@arch-cadre/core 0.0.42 → 0.0.43

package/dist/core/auth/augment.d.ts

@@ -0,0 +1,18 @@
+import type { FullUser, PasswordResetSession, Session, User } from "./types";
+/**
+ * REGISTRIES FOR MODULAR EXTENSIONS
+ */
+type IdentityAugmenter = (user: User) => Promise<Partial<FullUser>>;
+type SessionAugmenter = (session: Session) => Promise<Partial<Session>>;
+type PasswordResetSessionAugmenter = (session: PasswordResetSession) => Promise<Partial<PasswordResetSession>>;
+export declare function registerIdentityAugmenter(augmenter: IdentityAugmenter): void;
+export declare function registerSessionAugmenter(augmenter: SessionAugmenter): void;
+export declare function registerPasswordResetSessionAugmenter(augmenter: PasswordResetSessionAugmenter): void;
+/**
+ * EXECUTION FUNCTIONS
+ */
+export declare function augmentUser(user: User, coreRbacData?: Record<string, any>): Promise<FullUser>;
+export declare function augmentSession(session: Session): Promise<Session>;
+export declare function augmentPasswordResetSession(session: PasswordResetSession): Promise<PasswordResetSession>;
+export {};
+//# sourceMappingURL=augment.d.ts.map

package/dist/core/auth/augment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"augment.d.ts","sourceRoot":"","sources":["../../../src/core/auth/augment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAE7E;;GAEG;AAEH,KAAK,iBAAiB,GAAG,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;AACpE,KAAK,gBAAgB,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AACxE,KAAK,6BAA6B,GAAG,CACnC,OAAO,EAAE,oBAAoB,KAC1B,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAuB5C,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,iBAAiB,QAErE;AAED,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,gBAAgB,QAEnE;AAED,wBAAgB,qCAAqC,CACnD,SAAS,EAAE,6BAA6B,QAGzC;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,IAAI,EACV,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACjC,OAAO,CAAC,QAAQ,CAAC,CAOnB;AAED,wBAAsB,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAOvE;AAED,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAO/B"}

package/dist/core/auth/augment.js

@@ -0,0 +1,45 @@
+var _a, _b, _c;
+const globalForAugment = globalThis;
+const identityAugmenters = (_a = globalForAugment.__KRYO_IDENTITY_AUGMENTERS__) !== null && _a !== void 0 ? _a : new Set();
+const sessionAugmenters = (_b = globalForAugment.__KRYO_SESSION_AUGMENTERS__) !== null && _b !== void 0 ? _b : new Set();
+const passwordResetSessionAugmenters = (_c = globalForAugment.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__) !== null && _c !== void 0 ? _c : new Set();
+globalForAugment.__KRYO_IDENTITY_AUGMENTERS__ = identityAugmenters;
+globalForAugment.__KRYO_SESSION_AUGMENTERS__ = sessionAugmenters;
+globalForAugment.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__ =
+    passwordResetSessionAugmenters;
+export function registerIdentityAugmenter(augmenter) {
+    identityAugmenters.add(augmenter);
+}
+export function registerSessionAugmenter(augmenter) {
+    sessionAugmenters.add(augmenter);
+}
+export function registerPasswordResetSessionAugmenter(augmenter) {
+    passwordResetSessionAugmenters.add(augmenter);
+}
+/**
+ * EXECUTION FUNCTIONS
+ */
+export async function augmentUser(user, coreRbacData) {
+    let augmentedData = coreRbacData || {};
+    for (const augmenter of identityAugmenters) {
+        const data = await augmenter(user);
+        augmentedData = { ...augmentedData, ...data };
+    }
+    return { ...user, ...augmentedData };
+}
+export async function augmentSession(session) {
+    let augmentedData = {};
+    for (const augmenter of sessionAugmenters) {
+        const data = await augmenter(session);
+        augmentedData = { ...augmentedData, ...data };
+    }
+    return { ...session, ...augmentedData };
+}
+export async function augmentPasswordResetSession(session) {
+    let augmentedData = {};
+    for (const augmenter of passwordResetSessionAugmenters) {
+        const data = await augmenter(session);
+        augmentedData = { ...augmentedData, ...data };
+    }
+    return { ...session, ...augmentedData };
+}

