@arcblock/did-connect-service 4.0.4 → 4.0.6

package/dist/d1-token-storage.js

@@ -1,83 +0,0 @@
-/**
- * D1TokenStorage — DID Connect token storage backed by D1 (strongly consistent).
- *
- * Drop-in replacement for CloudflareKVStorage. D1 is a single-writer database
- * with consistent reads, avoiding the KV eventual consistency problem where
- * browser polls and wallet writes hit different edge nodes.
- *
- * The `connect_tokens` table schema is managed by D1Store (SCHEMA_SQL).
- * Expired rows are cleaned up lazily on read and probabilistically on create().
- */
-import { EventEmitter } from "events";
-export class D1TokenStorage extends EventEmitter {
-    db;
-    ttl;
-    constructor(db, options = {}) {
-        super();
-        this.db = db;
-        this.ttl = options.ttl ?? 300;
-    }
-    async create(token, status = "created") {
-        const record = { token, status };
-        const expiresAt = Math.floor(Date.now() / 1000) + this.ttl;
-        await this.db
-            .prepare("INSERT OR REPLACE INTO connect_tokens (token, data, expiresAt) VALUES (?, ?, ?)")
-            .bind(token, JSON.stringify(record), expiresAt)
-            .run();
-        this.emit("create", record);
-        // Probabilistic cleanup: ~5% chance per create
-        if (Math.random() < 0.05) {
-            this.cleanup().catch(() => { });
-        }
-        return record;
-    }
-    async read(token) {
-        const row = await this.db
-            .prepare("SELECT data, expiresAt FROM connect_tokens WHERE token = ?")
-            .bind(token)
-            .first();
-        if (!row)
-            return null;
-        // Check expiry
-        if (row.expiresAt < Math.floor(Date.now() / 1000)) {
-            await this.db.prepare("DELETE FROM connect_tokens WHERE token = ?").bind(token).run();
-            return null;
-        }
-        return JSON.parse(row.data);
-    }
-    async update(token, updates) {
-        const existing = await this.read(token);
-        if (!existing)
-            return null;
-        delete updates.token; // prevent token field overwrite
-        const merged = { ...existing, ...updates };
-        const expiresAt = Math.floor(Date.now() / 1000) + this.ttl;
-        await this.db
-            .prepare("UPDATE connect_tokens SET data = ?, expiresAt = ? WHERE token = ?")
-            .bind(JSON.stringify(merged), expiresAt, token)
-            .run();
-        this.emit("update", merged);
-        return merged;
-    }
-    async delete(token) {
-        const existing = await this.read(token);
-        if (existing) {
-            this.emit("destroy", existing);
-        }
-        await this.db.prepare("DELETE FROM connect_tokens WHERE token = ?").bind(token).run();
-    }
-    async exist(token, did) {
-        const record = await this.read(token);
-        if (!record)
-            return false;
-        if (did)
-            return record.did === did;
-        return true;
-    }
-    /** Remove expired rows. Called probabilistically from create(). */
-    async cleanup() {
-        const now = Math.floor(Date.now() / 1000);
-        await this.db.prepare("DELETE FROM connect_tokens WHERE expiresAt < ?").bind(now).run();
-    }
-}
-//# sourceMappingURL=d1-token-storage.js.map

package/dist/d1-token-storage.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"d1-token-storage.js","sourceRoot":"","sources":["../src/d1-token-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAOtC,MAAM,OAAO,cAAe,SAAQ,YAAY;IACtC,EAAE,CAAa;IACf,GAAG,CAAS;IAEpB,YAAY,EAAc,EAAE,UAAiC,EAAE;QAC7D,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,MAAM,GAAG,SAAS;QAC5C,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC;QAC3D,MAAM,IAAI,CAAC,EAAE;aACV,OAAO,CAAC,iFAAiF,CAAC;aAC1F,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC;aAC9C,GAAG,EAAE,CAAC;QACT,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5B,+CAA+C;QAC/C,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACjC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa;QACtB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE;aACtB,OAAO,CAAC,4DAA4D,CAAC;aACrE,IAAI,CAAC,KAAK,CAAC;aACX,KAAK,EAAuC,CAAC;QAChD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,eAAe;QACf,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC;YACtF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,OAA4B;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,gCAAgC;QACtD,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC;QAC3D,MAAM,IAAI,CAAC,EAAE;aACV,OAAO,CAAC,mEAAmE,CAAC;aAC5E,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC;aAC9C,GAAG,EAAE,CAAC;QACT,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC;IACxF,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,GAAY;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,GAAG;YAAE,OAAO,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mEAAmE;IAC3D,KAAK,CAAC,OAAO;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,gDAAgD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAC1F,CAAC;CACF"}

