@arch-cadre/core 0.0.55 → 0.0.57

package/dist/_virtual/_rolldown/runtime.cjs

@@ -0,0 +1 @@
+var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,i,o,s)=>{if(i&&typeof i==`object`||typeof i==`function`)for(var c=r(i),l=0,u=c.length,d;l<u;l++)d=c[l],!a.call(e,d)&&d!==o&&t(e,d,{get:(e=>i[e]).bind(null,d),enumerable:!(s=n(i,d))||s.enumerable});return e},s=(n,r,a)=>(a=n==null?{}:e(i(n)),o(r||!n||!n.__esModule?t(a,`default`,{value:n,enumerable:!0}):a,n));exports.__toESM=s;

package/dist/_virtual/_rolldown/runtime.mjs

@@ -0,0 +1 @@
+var e=Object.defineProperty,t=(t,n)=>{let r={};for(var i in t)e(r,i,{get:t[i],enumerable:!0});return n||e(r,Symbol.toStringTag,{value:`Module`}),r};export{t as __exportAll};

package/dist/core/auth/augment.cjs

@@ -0,0 +1 @@
+const e=globalThis,t=e.__KRYO_IDENTITY_AUGMENTERS__??new Set,n=e.__KRYO_SESSION_AUGMENTERS__??new Set,r=e.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__??new Set;e.__KRYO_IDENTITY_AUGMENTERS__=t,e.__KRYO_SESSION_AUGMENTERS__=n,e.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__=r;function i(e){t.add(e)}function a(e){n.add(e)}function o(e){r.add(e)}async function s(e,n){let r=n||{};for(let n of t){let t=await n(e);r={...r,...t}}return{...e,...r}}async function c(e){let t={};for(let r of n){let n=await r(e);t={...t,...n}}return{...e,...t}}async function l(e){let t={};for(let n of r){let r=await n(e);t={...t,...r}}return{...e,...t}}exports.augmentPasswordResetSession=l,exports.augmentSession=c,exports.augmentUser=s,exports.registerIdentityAugmenter=i,exports.registerPasswordResetSessionAugmenter=o,exports.registerSessionAugmenter=a;

package/dist/core/auth/augment.d.cts

@@ -0,0 +1,20 @@
+import { FullUser, PasswordResetSession, Session, User } from "./types.cjs";
+
+//#region src/core/auth/augment.d.ts
+/**
+ * REGISTRIES FOR MODULAR EXTENSIONS
+ */
+type IdentityAugmenter = (user: User) => Promise<Partial<FullUser>>;
+type SessionAugmenter = (session: Session) => Promise<Partial<Session>>;
+type PasswordResetSessionAugmenter = (session: PasswordResetSession) => Promise<Partial<PasswordResetSession>>;
+declare function registerIdentityAugmenter(augmenter: IdentityAugmenter): void;
+declare function registerSessionAugmenter(augmenter: SessionAugmenter): void;
+declare function registerPasswordResetSessionAugmenter(augmenter: PasswordResetSessionAugmenter): void;
+/**
+ * EXECUTION FUNCTIONS
+ */
+declare function augmentUser(user: User, coreRbacData?: Record<string, any>): Promise<FullUser>;
+declare function augmentSession(session: Session): Promise<Session>;
+//#endregion
+export { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter };
+//# sourceMappingURL=augment.d.cts.map

package/dist/core/auth/augment.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"augment.d.cts","names":[],"sources":["../../../src/core/auth/augment.ts"],"mappings":";;;;;AAA6E;KAMxE,iBAAA,IAAqB,IAAA,EAAM,IAAA,KAAS,OAAA,CAAQ,OAAA,CAAQ,QAAA;AAAA,KACpD,gBAAA,IAAoB,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,CAAQ,OAAA;AAAA,KACzD,6BAAA,IACH,OAAA,EAAS,oBAAA,KACN,OAAA,CAAQ,OAAA,CAAQ,oBAAA;AAAA,iBAuBL,yBAAA,CAA0B,SAAA,EAAW,iBAAA;AAAA,iBAIrC,wBAAA,CAAyB,SAAA,EAAW,gBAAA;AAAA,iBAIpC,qCAAA,CACd,SAAA,EAAW,6BAAA;;;;iBAQS,WAAA,CACpB,IAAA,EAAM,IAAA,EACN,YAAA,GAAe,MAAA,gBACd,OAAA,CAAQ,QAAA;AAAA,iBASW,cAAA,CAAe,OAAA,EAAS,OAAA,GAAU,OAAA,CAAQ,OAAA"}

package/dist/core/auth/augment.d.mts

@@ -0,0 +1,20 @@
+import { FullUser, PasswordResetSession, Session, User } from "./types.mjs";
+
+//#region src/core/auth/augment.d.ts
+/**
+ * REGISTRIES FOR MODULAR EXTENSIONS
+ */
+type IdentityAugmenter = (user: User) => Promise<Partial<FullUser>>;
+type SessionAugmenter = (session: Session) => Promise<Partial<Session>>;
+type PasswordResetSessionAugmenter = (session: PasswordResetSession) => Promise<Partial<PasswordResetSession>>;
+declare function registerIdentityAugmenter(augmenter: IdentityAugmenter): void;
+declare function registerSessionAugmenter(augmenter: SessionAugmenter): void;
+declare function registerPasswordResetSessionAugmenter(augmenter: PasswordResetSessionAugmenter): void;
+/**
+ * EXECUTION FUNCTIONS
+ */
+declare function augmentUser(user: User, coreRbacData?: Record<string, any>): Promise<FullUser>;
+declare function augmentSession(session: Session): Promise<Session>;
+//#endregion
+export { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter };
+//# sourceMappingURL=augment.d.mts.map

package/dist/core/auth/augment.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"augment.d.mts","names":[],"sources":["../../../src/core/auth/augment.ts"],"mappings":";;;;;AAA6E;KAMxE,iBAAA,IAAqB,IAAA,EAAM,IAAA,KAAS,OAAA,CAAQ,OAAA,CAAQ,QAAA;AAAA,KACpD,gBAAA,IAAoB,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,CAAQ,OAAA;AAAA,KACzD,6BAAA,IACH,OAAA,EAAS,oBAAA,KACN,OAAA,CAAQ,OAAA,CAAQ,oBAAA;AAAA,iBAuBL,yBAAA,CAA0B,SAAA,EAAW,iBAAA;AAAA,iBAIrC,wBAAA,CAAyB,SAAA,EAAW,gBAAA;AAAA,iBAIpC,qCAAA,CACd,SAAA,EAAW,6BAAA;;;;iBAQS,WAAA,CACpB,IAAA,EAAM,IAAA,EACN,YAAA,GAAe,MAAA,gBACd,OAAA,CAAQ,QAAA;AAAA,iBASW,cAAA,CAAe,OAAA,EAAS,OAAA,GAAU,OAAA,CAAQ,OAAA"}

package/dist/core/auth/augment.mjs

@@ -0,0 +1,2 @@
+const e=globalThis,t=e.__KRYO_IDENTITY_AUGMENTERS__??new Set,n=e.__KRYO_SESSION_AUGMENTERS__??new Set,r=e.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__??new Set;e.__KRYO_IDENTITY_AUGMENTERS__=t,e.__KRYO_SESSION_AUGMENTERS__=n,e.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__=r;function i(e){t.add(e)}function a(e){n.add(e)}function o(e){r.add(e)}async function s(e,n){let r=n||{};for(let n of t){let t=await n(e);r={...r,...t}}return{...e,...r}}async function c(e){let t={};for(let r of n){let n=await r(e);t={...t,...n}}return{...e,...t}}async function l(e){let t={};for(let n of r){let r=await n(e);t={...t,...r}}return{...e,...t}}export{l as augmentPasswordResetSession,c as augmentSession,s as augmentUser,i as registerIdentityAugmenter,o as registerPasswordResetSessionAugmenter,a as registerSessionAugmenter};
+//# sourceMappingURL=augment.mjs.map

