@arch-cadre/core 0.0.23 → 0.0.26

package/dist/core/auth/logic.cjs

@@ -1,224 +1 @@
-"use server";
-
-const require_runtime = require('../../_virtual/_rolldown/runtime.cjs');
-const require_validation = require('./validation.cjs');
-const require_event_bus = require('../event-bus.cjs');
-const require_inject = require('../../server/database/inject.cjs');
-const require_schema = require('../../server/database/schema.cjs');
-const require_augment = require('./augment.cjs');
-const require_password = require('../../server/auth/password.cjs');
-const require_user = require('../../server/auth/user.cjs');
-const require_email_verification = require('./email-verification.cjs');
-const require_session = require('./session.cjs');
-let drizzle_orm = require("drizzle-orm");
-
-//#region src/core/auth/logic.ts
-/**
-* Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
-*/
-async function coreRbacAugmenter(user) {
-	try {
-		const roles = (await require_inject.db.select({ name: require_schema.rolesTable.name }).from(require_schema.usersToRolesTable).innerJoin(require_schema.rolesTable, (0, drizzle_orm.eq)(require_schema.usersToRolesTable.roleId, require_schema.rolesTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToRolesTable.userId, user.id))).map((r) => r.name);
-		const directPerms = (await require_inject.db.select({ name: require_schema.permissionsTable.name }).from(require_schema.usersToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.userId, user.id))).map((p) => p.name);
-		let rolePerms = [];
-		if (roles.length > 0) {
-			const roleIds = (await require_inject.db.select({ id: require_schema.rolesTable.id }).from(require_schema.rolesTable).where((0, drizzle_orm.inArray)(require_schema.rolesTable.name, roles))).map((r) => r.id);
-			if (roleIds.length > 0) rolePerms = (await require_inject.db.select({ name: require_schema.permissionsTable.name }).from(require_schema.rolesToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.inArray)(require_schema.rolesToPermissionsTable.roleId, roleIds))).map((p) => p.name);
-		}
-		return {
-			roles,
-			permissions: Array.from(new Set([...directPerms, ...rolePerms]))
-		};
-	} catch (error) {
-		console.error("[Auth:RBAC] Failed to augment user:", error);
-		return {
-			roles: [],
-			permissions: []
-		};
-	}
-}
-const globalForAuth = globalThis;
-const authValidators = globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-const securityRequirements = globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ?? /* @__PURE__ */ new Set();
-const passwordResetValidators = globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-const emailVerificationValidators = globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-globalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;
-globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;
-globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
-globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ = emailVerificationValidators;
-async function registerAuthValidator(validator) {
-	authValidators.add(validator);
-}
-async function registerPasswordResetValidator(validator) {
-	passwordResetValidators.add(validator);
-}
-async function registerEmailVerificationValidator(validator) {
-	emailVerificationValidators.add(validator);
-}
-async function registerSecurityRequirement(requirement) {
-	securityRequirements.add(requirement);
-}
-async function runPasswordResetValidators(userId) {
-	for (const validator of passwordResetValidators) {
-		const interception = await validator(userId);
-		if (interception) return interception;
-	}
-	return null;
-}
-async function runEmailVerificationValidators(userId) {
-	for (const validator of emailVerificationValidators) {
-		const interception = await validator(userId);
-		if (interception) return interception;
-	}
-	return null;
-}
-/**
-* Augments a base user with data from all registered modules.
-* This is now just a wrapper that includes core RBAC data.
-*/
-async function performFullUserAugmentation(user) {
-	return await require_augment.augmentUser(user, await coreRbacAugmenter(user));
-}
-/**
-* Checks if the current session satisfies all registered security requirements.
-*/
-async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
-	if (!user) {
-		console.warn("User is required for security check");
-		return {
-			satisfied: false,
-			redirect: fallbackRedirect ?? "/signin"
-		};
-	}
-	const userRoles = Array.isArray(user.roles) ? user.roles : [];
-	const userPermissions = Array.isArray(user.permissions) ? user.permissions : [];
-	if (requiredRoles && requiredRoles.length > 0) {
-		if (!requiredRoles.some((role) => userRoles.includes(role))) {
-			console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
-			return {
-				satisfied: false,
-				redirect: fallbackRedirect
-			};
-		}
-	}
-	if (requiredPermissions && requiredPermissions.length > 0) {
-		if (!requiredPermissions.every((perm) => userPermissions.includes(perm))) {
-			console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
-			return {
-				satisfied: false,
-				redirect: fallbackRedirect
-			};
-		}
-	}
-	if (securityRequirements) for (const requirement of securityRequirements) try {
-		const result = await requirement(session, user);
-		if (result && !result.satisfied) return {
-			...result,
-			redirect: result.redirect ?? fallbackRedirect
-		};
-	} catch (error) {
-		console.error("[Auth:Security] Requirement failed:", error);
-	}
-	return { satisfied: true };
-}
-/**
-* Sign In Logic
-*/
-async function signIn(data) {
-	const { email, password } = await require_validation.loginSchema.parseAsync(data);
-	const user = await require_user.getUserFromEmail(email);
-	if (!user) return {
-		status: "ERROR",
-		message: "Invalid email or password"
-	};
-	const passwordHash = await require_user.getUserPasswordHash(user.id);
-	if (!passwordHash || !await require_password.verifyPasswordHash(passwordHash, password)) return {
-		status: "ERROR",
-		message: "Invalid email or password"
-	};
-	for (const validator of authValidators) {
-		const interception = await validator(user.id);
-		if (interception) return interception;
-	}
-	const sessionFlags = {};
-	const sessionToken = await require_session.generateSessionToken();
-	const session = await require_session.createSession(sessionToken, user.id, sessionFlags);
-	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
-	const fullUser = await performFullUserAugmentation(user);
-	await require_event_bus.eventBus.publish("auth:session-created", {
-		session,
-		user: fullUser
-	});
-	return {
-		status: "SUCCESS",
-		session: { ...session },
-		user: { ...fullUser }
-	};
-}
-/**
-* Sign Up Logic
-*/
-async function signUp(data) {
-	const { email, username, password } = require_validation.registerSchema.parse(data);
-	if (!await require_user.verifyUsernameInput(username)) throw new Error("Invalid username");
-	if (!await require_password.verifyPasswordStrength(password)) throw new Error("Weak password");
-	const user = await require_user.createUser(email, username, password);
-	const verificationRequest = await require_email_verification.createEmailVerificationRequest(user.id, user.email);
-	await require_email_verification.sendVerificationEmail(verificationRequest.email, verificationRequest.code);
