@arch-cadre/core 0.0.6

package/dist/core/auth/logic.cjs

@@ -0,0 +1,224 @@
+"use server";
+
+const require_runtime = require('../../_virtual/_rolldown/runtime.cjs');
+const require_validation = require('./validation.cjs');
+const require_event_bus = require('../event-bus.cjs');
+const require_inject = require('../../server/database/inject.cjs');
+const require_schema = require('../../server/database/schema.cjs');
+const require_password = require('../../server/auth/password.cjs');
+const require_user = require('../../server/auth/user.cjs');
+const require_augment = require('./augment.cjs');
+const require_email_verification = require('./email-verification.cjs');
+const require_session = require('./session.cjs');
+let drizzle_orm = require("drizzle-orm");
+
+//#region src/core/auth/logic.ts
+/**
+* Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
+*/
+async function coreRbacAugmenter(user) {
+	try {
+		const roles = (await require_inject.db.select({ name: require_schema.rolesTable.name }).from(require_schema.usersToRolesTable).innerJoin(require_schema.rolesTable, (0, drizzle_orm.eq)(require_schema.usersToRolesTable.roleId, require_schema.rolesTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToRolesTable.userId, user.id))).map((r) => r.name);
+		const directPerms = (await require_inject.db.select({ name: require_schema.permissionsTable.name }).from(require_schema.usersToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.userId, user.id))).map((p) => p.name);
+		let rolePerms = [];
+		if (roles.length > 0) {
+			const roleIds = (await require_inject.db.select({ id: require_schema.rolesTable.id }).from(require_schema.rolesTable).where((0, drizzle_orm.inArray)(require_schema.rolesTable.name, roles))).map((r) => r.id);
+			if (roleIds.length > 0) rolePerms = (await require_inject.db.select({ name: require_schema.permissionsTable.name }).from(require_schema.rolesToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.inArray)(require_schema.rolesToPermissionsTable.roleId, roleIds))).map((p) => p.name);
+		}
+		return {
+			roles,
+			permissions: Array.from(new Set([...directPerms, ...rolePerms]))
+		};
+	} catch (error) {
+		console.error("[Auth:RBAC] Failed to augment user:", error);
+		return {
+			roles: [],
+			permissions: []
+		};
+	}
+}
+const globalForAuth = globalThis;
+const authValidators = globalForAuth.__WINKLY_AUTH_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+const securityRequirements = globalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ ?? /* @__PURE__ */ new Set();
+const passwordResetValidators = globalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+const emailVerificationValidators = globalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+globalForAuth.__WINKLY_AUTH_VALIDATORS__ = authValidators;
+globalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ = securityRequirements;
+globalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
+globalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ = emailVerificationValidators;
+async function registerAuthValidator(validator) {
+	authValidators.add(validator);
+}
+async function registerPasswordResetValidator(validator) {
+	passwordResetValidators.add(validator);
+}
+async function registerEmailVerificationValidator(validator) {
+	emailVerificationValidators.add(validator);
+}
+async function registerSecurityRequirement(requirement) {
+	securityRequirements.add(requirement);
+}
+async function runPasswordResetValidators(userId) {
+	for (const validator of passwordResetValidators) {
+		const interception = await validator(userId);
+		if (interception) return interception;
+	}
+	return null;
+}
+async function runEmailVerificationValidators(userId) {
+	for (const validator of emailVerificationValidators) {
+		const interception = await validator(userId);
+		if (interception) return interception;
+	}
+	return null;
+}
+/**
+* Augments a base user with data from all registered modules.
+* This is now just a wrapper that includes core RBAC data.
+*/
+async function performFullUserAugmentation(user) {
+	return await require_augment.augmentUser(user, await coreRbacAugmenter(user));
+}
+/**
+* Checks if the current session satisfies all registered security requirements.