package/dist/core/auth/augment.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"augment.mjs","names":[],"sources":["../../../src/core/auth/augment.ts"],"sourcesContent":["import type { FullUser, PasswordResetSession, Session, User } from \"./types\";\n\n/**\n * REGISTRIES FOR MODULAR EXTENSIONS\n */\n\ntype IdentityAugmenter = (user: User) => Promise<Partial<FullUser>>;\ntype SessionAugmenter = (session: Session) => Promise<Partial<Session>>;\ntype PasswordResetSessionAugmenter = (\n  session: PasswordResetSession,\n) => Promise<Partial<PasswordResetSession>>;\n\nconst globalForAugment = globalThis as unknown as {\n  __KRYO_IDENTITY_AUGMENTERS__: Set<IdentityAugmenter> | undefined;\n  __KRYO_SESSION_AUGMENTERS__: Set<SessionAugmenter> | undefined;\n  __KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__:\n  | Set<PasswordResetSessionAugmenter>\n  | undefined;\n};\n\nconst identityAugmenters =\n  globalForAugment.__KRYO_IDENTITY_AUGMENTERS__ ?? new Set<IdentityAugmenter>();\nconst sessionAugmenters =\n  globalForAugment.__KRYO_SESSION_AUGMENTERS__ ?? new Set<SessionAugmenter>();\nconst passwordResetSessionAugmenters =\n  globalForAugment.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__ ??\n  new Set<PasswordResetSessionAugmenter>();\n\nglobalForAugment.__KRYO_IDENTITY_AUGMENTERS__ = identityAugmenters;\nglobalForAugment.__KRYO_SESSION_AUGMENTERS__ = sessionAugmenters;\nglobalForAugment.__KRYO_PASSWORD_RESET_SESSION_AUGMENTERS__ =\n  passwordResetSessionAugmenters;\n\nexport function registerIdentityAugmenter(augmenter: IdentityAugmenter) {\n  identityAugmenters.add(augmenter);\n}\n\nexport function registerSessionAugmenter(augmenter: SessionAugmenter) {\n  sessionAugmenters.add(augmenter);\n}\n\nexport function registerPasswordResetSessionAugmenter(\n  augmenter: PasswordResetSessionAugmenter,\n) {\n  passwordResetSessionAugmenters.add(augmenter);\n}\n\n/**\n * EXECUTION FUNCTIONS\n */\nexport async function augmentUser(\n  user: User,\n  coreRbacData?: Record<string, any>,\n): Promise<FullUser> {\n  let augmentedData = coreRbacData || {};\n  for (const augmenter of identityAugmenters) {\n    const data = await augmenter(user);\n    augmentedData = { ...augmentedData, ...data };\n  }\n  return { ...user, ...augmentedData } as FullUser;\n}\n\nexport async function augmentSession(session: Session): Promise<Session> {\n  let augmentedData = {};\n  for (const augmenter of sessionAugmenters) {\n    const data = await augmenter(session);\n    augmentedData = { ...augmentedData, ...data };\n  }\n  return { ...session, ...augmentedData } as Session;\n}\n\nexport async function augmentPasswordResetSession(\n  session: PasswordResetSession,\n): Promise<PasswordResetSession> {\n  let augmentedData = {};\n  for (const augmenter of passwordResetSessionAugmenters) {\n    const data = await augmenter(session);\n    augmentedData = { ...augmentedData, ...data };\n  }\n  return { ...session, ...augmentedData } as PasswordResetSession;\n}\n"],"mappings":"AAYA,MAAM,EAAmB,WAQnB,EACJ,EAAiB,8BAAgC,IAAI,IACjD,EACJ,EAAiB,6BAA+B,IAAI,IAChD,EACJ,EAAiB,4CACjB,IAAI,IAEN,EAAiB,6BAA+B,EAChD,EAAiB,4BAA8B,EAC/C,EAAiB,2CACf,EAEF,SAAgB,EAA0B,EAA8B,CACtE,EAAmB,IAAI,EAAU,CAGnC,SAAgB,EAAyB,EAA6B,CACpE,EAAkB,IAAI,EAAU,CAGlC,SAAgB,EACd,EACA,CACA,EAA+B,IAAI,EAAU,CAM/C,eAAsB,EACpB,EACA,EACmB,CACnB,IAAI,EAAgB,GAAgB,EAAE,CACtC,IAAK,IAAM,KAAa,EAAoB,CAC1C,IAAM,EAAO,MAAM,EAAU,EAAK,CAClC,EAAgB,CAAE,GAAG,EAAe,GAAG,EAAM,CAE/C,MAAO,CAAE,GAAG,EAAM,GAAG,EAAe,CAGtC,eAAsB,EAAe,EAAoC,CACvE,IAAI,EAAgB,EAAE,CACtB,IAAK,IAAM,KAAa,EAAmB,CACzC,IAAM,EAAO,MAAM,EAAU,EAAQ,CACrC,EAAgB,CAAE,GAAG,EAAe,GAAG,EAAM,CAE/C,MAAO,CAAE,GAAG,EAAS,GAAG,EAAe,CAGzC,eAAsB,EACpB,EAC+B,CAC/B,IAAI,EAAgB,EAAE,CACtB,IAAK,IAAM,KAAa,EAAgC,CACtD,IAAM,EAAO,MAAM,EAAU,EAAQ,CACrC,EAAgB,CAAE,GAAG,EAAe,GAAG,EAAM,CAE/C,MAAO,CAAE,GAAG,EAAS,GAAG,EAAe"}

package/dist/core/auth/email-verification.cjs

@@ -0,0 +1 @@
+"use server";require(`../../_virtual/_rolldown/runtime.cjs`);const e=require(`../../server/database/inject.cjs`),t=require(`../../server/database/schema.cjs`),n=require(`./utils/encode.cjs`),r=require(`../../server/emails/index.cjs`),i=require(`./logic.cjs`),a=require(`./session.cjs`);let o=require(`drizzle-orm`),s=require(`date-fns`),c=require(`next/headers`);async function l(){i.registerSecurityRequirement(async(e,t)=>t.emailVerifiedAt?{satisfied:!0}:{satisfied:!1,redirect:`/verify-email?unverified`})}async function u(n,r){let[i]=await e.db.select().from(t.emailVerificationTable).where((0,o.and)((0,o.eq)(t.emailVerificationTable.id,r),(0,o.eq)(t.emailVerificationTable.userId,n)));return i}async function d(r,i){await f(r);let a=n.generateRandomOTP(),[o]=await e.db.insert(t.emailVerificationTable).values({userId:r,code:a,email:i,expiresAt:new Date((0,s.addHours)(new Date,1))}).returning();return o}async function f(n){await e.db.delete(t.emailVerificationTable).where((0,o.eq)(t.emailVerificationTable.userId,n))}async function p(e,t){await r.sendVerifyEmail(e,t)}async function m(e){(await(0,c.cookies)()).set(`email_verification`,e.id,{httpOnly:!0,path:`/`,secure:process.env.NODE_ENV===`production`,sameSite:`lax`,expires:e.expiresAt})}async function h(){(await(0,c.cookies)()).delete(`email_verification`)}async function g(){let{user:e}=await a.getCurrentSession();if(!e)return null;let t=(await(0,c.cookies)()).get(`email_verification`)?.value??null;if(!t)return null;let n=await u(e.id,t);return n||await h(),n}exports.createEmailVerificationRequest=d,exports.deleteEmailVerificationRequestCookie=h,exports.deleteUserEmailVerificationRequest=f,exports.getUserEmailVerificationRequest=u,exports.getUserEmailVerificationRequestFromRequest=g,exports.initEmailVerification=l,exports.sendVerificationEmail=p,exports.setEmailVerificationRequestCookie=m;

package/dist/core/auth/email-verification.d.cts

@@ -0,0 +1,62 @@
+import { emailVerificationTable } from "../../server/database/schema.cjs";
+
+//#region src/core/auth/email-verification.d.ts
+/**
+ * Register Email Verification as a Core Security Requirement.
+ */
+declare function initEmailVerification(): Promise<void>;
+/**
+ * Retrieves a specific email verification request for a user.
+ */
+declare function getUserEmailVerificationRequest(userId: string, id: string): Promise<{
+  id: string;
+  email: string;
+  code: string;
+  userId: string;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date | null;
+}>;
+/**
+ * Creates a new email verification request, deleting any existing one for the user.
+ */
+declare function createEmailVerificationRequest(userId: string, email: string): Promise<{
+  id: string;
+  email: string;
+  createdAt: Date;
+  updatedAt: Date | null;
+  userId: string;
+  expiresAt: Date;
+  code: string;
+}>;
+/**
+ * Deletes all email verification requests for a user.
+ */
+declare function deleteUserEmailVerificationRequest(userId: string): Promise<void>;
+/**
+ * Sends a verification email with the OTP code.
+ */
+declare function sendVerificationEmail(email: string, code: string): Promise<void>;
+/**
+ * Sets the email verification request ID in a cookie.
+ */
+declare function setEmailVerificationRequestCookie(request: typeof emailVerificationTable.$inferSelect): Promise<void>;
+/**
+ * Removes the email verification request cookie.
+ */
+declare function deleteEmailVerificationRequestCookie(): Promise<void>;
+/**
+ * Retrieves the current email verification request based on session and cookie.
+ */
+declare function getUserEmailVerificationRequestFromRequest(): Promise<{
+  id: string;
+  email: string;
+  code: string;
+  userId: string;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date | null;
+} | null>;
+//#endregion
+export { createEmailVerificationRequest, deleteEmailVerificationRequestCookie, deleteUserEmailVerificationRequest, getUserEmailVerificationRequest, getUserEmailVerificationRequestFromRequest, initEmailVerification, sendVerificationEmail, setEmailVerificationRequestCookie };
+//# sourceMappingURL=email-verification.d.cts.map

