@arcblock/did-connect-service 4.0.5 → 4.0.6

package/dist/email-login-handler.js

@@ -1,238 +0,0 @@
-/**
- * EmailLoginHandler — email code + magic link login for Cloudflare Workers.
- *
- * Flow:
- *   1. POST /sendCode — generate 6-digit code, send via Resend, return { id }
- *   2. GET  /status   — poll whether code has been verified (for UX)
- *   3. POST /login    — verify code (or magic token JWT), derive DID, issue JWT
- *
- * Routes (under /.well-known/service/api/email):
- *   POST /sendCode
- *   GET  /status
- *   POST /login
- */
-import { LOGIN_PROVIDER } from "./constants.js";
-import { deriveDID } from "./identity/federation.js";
-import { signJWT, verifyJWT } from "./identity/jwt.js";
-const PREFIX = "/.well-known/service/api/email";
-export class EmailLoginHandler {
-    options;
-    constructor(options) {
-        this.options = options;
-    }
-    /** Resolve email config: constructor options take priority, fall back to D1 email:config. */
-    async resolveEmailConfig() {
-        if (this.options.resendApiKey && this.options.emailFrom) {
-            return { resendApiKey: this.options.resendApiKey, emailFrom: this.options.emailFrom };
-        }
-        // Fall back to D1 settings
-        const did = this.options.instanceDid;
-        if (!did)
-            return null;
-        try {
-            const raw = await this.options.store.getSetting(did, "email:config");
-            if (!raw)
-                return null;
-            const config = JSON.parse(raw);
-            if (config.resendApiKey && config.fromAddress) {
-                return { resendApiKey: config.resendApiKey, emailFrom: config.fromAddress };
-            }
-        }
-        catch {
-            // ignore
-        }
-        return null;
-    }
-    /** Check whether email login is available (config exists in env or D1). */
-    async isEnabled() {
-        return (await this.resolveEmailConfig()) !== null;
-    }
-    async fetch(request) {
-        const url = new URL(request.url);
-        const path = url.pathname;
-        if (path === `${PREFIX}/sendCode` && request.method === "POST") {
-            return this.sendCode(request);
-        }
-        if (path === `${PREFIX}/status` && request.method === "GET") {
-            return this.checkStatus(request);
-        }
-        if (path === `${PREFIX}/login` && request.method === "POST") {
-            return this.login(request);
-        }
-        return null;
-    }
-    /** POST /sendCode — generate code, send email, return { id }. */
-    async sendCode(request) {
-        const emailConfig = await this.resolveEmailConfig();
-        if (!emailConfig) {
-            return jsonResponse({ error: "Email login is not configured" }, 503);
-        }
-        let body;
-        try {
-            body = await request.json();
-        }
-        catch {
-            return jsonResponse({ error: "Invalid request body" }, 400);
-        }
-        const email = body.email?.toLowerCase().trim();
-        if (!email || !email.includes("@")) {
-            return jsonResponse({ error: "Invalid email address" }, 400);
-        }
-        // Rate limit: 1 code per email per minute
-        if (await this.options.store.isVerifyCodeSent(email)) {
-            return jsonResponse({ error: "Code already sent, please wait" }, 429);
-        }
-        // Generate 6-digit code
-        const code = Array.from({ length: 6 }, () => Math.floor(Math.random() * 10)).join("");
-        const id = await this.options.store.createVerifyCode(code, email, "login");
-        // Generate magic link JWT (30 min)
-        const origin = new URL(request.url).origin;
-        const magicToken = await signJWT({ id, code }, this.options.jwtSecret, 1800);
-        const magicLink = `${origin}/.well-known/service/login?magicToken=${magicToken}`;
-        // Send via Resend API
-        try {
-            const res = await fetch("https://api.resend.com/emails", {
-                method: "POST",
-                headers: {
-                    Authorization: `Bearer ${emailConfig.resendApiKey}`,
-                    "Content-Type": "application/json",
-                },
-                body: JSON.stringify({
-                    from: emailConfig.emailFrom,
-                    to: email,
-                    subject: "Your login code",
-                    html: renderVerifyCodeEmail(code, magicLink),
-                }),
-            });
-            if (!res.ok) {
-                const text = await res.text();
-                return jsonResponse({ error: `Failed to send email: ${text}` }, 500);
-            }
-        }
-        catch (err) {
-            const message = err instanceof Error ? err.message : "Email send failed";
-            return jsonResponse({ error: message }, 500);
-        }
-        await this.options.store.markVerifyCodeSent(code);
-        return jsonResponse({ id });
-    }
-    /** GET /status — check if a verification code has been used. */