package/dist/did-connect-handler.d.ts

@@ -1,57 +0,0 @@
-/**
- * DIDConnectHandler — DID Wallet authentication for Cloudflare Workers.
- *
- * Uses WalletAuthenticator + WalletHandlers from connect-server with an
- * internal Hono app. The browser polls for status, then calls /complete
- * to receive a JWT cookie.
- *
- * Routes (under /.well-known/service/api/did):
- *   GET/POST  /login/token   — create new connect session
- *   GET       /login/status  — poll session status
- *   GET       /login/timeout — expire session
- *   GET       /login/auth    — wallet fetches auth request
- *   POST      /login/auth    — wallet submits auth response
- *   POST      /connect/complete — browser claims JWT cookie after succeed
- */
-import type { D1Store } from "./store/d1-store.js";
-export interface DIDConnectHandlerOptions {
-    store: D1Store;
-    db: D1Database;
-    appSk: string;
-    jwtSecret: string;
-    jwtExpiresIn: number;
-    cookieName: string;
-    rpID?: string | ((request: Request) => string);
-    appInfo?: {
-        name: string;
-        description?: string;
-        icon?: string;
-    };
-    /** Federation: delegator must use { address, pk } (not { did, pk })
-     *  because WalletAuthenticator internally calls toDid(delegator.address). */
-    delegator?: {
-        address: string;
-        pk: string;
-    };
-    /** Federation: master-signed delegation JWT. */
-    delegation?: string;
-    /** Permanent secret key (PSK) — for auto-delegation when SK has been rotated. */
-    appPsk?: string;
-}
-export declare class DIDConnectHandler {
-    private app;
-    private storage;
-    private options;
-    constructor(options: DIDConnectHandlerOptions);
-    /**
-     * Handle an incoming request. Returns a Response if matched, null otherwise.
-     * Hono returns 404 for unmatched routes — we convert that to null so the
-     * caller can fall through to the next handler.
-     */
-    fetch(request: Request): Promise<Response | null>;
-    /** onAuth callback — create/update user, upsert connected account, audit log. */
-    private handleAuth;
-    /** Exchange a succeed token for a JWT cookie (called by browser after status poll). */
-    private handleComplete;
-}
-//# sourceMappingURL=did-connect-handler.d.ts.map

package/dist/did-connect-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"did-connect-handler.d.ts","sourceRoot":"","sources":["../src/did-connect-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAWH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAGnD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,EAAE,EAAE,UAAU,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC,CAAC;IAC/C,OAAO,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAChE;iFAC6E;IAC7E,SAAS,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,gDAAgD;IAChD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,GAAG,CAAO;IAClB,OAAO,CAAC,OAAO,CAAiB;IAChC,OAAO,CAAC,OAAO,CAA2B;gBAE9B,OAAO,EAAE,wBAAwB;IA2D7C;;;;OAIG;IACG,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAMvD,iFAAiF;YACnE,UAAU;IAqDxB,uFAAuF;YACzE,cAAc;CA+C7B"}