package/dist/core/auth/email-verification.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.d.cts","names":[],"sources":["../../../src/core/auth/email-verification.ts"],"mappings":";;;;;AAeA;iBAAsB,qBAAA,CAAA,GAAqB,OAAA;;;;iBAerB,+BAAA,CACpB,MAAA,UACA,EAAA,WAAU,OAAA;;;;;;;;;;;;iBAkBU,8BAAA,CACpB,MAAA,UACA,KAAA,WAAa,OAAA;;;;;;;;;;;;iBAsBO,kCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,qBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA;;;;iBAOmB,iCAAA,CACpB,OAAA,SAAgB,sBAAA,CAAuB,YAAA,GACtC,OAAA;;;;iBAemB,oCAAA,CAAA,GAAwC,OAAA;;;;iBAQxC,0CAAA,CAAA,GAA0C,OAAA"}

package/dist/core/auth/email-verification.d.mts

@@ -0,0 +1,62 @@
+import { emailVerificationTable } from "../../server/database/schema.mjs";
+
+//#region src/core/auth/email-verification.d.ts
+/**
+ * Register Email Verification as a Core Security Requirement.
+ */
+declare function initEmailVerification(): Promise<void>;
+/**
+ * Retrieves a specific email verification request for a user.
+ */
+declare function getUserEmailVerificationRequest(userId: string, id: string): Promise<{
+  id: string;
+  email: string;
+  code: string;
+  userId: string;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date | null;
+}>;
+/**
+ * Creates a new email verification request, deleting any existing one for the user.
+ */
+declare function createEmailVerificationRequest(userId: string, email: string): Promise<{
+  id: string;
+  email: string;
+  createdAt: Date;
+  updatedAt: Date | null;
+  userId: string;
+  expiresAt: Date;
+  code: string;
+}>;
+/**
+ * Deletes all email verification requests for a user.
+ */
+declare function deleteUserEmailVerificationRequest(userId: string): Promise<void>;
+/**
+ * Sends a verification email with the OTP code.
+ */
+declare function sendVerificationEmail(email: string, code: string): Promise<void>;
+/**
+ * Sets the email verification request ID in a cookie.
+ */
+declare function setEmailVerificationRequestCookie(request: typeof emailVerificationTable.$inferSelect): Promise<void>;
+/**
+ * Removes the email verification request cookie.
+ */
+declare function deleteEmailVerificationRequestCookie(): Promise<void>;
+/**
+ * Retrieves the current email verification request based on session and cookie.
+ */
+declare function getUserEmailVerificationRequestFromRequest(): Promise<{
+  id: string;
+  email: string;
+  code: string;
+  userId: string;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date | null;
+} | null>;
+//#endregion
+export { createEmailVerificationRequest, deleteEmailVerificationRequestCookie, deleteUserEmailVerificationRequest, getUserEmailVerificationRequest, getUserEmailVerificationRequestFromRequest, initEmailVerification, sendVerificationEmail, setEmailVerificationRequestCookie };
+//# sourceMappingURL=email-verification.d.mts.map

package/dist/core/auth/email-verification.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.d.mts","names":[],"sources":["../../../src/core/auth/email-verification.ts"],"mappings":";;;;;AAeA;iBAAsB,qBAAA,CAAA,GAAqB,OAAA;;;;iBAerB,+BAAA,CACpB,MAAA,UACA,EAAA,WAAU,OAAA;;;;;;;;;;;;iBAkBU,8BAAA,CACpB,MAAA,UACA,KAAA,WAAa,OAAA;;;;;;;;;;;;iBAsBO,kCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,qBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA;;;;iBAOmB,iCAAA,CACpB,OAAA,SAAgB,sBAAA,CAAuB,YAAA,GACtC,OAAA;;;;iBAemB,oCAAA,CAAA,GAAwC,OAAA;;;;iBAQxC,0CAAA,CAAA,GAA0C,OAAA"}

package/dist/core/auth/email-verification.mjs

@@ -0,0 +1,2 @@
+"use server";import{db as e}from"../../server/database/inject.mjs";import{emailVerificationTable as t}from"../../server/database/schema.mjs";import{generateRandomOTP as n}from"./utils/encode.mjs";import{sendVerifyEmail as r}from"../../server/emails/index.mjs";import{registerSecurityRequirement as i}from"./logic.mjs";import{getCurrentSession as a}from"./session.mjs";import{and as o,eq as s}from"drizzle-orm";import{addHours as c}from"date-fns";import{cookies as l}from"next/headers";async function u(){i(async(e,t)=>t.emailVerifiedAt?{satisfied:!0}:{satisfied:!1,redirect:`/verify-email?unverified`})}async function d(n,r){let[i]=await e.select().from(t).where(o(s(t.id,r),s(t.userId,n)));return i}async function f(r,i){await p(r);let a=n(),[o]=await e.insert(t).values({userId:r,code:a,email:i,expiresAt:new Date(c(new Date,1))}).returning();return o}async function p(n){await e.delete(t).where(s(t.userId,n))}async function m(e,t){await r(e,t)}async function h(e){(await l()).set(`email_verification`,e.id,{httpOnly:!0,path:`/`,secure:process.env.NODE_ENV===`production`,sameSite:`lax`,expires:e.expiresAt})}async function g(){(await l()).delete(`email_verification`)}async function _(){let{user:e}=await a();if(!e)return null;let t=(await l()).get(`email_verification`)?.value??null;if(!t)return null;let n=await d(e.id,t);return n||await g(),n}export{f as createEmailVerificationRequest,g as deleteEmailVerificationRequestCookie,p as deleteUserEmailVerificationRequest,d as getUserEmailVerificationRequest,_ as getUserEmailVerificationRequestFromRequest,u as initEmailVerification,m as sendVerificationEmail,h as setEmailVerificationRequestCookie};
+//# sourceMappingURL=email-verification.mjs.map