-	await require_email_verification.setEmailVerificationRequestCookie(verificationRequest);
-	const sessionFlags = {};
-	const sessionToken = await require_session.generateSessionToken();
-	const session = await require_session.createSession(sessionToken, user.id, sessionFlags);
-	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
-	const fullUser = await performFullUserAugmentation(user);
-	await require_event_bus.eventBus.publish("auth:session-created", {
-		session,
-		user: fullUser
-	});
-	return {
-		session: { ...session },
-		user: { ...fullUser }
-	};
-}
-/**
-* Finalizes login after a challenge
-*/
-async function finalizeLogin(userId, flags) {
-	const sessionToken = await require_session.generateSessionToken();
-	const session = await require_session.createSession(sessionToken, userId, flags);
-	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
-	const user = await require_user.getUserById(userId);
-	if (user) await require_event_bus.eventBus.publish("auth:session-created", {
-		session,
-		user
-	});
-	return {
-		session: session ? { ...session } : null,
-		user: user ? { ...user } : null
-	};
-}
-/**
-* Sign Out
-*/
-async function signOut() {
-	const { session, user } = await require_session.getCurrentSession();
-	if (session) {
-		if (user) await require_event_bus.eventBus.publish("auth:signed-out", { userId: user.id });
-		await require_session.invalidateSession(session.id);
-		await require_session.deleteSessionTokenCookie();
-	}
-}
-
-//#endregion
-exports.checkSecurity = checkSecurity;
-exports.finalizeLogin = finalizeLogin;
-exports.performFullUserAugmentation = performFullUserAugmentation;
-exports.registerAuthValidator = registerAuthValidator;
-exports.registerEmailVerificationValidator = registerEmailVerificationValidator;
-exports.registerPasswordResetValidator = registerPasswordResetValidator;
-exports.registerSecurityRequirement = registerSecurityRequirement;
-exports.runEmailVerificationValidators = runEmailVerificationValidators;
-exports.runPasswordResetValidators = runPasswordResetValidators;
-exports.signIn = signIn;
-exports.signOut = signOut;
-exports.signUp = signUp;
+"use server";require(`../../_virtual/_rolldown/runtime.cjs`);const e=require(`./validation.cjs`),t=require(`../event-bus.cjs`),n=require(`../../server/database/inject.cjs`),r=require(`../../server/database/schema.cjs`),i=require(`./augment.cjs`),a=require(`../../server/auth/password.cjs`),o=require(`../../server/auth/user.cjs`),s=require(`./email-verification.cjs`),c=require(`./session.cjs`);let l=require(`drizzle-orm`);async function u(e){try{let t=(await n.db.select({name:r.rolesTable.name}).from(r.usersToRolesTable).innerJoin(r.rolesTable,(0,l.eq)(r.usersToRolesTable.roleId,r.rolesTable.id)).where((0,l.eq)(r.usersToRolesTable.userId,e.id))).map(e=>e.name),i=(await n.db.select({name:r.permissionsTable.name}).from(r.usersToPermissionsTable).innerJoin(r.permissionsTable,(0,l.eq)(r.usersToPermissionsTable.permissionId,r.permissionsTable.id)).where((0,l.eq)(r.usersToPermissionsTable.userId,e.id))).map(e=>e.name),a=[];if(t.length>0){let e=(await n.db.select({id:r.rolesTable.id}).from(r.rolesTable).where((0,l.inArray)(r.rolesTable.name,t))).map(e=>e.id);e.length>0&&(a=(await n.db.select({name:r.permissionsTable.name}).from(r.rolesToPermissionsTable).innerJoin(r.permissionsTable,(0,l.eq)(r.rolesToPermissionsTable.permissionId,r.permissionsTable.id)).where((0,l.inArray)(r.rolesToPermissionsTable.roleId,e))).map(e=>e.name))}return{roles:t,permissions:Array.from(new Set([...i,...a]))}}catch(e){return console.error(`[Auth:RBAC] Failed to augment user:`,e),{roles:[],permissions:[]}}}const d=globalThis,f=d.__KRYO_AUTH_VALIDATORS__??new Set,p=d.__KRYO_SECURITY_REQUIREMENTS__??new Set,m=d.__KRYO_PASSWORD_RESET_VALIDATORS__??new Set,h=d.__KRYO_EMAIL_VERIFICATION_VALIDATORS__??new Set;d.__KRYO_AUTH_VALIDATORS__=f,d.__KRYO_SECURITY_REQUIREMENTS__=p,d.__KRYO_PASSWORD_RESET_VALIDATORS__=m,d.__KRYO_EMAIL_VERIFICATION_VALIDATORS__=h;async function g(e){f.add(e)}async function _(e){m.add(e)}async function v(e){h.add(e)}async function y(e){p.add(e)}async function b(e){for(let t of m){let n=await t(e);if(n)return n}return null}async function x(e){for(let t of h){let n=await t(e);if(n)return n}return null}async function S(e){return await i.augmentUser(e,await u(e))}async function C(e,t,n,r,i){if(!t)return console.warn(`User is required for security check`),{satisfied:!1,redirect:i??`/signin`};let a=Array.isArray(t.roles)?t.roles:[],o=Array.isArray(t.permissions)?t.permissions:[];if(n&&n.length>0&&!n.some(e=>a.includes(e)))return console.warn(`User lacks required roles: ${n.join(`, `)}`),{satisfied:!1,redirect:i};if(r&&r.length>0&&!r.every(e=>o.includes(e)))return console.warn(`User lacks required permissions: ${r.join(`, `)}`),{satisfied:!1,redirect:i};if(p)for(let n of p)try{let r=await n(e,t);if(r&&!r.satisfied)return{...r,redirect:r.redirect??i}}catch(e){console.error(`[Auth:Security] Requirement failed:`,e)}return{satisfied:!0}}async function w(n){let{email:r,password:i}=await e.loginSchema.parseAsync(n),s=await o.getUserFromEmail(r);if(!s)return{status:`ERROR`,message:`Invalid email or password`};let l=await o.getUserPasswordHash(s.id);if(!l||!await a.verifyPasswordHash(l,i))return{status:`ERROR`,message:`Invalid email or password`};for(let e of f){let t=await e(s.id);if(t)return t}let u={},d=await c.generateSessionToken(),p=await c.createSession(d,s.id,u);await c.setSessionTokenCookie(d,p.expiresAt);let m=await S(s);return await t.eventBus.publish(`auth:session-created`,{session:p,user:m}),{status:`SUCCESS`,session:{...p},user:{...m}}}async function T(n){let{email:r,username:i,password:l}=e.registerSchema.parse(n);if(!await o.verifyUsernameInput(i))throw Error(`Invalid username`);if(!await a.verifyPasswordStrength(l))throw Error(`Weak password`);let u=await o.createUser(r,i,l),d=await s.createEmailVerificationRequest(u.id,u.email);await s.sendVerificationEmail(d.email,d.code),await s.setEmailVerificationRequestCookie(d);let f={},p=await c.generateSessionToken(),m=await c.createSession(p,u.id,f);await c.setSessionTokenCookie(p,m.expiresAt);let h=await S(u);return await t.eventBus.publish(`auth:session-created`,{session:m,user:h}),{session:{...m},user:{...h}}}async function E(e,n){let r=await c.generateSessionToken(),i=await c.createSession(r,e,n);await c.setSessionTokenCookie(r,i.expiresAt);let a=await o.getUserById(e);return a&&await t.eventBus.publish(`auth:session-created`,{session:i,user:a}),{session:i?{...i}:null,user:a?{...a}:null}}async function D(){let{session:e,user:n}=await c.getCurrentSession();e&&(n&&await t.eventBus.publish(`auth:signed-out`,{userId:n.id}),await c.invalidateSession(e.id),await c.deleteSessionTokenCookie())}exports.checkSecurity=C,exports.finalizeLogin=E,exports.performFullUserAugmentation=S,exports.registerAuthValidator=g,exports.registerEmailVerificationValidator=v,exports.registerPasswordResetValidator=_,exports.registerSecurityRequirement=y,exports.runEmailVerificationValidators=x,exports.runPasswordResetValidators=b,exports.signIn=w,exports.signOut=D,exports.signUp=T;

package/dist/core/auth/logic.d.cts

@@ -58,15 +58,15 @@ declare function signUp(data: RegisterInput): Promise<{
     createdAt: Date;
     updatedAt: Date | null;
     userId: string;
