition:begin": async ({ previous, state: state$1 }) => {
+			const layer = previous.layers[index];
+			if (`${state$1.url.pathname}/`.startsWith(`${layer?.path}/`)) return;
+			const animationExit = parseAnimation(layer.route?.animation, state$1, "exit");
+			if (animationExit) {
+				const duration = animationExit.duration || 200;
+				animationExitNow.current = Date.now();
+				animationExitDuration.current = duration;
+				setAnimation(animationExit.animation);
+			} else {
+				animationExitNow.current = 0;
+				animationExitDuration.current = 0;
+				setAnimation("");
+			}
+		},
+		"react:transition:end": async ({ state: state$1 }) => {
+			const layer = state$1.layers[index];
+			if (animationExitNow.current) {
+				const duration = animationExitDuration.current;
+				const diff = Date.now() - animationExitNow.current;
+				if (diff < duration) await new Promise((resolve) => setTimeout(resolve, duration - diff));
+			}
+			if (!layer?.cache) {
+				setView(layer?.element);
+				const animationEnter = parseAnimation(layer?.route?.animation, state$1, "enter");
+				if (animationEnter) setAnimation(animationEnter.animation);
+				else setAnimation("");
+			}
+		}
+	}, []);
+	let element = view ?? props$1.children ?? null;
+	if (animation) element = /* @__PURE__ */ jsx("div", {
+		style: {
+			display: "flex",
+			flex: 1,
+			height: "100%",
+			width: "100%",
+			position: "relative",
+			overflow: "hidden"
+		},
+		children: /* @__PURE__ */ jsx("div", {
+			style: {
+				height: "100%",
+				width: "100%",
+				display: "flex",
+				animation
+			},
+			children: element
+		})
+	});
+	if (props$1.errorBoundary === false) return /* @__PURE__ */ jsx(Fragment, { children: element });
+	if (props$1.errorBoundary) return /* @__PURE__ */ jsx(ErrorBoundary_default, {
+		fallback: props$1.errorBoundary,
+		children: element
+	});
+	return /* @__PURE__ */ jsx(ErrorBoundary_default, {
+		fallback: (error) => {
+			const result = state.onError(error, state);
+			if (result instanceof Redirection) return "Redirection inside ErrorBoundary is not allowed.";
+			return result;
+		},
+		children: element
+	});
+};
+var NestedView_default = memo(NestedView);
+function parseAnimation(animationLike, state, type = "enter") {
+	if (!animationLike) return;
+	const DEFAULT_DURATION = 300;
+	const animation = typeof animationLike === "function" ? animationLike(state) : animationLike;
+	if (typeof animation === "string") {
+		if (type === "exit") return;
+		return {
+			duration: DEFAULT_DURATION,
+			animation: `${DEFAULT_DURATION}ms ${animation}`
+		};
+	}
+	if (typeof animation === "object") {
+		const anim = animation[type];
+		const duration = typeof anim === "object" ? anim.duration ?? DEFAULT_DURATION : DEFAULT_DURATION;
+		const name = typeof anim === "object" ? anim.name : anim;
+		if (type === "exit") return {
+			duration,
+			animation: `${duration}ms ${typeof anim === "object" ? anim.timing ?? "" : ""} ${name}`
+		};
+		return {
+			duration,
+			animation: `${duration}ms ${typeof anim === "object" ? anim.timing ?? "" : ""} ${name}`
+		};
+	}
+}
+
+//#endregion
+//#region src/core/components/NotFound.tsx
+function NotFoundPage(props$1) {
+	return /* @__PURE__ */ jsx("div", {
+		style: {
+			height: "100vh",
+			display: "flex",
+			flexDirection: "column",
+			justifyContent: "center",
+			alignItems: "center",
+			textAlign: "center",
+			fontFamily: "sans-serif",
+			padding: "1rem",
+			...props$1.style
+		},
+		children: /* @__PURE__ */ jsx("h1", {
+			style: {
+				fontSize: "1rem",
+				marginBottom: "0.5rem"
+			},
+			children: "404 - This page does not exist"
+		})
+	});
+}
+
+//#endregion
+//#region src/core/providers/ReactPageProvider.ts
+const envSchema$2 = t.object({ REACT_STRICT_MODE: t.boolean({ default: true }) });
+var ReactPageProvider = class {
+	log = $logger();
+	env = $env(envSchema$2);
+	alepha = $inject(Alepha);
+	pages = [];
+	getPages() {
+		return this.pages;
+	}
+	getConcretePages() {
+		const pages = [];
+		for (const page of this.pages) {
+			if (page.children && page.children.length > 0) continue;
+			const fullPath = this.pathname(page.name);
+			if (fullPath.includes(":") || fullPath.includes("*")) {
+				if (typeof page.static === "object") {
+					const entries = page.static.entries;
+					if (entries && entries.length > 0) for (const entry of entries) {
+						const params = entry.params;
+						const path = this.compile(page.path ?? "", params);
+						if (!path.includes(":") && !path.includes("*")) pages.push({
+							...page,
+							name: params[Object.keys(params)[0]],
+							path,
+							...entry
+						});
+					}
+				}
+				continue;
+			}
+			pages.push(page);
+		}
+		return pages;
+	}
+	page(name) {
+		for (const page of this.pages) if (page.name === name) return page;
+		throw new AlephaError(`Page '${name}' not found`);
+	}
+	pathname(name, options = {}) {
+		const page = this.page(name);
+		if (!page) throw new Error(`Page ${name} not found`);
+		let url = page.path ?? "";
+		let parent = page.parent;
+		while (parent) {
+			url = `${parent.path ?? ""}/${url}`;
+			parent = parent.parent;
+		}
+		url = this.compile(url, options.params ?? {});
+		if (options.query) {
+			const query = new URLSearchParams(options.query);
+			if (query.toString()) url += `?${query.toString()}`;
+		}
+		return url.replace(/\/\/+/g, "/") || "/";
+	}
+	url(name, options = {}) {
+		return new URL(this.pathname(name, options), options.host ?? `http://localhost`);
+	}
+	root(state) {
+		const root = createElement(AlephaContext.Provider, { value: this.alepha }, createElement(NestedView_default, {}, state.layers[0]?.element));
+		if (this.env.REACT_STRICT_MODE) return createElement(StrictMode, {}, root);
+		return root;
+	}
+	convertStringObjectToObject = (schema, value) => {
+		if (t.schema.isObject(schema) && typeof value === "object") {
+			for (const key in schema.properties) if (t.schema.isObject(schema.properties[key]) && typeof value[key] === "string") try {
+				value[key] = this.alepha.codec.decode(schema.properties[key], decodeURIComponent(value[key]));
+			} catch (e$1) {}
+		}
+		return value;
+	};
+	/**
+	* Create a new RouterState based on a given route and request.
+	* This method resolves the layers for the route, applying any query and params schemas defined in the route.
+	* It also handles errors and redirects.
+	*/
+	async createLayers(route, state, previous = []) {
+		let context = {};
+		const stack = [{ route }];
+		let parent = route.parent;
+		while (parent) {
+			stack.unshift({ route: parent });
+			parent = parent.parent;
+		}
+		let forceRefresh = false;
+		for (let i = 0; i < stack.length; i++) {
+			const it = stack[i];
+			const route$1 = it.route;
+			const config = {};
+			try {
+				this.convertStringObjectToObject(route$1.schema?.query, state.query);
+				config.query = route$1.schema?.query ? this.alepha.codec.decode(route$1.schema.query, state.query) : {};
+			} catch (e$1) {
+				it.error = e$1;
+				break;
+			}
+			try {
+				config.params = route$1.schema?.params ? this.alepha.codec.decode(route$1.schema.params, state.params) : {};
+			} catch (e$1) {
+				it.error = e$1;
+				break;
+			}
+			it.config = { ...config };
+			if (previous?.[i] && !forceRefresh && previous[i].name === route$1.name) {
+				const url = (str) => str ? str.replace(/\/\/+/g, "/") : "/";
+				if (JSON.stringify({
+					part: url(previous[i].part),
+					params: previous[i].config?.params ?? {}
+				}) === JSON.stringify({
+					part: url(route$1.path),
+					params: config.params ?? {}
+				})) {
+					it.props = previous[i].props;
+					it.error = previous[i].error;
+					it.cache = true;
+					context = {
+						...context,
+						...it.props
+					};
+					continue;
+				}
+				forceRefresh = true;
+			}
+			if (!route$1.resolve) continue;
+			try {
+				const args = Object.create(state);
+				Object.assign(args, config, context);
+				const props$1 = await route$1.resolve?.(args) ?? {};
+				it.props = { ...props$1 };
+				context = {
+					...context,
+					...props$1
+				};
+			} catch (e$1) {
+				if (e$1 instanceof Redirection) return { redirect: e$1.redirect };
+				this.log.error("Page resolver has failed", e$1);
+				it.error = e$1;
+				break;
+			}
+		}
+		let acc = "";
+		for (let i = 0; i < stack.length; i++) {
+			const it = stack[i];
+			const props$1 = it.props ?? {};
+			const params = { ...it.config?.params };
+			for (const key of Object.keys(params)) params[key] = String(params[key]);
+			acc += "/";
+			acc += it.route.path ? this.compile(it.route.path, params) : "";
+			const path = acc.replace(/\/+/, "/");
+			const localErrorHandler = this.getErrorHandler(it.route);
+			if (localErrorHandler) {
+				const onErrorParent = state.onError;
+				state.onError = (error, context$1) => {
+					const result = localErrorHandler(error, context$1);
+					if (result === void 0) return onErrorParent(error, context$1);
+					return result;
+				};
+			}
+			if (!it.error) try {
+				const element = await this.createElement(it.route, {
+					...props$1,
+					...context
+				});
+				state.layers.push({
+					name: it.route.name,
+					props: props$1,
+					part: it.route.path,
+					config: it.config,
+					element: this.renderView(i + 1, path, element, it.route),
+					index: i + 1,
+					path,
+					route: it.route,
+					cache: it.cache
+				});
+			} catch (e$1) {
+				it.error = e$1;
+			}
+			if (it.error) try {
+				let element = await state.onError(it.error, state);
+				if (element === void 0) throw it.error;
+				if (element instanceof Redirection) return { redirect: element.redirect };
+				if (element === null) element = this.renderError(it.error);
+				state.layers.push({
+					props: props$1,
+					error: it.error,
+					name: it.route.name,
+					part: it.route.path,
+					config: it.config,
+					element: this.renderView(i + 1, path, element, it.route),
+					index: i + 1,
+					path,
+					route: it.route
+				});
+				break;
+			} catch (e$1) {
+				if (e$1 instanceof Redirection) return { redirect: e$1.redirect };
+				throw e$1;
+			}
+		}
+		return { state };
+	}
+	createRedirectionLayer(redirect) {
+		return { redirect };
+	}
+	getErrorHandler(route) {
+		if (route.errorHandler) return route.errorHandler;
+		let parent = route.parent;
+		while (parent) {
+			if (parent.errorHandler) return parent.errorHandler;
+			parent = parent.parent;
+		}
+	}
+	async createElement(page, props$1) {
+		if (page.lazy && page.component) this.log.warn(`Page ${page.name} has both lazy and component options, lazy will be used`);
+		if (page.lazy) return createElement((await page.lazy()).default, props$1);
+		if (page.component) return createElement(page.component, props$1);
+	}
+	renderError(error) {
+		return createElement(ErrorViewer_default, {
+			error,
+			alepha: this.alepha
+		});
+	}
+	renderEmptyView() {
+		return createElement(NestedView_default, {});
+	}
+	href(page, params = {}) {
+		const found = this.pages.find((it) => it.name === page.options.name);
+		if (!found) throw new Error(`Page ${page.options.name} not found`);
+		let url = found.path ?? "";
+		let parent = found.parent;
+		while (parent) {
+			url = `${parent.path ?? ""}/${url}`;
+			parent = parent.parent;
+		}
+		url = this.compile(url, params);
+		return url.replace(/\/\/+/g, "/") || "/";
+	}
+	compile(path, params = {}) {
+		for (const [key, value] of Object.entries(params)) path = path.replace(`:${key}`, value);
+		return path;
+	}
+	renderView(index, path, view, page) {
+		view ??= this.renderEmptyView();
+		const element = page.client ? createElement(ClientOnly_default, typeof page.client === "object" ? page.client : {}, view) : view;
+		return createElement(RouterLayerContext.Provider, { value: {
+			index,
+			path
+		} }, element);
+	}
+	configure = $hook({
+		on: "configure",
+		handler: () => {
+			let hasNotFoundHandler = false;
+			const pages = this.alepha.descriptors($page);
+			const hasParent = (it) => {
+				if (it.options.parent) return true;
+				for (const page of pages) if ((page.options.children ? Array.isArray(page.options.children) ? page.options.children : page.options.children() : []).includes(it)) return true;
+			};
+			for (const page of pages) {
+				if (page.options.path === "/*") hasNotFoundHandler = true;
+				if (hasParent(page)) continue;
+				this.add(this.map(pages, page));
+			}
+			if (!hasNotFoundHandler && pages.length > 0) this.add({
+				path: "/*",
+				name: "notFound",
+				cache: true,
+				component: NotFoundPage,
+				onServerResponse: ({ reply }) => {
+					reply.status = 404;
+				}
+			});
+		}
+	});
+	map(pages, target) {
+		const children = target.options.children ? Array.isArray(target.options.children) ? target.options.children : target.options.children() : [];
+		const getChildrenFromParent = (it) => {
+			const children$1 = [];
+			for (const page of pages) if (page.options.parent === it) children$1.push(page);
+			return children$1;
+		};
+		children.push(...getChildrenFromParent(target));
+		return {
+			...target.options,
+			name: target.name,
+			parent: void 0,
+			children: children.map((it) => this.map(pages, it))
+		};
+	}
+	add(entry) {
+		if (this.alepha.isReady()) throw new AlephaError("Router is already initialized");
+		entry.name ??= this.nextId();
+		const page = entry;
+		page.match = this.createMatch(page);
+		this.pages.push(page);
+		if (page.children) for (const child of page.children) {
+			child.parent = page;
+			this.add(child);
+		}
+	}
+	createMatch(page) {
+		let url = page.path ?? "/";
+		let target = page.parent;
+		while (target) {
+			url = `${target.path ?? ""}/${url}`;
+			target = target.parent;
+		}
+		let path = url.replace(/\/\/+/g, "/");
+		if (path.endsWith("/") && path !== "/") path = path.slice(0, -1);
+		return path;
+	}
+	_next = 0;
+	nextId() {
+		this._next += 1;
+		return `P${this._next}`;
+	}
+};
+const isPageRoute = (it) => {
+	return it && typeof it === "object" && typeof it.path === "string" && typeof it.page === "object";
+};
+
+//#endregion
+//#region src/core/providers/ReactServerProvider.ts
+const envSchema$1 = t.object({
+	REACT_SSR_ENABLED: t.optional(t.boolean()),
+	REACT_ROOT_ID: t.text({ default: "root" }),
+	REACT_SERVER_TEMPLATE: t.optional(t.text({ size: "rich" }))
+});
+/**
+* React server provider configuration atom
+*/
+const reactServerOptions = $atom({
+	name: "alepha.react.server.options",
+	schema: t.object({
+		publicDir: t.string(),
+		staticServer: t.object({
+			disabled: t.boolean(),
+			path: t.string({ description: "URL path where static files will be served." })
+		})
+	}),
+	default: {
+		publicDir: "public",
+		staticServer: {
+			disabled: false,
+			path: "/"
+		}
+	}
+});
+var ReactServerProvider = class {
+	log = $logger();
+	alepha = $inject(Alepha);
+	env = $env(envSchema$1);
+	pageApi = $inject(ReactPageProvider);
+	serverProvider = $inject(ServerProvider);
+	serverStaticProvider = $inject(ServerStaticProvider);
+	serverRouterProvider = $inject(ServerRouterProvider);
+	serverTimingProvider = $inject(ServerTimingProvider);
+	ROOT_DIV_REGEX = new RegExp(`<div([^>]*)\\s+id=["']${this.env.REACT_ROOT_ID}["']([^>]*)>(.*?)<\\/div>`, "is");
+	preprocessedTemplate = null;
+	options = $use(reactServerOptions);
+	/**
+	* Configure the React server provider.