package/dist/core/auth/email-verification.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-verification.mjs","names":[],"sources":["../../../src/core/auth/email-verification.ts"],"sourcesContent":["\"use server\";\n\nimport { addHours } from \"date-fns\";\nimport { and, eq } from \"drizzle-orm\";\nimport { cookies } from \"next/headers\";\nimport { db } from \"../../server/database/inject\";\nimport { emailVerificationTable } from \"../../server/database/schema\";\nimport { sendVerifyEmail } from \"../../server/emails/index\";\nimport { registerSecurityRequirement } from \"./logic\";\nimport { getCurrentSession } from \"./session\";\nimport { generateRandomOTP } from \"./utils/encode\";\n\n/**\n * Register Email Verification as a Core Security Requirement.\n */\nexport async function initEmailVerification() {\n  registerSecurityRequirement(async (_session, user) => {\n    if (!user.emailVerifiedAt) {\n      return {\n        satisfied: false,\n        redirect: \"/verify-email?unverified\",\n      };\n    }\n    return { satisfied: true };\n  });\n}\n\n/**\n * Retrieves a specific email verification request for a user.\n */\nexport async function getUserEmailVerificationRequest(\n  userId: string,\n  id: string,\n) {\n  const [session] = await db\n    .select()\n    .from(emailVerificationTable)\n    .where(\n      and(\n        eq(emailVerificationTable.id, id),\n        eq(emailVerificationTable.userId, userId),\n      ),\n    );\n\n  return session;\n}\n\n/**\n * Creates a new email verification request, deleting any existing one for the user.\n */\nexport async function createEmailVerificationRequest(\n  userId: string,\n  email: string,\n) {\n  await deleteUserEmailVerificationRequest(userId);\n\n  const code = generateRandomOTP();\n\n  const [verificationRequest] = await db\n    .insert(emailVerificationTable)\n    .values({\n      userId,\n      code,\n      email,\n      expiresAt: new Date(addHours(new Date(), 1)),\n    })\n    .returning();\n\n  return verificationRequest;\n}\n\n/**\n * Deletes all email verification requests for a user.\n */\nexport async function deleteUserEmailVerificationRequest(\n  userId: string,\n): Promise<void> {\n  await db\n    .delete(emailVerificationTable)\n    .where(eq(emailVerificationTable.userId, userId));\n}\n\n/**\n * Sends a verification email with the OTP code.\n */\nexport async function sendVerificationEmail(\n  email: string,\n  code: string,\n): Promise<void> {\n  await sendVerifyEmail(email, code);\n}\n\n/**\n * Sets the email verification request ID in a cookie.\n */\nexport async function setEmailVerificationRequestCookie(\n  request: typeof emailVerificationTable.$inferSelect,\n): Promise<void> {\n  const cookieStore = await cookies();\n\n  cookieStore.set(\"email_verification\", request.id, {\n    httpOnly: true,\n    path: \"/\",\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    expires: request.expiresAt,\n  });\n}\n\n/**\n * Removes the email verification request cookie.\n */\nexport async function deleteEmailVerificationRequestCookie(): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.delete(\"email_verification\");\n}\n\n/**\n * Retrieves the current email verification request based on session and cookie.\n */\nexport async function getUserEmailVerificationRequestFromRequest() {\n  const { user } = await getCurrentSession();\n\n  if (!user) {\n    return null;\n  }\n\n  const cookieStore = await cookies();\n  const id = cookieStore.get(\"email_verification\")?.value ?? null;\n\n  if (!id) {\n    return null;\n  }\n\n  const request = await getUserEmailVerificationRequest(user.id, id);\n\n  if (!request) {\n    await deleteEmailVerificationRequestCookie();\n  }\n\n  return request;\n}\n"],"mappings":"qeAeA,eAAsB,GAAwB,CAC5C,EAA4B,MAAO,EAAU,IACtC,EAAK,gBAMH,CAAE,UAAW,GAAM,CALjB,CACL,UAAW,GACX,SAAU,2BACX,CAGH,CAMJ,eAAsB,EACpB,EACA,EACA,CACA,GAAM,CAAC,GAAW,MAAM,EACrB,QAAQ,CACR,KAAK,EAAuB,CAC5B,MACC,EACE,EAAG,EAAuB,GAAI,EAAG,CACjC,EAAG,EAAuB,OAAQ,EAAO,CAC1C,CACF,CAEH,OAAO,EAMT,eAAsB,EACpB,EACA,EACA,CACA,MAAM,EAAmC,EAAO,CAEhD,IAAM,EAAO,GAAmB,CAE1B,CAAC,GAAuB,MAAM,EACjC,OAAO,EAAuB,CAC9B,OAAO,CACN,SACA,OACA,QACA,UAAW,IAAI,KAAK,EAAS,IAAI,KAAQ,EAAE,CAAC,CAC7C,CAAC,CACD,WAAW,CAEd,OAAO,EAMT,eAAsB,EACpB,EACe,CACf,MAAM,EACH,OAAO,EAAuB,CAC9B,MAAM,EAAG,EAAuB,OAAQ,EAAO,CAAC,CAMrD,eAAsB,EACpB,EACA,EACe,CACf,MAAM,EAAgB,EAAO,EAAK,CAMpC,eAAsB,EACpB,EACe,EACK,MAAM,GAAS,EAEvB,IAAI,qBAAsB,EAAQ,GAAI,CAChD,SAAU,GACV,KAAM,IACN,OAAQ,QAAQ,IAAI,WAAa,aACjC,SAAU,MACV,QAAS,EAAQ,UAClB,CAAC,CAMJ,eAAsB,GAAsD,EACtD,MAAM,GAAS,EACvB,OAAO,qBAAqB,CAM1C,eAAsB,GAA6C,CACjE,GAAM,CAAE,QAAS,MAAM,GAAmB,CAE1C,GAAI,CAAC,EACH,OAAO,KAIT,IAAM,GADc,MAAM,GAAS,EACZ,IAAI,qBAAqB,EAAE,OAAS,KAE3D,GAAI,CAAC,EACH,OAAO,KAGT,IAAM,EAAU,MAAM,EAAgC,EAAK,GAAI,EAAG,CAMlE,OAJK,GACH,MAAM,GAAsC,CAGvC"}

package/dist/core/auth/logic.cjs

@@ -0,0 +1 @@
+"use server";require(`../../_virtual/_rolldown/runtime.cjs`);const e=require(`./validation.cjs`),t=require(`../event-bus.cjs`),n=require(`../../server/database/inject.cjs`),r=require(`../../server/database/schema.cjs`),i=require(`./augment.cjs`),a=require(`../../server/auth/password.cjs`),o=require(`../../server/auth/user.cjs`),s=require(`./email-verification.cjs`),c=require(`./session.cjs`);let l=require(`drizzle-orm`);async function u(e){try{let t=(await n.db.select({name:r.rolesTable.name}).from(r.usersToRolesTable).innerJoin(r.rolesTable,(0,l.eq)(r.usersToRolesTable.roleId,r.rolesTable.id)).where((0,l.eq)(r.usersToRolesTable.userId,e.id))).map(e=>e.name),i=(await n.db.select({name:r.permissionsTable.name}).from(r.usersToPermissionsTable).innerJoin(r.permissionsTable,(0,l.eq)(r.usersToPermissionsTable.permissionId,r.permissionsTable.id)).where((0,l.eq)(r.usersToPermissionsTable.userId,e.id))).map(e=>e.name),a=[];if(t.length>0){let e=(await n.db.select({id:r.rolesTable.id}).from(r.rolesTable).where((0,l.inArray)(r.rolesTable.name,t))).map(e=>e.id);e.length>0&&(a=(await n.db.select({name:r.permissionsTable.name}).from(r.rolesToPermissionsTable).innerJoin(r.permissionsTable,(0,l.eq)(r.rolesToPermissionsTable.permissionId,r.permissionsTable.id)).where((0,l.inArray)(r.rolesToPermissionsTable.roleId,e))).map(e=>e.name))}return{roles:t,permissions:Array.from(new Set([...i,...a]))}}catch(e){return console.error(`[Auth:RBAC] Failed to augment user:`,e),{roles:[],permissions:[]}}}const d=globalThis,f=d.__KRYO_AUTH_VALIDATORS__??new Set,p=d.__KRYO_SECURITY_REQUIREMENTS__??new Set,m=d.__KRYO_PASSWORD_RESET_VALIDATORS__??new Set,h=d.__KRYO_EMAIL_VERIFICATION_VALIDATORS__??new Set;d.__KRYO_AUTH_VALIDATORS__=f,d.__KRYO_SECURITY_REQUIREMENTS__=p,d.__KRYO_PASSWORD_RESET_VALIDATORS__=m,d.__KRYO_EMAIL_VERIFICATION_VALIDATORS__=h;async function g(e){f.add(e)}async function _(e){m.add(e)}async function v(e){h.add(e)}async function y(e){p.add(e)}async function b(e){for(let t of m){let n=await t(e);if(n)return n}return null}async function x(e){for(let t of h){let n=await t(e);if(n)return n}return null}async function S(e){return await i.augmentUser(e,await u(e))}async function C(e,t,n,r,i){if(!t)return console.warn(`User is required for security check`),{satisfied:!1,redirect:i??`/signin`};let a=Array.isArray(t.roles)?t.roles:[],o=Array.isArray(t.permissions)?t.permissions:[];if(n&&n.length>0&&!n.some(e=>a.includes(e)))return console.warn(`User lacks required roles: ${n.join(`, `)}`),{satisfied:!1,redirect:i};if(r&&r.length>0&&!r.every(e=>o.includes(e)))return console.warn(`User lacks required permissions: ${r.join(`, `)}`),{satisfied:!1,redirect:i};if(p)for(let n of p)try{let r=await n(e,t);if(r&&!r.satisfied)return{...r,redirect:r.redirect??i}}catch(e){console.error(`[Auth:Security] Requirement failed:`,e)}return{satisfied:!0}}async function w(n){let{email:r,password:i}=await e.loginSchema.parseAsync(n),s=await o.getUserFromEmail(r);if(!s)return{status:`ERROR`,message:`Invalid email or password`};let l=await o.getUserPasswordHash(s.id);if(!l||!await a.verifyPasswordHash(l,i))return{status:`ERROR`,message:`Invalid email or password`};for(let e of f){let t=await e(s.id);if(t)return t}let u={},d=await c.generateSessionToken(),p=await c.createSession(d,s.id,u);await c.setSessionTokenCookie(d,p.expiresAt);let m=await S(s);return await t.eventBus.publish(`auth:session-created`,{session:p,user:m}),{status:`SUCCESS`,session:{...p},user:{...m}}}async function T(n){let{email:r,username:i,password:l}=e.registerSchema.parse(n);if(!await o.verifyUsernameInput(i))throw Error(`Invalid username`);if(!await a.verifyPasswordStrength(l))throw Error(`Weak password`);let u=await o.createUser(r,i,l),d=await s.createEmailVerificationRequest(u.id,u.email);await s.sendVerificationEmail(d.email,d.code),await s.setEmailVerificationRequestCookie(d);let f={},p=await c.generateSessionToken(),m=await c.createSession(p,u.id,f);await c.setSessionTokenCookie(p,m.expiresAt);let h=await S(u);return await t.eventBus.publish(`auth:session-created`,{session:m,user:h}),{session:{...m},user:{...h}}}async function E(e,n){let r=await c.generateSessionToken(),i=await c.createSession(r,e,n);await c.setSessionTokenCookie(r,i.expiresAt);let a=await o.getUserById(e);return a&&await t.eventBus.publish(`auth:session-created`,{session:i,user:a}),{session:i?{...i}:null,user:a?{...a}:null}}async function D(){let{session:e,user:n}=await c.getCurrentSession();e&&(n&&await t.eventBus.publish(`auth:signed-out`,{userId:n.id}),await c.invalidateSession(e.id),await c.deleteSessionTokenCookie())}exports.checkSecurity=C,exports.finalizeLogin=E,exports.performFullUserAugmentation=S,exports.registerAuthValidator=g,exports.registerEmailVerificationValidator=v,exports.registerPasswordResetValidator=_,exports.registerSecurityRequirement=y,exports.runEmailVerificationValidators=x,exports.runPasswordResetValidators=b,exports.signIn=w,exports.signOut=D,exports.signUp=T;