-    expiresAt: Date;
     active_organization_id: string | null;
+    expiresAt: Date;
   };
   user: {
     [x: string]: any;
-    id: string;
     email: string;
-    name: string;
     password: string | null;
+    name: string;
+    id: string;
     image: string | null;
     recovery_code: Buffer<ArrayBufferLike>;
     emailVerifiedAt: Date | null;
@@ -86,14 +86,14 @@ declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
     createdAt: Date;
     updatedAt: Date | null;
     userId: string;
-    expiresAt: Date;
     active_organization_id: string | null;
+    expiresAt: Date;
   } | null;
   user: {
-    id: string;
     email: string;
-    name: string;
     password: string | null;
+    name: string;
+    id: string;
     image: string | null;
     recovery_code: Buffer<ArrayBufferLike>;
     emailVerifiedAt: Date | null;

package/dist/core/auth/logic.d.mts

@@ -58,15 +58,15 @@ declare function signUp(data: RegisterInput): Promise<{
     createdAt: Date;
     updatedAt: Date | null;
     userId: string;
-    expiresAt: Date;
     active_organization_id: string | null;
+    expiresAt: Date;
   };
   user: {
     [x: string]: any;
-    id: string;
     email: string;
-    name: string;
     password: string | null;
+    name: string;
+    id: string;
     image: string | null;
     recovery_code: Buffer<ArrayBufferLike>;
     emailVerifiedAt: Date | null;
@@ -86,14 +86,14 @@ declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
     createdAt: Date;
     updatedAt: Date | null;
     userId: string;
-    expiresAt: Date;
     active_organization_id: string | null;
+    expiresAt: Date;
   } | null;
   user: {
-    id: string;
     email: string;
-    name: string;
     password: string | null;
+    name: string;
+    id: string;
     image: string | null;
     recovery_code: Buffer<ArrayBufferLike>;
     emailVerifiedAt: Date | null;

package/dist/core/auth/logic.mjs

@@ -1,213 +1,2 @@
-"use server";
-
-import { loginSchema, registerSchema } from "./validation.mjs";
-import { eventBus } from "../event-bus.mjs";
-import { db } from "../../server/database/inject.mjs";
-import { permissionsTable, rolesTable, rolesToPermissionsTable, usersToPermissionsTable, usersToRolesTable } from "../../server/database/schema.mjs";
-import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.mjs";
-import { verifyPasswordHash, verifyPasswordStrength } from "../../server/auth/password.mjs";
-import { createUser, getUserById, getUserFromEmail, getUserPasswordHash, verifyUsernameInput } from "../../server/auth/user.mjs";
-import { createEmailVerificationRequest, sendVerificationEmail, setEmailVerificationRequestCookie } from "./email-verification.mjs";
-import { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, invalidateSession, setSessionTokenCookie } from "./session.mjs";
-import { eq, inArray } from "drizzle-orm";
-
-//#region src/core/auth/logic.ts
-/**
-* Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
-*/
-async function coreRbacAugmenter(user) {
-	try {
-		const roles = (await db.select({ name: rolesTable.name }).from(usersToRolesTable).innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id)).where(eq(usersToRolesTable.userId, user.id))).map((r) => r.name);
-		const directPerms = (await db.select({ name: permissionsTable.name }).from(usersToPermissionsTable).innerJoin(permissionsTable, eq(usersToPermissionsTable.permissionId, permissionsTable.id)).where(eq(usersToPermissionsTable.userId, user.id))).map((p) => p.name);
-		let rolePerms = [];
-		if (roles.length > 0) {
-			const roleIds = (await db.select({ id: rolesTable.id }).from(rolesTable).where(inArray(rolesTable.name, roles))).map((r) => r.id);
-			if (roleIds.length > 0) rolePerms = (await db.select({ name: permissionsTable.name }).from(rolesToPermissionsTable).innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id)).where(inArray(rolesToPermissionsTable.roleId, roleIds))).map((p) => p.name);
-		}
-		return {
-			roles,
-			permissions: Array.from(new Set([...directPerms, ...rolePerms]))
-		};
-	} catch (error) {
-		console.error("[Auth:RBAC] Failed to augment user:", error);
-		return {
-			roles: [],
-			permissions: []
-		};
-	}
-}
-const globalForAuth = globalThis;
-const authValidators = globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-const securityRequirements = globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ?? /* @__PURE__ */ new Set();
-const passwordResetValidators = globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-const emailVerificationValidators = globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ?? /* @__PURE__ */ new Set();
-globalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;
-globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;
-globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
-globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ = emailVerificationValidators;
-async function registerAuthValidator(validator) {
-	authValidators.add(validator);
-}
-async function registerPasswordResetValidator(validator) {
-	passwordResetValidators.add(validator);
-}
-async function registerEmailVerificationValidator(validator) {
-	emailVerificationValidators.add(validator);
-}
-async function registerSecurityRequirement(requirement) {
-	securityRequirements.add(requirement);
-}
-async function runPasswordResetValidators(userId) {
-	for (const validator of passwordResetValidators) {
-		const interception = await validator(userId);
-		if (interception) return interception;
-	}
-	return null;
-}
-async function runEmailVerificationValidators(userId) {
-	for (const validator of emailVerificationValidators) {
-		const interception = await validator(userId);
-		if (interception) return interception;
-	}
-	return null;
-}
-/**
-* Augments a base user with data from all registered modules.
-* This is now just a wrapper that includes core RBAC data.
-*/
-async function performFullUserAugmentation(user) {
-	return await augmentUser(user, await coreRbacAugmenter(user));
-}
-/**
-* Checks if the current session satisfies all registered security requirements.
-*/
-async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
-	if (!user) {
-		console.warn("User is required for security check");
-		return {
-			satisfied: false,
-			redirect: fallbackRedirect ?? "/signin"
-		};
-	}
-	const userRoles = Array.isArray(user.roles) ? user.roles : [];
-	const userPermissions = Array.isArray(user.permissions) ? user.permissions : [];
-	if (requiredRoles && requiredRoles.length > 0) {
-		if (!requiredRoles.some((role) => userRoles.includes(role))) {
-			console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
-			return {
-				satisfied: false,
-				redirect: fallbackRedirect
-			};
-		}
-	}
-	if (requiredPermissions && requiredPermissions.length > 0) {
-		if (!requiredPermissions.every((perm) => userPermissions.includes(perm))) {
-			console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
-			return {
-				satisfied: false,
-				redirect: fallbackRedirect
-			};
-		}
-	}
-	if (securityRequirements) for (const requirement of securityRequirements) try {
-		const result = await requirement(session, user);
-		if (result && !result.satisfied) return {
-			...result,
-			redirect: result.redirect ?? fallbackRedirect
-		};
-	} catch (error) {