package/dist/core/auth/email-verification.d.ts

@@ -0,0 +1,58 @@
+import { emailVerificationTable } from "../../server/database/schema";
+/**
+ * Register Email Verification as a Core Security Requirement.
+ */
+export declare function initEmailVerification(): Promise<void>;
+/**
+ * Retrieves a specific email verification request for a user.
+ */
+export declare function getUserEmailVerificationRequest(userId: string, id: string): Promise<{
+    id: string;
+    email: string;
+    code: string;
+    userId: string;
+    expiresAt: Date;
+    createdAt: Date;
+    updatedAt: Date | null;
+}>;
+/**
+ * Creates a new email verification request, deleting any existing one for the user.
+ */
+export declare function createEmailVerificationRequest(userId: string, email: string): Promise<{
+    id: string;
+    email: string;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    expiresAt: Date;
+    code: string;
+}>;
+/**
+ * Deletes all email verification requests for a user.
+ */
+export declare function deleteUserEmailVerificationRequest(userId: string): Promise<void>;
+/**
+ * Sends a verification email with the OTP code.
+ */
+export declare function sendVerificationEmail(email: string, code: string): Promise<void>;
+/**
+ * Sets the email verification request ID in a cookie.
+ */
+export declare function setEmailVerificationRequestCookie(request: typeof emailVerificationTable.$inferSelect): Promise<void>;
+/**
+ * Removes the email verification request cookie.
+ */
+export declare function deleteEmailVerificationRequestCookie(): Promise<void>;
+/**
+ * Retrieves the current email verification request based on session and cookie.
+ */
+export declare function getUserEmailVerificationRequestFromRequest(): Promise<{
+    id: string;
+    email: string;
+    code: string;
+    userId: string;
+    expiresAt: Date;
+    createdAt: Date;
+    updatedAt: Date | null;
+} | null>;
+//# sourceMappingURL=email-verification.d.ts.map

package/dist/core/auth/email-verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.d.ts","sourceRoot":"","sources":["../../../src/core/auth/email-verification.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAMtE;;GAEG;AACH,wBAAsB,qBAAqB,kBAU1C;AAED;;GAEG;AACH,wBAAsB,+BAA+B,CACnD,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,MAAM;;;;;;;;GAaX;AAED;;GAEG;AACH,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM;;;;;;;;GAiBd;AAED;;GAEG;AACH,wBAAsB,kCAAkC,CACtD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAIf;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;GAEG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,OAAO,sBAAsB,CAAC,YAAY,GAClD,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;GAEG;AACH,wBAAsB,oCAAoC,IAAI,OAAO,CAAC,IAAI,CAAC,CAG1E;AAED;;GAEG;AACH,wBAAsB,0CAA0C;;;;;;;;UAqB/D"}

package/dist/core/auth/email-verification.js

@@ -0,0 +1,105 @@
+"use server";
+import { addHours } from "date-fns";
+import { and, eq } from "drizzle-orm";
+import { cookies } from "next/headers";
+import { db } from "../../server/database/inject";
+import { emailVerificationTable } from "../../server/database/schema";
+import { sendVerifyEmail } from "../../server/emails/index";
+import { registerSecurityRequirement } from "./logic";
+import { getCurrentSession } from "./session";
+import { generateRandomOTP } from "./utils/encode";
+/**
+ * Register Email Verification as a Core Security Requirement.
+ */
+export async function initEmailVerification() {
+    registerSecurityRequirement(async (_session, user) => {
+        if (!user.emailVerifiedAt) {
+            return {
+                satisfied: false,
+                redirect: "/verify-email?unverified",
+            };
+        }
+        return { satisfied: true };
+    });
+}
+/**
+ * Retrieves a specific email verification request for a user.
+ */
+export async function getUserEmailVerificationRequest(userId, id) {
+    const [session] = await db
+        .select()
+        .from(emailVerificationTable)
+        .where(and(eq(emailVerificationTable.id, id), eq(emailVerificationTable.userId, userId)));
+    return session;
+}
+/**
+ * Creates a new email verification request, deleting any existing one for the user.
+ */
+export async function createEmailVerificationRequest(userId, email) {
+    await deleteUserEmailVerificationRequest(userId);
+    const code = generateRandomOTP();
+    const [verificationRequest] = await db
+        .insert(emailVerificationTable)
+        .values({
+        userId,
+        code,
+        email,
+        expiresAt: new Date(addHours(new Date(), 1)),
+    })
+        .returning();
+    return verificationRequest;
+}
+/**
+ * Deletes all email verification requests for a user.
+ */
+export async function deleteUserEmailVerificationRequest(userId) {
+    await db
+        .delete(emailVerificationTable)
+        .where(eq(emailVerificationTable.userId, userId));
+}
+/**
+ * Sends a verification email with the OTP code.
+ */
+export async function sendVerificationEmail(email, code) {
+    await sendVerifyEmail(email, code);
+}
+/**
+ * Sets the email verification request ID in a cookie.
+ */
+export async function setEmailVerificationRequestCookie(request) {
+    const cookieStore = await cookies();
+    cookieStore.set("email_verification", request.id, {
+        httpOnly: true,
+        path: "/",
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        expires: request.expiresAt,
+    });
+}
+/**
+ * Removes the email verification request cookie.
+ */
+export async function deleteEmailVerificationRequestCookie() {
+    const cookieStore = await cookies();
+    cookieStore.delete("email_verification");
+}
+/**
+ * Retrieves the current email verification request based on session and cookie.
+ */
+export async function getUserEmailVerificationRequestFromRequest() {
+    var _a, _b;
+    const { user } = await getCurrentSession();
+    if (!user) {
+        return null;
+    }
+    const cookieStore = await cookies();
+    const id = (_b = (_a = cookieStore.get("email_verification")) === null || _a === void 0 ? void 0 : _a.value) !== null && _b !== void 0 ? _b : null;
+    if (!id) {
+        return null;
+    }
+    const request = await getUserEmailVerificationRequest(user.id, id);
+    if (!request) {
+        await deleteEmailVerificationRequestCookie();
+    }
+    return request;
+}