+*/
+async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
+	if (!user) {
+		console.warn("User is required for security check");
+		return {
+			satisfied: false,
+			redirect: fallbackRedirect ?? "/signin"
+		};
+	}
+	const userRoles = Array.isArray(user.roles) ? user.roles : [];
+	const userPermissions = Array.isArray(user.permissions) ? user.permissions : [];
+	if (requiredRoles && requiredRoles.length > 0) {
+		if (!requiredRoles.some((role) => userRoles.includes(role))) {
+			console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
+			return {
+				satisfied: false,
+				redirect: fallbackRedirect
+			};
+		}
+	}
+	if (requiredPermissions && requiredPermissions.length > 0) {
+		if (!requiredPermissions.every((perm) => userPermissions.includes(perm))) {
+			console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
+			return {
+				satisfied: false,
+				redirect: fallbackRedirect
+			};
+		}
+	}
+	if (securityRequirements) for (const requirement of securityRequirements) try {
+		const result = await requirement(session, user);
+		if (result && !result.satisfied) return {
+			...result,
+			redirect: result.redirect ?? fallbackRedirect
+		};
+	} catch (error) {
+		console.error("[Auth:Security] Requirement failed:", error);
+	}
+	return { satisfied: true };
+}
+/**
+* Sign In Logic
+*/
+async function signIn(data) {
+	const { email, password } = await require_validation.loginSchema.parseAsync(data);
+	const user = await require_user.getUserFromEmail(email);
+	if (!user) return {
+		status: "ERROR",
+		message: "Invalid email or password"
+	};
+	const passwordHash = await require_user.getUserPasswordHash(user.id);
+	if (!passwordHash || !await require_password.verifyPasswordHash(passwordHash, password)) return {
+		status: "ERROR",
+		message: "Invalid email or password"
+	};
+	for (const validator of authValidators) {
+		const interception = await validator(user.id);
+		if (interception) return interception;
+	}
+	const sessionFlags = {};
+	const sessionToken = await require_session.generateSessionToken();
+	const session = await require_session.createSession(sessionToken, user.id, sessionFlags);
+	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
+	const fullUser = await performFullUserAugmentation(user);
+	await require_event_bus.eventBus.publish("auth:session-created", {
+		session,
+		user: fullUser
+	});
+	return {
+		status: "SUCCESS",
+		session: { ...session },
+		user: { ...fullUser }
+	};
+}
+/**
+* Sign Up Logic
+*/
+async function signUp(data) {
+	const { email, username, password } = require_validation.registerSchema.parse(data);
+	if (!await require_user.verifyUsernameInput(username)) throw new Error("Invalid username");
+	if (!await require_password.verifyPasswordStrength(password)) throw new Error("Weak password");
+	const user = await require_user.createUser(email, username, password);
+	const verificationRequest = await require_email_verification.createEmailVerificationRequest(user.id, user.email);
+	await require_email_verification.sendVerificationEmail(verificationRequest.email, verificationRequest.code);
+	await require_email_verification.setEmailVerificationRequestCookie(verificationRequest);
+	const sessionFlags = {};
+	const sessionToken = await require_session.generateSessionToken();
+	const session = await require_session.createSession(sessionToken, user.id, sessionFlags);
+	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
+	const fullUser = await performFullUserAugmentation(user);
+	await require_event_bus.eventBus.publish("auth:session-created", {
+		session,
+		user: fullUser
+	});
+	return {
+		session: { ...session },
+		user: { ...fullUser }
+	};
+}
+/**
+* Finalizes login after a challenge
+*/
+async function finalizeLogin(userId, flags) {
+	const sessionToken = await require_session.generateSessionToken();
+	const session = await require_session.createSession(sessionToken, userId, flags);
+	await require_session.setSessionTokenCookie(sessionToken, session.expiresAt);
+	const user = await require_user.getUserById(userId);
+	if (user) await require_event_bus.eventBus.publish("auth:session-created", {
+		session,
+		user
+	});
+	return {
+		session: session ? { ...session } : null,
+		user: user ? { ...user } : null
+	};
+}
+/**
+* Sign Out
+*/
+async function signOut() {
+	const { session, user } = await require_session.getCurrentSession();
+	if (session) {
+		if (user) await require_event_bus.eventBus.publish("auth:signed-out", { userId: user.id });
+		await require_session.invalidateSession(session.id);
+		await require_session.deleteSessionTokenCookie();
+	}
+}
+
+//#endregion
+exports.checkSecurity = checkSecurity;
+exports.finalizeLogin = finalizeLogin;
+exports.performFullUserAugmentation = performFullUserAugmentation;
+exports.registerAuthValidator = registerAuthValidator;
+exports.registerEmailVerificationValidator = registerEmailVerificationValidator;
+exports.registerPasswordResetValidator = registerPasswordResetValidator;
+exports.registerSecurityRequirement = registerSecurityRequirement;
+exports.runEmailVerificationValidators = runEmailVerificationValidators;