-		console.error("[Auth:Security] Requirement failed:", error);
-	}
-	return { satisfied: true };
-}
-/**
-* Sign In Logic
-*/
-async function signIn(data) {
-	const { email, password } = await loginSchema.parseAsync(data);
-	const user = await getUserFromEmail(email);
-	if (!user) return {
-		status: "ERROR",
-		message: "Invalid email or password"
-	};
-	const passwordHash = await getUserPasswordHash(user.id);
-	if (!passwordHash || !await verifyPasswordHash(passwordHash, password)) return {
-		status: "ERROR",
-		message: "Invalid email or password"
-	};
-	for (const validator of authValidators) {
-		const interception = await validator(user.id);
-		if (interception) return interception;
-	}
-	const sessionFlags = {};
-	const sessionToken = await generateSessionToken();
-	const session = await createSession(sessionToken, user.id, sessionFlags);
-	await setSessionTokenCookie(sessionToken, session.expiresAt);
-	const fullUser = await performFullUserAugmentation(user);
-	await eventBus.publish("auth:session-created", {
-		session,
-		user: fullUser
-	});
-	return {
-		status: "SUCCESS",
-		session: { ...session },
-		user: { ...fullUser }
-	};
-}
-/**
-* Sign Up Logic
-*/
-async function signUp(data) {
-	const { email, username, password } = registerSchema.parse(data);
-	if (!await verifyUsernameInput(username)) throw new Error("Invalid username");
-	if (!await verifyPasswordStrength(password)) throw new Error("Weak password");
-	const user = await createUser(email, username, password);
-	const verificationRequest = await createEmailVerificationRequest(user.id, user.email);
-	await sendVerificationEmail(verificationRequest.email, verificationRequest.code);
-	await setEmailVerificationRequestCookie(verificationRequest);
-	const sessionFlags = {};
-	const sessionToken = await generateSessionToken();
-	const session = await createSession(sessionToken, user.id, sessionFlags);
-	await setSessionTokenCookie(sessionToken, session.expiresAt);
-	const fullUser = await performFullUserAugmentation(user);
-	await eventBus.publish("auth:session-created", {
-		session,
-		user: fullUser
-	});
-	return {
-		session: { ...session },
-		user: { ...fullUser }
-	};
-}
-/**
-* Finalizes login after a challenge
-*/
-async function finalizeLogin(userId, flags) {
-	const sessionToken = await generateSessionToken();
-	const session = await createSession(sessionToken, userId, flags);
-	await setSessionTokenCookie(sessionToken, session.expiresAt);
-	const user = await getUserById(userId);
-	if (user) await eventBus.publish("auth:session-created", {
-		session,
-		user
-	});
-	return {
-		session: session ? { ...session } : null,
-		user: user ? { ...user } : null
-	};
-}
-/**
-* Sign Out
-*/
-async function signOut() {
-	const { session, user } = await getCurrentSession();
-	if (session) {
-		if (user) await eventBus.publish("auth:signed-out", { userId: user.id });
-		await invalidateSession(session.id);
-		await deleteSessionTokenCookie();
-	}
-}
-
-//#endregion
-export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+"use server";import{loginSchema as e,registerSchema as t}from"./validation.mjs";import{eventBus as n}from"../event-bus.mjs";import{db as r}from"../../server/database/inject.mjs";import{permissionsTable as i,rolesTable as a,rolesToPermissionsTable as o,usersToPermissionsTable as s,usersToRolesTable as c}from"../../server/database/schema.mjs";import{augmentSession as l,augmentUser as u,registerIdentityAugmenter as d,registerPasswordResetSessionAugmenter as f,registerSessionAugmenter as p}from"./augment.mjs";import{verifyPasswordHash as m,verifyPasswordStrength as h}from"../../server/auth/password.mjs";import{createUser as g,getUserById as _,getUserFromEmail as v,getUserPasswordHash as y,verifyUsernameInput as b}from"../../server/auth/user.mjs";import{createEmailVerificationRequest as x,sendVerificationEmail as S,setEmailVerificationRequestCookie as C}from"./email-verification.mjs";import{createSession as w,deleteSessionTokenCookie as T,generateSessionToken as E,getCurrentSession as D,invalidateSession as O,setSessionTokenCookie as k}from"./session.mjs";import{eq as A,inArray as j}from"drizzle-orm";async function M(e){try{let t=(await r.select({name:a.name}).from(c).innerJoin(a,A(c.roleId,a.id)).where(A(c.userId,e.id))).map(e=>e.name),n=(await r.select({name:i.name}).from(s).innerJoin(i,A(s.permissionId,i.id)).where(A(s.userId,e.id))).map(e=>e.name),l=[];if(t.length>0){let e=(await r.select({id:a.id}).from(a).where(j(a.name,t))).map(e=>e.id);e.length>0&&(l=(await r.select({name:i.name}).from(o).innerJoin(i,A(o.permissionId,i.id)).where(j(o.roleId,e))).map(e=>e.name))}return{roles:t,permissions:Array.from(new Set([...n,...l]))}}catch(e){return console.error(`[Auth:RBAC] Failed to augment user:`,e),{roles:[],permissions:[]}}}const N=globalThis,P=N.__KRYO_AUTH_VALIDATORS__??new Set,F=N.__KRYO_SECURITY_REQUIREMENTS__??new Set,I=N.__KRYO_PASSWORD_RESET_VALIDATORS__??new Set,L=N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__??new Set;N.__KRYO_AUTH_VALIDATORS__=P,N.__KRYO_SECURITY_REQUIREMENTS__=F,N.__KRYO_PASSWORD_RESET_VALIDATORS__=I,N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__=L;async function R(e){P.add(e)}async function z(e){I.add(e)}async function B(e){L.add(e)}async function V(e){F.add(e)}async function H(e){for(let t of I){let n=await t(e);if(n)return n}return null}async function U(e){for(let t of L){let n=await t(e);if(n)return n}return null}async function W(e){return await u(e,await M(e))}async function G(e,t,n,r,i){if(!t)return console.warn(`User is required for security check`),{satisfied:!1,redirect:i??`/signin`};let a=Array.isArray(t.roles)?t.roles:[],o=Array.isArray(t.permissions)?t.permissions:[];if(n&&n.length>0&&!n.some(e=>a.includes(e)))return console.warn(`User lacks required roles: ${n.join(`, `)}`),{satisfied:!1,redirect:i};if(r&&r.length>0&&!r.every(e=>o.includes(e)))return console.warn(`User lacks required permissions: ${r.join(`, `)}`),{satisfied:!1,redirect:i};if(F)for(let n of F)try{let r=await n(e,t);if(r&&!r.satisfied)return{...r,redirect:r.redirect??i}}catch(e){console.error(`[Auth:Security] Requirement failed:`,e)}return{satisfied:!0}}async function K(t){let{email:r,password:i}=await e.parseAsync(t),a=await v(r);if(!a)return{status:`ERROR`,message:`Invalid email or password`};let o=await y(a.id);if(!o||!await m(o,i))return{status:`ERROR`,message:`Invalid email or password`};for(let e of P){let t=await e(a.id);if(t)return t}let s={},c=await E(),l=await w(c,a.id,s);await k(c,l.expiresAt);let u=await W(a);return await n.publish(`auth:session-created`,{session:l,user:u}),{status:`SUCCESS`,session:{...l},user:{...u}}}async function q(e){let{email:r,username:i,password:a}=t.parse(e);if(!await b(i))throw Error(`Invalid username`);if(!await h(a))throw Error(`Weak password`);let o=await g(r,i,a),s=await x(o.id,o.email);await S(s.email,s.code),await C(s);let c={},l=await E(),u=await w(l,o.id,c);await k(l,u.expiresAt);let d=await W(o);return await n.publish(`auth:session-created`,{session:u,user:d}),{session:{...u},user:{...d}}}async function J(e,t){let r=await E(),i=await w(r,e,t);await k(r,i.expiresAt);let a=await _(e);return a&&await n.publish(`auth:session-created`,{session:i,user:a}),{session:i?{...i}:null,user:a?{...a}:null}}async function Y(){let{session:e,user:t}=await D();e&&(t&&await n.publish(`auth:signed-out`,{userId:t.id}),await O(e.id),await T())}export{G as checkSecurity,J as finalizeLogin,W as performFullUserAugmentation,R as registerAuthValidator,B as registerEmailVerificationValidator,z as registerPasswordResetValidator,V as registerSecurityRequirement,U as runEmailVerificationValidators,H as runPasswordResetValidators,K as signIn,Y as signOut,q as signUp};