package/dist/core/auth/events.d.ts

@@ -0,0 +1,53 @@
+import type { Session, User } from "./types";
+export type AuthEventPayloads = {
+    /**
+     * Emitted after password/base credentials are verified,
+     * but BEFORE the final session is created.
+     * Listeners can return a "veto" to require additional factors.
+     */
+    "auth:validate-factors": {
+        userId: string;
+        email: string;
+    };
+    /**
+     * Emitted after a full session is successfully created.
+     */
+    "auth:session-created": {
+        session: Session;
+        user: User;
+    };
+    /**
+     * Emitted after a user signs out.
+     */
+    "auth:signed-out": {
+        userId: string;
+    };
+    /**
+     * Emitted when a password reset is requested.
+     */
+    "auth:password-reset:requested": {
+        userId: string;
+        email: string;
+    };
+    /**
+     * Emitted when a password has been successfully reset.
+     */
+    "auth:password-reset:completed": {
+        userId: string;
+    };
+    /**
+     * Emitted when a verification email is sent.
+     */
+    "auth:verification-requested": {
+        userId: string;
+        email: string;
+    };
+    /**
+     * Emitted when a user successfully verifies their email.
+     */
+    "auth:email-verified": {
+        userId: string;
+        email: string;
+    };
+};
+//# sourceMappingURL=events.d.ts.map

package/dist/core/auth/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../../src/core/auth/events.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;;OAIG;IACH,uBAAuB,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IAEF;;OAEG;IACH,sBAAsB,EAAE;QACtB,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,IAAI,CAAC;KACZ,CAAC;IAEF;;OAEG;IACH,iBAAiB,EAAE;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF;;OAEG;IACH,+BAA+B,EAAE;QAC/B,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IAEF;;OAEG;IACH,+BAA+B,EAAE;QAC/B,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF;;OAEG;IACH,6BAA6B,EAAE;QAC7B,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IAEF;;OAEG;IACH,qBAAqB,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;CACH,CAAC"}

package/dist/core/auth/events.js

@@ -0,0 +1 @@
+export {};