+	*/
+	onConfigure = $hook({
+		on: "configure",
+		handler: async () => {
+			const ssrEnabled = this.alepha.descriptors($page).length > 0 && this.env.REACT_SSR_ENABLED !== false;
+			this.alepha.state.set("alepha.react.server.ssr", ssrEnabled);
+			if (this.alepha.isViteDev()) {
+				await this.configureVite(ssrEnabled);
+				return;
+			}
+			let root = "";
+			if (!this.alepha.isServerless()) {
+				root = this.getPublicDirectory();
+				if (!root) this.log.warn("Missing static files, static file server will be disabled");
+				else {
+					this.log.debug(`Using static files from: ${root}`);
+					await this.configureStaticServer(root);
+				}
+			}
+			if (ssrEnabled) {
+				await this.registerPages(async () => this.template);
+				this.log.info("SSR OK");
+				return;
+			}
+			this.log.info("SSR is disabled, use History API fallback");
+			this.serverRouterProvider.createRoute({
+				path: "*",
+				handler: async ({ url, reply }) => {
+					if (url.pathname.includes(".")) {
+						reply.headers["content-type"] = "text/plain";
+						reply.body = "Not Found";
+						reply.status = 404;
+						return;
+					}
+					reply.headers["content-type"] = "text/html";
+					return this.template;
+				}
+			});
+		}
+	});
+	get template() {
+		return this.alepha.env.REACT_SERVER_TEMPLATE ?? "<!DOCTYPE html><html lang='en'><head></head><body></body></html>";
+	}
+	async registerPages(templateLoader) {
+		const template = await templateLoader();
+		if (template) this.preprocessedTemplate = this.preprocessTemplate(template);
+		for (const page of this.pageApi.getPages()) {
+			if (page.children?.length) continue;
+			this.log.debug(`+ ${page.match} -> ${page.name}`);
+			this.serverRouterProvider.createRoute({
+				...page,
+				schema: void 0,
+				method: "GET",
+				path: page.match,
+				handler: this.createHandler(page, templateLoader)
+			});
+		}
+	}
+	/**
+	* Get the public directory path where static files are located.
+	*/
+	getPublicDirectory() {
+		const maybe = [join(process.cwd(), `dist/${this.options.publicDir}`), join(process.cwd(), this.options.publicDir)];
+		for (const it of maybe) if (existsSync(it)) return it;
+		return "";
+	}
+	/**
+	* Configure the static file server to serve files from the given root directory.
+	*/
+	async configureStaticServer(root) {
+		await this.serverStaticProvider.createStaticServer({
+			root,
+			cacheControl: {
+				maxAge: 3600,
+				immutable: true
+			},
+			...this.options.staticServer
+		});
+	}
+	/**
+	* Configure Vite for SSR.
+	*/
+	async configureVite(ssrEnabled) {
+		if (!ssrEnabled) return;
+		this.log.info("SSR (dev) OK");
+		const url = `http://${process.env.SERVER_HOST}:${process.env.SERVER_PORT}`;
+		await this.registerPages(() => fetch(`${url}/index.html`).then((it) => it.text()).catch(() => void 0));
+	}
+	/**
+	* For testing purposes, creates a render function that can be used.
+	*/
+	async render(name, options = {}) {
+		const page = this.pageApi.page(name);
+		const url = new URL(this.pageApi.url(name, options));
+		const state = {
+			url,
+			params: options.params ?? {},
+			query: options.query ?? {},
+			onError: () => null,
+			layers: [],
+			meta: {}
+		};
+		this.log.trace("Rendering", { url });
+		await this.alepha.events.emit("react:server:render:begin", { state });
+		const { redirect } = await this.pageApi.createLayers(page, state);
+		if (redirect) return {
+			state,
+			html: "",
+			redirect
+		};
+		if (!options.html) {
+			this.alepha.state.set("alepha.react.router.state", state);
+			return {
+				state,
+				html: renderToString(this.pageApi.root(state))
+			};
+		}
+		const template = this.template ?? "";
+		const html = this.renderToHtml(template, state, options.hydration);
+		if (html instanceof Redirection) return {
+			state,
+			html: "",
+			redirect
+		};
+		const result = {
+			state,
+			html
+		};
+		await this.alepha.events.emit("react:server:render:end", result);
+		return result;
+	}
+	createHandler(route, templateLoader) {
+		return async (serverRequest) => {
+			const { url, reply, query, params } = serverRequest;
+			const template = await templateLoader();
+			if (!template) throw new AlephaError("Missing template for SSR rendering");
+			this.log.trace("Rendering page", { name: route.name });
+			const state = {
+				url,
+				params,
+				query,
+				onError: () => null,
+				layers: []
+			};
+			if (this.alepha.has(ServerLinksProvider)) this.alepha.state.set("alepha.server.request.apiLinks", await this.alepha.inject(ServerLinksProvider).getUserApiLinks({
+				user: serverRequest.user,
+				authorization: serverRequest.headers.authorization
+			}));
+			let target = route;
+			while (target) {
+				if (route.can && !route.can()) {
+					reply.status = 403;
+					reply.headers["content-type"] = "text/plain";
+					return "Forbidden";
+				}
+				target = target.parent;
+			}
+			await this.alepha.events.emit("react:server:render:begin", {
+				request: serverRequest,
+				state
+			});
+			this.serverTimingProvider.beginTiming("createLayers");
+			const { redirect } = await this.pageApi.createLayers(route, state);
+			this.serverTimingProvider.endTiming("createLayers");
+			if (redirect) return reply.redirect(redirect);
+			reply.headers["content-type"] = "text/html";
+			reply.headers["cache-control"] = "no-store, no-cache, must-revalidate, proxy-revalidate";
+			reply.headers.pragma = "no-cache";
+			reply.headers.expires = "0";
+			const html = this.renderToHtml(template, state);
+			if (html instanceof Redirection) {
+				reply.redirect(typeof html.redirect === "string" ? html.redirect : this.pageApi.href(html.redirect));
+				return;
+			}
+			const event = {
+				request: serverRequest,
+				state,
+				html
+			};
+			await this.alepha.events.emit("react:server:render:end", event);
+			route.onServerResponse?.(serverRequest);
+			this.log.trace("Page rendered", { name: route.name });
+			return event.html;
+		};
+	}
+	renderToHtml(template, state, hydration = true) {
+		const element = this.pageApi.root(state);
+		this.alepha.state.set("alepha.react.router.state", state);
+		this.serverTimingProvider.beginTiming("renderToString");
+		let app = "";
+		try {
+			app = renderToString(element);
+		} catch (error) {
+			this.log.error("renderToString has failed, fallback to error handler", error);
+			const element$1 = state.onError(error, state);
+			if (element$1 instanceof Redirection) return element$1;
+			app = renderToString(element$1);
+			this.log.debug("Error handled successfully with fallback");
+		}
+		this.serverTimingProvider.endTiming("renderToString");
+		const response = { html: template };
+		if (hydration) {
+			const { request, context, ...store } = this.alepha.context.als?.getStore() ?? {};
+			const hydrationData = {
+				...store,
+				"alepha.react.router.state": void 0,
+				layers: state.layers.map((it) => ({
+					...it,
+					error: it.error ? {
+						...it.error,
+						name: it.error.name,
+						message: it.error.message,
+						stack: !this.alepha.isProduction() ? it.error.stack : void 0
+					} : void 0,
+					index: void 0,
+					path: void 0,
+					element: void 0,
+					route: void 0
+				}))
+			};
+			const script = `<script>window.__ssr=${JSON.stringify(hydrationData)}<\/script>`;
+			this.fillTemplate(response, app, script);
+		}
+		return response.html;
+	}
+	preprocessTemplate(template) {
+		const bodyCloseIndex = template.match(/<\/body>/i)?.index ?? template.length;
+		const beforeScript = template.substring(0, bodyCloseIndex);
+		const afterScript = template.substring(bodyCloseIndex);
+		const rootDivMatch = beforeScript.match(this.ROOT_DIV_REGEX);
+		if (rootDivMatch) {
+			const beforeDiv = beforeScript.substring(0, rootDivMatch.index);
+			const afterDivStart = rootDivMatch.index + rootDivMatch[0].length;
+			const afterDiv = beforeScript.substring(afterDivStart);
+			return {
+				beforeApp: `${beforeDiv}<div${rootDivMatch[1]} id="${this.env.REACT_ROOT_ID}"${rootDivMatch[2]}>`,
+				afterApp: `</div>${afterDiv}`,
+				beforeScript: "",
+				afterScript
+			};
+		}
+		const bodyMatch = beforeScript.match(/<body([^>]*)>/i);
+		if (bodyMatch) {
+			const beforeBody = beforeScript.substring(0, bodyMatch.index + bodyMatch[0].length);
+			const afterBody = beforeScript.substring(bodyMatch.index + bodyMatch[0].length);
+			return {
+				beforeApp: `${beforeBody}<div id="${this.env.REACT_ROOT_ID}">`,
+				afterApp: `</div>${afterBody}`,
+				beforeScript: "",
+				afterScript
+			};
+		}
+		return {
+			beforeApp: `<div id="${this.env.REACT_ROOT_ID}">`,
+			afterApp: `</div>`,
+			beforeScript,
+			afterScript
+		};
+	}
+	fillTemplate(response, app, script) {
+		if (!this.preprocessedTemplate) this.preprocessedTemplate = this.preprocessTemplate(response.html);
+		response.html = this.preprocessedTemplate.beforeApp + app + this.preprocessedTemplate.afterApp + script + this.preprocessedTemplate.afterScript;
+	}
+};
+
+//#endregion
+//#region src/core/services/ReactPageServerService.ts
+var ReactPageServerService = class extends ReactPageService {
+	reactServerProvider = $inject(ReactServerProvider);
+	serverProvider = $inject(ServerProvider);
+	async render(name, options = {}) {
+		return this.reactServerProvider.render(name, options);
+	}
+	async fetch(pathname, options = {}) {
+		const response = await fetch(`${this.serverProvider.hostname}/${pathname}`);
+		const html = await response.text();
+		if (options?.html) return {
+			html,
+			response
+		};
+		const match = html.match(this.reactServerProvider.ROOT_DIV_REGEX);
+		if (match) return {
+			html: match[3],
+			response
+		};
+		throw new AlephaError("Invalid HTML response");
+	}
+};
+
+//#endregion
+//#region src/core/providers/ReactBrowserRouterProvider.ts
+var ReactBrowserRouterProvider = class extends RouterProvider {
+	log = $logger();
+	alepha = $inject(Alepha);
+	pageApi = $inject(ReactPageProvider);
+	add(entry) {
+		this.pageApi.add(entry);
+	}
+	configure = $hook({
+		on: "configure",
+		handler: async () => {
+			for (const page of this.pageApi.getPages()) if (page.component || page.lazy) this.push({
+				path: page.match,
+				page
+			});
+		}
+	});
+	async transition(url, previous = [], meta = {}) {
+		const { pathname, search } = url;
+		const state = {
+			url,
+			query: {},
+			params: {},
+			layers: [],
+			onError: () => null,
+			meta
+		};
+		await this.alepha.events.emit("react:action:begin", { type: "transition" });
+		await this.alepha.events.emit("react:transition:begin", {
+			previous: this.alepha.state.get("alepha.react.router.state"),
+			state
+		});
+		try {
+			const { route, params } = this.match(pathname);
+			const query = {};
+			if (search) for (const [key, value] of new URLSearchParams(search).entries()) query[key] = String(value);
+			state.query = query;
+			state.params = params ?? {};
+			if (isPageRoute(route)) {
+				const { redirect } = await this.pageApi.createLayers(route.page, state, previous);
+				if (redirect) return redirect;
+			}
+			if (state.layers.length === 0) state.layers.push({
+				name: "not-found",
+				element: createElement(NotFoundPage),
+				index: 0,
+				path: "/"
+			});
+			await this.alepha.events.emit("react:action:success", { type: "transition" });
+			await this.alepha.events.emit("react:transition:success", { state });
+		} catch (e$1) {
+			this.log.error("Transition has failed", e$1);
+			state.layers = [{
+				name: "error",
+				element: this.pageApi.renderError(e$1),
+				index: 0,
+				path: "/"
+			}];
+			await this.alepha.events.emit("react:action:error", {
+				type: "transition",
+				error: e$1
+			});
+			await this.alepha.events.emit("react:transition:error", {
+				error: e$1,
+				state
+			});
+		}
+		if (previous) for (let i = 0; i < previous.length; i++) {
+			const layer = previous[i];
+			if (state.layers[i]?.name !== layer.name) this.pageApi.page(layer.name)?.onLeave?.();
+		}
+		this.alepha.state.set("alepha.react.router.state", state);
+		await this.alepha.events.emit("react:action:end", { type: "transition" });
+		await this.alepha.events.emit("react:transition:end", { state });
+	}
+	root(state) {
+		return this.pageApi.root(state);
+	}
+};
+
+//#endregion
+//#region src/core/providers/ReactBrowserProvider.ts
+const envSchema = t.object({ REACT_ROOT_ID: t.text({ default: "root" }) });
+/**
+* React browser renderer configuration atom
+*/
+const reactBrowserOptions = $atom({
+	name: "alepha.react.browser.options",
+	schema: t.object({ scrollRestoration: t.enum(["top", "manual"]) }),
+	default: { scrollRestoration: "top" }
+});
+var ReactBrowserProvider = class {
+	env = $env(envSchema);
+	log = $logger();
+	client = $inject(LinkProvider);
+	alepha = $inject(Alepha);
+	router = $inject(ReactBrowserRouterProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	options = $use(reactBrowserOptions);
+	getRootElement() {
+		const root = this.document.getElementById(this.env.REACT_ROOT_ID);
+		if (root) return root;
+		const div = this.document.createElement("div");
+		div.id = this.env.REACT_ROOT_ID;
+		this.document.body.prepend(div);
+		return div;
+	}
+	transitioning;
+	get state() {
+		return this.alepha.state.get("alepha.react.router.state");
+	}
+	/**
+	* Accessor for Document DOM API.