+exports.runPasswordResetValidators = runPasswordResetValidators;
+exports.signIn = signIn;
+exports.signOut = signOut;
+exports.signUp = signUp;

package/dist/core/auth/logic.d.cts

@@ -0,0 +1,110 @@
+import { UserPermission, UserRole } from "../types.cjs";
+import { AuthResponse, FullUser, Session, SessionFlags, User } from "./types.cjs";
+import { LoginInput, RegisterInput } from "./validation.cjs";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.cjs";
+
+//#region src/core/auth/logic.d.ts
+/**
+ * Registry for login validators (e.g. 2FA module)
+ */
+type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
+ */
+type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
+  satisfied: boolean;
+  redirect?: string;
+} | null>;
+/**
+ * Registry for password reset validators (e.g. 2FA module requiring check during reset)
+ */
+type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for email verification validators
+ */
+type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
+declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
+declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
+declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
+declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
+declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
+declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+declare function performFullUserAugmentation(user: User): Promise<FullUser>;
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
+  satisfied: boolean;
+  redirect: string | undefined;
+} | {
+  satisfied: boolean;
+  redirect?: undefined;
+}>;
+/**
+ * Sign In Logic
+ */
+declare function signIn(data: LoginInput): Promise<AuthResponse>;
+/**
+ * Sign Up Logic
+ */
+declare function signUp(data: RegisterInput): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    active_organization_id: string | null;
+    expiresAt: Date;
+  };
+  user: {
+    [x: string]: any;
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    roles: UserRole[];
+    permissions: UserPermission[];
+  };
+}>;
+/**
+ * Finalizes login after a challenge
+ */
+declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    active_organization_id: string | null;
+    expiresAt: Date;
+  } | null;
+  user: {
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+  } | null;
+}>;
+/**
+ * Sign Out
+ */
+declare function signOut(): Promise<void>;
+//#endregion
+export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+//# sourceMappingURL=logic.d.cts.map

package/dist/core/auth/logic.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.cts","names":[],"sources":["../../../src/core/auth/logic.ts"],"mappings":";;;;;;;;;KAyHK,aAAA,IAAiB,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAK5C,mBAAA,IACH,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,KACH,OAAA;EAAU,SAAA;EAAoB,QAAA;AAAA;;AAR0B;;KAaxD,sBAAA,IAA0B,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAKrD,0BAAA,IACH,MAAA,aACG,OAAA,CAAQ,YAAA;AAAA,iBA6BS,qBAAA,CAAsB,SAAA,EAAW,aAAA,GAAa,OAAA;AAAA,iBAI9C,8BAAA,CACpB,SAAA,EAAW,sBAAA,GAAsB,OAAA;AAAA,iBAKb,kCAAA,CACpB,SAAA,EAAW,0BAAA,GAA0B,OAAA;AAAA,iBAajB,2BAAA,CACpB,WAAA,EAAa,mBAAA,GAAmB,OAAA;AAAA,iBAKZ,0BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;AAAA,iBAQW,8BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;;;;AAnFgC;iBA+FrB,2BAAA,CACpB,IAAA,EAAM,IAAA,GACL,OAAA,CAAQ,QAAA;;;;iBAQW,aAAA,CACpB,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,EACN,aAAA,GAAgB,QAAA,IAChB,mBAAA,GAAsB,cAAA,IACtB,gBAAA,YAAyB,OAAA;;;;;;;;;;iBA+DL,MAAA,CAAO,IAAA,EAAM,UAAA,GAAa,OAAA,CAAQ,YAAA;;;AApIxD;iBAyKsB,MAAA,CAAO,IAAA,EAAM,aAAA,GAAa,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AAjJhD;;iBAyLsB,aAAA,CAAc,MAAA,UAAgB,KAAA,EAAO,YAAA,GAAY,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBjD,OAAA,CAAA,GAAO,OAAA"}

package/dist/core/auth/logic.d.mts

@@ -0,0 +1,110 @@
+import { UserPermission, UserRole } from "../types.mjs";
+import { AuthResponse, FullUser, Session, SessionFlags, User } from "./types.mjs";
+import { LoginInput, RegisterInput } from "./validation.mjs";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.mjs";
+
+//#region src/core/auth/logic.d.ts
+/**
+ * Registry for login validators (e.g. 2FA module)
+ */
+type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
+ */
+type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
+  satisfied: boolean;
+  redirect?: string;
+} | null>;
+/**
+ * Registry for password reset validators (e.g. 2FA module requiring check during reset)
+ */
+type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
+/**
+ * Registry for email verification validators
+ */
+type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
+declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
+declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
+declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
+declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
+declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
+declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
+/**
+ * Augments a base user with data from all registered modules.