package/dist/core/auth/logic.d.cts

@@ -0,0 +1,110 @@
+import { UserPermission, UserRole } from "../types.cjs";
+import { AuthResponse, FullUser, Session, SessionFlags, User } from "./types.cjs";
+import { LoginInput, RegisterInput } from "./validation.cjs";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.cjs";
+
+//#region src/core/auth/logic.d.ts
+/**
+ * Registry for login validators (e.g. 2FA module)
+ */
+type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
+ */
+type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
+  satisfied: boolean;
+  redirect?: string;
+} | null>;
+/**
+ * Registry for password reset validators (e.g. 2FA module requiring check during reset)
+ */
+type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for email verification validators
+ */
+type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
+declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
+declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
+declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
+declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
+declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
+declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+declare function performFullUserAugmentation(user: User): Promise<FullUser>;
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
+  satisfied: boolean;
+  redirect: string | undefined;
+} | {
+  satisfied: boolean;
+  redirect?: undefined;
+}>;
+/**
+ * Sign In Logic
+ */
+declare function signIn(data: LoginInput): Promise<AuthResponse>;
+/**
+ * Sign Up Logic
+ */
+declare function signUp(data: RegisterInput): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    active_organization_id: string | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    expiresAt: Date;
+  };
+  user: {
+    [x: string]: any;
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    roles: UserRole[];
+    permissions: UserPermission[];
+  };
+}>;
+/**
+ * Finalizes login after a challenge
+ */
+declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    active_organization_id: string | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    expiresAt: Date;
+  } | null;
+  user: {
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+  } | null;
+}>;
+/**
+ * Sign Out
+ */
+declare function signOut(): Promise<void>;
+//#endregion
+export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+//# sourceMappingURL=logic.d.cts.map

package/dist/core/auth/logic.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.cts","names":[],"sources":["../../../src/core/auth/logic.ts"],"mappings":";;;;;;;;;KAyHK,aAAA,IAAiB,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAK5C,mBAAA,IACH,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,KACH,OAAA;EAAU,SAAA;EAAoB,QAAA;AAAA;;AAR0B;;KAaxD,sBAAA,IAA0B,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAKrD,0BAAA,IACH,MAAA,aACG,OAAA,CAAQ,YAAA;AAAA,iBA6BS,qBAAA,CAAsB,SAAA,EAAW,aAAA,GAAa,OAAA;AAAA,iBAI9C,8BAAA,CACpB,SAAA,EAAW,sBAAA,GAAsB,OAAA;AAAA,iBAKb,kCAAA,CACpB,SAAA,EAAW,0BAAA,GAA0B,OAAA;AAAA,iBAajB,2BAAA,CACpB,WAAA,EAAa,mBAAA,GAAmB,OAAA;AAAA,iBAKZ,0BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;AAAA,iBAQW,8BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;;;;AAnFgC;iBA+FrB,2BAAA,CACpB,IAAA,EAAM,IAAA,GACL,OAAA,CAAQ,QAAA;;;;iBAQW,aAAA,CACpB,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,EACN,aAAA,GAAgB,QAAA,IAChB,mBAAA,GAAsB,cAAA,IACtB,gBAAA,YAAyB,OAAA;;;;;;;;;;iBA+DL,MAAA,CAAO,IAAA,EAAM,UAAA,GAAa,OAAA,CAAQ,YAAA;;;AApIxD;iBAyKsB,MAAA,CAAO,IAAA,EAAM,aAAA,GAAa,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AAjJhD;;iBAyLsB,aAAA,CAAc,MAAA,UAAgB,KAAA,EAAO,YAAA,GAAY,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBjD,OAAA,CAAA,GAAO,OAAA"}

package/dist/core/auth/logic.d.mts

@@ -0,0 +1,110 @@
+import { UserPermission, UserRole } from "../types.mjs";
+import { AuthResponse, FullUser, Session, SessionFlags, User } from "./types.mjs";
+import { LoginInput, RegisterInput } from "./validation.mjs";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.mjs";
+
+//#region src/core/auth/logic.d.ts
+/**
+ * Registry for login validators (e.g. 2FA module)
+ */
+type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
+ */
+type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
+  satisfied: boolean;
+  redirect?: string;
+} | null>;
+/**
+ * Registry for password reset validators (e.g. 2FA module requiring check during reset)
+ */
+type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for email verification validators
+ */
+type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
+declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
+declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
+declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
+declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
+declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
+declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+declare function performFullUserAugmentation(user: User): Promise<FullUser>;
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
+  satisfied: boolean;
+  redirect: string | undefined;
+} | {
+  satisfied: boolean;
+  redirect?: undefined;
+}>;
+/**
+ * Sign In Logic
+ */
+declare function signIn(data: LoginInput): Promise<AuthResponse>;
+/**
+ * Sign Up Logic
+ */
+declare function signUp(data: RegisterInput): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    active_organization_id: string | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    expiresAt: Date;
+  };
+  user: {
+    [x: string]: any;
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    roles: UserRole[];
+    permissions: UserPermission[];
+  };
+}>;
+/**
+ * Finalizes login after a challenge
+ */
+declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    active_organization_id: string | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    expiresAt: Date;
+  } | null;
+  user: {
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+  } | null;
+}>;
+/**
+ * Sign Out
+ */
+declare function signOut(): Promise<void>;
+//#endregion
+export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+//# sourceMappingURL=logic.d.mts.map

package/dist/core/auth/logic.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.mts","names":[],"sources":["../../../src/core/auth/logic.ts"],"mappings":";;;;;;;;;KAyHK,aAAA,IAAiB,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAK5C,mBAAA,IACH,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,KACH,OAAA;EAAU,SAAA;EAAoB,QAAA;AAAA;;AAR0B;;KAaxD,sBAAA,IAA0B,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAKrD,0BAAA,IACH,MAAA,aACG,OAAA,CAAQ,YAAA;AAAA,iBA6BS,qBAAA,CAAsB,SAAA,EAAW,aAAA,GAAa,OAAA;AAAA,iBAI9C,8BAAA,CACpB,SAAA,EAAW,sBAAA,GAAsB,OAAA;AAAA,iBAKb,kCAAA,CACpB,SAAA,EAAW,0BAAA,GAA0B,OAAA;AAAA,iBAajB,2BAAA,CACpB,WAAA,EAAa,mBAAA,GAAmB,OAAA;AAAA,iBAKZ,0BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;AAAA,iBAQW,8BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;;;;AAnFgC;iBA+FrB,2BAAA,CACpB,IAAA,EAAM,IAAA,GACL,OAAA,CAAQ,QAAA;;;;iBAQW,aAAA,CACpB,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,EACN,aAAA,GAAgB,QAAA,IAChB,mBAAA,GAAsB,cAAA,IACtB,gBAAA,YAAyB,OAAA;;;;;;;;;;iBA+DL,MAAA,CAAO,IAAA,EAAM,UAAA,GAAa,OAAA,CAAQ,YAAA;;;AApIxD;iBAyKsB,MAAA,CAAO,IAAA,EAAM,aAAA,GAAa,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AAjJhD;;iBAyLsB,aAAA,CAAc,MAAA,UAAgB,KAAA,EAAO,YAAA,GAAY,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBjD,OAAA,CAAA,GAAO,OAAA"}