+	*/
+	get document() {
+		return window.document;
+	}
+	/**
+	* Accessor for History DOM API.
+	*/
+	get history() {
+		return window.history;
+	}
+	/**
+	* Accessor for Location DOM API.
+	*/
+	get location() {
+		return window.location;
+	}
+	get base() {
+		const base = import.meta.env?.BASE_URL;
+		if (!base || base === "/") return "";
+		return base;
+	}
+	get url() {
+		const url = this.location.pathname + this.location.search;
+		if (this.base) return url.replace(this.base, "");
+		return url;
+	}
+	pushState(path, replace) {
+		const url = this.base + path;
+		if (replace) this.history.replaceState({}, "", url);
+		else this.history.pushState({}, "", url);
+	}
+	async invalidate(props$1) {
+		const previous = [];
+		this.log.trace("Invalidating layers");
+		if (props$1) {
+			const [key] = Object.keys(props$1);
+			const value = props$1[key];
+			for (const layer of this.state.layers) {
+				if (layer.props?.[key]) {
+					previous.push({
+						...layer,
+						props: {
+							...layer.props,
+							[key]: value
+						}
+					});
+					break;
+				}
+				previous.push(layer);
+			}
+		}
+		await this.render({ previous });
+	}
+	async go(url, options = {}) {
+		this.log.trace(`Going to ${url}`, {
+			url,
+			options
+		});
+		await this.render({
+			url,
+			previous: options.force ? [] : this.state.layers,
+			meta: options.meta
+		});
+		if (this.state.url.pathname + this.state.url.search !== url) {
+			this.pushState(this.state.url.pathname + this.state.url.search);
+			return;
+		}
+		this.pushState(url, options.replace);
+	}
+	async render(options = {}) {
+		const previous = options.previous ?? this.state.layers;
+		const url = options.url ?? this.url;
+		const start = this.dateTimeProvider.now();
+		this.transitioning = {
+			to: url,
+			from: this.state?.url.pathname
+		};
+		this.log.debug("Transitioning...", { to: url });
+		const redirect = await this.router.transition(new URL(`http://localhost${url}`), previous, options.meta);
+		if (redirect) {
+			this.log.info("Redirecting to", { redirect });
+			if (redirect.startsWith("http")) window.location.href = redirect;
+			else return await this.render({ url: redirect });
+		}
+		const ms = this.dateTimeProvider.now().diff(start);
+		this.log.info(`Transition OK [${ms}ms]`, this.transitioning);
+		this.transitioning = void 0;
+	}
+	/**
+	* Get embedded layers from the server.
+	*/
+	getHydrationState() {
+		try {
+			if ("__ssr" in window && typeof window.__ssr === "object") return window.__ssr;
+		} catch (error) {
+			console.error(error);
+		}
+	}
+	onTransitionEnd = $hook({
+		on: "react:transition:end",
+		handler: () => {
+			if (this.options.scrollRestoration === "top" && typeof window !== "undefined" && !this.alepha.isTest()) {
+				this.log.trace("Restoring scroll position to top");
+				window.scrollTo(0, 0);
+			}
+		}
+	});
+	ready = $hook({
+		on: "ready",
+		handler: async () => {
+			const hydration = this.getHydrationState();
+			const previous = hydration?.layers ?? [];
+			if (hydration) {
+				for (const [key, value] of Object.entries(hydration)) if (key !== "layers") this.alepha.state.set(key, value);
+			}
+			await this.render({ previous });
+			const element = this.router.root(this.state);
+			await this.alepha.events.emit("react:browser:render", {
+				element,
+				root: this.getRootElement(),
+				hydration,
+				state: this.state
+			});
+			window.addEventListener("popstate", () => {
+				if (this.base + this.state.url.pathname === this.location.pathname) return;
+				this.log.debug("Popstate event triggered - rendering new state", { url: this.location.pathname + this.location.search });
+				this.render();
+			});
+		}
+	});
+};
+
+//#endregion
+//#region src/core/services/ReactRouter.ts
+var ReactRouter = class {
+	alepha = $inject(Alepha);
+	pageApi = $inject(ReactPageProvider);
+	get state() {
+		return this.alepha.state.get("alepha.react.router.state");
+	}
+	get pages() {
+		return this.pageApi.getPages();
+	}
+	get concretePages() {
+		return this.pageApi.getConcretePages();
+	}
+	get browser() {
+		if (this.alepha.isBrowser()) return this.alepha.inject(ReactBrowserProvider);
+	}
+	isActive(href, options = {}) {
+		const current = this.state.url.pathname;
+		let isActive = current === href || current === `${href}/` || `${current}/` === href;
+		if (options.startWith && !isActive) isActive = current.startsWith(href);
+		return isActive;
+	}
+	path(name, config = {}) {
+		return this.pageApi.pathname(name, {
+			params: {
+				...this.state.params,
+				...config.params
+			},
+			query: config.query
+		});
+	}
+	/**
+	* Reload the current page.
+	* This is equivalent to calling `go()` with the current pathname and search.
+	*/
+	async reload() {
+		if (!this.browser) return;
+		await this.go(this.location.pathname + this.location.search, {
+			replace: true,
+			force: true
+		});
+	}
+	getURL() {
+		if (!this.browser) return this.state.url;
+		return new URL(this.location.href);
+	}
+	get location() {
+		if (!this.browser) throw new Error("Browser is required");
+		return this.browser.location;
+	}
+	get current() {
+		return this.state;
+	}
+	get pathname() {
+		return this.state.url.pathname;
+	}
+	get query() {
+		const query = {};
+		for (const [key, value] of new URLSearchParams(this.state.url.search).entries()) query[key] = String(value);
+		return query;
+	}
+	async back() {
+		this.browser?.history.back();
+	}
+	async forward() {
+		this.browser?.history.forward();
+	}
+	async invalidate(props$1) {
+		await this.browser?.invalidate(props$1);
+	}
+	async go(path, options) {
+		for (const page of this.pages) if (page.name === path) {
+			await this.browser?.go(this.path(path, options), options);
+			return;
+		}
+		await this.browser?.go(path, options);
+	}
+	anchor(path, options = {}) {
+		let href = path;
+		for (const page of this.pages) if (page.name === path) {
+			href = this.path(path, options);
+			break;
+		}
+		return {
+			href: this.base(href),
+			onClick: (ev) => {
+				ev.stopPropagation();
+				ev.preventDefault();
+				this.go(href, options).catch(console.error);
+			}
+		};
+	}
+	base(path) {
+		const base = import.meta.env?.BASE_URL;
+		if (!base || base === "/") return path;
+		return base + path;
+	}
+	/**
+	* Set query params.
+	*
+	* @param record
+	* @param options
+	*/
+	setQueryParams(record, options = {}) {
+		const func = typeof record === "function" ? record : () => record;
+		const search = new URLSearchParams(func(this.query)).toString();
+		const state = search ? `${this.pathname}?${search}` : this.pathname;
+		if (options.push) window.history.pushState({}, "", state);
+		else window.history.replaceState({}, "", state);
+	}
+};
+
+//#endregion
+//#region src/core/index.ts
+/**
+* Provides full-stack React development with declarative routing, server-side rendering, and client-side hydration.
+*
+* The React module enables building modern React applications using the `$page` descriptor on class properties.
+* It delivers seamless server-side rendering, automatic code splitting, and client-side navigation with full
+* type safety and schema validation for route parameters and data.