package/dist/core/auth/logic.d.ts

@@ -0,0 +1,106 @@
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment";
+import type { AuthResponse, FullUser, Session, SessionFlags, User, UserPermission, UserRole } from "./types";
+import { type LoginInput, type RegisterInput } from "./validation";
+/**
+ * Registry for login validators (e.g. 2FA module)
+ */
+type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
+ */
+type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
+    satisfied: boolean;
+    redirect?: string;
+} | null>;
+/**
+ * Registry for password reset validators (e.g. 2FA module requiring check during reset)
+ */
+type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for email verification validators
+ */
+type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
+export declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
+export declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
+export declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
+export { registerIdentityAugmenter, registerSessionAugmenter, registerPasswordResetSessionAugmenter, augmentUser, augmentSession, };
+export declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
+export declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
+export declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+export declare function performFullUserAugmentation(user: User): Promise<FullUser>;
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+export declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
+    satisfied: boolean;
+    redirect: string | undefined;
+} | {
+    satisfied: boolean;
+    redirect?: undefined;
+}>;
+/**
+ * Sign In Logic
+ */
+export declare function signIn(data: LoginInput): Promise<AuthResponse>;
+/**
+ * Sign Up Logic
+ */
+export declare function signUp(data: RegisterInput): Promise<{
+    session: {
+        [x: string]: any;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date | null;
+        userId: string;
+        active_organization_id: string | null;
+        expiresAt: Date;
+    };
+    user: {
+        [x: string]: any;
+        id: string;
+        email: string;
+        name: string;
+        password: string | null;
+        image: string | null;
+        recovery_code: Buffer<ArrayBufferLike>;
+        emailVerifiedAt: Date | null;
+        createdAt: Date;
+        updatedAt: Date | null;
+        roles: UserRole[];
+        permissions: UserPermission[];
+    };
+}>;
+/**
+ * Finalizes login after a challenge
+ */
+export declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
+    session: {
+        [x: string]: any;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date | null;
+        userId: string;
+        active_organization_id: string | null;
+        expiresAt: Date;
+    } | null;
+    user: {
+        id: string;
+        email: string;
+        name: string;
+        password: string | null;
+        image: string | null;
+        recovery_code: Buffer<ArrayBufferLike>;
+        emailVerifiedAt: Date | null;
+        createdAt: Date;
+        updatedAt: Date | null;
+    } | null;
+}>;
+/**
+ * Sign Out
+ */
+export declare function signOut(): Promise<void>;
+//# sourceMappingURL=logic.d.ts.map

package/dist/core/auth/logic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.ts","sourceRoot":"","sources":["../../../src/core/auth/logic.ts"],"names":[],"mappings":"AAuBA,OAAO,EACL,cAAc,EACd,WAAW,EACX,yBAAyB,EACzB,qCAAqC,EACrC,wBAAwB,EACzB,MAAM,WAAW,CAAC;AAcnB,OAAO,KAAK,EACV,YAAY,EACZ,QAAQ,EACR,OAAO,EACP,YAAY,EACZ,IAAI,EACJ,cAAc,EACd,QAAQ,EACT,MAAM,SAAS,CAAC;AACjB,OAAO,EACL,KAAK,UAAU,EAEf,KAAK,aAAa,EAEnB,MAAM,cAAc,CAAC;AA6DtB;;GAEG;AACH,KAAK,aAAa,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;AAEtE;;GAEG;AACH,KAAK,mBAAmB,GAAG,CACzB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,QAAQ,KACX,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAAC;AAE/D;;GAEG;AACH,KAAK,sBAAsB,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;AAE/E;;GAEG;AACH,KAAK,0BAA0B,GAAG,CAChC,MAAM,EAAE,MAAM,KACX,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;AA6BlC,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,aAAa,iBAEnE;AAED,wBAAsB,8BAA8B,CAClD,SAAS,EAAE,sBAAsB,iBAGlC;AAED,wBAAsB,kCAAkC,CACtD,SAAS,EAAE,0BAA0B,iBAGtC;AAED,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,qCAAqC,EACrC,WAAW,EACX,cAAc,GACf,CAAC;AAEF,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,mBAAmB,iBAGjC;AAED,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAM9B;AAED,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAM9B;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,QAAQ,CAAC,CAGnB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,QAAQ,EACd,aAAa,CAAC,EAAE,QAAQ,EAAE,EAC1B,mBAAmB,CAAC,EAAE,cAAc,EAAE,EACtC,gBAAgB,CAAC,EAAE,MAAM;;;;;;GA0D1B;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAgCpE;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,IAAI,EAAE,aAAa;;;;;;;;;;;;;;;;;;;;;;;;GAmC/C;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;GAetE;AAED;;GAEG;AACH,wBAAsB,OAAO,kBAS5B"}