package/dist/core/auth/logic.mjs

@@ -0,0 +1,2 @@
+"use server";import{loginSchema as e,registerSchema as t}from"./validation.mjs";import{eventBus as n}from"../event-bus.mjs";import{db as r}from"../../server/database/inject.mjs";import{permissionsTable as i,rolesTable as a,rolesToPermissionsTable as o,usersToPermissionsTable as s,usersToRolesTable as c}from"../../server/database/schema.mjs";import{augmentSession as l,augmentUser as u,registerIdentityAugmenter as d,registerPasswordResetSessionAugmenter as f,registerSessionAugmenter as p}from"./augment.mjs";import{verifyPasswordHash as m,verifyPasswordStrength as h}from"../../server/auth/password.mjs";import{createUser as g,getUserById as _,getUserFromEmail as v,getUserPasswordHash as y,verifyUsernameInput as b}from"../../server/auth/user.mjs";import{createEmailVerificationRequest as x,sendVerificationEmail as S,setEmailVerificationRequestCookie as C}from"./email-verification.mjs";import{createSession as w,deleteSessionTokenCookie as T,generateSessionToken as E,getCurrentSession as D,invalidateSession as O,setSessionTokenCookie as k}from"./session.mjs";import{eq as A,inArray as j}from"drizzle-orm";async function M(e){try{let t=(await r.select({name:a.name}).from(c).innerJoin(a,A(c.roleId,a.id)).where(A(c.userId,e.id))).map(e=>e.name),n=(await r.select({name:i.name}).from(s).innerJoin(i,A(s.permissionId,i.id)).where(A(s.userId,e.id))).map(e=>e.name),l=[];if(t.length>0){let e=(await r.select({id:a.id}).from(a).where(j(a.name,t))).map(e=>e.id);e.length>0&&(l=(await r.select({name:i.name}).from(o).innerJoin(i,A(o.permissionId,i.id)).where(j(o.roleId,e))).map(e=>e.name))}return{roles:t,permissions:Array.from(new Set([...n,...l]))}}catch(e){return console.error(`[Auth:RBAC] Failed to augment user:`,e),{roles:[],permissions:[]}}}const N=globalThis,P=N.__KRYO_AUTH_VALIDATORS__??new Set,F=N.__KRYO_SECURITY_REQUIREMENTS__??new Set,I=N.__KRYO_PASSWORD_RESET_VALIDATORS__??new Set,L=N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__??new Set;N.__KRYO_AUTH_VALIDATORS__=P,N.__KRYO_SECURITY_REQUIREMENTS__=F,N.__KRYO_PASSWORD_RESET_VALIDATORS__=I,N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__=L;async function R(e){P.add(e)}async function z(e){I.add(e)}async function B(e){L.add(e)}async function V(e){F.add(e)}async function H(e){for(let t of I){let n=await t(e);if(n)return n}return null}async function U(e){for(let t of L){let n=await t(e);if(n)return n}return null}async function W(e){return await u(e,await M(e))}async function G(e,t,n,r,i){if(!t)return console.warn(`User is required for security check`),{satisfied:!1,redirect:i??`/signin`};let a=Array.isArray(t.roles)?t.roles:[],o=Array.isArray(t.permissions)?t.permissions:[];if(n&&n.length>0&&!n.some(e=>a.includes(e)))return console.warn(`User lacks required roles: ${n.join(`, `)}`),{satisfied:!1,redirect:i};if(r&&r.length>0&&!r.every(e=>o.includes(e)))return console.warn(`User lacks required permissions: ${r.join(`, `)}`),{satisfied:!1,redirect:i};if(F)for(let n of F)try{let r=await n(e,t);if(r&&!r.satisfied)return{...r,redirect:r.redirect??i}}catch(e){console.error(`[Auth:Security] Requirement failed:`,e)}return{satisfied:!0}}async function K(t){let{email:r,password:i}=await e.parseAsync(t),a=await v(r);if(!a)return{status:`ERROR`,message:`Invalid email or password`};let o=await y(a.id);if(!o||!await m(o,i))return{status:`ERROR`,message:`Invalid email or password`};for(let e of P){let t=await e(a.id);if(t)return t}let s={},c=await E(),l=await w(c,a.id,s);await k(c,l.expiresAt);let u=await W(a);return await n.publish(`auth:session-created`,{session:l,user:u}),{status:`SUCCESS`,session:{...l},user:{...u}}}async function q(e){let{email:r,username:i,password:a}=t.parse(e);if(!await b(i))throw Error(`Invalid username`);if(!await h(a))throw Error(`Weak password`);let o=await g(r,i,a),s=await x(o.id,o.email);await S(s.email,s.code),await C(s);let c={},l=await E(),u=await w(l,o.id,c);await k(l,u.expiresAt);let d=await W(o);return await n.publish(`auth:session-created`,{session:u,user:d}),{session:{...u},user:{...d}}}async function J(e,t){let r=await E(),i=await w(r,e,t);await k(r,i.expiresAt);let a=await _(e);return a&&await n.publish(`auth:session-created`,{session:i,user:a}),{session:i?{...i}:null,user:a?{...a}:null}}async function Y(){let{session:e,user:t}=await D();e&&(t&&await n.publish(`auth:signed-out`,{userId:t.id}),await O(e.id),await T())}export{G as checkSecurity,J as finalizeLogin,W as performFullUserAugmentation,R as registerAuthValidator,B as registerEmailVerificationValidator,z as registerPasswordResetValidator,V as registerSecurityRequirement,U as runEmailVerificationValidators,H as runPasswordResetValidators,K as signIn,Y as signOut,q as signUp};
+//# sourceMappingURL=logic.mjs.map