+*
+* @see {@link $page}
+* @module alepha.react
+*/
+const AlephaReact = $module({
+	name: "alepha.react",
+	descriptors: [$page],
+	services: [
+		ReactServerProvider,
+		ReactPageProvider,
+		ReactRouter,
+		ReactPageService,
+		ReactPageServerService
+	],
+	register: (alepha) => alepha.with(AlephaDateTime).with(AlephaServer).with(AlephaServerCache).with(AlephaServerLinks).with({
+		provide: ReactPageService,
+		use: ReactPageServerService
+	}).with(ReactServerProvider).with(ReactPageProvider).with(ReactRouter)
+});
+
+//#endregion
+//#region ../../node_modules/oauth4webapi/build/index.js
+let USER_AGENT$1;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT$1 = `oauth4webapi/v3.8.2`;
+function looseInstanceOf(input, expected) {
+	if (input == null) return false;
+	try {
+		return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+	} catch {
+		return false;
+	}
+}
+const ERR_INVALID_ARG_VALUE$1 = "ERR_INVALID_ARG_VALUE";
+const ERR_INVALID_ARG_TYPE$1 = "ERR_INVALID_ARG_TYPE";
+function CodedTypeError$1(message, code, cause) {
+	const err = new TypeError(message, { cause });
+	Object.assign(err, { code });
+	return err;
+}
+const allowInsecureRequests$1 = Symbol();
+const clockSkew$1 = Symbol();
+const clockTolerance$1 = Symbol();
+const customFetch$1 = Symbol();
+const modifyAssertion$1 = Symbol();
+const jweDecrypt = Symbol();
+const encoder = new TextEncoder();
+const decoder$1 = new TextDecoder();
+function buf(input) {
+	if (typeof input === "string") return encoder.encode(input);
+	return decoder$1.decode(input);
+}
+let encodeBase64Url;
+if (Uint8Array.prototype.toBase64) encodeBase64Url = (input) => {
+	if (input instanceof ArrayBuffer) input = new Uint8Array(input);
+	return input.toBase64({
+		alphabet: "base64url",
+		omitPadding: true
+	});
+};
+else {
+	const CHUNK_SIZE = 32768;
+	encodeBase64Url = (input) => {
+		if (input instanceof ArrayBuffer) input = new Uint8Array(input);
+		const arr = [];
+		for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+		return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+	};
+}
+let decodeBase64Url;
+if (Uint8Array.fromBase64) decodeBase64Url = (input) => {
+	try {
+		return Uint8Array.fromBase64(input, { alphabet: "base64url" });
+	} catch (cause) {
+		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
+	}
+};
+else decodeBase64Url = (input) => {
+	try {
+		const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
+		const bytes = new Uint8Array(binary.length);
+		for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+		return bytes;
+	} catch (cause) {
+		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
+	}
+};
+function b64u(input) {
+	if (typeof input === "string") return decodeBase64Url(input);
+	return encodeBase64Url(input);
+}
+var UnsupportedOperationError = class extends Error {
+	code;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		this.code = UNSUPPORTED_OPERATION;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var OperationProcessingError = class extends Error {
+	code;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		if (options?.code) this.code = options?.code;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+function OPE(message, code, cause) {
+	return new OperationProcessingError(message, {
+		code,
+		cause
+	});
+}
+function isJsonObject(input) {
+	if (input === null || typeof input !== "object" || Array.isArray(input)) return false;
+	return true;
+}
+function prepareHeaders(input) {
+	if (looseInstanceOf(input, Headers)) input = Object.fromEntries(input.entries());
+	const headers$1 = new Headers(input ?? {});
+	if (USER_AGENT$1 && !headers$1.has("user-agent")) headers$1.set("user-agent", USER_AGENT$1);
+	if (headers$1.has("authorization")) throw CodedTypeError$1("\"options.headers\" must not include the \"authorization\" header name", ERR_INVALID_ARG_VALUE$1);
+	return headers$1;
+}
+function signal$1(url, value) {
+	if (value !== void 0) {
+		if (typeof value === "function") value = value(url.href);
+		if (!(value instanceof AbortSignal)) throw CodedTypeError$1("\"options.signal\" must return or be an instance of AbortSignal", ERR_INVALID_ARG_TYPE$1);
+		return value;
+	}
+}
+function replaceDoubleSlash(pathname) {
+	if (pathname.includes("//")) return pathname.replace("//", "/");
+	return pathname;
+}
+function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
+	if (url.pathname === "/") url.pathname = wellKnown;
+	else url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, "")}`);
+	return url;
+}
+function appendWellKnown(url, wellKnown) {
+	url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
+	return url;
+}
+async function performDiscovery$1(input, urlName, transform, options) {
+	if (!(input instanceof URL)) throw CodedTypeError$1(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE$1);
+	checkProtocol(input, options?.[allowInsecureRequests$1] !== true);
+	const url = transform(new URL(input.href));
+	const headers$1 = prepareHeaders(options?.headers);
+	headers$1.set("accept", "application/json");
+	return (options?.[customFetch$1] || fetch)(url.href, {
+		body: void 0,
+		headers: Object.fromEntries(headers$1.entries()),
+		method: "GET",
+		redirect: "manual",
+		signal: signal$1(url, options?.signal)
+	});
+}
+async function discoveryRequest(issuerIdentifier, options) {
+	return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url) => {
+		switch (options?.algorithm) {
+			case void 0:
+			case "oidc":
+				appendWellKnown(url, ".well-known/openid-configuration");
+				break;
+			case "oauth2":
+				prependWellKnown(url, ".well-known/oauth-authorization-server");
+				break;
+			default: throw CodedTypeError$1("\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"", ERR_INVALID_ARG_VALUE$1);
+		}
+		return url;
+	}, options);
+}
+function assertNumber(input, allow0, it, code, cause) {
+	try {
+		if (typeof input !== "number" || !Number.isFinite(input)) throw CodedTypeError$1(`${it} must be a number`, ERR_INVALID_ARG_TYPE$1, cause);
+		if (input > 0) return;
+		if (allow0) {
+			if (input !== 0) throw CodedTypeError$1(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE$1, cause);
+			return;
+		}
+		throw CodedTypeError$1(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE$1, cause);
+	} catch (err) {
+		if (code) throw OPE(err.message, code, cause);
+		throw err;
+	}
+}
+function assertString$1(input, it, code, cause) {
+	try {
+		if (typeof input !== "string") throw CodedTypeError$1(`${it} must be a string`, ERR_INVALID_ARG_TYPE$1, cause);
+		if (input.length === 0) throw CodedTypeError$1(`${it} must not be empty`, ERR_INVALID_ARG_VALUE$1, cause);
+	} catch (err) {
+		if (code) throw OPE(err.message, code, cause);
+		throw err;
+	}
+}
+async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
+	const expected = expectedIssuerIdentifier;
+	if (!(expected instanceof URL) && expected !== _nodiscoverycheck) throw CodedTypeError$1("\"expectedIssuerIdentifier\" must be an instance of URL", ERR_INVALID_ARG_TYPE$1);
+	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
+	if (response.status !== 200) throw OPE("\"response\" is not a conform Authorization Server Metadata response (unexpected HTTP status code)", RESPONSE_IS_NOT_CONFORM, response);
+	assertReadableResponse(response);
+	const json = await getResponseJsonBody(response);
+	assertString$1(json.issuer, "\"response\" body \"issuer\" property", INVALID_RESPONSE, { body: json });
+	if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) throw OPE("\"response\" body \"issuer\" property does not match the expected value", JSON_ATTRIBUTE_COMPARISON, {
+		expected: expected.href,
+		body: json,
+		attribute: "issuer"
+	});
+	return json;
+}
+function assertApplicationJson(response) {
+	assertContentType(response, "application/json");
+}
+function notJson(response, ...types) {
+	let msg = "\"response\" content-type must be ";
+	if (types.length > 2) {
+		const last = types.pop();
+		msg += `${types.join(", ")}, or ${last}`;
+	} else if (types.length === 2) msg += `${types[0]} or ${types[1]}`;
+	else msg += types[0];
+	return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentType(response, contentType) {
+	if (getContentType(response) !== contentType) throw notJson(response, contentType);
+}
+function randomBytes() {
+	return b64u(crypto.getRandomValues(new Uint8Array(32)));
+}
+function generateRandomCodeVerifier() {
+	return randomBytes();
+}
+function generateRandomState() {
+	return randomBytes();
+}
+async function calculatePKCECodeChallenge$1(codeVerifier) {
+	assertString$1(codeVerifier, "codeVerifier");
+	return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
+}
+function getClockSkew(client) {
+	const skew = client?.[clockSkew$1];
+	return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+	const tolerance = client?.[clockTolerance$1];
+	return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+	return Math.floor(Date.now() / 1e3);
+}
+function assertAs(as) {
+	if (typeof as !== "object" || as === null) throw CodedTypeError$1("\"as\" must be an object", ERR_INVALID_ARG_TYPE$1);
+	assertString$1(as.issuer, "\"as.issuer\"");
+}
+function assertClient(client) {
+	if (typeof client !== "object" || client === null) throw CodedTypeError$1("\"client\" must be an object", ERR_INVALID_ARG_TYPE$1);
+	assertString$1(client.client_id, "\"client.client_id\"");
+}
+function ClientSecretPost$1(clientSecret) {
+	assertString$1(clientSecret, "\"clientSecret\"");
+	return (_as, client, body, _headers) => {
+		body.set("client_id", client.client_id);
+		body.set("client_secret", clientSecret);
+	};
+}
+function None$1() {
+	return (_as, client, body, _headers) => {
+		body.set("client_id", client.client_id);
+	};
+}
+const URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+	try {
+		return new URL(url, base);
+	} catch {
+		return null;
+	}
+};
+function checkProtocol(url, enforceHttps) {
+	if (enforceHttps && url.protocol !== "https:") throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
+	if (url.protocol !== "https:" && url.protocol !== "http:") throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+	let url;
+	if (typeof value !== "string" || !(url = URLParse(value))) throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === void 0 ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
+	checkProtocol(url, enforceHttps);
+	return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+	if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+	return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+function isDPoPNonceError(err) {
+	if (err instanceof WWWAuthenticateChallengeError) {
+		const { 0: challenge, length } = err.cause;
+		return length === 1 && challenge.scheme === "dpop" && challenge.parameters.error === "use_dpop_nonce";
+	}
+	if (err instanceof ResponseBodyError) return err.error === "use_dpop_nonce";
+	return false;
+}
+var ResponseBodyError = class extends Error {
+	cause;
+	code;
+	error;
+	status;
+	error_description;
+	response;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		this.code = RESPONSE_BODY_ERROR;
+		this.cause = options.cause;
+		this.error = options.cause.error;
+		this.status = options.response.status;
+		this.error_description = options.cause.error_description;
+		Object.defineProperty(this, "response", {
+			enumerable: false,
+			value: options.response
+		});
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var AuthorizationResponseError = class extends Error {
+	cause;
+	code;
+	error;
+	error_description;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		this.code = AUTHORIZATION_RESPONSE_ERROR;
+		this.cause = options.cause;
+		this.error = options.cause.get("error");
+		this.error_description = options.cause.get("error_description") ?? void 0;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var WWWAuthenticateChallengeError = class extends Error {
+	cause;
+	code;
+	response;
+	status;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		this.code = WWW_AUTHENTICATE_CHALLENGE;
+		this.cause = options.cause;
+		this.status = options.response.status;
+		this.response = options.response;
+		Object.defineProperty(this, "response", { enumerable: false });
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+const token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+[=]{0,2}";
+const quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*\"((?:[^\"\\\\]|\\\\.)*)\"";
+const paramMatcher = "(" + tokenMatch + ")\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)";
+const schemeRE = /* @__PURE__ */ new RegExp("^[,\\s]*(" + tokenMatch + ")\\s(.*)");
+const quotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
+const unquotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
+const token68ParamRE = /* @__PURE__ */ new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
+function parseWwwAuthenticateChallenges(response) {
+	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
+	const header = response.headers.get("www-authenticate");
+	if (header === null) return;
+	const challenges = [];
+	let rest = header;
+	while (rest) {
+		let match = rest.match(schemeRE);
+		const scheme = match?.["1"].toLowerCase();
+		rest = match?.["2"];
+		if (!scheme) return;
+		const parameters = {};
+		let token68;
+		while (rest) {
+			let key;
+			let value;
+			if (match = rest.match(quotedParamRE)) {
+				[, key, value, rest] = match;
+				if (value.includes("\\")) try {
+					value = JSON.parse(`"${value}"`);
+				} catch {}
+				parameters[key.toLowerCase()] = value;
+				continue;
+			}
+			if (match = rest.match(unquotedParamRE)) {
+				[, key, value, rest] = match;
+				parameters[key.toLowerCase()] = value;
+				continue;
+			}
+			if (match = rest.match(token68ParamRE)) {
+				if (Object.keys(parameters).length) break;
+				[, token68, rest] = match;
+				break;
+			}
+			return;
+		}
+		const challenge = {
+			scheme,
+			parameters
+		};
+		if (token68) challenge.token68 = token68;
+		challenges.push(challenge);
+	}
+	if (!challenges.length) return;
+	return challenges;
+}
+async function parseOAuthResponseErrorBody(response) {
+	if (response.status > 399 && response.status < 500) {
+		assertReadableResponse(response);
+		assertApplicationJson(response);
+		try {
+			const json = await response.clone().json();
+			if (isJsonObject(json) && typeof json.error === "string" && json.error.length) return json;
+		} catch {}
+	}
+}
+async function checkOAuthBodyError(response, expected, label) {
+	if (response.status !== expected) {
+		checkAuthenticationChallenges(response);
+		let err;
+		if (err = await parseOAuthResponseErrorBody(response)) {
+			await response.body?.cancel();
+			throw new ResponseBodyError("server responded with an error in the response body", {
+				cause: err,
+				response
+			});
+		}
+		throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
+	}
+}
+function assertDPoP(option) {
+	if (!branded.has(option)) throw CodedTypeError$1("\"options.DPoP\" is not a valid DPoPHandle", ERR_INVALID_ARG_VALUE$1);
+}
+const skipSubjectCheck$1 = Symbol();
+function getContentType(input) {
+	return input.headers.get("content-type")?.split(";")[0];
+}
+async function authenticatedRequest(as, client, clientAuthentication, url, body, headers$1, options) {
+	await clientAuthentication(as, client, body, headers$1);
+	headers$1.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
+	return (options?.[customFetch$1] || fetch)(url.href, {
+		body,
+		headers: Object.fromEntries(headers$1.entries()),
+		method: "POST",
+		redirect: "manual",
+		signal: signal$1(url, options?.signal)
+	});
+}
+async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+	const url = resolveEndpoint(as, "token_endpoint", client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests$1] !== true);
+	parameters.set("grant_type", grantType);
+	const headers$1 = prepareHeaders(options?.headers);
+	headers$1.set("accept", "application/json");
+	if (options?.DPoP !== void 0) {
+		assertDPoP(options.DPoP);
+		await options.DPoP.addProof(url, headers$1, "POST");