package/dist/core/auth/logic.js

@@ -0,0 +1,245 @@
+"use server";
+var _a, _b, _c, _d;
+import { eq, inArray } from "drizzle-orm";
+import { verifyPasswordHash, verifyPasswordStrength, } from "../../server/auth/password";
+import { createUser, getUserById, getUserFromEmail, getUserPasswordHash, verifyUsernameInput, } from "../../server/auth/user";
+import { db } from "../../server/database/inject";
+import { permissionsTable, rolesTable, rolesToPermissionsTable, usersToPermissionsTable, usersToRolesTable, } from "../../server/database/schema";
+import { eventBus } from "../event-bus";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter, } from "./augment";
+import { createEmailVerificationRequest, sendVerificationEmail, setEmailVerificationRequestCookie, } from "./email-verification";
+import { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, invalidateSession, setSessionTokenCookie, } from "./session";
+import { loginSchema, registerSchema, } from "./validation";
+/**
+ * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
+ */
+async function coreRbacAugmenter(user) {
+    try {
+        // 1. Fetch direct roles
+        const userRoles = await db
+            .select({ name: rolesTable.name })
+            .from(usersToRolesTable)
+            .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))
+            .where(eq(usersToRolesTable.userId, user.id));
+        const roles = userRoles.map((r) => r.name);
+        // 2. Fetch direct permissions
+        const userDirectPerms = await db
+            .select({ name: permissionsTable.name })
+            .from(usersToPermissionsTable)
+            .innerJoin(permissionsTable, eq(usersToPermissionsTable.permissionId, permissionsTable.id))
+            .where(eq(usersToPermissionsTable.userId, user.id));
+        const directPerms = userDirectPerms.map((p) => p.name);
+        // 3. Fetch permissions from roles
+        let rolePerms = [];
+        if (roles.length > 0) {
+            const roleIdsResult = await db
+                .select({ id: rolesTable.id })
+                .from(rolesTable)
+                .where(inArray(rolesTable.name, roles));
+            const roleIds = roleIdsResult.map((r) => r.id);
+            if (roleIds.length > 0) {
+                const rolePermsData = await db
+                    .select({ name: permissionsTable.name })
+                    .from(rolesToPermissionsTable)
+                    .innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id))
+                    .where(inArray(rolesToPermissionsTable.roleId, roleIds));
+                rolePerms = rolePermsData.map((p) => p.name);
+            }
+        }
+        return {
+            roles,
+            permissions: Array.from(new Set([...directPerms, ...rolePerms])),
+        };
+    }
+    catch (error) {
+        console.error("[Auth:RBAC] Failed to augment user:", error);
+        return { roles: [], permissions: [] };
+    }
+}
+const globalForAuth = globalThis;
+const authValidators = (_a = globalForAuth.__KRYO_AUTH_VALIDATORS__) !== null && _a !== void 0 ? _a : new Set();
+const securityRequirements = (_b = globalForAuth.__KRYO_SECURITY_REQUIREMENTS__) !== null && _b !== void 0 ? _b : new Set();
+const passwordResetValidators = (_c = globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__) !== null && _c !== void 0 ? _c : new Set();
+const emailVerificationValidators = (_d = globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__) !== null && _d !== void 0 ? _d : new Set();
+globalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;
+globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;
+globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
+globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =
+    emailVerificationValidators;
+export async function registerAuthValidator(validator) {
+    authValidators.add(validator);
+}
+export async function registerPasswordResetValidator(validator) {
+    passwordResetValidators.add(validator);
+}
+export async function registerEmailVerificationValidator(validator) {
+    emailVerificationValidators.add(validator);
+}
+export { registerIdentityAugmenter, registerSessionAugmenter, registerPasswordResetSessionAugmenter, augmentUser, augmentSession, };
+export async function registerSecurityRequirement(requirement) {
+    securityRequirements.add(requirement);
+}
+export async function runPasswordResetValidators(userId) {
+    for (const validator of passwordResetValidators) {
+        const interception = await validator(userId);
+        if (interception)
+            return interception;
+    }
+    return null;
+}
+export async function runEmailVerificationValidators(userId) {
+    for (const validator of emailVerificationValidators) {
+        const interception = await validator(userId);
+        if (interception)
+            return interception;
+    }
+    return null;
+}
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+export async function performFullUserAugmentation(user) {
+    const coreRbacData = await coreRbacAugmenter(user);
+    return await augmentUser(user, coreRbacData);
+}
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+export async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