 //# sourceMappingURL=logic.mjs.map

package/dist/core/auth/logic.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"logic.mjs","names":[],"sources":["../../../src/core/auth/logic.ts"],"sourcesContent":["\"use server\";\n\nimport { eq, inArray } from \"drizzle-orm\";\nimport {\n  verifyPasswordHash,\n  verifyPasswordStrength,\n} from \"../../server/auth/password\";\nimport {\n  createUser,\n  getUserById,\n  getUserFromEmail,\n  getUserPasswordHash,\n  verifyUsernameInput,\n} from \"../../server/auth/user\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { eventBus } from \"../event-bus\";\nimport {\n  augmentSession,\n  augmentUser,\n  registerIdentityAugmenter,\n  registerPasswordResetSessionAugmenter,\n  registerSessionAugmenter,\n} from \"./augment\";\nimport {\n  createEmailVerificationRequest,\n  sendVerificationEmail,\n  setEmailVerificationRequestCookie,\n} from \"./email-verification\";\nimport {\n  createSession,\n  deleteSessionTokenCookie,\n  generateSessionToken,\n  getCurrentSession,\n  invalidateSession,\n  setSessionTokenCookie,\n} from \"./session\";\nimport type {\n  AuthResponse,\n  FullUser,\n  Session,\n  SessionFlags,\n  User,\n  UserPermission,\n  UserRole,\n} from \"./types\";\nimport {\n  type LoginInput,\n  loginSchema,\n  type RegisterInput,\n  registerSchema,\n} from \"./validation\";\n\n/**\n * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień\n */\nasync function coreRbacAugmenter(user: User): Promise<Record<string, any>> {\n  try {\n    // 1. Fetch direct roles\n    const userRoles = await db\n      .select({ name: rolesTable.name })\n      .from(usersToRolesTable)\n      .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n      .where(eq(usersToRolesTable.userId, user.id));\n\n    const roles = userRoles.map((r) => r.name);\n\n    // 2. Fetch direct permissions\n    const userDirectPerms = await db\n      .select({ name: permissionsTable.name })\n      .from(usersToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(eq(usersToPermissionsTable.userId, user.id));\n\n    const directPerms = userDirectPerms.map((p) => p.name);\n\n    // 3. Fetch permissions from roles\n    let rolePerms: string[] = [];\n    if (roles.length > 0) {\n      const roleIdsResult = await db\n        .select({ id: rolesTable.id })\n        .from(rolesTable)\n        .where(inArray(rolesTable.name, roles));\n\n      const roleIds = roleIdsResult.map((r) => r.id);\n\n      if (roleIds.length > 0) {\n        const rolePermsData = await db\n          .select({ name: permissionsTable.name })\n          .from(rolesToPermissionsTable)\n          .innerJoin(\n            permissionsTable,\n            eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n          )\n          .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n        rolePerms = rolePermsData.map((p) => p.name);\n      }\n    }\n\n    return {\n      roles,\n      permissions: Array.from(new Set([...directPerms, ...rolePerms])),\n    };\n  } catch (error) {\n    console.error(\"[Auth:RBAC] Failed to augment user:\", error);\n    return { roles: [], permissions: [] };\n  }\n}\n\n/**\n * Registry for login validators (e.g. 2FA module)\n */\ntype AuthValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)\n */\ntype SecurityRequirement = (\n  session: Session,\n  user: FullUser,\n) => Promise<{ satisfied: boolean; redirect?: string } | null>;\n\n/**\n * Registry for password reset validators (e.g. 2FA module requiring check during reset)\n */\ntype PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for email verification validators\n */\ntype EmailVerificationValidator = (\n  userId: string,\n) => Promise<AuthResponse | null>;\n\nconst globalForAuth = globalThis as unknown as {\n  __KRYO_AUTH_VALIDATORS__: Set<AuthValidator> | undefined;\n  __KRYO_SECURITY_REQUIREMENTS__: Set<SecurityRequirement> | undefined;\n  __KRYO_PASSWORD_RESET_VALIDATORS__: Set<PasswordResetValidator> | undefined;\n  __KRYO_EMAIL_VERIFICATION_VALIDATORS__:\n    | Set<EmailVerificationValidator>\n    | undefined;\n};\n\nconst authValidators =\n  globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? new Set<AuthValidator>();\nconst securityRequirements =\n  globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ??\n  new Set<SecurityRequirement>();\nconst passwordResetValidators =\n  globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ??\n  new Set<PasswordResetValidator>();\nconst emailVerificationValidators =\n  globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ??\n  new Set<EmailVerificationValidator>();\n\nglobalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;\nglobalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;\nglobalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;\nglobalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =\n  emailVerificationValidators;\n\nexport async function registerAuthValidator(validator: AuthValidator) {\n  authValidators.add(validator);\n}\n\nexport async function registerPasswordResetValidator(\n  validator: PasswordResetValidator,\n) {\n  passwordResetValidators.add(validator);\n}\n\nexport async function registerEmailVerificationValidator(\n  validator: EmailVerificationValidator,\n) {\n  emailVerificationValidators.add(validator);\n}\n\nexport {\n  registerIdentityAugmenter,\n  registerSessionAugmenter,\n  registerPasswordResetSessionAugmenter,\n  augmentUser,\n  augmentSession,\n};\n\nexport async function registerSecurityRequirement(\n  requirement: SecurityRequirement,\n) {\n  securityRequirements.add(requirement);\n}\n\nexport async function runPasswordResetValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of passwordResetValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\nexport async function runEmailVerificationValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of emailVerificationValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\n/**\n * Augments a base user with data from all registered modules.\n * This is now just a wrapper that includes core RBAC data.\n */\nexport async function performFullUserAugmentation(\n  user: User,\n): Promise<FullUser> {\n  const coreRbacData = await coreRbacAugmenter(user);\n  return await augmentUser(user, coreRbacData);\n}\n\n/**\n * Checks if the current session satisfies all registered security requirements.