+	}
+	const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers$1, options);
+	options?.DPoP?.cacheNonce(response, url);
+	return response;
+}
+async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
+	assertAs(as);
+	assertClient(client);
+	assertString$1(refreshToken, "\"refreshToken\"");
+	const parameters = new URLSearchParams(options?.additionalParameters);
+	parameters.set("refresh_token", refreshToken);
+	return tokenEndpointRequest(as, client, clientAuthentication, "refresh_token", parameters, options);
+}
+const idTokenClaims = /* @__PURE__ */ new WeakMap();
+const jwtRefs = /* @__PURE__ */ new WeakMap();
+function getValidatedIdTokenClaims(ref) {
+	if (!ref.id_token) return;
+	const claims = idTokenClaims.get(ref);
+	if (!claims) throw CodedTypeError$1("\"ref\" was already garbage collected or did not resolve from the proper sources", ERR_INVALID_ARG_VALUE$1);
+	return claims;
+}
+async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
+	assertAs(as);
+	assertClient(client);
+	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
+	await checkOAuthBodyError(response, 200, "Token Endpoint");
+	assertReadableResponse(response);
+	const json = await getResponseJsonBody(response);
+	assertString$1(json.access_token, "\"response\" body \"access_token\" property", INVALID_RESPONSE, { body: json });
+	assertString$1(json.token_type, "\"response\" body \"token_type\" property", INVALID_RESPONSE, { body: json });
+	json.token_type = json.token_type.toLowerCase();
+	if (json.expires_in !== void 0) {
+		let expiresIn = typeof json.expires_in !== "number" ? parseFloat(json.expires_in) : json.expires_in;
+		assertNumber(expiresIn, true, "\"response\" body \"expires_in\" property", INVALID_RESPONSE, { body: json });
+		json.expires_in = expiresIn;
+	}
+	if (json.refresh_token !== void 0) assertString$1(json.refresh_token, "\"response\" body \"refresh_token\" property", INVALID_RESPONSE, { body: json });
+	if (json.scope !== void 0 && typeof json.scope !== "string") throw OPE("\"response\" body \"scope\" property must be a string", INVALID_RESPONSE, { body: json });
+	if (json.id_token !== void 0) {
+		assertString$1(json.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: json });
+		const requiredClaims = [
+			"aud",
+			"exp",
+			"iat",
+			"iss",
+			"sub"
+		];
+		if (client.require_auth_time === true) requiredClaims.push("auth_time");
+		if (client.default_max_age !== void 0) {
+			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
+			requiredClaims.push("auth_time");
+		}
+		if (additionalRequiredIdTokenClaims?.length) requiredClaims.push(...additionalRequiredIdTokenClaims);
+		const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(void 0, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, "RS256"), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(void 0, requiredClaims)).then(validateIssuer.bind(void 0, as)).then(validateAudience.bind(void 0, client.client_id));
+		if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+			if (claims.azp === void 0) throw OPE("ID Token \"aud\" (audience) claim includes additional untrusted audiences", JWT_CLAIM_COMPARISON, {
+				claims,
+				claim: "aud"
+			});
+			if (claims.azp !== client.client_id) throw OPE("unexpected ID Token \"azp\" (authorized party) claim value", JWT_CLAIM_COMPARISON, {
+				expected: client.client_id,
+				claims,
+				claim: "azp"
+			});
+		}
+		if (claims.auth_time !== void 0) assertNumber(claims.auth_time, true, "ID Token \"auth_time\" (authentication time)", INVALID_RESPONSE, { claims });
+		jwtRefs.set(response, jwt);
+		idTokenClaims.set(json, claims);
+	}
+	if (recognizedTokenTypes?.[json.token_type] !== void 0) recognizedTokenTypes[json.token_type](response, json);
+	else if (json.token_type !== "dpop" && json.token_type !== "bearer") throw new UnsupportedOperationError("unsupported `token_type` value", { cause: { body: json } });
+	return json;
+}
+function checkAuthenticationChallenges(response) {
+	let challenges;
+	if (challenges = parseWwwAuthenticateChallenges(response)) throw new WWWAuthenticateChallengeError("server responded with a challenge in the WWW-Authenticate HTTP Header", {
+		cause: challenges,
+		response
+	});
+}
+async function processRefreshTokenResponse(as, client, response, options) {
+	return processGenericAccessTokenResponse(as, client, response, void 0, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+function validateAudience(expected, result) {
+	if (Array.isArray(result.claims.aud)) {
+		if (!result.claims.aud.includes(expected)) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
+			expected,
+			claims: result.claims,
+			claim: "aud"
+		});
+	} else if (result.claims.aud !== expected) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
+		expected,
+		claims: result.claims,
+		claim: "aud"
+	});
+	return result;
+}
+function validateIssuer(as, result) {
+	const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+	if (result.claims.iss !== expected) throw OPE("unexpected JWT \"iss\" (issuer) claim value", JWT_CLAIM_COMPARISON, {
+		expected,
+		claims: result.claims,
+		claim: "iss"
+	});
+	return result;
+}
+const branded = /* @__PURE__ */ new WeakSet();
+function brand(searchParams) {
+	branded.add(searchParams);
+	return searchParams;
+}
+const nopkce = Symbol();
+async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
+	assertAs(as);
+	assertClient(client);
+	if (!branded.has(callbackParameters)) throw CodedTypeError$1("\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()", ERR_INVALID_ARG_VALUE$1);
+	assertString$1(redirectUri, "\"redirectUri\"");
+	const code = getURLSearchParameter(callbackParameters, "code");
+	if (!code) throw OPE("no authorization code in \"callbackParameters\"", INVALID_RESPONSE);
+	const parameters = new URLSearchParams(options?.additionalParameters);
+	parameters.set("redirect_uri", redirectUri);
+	parameters.set("code", code);
+	if (codeVerifier !== nopkce) {
+		assertString$1(codeVerifier, "\"codeVerifier\"");
+		parameters.set("code_verifier", codeVerifier);
+	}
+	return tokenEndpointRequest(as, client, clientAuthentication, "authorization_code", parameters, options);
+}
+const jwtClaimNames = {
+	aud: "audience",
+	c_hash: "code hash",
+	client_id: "client id",
+	exp: "expiration time",
+	iat: "issued at",
+	iss: "issuer",
+	jti: "jwt id",
+	nonce: "nonce",
+	s_hash: "state hash",
+	sub: "subject",
+	ath: "access token hash",
+	htm: "http method",
+	htu: "http uri",
+	cnf: "confirmation",
+	auth_time: "authentication time"
+};
+function validatePresence(required, result) {
+	for (const claim of required) if (result.claims[claim] === void 0) throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, { claims: result.claims });
+	return result;
+}
+const expectNoNonce = Symbol();
+const skipAuthTimeCheck = Symbol();
+async function processAuthorizationCodeResponse(as, client, response, options) {
+	if (typeof options?.expectedNonce === "string" || typeof options?.maxAge === "number" || options?.requireIdToken) return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
+	return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
+	const additionalRequiredClaims = [];
+	switch (expectedNonce) {
+		case void 0:
+			expectedNonce = expectNoNonce;
+			break;
+		case expectNoNonce: break;
+		default:
+			assertString$1(expectedNonce, "\"expectedNonce\" argument");
+			additionalRequiredClaims.push("nonce");
+	}
+	maxAge ??= client.default_max_age;
+	switch (maxAge) {
+		case void 0:
+			maxAge = skipAuthTimeCheck;
+			break;
+		case skipAuthTimeCheck: break;
+		default:
+			assertNumber(maxAge, true, "\"maxAge\" argument");
+			additionalRequiredClaims.push("auth_time");
+	}
+	const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
+	assertString$1(result.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: result });
+	const claims = getValidatedIdTokenClaims(result);
+	if (maxAge !== skipAuthTimeCheck) {
+		const now = epochTime() + getClockSkew(client);
+		const tolerance = getClockTolerance(client);
+		if (claims.auth_time + maxAge < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
+			claims,
+			now,
+			tolerance,
+			claim: "auth_time"
+		});
+	}
+	if (expectedNonce === expectNoNonce) {
+		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
+			expected: void 0,
+			claims,
+			claim: "nonce"
+		});
+	} else if (claims.nonce !== expectedNonce) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
+		expected: expectedNonce,
+		claims,
+		claim: "nonce"
+	});
+	return result;
+}
+async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
+	const result = await processGenericAccessTokenResponse(as, client, response, void 0, decryptFn, recognizedTokenTypes);
+	const claims = getValidatedIdTokenClaims(result);
+	if (claims) {
+		if (client.default_max_age !== void 0) {
+			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
+			const now = epochTime() + getClockSkew(client);
+			const tolerance = getClockTolerance(client);
+			if (claims.auth_time + client.default_max_age < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
+				claims,
+				now,
+				tolerance,
+				claim: "auth_time"
+			});
+		}
+		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
+			expected: void 0,
+			claims,
+			claim: "nonce"
+		});
+	}
+	return result;
+}
+const WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
+const RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR";
+const UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
+const AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
+const PARSE_ERROR = "OAUTH_PARSE_ERROR";
+const INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
+const RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
+const RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
+const HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
+const REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
+const JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
+const JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
+const JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
+const MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
+const INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
+function assertReadableResponse(response) {
+	if (response.bodyUsed) throw CodedTypeError$1("\"response\" body has been used already", ERR_INVALID_ARG_VALUE$1);
+}
+async function validateJwt(jws, checkAlg, clockSkew$2, clockTolerance$2, decryptJwt) {
+	let { 0: protectedHeader, 1: payload, length } = jws.split(".");
+	if (length === 5) if (decryptJwt !== void 0) {
+		jws = await decryptJwt(jws);
+		({0: protectedHeader, 1: payload, length} = jws.split("."));
+	} else throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
+	if (length !== 3) throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
+	let header;
+	try {
+		header = JSON.parse(buf(b64u(protectedHeader)));
+	} catch (cause) {
+		throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
+	}
+	if (!isJsonObject(header)) throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
+	checkAlg(header);
+	if (header.crit !== void 0) throw new UnsupportedOperationError("no JWT \"crit\" header parameter extensions are supported", { cause: { header } });
+	let claims;
+	try {
+		claims = JSON.parse(buf(b64u(payload)));
+	} catch (cause) {
+		throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
+	}
+	if (!isJsonObject(claims)) throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
+	const now = epochTime() + clockSkew$2;
+	if (claims.exp !== void 0) {
+		if (typeof claims.exp !== "number") throw OPE("unexpected JWT \"exp\" (expiration time) claim type", INVALID_RESPONSE, { claims });
+		if (claims.exp <= now - clockTolerance$2) throw OPE("unexpected JWT \"exp\" (expiration time) claim value, expiration is past current timestamp", JWT_TIMESTAMP_CHECK, {
+			claims,
+			now,
+			tolerance: clockTolerance$2,
+			claim: "exp"
+		});
+	}
+	if (claims.iat !== void 0) {
+		if (typeof claims.iat !== "number") throw OPE("unexpected JWT \"iat\" (issued at) claim type", INVALID_RESPONSE, { claims });
+	}
+	if (claims.iss !== void 0) {
+		if (typeof claims.iss !== "string") throw OPE("unexpected JWT \"iss\" (issuer) claim type", INVALID_RESPONSE, { claims });
+	}
+	if (claims.nbf !== void 0) {
+		if (typeof claims.nbf !== "number") throw OPE("unexpected JWT \"nbf\" (not before) claim type", INVALID_RESPONSE, { claims });
+		if (claims.nbf > now + clockTolerance$2) throw OPE("unexpected JWT \"nbf\" (not before) claim value", JWT_TIMESTAMP_CHECK, {
+			claims,
+			now,
+			tolerance: clockTolerance$2,
+			claim: "nbf"
+		});
+	}
+	if (claims.aud !== void 0) {
+		if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) throw OPE("unexpected JWT \"aud\" (audience) claim type", INVALID_RESPONSE, { claims });
+	}
+	return {
+		header,
+		claims,
+		jwt: jws
+	};
+}
+async function consumeStream(request) {
+	if (request.bodyUsed) throw CodedTypeError$1("form_post Request instances must contain a readable body", ERR_INVALID_ARG_VALUE$1, { cause: request });
+	return request.text();
+}
+async function formPostResponse(request) {
+	if (request.method !== "POST") throw CodedTypeError$1("form_post responses are expected to use the POST method", ERR_INVALID_ARG_VALUE$1, { cause: request });
+	if (getContentType(request) !== "application/x-www-form-urlencoded") throw CodedTypeError$1("form_post responses are expected to use the application/x-www-form-urlencoded content-type", ERR_INVALID_ARG_VALUE$1, { cause: request });
+	return consumeStream(request);
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+	if (client !== void 0) {
+		if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
+			header,
+			expected: client,
+			reason: "client configuration"
+		});
+		return;
+	}
+	if (Array.isArray(issuer)) {
+		if (!issuer.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
+			header,
+			expected: issuer,
+			reason: "authorization server metadata"
+		});
+		return;
+	}
+	if (fallback !== void 0) {
+		if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
+			header,
+			expected: fallback,
+			reason: "default value"
+		});
+		return;
+	}
+	throw OPE("missing client or server configuration to verify used JWT \"alg\" header parameter", void 0, {
+		client,
+		issuer,
+		fallback
+	});
+}
+function getURLSearchParameter(parameters, name) {
+	const { 0: value, length } = parameters.getAll(name);
+	if (length > 1) throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
+	return value;
+}
+const skipStateCheck$1 = Symbol();
+const expectNoState = Symbol();
+function validateAuthResponse(as, client, parameters, expectedState) {
+	assertAs(as);
+	assertClient(client);
+	if (parameters instanceof URL) parameters = parameters.searchParams;
+	if (!(parameters instanceof URLSearchParams)) throw CodedTypeError$1("\"parameters\" must be an instance of URLSearchParams, or URL", ERR_INVALID_ARG_TYPE$1);
+	if (getURLSearchParameter(parameters, "response")) throw OPE("\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()", INVALID_RESPONSE, { parameters });
+	const iss = getURLSearchParameter(parameters, "iss");
+	const state = getURLSearchParameter(parameters, "state");
+	if (!iss && as.authorization_response_iss_parameter_supported) throw OPE("response parameter \"iss\" (issuer) missing", INVALID_RESPONSE, { parameters });
+	if (iss && iss !== as.issuer) throw OPE("unexpected \"iss\" (issuer) response parameter value", INVALID_RESPONSE, {
+		expected: as.issuer,
+		parameters
+	});
+	switch (expectedState) {
+		case void 0:
+		case expectNoState:
+			if (state !== void 0) throw OPE("unexpected \"state\" response parameter encountered", INVALID_RESPONSE, {
+				expected: void 0,
+				parameters
+			});
+			break;
+		case skipStateCheck$1: break;
+		default:
+			assertString$1(expectedState, "\"expectedState\" argument");
+			if (state !== expectedState) throw OPE(state === void 0 ? "response parameter \"state\" missing" : "unexpected \"state\" response parameter value", INVALID_RESPONSE, {