+    var _a;
+    if (!user) {
+        console.warn("User is required for security check");
+        return { satisfied: false, redirect: fallbackRedirect !== null && fallbackRedirect !== void 0 ? fallbackRedirect : "/signin" };
+    }
+    const userRoles = Array.isArray(user.roles) ? user.roles : [];
+    const userPermissions = Array.isArray(user.permissions)
+        ? user.permissions
+        : [];
+    // 1. Core Role Check (At least one role must match)
+    if (requiredRoles && requiredRoles.length > 0) {
+        const hasRole = requiredRoles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+            console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
+            return {
+                satisfied: false,
+                redirect: fallbackRedirect,
+            };
+        }
+    }
+    // 2. Core Permission Check (ALL permissions must match)
+    if (requiredPermissions && requiredPermissions.length > 0) {
+        const hasAllPermissions = requiredPermissions.every((perm) => userPermissions.includes(perm));
+        if (!hasAllPermissions) {
+            console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
+            return {
+                satisfied: false,
+                redirect: fallbackRedirect,
+            };
+        }
+    }
+    // 3. Modular Requirements Check
+    if (securityRequirements) {
+        for (const requirement of securityRequirements) {
+            try {
+                const result = await requirement(session, user);
+                if (result && !result.satisfied) {
+                    return {
+                        ...result,
+                        redirect: (_a = result.redirect) !== null && _a !== void 0 ? _a : fallbackRedirect,
+                    };
+                }
+            }
+            catch (error) {
+                console.error("[Auth:Security] Requirement failed:", error);
+            }
+        }
+    }
+    return { satisfied: true };
+}
+/**
+ * Sign In Logic
+ */
+export async function signIn(data) {
+    const { email, password } = await loginSchema.parseAsync(data);
+    const user = await getUserFromEmail(email);
+    if (!user) {
+        return { status: "ERROR", message: "Invalid email or password" };
+    }
+    const passwordHash = await getUserPasswordHash(user.id);
+    if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {
+        return { status: "ERROR", message: "Invalid email or password" };
+    }
+    // Interception Layer
+    for (const validator of authValidators) {
+        const interception = await validator(user.id);
+        if (interception)
+            return interception;
+    }
+    const sessionFlags = {};
+    const sessionToken = await generateSessionToken();
+    const session = await createSession(sessionToken, user.id, sessionFlags);
+    await setSessionTokenCookie(sessionToken, session.expiresAt);
+    const fullUser = await performFullUserAugmentation(user);
+    await eventBus.publish("auth:session-created", { session, user: fullUser });
+    return {
+        status: "SUCCESS",
+        session: { ...session },
+        user: { ...fullUser },
+    };
+}
+/**
+ * Sign Up Logic
+ */
+export async function signUp(data) {
+    const { email, username, password } = registerSchema.parse(data);
+    if (!(await verifyUsernameInput(username))) {
+        throw new Error("Invalid username");
+    }
+    if (!(await verifyPasswordStrength(password))) {
+        throw new Error("Weak password");
+    }
+    const user = await createUser(email, username, password);
+    const verificationRequest = await createEmailVerificationRequest(user.id, user.email);
+    await sendVerificationEmail(verificationRequest.email, verificationRequest.code);
+    await setEmailVerificationRequestCookie(verificationRequest);
+    const sessionFlags = {};
+    const sessionToken = await generateSessionToken();
+    const session = await createSession(sessionToken, user.id, sessionFlags);
+    await setSessionTokenCookie(sessionToken, session.expiresAt);
+    const fullUser = await performFullUserAugmentation(user);
+    await eventBus.publish("auth:session-created", { session, user: fullUser });
+    return {
+        session: { ...session },
+        user: { ...fullUser },
+    };
+}
+/**
+ * Finalizes login after a challenge
+ */
+export async function finalizeLogin(userId, flags) {
+    const sessionToken = await generateSessionToken();
+    const session = await createSession(sessionToken, userId, flags);
+    await setSessionTokenCookie(sessionToken, session.expiresAt);
+    const user = await getUserById(userId);
+    if (user) {
+        await eventBus.publish("auth:session-created", { session, user });
+    }
+    return {
+        session: session ? { ...session } : null,
+        user: user ? { ...user } : null,
+    };
+}
+/**
+ * Sign Out
+ */
+export async function signOut() {
+    const { session, user } = await getCurrentSession();
+    if (session) {
+        if (user) {
+            await eventBus.publish("auth:signed-out", { userId: user.id });
+        }
+        await invalidateSession(session.id);
+        await deleteSessionTokenCookie();
+    }
+}