-    async checkStatus(request) {
-        const url = new URL(request.url);
-        const id = url.searchParams.get("id");
-        if (!id)
-            return jsonResponse({ error: "Missing id parameter" }, 400);
-        // Status is implicit: if the code has been consumed, user is logged in
-        // This endpoint is a placeholder for frontend polling
-        return jsonResponse({ status: "pending" });
-    }
-    /** POST /login — verify code or magic token, derive DID, issue JWT. */
-    async login(request) {
-        let body;
-        try {
-            body = await request.json();
-        }
-        catch {
-            return jsonResponse({ error: "Invalid request body" }, 400);
-        }
-        // Resolve the verification code
-        let verifyCode;
-        if (body.magicToken) {
-            const payload = await verifyJWT(body.magicToken, this.options.jwtSecret);
-            if (!payload || typeof payload.code !== "string") {
-                return jsonResponse({ error: "Invalid or expired magic link" }, 400);
-            }
-            verifyCode = payload.code;
-        }
-        else if (body.code) {
-            verifyCode = body.code;
-        }
-        else {
-            return jsonResponse({ error: "Missing code or magicToken" }, 400);
-        }
-        // Consume verify code (single-use)
-        const record = await this.options.store.consumeVerifyCode(verifyCode);
-        if (!record) {
-            return jsonResponse({ error: "Invalid or expired code" }, 400);
-        }
-        // Derive DID from email (delegates to master in federated mode)
-        const sub = `email|${record.subject}`;
-        const wallet = await deriveDID(sub, {
-            appSk: this.options.appSk,
-            authMaster: this.options.authMaster,
-        });
-        const userDid = wallet.did;
-        const userPk = wallet.pk;
-        // Create or update user
-        const { store } = this.options;
-        const existingUser = await store.getUserByDid(userDid);
-        const isNewUser = !existingUser;
-        if (isNewUser) {
-            await store.createUser({
-                did: userDid,
-                pk: userPk,
-                fullName: record.subject.split("@")[0],
-                email: record.subject,
-                sourceProvider: LOGIN_PROVIDER.EMAIL,
-            });
-            const userCount = await store.getUserCount();
-            if (userCount === 1) {
-                await store.updateUserRole(userDid, "owner");
-            }
-        }
-        else {
-            await store.updateLastLogin(userDid);
-        }
-        // Upsert connected account
-        await store.upsertConnectedAccount({
-            did: userDid,
-            pk: userPk,
-            userDid,
-            provider: "email",
-            id: sub,
-        });
-        // Audit log
-        await store.createAuditLog({
-            action: isNewUser ? "user.register" : "user.login",
-            operatorDid: userDid,
-            metadata: { provider: "email" },
-        });
-        // Sign JWT and set cookie
-        const user = await store.getUserByDid(userDid);
-        const payload = { did: userDid, pk: userPk };
-        if (user?.fullName)
-            payload.displayName = user.fullName;
-        if (user?.role)
-            payload.role = user.role;
-        const jwt = await signJWT(payload, this.options.jwtSecret, this.options.jwtExpiresIn);
-        let cookie = `${this.options.cookieName}=${jwt}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${this.options.jwtExpiresIn}`;
-        const cookieDomain = typeof this.options.rpID === "string" ? this.options.rpID : undefined;
-        if (cookieDomain?.includes("."))
-            cookie += `; Domain=${cookieDomain}`;
-        return new Response(JSON.stringify({ ok: true, did: userDid }), {
-            status: 200,
-            headers: {
-                "Content-Type": "application/json",
-                "Set-Cookie": cookie,
-                "Cache-Control": "private, no-store",
-            },
-        });
-    }
-}
-function jsonResponse(data, status = 200) {
-    return new Response(JSON.stringify(data), {
-        status,
-        headers: { "Content-Type": "application/json", "Cache-Control": "private, no-store" },
-    });
-}
-function renderVerifyCodeEmail(code, magicLink) {
-    return `<!DOCTYPE html>
-<html><body style="font-family: sans-serif; max-width: 480px; margin: 0 auto; padding: 20px;">
-  <h2>Your Login Code</h2>
-  <p style="font-size: 32px; font-weight: bold; letter-spacing: 8px; text-align: center; padding: 20px; background: #f5f5f5; border-radius: 8px;">${code}</p>
-  <p>Enter this code in the login form, or click the link below:</p>
-  <p><a href="${magicLink}" style="color: #0066cc;">Sign in with magic link</a></p>
-  <p style="color: #666; font-size: 12px;">This code expires in 30 minutes.</p>
-</body></html>`;
-}
-//# sourceMappingURL=email-login-handler.js.map