+ * This is now just a wrapper that includes core RBAC data.
+ */
+declare function performFullUserAugmentation(user: User): Promise<FullUser>;
+/**
+ * Checks if the current session satisfies all registered security requirements.
+ */
+declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
+  satisfied: boolean;
+  redirect: string | undefined;
+} | {
+  satisfied: boolean;
+  redirect?: undefined;
+}>;
+/**
+ * Sign In Logic
+ */
+declare function signIn(data: LoginInput): Promise<AuthResponse>;
+/**
+ * Sign Up Logic
+ */
+declare function signUp(data: RegisterInput): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    active_organization_id: string | null;
+    expiresAt: Date;
+  };
+  user: {
+    [x: string]: any;
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+    roles: UserRole[];
+    permissions: UserPermission[];
+  };
+}>;
+/**
+ * Finalizes login after a challenge
+ */
+declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
+  session: {
+    [x: string]: any;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date | null;
+    userId: string;
+    active_organization_id: string | null;
+    expiresAt: Date;
+  } | null;
+  user: {
+    id: string;
+    email: string;
+    name: string;
+    password: string | null;
+    image: string | null;
+    recovery_code: Buffer<ArrayBufferLike>;
+    emailVerifiedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date | null;
+  } | null;
+}>;
+/**
+ * Sign Out
+ */
+declare function signOut(): Promise<void>;
+//#endregion
+export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+//# sourceMappingURL=logic.d.mts.map

package/dist/core/auth/logic.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.mts","names":[],"sources":["../../../src/core/auth/logic.ts"],"mappings":";;;;;;;;;KAyHK,aAAA,IAAiB,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAK5C,mBAAA,IACH,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,KACH,OAAA;EAAU,SAAA;EAAoB,QAAA;AAAA;;AAR0B;;KAaxD,sBAAA,IAA0B,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAKrD,0BAAA,IACH,MAAA,aACG,OAAA,CAAQ,YAAA;AAAA,iBA6BS,qBAAA,CAAsB,SAAA,EAAW,aAAA,GAAa,OAAA;AAAA,iBAI9C,8BAAA,CACpB,SAAA,EAAW,sBAAA,GAAsB,OAAA;AAAA,iBAKb,kCAAA,CACpB,SAAA,EAAW,0BAAA,GAA0B,OAAA;AAAA,iBAajB,2BAAA,CACpB,WAAA,EAAa,mBAAA,GAAmB,OAAA;AAAA,iBAKZ,0BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;AAAA,iBAQW,8BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;;;;AAnFgC;iBA+FrB,2BAAA,CACpB,IAAA,EAAM,IAAA,GACL,OAAA,CAAQ,QAAA;;;;iBAQW,aAAA,CACpB,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,EACN,aAAA,GAAgB,QAAA,IAChB,mBAAA,GAAsB,cAAA,IACtB,gBAAA,YAAyB,OAAA;;;;;;;;;;iBA+DL,MAAA,CAAO,IAAA,EAAM,UAAA,GAAa,OAAA,CAAQ,YAAA;;;AApIxD;iBAyKsB,MAAA,CAAO,IAAA,EAAM,aAAA,GAAa,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AAjJhD;;iBAyLsB,aAAA,CAAc,MAAA,UAAgB,KAAA,EAAO,YAAA,GAAY,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBjD,OAAA,CAAA,GAAO,OAAA"}

package/dist/core/auth/logic.mjs

@@ -0,0 +1,213 @@
+"use server";
+
+import { loginSchema, registerSchema } from "./validation.mjs";
+import { eventBus } from "../event-bus.mjs";
+import { db } from "../../server/database/inject.mjs";
+import { permissionsTable, rolesTable, rolesToPermissionsTable, usersToPermissionsTable, usersToRolesTable } from "../../server/database/schema.mjs";
+import { verifyPasswordHash, verifyPasswordStrength } from "../../server/auth/password.mjs";
+import { createUser, getUserById, getUserFromEmail, getUserPasswordHash, verifyUsernameInput } from "../../server/auth/user.mjs";
+import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.mjs";
