@arch-cadre/core 0.0.6

package/dist/core/auth/logic.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.mjs","names":[],"sources":["../../../src/core/auth/logic.ts"],"sourcesContent":["\"use server\";\n\nimport { eq, inArray } from \"drizzle-orm\";\nimport {\n  verifyPasswordHash,\n  verifyPasswordStrength,\n} from \"../../server/auth/password\";\nimport {\n  createUser,\n  getUserById,\n  getUserFromEmail,\n  getUserPasswordHash,\n  verifyUsernameInput,\n} from \"../../server/auth/user\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { eventBus } from \"../event-bus\";\nimport {\n  augmentSession,\n  augmentUser,\n  registerIdentityAugmenter,\n  registerPasswordResetSessionAugmenter,\n  registerSessionAugmenter,\n} from \"./augment\";\nimport {\n  createEmailVerificationRequest,\n  sendVerificationEmail,\n  setEmailVerificationRequestCookie,\n} from \"./email-verification\";\nimport {\n  createSession,\n  deleteSessionTokenCookie,\n  generateSessionToken,\n  getCurrentSession,\n  invalidateSession,\n  setSessionTokenCookie,\n} from \"./session\";\nimport type {\n  AuthResponse,\n  FullUser,\n  Session,\n  SessionFlags,\n  User,\n  UserPermission,\n  UserRole,\n} from \"./types\";\nimport {\n  type LoginInput,\n  loginSchema,\n  type RegisterInput,\n  registerSchema,\n} from \"./validation\";\n\n/**\n * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień\n */\nasync function coreRbacAugmenter(user: User): Promise<Record<string, any>> {\n  try {\n    // 1. Fetch direct roles\n    const userRoles = await db\n      .select({ name: rolesTable.name })\n      .from(usersToRolesTable)\n      .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n      .where(eq(usersToRolesTable.userId, user.id));\n\n    const roles = userRoles.map((r) => r.name);\n\n    // 2. Fetch direct permissions\n    const userDirectPerms = await db\n      .select({ name: permissionsTable.name })\n      .from(usersToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(eq(usersToPermissionsTable.userId, user.id));\n\n    const directPerms = userDirectPerms.map((p) => p.name);\n\n    // 3. Fetch permissions from roles\n    let rolePerms: string[] = [];\n    if (roles.length > 0) {\n      const roleIdsResult = await db\n        .select({ id: rolesTable.id })\n        .from(rolesTable)\n        .where(inArray(rolesTable.name, roles));\n\n      const roleIds = roleIdsResult.map((r) => r.id);\n\n      if (roleIds.length > 0) {\n        const rolePermsData = await db\n          .select({ name: permissionsTable.name })\n          .from(rolesToPermissionsTable)\n          .innerJoin(\n            permissionsTable,\n            eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n          )\n          .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n        rolePerms = rolePermsData.map((p) => p.name);\n      }\n    }\n\n    return {\n      roles,\n      permissions: Array.from(new Set([...directPerms, ...rolePerms])),\n    };\n  } catch (error) {\n    console.error(\"[Auth:RBAC] Failed to augment user:\", error);\n    return { roles: [], permissions: [] };\n  }\n}\n\n/**\n * Registry for login validators (e.g. 2FA module)\n */\ntype AuthValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)\n */\ntype SecurityRequirement = (\n  session: Session,\n  user: FullUser,\n) => Promise<{ satisfied: boolean; redirect?: string } | null>;\n\n/**\n * Registry for password reset validators (e.g. 2FA module requiring check during reset)\n */\ntype PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for email verification validators\n */\ntype EmailVerificationValidator = (\n  userId: string,\n) => Promise<AuthResponse | null>;\n\nconst globalForAuth = globalThis as unknown as {\n  __WINKLY_AUTH_VALIDATORS__: Set<AuthValidator> | undefined;\n  __WINKLY_SECURITY_REQUIREMENTS__: Set<SecurityRequirement> | undefined;\n  __WINKLY_PASSWORD_RESET_VALIDATORS__: Set<PasswordResetValidator> | undefined;\n  __WINKLY_EMAIL_VERIFICATION_VALIDATORS__:\n    | Set<EmailVerificationValidator>\n    | undefined;\n};\n\nconst authValidators =\n  globalForAuth.__WINKLY_AUTH_VALIDATORS__ ?? new Set<AuthValidator>();\nconst securityRequirements =\n  globalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ ??\n  new Set<SecurityRequirement>();\nconst passwordResetValidators =\n  globalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ ??\n  new Set<PasswordResetValidator>();\nconst emailVerificationValidators =\n  globalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ ??\n  new Set<EmailVerificationValidator>();\n\nglobalForAuth.__WINKLY_AUTH_VALIDATORS__ = authValidators;\nglobalForAuth.__WINKLY_SECURITY_REQUIREMENTS__ = securityRequirements;\nglobalForAuth.__WINKLY_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;\nglobalForAuth.__WINKLY_EMAIL_VERIFICATION_VALIDATORS__ =\n  emailVerificationValidators;\n\nexport async function registerAuthValidator(validator: AuthValidator) {\n  authValidators.add(validator);\n}\n\nexport async function registerPasswordResetValidator(\n  validator: PasswordResetValidator,\n) {\n  passwordResetValidators.add(validator);\n}\n\nexport async function registerEmailVerificationValidator(\n  validator: EmailVerificationValidator,\n) {\n  emailVerificationValidators.add(validator);\n}\n\nexport {\n  registerIdentityAugmenter,\n  registerSessionAugmenter,\n  registerPasswordResetSessionAugmenter,\n  augmentUser,\n  augmentSession,\n};\n\nexport async function registerSecurityRequirement(\n  requirement: SecurityRequirement,\n) {\n  securityRequirements.add(requirement);\n}\n\nexport async function runPasswordResetValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of passwordResetValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\nexport async function runEmailVerificationValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of emailVerificationValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\n/**\n * Augments a base user with data from all registered modules.\n * This is now just a wrapper that includes core RBAC data.\n */\nexport async function performFullUserAugmentation(\n  user: User,\n): Promise<FullUser> {\n  const coreRbacData = await coreRbacAugmenter(user);\n  return await augmentUser(user, coreRbacData);\n}\n\n/**\n * Checks if the current session satisfies all registered security requirements.