package/dist/email-login-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"email-login-handler.js","sourceRoot":"","sources":["../src/email-login-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAoBvD,MAAM,MAAM,GAAG,gCAAgC,CAAC;AAEhD,MAAM,OAAO,iBAAiB;IACpB,OAAO,CAA2B;IAE1C,YAAY,OAAiC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,6FAA6F;IAC7F,KAAK,CAAC,kBAAkB;QACtB,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACxD,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACxF,CAAC;QACD,2BAA2B;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;YACrE,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoD,CAAC;YAClF,IAAI,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;YAC9E,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2EAA2E;IAC3E,KAAK,CAAC,SAAS;QACb,OAAO,CAAC,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC,KAAK,IAAI,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB;QAC1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;QAE1B,IAAI,IAAI,KAAK,GAAG,MAAM,WAAW,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,MAAM,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iEAAiE;IACzD,KAAK,CAAC,QAAQ,CAAC,OAAgB;QACrC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACpD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,GAAG,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,IAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,EAAE,GAAG,CAAC,CAAC;QACxE,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtF,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAE3E,mCAAmC;QACnC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;QAC3C,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC7E,MAAM,SAAS,GAAG,GAAG,MAAM,yCAAyC,UAAU,EAAE,CAAC;QAEjF,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,+BAA+B,EAAE;gBACvD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,CAAC,YAAY,EAAE;oBACnD,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,IAAI,EAAE,WAAW,CAAC,SAAS;oBAC3B,EAAE,EAAE,KAAK;oBACT,OAAO,EAAE,iBAAiB;oBAC1B,IAAI,EAAE,qBAAqB,CAAC,IAAI,EAAE,SAAS,CAAC;iBAC7C,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC9B,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,yBAAyB,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACvE,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YACzE,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAClD,OAAO,YAAY,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,gEAAgE;IACxD,KAAK,CAAC,WAAW,CAAC,OAAgB;QACxC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,EAAE;YAAE,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QACrE,uEAAuE;QACvE,sDAAsD;QACtD,OAAO,YAAY,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,uEAAuE;IAC/D,KAAK,CAAC,KAAK,CAAC,OAAgB;QAClC,IAAI,IAA4C,CAAC;QACjD,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,gCAAgC;QAChC,IAAI,UAAkB,CAAC;QACvB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACzE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjD,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,GAAG,CAAC,CAAC;YACvE,CAAC;YACD,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACrB,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,EAAE,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,mCAAmC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,gEAAgE;QAChE,MAAM,GAAG,GAAG,SAAS,MAAM,CAAC,OAAO,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;YAClC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;YACzB,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;SACpC,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAEzB,wBAAwB;QACxB,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAC/B,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,CAAC,YAAY,CAAC;QAEhC,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,KAAK,CAAC,UAAU,CAAC;gBACrB,GAAG,EAAE,OAAO;gBACZ,EAAE,EAAE,MAAM;gBACV,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACtC,KAAK,EAAE,MAAM,CAAC,OAAO;gBACrB,cAAc,EAAE,cAAc,CAAC,KAAK;aACrC,CAAC,CAAC;YAEH,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE,CAAC;YAC7C,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC;QAED,2BAA2B;QAC3B,MAAM,KAAK,CAAC,sBAAsB,CAAC;YACjC,GAAG,EAAE,OAAO;YACZ,EAAE,EAAE,MAAM;YACV,OAAO;YACP,QAAQ,EAAE,OAAO;YACjB,EAAE,EAAE,GAAG;SACR,CAAC,CAAC;QAEH,YAAY;QACZ,MAAM,KAAK,CAAC,cAAc,CAAC;YACzB,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YAClD,WAAW,EAAE,OAAO;YACpB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE;SAChC,CAAC,CAAC;QAEH,0BAA0B;QAC1B,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAA4B,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QACtE,IAAI,IAAI,EAAE,QAAQ;YAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxD,IAAI,IAAI,EAAE,IAAI;YAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAEtF,IAAI,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,qDAAqD,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC/H,MAAM,YAAY,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3F,IAAI,YAAY,EAAE,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,YAAY,YAAY,EAAE,CAAC;QAEtE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE;YAC9D,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,MAAM;gBACpB,eAAe,EAAE,mBAAmB;aACrC;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,YAAY,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IAC/C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,eAAe,EAAE,mBAAmB,EAAE;KACtF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,SAAiB;IAC5D,OAAO;;;oJAG2I,IAAI;;gBAExI,SAAS;;eAEV,CAAC;AAChB,CAAC"}