\n */\nexport async function checkSecurity(\n  session: Session,\n  user: FullUser,\n  requiredRoles?: UserRole[],\n  requiredPermissions?: UserPermission[],\n  fallbackRedirect?: string,\n) {\n  if (!user) {\n    console.warn(\"User is required for security check\");\n    return { satisfied: false, redirect: fallbackRedirect ?? \"/signin\" };\n  }\n\n  const userRoles = Array.isArray(user.roles) ? user.roles : [];\n  const userPermissions = Array.isArray(user.permissions)\n    ? user.permissions\n    : [];\n\n  // 1. Core Role Check (At least one role must match)\n  if (requiredRoles && requiredRoles.length > 0) {\n    const hasRole = requiredRoles.some((role) => userRoles.includes(role));\n    if (!hasRole) {\n      console.warn(`User lacks required roles: ${requiredRoles.join(\", \")}`);\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 2. Core Permission Check (ALL permissions must match)\n  if (requiredPermissions && requiredPermissions.length > 0) {\n    const hasAllPermissions = requiredPermissions.every((perm) =>\n      userPermissions.includes(perm),\n    );\n    if (!hasAllPermissions) {\n      console.warn(\n        `User lacks required permissions: ${requiredPermissions.join(\", \")}`,\n      );\n\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 3. Modular Requirements Check\n  if (securityRequirements) {\n    for (const requirement of securityRequirements) {\n      try {\n        const result = await requirement(session, user);\n        if (result && !result.satisfied) {\n          return {\n            ...result,\n            redirect: result.redirect ?? fallbackRedirect,\n          };\n        }\n      } catch (error) {\n        console.error(\"[Auth:Security] Requirement failed:\", error);\n      }\n    }\n  }\n  return { satisfied: true };\n}\n\n/**\n * Sign In Logic\n */\nexport async function signIn(data: LoginInput): Promise<AuthResponse> {\n  const { email, password } = await loginSchema.parseAsync(data);\n\n  const user = await getUserFromEmail(email);\n  if (!user) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  const passwordHash = await getUserPasswordHash(user.id);\n  if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  // Interception Layer\n  for (const validator of authValidators) {\n    const interception = await validator(user.id);\n    if (interception) return interception;\n  }\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    status: \"SUCCESS\",\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Sign Up Logic\n */\nexport async function signUp(data: RegisterInput) {\n  const { email, username, password } = registerSchema.parse(data);\n\n  if (!(await verifyUsernameInput(username))) {\n    throw new Error(\"Invalid username\");\n  }\n\n  if (!(await verifyPasswordStrength(password))) {\n    throw new Error(\"Weak password\");\n  }\n\n  const user = await createUser(email, username, password);\n  const verificationRequest = await createEmailVerificationRequest(\n    user.id,\n    user.email,\n  );\n\n  await sendVerificationEmail(\n    verificationRequest.email,\n    verificationRequest.code,\n  );\n  await setEmailVerificationRequestCookie(verificationRequest);\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Finalizes login after a challenge\n */\nexport async function finalizeLogin(userId: string, flags: SessionFlags) {\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, userId, flags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const user = await getUserById(userId);\n\n  if (user) {\n    await eventBus.publish(\"auth:session-created\", { session, user });\n  }\n\n  return {\n    session: session ? { ...session } : null,\n    user: user ? { ...user } : null,\n  };\n}\n\n/**\n * Sign Out\n */\nexport async function signOut() {\n  const { session, user } = await getCurrentSession();\n  if (session) {\n    if (user) {\n      await eventBus.publish(\"auth:signed-out\", { userId: user.id });\n    }\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA8DA,eAAe,kBAAkB,MAA0C;AACzE,KAAI;EAQF,MAAM,SANY,MAAM,GACrB,OAAO,EAAE,MAAM,WAAW,MAAM,CAAC,CACjC,KAAK,kBAAkB,CACvB,UAAU,YAAY,GAAG,kBAAkB,QAAQ,WAAW,GAAG,CAAC,CAClE,MAAM,GAAG,kBAAkB,QAAQ,KAAK,GAAG,CAAC,EAEvB,KAAK,MAAM,EAAE,KAAK;EAY1C,MAAM,eATkB,MAAM,GAC3B,OAAO,EAAE,MAAM,iBAAiB,MAAM,CAAC,CACvC,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,GAAG,wBAAwB,QAAQ,KAAK,GAAG,CAAC,EAEjB,KAAK,MAAM,EAAE,KAAK;EAGtD,IAAI,YAAsB,EAAE;AAC5B,MAAI,MAAM,SAAS,GAAG;GAMpB,MAAM,WALgB,MAAM,GACzB,OAAO,EAAE,IAAI,WAAW,IAAI,CAAC,CAC7B,KAAK,WAAW,CAChB,MAAM,QAAQ,WAAW,MAAM,MAAM,CAAC,EAEX,KAAK,MAAM,EAAE,GAAG;AAE9C,OAAI,QAAQ,SAAS,EASnB,cARsB,MAAM,GACzB,OAAO,EAAE,MAAM,iBAAiB,MAAM,CAAC,CACvC,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,QAAQ,wBAAwB,QAAQ,QAAQ,CAAC,EAChC,KAAK,MAAM,EAAE,KAAK;;AAIhD,SAAO;GACL;GACA,aAAa,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,aAAa,GAAG,UAAU,CAAC,CAAC;GACjE;UACM,OAAO;AACd,UAAQ,MAAM,uCAAuC,MAAM;AAC3D,SAAO;GAAE,OAAO,EAAE;GAAE,aAAa,EAAE;GAAE;;;AA6BzC,MAAM,gBAAgB;AAStB,MAAM,iBACJ,cAAc,4CAA4B,IAAI,KAAoB;AACpE,MAAM,uBACJ,cAAc,kDACd,IAAI,KAA0B;AAChC,MAAM,0BACJ,cAAc,sDACd,IAAI,KAA6B;AACnC,MAAM,8BACJ,cAAc,0DACd,IAAI,KAAiC;AAEvC,cAAc,2BAA2B;AACzC,cAAc,iCAAiC;AAC/C,cAAc,qCAAqC;AACnD,cAAc,yCACZ;AAEF,eAAsB,sBAAsB,WAA0B;AACpE,gBAAe,IAAI,UAAU;;AAG/B,eAAsB,+BACpB,WACA;AACA,yBAAwB,IAAI,UAAU;;AAGxC,eAAsB,mCACpB,WACA;AACA,6BAA4B,IAAI,UAAU;;AAW5C,eAAsB,4BACpB,aACA;AACA,sBAAqB,IAAI,YAAY;;AAGvC,eAAsB,2BACpB,QAC8B;AAC9B,MAAK,MAAM,aAAa,yBAAyB;EAC/C,MAAM,eAAe,MAAM,UAAU,OAAO;AAC5C,MAAI,aAAc,QAAO;;AAE3B,QAAO;;AAGT,eAAsB,+BACpB,QAC8B;AAC9B,MAAK,MAAM,aAAa,6BAA6B;EACnD,MAAM,eAAe,MAAM,UAAU,OAAO;AAC5C,MAAI,aAAc,QAAO;;AAE3B,QAAO;;;;;;AAOT,eAAsB,4BACpB,MACmB;AAEnB,QAAO,MAAM,YAAY,MADJ,MAAM,kBAAkB,KAAK,CACN;;;;;AAM9C,eAAsB,cACpB,SACA,MACA,eACA,qBACA,kBACA;AACA,KAAI,CAAC,MAAM;AACT,UAAQ,KAAK,sCAAsC;AACnD,SAAO;GAAE,WAAW;GAAO,UAAU,oBAAoB;GAAW;;CAGtE,MAAM,YAAY,MAAM,QAAQ,KAAK,MAAM,GAAG,KAAK,QAAQ,EAAE;CAC7D,MAAM,kBAAkB,MAAM,QAAQ,KAAK,YAAY,GACnD,KAAK,cACL,EAAE;AAGN,KAAI,iBAAiB,cAAc,SAAS,GAE1C;MAAI,CADY,cAAc,MAAM,SAAS,UAAU,SAAS,KAAK,CAAC,EACxD;AACZ,WAAQ,KAAK,8BAA8B,cAAc,KAAK,KAAK,GAAG;AACtE,UAAO;IACL,WAAW;IACX,UAAU;IACX;;;AAKL,KAAI,uBAAuB,oBAAoB,SAAS,GAItD;MAAI,CAHsB,oBAAoB,OAAO,SACnD,gBAAgB,SAAS,KAAK,CAC/B,EACuB;AACtB,WAAQ,KACN,oCAAoC,oBAAoB,KAAK,KAAK,GACnE;AAED,UAAO;IACL,WAAW;IACX,UAAU;IACX;;;AAKL,KAAI,qBACF,MAAK,MAAM,eAAe,qBACxB,KAAI;EACF,MAAM,SAAS,MAAM,YAAY,SAAS,KAAK;AAC/C,MAAI,UAAU,CAAC,OAAO,UACpB,QAAO;GACL,GAAG;GACH,UAAU,OAAO,YAAY;GAC9B;UAEI,OAAO;AACd,UAAQ,MAAM,uCAAuC,MAAM;;AAIjE,QAAO,EAAE,WAAW,MAAM;;;;;AAM5B,eAAsB,OAAO,MAAyC;CACpE,MAAM,EAAE,OAAO,aAAa,MAAM,YAAY,WAAW,KAAK;CAE9D,MAAM,OAAO,MAAM,iBAAiB,MAAM;AAC1C,KAAI,CAAC,KACH,QAAO;EAAE,QAAQ;EAAS,SAAS;EAA6B;CAGlE,MAAM,eAAe,MAAM,oBAAoB,KAAK,GAAG;AACvD,KAAI,CAAC,gBAAgB,CAAE,MAAM,mBAAmB,cAAc,SAAS,CACrE,QAAO;EAAE,QAAQ;EAAS,SAAS;EAA6B;AAIlE,MAAK,MAAM,aAAa,gBAAgB;EACtC,MAAM,eAAe,MAAM,UAAU,KAAK,GAAG;AAC7C,MAAI,aAAc,QAAO;;CAG3B,MAAM,eAA6B,EAAE;CACrC,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,KAAK,IAAI,aAAa;AACxE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,WAAW,MAAM,4BAA4B,KAAK;AACxD,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS,MAAM;EAAU,CAAC;AAE3E,QAAO;EACL,QAAQ;EACR,SAAS,EAAE,GAAG,SAAS;EACvB,MAAM,EAAE,GAAG,UAAU;EACtB;;;;;AAMH,eAAsB,OAAO,MAAqB;CAChD,MAAM,EAAE,OAAO,UAAU,aAAa,eAAe,MAAM,KAAK;AAEhE,KAAI,CAAE,MAAM,oBAAoB,SAAS,CACvC,OAAM,IAAI,MAAM,mBAAmB;AAGrC,KAAI,CAAE,MAAM,uBAAuB,SAAS,CAC1C,OAAM,IAAI,MAAM,gBAAgB;CAGlC,MAAM,OAAO,MAAM,WAAW,OAAO,UAAU,SAAS;CACxD,MAAM,sBAAsB,MAAM,+BAChC,KAAK,IACL,KAAK,MACN;AAED,OAAM,sBACJ,oBAAoB,OACpB,oBAAoB,KACrB;AACD,OAAM,kCAAkC,oBAAoB;CAE5D,MAAM,eAA6B,EAAE;CACrC,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,KAAK,IAAI,aAAa;AACxE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,WAAW,MAAM,4BAA4B,KAAK;AACxD,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS,MAAM;EAAU,CAAC;AAE3E,QAAO;EACL,SAAS,EAAE,GAAG,SAAS;EACvB,MAAM,EAAE,GAAG,UAAU;EACtB;;;;;AAMH,eAAsB,cAAc,QAAgB,OAAqB;CACvE,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,QAAQ,MAAM;AAChE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,OAAO,MAAM,YAAY,OAAO;AAEtC,KAAI,KACF,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS;EAAM,CAAC;AAGnE,QAAO;EACL,SAAS,UAAU,EAAE,GAAG,SAAS,GAAG;EACpC,MAAM,OAAO,EAAE,GAAG,MAAM,GAAG;EAC5B;;;;;AAMH,eAAsB,UAAU;CAC9B,MAAM,EAAE,SAAS,SAAS,MAAM,mBAAmB;AACnD,KAAI,SAAS;AACX,MAAI,KACF,OAAM,SAAS,QAAQ,mBAAmB,EAAE,QAAQ,KAAK,IAAI,CAAC;AAEhE,QAAM,kBAAkB,QAAQ,GAAG;AACnC,QAAM,0BAA0B"}