package/dist/did-connect-handler.js

@@ -1,182 +0,0 @@
-/**
- * DIDConnectHandler — DID Wallet authentication for Cloudflare Workers.
- *
- * Uses WalletAuthenticator + WalletHandlers from connect-server with an
- * internal Hono app. The browser polls for status, then calls /complete
- * to receive a JWT cookie.
- *
- * Routes (under /.well-known/service/api/did):
- *   GET/POST  /login/token   — create new connect session
- *   GET       /login/status  — poll session status
- *   GET       /login/timeout — expire session
- *   GET       /login/auth    — wallet fetches auth request
- *   POST      /login/auth    — wallet submits auth response
- *   POST      /connect/complete — browser claims JWT cookie after succeed
- */
-import { WalletAuthenticator, WalletHandlers } from "@arcblock/did-connect-js";
-import { fromSecretKey } from "@ocap/wallet";
-import { Hono } from "hono";
-import { LOGIN_PROVIDER } from "./constants.js";
-import { D1TokenStorage } from "./store/d1-token-storage.js";
-import { signJWT } from "./identity/jwt.js";
-import { generateDelegation, resolveWalletIdentity } from "./identity/wallet-identity.js";
-export class DIDConnectHandler {
-    app;
-    storage;
-    options;
-    constructor(options) {
-        this.options = options;
-        const identity = resolveWalletIdentity(options.appSk, options.appPsk);
-        this.storage = new D1TokenStorage(options.db, { ttl: 300 });
-        // Delegation priority: explicit > auto (from appPsk) > none
-        const hasDelegation = !!(options.delegator || options.delegation);
-        const useAutoDelegation = !hasDelegation && identity.needsDelegation;
-        let delegationJwt;
-        if (useAutoDelegation) {
-            // Cache the delegation JWT promise — resolved lazily on first call
-            const delegationPromise = generateDelegation(identity);
-            delegationJwt = undefined; // Will be set asynchronously
-            delegationPromise.then((jwt) => {
-                delegationJwt = jwt;
-            });
-        }
-        const authenticator = new WalletAuthenticator({
-            wallet: identity.wallet,
-            appInfo: ({ baseUrl }) => ({
-                name: options.appInfo?.name || "App",
-                description: options.appInfo?.description || "",
-                icon: options.appInfo?.icon || `${baseUrl}/favicon.ico`,
-                link: baseUrl,
-            }),
-            chainInfo: { type: "arcblock", host: "none", id: "none" },
-            ...(options.delegator && { delegator: () => options.delegator }),
-            ...(options.delegation && { delegation: () => options.delegation }),
-            ...(useAutoDelegation && {
-                delegator: () => ({
-                    address: identity.permanentWallet.address,
-                    pk: identity.permanentWallet.pk,
-                }),
-                delegation: () => delegationJwt || "",
-            }),
-        });
-        const handlers = new WalletHandlers({
-            tokenStorage: this.storage,
-            authenticator,
-            options: { prefix: "/.well-known/service/api/did" },
-        });
-        this.app = new Hono();
-        handlers.attach({
-            app: this.app,
-            action: "login",
-            claims: {
-                profile: () => ({ fields: ["fullName", "email", "avatar"] }),
-            },
-            onAuth: ({ userDid, userPk, claims }) => this.handleAuth(userDid, userPk, claims),
-        });
-        this.app.post("/.well-known/service/api/did/connect/complete", (c) => this.handleComplete(c));
-    }
-    /**
-     * Handle an incoming request. Returns a Response if matched, null otherwise.
-     * Hono returns 404 for unmatched routes — we convert that to null so the
-     * caller can fall through to the next handler.
-     */
-    async fetch(request) {
-        const response = await this.app.fetch(request);
-        if (response.status === 404)
-            return null;