package/dist/federation-utils.d.ts

@@ -1,23 +0,0 @@
-/**
- * Federation utilities — DID derivation delegation for multi-site auth.
- *
- * In standalone mode, DID is derived locally via fromAppDid(sub, localSK).
- * In federated mode, DID derivation is delegated to the master worker via
- * Service Binding RPC (zero-latency, same-thread call).
- */
-import type { AuthEntrypointInterface } from "./auth-entrypoint.js";
-/**
- * Derive a user DID from a subject identifier.
- *
- * @param sub - Provider-prefixed subject (e.g. "google-oauth2|123", "email|user@example.com")
- * @param options.appSk - Local app secret key (standalone mode)
- * @param options.authMaster - Service Binding to master worker (federated mode)
- */
-export declare function deriveDID(sub: string, options: {
-    appSk: string;
-    authMaster?: AuthEntrypointInterface;
-}): Promise<{
-    did: string;
-    pk: string;
-}>;
-//# sourceMappingURL=federation-utils.d.ts.map

package/dist/federation-utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"federation-utils.d.ts","sourceRoot":"","sources":["../src/federation-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEpE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EACX,OAAO,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,uBAAuB,CAAA;CAAE,GAC/D,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC,CAQtC"}

package/dist/federation-utils.js

@@ -1,25 +0,0 @@
-/**
- * Federation utilities — DID derivation delegation for multi-site auth.
- *
- * In standalone mode, DID is derived locally via fromAppDid(sub, localSK).
- * In federated mode, DID derivation is delegated to the master worker via
- * Service Binding RPC (zero-latency, same-thread call).
- */
-import { fromAppDid } from "@arcblock/did-ext";
-/**
- * Derive a user DID from a subject identifier.
- *
- * @param sub - Provider-prefixed subject (e.g. "google-oauth2|123", "email|user@example.com")
- * @param options.appSk - Local app secret key (standalone mode)
- * @param options.authMaster - Service Binding to master worker (federated mode)
- */
-export async function deriveDID(sub, options) {
-    if (options.authMaster) {
-        // Federated mode: RPC call to master (zero-delay, same thread)
-        return options.authMaster.deriveDID(sub);
-    }
-    // Standalone mode: local derivation
-    const wallet = fromAppDid(sub, options.appSk);
-    return { did: wallet.address, pk: wallet.publicKey };
-}
-//# sourceMappingURL=federation-utils.js.map

package/dist/federation-utils.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"federation-utils.js","sourceRoot":"","sources":["../src/federation-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAI/C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,OAAgE;IAEhE,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,+DAA+D;QAC/D,OAAO,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IACD,oCAAoC;IACpC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;AACvD,CAAC"}