+				expected: expectedState,
+				parameters
+			});
+	}
+	if (getURLSearchParameter(parameters, "error")) throw new AuthorizationResponseError("authorization response from the server is an error", { cause: parameters });
+	const id_token = getURLSearchParameter(parameters, "id_token");
+	const token = getURLSearchParameter(parameters, "token");
+	if (id_token !== void 0 || token !== void 0) throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
+	return brand(new URLSearchParams(parameters));
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+	let json;
+	try {
+		json = await response.json();
+	} catch (cause) {
+		check(response);
+		throw OPE("failed to parse \"response\" body as JSON", PARSE_ERROR, cause);
+	}
+	if (!isJsonObject(json)) throw OPE("\"response\" body must be a top level object", INVALID_RESPONSE, { body: json });
+	return json;
+}
+const _nodiscoverycheck = Symbol();
+const _expectedIssuer = Symbol();
+
+//#endregion
+//#region ../../node_modules/openid-client/build/index.js
+let headers;
+let USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+	USER_AGENT = `openid-client/v6.8.1`;
+	headers = { "user-agent": USER_AGENT };
+}
+const int = (config) => {
+	return props.get(config);
+};
+let props;
+let tbi;
+function ClientSecretPost(clientSecret) {
+	if (clientSecret !== void 0) return ClientSecretPost$1(clientSecret);
+	tbi ||= /* @__PURE__ */ new WeakMap();
+	return (as, client, body, headers$1) => {
+		let auth;
+		if (!(auth = tbi.get(client))) {
+			assertString(client.client_secret, "\"metadata.client_secret\"");
+			auth = ClientSecretPost$1(client.client_secret);
+			tbi.set(client, auth);
+		}
+		return auth(as, client, body, headers$1);
+	};
+}
+function assertString(input, it) {
+	if (typeof input !== "string") throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE);
+	if (input.length === 0) throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE);
+}
+function None() {
+	return None$1();
+}
+const skipStateCheck = skipStateCheck$1;
+const skipSubjectCheck = skipSubjectCheck$1;
+const customFetch = customFetch$1;
+const modifyAssertion = modifyAssertion$1;
+const clockSkew = clockSkew$1;
+const clockTolerance = clockTolerance$1;
+const ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
+const ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
+function CodedTypeError(message, code, cause) {
+	const err = new TypeError(message, { cause });
+	Object.assign(err, { code });
+	return err;
+}
+function calculatePKCECodeChallenge(codeVerifier) {
+	return calculatePKCECodeChallenge$1(codeVerifier);
+}
+function randomPKCECodeVerifier() {
+	return generateRandomCodeVerifier();
+}
+function randomState() {
+	return generateRandomState();
+}
+var ClientError = class extends Error {
+	code;
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		this.code = options?.code;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+const decoder = new TextDecoder();
+function e(msg, cause, code) {
+	return new ClientError(msg, {
+		cause,
+		code
+	});
+}
+function errorHandler(err) {
+	if (err instanceof TypeError || err instanceof ClientError || err instanceof ResponseBodyError || err instanceof AuthorizationResponseError || err instanceof WWWAuthenticateChallengeError) throw err;
+	if (err instanceof OperationProcessingError) switch (err.code) {
+		case HTTP_REQUEST_FORBIDDEN: throw e("only requests to HTTPS are allowed", err, err.code);
+		case REQUEST_PROTOCOL_FORBIDDEN: throw e("only requests to HTTP or HTTPS are allowed", err, err.code);
+		case RESPONSE_IS_NOT_CONFORM: throw e("unexpected HTTP response status code", err.cause, err.code);
+		case RESPONSE_IS_NOT_JSON: throw e("unexpected response content-type", err.cause, err.code);
+		case PARSE_ERROR: throw e("parsing error occured", err, err.code);
+		case INVALID_RESPONSE: throw e("invalid response encountered", err, err.code);
+		case JWT_CLAIM_COMPARISON: throw e("unexpected JWT claim value encountered", err, err.code);
+		case JSON_ATTRIBUTE_COMPARISON: throw e("unexpected JSON attribute value encountered", err, err.code);
+		case JWT_TIMESTAMP_CHECK: throw e("JWT timestamp claim value failed validation", err, err.code);
+		default: throw e(err.message, err, err.code);
+	}
+	if (err instanceof UnsupportedOperationError) throw e("unsupported operation", err, err.code);
+	if (err instanceof DOMException) switch (err.name) {
+		case "OperationError": throw e("runtime operation error", err, UNSUPPORTED_OPERATION);
+		case "NotSupportedError": throw e("runtime unsupported operation", err, UNSUPPORTED_OPERATION);
+		case "TimeoutError": throw e("operation timed out", err, "OAUTH_TIMEOUT");
+		case "AbortError": throw e("operation aborted", err, "OAUTH_ABORT");
+	}
+	throw new ClientError("something went wrong", { cause: err });
+}
+function handleEntraId(server, as, options) {
+	if (server.origin === "https://login.microsoftonline.com" && (!options?.algorithm || options.algorithm === "oidc")) {
+		as[kEntraId] = true;
+		return true;
+	}
+	return false;
+}
+function handleB2Clogin(server, options) {
+	if (server.hostname.endsWith(".b2clogin.com") && (!options?.algorithm || options.algorithm === "oidc")) return true;
+	return false;
+}
+async function discovery(server, clientId, metadata, clientAuthentication, options) {
+	const instance = new Configuration(await performDiscovery(server, options), clientId, metadata, clientAuthentication);
+	let internals = int(instance);
+	if (options?.[customFetch]) internals.fetch = options[customFetch];
+	if (options?.timeout) internals.timeout = options.timeout;
+	if (options?.execute) for (const extension of options.execute) extension(instance);
+	return instance;
+}
+async function performDiscovery(server, options) {
+	if (!(server instanceof URL)) throw CodedTypeError("\"server\" must be an instance of URL", ERR_INVALID_ARG_TYPE);
+	const resolve = !server.href.includes("/.well-known/");
+	const timeout = options?.timeout ?? 30;
+	const signal$2 = AbortSignal.timeout(timeout * 1e3);
+	const as = await (resolve ? discoveryRequest(server, {
+		algorithm: options?.algorithm,
+		[customFetch$1]: options?.[customFetch],
+		[allowInsecureRequests$1]: options?.execute?.includes(allowInsecureRequests),
+		signal: signal$2,
+		headers: new Headers(headers)
+	}) : (options?.[customFetch] || fetch)((() => {
+		checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true);
+		return server.href;
+	})(), {
+		headers: Object.fromEntries(new Headers({
+			accept: "application/json",
+			...headers
+		}).entries()),
+		body: void 0,
+		method: "GET",
+		redirect: "manual",
+		signal: signal$2
+	})).then((response) => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
+	if (resolve && new URL(as.issuer).href !== server.href) handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
+		throw new ClientError("discovered metadata issuer does not match the expected issuer", {
+			code: JSON_ATTRIBUTE_COMPARISON,
+			cause: {
+				expected: server.href,
+				body: as,
+				attribute: "issuer"
+			}
+		});
+	})();
+	return as;
+}
+function getServerHelpers(metadata) {
+	return { supportsPKCE: {
+		__proto__: null,
+		value(method = "S256") {
+			return metadata.code_challenge_methods_supported?.includes(method) === true;
+		}
+	} };
+}
+function addServerHelpers(metadata) {
+	Object.defineProperties(metadata, getServerHelpers(metadata));
+}
+const kEntraId = Symbol();
+var Configuration = class {
+	constructor(server, clientId, metadata, clientAuthentication) {
+		if (typeof clientId !== "string" || !clientId.length) throw CodedTypeError("\"clientId\" must be a non-empty string", ERR_INVALID_ARG_TYPE);
+		if (typeof metadata === "string") metadata = { client_secret: metadata };
+		if (metadata?.client_id !== void 0 && clientId !== metadata.client_id) throw CodedTypeError("\"clientId\" and \"metadata.client_id\" must be the same", ERR_INVALID_ARG_VALUE);
+		const client = {
+			...structuredClone(metadata),
+			client_id: clientId
+		};
+		client[clockSkew$1] = metadata?.[clockSkew$1] ?? 0;
+		client[clockTolerance$1] = metadata?.[clockTolerance$1] ?? 30;
+		let auth;
+		if (clientAuthentication) auth = clientAuthentication;
+		else if (typeof client.client_secret === "string" && client.client_secret.length) auth = ClientSecretPost(client.client_secret);
+		else auth = None();
+		let c = Object.freeze(client);
+		const clone = structuredClone(server);
+		if (kEntraId in server) clone[_expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace("{tenantid}", tid);
+		let as = Object.freeze(clone);
+		props ||= /* @__PURE__ */ new WeakMap();
+		props.set(this, {
+			__proto__: null,
+			as,
+			c,
+			auth,
+			tlsOnly: true,
+			jwksCache: {}
+		});
+	}
+	serverMetadata() {
+		const metadata = structuredClone(int(this).as);
+		addServerHelpers(metadata);
+		return metadata;
+	}
+	clientMetadata() {
+		return structuredClone(int(this).c);
+	}
+	get timeout() {
+		return int(this).timeout;
+	}
+	set timeout(value) {
+		int(this).timeout = value;
+	}
+	get [customFetch]() {
+		return int(this).fetch;
+	}
+	set [customFetch](value) {
+		int(this).fetch = value;
+	}
+};
+Object.freeze(Configuration.prototype);
+function getHelpers(response) {
+	let exp = void 0;
+	if (response.expires_in !== void 0) {
+		const now = /* @__PURE__ */ new Date();
+		now.setSeconds(now.getSeconds() + response.expires_in);
+		exp = now.getTime();
+	}
+	return {
+		expiresIn: {
+			__proto__: null,
+			value() {
+				if (exp) {
+					const now = Date.now();
+					if (exp > now) return Math.floor((exp - now) / 1e3);
+					return 0;
+				}
+			}
+		},
+		claims: {
+			__proto__: null,
+			value() {
+				try {
+					return getValidatedIdTokenClaims(this);
+				} catch {
+					return;
+				}
+			}
+		}
+	};
+}
+function addHelpers(response) {
+	Object.defineProperties(response, getHelpers(response));
+}
+function allowInsecureRequests(config) {
+	int(config).tlsOnly = false;
+}
+function stripParams(url) {
+	url = new URL(url);
+	url.search = "";
+	url.hash = "";
+	return url.href;
+}
+function webInstanceOf(input, toStringTag) {
+	try {
+		return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag;
+	} catch {
+		return false;
+	}
+}
+async function authorizationCodeGrant(config, currentUrl, checks, tokenEndpointParameters, options) {
+	checkConfig(config);
+	if (options?.flag !== retry && !(currentUrl instanceof URL) && !webInstanceOf(currentUrl, "Request")) throw CodedTypeError("\"currentUrl\" must be an instance of URL, or Request", ERR_INVALID_ARG_TYPE);
+	let authResponse;
+	let redirectUri;
+	const { as, c, auth, fetch: fetch$1, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt, implicit } = int(config);
+	if (options?.flag === retry) {
+		authResponse = options.authResponse;
+		redirectUri = options.redirectUri;
+	} else {
+		if (!(currentUrl instanceof URL)) {
+			const request = currentUrl;
+			currentUrl = new URL(currentUrl.url);
+			switch (request.method) {
+				case "GET": break;
+				case "POST":
+					const params = new URLSearchParams(await formPostResponse(request));
+					if (hybrid) currentUrl.hash = params.toString();
+					else for (const [k, v] of params.entries()) currentUrl.searchParams.append(k, v);
+					break;
+				default: throw CodedTypeError("unexpected Request HTTP method", ERR_INVALID_ARG_VALUE);
+			}
+		}
+		redirectUri = stripParams(currentUrl);
+		switch (true) {
+			case !!jarm:
+				authResponse = await jarm(currentUrl, checks?.expectedState);
+				break;
+			case !!hybrid:
+				authResponse = await hybrid(currentUrl, checks?.expectedNonce, checks?.expectedState, checks?.maxAge);
+				break;
+			case !!implicit: throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");
+			default: try {
+				authResponse = validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState);
+			} catch (err) {
+				errorHandler(err);
+			}
+		}
+	}
+	const response = await authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || nopkce, {
+		additionalParameters: tokenEndpointParameters,
+		[customFetch$1]: fetch$1,
+		[allowInsecureRequests$1]: !tlsOnly,
+		DPoP: options?.DPoP,
+		headers: new Headers(headers),
+		signal: signal(timeout)
+	}).catch(errorHandler);
+	if (typeof checks?.expectedNonce === "string" || typeof checks?.maxAge === "number") checks.idTokenExpected = true;
+	const p = processAuthorizationCodeResponse(as, c, response, {
+		expectedNonce: checks?.expectedNonce,
+		maxAge: checks?.maxAge,
+		requireIdToken: checks?.idTokenExpected,
+		[jweDecrypt]: decrypt
+	});
+	let result;
+	try {
+		result = await p;
+	} catch (err) {
+		if (retryable(err, options)) return authorizationCodeGrant(config, void 0, checks, tokenEndpointParameters, {
+			...options,
+			flag: retry,
+			authResponse,
+			redirectUri
+		});
+		errorHandler(err);
+	}
+	result.id_token && await nonRepudiation?.(response);
+	addHelpers(result);
+	return result;
+}
+async function refreshTokenGrant(config, refreshToken, parameters, options) {
+	checkConfig(config);
+	parameters = new URLSearchParams(parameters);
+	const { as, c, auth, fetch: fetch$1, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);
+	const response = await refreshTokenGrantRequest(as, c, auth, refreshToken, {
+		[customFetch$1]: fetch$1,
+		[allowInsecureRequests$1]: !tlsOnly,
+		additionalParameters: parameters,
+		DPoP: options?.DPoP,
+		headers: new Headers(headers),
+		signal: signal(timeout)
+	}).catch(errorHandler);
+	const p = processRefreshTokenResponse(as, c, response, { [jweDecrypt]: decrypt });
+	let result;
+	try {
+		result = await p;
+	} catch (err) {
+		if (retryable(err, options)) return refreshTokenGrant(config, refreshToken, parameters, {
+			...options,
+			flag: retry
+		});
+		errorHandler(err);
+	}
+	result.id_token && await nonRepudiation?.(response);
+	addHelpers(result);
+	return result;
+}
+function buildAuthorizationUrl(config, parameters) {
+	checkConfig(config);
+	const { as, c, tlsOnly, hybrid, jarm, implicit } = int(config);
+	const authorizationEndpoint = resolveEndpoint(as, "authorization_endpoint", false, tlsOnly);
+	parameters = new URLSearchParams(parameters);
+	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
+	if (!parameters.has("request_uri") && !parameters.has("request")) {
+		if (!parameters.has("response_type")) parameters.set("response_type", hybrid ? "code id_token" : implicit ? "id_token" : "code");
+		if (implicit && !parameters.has("nonce")) throw CodedTypeError("response_type=id_token clients must provide a nonce parameter in their authorization request parameters", ERR_INVALID_ARG_VALUE);
+		if (jarm) parameters.set("response_mode", "jwt");
+	}
+	for (const [k, v] of parameters.entries()) authorizationEndpoint.searchParams.append(k, v);
+	return authorizationEndpoint;
+}
+function buildEndSessionUrl(config, parameters) {
+	checkConfig(config);
+	const { as, c, tlsOnly } = int(config);
+	const endSessionEndpoint = resolveEndpoint(as, "end_session_endpoint", false, tlsOnly);
+	parameters = new URLSearchParams(parameters);
+	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
+	for (const [k, v] of parameters.entries()) endSessionEndpoint.searchParams.append(k, v);
+	return endSessionEndpoint;
+}
+function checkConfig(input) {
+	if (!(input instanceof Configuration)) throw CodedTypeError("\"config\" must be an instance of Configuration", ERR_INVALID_ARG_TYPE);
+	if (Object.getPrototypeOf(input) !== Configuration.prototype) throw CodedTypeError("subclassing Configuration is not allowed", ERR_INVALID_ARG_VALUE);
+}
+function signal(timeout) {
+	return timeout ? AbortSignal.timeout(timeout * 1e3) : void 0;
+}
+function retryable(err, options) {
+	if (options?.DPoP && options.flag !== retry) return isDPoPNonceError(err);
+	return false;
+}
+const retry = Symbol();
+
+//#endregion
+//#region src/auth/descriptors/$auth.ts
+/**
+* Creates an authentication provider descriptor for handling user login flows.