+{"version":3,"file":"logic.mjs","names":[],"sources":["../../../src/core/auth/logic.ts"],"sourcesContent":["\"use server\";\n\nimport { eq, inArray } from \"drizzle-orm\";\nimport {\n  verifyPasswordHash,\n  verifyPasswordStrength,\n} from \"../../server/auth/password.js\";\nimport {\n  createUser,\n  getUserById,\n  getUserFromEmail,\n  getUserPasswordHash,\n  verifyUsernameInput,\n} from \"../../server/auth/user.js\";\nimport { db } from \"../../server/database/inject.js\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema.js\";\nimport { eventBus } from \"../event-bus.js\";\nimport {\n  augmentSession,\n  augmentUser,\n  registerIdentityAugmenter,\n  registerPasswordResetSessionAugmenter,\n  registerSessionAugmenter,\n} from \"./augment.js\";\nimport {\n  createEmailVerificationRequest,\n  sendVerificationEmail,\n  setEmailVerificationRequestCookie,\n} from \"./email-verification.js\";\nimport {\n  createSession,\n  deleteSessionTokenCookie,\n  generateSessionToken,\n  getCurrentSession,\n  invalidateSession,\n  setSessionTokenCookie,\n} from \"./session.js\";\nimport type {\n  AuthResponse,\n  FullUser,\n  Session,\n  SessionFlags,\n  User,\n  UserPermission,\n  UserRole,\n} from \"./types.js\";\nimport {\n  type LoginInput,\n  loginSchema,\n  type RegisterInput,\n  registerSchema,\n} from \"./validation.js\";\n\n/**\n * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień\n */\nasync function coreRbacAugmenter(user: User): Promise<Record<string, any>> {\n  try {\n    // 1. Fetch direct roles\n    const userRoles = await db\n      .select({ name: rolesTable.name })\n      .from(usersToRolesTable)\n      .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n      .where(eq(usersToRolesTable.userId, user.id));\n\n    const roles = userRoles.map((r) => r.name);\n\n    // 2. Fetch direct permissions\n    const userDirectPerms = await db\n      .select({ name: permissionsTable.name })\n      .from(usersToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(eq(usersToPermissionsTable.userId, user.id));\n\n    const directPerms = userDirectPerms.map((p) => p.name);\n\n    // 3. Fetch permissions from roles\n    let rolePerms: string[] = [];\n    if (roles.length > 0) {\n      const roleIdsResult = await db\n        .select({ id: rolesTable.id })\n        .from(rolesTable)\n        .where(inArray(rolesTable.name, roles));\n\n      const roleIds = roleIdsResult.map((r) => r.id);\n\n      if (roleIds.length > 0) {\n        const rolePermsData = await db\n          .select({ name: permissionsTable.name })\n          .from(rolesToPermissionsTable)\n          .innerJoin(\n            permissionsTable,\n            eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n          )\n          .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n        rolePerms = rolePermsData.map((p) => p.name);\n      }\n    }\n\n    return {\n      roles,\n      permissions: Array.from(new Set([...directPerms, ...rolePerms])),\n    };\n  } catch (error) {\n    console.error(\"[Auth:RBAC] Failed to augment user:\", error);\n    return { roles: [], permissions: [] };\n  }\n}\n\n/**\n * Registry for login validators (e.g. 2FA module)\n */\ntype AuthValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)\n */\ntype SecurityRequirement = (\n  session: Session,\n  user: FullUser,\n) => Promise<{ satisfied: boolean; redirect?: string } | null>;\n\n/**\n * Registry for password reset validators (e.g. 2FA module requiring check during reset)\n */\ntype PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for email verification validators\n */\ntype EmailVerificationValidator = (\n  userId: string,\n) => Promise<AuthResponse | null>;\n\nconst globalForAuth = globalThis as unknown as {\n  __KRYO_AUTH_VALIDATORS__: Set<AuthValidator> | undefined;\n  __KRYO_SECURITY_REQUIREMENTS__: Set<SecurityRequirement> | undefined;\n  __KRYO_PASSWORD_RESET_VALIDATORS__: Set<PasswordResetValidator> | undefined;\n  __KRYO_EMAIL_VERIFICATION_VALIDATORS__:\n  | Set<EmailVerificationValidator>\n  | undefined;\n};\n\nconst authValidators =\n  globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? new Set<AuthValidator>();\nconst securityRequirements =\n  globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ??\n  new Set<SecurityRequirement>();\nconst passwordResetValidators =\n  globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ??\n  new Set<PasswordResetValidator>();\nconst emailVerificationValidators =\n  globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ??\n  new Set<EmailVerificationValidator>();\n\nglobalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;\nglobalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;\nglobalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;\nglobalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =\n  emailVerificationValidators;\n\nexport async function registerAuthValidator(validator: AuthValidator) {\n  authValidators.add(validator);\n}\n\nexport async function registerPasswordResetValidator(\n  validator: PasswordResetValidator,\n) {\n  passwordResetValidators.add(validator);\n}\n\nexport async function registerEmailVerificationValidator(\n  validator: EmailVerificationValidator,\n) {\n  emailVerificationValidators.add(validator);\n}\n\nexport {\n  registerIdentityAugmenter,\n  registerSessionAugmenter,\n  registerPasswordResetSessionAugmenter,\n  augmentUser,\n  augmentSession,\n};\n\nexport async function registerSecurityRequirement(\n  requirement: SecurityRequirement,\n) {\n  securityRequirements.add(requirement);\n}\n\nexport async function runPasswordResetValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of passwordResetValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\nexport async function runEmailVerificationValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of emailVerificationValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\n/**\n * Augments a base user with data from all registered modules.\n * This is now just a wrapper that includes core RBAC data.\n */\nexport async function performFullUserAugmentation(\n  user: User,\n): Promise<FullUser> {\n  const coreRbacData = await coreRbacAugmenter(user);\n  return await augmentUser(user, coreRbacData);\n}\n\n/**\n * Checks if the current session satisfies all registered security requirements.