-        return response;
-    }
-    /** onAuth callback — create/update user, upsert connected account, audit log. */
-    async handleAuth(userDid, userPk, claims) {
-        const { store } = this.options;
-        // claims is an array of claim objects — find the profile claim
-        const profileClaim = Array.isArray(claims)
-            ? claims.find((c) => c.type === "profile")
-            : claims?.profile;
-        const profile = profileClaim || {};
-        const existingUser = await store.getUserByDid(userDid);
-        const isNewUser = !existingUser;
-        if (isNewUser) {
-            await store.createUser({
-                did: userDid,
-                pk: userPk,
-                fullName: profile.fullName,
-                email: profile.email,
-                sourceProvider: LOGIN_PROVIDER.WALLET,
-            });
-            // First user becomes owner
-            const userCount = await store.getUserCount();
-            if (userCount === 1) {
-                await store.updateUserRole(userDid, "owner");
-            }
-        }
-        else {
-            await store.updateLastLogin(userDid);
-            // Update profile if wallet provided new data
-            if (profile.fullName || profile.email || profile.avatar) {
-                await store.updateUserProfile(userDid, {
-                    fullName: profile.fullName,
-                    email: profile.email,
-                    avatar: profile.avatar,
-                });
-            }
-        }
-        await store.upsertConnectedAccount({
-            did: userDid,
-            pk: userPk,
-            userDid,
-            provider: "did-connect",
-            id: userDid,
-        });
-        await store.createAuditLog({
-            action: isNewUser ? "user.register" : "user.login",
-            operatorDid: userDid,
-            metadata: { provider: "did-connect" },
-        });
-    }
-    /** Exchange a succeed token for a JWT cookie (called by browser after status poll). */
-    async handleComplete(c) {
-        let body;
-        try {
-            body = await c.req.json();
-        }
-        catch {
-            return c.json({ error: "Invalid request body" }, 400);
-        }
-        const token = body?.token;
-        if (!token) {
-            return c.json({ error: "Missing token" }, 400);
-        }
-        // Read session — must be in "succeed" status
-        const session = await this.storage.read(token);
-        if (!session || session.status !== "succeed") {
-            return c.json({ error: "Invalid or incomplete session" }, 400);
-        }
-        const userDid = session.did;
-        const userPk = session.pk;
-        if (!userDid || !userPk) {
-            return c.json({ error: "Session missing user info" }, 400);
-        }
-        // Look up user for role + display name
-        const user = await this.options.store.getUserByDid(userDid);
-        if (!user) {
-            return c.json({ error: "User not found" }, 400);
-        }
-        const payload = { did: userDid, pk: userPk };
-        if (user.fullName)
-            payload.displayName = user.fullName;
-        if (user.role)
-            payload.role = user.role;
-        const jwt = await signJWT(payload, this.options.jwtSecret, this.options.jwtExpiresIn);
-        const isSecure = new URL(c.req.url).protocol === "https:";
-        const securePart = isSecure ? " Secure;" : "";
-        let cookie = `${this.options.cookieName}=${jwt}; Path=/; HttpOnly;${securePart} SameSite=Lax; Max-Age=${this.options.jwtExpiresIn}`;
-        const cookieDomain = typeof this.options.rpID === "string" ? this.options.rpID : undefined;
-        if (cookieDomain?.includes("."))
-            cookie += `; Domain=${cookieDomain}`;
-        await this.storage.delete(token);
-        c.header("Set-Cookie", cookie);
-        return c.json({ ok: true, did: userDid });
-    }
-}
-//# sourceMappingURL=did-connect-handler.js.map