+import { createEmailVerificationRequest, sendVerificationEmail, setEmailVerificationRequestCookie } from "./email-verification.mjs";
+import { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, invalidateSession, setSessionTokenCookie } from "./session.mjs";
+import { eq, inArray } from "drizzle-orm";
+
+//#region src/core/auth/logic.ts
+/**
+* Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
+*/
+async function coreRbacAugmenter(user) {
+	try {
+		const roles = (await db.select({ name: rolesTable.name }).from(usersToRolesTable).innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id)).where(eq(usersToRolesTable.userId, user.id))).map((r) => r.name);
+		const directPerms = (await db.select({ name: permissionsTable.name }).from(usersToPermissionsTable).innerJoin(permissionsTable, eq(usersToPermissionsTable.permissionId, permissionsTable.id)).where(eq(usersToPermissionsTable.userId, user.id))).map((p) => p.name);
+		let rolePerms = [];
+		if (roles.length > 0) {
+			const roleIds = (await db.select({ id: rolesTable.id }).from(rolesTable).where(inArray(rolesTable.name, roles))).map((r) => r.id);
+			if (roleIds.length > 0) rolePerms = (await db.select({ name: permissionsTable.name }).from(rolesToPermissionsTable).innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id)).where(inArray(rolesToPermissionsTable.roleId, roleIds))).map((p) => p.name);
+		}
+		return {
+			roles,
+			permissions: Array.from(new Set([...directPerms, ...rolePerms]))
+		};
+	} catch (error) {
+		console.error("[Auth:RBAC] Failed to augment user:", error);
+		return {
+			roles: [],
+			permissions: []
+		};
+	}
+}
+const globalForAuth = globalThis;
+const authValidators = globalForAuth.__WINKLY_AUTH_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+const securityRequirements = globalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ ?? /* @__PURE__ */ new Set();
+const passwordResetValidators = globalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+const emailVerificationValidators = globalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ ?? /* @__PURE__ */ new Set();
+globalForAuth.__WINKLY_AUTH_VALIDATORS__ = authValidators;
+globalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ = securityRequirements;
+globalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
+globalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ = emailVerificationValidators;
+async function registerAuthValidator(validator) {
+	authValidators.add(validator);
+}
+async function registerPasswordResetValidator(validator) {
+	passwordResetValidators.add(validator);
+}
+async function registerEmailVerificationValidator(validator) {
+	emailVerificationValidators.add(validator);
+}
+async function registerSecurityRequirement(requirement) {
+	securityRequirements.add(requirement);
+}
+async function runPasswordResetValidators(userId) {
+	for (const validator of passwordResetValidators) {
+		const interception = await validator(userId);
+		if (interception) return interception;
+	}
+	return null;
+}
+async function runEmailVerificationValidators(userId) {
+	for (const validator of emailVerificationValidators) {
+		const interception = await validator(userId);
+		if (interception) return interception;
+	}
+	return null;
+}
+/**
+* Augments a base user with data from all registered modules.
+* This is now just a wrapper that includes core RBAC data.
+*/
+async function performFullUserAugmentation(user) {
+	return await augmentUser(user, await coreRbacAugmenter(user));
+}
+/**
+* Checks if the current session satisfies all registered security requirements.