+*
+* Supports multiple authentication strategies: credentials (username/password), OAuth2,
+* and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
+* integration with both external identity providers (Auth0, Keycloak) and internal realms.
+*
+* **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
+*
+* @example
+* ```ts
+* class AuthProviders {
+*   // Internal credentials-based auth
+*   credentials = $auth({
+*     realm: this.userRealm,
+*     credentials: {
+*       account: async ({ username, password }) => {
+*         return await this.validateUser(username, password);
+*       }
+*     }
+*   });
+*
+*   // External OIDC provider
+*   keycloak = $auth({
+*     oidc: {
+*       issuer: "https://auth.example.com",
+*       clientId: "my-app",
+*       clientSecret: "secret",
+*       redirectUri: "/auth/callback"
+*     }
+*   });
+* }
+* ```
+*/
+const $auth = (options) => {
+	return createDescriptor(AuthDescriptor, options);
+};
+var AuthDescriptor = class extends Descriptor {
+	securityProvider = $inject(SecurityProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	oauth;
+	get name() {
+		return this.options.name ?? this.config.propertyKey;
+	}
+	get jwks_uri() {
+		const jwks = this.oauth?.serverMetadata().jwks_uri;
+		if (!jwks) throw new AlephaError("No JWKS URI available for the auth provider");
+		return jwks;
+	}
+	get scope() {
+		if ("oauth" in this.options) return this.options.oauth.scope;
+		if ("oidc" in this.options) return this.options.oidc.scope || "openid profile email";
+		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
+	}
+	get redirect_uri() {
+		if ("oauth" in this.options) return this.options.oauth.redirectUri;
+		if ("oidc" in this.options) return this.options.oidc.redirectUri;
+		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
+	}
+	/**
+	* Refreshes the access token using the refresh token.
+	* Can be used on oauth2, oidc or credentials auth providers.
+	*/
+	async refresh(refreshToken, accessToken) {
+		if ("realm" in this.options) return this.options.realm.refreshToken(refreshToken, accessToken).then((it) => it.tokens).catch((error) => {
+			throw new SecurityError("Failed to refresh access token using the refresh token (realm)", { cause: error });
+		});
+		else if (this.oauth) try {
+			return {
+				...await refreshTokenGrant(this.oauth, refreshToken),
+				issued_at: this.dateTimeProvider.now().unix()
+			};
+		} catch (error) {
+			throw new SecurityError("Failed to refresh access token using the refresh token (oauth2)", { cause: error });
+		}
+		throw new AlephaError("No realm or OAuth2 configuration available for refreshing the access token");
+	}
+	/**
+	* Extracts user information from the access token.
+	* This is used to create a user account from the access token.
+	*/
+	async user(tokens) {
+		try {
+			if ("oauth" in this.options) {
+				const profile = await this.options.oauth.userinfo(tokens);
+				if (this.options.oauth.account) return this.options.oauth.account({
+					...tokens,
+					user: profile
+				});
+				return this.securityProvider.createUserFromPayload(profile);
+			}
+			if ("oidc" in this.options) {
+				const payload = this.getUserFromIdToken(tokens.id_token || "");
+				if (this.options.oidc.account) return this.options.oidc.account({
+					...tokens,
+					user: payload
+				});
+				return this.securityProvider.createUserFromPayload(payload);
+			}
+		} catch (error) {
+			throw new SecurityError("Failed to extract user from identity provider tokens", { cause: error });
+		}
+		throw new AlephaError("This authentication does not support user extraction from tokens");
+	}
+	getUserFromIdToken(idToken) {
+		try {
+			return JSON.parse(Buffer.from(idToken.split(".")[1], "base64").toString("utf8"));
+		} catch (error) {
+			throw new AlephaError("Failed to parse ID Token payload", { cause: error });
+		}
+	}
+	async prepare() {
+		const addons = [];
+		addons.push(allowInsecureRequests);
+		if ("oidc" in this.options) {
+			const { oidc } = this.options;
+			this.oauth = await discovery(new URL(oidc.issuer), oidc.clientId, { client_secret: oidc.clientSecret }, void 0, { execute: addons });
+		}
+		if ("oauth" in this.options) {
+			const { oauth } = this.options;
+			this.oauth = new Configuration({
+				authorization_endpoint: oauth.authorization,
+				token_endpoint: oauth.token,
+				issuer: oauth.authorization,
+				jwks_uri: void 0,
+				end_session_endpoint: void 0
+			}, oauth.clientId, { client_secret: oauth.clientSecret });
+		}
+	}
+};
+$auth[KIND] = AuthDescriptor;
+
+//#endregion
+//#region src/auth/schemas/tokensSchema.ts
+const tokensSchema = t.object({
+	provider: t.text(),
+	access_token: t.text({ size: "rich" }),
+	issued_at: t.number(),
+	expires_in: t.optional(t.number()),
+	refresh_token: t.optional(t.text({ size: "rich" })),
+	refresh_token_expires_in: t.optional(t.number()),
+	refresh_expires_in: t.optional(t.number({ description: "Alias of `refresh_token_expires_in` for compatibility with some providers." })),
+	id_token: t.optional(t.text({ size: "rich" })),
+	scope: t.optional(t.text())
+});
+
+//#endregion
+//#region src/auth/schemas/tokenResponseSchema.ts
+const tokenResponseSchema = t.extend(tokensSchema, {
+	user: userAccountInfoSchema,
+	api: apiLinksResponseSchema
+});
+
+//#endregion
+//#region src/auth/schemas/userinfoResponseSchema.ts
+const userinfoResponseSchema = t.object({
+	user: t.optional(userAccountInfoSchema),
+	api: apiLinksResponseSchema
+});
+
+//#endregion
+//#region src/auth/services/ReactAuth.ts
+/**
+* Browser, SSR friendly, service to handle authentication.
+*/
+var ReactAuth = class ReactAuth {
+	log = $logger();
+	alepha = $inject(Alepha);
+	httpClient = $inject(HttpClient);
+	static path = {
+		login: "/oauth/login",
+		callback: "/oauth/callback",
+		logout: "/oauth/logout",
+		token: "/_auth/token",
+		refresh: "/_auth/refresh",
+		userinfo: "/_auth/userinfo"
+	};
+	onBeginTransition = $hook({
+		on: "react:transition:begin",
+		handler: async (event) => {
+			if (this.alepha.isBrowser()) Object.defineProperty(event.state, "user", { get: () => this.user });
+		}
+	});
+	onFetchRequest = $hook({
+		on: "client:onRequest",
+		handler: async ({ request }) => {
+			if (this.alepha.isBrowser() && this.user) request.credentials ??= "include";
+		}
+	});
+	/**
+	* Get the current authenticated user.
+	*
+	* Alias for `alepha.state.get("user")`
+	*/
+	get user() {
+		return this.alepha.state.get("alepha.server.request.user");
+	}
+	async ping() {
+		const { data } = await this.httpClient.fetch(ReactAuth.path.userinfo, { schema: { response: userinfoResponseSchema } });
+		this.alepha.state.set("alepha.server.request.apiLinks", data.api);
+		this.alepha.state.set("alepha.server.request.user", data.user);
+		return data.user;
+	}
+	async login(provider, options) {
+		if (options.username || options.password) {
+			const { data } = await this.httpClient.fetch(`${options.hostname || ""}${ReactAuth.path.token}?provider=${provider}`, {
+				method: "POST",
+				body: JSON.stringify({
+					username: options.username,
+					password: options.password,
+					...options
+				}),
+				schema: { response: tokenResponseSchema }
+			});
+			this.alepha.state.set("alepha.server.request.apiLinks", data.api);
+			this.alepha.state.set("alepha.server.request.user", data.user);
+			return data;
+		}
+		if (this.alepha.isBrowser()) {
+			const browser = this.alepha.inject(ReactBrowserProvider);
+			const redirect = options.redirect || (browser.transitioning ? window.location.origin + browser.transitioning.to : window.location.href);
+			const href = `${window.location.origin}${ReactAuth.path.login}?provider=${provider}&redirect_uri=${encodeURIComponent(redirect)}`;
+			if (browser.transitioning) throw new Redirection(href);
+			else {
+				window.location.href = href;
+				return {};
+			}
+		}
+		throw new Redirection(`${ReactAuth.path.login}?provider=${provider}&redirect_uri=${options.redirect || "/"}`);
+	}
+	logout() {
+		window.location.href = `${ReactAuth.path.logout}?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}`;
+	}
+};
+
+//#endregion
+//#region src/auth/providers/ReactAuthProvider.ts
+var ReactAuthProvider = class {
+	log = $logger();
+	alepha = $inject(Alepha);
+	serverCookiesProvider = $inject(ServerCookiesProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	serverLinksProvider = $inject(ServerLinksProvider);
+	reactAuth = $inject(ReactAuth);
+	authorizationCode = $cookie({
+		name: "authorizationCode",
+		ttl: [15, "minutes"],
+		httpOnly: true,
+		schema: t.object({
+			provider: t.text(),
+			codeVerifier: t.optional(t.text({ size: "long" })),
+			redirectUri: t.optional(t.text({ size: "long" })),
+			state: t.optional(t.text()),
+			nonce: t.optional(t.text())
+		})
+	});
+	tokens = $cookie({
+		name: "tokens",
+		ttl: [30, "days"],
+		httpOnly: true,
+		compress: true,
+		encrypt: true,
+		schema: tokensSchema
+	});
+	onRender = $hook({
+		on: "react:server:render:begin",
+		handler: async ({ request, state }) => {
+			if (request?.user) {
+				const { token, realm, ...user } = request.user;
+				this.alepha.state.set("alepha.server.request.user", user);
+				state.user = user;
+			}
+		}
+	});
+	get identities() {
+		return this.alepha.descriptors($auth).filter((auth) => !auth.options.disabled);
+	}
+	configure = $hook({
+		on: "configure",
+		handler: async () => {
+			for (const identity of this.identities) await identity.prepare();
+		}
+	});
+	getAccessTokens(tokens) {
+		const idp = this.provider(tokens.provider);
+		if ("oidc" in idp.options && !("realm" in idp.options) && idp.options.oidc?.useIdToken) return tokens.id_token;
+		return tokens.access_token;
+	}
+	/**
+	* Fill request headers with access token from cookies or fallback to provider's fallback function.
+	*/
+	onRequest = $hook({
+		on: "server:onRequest",
+		after: this.serverCookiesProvider,
+		handler: async ({ request }) => {
+			const cookies = request.cookies;
+			if (cookies) {
+				const tokens = await this.cookiesToTokens(cookies);
+				if (tokens) {
+					request.headers.authorization = `Bearer ${this.getAccessTokens(tokens)}`;
+					this.log.trace("Access token set in request headers", { provider: tokens.provider });
+				}
+			}
+			if (!request.headers.authorization) {
+				for (const provider of this.identities) if (!("realm" in provider.options) && !!provider.options.fallback) {
+					const token = await provider.options.fallback();
+					if (token) {
+						request.headers.authorization = `Bearer ${token}`;
+						break;
+					}
+				}
+			}
+		}
+	});
+	/**
+	* Convert cookies to tokens.
+	* If the tokens are expired, try to refresh them using the refresh token.