package/dist/did-connect-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"did-connect-handler.js","sourceRoot":"","sources":["../src/did-connect-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAE5C,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAoB1F,MAAM,OAAO,iBAAiB;IACpB,GAAG,CAAO;IACV,OAAO,CAAiB;IACxB,OAAO,CAA2B;IAE1C,YAAY,OAAiC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,MAAM,QAAQ,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAE5D,4DAA4D;QAC5D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;QAClE,MAAM,iBAAiB,GAAG,CAAC,aAAa,IAAI,QAAQ,CAAC,eAAe,CAAC;QACrE,IAAI,aAAiC,CAAC;QACtC,IAAI,iBAAiB,EAAE,CAAC;YACtB,mEAAmE;YACnE,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACvD,aAAa,GAAG,SAAS,CAAC,CAAC,6BAA6B;YACxD,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7B,aAAa,GAAG,GAAG,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;YAC5C,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,CAAC,EAAE,OAAO,EAAuB,EAAE,EAAE,CAAC,CAAC;gBAC9C,IAAI,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,IAAI,KAAK;gBACpC,WAAW,EAAE,OAAO,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE;gBAC/C,IAAI,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,IAAI,GAAG,OAAO,cAAc;gBACvD,IAAI,EAAE,OAAO;aACd,CAAC;YACF,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE;YACzD,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,SAAU,EAAE,CAAC;YACjE,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAW,EAAE,CAAC;YACpE,GAAG,CAAC,iBAAiB,IAAI;gBACvB,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;oBAChB,OAAO,EAAE,QAAQ,CAAC,eAAe,CAAC,OAAO;oBACzC,EAAE,EAAE,QAAQ,CAAC,eAAe,CAAC,EAAE;iBAChC,CAAC;gBACF,UAAU,EAAE,GAAG,EAAE,CAAC,aAAa,IAAI,EAAE;aACtC,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC;YAClC,YAAY,EAAE,IAAI,CAAC,OAAO;YAC1B,aAAa;YACb,OAAO,EAAE,EAAE,MAAM,EAAE,8BAA8B,EAAE;SACpD,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEtB,QAAQ,CAAC,MAAM,CAAC;YACd,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,MAAM,EAAE,OAAO;YACf,MAAM,EAAE;gBACN,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;aAC7D;YACD,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAoD,EAAE,EAAE,CACxF,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC;SAC3C,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,+CAA+C,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;IAChG,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,KAAK,CAAC,OAAgB;QAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACzC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,iFAAiF;IACzE,KAAK,CAAC,UAAU,CAAC,OAAe,EAAE,MAAc,EAAE,MAAW;QACnE,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAE/B,+DAA+D;QAC/D,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YACxC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC;YAC/C,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC;QACpB,MAAM,OAAO,GAAG,YAAY,IAAI,EAAE,CAAC;QAEnC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,CAAC,YAAY,CAAC;QAEhC,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,KAAK,CAAC,UAAU,CAAC;gBACrB,GAAG,EAAE,OAAO;gBACZ,EAAE,EAAE,MAAM;gBACV,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,cAAc,EAAE,cAAc,CAAC,MAAM;aACtC,CAAC,CAAC;YAEH,2BAA2B;YAC3B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE,CAAC;YAC7C,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACrC,6CAA6C;YAC7C,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACxD,MAAM,KAAK,CAAC,iBAAiB,CAAC,OAAO,EAAE;oBACrC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,KAAK,CAAC,sBAAsB,CAAC;YACjC,GAAG,EAAE,OAAO;YACZ,EAAE,EAAE,MAAM;YACV,OAAO;YACP,QAAQ,EAAE,aAAa;YACvB,EAAE,EAAE,OAAO;SACZ,CAAC,CAAC;QAEH,MAAM,KAAK,CAAC,cAAc,CAAC;YACzB,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YAClD,WAAW,EAAE,OAAO;YACpB,QAAQ,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE;SACtC,CAAC,CAAC;IACL,CAAC;IAED,uFAAuF;IAC/E,KAAK,CAAC,cAAc,CAAC,CAAU;QACrC,IAAI,IAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;QACjD,CAAC;QAED,6CAA6C;QAC7C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;QAC1B,IAAI,CAAC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;YACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7D,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,GAAG,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,OAAO,GAA4B,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QACtE,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,IAAI,IAAI,CAAC,IAAI;YAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAEtF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC1D,MAAM,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,IAAI,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,sBAAsB,UAAU,0BAA0B,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACpI,MAAM,YAAY,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3F,IAAI,YAAY,EAAE,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,YAAY,YAAY,EAAE,CAAC;QAEtE,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjC,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC/B,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;CACF"}