package/dist/core/auth/logic.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.mjs","names":[],"sources":["../../../src/core/auth/logic.ts"],"sourcesContent":["\"use server\";\n\nimport { eq, inArray } from \"drizzle-orm\";\nimport {\n  verifyPasswordHash,\n  verifyPasswordStrength,\n} from \"../../server/auth/password\";\nimport {\n  createUser,\n  getUserById,\n  getUserFromEmail,\n  getUserPasswordHash,\n  verifyUsernameInput,\n} from \"../../server/auth/user\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { eventBus } from \"../event-bus\";\nimport {\n  augmentSession,\n  augmentUser,\n  registerIdentityAugmenter,\n  registerPasswordResetSessionAugmenter,\n  registerSessionAugmenter,\n} from \"./augment\";\nimport {\n  createEmailVerificationRequest,\n  sendVerificationEmail,\n  setEmailVerificationRequestCookie,\n} from \"./email-verification\";\nimport {\n  createSession,\n  deleteSessionTokenCookie,\n  generateSessionToken,\n  getCurrentSession,\n  invalidateSession,\n  setSessionTokenCookie,\n} from \"./session\";\nimport type {\n  AuthResponse,\n  FullUser,\n  Session,\n  SessionFlags,\n  User,\n  UserPermission,\n  UserRole,\n} from \"./types\";\nimport {\n  type LoginInput,\n  loginSchema,\n  type RegisterInput,\n  registerSchema,\n} from \"./validation\";\n\n/**\n * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień\n */\nasync function coreRbacAugmenter(user: User): Promise<Record<string, any>> {\n  try {\n    // 1. Fetch direct roles\n    const userRoles = await db\n      .select({ name: rolesTable.name })\n      .from(usersToRolesTable)\n      .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n      .where(eq(usersToRolesTable.userId, user.id));\n\n    const roles = userRoles.map((r) => r.name);\n\n    // 2. Fetch direct permissions\n    const userDirectPerms = await db\n      .select({ name: permissionsTable.name })\n      .from(usersToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(eq(usersToPermissionsTable.userId, user.id));\n\n    const directPerms = userDirectPerms.map((p) => p.name);\n\n    // 3. Fetch permissions from roles\n    let rolePerms: string[] = [];\n    if (roles.length > 0) {\n      const roleIdsResult = await db\n        .select({ id: rolesTable.id })\n        .from(rolesTable)\n        .where(inArray(rolesTable.name, roles));\n\n      const roleIds = roleIdsResult.map((r) => r.id);\n\n      if (roleIds.length > 0) {\n        const rolePermsData = await db\n          .select({ name: permissionsTable.name })\n          .from(rolesToPermissionsTable)\n          .innerJoin(\n            permissionsTable,\n            eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n          )\n          .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n        rolePerms = rolePermsData.map((p) => p.name);\n      }\n    }\n\n    return {\n      roles,\n      permissions: Array.from(new Set([...directPerms, ...rolePerms])),\n    };\n  } catch (error) {\n    console.error(\"[Auth:RBAC] Failed to augment user:\", error);\n    return { roles: [], permissions: [] };\n  }\n}\n\n/**\n * Registry for login validators (e.g. 2FA module)\n */\ntype AuthValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)\n */\ntype SecurityRequirement = (\n  session: Session,\n  user: FullUser,\n) => Promise<{ satisfied: boolean; redirect?: string } | null>;\n\n/**\n * Registry for password reset validators (e.g. 2FA module requiring check during reset)\n */\ntype PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for email verification validators\n */\ntype EmailVerificationValidator = (\n  userId: string,\n) => Promise<AuthResponse | null>;\n\nconst globalForAuth = globalThis as unknown as {\n  __KRYO_AUTH_VALIDATORS__: Set<AuthValidator> | undefined;\n  __KRYO_SECURITY_REQUIREMENTS__: Set<SecurityRequirement> | undefined;\n  __KRYO_PASSWORD_RESET_VALIDATORS__: Set<PasswordResetValidator> | undefined;\n  __KRYO_EMAIL_VERIFICATION_VALIDATORS__:\n  | Set<EmailVerificationValidator>\n  | undefined;\n};\n\nconst authValidators =\n  globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? new Set<AuthValidator>();\nconst securityRequirements =\n  globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ??\n  new Set<SecurityRequirement>();\nconst passwordResetValidators =\n  globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ??\n  new Set<PasswordResetValidator>();\nconst emailVerificationValidators =\n  globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ??\n  new Set<EmailVerificationValidator>();\n\nglobalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;\nglobalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;\nglobalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;\nglobalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =\n  emailVerificationValidators;\n\nexport async function registerAuthValidator(validator: AuthValidator) {\n  authValidators.add(validator);\n}\n\nexport async function registerPasswordResetValidator(\n  validator: PasswordResetValidator,\n) {\n  passwordResetValidators.add(validator);\n}\n\nexport async function registerEmailVerificationValidator(\n  validator: EmailVerificationValidator,\n) {\n  emailVerificationValidators.add(validator);\n}\n\nexport {\n  registerIdentityAugmenter,\n  registerSessionAugmenter,\n  registerPasswordResetSessionAugmenter,\n  augmentUser,\n  augmentSession,\n};\n\nexport async function registerSecurityRequirement(\n  requirement: SecurityRequirement,\n) {\n  securityRequirements.add(requirement);\n}\n\nexport async function runPasswordResetValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of passwordResetValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\nexport async function runEmailVerificationValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of emailVerificationValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\n/**\n * Augments a base user with data from all registered modules.\n * This is now just a wrapper that includes core RBAC data.\n */\nexport async function performFullUserAugmentation(\n  user: User,\n): Promise<FullUser> {\n  const coreRbacData = await coreRbacAugmenter(user);\n  return await augmentUser(user, coreRbacData);\n}\n\n/**\n * Checks if the current session satisfies all registered security requirements.\n */\nexport async function checkSecurity(\n  session: Session,\n  user: FullUser,\n  requiredRoles?: UserRole[],\n  requiredPermissions?: UserPermission[],\n  fallbackRedirect?: string,\n) {\n  if (!user) {\n    console.warn(\"User is required for security check\");\n    return { satisfied: false, redirect: fallbackRedirect ?? \"/signin\" };\n  }\n\n  const userRoles = Array.isArray(user.roles) ? user.roles : [];\n  const userPermissions = Array.isArray(user.permissions)\n    ? user.permissions\n    : [];\n\n  // 1. Core Role Check (At least one role must match)\n  if (requiredRoles && requiredRoles.length > 0) {\n    const hasRole = requiredRoles.some((role) => userRoles.includes(role));\n    if (!hasRole) {\n      console.warn(`User lacks required roles: ${requiredRoles.join(\", \")}`);\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 2. Core Permission Check (ALL permissions must match)\n  if (requiredPermissions && requiredPermissions.length > 0) {\n    const hasAllPermissions = requiredPermissions.every((perm) =>\n      userPermissions.includes(perm),\n    );\n    if (!hasAllPermissions) {\n      console.warn(\n        `User lacks required permissions: ${requiredPermissions.join(\", \")}`,\n      );\n\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 3. Modular Requirements Check\n  if (securityRequirements) {\n    for (const requirement of securityRequirements) {\n      try {\n        const result = await requirement(session, user);\n        if (result && !result.satisfied) {\n          return {\n            ...result,\n            redirect: result.redirect ?? fallbackRedirect,\n          };\n        }\n      } catch (error) {\n        console.error(\"[Auth:Security] Requirement failed:\", error);\n      }\n    }\n  }\n  return { satisfied: true };\n}\n\n/**\n * Sign In Logic\n */\nexport async function signIn(data: LoginInput): Promise<AuthResponse> {\n  const { email, password } = await loginSchema.parseAsync(data);\n\n  const user = await getUserFromEmail(email);\n  if (!user) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  const passwordHash = await getUserPasswordHash(user.id);\n  if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  // Interception Layer\n  for (const validator of authValidators) {\n    const interception = await validator(user.id);\n    if (interception) return interception;\n  }\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    status: \"SUCCESS\",\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Sign Up Logic\n */\nexport async function signUp(data: RegisterInput) {\n  const { email, username, password } = registerSchema.parse(data);\n\n  if (!(await verifyUsernameInput(username))) {\n    throw new Error(\"Invalid username\");\n  }\n\n  if (!(await verifyPasswordStrength(password))) {\n    throw new Error(\"Weak password\");\n  }\n\n  const user = await createUser(email, username, password);\n  const verificationRequest = await createEmailVerificationRequest(\n    user.id,\n    user.email,\n  );\n\n  await sendVerificationEmail(\n    verificationRequest.email,\n    verificationRequest.code,\n  );\n  await setEmailVerificationRequestCookie(verificationRequest);\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Finalizes login after a challenge\n */\nexport async function finalizeLogin(userId: string, flags: SessionFlags) {\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, userId, flags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const user = await getUserById(userId);\n\n  if (user) {\n    await eventBus.publish(\"auth:session-created\", { session, user });\n  }\n\n  return {\n    session: session ? { ...session } : null,\n    user: user ? { ...user } : null,\n  };\n}\n\n/**\n * Sign Out\n */\nexport async function signOut() {\n  const { session, user } = await getCurrentSession();\n  if (session) {\n    if (user) {\n      await eventBus.publish(\"auth:signed-out\", { userId: user.id });\n    }\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n}\n"],"mappings":"ylCA8DA,eAAe,EAAkB,EAA0C,CACzE,GAAI,CAQF,IAAM,GANY,MAAM,EACrB,OAAO,CAAE,KAAM,EAAW,KAAM,CAAC,CACjC,KAAK,EAAkB,CACvB,UAAU,EAAY,EAAG,EAAkB,OAAQ,EAAW,GAAG,CAAC,CAClE,MAAM,EAAG,EAAkB,OAAQ,EAAK,GAAG,CAAC,EAEvB,IAAK,GAAM,EAAE,KAAK,CAYpC,GATkB,MAAM,EAC3B,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAG,EAAwB,OAAQ,EAAK,GAAG,CAAC,EAEjB,IAAK,GAAM,EAAE,KAAK,CAGlD,EAAsB,EAAE,CAC5B,GAAI,EAAM,OAAS,EAAG,CAMpB,IAAM,GALgB,MAAM,EACzB,OAAO,CAAE,GAAI,EAAW,GAAI,CAAC,CAC7B,KAAK,EAAW,CAChB,MAAM,EAAQ,EAAW,KAAM,EAAM,CAAC,EAEX,IAAK,GAAM,EAAE,GAAG,CAE1C,EAAQ,OAAS,IASnB,GARsB,MAAM,EACzB,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAQ,EAAwB,OAAQ,EAAQ,CAAC,EAChC,IAAK,GAAM,EAAE,KAAK,EAIhD,MAAO,CACL,QACA,YAAa,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,EAAa,GAAG,EAAU,CAAC,CAAC,CACjE,OACM,EAAO,CAEd,OADA,QAAQ,MAAM,sCAAuC,EAAM,CACpD,CAAE,MAAO,EAAE,CAAE,YAAa,EAAE,CAAE,EA6BzC,MAAM,EAAgB,WAShB,EACJ,EAAc,0BAA4B,IAAI,IAC1C,EACJ,EAAc,gCACd,IAAI,IACA,EACJ,EAAc,oCACd,IAAI,IACA,EACJ,EAAc,wCACd,IAAI,IAEN,EAAc,yBAA2B,EACzC,EAAc,+BAAiC,EAC/C,EAAc,mCAAqC,EACnD,EAAc,uCACZ,EAEF,eAAsB,EAAsB,EAA0B,CACpE,EAAe,IAAI,EAAU,CAG/B,eAAsB,EACpB,EACA,CACA,EAAwB,IAAI,EAAU,CAGxC,eAAsB,EACpB,EACA,CACA,EAA4B,IAAI,EAAU,CAW5C,eAAsB,EACpB,EACA,CACA,EAAqB,IAAI,EAAY,CAGvC,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAAyB,CAC/C,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAGT,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAA6B,CACnD,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAOT,eAAsB,EACpB,EACmB,CAEnB,OAAO,MAAM,EAAY,EADJ,MAAM,EAAkB,EAAK,CACN,CAM9C,eAAsB,EACpB,EACA,EACA,EACA,EACA,EACA,CACA,GAAI,CAAC,EAEH,OADA,QAAQ,KAAK,sCAAsC,CAC5C,CAAE,UAAW,GAAO,SAAU,GAAoB,UAAW,CAGtE,IAAM,EAAY,MAAM,QAAQ,EAAK,MAAM,CAAG,EAAK,MAAQ,EAAE,CACvD,EAAkB,MAAM,QAAQ,EAAK,YAAY,CACnD,EAAK,YACL,EAAE,CAGN,GAAI,GAAiB,EAAc,OAAS,GAEtC,CADY,EAAc,KAAM,GAAS,EAAU,SAAS,EAAK,CAAC,CAGpE,OADA,QAAQ,KAAK,8BAA8B,EAAc,KAAK,KAAK,GAAG,CAC/D,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,GAAuB,EAAoB,OAAS,GAIlD,CAHsB,EAAoB,MAAO,GACnD,EAAgB,SAAS,EAAK,CAC/B,CAMC,OAJA,QAAQ,KACN,oCAAoC,EAAoB,KAAK,KAAK,GACnE,CAEM,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,EACF,IAAK,IAAM,KAAe,EACxB,GAAI,CACF,IAAM,EAAS,MAAM,EAAY,EAAS,EAAK,CAC/C,GAAI,GAAU,CAAC,EAAO,UACpB,MAAO,CACL,GAAG,EACH,SAAU,EAAO,UAAY,EAC9B,OAEI,EAAO,CACd,QAAQ,MAAM,sCAAuC,EAAM,CAIjE,MAAO,CAAE,UAAW,GAAM,CAM5B,eAAsB,EAAO,EAAyC,CACpE,GAAM,CAAE,QAAO,YAAa,MAAM,EAAY,WAAW,EAAK,CAExD,EAAO,MAAM,EAAiB,EAAM,CAC1C,GAAI,CAAC,EACH,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAGlE,IAAM,EAAe,MAAM,EAAoB,EAAK,GAAG,CACvD,GAAI,CAAC,GAAgB,CAAE,MAAM,EAAmB,EAAc,EAAS,CACrE,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAIlE,IAAK,IAAM,KAAa,EAAgB,CACtC,IAAM,EAAe,MAAM,EAAU,EAAK,GAAG,CAC7C,GAAI,EAAc,OAAO,EAG3B,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,OAAQ,UACR,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAO,EAAqB,CAChD,GAAM,CAAE,QAAO,WAAU,YAAa,EAAe,MAAM,EAAK,CAEhE,GAAI,CAAE,MAAM,EAAoB,EAAS,CACvC,MAAU,MAAM,mBAAmB,CAGrC,GAAI,CAAE,MAAM,EAAuB,EAAS,CAC1C,MAAU,MAAM,gBAAgB,CAGlC,IAAM,EAAO,MAAM,EAAW,EAAO,EAAU,EAAS,CAClD,EAAsB,MAAM,EAChC,EAAK,GACL,EAAK,MACN,CAED,MAAM,EACJ,EAAoB,MACpB,EAAoB,KACrB,CACD,MAAM,EAAkC,EAAoB,CAE5D,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAc,EAAgB,EAAqB,CACvE,IAAM,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAQ,EAAM,CAChE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAO,MAAM,EAAY,EAAO,CAMtC,OAJI,GACF,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,OAAM,CAAC,CAG5D,CACL,QAAS,EAAU,CAAE,GAAG,EAAS,CAAG,KACpC,KAAM,EAAO,CAAE,GAAG,EAAM,CAAG,KAC5B,CAMH,eAAsB,GAAU,CAC9B,GAAM,CAAE,UAAS,QAAS,MAAM,GAAmB,CAC/C,IACE,GACF,MAAM,EAAS,QAAQ,kBAAmB,CAAE,OAAQ,EAAK,GAAI,CAAC,CAEhE,MAAM,EAAkB,EAAQ,GAAG,CACnC,MAAM,GAA0B"}