+	*/
+	async cookiesToTokens(cookies) {
+		const tokens = this.tokens.get({ cookies });
+		if (!tokens) {
+			this.log.trace("No tokens found in cookies");
+			return;
+		}
+		this.log.trace("Tokens found in cookies", {
+			expires_in: tokens.expires_in,
+			issued_at: tokens.issued_at
+		});
+		const refreshedTokens = await this.refreshTokens(tokens);
+		if (!refreshedTokens) {
+			this.tokens.del({ cookies });
+			return;
+		}
+		if (refreshedTokens.access_token !== tokens.access_token) this.setTokens(refreshedTokens, cookies);
+		return refreshedTokens;
+	}
+	async refreshTokens(tokens) {
+		if (tokens.expires_in && tokens.issued_at) {
+			if (tokens.issued_at + (tokens.expires_in - 10) < this.dateTimeProvider.now().unix()) {
+				this.log.trace("Tokens are expired");
+				if (tokens.refresh_token) {
+					this.log.trace("Trying to refresh tokens using refresh token");
+					try {
+						const newTokens = {
+							...await this.provider(tokens).refresh(tokens.refresh_token, tokens.access_token),
+							provider: tokens.provider,
+							issued_at: this.dateTimeProvider.now().unix()
+						};
+						this.log.debug("Tokens refreshed successfully");
+						return newTokens;
+					} catch (e$1) {
+						this.log.warn("Failed to refresh token", e$1);
+					}
+				}
+				return;
+			}
+		}
+		if (!tokens.issued_at && tokens.access_token) return;
+		return tokens;
+	}
+	/**
+	* Get user information.
+	*/
+	userinfo = $route({
+		path: ReactAuth.path.userinfo,
+		schema: { response: userinfoResponseSchema },
+		handler: async ({ user, headers: headers$1, cookies }) => {
+			const tokens = this.tokens.get({ cookies });
+			if (tokens) {
+				const provider = this.provider(tokens);
+				if (!("realm" in provider.options)) {
+					const user$1 = await provider.user(tokens);
+					return {
+						api: await this.serverLinksProvider.getUserApiLinks({
+							authorization: headers$1.authorization,
+							user: user$1
+						}),
+						user: user$1
+					};
+				}
+			}
+			return {
+				api: await this.serverLinksProvider.getUserApiLinks({
+					authorization: headers$1.authorization,
+					user
+				}),
+				user
+			};
+		}
+	});
+	/**
+	* Refresh a token for internal providers.
+	*/
+	refresh = $route({
+		path: ReactAuth.path.refresh,
+		method: "POST",
+		schema: {
+			query: t.object({ provider: t.text() }),
+			body: t.object({
+				refresh_token: t.text({ size: "rich" }),
+				access_token: t.optional(t.text({
+					size: "rich",
+					description: "Required if provider has stateless refresh token on credentials mode"
+				}))
+			}),
+			response: tokensSchema
+		},
+		handler: async ({ query, body, cookies }) => {
+			const provider = this.provider(query);
+			const tokens = {
+				provider: query.provider,
+				...await provider.refresh(body.refresh_token, body.access_token)
+			};
+			this.setTokens(tokens, cookies);
+			return tokens;
+		}
+	});
+	/**
+	* Login for local password-based authentication.
+	*/
+	token = $route({
+		path: ReactAuth.path.token,
+		method: "POST",
+		schema: {
+			query: t.object({ provider: t.text() }),
+			body: t.object({
+				username: t.text(),
+				password: t.text()
+			}),
+			response: tokenResponseSchema
+		},
+		handler: async ({ query, body, cookies }) => {
+			const provider = this.provider(query);
+			const realm = "realm" in provider.options && provider.options.realm;
+			if (!realm) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
+			const credentials = "credentials" in provider.options && provider.options.credentials;
+			if (!credentials) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
+			let user;
+			try {
+				user = await credentials.account(body);
+			} catch (e$1) {
+				throw new UnauthorizedError(`Failed to authenticate user`, { cause: e$1 });
+			}
+			const tokens = {
+				provider: query.provider,
+				...await realm.createToken(user)
+			};
+			this.setTokens(tokens, cookies);
+			const api = await this.serverLinksProvider.getUserApiLinks({ user });
+			return {
+				...tokens,
+				user,
+				api
+			};
+		}
+	});
+	/**
+	* Oauth2/OIDC login route.
+	*/
+	login = $route({
+		path: ReactAuth.path.login,
+		schema: { query: t.object({
+			provider: t.text(),
+			redirect_uri: t.optional(t.text({ size: "rich" }))
+		}) },
+		handler: async ({ query, url, reply }) => {
+			const provider = this.provider(query);
+			const oauth = provider.oauth;
+			if (!oauth) throw new SecurityError(`Auth provider '${query.provider}' does not support OAuth2`);
+			const scope = provider.scope;
+			let redirect_uri = provider.redirect_uri || ReactAuth.path.callback;
+			if (redirect_uri.startsWith("/")) redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;
+			const oidc = "oidc" in provider.options && provider.options.oidc;
+			if (!oauth.serverMetadata().supportsPKCE()) {
+				const state = randomState();
+				const parameters$1 = {
+					redirect_uri,
+					state
+				};
+				if (oidc) parameters$1.nonce = randomState();
+				if (scope) parameters$1.scope = scope;
+				this.authorizationCode.set({
+					state,
+					nonce: parameters$1.nonce,
+					redirectUri: query.redirect_uri ?? "/",
+					provider: query.provider
+				});
+				reply.redirect(buildAuthorizationUrl(oauth, parameters$1).toString());
+				return;
+			}
+			const codeVerifier = randomPKCECodeVerifier();
+			const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+			const parameters = {
+				redirect_uri,
+				code_challenge: codeChallenge,
+				code_challenge_method: "S256"
+			};
+			if (scope) parameters.scope = scope;
+			this.authorizationCode.set({
+				codeVerifier,
+				redirectUri: query.redirect_uri ?? "/",
+				provider: query.provider
+			});
+			reply.redirect(buildAuthorizationUrl(oauth, parameters).toString());
+		}
+	});
+	/**
+	* Callback for OAuth2/OIDC providers.
+	* It handles the authorization code flow and retrieves the access token.
+	*/
+	callback = $route({
+		path: ReactAuth.path.callback,
+		handler: async ({ url, reply, cookies }) => {
+			const authorizationCode = this.authorizationCode.get({ cookies });
+			if (!authorizationCode) throw new BadRequestError("Missing code verifier");
+			const provider = this.provider(authorizationCode);
+			const oauth = provider.oauth;
+			if (!oauth) throw new SecurityError(`Auth provider '${provider.name}' does not support OAuth2`);
+			const redirectUri = authorizationCode.redirectUri ?? "/";
+			const externalTokens = await authorizationCodeGrant(oauth, url, {
+				pkceCodeVerifier: authorizationCode.codeVerifier,
+				expectedState: authorizationCode.state,
+				expectedNonce: authorizationCode.nonce
+			}).then((tokens$1) => ({
+				issued_at: this.dateTimeProvider.now().unix(),
+				provider: provider.name,
+				...tokens$1
+			})).catch((e$1) => {
+				this.log.error("Failed to get access token", e$1);
+				throw new SecurityError("Failed to get access token", { cause: e$1 });
+			});
+			this.authorizationCode.del({ cookies });
+			const realm = "realm" in provider.options && provider.options.realm;
+			if (!realm) {
+				this.setTokens(externalTokens, cookies);
+				reply.redirect(redirectUri);
+				return;
+			}
+			const user = await provider.user(externalTokens);
+			const tokens = await realm.createToken(user);
+			this.setTokens({
+				...tokens,
+				issued_at: this.dateTimeProvider.now().unix(),
+				provider: provider.name
+			}, cookies);
+			reply.redirect(redirectUri);
+		}
+	});
+	/**
+	* Logout route for OAuth2/OIDC providers.
+	*/
+	logout = $route({
+		path: ReactAuth.path.logout,
+		method: "GET",
+		schema: { query: t.object({ post_logout_redirect_uri: t.optional(t.text()) }) },
+		handler: async ({ query, reply, cookies }) => {
+			const redirect = query.post_logout_redirect_uri ?? "/";
+			const tokens = this.tokens.get({ cookies });
+			if (!tokens) {
+				reply.redirect(redirect);
+				return;
+			}
+			const provider = this.provider(tokens.provider);
+			this.tokens.del({ cookies });
+			if ("realm" in provider.options && tokens.refresh_token) {
+				const onDeleteSession = provider.options.realm.options.settings?.onDeleteSession;
+				if (onDeleteSession) try {
+					await onDeleteSession(tokens.refresh_token);
+				} catch (e$1) {
+					this.log.error("Failed to delete session", e$1);
+				}
+			}
+			const oauth = provider.oauth;
+			if (!oauth) {
+				reply.redirect(redirect);
+				return;
+			}
+			const params = new URLSearchParams();
+			const idToken = tokens?.id_token;
+			params.set("post_logout_redirect_uri", redirect);
+			if (idToken) params.set("id_token_hint", idToken);
+			const customLogoutUri = "oidc" in provider.options ? provider.options.oidc?.logoutUri : void 0;
+			if (customLogoutUri) {
+				reply.redirect(`${customLogoutUri}?${params}`);
+				return;
+			}
+			if (!oauth.serverMetadata().end_session_endpoint) {
+				reply.redirect(redirect);
+				return;
+			}
+			reply.redirect(buildEndSessionUrl(oauth, params).toString());
+		}
+	});
+	provider(opts) {
+		const name = typeof opts === "string" ? opts : opts.provider;
+		const identity = this.identities.find((identity$1) => identity$1.name === name);
+		if (!identity) throw new SecurityError(`Auth provider '${name}' not found`);
+		return identity;
+	}
+	setTokens(tokens, cookies) {
+		const exp = tokens.refresh_token_expires_in || tokens.refresh_expires_in || tokens.expires_in;
+		const ttl = exp ? this.dateTimeProvider.duration(exp, "seconds") : void 0;
+		this.tokens.set(tokens, {
+			cookies,
+			ttl
+		});
+	}
+};
+
+//#endregion
+//#region src/auth/descriptors/$authGithub.ts
+/**
+* Already configured GitHub authentication descriptor.
+*
+* Uses OAuth2 to authenticate users via their GitHub accounts.
+* Upon successful authentication, it links the GitHub account to a user session.
+*
+* Environment Variables:
+* - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
+* - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
+*/
+const $authGithub = (realm, options) => {
+	const { alepha } = $context();
+	const env = alepha.parseEnv(t.object({
+		GITHUB_CLIENT_ID: t.string(),
+		GITHUB_CLIENT_SECRET: t.string()
+	}));
+	return $auth({
+		realm,
+		name: "github",
+		oauth: {
+			clientId: env.GITHUB_CLIENT_ID,
+			clientSecret: env.GITHUB_CLIENT_SECRET,
+			authorization: "https://github.com/login/oauth/authorize",
+			token: "https://github.com/login/oauth/access_token",
+			scope: "read:user user:email",
+			userinfo: async (tokens) => {
+				const BASE_URL = "https://api.github.com";
+				const res = await fetch(`${BASE_URL}/user`, { headers: {
+					Authorization: `Bearer ${tokens.access_token}`,
+					"User-Agent": "Alepha"
+				} }).then((res$1) => res$1.json());
+				const user = { sub: res.id.toString() };
+				if (res.email) user.email = res.email;
+				if (res.name) user.name = res.name.trim();
+				if (res.avatar_url) user.picture = res.avatar_url;
+				if (!user.email) {
+					const res$1 = await fetch(`${BASE_URL}/user/emails`, { headers: {
+						Authorization: `Bearer ${tokens.access_token}`,
+						"User-Agent": "Alepha"
+					} });
+					if (res$1.ok) {
+						const emails = await res$1.json();
+						user.email = (emails.find((e$1) => e$1.primary) ?? emails[0]).email;
+					}
+				}
+				return user;
+			},
+			...options
+		}
+	});
+};
+
+//#endregion
+//#region src/auth/descriptors/$authGoogle.ts
+/**
+* Already configured Google authentication descriptor.
+*
+* Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
+* Upon successful authentication, it links the Google account to a user session.
+*
+* Environment Variables:
+* - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
+* - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
+*/
+const $authGoogle = (realm, options) => {
+	const { alepha } = $context();
+	const env = alepha.parseEnv(t.object({
+		GOOGLE_CLIENT_ID: t.string(),
+		GOOGLE_CLIENT_SECRET: t.string()
+	}));
+	return $auth({
+		realm,
+		name: "google",
+		oidc: {
+			issuer: "https://accounts.google.com",
+			clientId: env.GOOGLE_CLIENT_ID,
+			clientSecret: env.GOOGLE_CLIENT_SECRET,
+			...options
+		}
+	});
+};
+
+//#endregion
+//#region src/auth/errors/SessionExpiredError.ts
+var SessionExpiredError = class extends AlephaError {
+	name = "SessionExpiredError";
+	status = 401;
+};
+
+//#endregion
+//#region src/auth/hooks/useAuth.ts
+const useAuth = () => {
+	const alepha = useAlepha();
+	const [user] = useStore("alepha.server.request.user");
+	return {
+		user,
+		logout: () => {
+			alepha.inject(ReactAuth).logout();
+		},
+		login: async (provider, options = {}) => {
+			await alepha.inject(ReactAuth).login(provider, options);
+		},
+		can: (name) => {
+			return alepha.inject(LinkProvider).can(name);
+		}
+	};
+};
+
+//#endregion
+//#region src/auth/index.ts
+/**
+* The ReactAuthModule provides authentication services for React applications.
+*
+* @see {@link ReactAuthProvider}
+* @module alepha.react.auth
+*/
+const AlephaReactAuth = $module({
+	name: "alepha.react.auth",
+	descriptors: [$auth],
+	services: [
+		AlephaReact,
+		AlephaServerCookies,
+		ReactAuthProvider,
+		ReactAuth
+	]
+});
+
+//#endregion
+export { $auth, $authGithub, $authGoogle, AlephaReactAuth, AuthDescriptor, ReactAuth, ReactAuthProvider, SessionExpiredError, useAuth };
+//# sourceMappingURL=index.js.map