package/dist/handler.d.ts

@@ -1,90 +0,0 @@
-/**
- * Auth — Core auth handler for Cloudflare Workers.
- *
- * Routes (prefix-stripped, under /.well-known/service/api/passkey):
- *   GET  /register  — Generate registration challenge options
- *   POST /register  — Verify registration credential, create user, issue JWT
- *   GET  /auth      — Generate authentication challenge options
- *   POST /auth      — Verify authentication credential, issue JWT
- *
- * Session and logout are handled by auth-handler at /did/session and /did/logout.
- */
-import type { D1Store } from "./store/d1-store.js";
-import type { AuthOptions, CallerIdentity, Role } from "./types.js";
-/**
- * Extract Bearer token from Authorization header and resolve access key caller.
- * Returns null if no access key token or if validation fails.
- */
-export declare function resolveAccessKeyCaller(request: Request, store: D1Store, instanceDid?: string): Promise<{
-    did: string;
-    pk: string;
-    role: Role;
-    displayName?: string;
-    blocked: boolean;
-    accessKeyId: string;
-} | null>;
-export declare class Auth {
-    private store;
-    private jwtSecret;
-    private rpName;
-    private rpID?;
-    private jwtExpiresIn;
-    private cookieName;
-    constructor(options: AuthOptions);
-    /** Expose the store for sharing with TeamHandler. */
-    getStore(): D1Store;
-    /**
-     * Handle auth API requests. Expects the prefix to be already stripped —
-     * internally matches /register (GET/POST) and /auth (GET/POST).
-     */
-    fetch(request: Request): Promise<Response>;
-    /** Verify JWT from cookie — hot path, pure crypto, no D1. */
-    verify(request: Request): Promise<CallerIdentity | null>;
-    /**
-     * Full verification: access key (Bearer) first, then JWT + DB check.
-     * Returns null if neither auth method succeeds, or if user is blocked/deleted.
-     */
-    verifyFull(request: Request): Promise<CallerIdentity | null>;
-    /**
-     * Verify access key from Authorization: Bearer header.
-     * Returns CallerIdentity with the key's role, or null.
-     */
-    verifyAccessKey(request: Request): Promise<CallerIdentity | null>;
-    /** Return the login page HTML, filtering methods by builtin-providers settings. */
-    getLoginPage(instanceDid?: string, overrides?: {
-        methods?: string[];
-        oauthProviders?: Array<{
-            name: string;
-            icon?: string;
-        }>;
-    }): Promise<Response>;
-    /** GET /register — Generate registration challenge options.
-     *  Always returns options (even when registration is gated) because:
-     *  - Re-registration of existing passkeys bypasses the gate
-     *  - The registrationAllowed flag lets the client show/hide UI
-     *  - The actual gate is enforced at POST /register time */
-    private handleRegisterRequest;
-    /** POST /register — Verify registration credential, create user, issue JWT. */
-    private handleRegisterResponse;
-    /** GET /auth — Generate authentication challenge options. */
-    private handleAuthRequest;
-    /** POST /auth — Verify authentication credential, issue JWT. */
-    private handleAuthResponse;
-    private handleRegistrationVerify;
-    private handleAuthenticationVerify;
-    /** Clear auth cookie. GET → redirect to /, POST → JSON response. */
-    logout(request: Request): Response;
-    /**
-     * Determine if passkey registration should be allowed.
-     *
-     * Returns true if ANY of:
-     *   1. No users exist (first user becomes owner)
-     *   2. Default access policy is "public"
-     *   3. A valid invitation is presented
-     */
-    private checkRegistrationEligibility;
-    private issueJWT;
-    private getRPID;
-    private extractCookie;
-}
-//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AA8CpE;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,OAAO,EACd,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,IAAI,CAAC,CAoCR;AAED,qBAAa,IAAI;IACf,OAAO,CAAC,KAAK,CAAU;IACvB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,IAAI,CAAC,CAA0C;IACvD,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,UAAU,CAAS;gBAEf,OAAO,EAAE,WAAW;IAShC,qDAAqD;IACrD,QAAQ,IAAI,OAAO;IAInB;;;OAGG;IACG,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAqBhD,6DAA6D;IACvD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAiB9D;;;OAGG;IACG,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAmBlE;;;OAGG;IACG,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAYvE,mFAAmF;IAC7E,YAAY,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,cAAc,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,QAAQ,CAAC;IA+DxJ;;;;+DAI2D;YAC7C,qBAAqB;IA4BnC,+EAA+E;YACjE,sBAAsB;IAkDpC,6DAA6D;YAC/C,iBAAiB;IAoB/B,gEAAgE;YAClD,kBAAkB;YA2ClB,wBAAwB;YAyHxB,0BAA0B;IAgExC,oEAAoE;IACpE,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ;IAsBlC;;;;;;;OAOG;YACW,4BAA4B;YAwB5B,QAAQ;IAqBtB,OAAO,CAAC,OAAO;IAMf,OAAO,CAAC,aAAa;CAWtB"}