package/dist/core/auth/password-reset.cjs

@@ -0,0 +1 @@
+"use server";require(`../../_virtual/_rolldown/runtime.cjs`);const e=require(`../../server/database/inject.cjs`),t=require(`../../server/database/schema.cjs`),n=require(`./augment.cjs`),r=require(`./utils/encode.cjs`),i=require(`../../server/emails/index.cjs`),a=require(`./logic.cjs`);let o=require(`drizzle-orm`),s=require(`@oslojs/crypto/sha2`),c=require(`@oslojs/encoding`),l=require(`date-fns`),u=require(`next/headers`);async function d(n,i,a){let o=(0,c.encodeHexLowerCase)((0,s.sha256)(new TextEncoder().encode(n))),[u]=await e.db.insert(t.passwordResetSessionTable).values({id:o,email:a,code:r.generateRandomOTP(),expiresAt:new Date((0,l.addHours)(new Date,1)),userId:i}).returning();return u}async function f(r){let i=(0,c.encodeHexLowerCase)((0,s.sha256)(new TextEncoder().encode(r))),[l]=await e.db.select({session:t.passwordResetSessionTable,user:t.userTable}).from(t.passwordResetSessionTable).innerJoin(t.userTable,(0,o.eq)(t.passwordResetSessionTable.userId,t.userTable.id)).where((0,o.eq)(t.passwordResetSessionTable.id,i));if(!l||!l.user)return{session:null,user:null};let{session:u,user:d}=l;if(new Date>u.expiresAt)return await e.db.delete(t.passwordResetSessionTable).where((0,o.eq)(t.passwordResetSessionTable.id,u.id)),{session:null,user:null};let{password:f,recovery_code:p,...m}=d,h=await a.performFullUserAugmentation(m);return{session:await n.augmentPasswordResetSession(u),user:h}}async function p(n){await e.db.update(t.passwordResetSessionTable).set({emailVerified:!0}).where((0,o.eq)(t.passwordResetSessionTable.id,n))}async function m(n){await e.db.delete(t.passwordResetSessionTable).where((0,o.eq)(t.passwordResetSessionTable.userId,n))}async function h(){let e=(await(0,u.cookies)()).get(`password_reset_session`)?.value??null;if(e===null)return{session:null,user:null};let t=await f(e);return t.session===null&&await _(),t}async function g(e,t){(await(0,u.cookies)()).set(`password_reset_session`,e,{expires:t,sameSite:`lax`,httpOnly:!0,path:`/`,secure:process.env.NODE_ENV===`production`})}async function _(){(await(0,u.cookies)()).delete(`password_reset_session`)}async function v(e,t){await i.sendResetPassword(e,t)}exports.createPasswordResetSession=d,exports.deletePasswordResetSessionTokenCookie=_,exports.getCurrentPasswordResetSession=h,exports.invalidateUserPasswordResetSessions=m,exports.sendPasswordResetEmail=v,exports.setPasswordResetSessionAsEmailVerified=p,exports.setPasswordResetSessionTokenCookie=g,exports.validatePasswordResetSessionToken=f;

package/dist/core/auth/password-reset.d.cts

@@ -0,0 +1,39 @@
+import { PasswordResetAuthSession, PasswordResetSession } from "./types.cjs";
+
+//#region src/core/auth/password-reset.d.ts
+/**
+ * Creates a new password reset session.
+ */
+declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
+/**
+ * Marks the password reset session as email verified.
+ */
+declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
+/**
+ * Validates the current password reset session from cookies.
+ */
+declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
+/**
+ * Sets the password reset session token cookie.
+ */
+declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Deletes the password reset session token cookie.
+ */
+declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
+/**
+ * Sends a password reset email with the OTP code.
+ */
+declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
+//#endregion
+export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
+//# sourceMappingURL=password-reset.d.cts.map

package/dist/core/auth/password-reset.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.d.cts","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"mappings":";;;;;AAqBA;iBAAsB,0BAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,WACC,OAAA,CAAQ,oBAAA;;;;;iBAqBW,iCAAA,CACpB,KAAA,WACC,OAAA,CAAQ,wBAAA;;;;iBAyCW,sCAAA,CACpB,SAAA,WACC,OAAA;AA7CH;;;AAAA,iBAyDsB,mCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,8BAAA,CAAA,GAAkC,OAAA,CAAQ,wBAAA;;AAzBhE;;iBA6CsB,kCAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAlCH;iBAiDsB,qCAAA,CAAA,GAAyC,OAAA;;;;iBAQzC,sBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA"}

package/dist/core/auth/password-reset.d.mts

@@ -0,0 +1,39 @@
+import { PasswordResetAuthSession, PasswordResetSession } from "./types.mjs";
+
+//#region src/core/auth/password-reset.d.ts
+/**
+ * Creates a new password reset session.
+ */
+declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
+/**
+ * Marks the password reset session as email verified.
+ */
+declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
+/**
+ * Validates the current password reset session from cookies.
+ */
+declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
+/**
+ * Sets the password reset session token cookie.
+ */
+declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Deletes the password reset session token cookie.
+ */
+declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
+/**
+ * Sends a password reset email with the OTP code.
+ */
+declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
+//#endregion
+export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
+//# sourceMappingURL=password-reset.d.mts.map

package/dist/core/auth/password-reset.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.d.mts","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"mappings":";;;;;AAqBA;iBAAsB,0BAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,WACC,OAAA,CAAQ,oBAAA;;;;;iBAqBW,iCAAA,CACpB,KAAA,WACC,OAAA,CAAQ,wBAAA;;;;iBAyCW,sCAAA,CACpB,SAAA,WACC,OAAA;AA7CH;;;AAAA,iBAyDsB,mCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,8BAAA,CAAA,GAAkC,OAAA,CAAQ,wBAAA;;AAzBhE;;iBA6CsB,kCAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAlCH;iBAiDsB,qCAAA,CAAA,GAAyC,OAAA;;;;iBAQzC,sBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA"}