\n */\nexport async function checkSecurity(\n  session: Session,\n  user: FullUser,\n  requiredRoles?: UserRole[],\n  requiredPermissions?: UserPermission[],\n  fallbackRedirect?: string,\n) {\n  if (!user) {\n    console.warn(\"User is required for security check\");\n    return { satisfied: false, redirect: fallbackRedirect ?? \"/signin\" };\n  }\n\n  const userRoles = Array.isArray(user.roles) ? user.roles : [];\n  const userPermissions = Array.isArray(user.permissions)\n    ? user.permissions\n    : [];\n\n  // 1. Core Role Check (At least one role must match)\n  if (requiredRoles && requiredRoles.length > 0) {\n    const hasRole = requiredRoles.some((role) => userRoles.includes(role));\n    if (!hasRole) {\n      console.warn(`User lacks required roles: ${requiredRoles.join(\", \")}`);\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 2. Core Permission Check (ALL permissions must match)\n  if (requiredPermissions && requiredPermissions.length > 0) {\n    const hasAllPermissions = requiredPermissions.every((perm) =>\n      userPermissions.includes(perm),\n    );\n    if (!hasAllPermissions) {\n      console.warn(\n        `User lacks required permissions: ${requiredPermissions.join(\", \")}`,\n      );\n\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 3. Modular Requirements Check\n  if (securityRequirements) {\n    for (const requirement of securityRequirements) {\n      try {\n        const result = await requirement(session, user);\n        if (result && !result.satisfied) {\n          return {\n            ...result,\n            redirect: result.redirect ?? fallbackRedirect,\n          };\n        }\n      } catch (error) {\n        console.error(\"[Auth:Security] Requirement failed:\", error);\n      }\n    }\n  }\n  return { satisfied: true };\n}\n\n/**\n * Sign In Logic\n */\nexport async function signIn(data: LoginInput): Promise<AuthResponse> {\n  const { email, password } = await loginSchema.parseAsync(data);\n\n  const user = await getUserFromEmail(email);\n  if (!user) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  const passwordHash = await getUserPasswordHash(user.id);\n  if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  // Interception Layer\n  for (const validator of authValidators) {\n    const interception = await validator(user.id);\n    if (interception) return interception;\n  }\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    status: \"SUCCESS\",\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Sign Up Logic\n */\nexport async function signUp(data: RegisterInput) {\n  const { email, username, password } = registerSchema.parse(data);\n\n  if (!(await verifyUsernameInput(username))) {\n    throw new Error(\"Invalid username\");\n  }\n\n  if (!(await verifyPasswordStrength(password))) {\n    throw new Error(\"Weak password\");\n  }\n\n  const user = await createUser(email, username, password);\n  const verificationRequest = await createEmailVerificationRequest(\n    user.id,\n    user.email,\n  );\n\n  await sendVerificationEmail(\n    verificationRequest.email,\n    verificationRequest.code,\n  );\n  await setEmailVerificationRequestCookie(verificationRequest);\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Finalizes login after a challenge\n */\nexport async function finalizeLogin(userId: string, flags: SessionFlags) {\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, userId, flags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const user = await getUserById(userId);\n\n  if (user) {\n    await eventBus.publish(\"auth:session-created\", { session, user });\n  }\n\n  return {\n    session: session ? { ...session } : null,\n    user: user ? { ...user } : null,\n  };\n}\n\n/**\n * Sign Out\n */\nexport async function signOut() {\n  const { session, user } = await getCurrentSession();\n  if (session) {\n    if (user) {\n      await eventBus.publish(\"auth:signed-out\", { userId: user.id });\n    }\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n}\n"],"mappings":"ylCA8DA,eAAe,EAAkB,EAA0C,CACzE,GAAI,CAQF,IAAM,GANY,MAAM,EACrB,OAAO,CAAE,KAAM,EAAW,KAAM,CAAC,CACjC,KAAK,EAAkB,CACvB,UAAU,EAAY,EAAG,EAAkB,OAAQ,EAAW,GAAG,CAAC,CAClE,MAAM,EAAG,EAAkB,OAAQ,EAAK,GAAG,CAAC,EAEvB,IAAK,GAAM,EAAE,KAAK,CAYpC,GATkB,MAAM,EAC3B,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAG,EAAwB,OAAQ,EAAK,GAAG,CAAC,EAEjB,IAAK,GAAM,EAAE,KAAK,CAGlD,EAAsB,EAAE,CAC5B,GAAI,EAAM,OAAS,EAAG,CAMpB,IAAM,GALgB,MAAM,EACzB,OAAO,CAAE,GAAI,EAAW,GAAI,CAAC,CAC7B,KAAK,EAAW,CAChB,MAAM,EAAQ,EAAW,KAAM,EAAM,CAAC,EAEX,IAAK,GAAM,EAAE,GAAG,CAE1C,EAAQ,OAAS,IASnB,GARsB,MAAM,EACzB,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAQ,EAAwB,OAAQ,EAAQ,CAAC,EAChC,IAAK,GAAM,EAAE,KAAK,EAIhD,MAAO,CACL,QACA,YAAa,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,EAAa,GAAG,EAAU,CAAC,CAAC,CACjE,OACM,EAAO,CAEd,OADA,QAAQ,MAAM,sCAAuC,EAAM,CACpD,CAAE,MAAO,EAAE,CAAE,YAAa,EAAE,CAAE,EA6BzC,MAAM,EAAgB,WAShB,EACJ,EAAc,0BAA4B,IAAI,IAC1C,EACJ,EAAc,gCACd,IAAI,IACA,EACJ,EAAc,oCACd,IAAI,IACA,EACJ,EAAc,wCACd,IAAI,IAEN,EAAc,yBAA2B,EACzC,EAAc,+BAAiC,EAC/C,EAAc,mCAAqC,EACnD,EAAc,uCACZ,EAEF,eAAsB,EAAsB,EAA0B,CACpE,EAAe,IAAI,EAAU,CAG/B,eAAsB,EACpB,EACA,CACA,EAAwB,IAAI,EAAU,CAGxC,eAAsB,EACpB,EACA,CACA,EAA4B,IAAI,EAAU,CAW5C,eAAsB,EACpB,EACA,CACA,EAAqB,IAAI,EAAY,CAGvC,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAAyB,CAC/C,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAGT,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAA6B,CACnD,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAOT,eAAsB,EACpB,EACmB,CAEnB,OAAO,MAAM,EAAY,EADJ,MAAM,EAAkB,EAAK,CACN,CAM9C,eAAsB,EACpB,EACA,EACA,EACA,EACA,EACA,CACA,GAAI,CAAC,EAEH,OADA,QAAQ,KAAK,sCAAsC,CAC5C,CAAE,UAAW,GAAO,SAAU,GAAoB,UAAW,CAGtE,IAAM,EAAY,MAAM,QAAQ,EAAK,MAAM,CAAG,EAAK,MAAQ,EAAE,CACvD,EAAkB,MAAM,QAAQ,EAAK,YAAY,CACnD,EAAK,YACL,EAAE,CAGN,GAAI,GAAiB,EAAc,OAAS,GAEtC,CADY,EAAc,KAAM,GAAS,EAAU,SAAS,EAAK,CAAC,CAGpE,OADA,QAAQ,KAAK,8BAA8B,EAAc,KAAK,KAAK,GAAG,CAC/D,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,GAAuB,EAAoB,OAAS,GAIlD,CAHsB,EAAoB,MAAO,GACnD,EAAgB,SAAS,EAAK,CAC/B,CAMC,OAJA,QAAQ,KACN,oCAAoC,EAAoB,KAAK,KAAK,GACnE,CAEM,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,EACF,IAAK,IAAM,KAAe,EACxB,GAAI,CACF,IAAM,EAAS,MAAM,EAAY,EAAS,EAAK,CAC/C,GAAI,GAAU,CAAC,EAAO,UACpB,MAAO,CACL,GAAG,EACH,SAAU,EAAO,UAAY,EAC9B,OAEI,EAAO,CACd,QAAQ,MAAM,sCAAuC,EAAM,CAIjE,MAAO,CAAE,UAAW,GAAM,CAM5B,eAAsB,EAAO,EAAyC,CACpE,GAAM,CAAE,QAAO,YAAa,MAAM,EAAY,WAAW,EAAK,CAExD,EAAO,MAAM,EAAiB,EAAM,CAC1C,GAAI,CAAC,EACH,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAGlE,IAAM,EAAe,MAAM,EAAoB,EAAK,GAAG,CACvD,GAAI,CAAC,GAAgB,CAAE,MAAM,EAAmB,EAAc,EAAS,CACrE,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAIlE,IAAK,IAAM,KAAa,EAAgB,CACtC,IAAM,EAAe,MAAM,EAAU,EAAK,GAAG,CAC7C,GAAI,EAAc,OAAO,EAG3B,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,OAAQ,UACR,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAO,EAAqB,CAChD,GAAM,CAAE,QAAO,WAAU,YAAa,EAAe,MAAM,EAAK,CAEhE,GAAI,CAAE,MAAM,EAAoB,EAAS,CACvC,MAAU,MAAM,mBAAmB,CAGrC,GAAI,CAAE,MAAM,EAAuB,EAAS,CAC1C,MAAU,MAAM,gBAAgB,CAGlC,IAAM,EAAO,MAAM,EAAW,EAAO,EAAU,EAAS,CAClD,EAAsB,MAAM,EAChC,EAAK,GACL,EAAK,MACN,CAED,MAAM,EACJ,EAAoB,MACpB,EAAoB,KACrB,CACD,MAAM,EAAkC,EAAoB,CAE5D,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAc,EAAgB,EAAqB,CACvE,IAAM,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAQ,EAAM,CAChE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAO,MAAM,EAAY,EAAO,CAMtC,OAJI,GACF,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,OAAM,CAAC,CAG5D,CACL,QAAS,EAAU,CAAE,GAAG,EAAS,CAAG,KACpC,KAAM,EAAO,CAAE,GAAG,EAAM,CAAG,KAC5B,CAMH,eAAsB,GAAU,CAC9B,GAAM,CAAE,UAAS,QAAS,MAAM,GAAmB,CAC/C,IACE,GACF,MAAM,EAAS,QAAQ,kBAAmB,CAAE,OAAQ,EAAK,GAAI,CAAC,CAEhE,MAAM,EAAkB,EAAQ,GAAG,CACnC,MAAM,GAA0B"}