+*/
+async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
+	if (!user) {
+		console.warn("User is required for security check");
+		return {
+			satisfied: false,
+			redirect: fallbackRedirect ?? "/signin"
+		};
+	}
+	const userRoles = Array.isArray(user.roles) ? user.roles : [];
+	const userPermissions = Array.isArray(user.permissions) ? user.permissions : [];
+	if (requiredRoles && requiredRoles.length > 0) {
+		if (!requiredRoles.some((role) => userRoles.includes(role))) {
+			console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
+			return {
+				satisfied: false,
+				redirect: fallbackRedirect
+			};
+		}
+	}
+	if (requiredPermissions && requiredPermissions.length > 0) {
+		if (!requiredPermissions.every((perm) => userPermissions.includes(perm))) {
+			console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
+			return {
+				satisfied: false,
+				redirect: fallbackRedirect
+			};
+		}
+	}
+	if (securityRequirements) for (const requirement of securityRequirements) try {
+		const result = await requirement(session, user);
+		if (result && !result.satisfied) return {
+			...result,
+			redirect: result.redirect ?? fallbackRedirect
+		};
+	} catch (error) {
+		console.error("[Auth:Security] Requirement failed:", error);
+	}
+	return { satisfied: true };
+}
+/**
+* Sign In Logic
+*/
+async function signIn(data) {
+	const { email, password } = await loginSchema.parseAsync(data);
+	const user = await getUserFromEmail(email);
+	if (!user) return {
+		status: "ERROR",
+		message: "Invalid email or password"
+	};
+	const passwordHash = await getUserPasswordHash(user.id);
+	if (!passwordHash || !await verifyPasswordHash(passwordHash, password)) return {
+		status: "ERROR",
+		message: "Invalid email or password"
+	};
+	for (const validator of authValidators) {
+		const interception = await validator(user.id);
+		if (interception) return interception;
+	}
+	const sessionFlags = {};
+	const sessionToken = await generateSessionToken();
+	const session = await createSession(sessionToken, user.id, sessionFlags);
+	await setSessionTokenCookie(sessionToken, session.expiresAt);
+	const fullUser = await performFullUserAugmentation(user);
+	await eventBus.publish("auth:session-created", {
+		session,
+		user: fullUser
+	});
+	return {
+		status: "SUCCESS",
+		session: { ...session },
+		user: { ...fullUser }
+	};
+}
+/**
+* Sign Up Logic
+*/
+async function signUp(data) {
+	const { email, username, password } = registerSchema.parse(data);
+	if (!await verifyUsernameInput(username)) throw new Error("Invalid username");
+	if (!await verifyPasswordStrength(password)) throw new Error("Weak password");
+	const user = await createUser(email, username, password);
+	const verificationRequest = await createEmailVerificationRequest(user.id, user.email);
+	await sendVerificationEmail(verificationRequest.email, verificationRequest.code);
+	await setEmailVerificationRequestCookie(verificationRequest);
+	const sessionFlags = {};
+	const sessionToken = await generateSessionToken();
+	const session = await createSession(sessionToken, user.id, sessionFlags);
+	await setSessionTokenCookie(sessionToken, session.expiresAt);
+	const fullUser = await performFullUserAugmentation(user);
+	await eventBus.publish("auth:session-created", {
+		session,
+		user: fullUser
+	});
+	return {
+		session: { ...session },
+		user: { ...fullUser }
+	};
+}
+/**
+* Finalizes login after a challenge
+*/
+async function finalizeLogin(userId, flags) {
+	const sessionToken = await generateSessionToken();
+	const session = await createSession(sessionToken, userId, flags);
+	await setSessionTokenCookie(sessionToken, session.expiresAt);
+	const user = await getUserById(userId);
+	if (user) await eventBus.publish("auth:session-created", {
+		session,
+		user
+	});
+	return {
+		session: session ? { ...session } : null,
+		user: user ? { ...user } : null
+	};
+}
+/**
+* Sign Out
+*/
+async function signOut() {
+	const { session, user } = await getCurrentSession();
+	if (session) {
+		if (user) await eventBus.publish("auth:signed-out", { userId: user.id });
+		await invalidateSession(session.id);
+		await deleteSessionTokenCookie();
+	}
+}
+
+//#endregion
+export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
+//# sourceMappingURL=logic.mjs.map