package/dist/did.d.ts

@@ -1,14 +0,0 @@
-/**
- * DID derivation from passkey public key using @arcblock/did.
- *
- * Matches blocklet-server's pattern: pass raw Uint8Array to fromPublicKey.
- * Uses @noble/hashes (pure JS SHA-256) — Workers compatible.
- */
-/**
- * Derive a `did:abt` DID from a WebAuthn credential public key.
- *
- * @param publicKey - The COSE public key bytes from WebAuthn registration
- * @returns DID string (e.g. "z1abc...")
- */
-export declare function derivePasskeyDID(publicKey: Uint8Array): string;
-//# sourceMappingURL=did.d.ts.map

package/dist/did.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../src/did.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAE9D"}

package/dist/did.js

@@ -1,17 +0,0 @@
-/**
- * DID derivation from passkey public key using @arcblock/did.
- *
- * Matches blocklet-server's pattern: pass raw Uint8Array to fromPublicKey.
- * Uses @noble/hashes (pure JS SHA-256) — Workers compatible.
- */
-import { fromPublicKey } from "@arcblock/did";
-/**
- * Derive a `did:abt` DID from a WebAuthn credential public key.
- *
- * @param publicKey - The COSE public key bytes from WebAuthn registration
- * @returns DID string (e.g. "z1abc...")
- */
-export function derivePasskeyDID(publicKey) {
-    return fromPublicKey(publicKey, "passkey");
-}
-//# sourceMappingURL=did.js.map

package/dist/did.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"did.js","sourceRoot":"","sources":["../src/did.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAqB;IACpD,OAAO,aAAa,CAAC,SAAS,EAAE,SAAS,CAAW,CAAC;AACvD,CAAC"}

package/dist/email-login-handler.d.ts

@@ -1,50 +0,0 @@
-/**
- * EmailLoginHandler — email code + magic link login for Cloudflare Workers.
- *
- * Flow:
- *   1. POST /sendCode — generate 6-digit code, send via Resend, return { id }
- *   2. GET  /status   — poll whether code has been verified (for UX)
- *   3. POST /login    — verify code (or magic token JWT), derive DID, issue JWT
- *
- * Routes (under /.well-known/service/api/email):
- *   POST /sendCode
- *   GET  /status
- *   POST /login
- */
-import type { AuthEntrypointInterface } from "./identity/auth-entrypoint.js";
-import type { D1Store } from "./store/d1-store.js";
-export interface EmailLoginHandlerOptions {
-    store: D1Store;
-    appSk: string;
-    jwtSecret: string;
-    jwtExpiresIn: number;
-    cookieName: string;
-    rpID?: string | ((request: Request) => string);
-    /** Resend API key for sending emails. Falls back to D1 email:config at runtime. */
-    resendApiKey?: string;
-    /** From address for verification emails. Falls back to D1 email:config at runtime. */
-    emailFrom?: string;
-    /** Instance DID for loading settings from D1. */
-    instanceDid?: string;
-    /** Service Binding to master Worker (federated mode). */
-    authMaster?: AuthEntrypointInterface;
-}
-export declare class EmailLoginHandler {
-    private options;
-    constructor(options: EmailLoginHandlerOptions);
-    /** Resolve email config: constructor options take priority, fall back to D1 email:config. */
-    resolveEmailConfig(): Promise<{
-        resendApiKey: string;
-        emailFrom: string;
-    } | null>;
-    /** Check whether email login is available (config exists in env or D1). */
-    isEnabled(): Promise<boolean>;
-    fetch(request: Request): Promise<Response | null>;
-    /** POST /sendCode — generate code, send email, return { id }. */
-    private sendCode;
-    /** GET /status — check if a verification code has been used. */
-    private checkStatus;
-    /** POST /login — verify code or magic token, derive DID, issue JWT. */
-    private login;
-}
-//# sourceMappingURL=email-login-handler.d.ts.map

package/dist/email-login-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"email-login-handler.d.ts","sourceRoot":"","sources":["../src/email-login-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAI7E,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC,CAAC;IAC/C,mFAAmF;IACnF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sFAAsF;IACtF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,UAAU,CAAC,EAAE,uBAAuB,CAAC;CACtC;AAID,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,OAAO,CAA2B;gBAE9B,OAAO,EAAE,wBAAwB;IAI7C,6FAA6F;IACvF,kBAAkB,IAAI,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAoBvF,2EAA2E;IACrE,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAI7B,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAgBvD,iEAAiE;YACnD,QAAQ;IA6DtB,gEAAgE;YAClD,WAAW;IASzB,uEAAuE;YACzD,KAAK;CA+FpB"}