\n */\nexport async function checkSecurity(\n  session: Session,\n  user: FullUser,\n  requiredRoles?: UserRole[],\n  requiredPermissions?: UserPermission[],\n  fallbackRedirect?: string,\n) {\n  if (!user) {\n    console.warn(\"User is required for security check\");\n    return { satisfied: false, redirect: fallbackRedirect ?? \"/signin\" };\n  }\n\n  const userRoles = Array.isArray(user.roles) ? user.roles : [];\n  const userPermissions = Array.isArray(user.permissions)\n    ? user.permissions\n    : [];\n\n  // 1. Core Role Check (At least one role must match)\n  if (requiredRoles && requiredRoles.length > 0) {\n    const hasRole = requiredRoles.some((role) => userRoles.includes(role));\n    if (!hasRole) {\n      console.warn(`User lacks required roles: ${requiredRoles.join(\", \")}`);\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 2. Core Permission Check (ALL permissions must match)\n  if (requiredPermissions && requiredPermissions.length > 0) {\n    const hasAllPermissions = requiredPermissions.every((perm) =>\n      userPermissions.includes(perm),\n    );\n    if (!hasAllPermissions) {\n      console.warn(\n        `User lacks required permissions: ${requiredPermissions.join(\", \")}`,\n      );\n\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 3. Modular Requirements Check\n  if (securityRequirements) {\n    for (const requirement of securityRequirements) {\n      try {\n        const result = await requirement(session, user);\n        if (result && !result.satisfied) {\n          return {\n            ...result,\n            redirect: result.redirect ?? fallbackRedirect,\n          };\n        }\n      } catch (error) {\n        console.error(\"[Auth:Security] Requirement failed:\", error);\n      }\n    }\n  }\n  return { satisfied: true };\n}\n\n/**\n * Sign In Logic\n */\nexport async function signIn(data: LoginInput): Promise<AuthResponse> {\n  const { email, password } = await loginSchema.parseAsync(data);\n\n  const user = await getUserFromEmail(email);\n  if (!user) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  const passwordHash = await getUserPasswordHash(user.id);\n  if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  // Interception Layer\n  for (const validator of authValidators) {\n    const interception = await validator(user.id);\n    if (interception) return interception;\n  }\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    status: \"SUCCESS\",\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Sign Up Logic\n */\nexport async function signUp(data: RegisterInput) {\n  const { email, username, password } = registerSchema.parse(data);\n\n  if (!(await verifyUsernameInput(username))) {\n    throw new Error(\"Invalid username\");\n  }\n\n  if (!(await verifyPasswordStrength(password))) {\n    throw new Error(\"Weak password\");\n  }\n\n  const user = await createUser(email, username, password);\n  const verificationRequest = await createEmailVerificationRequest(\n    user.id,\n    user.email,\n  );\n\n  await sendVerificationEmail(\n    verificationRequest.email,\n    verificationRequest.code,\n  );\n  await setEmailVerificationRequestCookie(verificationRequest);\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Finalizes login after a challenge\n */\nexport async function finalizeLogin(userId: string, flags: SessionFlags) {\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, userId, flags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const user = await getUserById(userId);\n\n  if (user) {\n    await eventBus.publish(\"auth:session-created\", { session, user });\n  }\n\n  return {\n    session: session ? { ...session } : null,\n    user: user ? { ...user } : null,\n  };\n}\n\n/**\n * Sign Out\n */\nexport async function signOut() {\n  const { session, user } = await getCurrentSession();\n  if (session) {\n    if (user) {\n      await eventBus.publish(\"auth:signed-out\", { userId: user.id });\n    }\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA8DA,eAAe,kBAAkB,MAA0C;AACzE,KAAI;EAQF,MAAM,SANY,MAAM,GACrB,OAAO,EAAE,MAAM,WAAW,MAAM,CAAC,CACjC,KAAK,kBAAkB,CACvB,UAAU,YAAY,GAAG,kBAAkB,QAAQ,WAAW,GAAG,CAAC,CAClE,MAAM,GAAG,kBAAkB,QAAQ,KAAK,GAAG,CAAC,EAEvB,KAAK,MAAM,EAAE,KAAK;EAY1C,MAAM,eATkB,MAAM,GAC3B,OAAO,EAAE,MAAM,iBAAiB,MAAM,CAAC,CACvC,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,GAAG,wBAAwB,QAAQ,KAAK,GAAG,CAAC,EAEjB,KAAK,MAAM,EAAE,KAAK;EAGtD,IAAI,YAAsB,EAAE;AAC5B,MAAI,MAAM,SAAS,GAAG;GAMpB,MAAM,WALgB,MAAM,GACzB,OAAO,EAAE,IAAI,WAAW,IAAI,CAAC,CAC7B,KAAK,WAAW,CAChB,MAAM,QAAQ,WAAW,MAAM,MAAM,CAAC,EAEX,KAAK,MAAM,EAAE,GAAG;AAE9C,OAAI,QAAQ,SAAS,EASnB,cARsB,MAAM,GACzB,OAAO,EAAE,MAAM,iBAAiB,MAAM,CAAC,CACvC,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,QAAQ,wBAAwB,QAAQ,QAAQ,CAAC,EAChC,KAAK,MAAM,EAAE,KAAK;;AAIhD,SAAO;GACL;GACA,aAAa,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,aAAa,GAAG,UAAU,CAAC,CAAC;GACjE;UACM,OAAO;AACd,UAAQ,MAAM,uCAAuC,MAAM;AAC3D,SAAO;GAAE,OAAO,EAAE;GAAE,aAAa,EAAE;GAAE;;;AA6BzC,MAAM,gBAAgB;AAStB,MAAM,iBACJ,cAAc,8CAA8B,IAAI,KAAoB;AACtE,MAAM,uBACJ,cAAc,oDACd,IAAI,KAA0B;AAChC,MAAM,0BACJ,cAAc,wDACd,IAAI,KAA6B;AACnC,MAAM,8BACJ,cAAc,4DACd,IAAI,KAAiC;AAEvC,cAAc,6BAA6B;AAC3C,cAAc,mCAAmC;AACjD,cAAc,uCAAuC;AACrD,cAAc,2CACZ;AAEF,eAAsB,sBAAsB,WAA0B;AACpE,gBAAe,IAAI,UAAU;;AAG/B,eAAsB,+BACpB,WACA;AACA,yBAAwB,IAAI,UAAU;;AAGxC,eAAsB,mCACpB,WACA;AACA,6BAA4B,IAAI,UAAU;;AAW5C,eAAsB,4BACpB,aACA;AACA,sBAAqB,IAAI,YAAY;;AAGvC,eAAsB,2BACpB,QAC8B;AAC9B,MAAK,MAAM,aAAa,yBAAyB;EAC/C,MAAM,eAAe,MAAM,UAAU,OAAO;AAC5C,MAAI,aAAc,QAAO;;AAE3B,QAAO;;AAGT,eAAsB,+BACpB,QAC8B;AAC9B,MAAK,MAAM,aAAa,6BAA6B;EACnD,MAAM,eAAe,MAAM,UAAU,OAAO;AAC5C,MAAI,aAAc,QAAO;;AAE3B,QAAO;;;;;;AAOT,eAAsB,4BACpB,MACmB;AAEnB,QAAO,MAAM,YAAY,MADJ,MAAM,kBAAkB,KAAK,CACN;;;;;AAM9C,eAAsB,cACpB,SACA,MACA,eACA,qBACA,kBACA;AACA,KAAI,CAAC,MAAM;AACT,UAAQ,KAAK,sCAAsC;AACnD,SAAO;GAAE,WAAW;GAAO,UAAU,oBAAoB;GAAW;;CAGtE,MAAM,YAAY,MAAM,QAAQ,KAAK,MAAM,GAAG,KAAK,QAAQ,EAAE;CAC7D,MAAM,kBAAkB,MAAM,QAAQ,KAAK,YAAY,GACnD,KAAK,cACL,EAAE;AAGN,KAAI,iBAAiB,cAAc,SAAS,GAE1C;MAAI,CADY,cAAc,MAAM,SAAS,UAAU,SAAS,KAAK,CAAC,EACxD;AACZ,WAAQ,KAAK,8BAA8B,cAAc,KAAK,KAAK,GAAG;AACtE,UAAO;IACL,WAAW;IACX,UAAU;IACX;;;AAKL,KAAI,uBAAuB,oBAAoB,SAAS,GAItD;MAAI,CAHsB,oBAAoB,OAAO,SACnD,gBAAgB,SAAS,KAAK,CAC/B,EACuB;AACtB,WAAQ,KACN,oCAAoC,oBAAoB,KAAK,KAAK,GACnE;AAED,UAAO;IACL,WAAW;IACX,UAAU;IACX;;;AAKL,KAAI,qBACF,MAAK,MAAM,eAAe,qBACxB,KAAI;EACF,MAAM,SAAS,MAAM,YAAY,SAAS,KAAK;AAC/C,MAAI,UAAU,CAAC,OAAO,UACpB,QAAO;GACL,GAAG;GACH,UAAU,OAAO,YAAY;GAC9B;UAEI,OAAO;AACd,UAAQ,MAAM,uCAAuC,MAAM;;AAIjE,QAAO,EAAE,WAAW,MAAM;;;;;AAM5B,eAAsB,OAAO,MAAyC;CACpE,MAAM,EAAE,OAAO,aAAa,MAAM,YAAY,WAAW,KAAK;CAE9D,MAAM,OAAO,MAAM,iBAAiB,MAAM;AAC1C,KAAI,CAAC,KACH,QAAO;EAAE,QAAQ;EAAS,SAAS;EAA6B;CAGlE,MAAM,eAAe,MAAM,oBAAoB,KAAK,GAAG;AACvD,KAAI,CAAC,gBAAgB,CAAE,MAAM,mBAAmB,cAAc,SAAS,CACrE,QAAO;EAAE,QAAQ;EAAS,SAAS;EAA6B;AAIlE,MAAK,MAAM,aAAa,gBAAgB;EACtC,MAAM,eAAe,MAAM,UAAU,KAAK,GAAG;AAC7C,MAAI,aAAc,QAAO;;CAG3B,MAAM,eAA6B,EAAE;CACrC,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,KAAK,IAAI,aAAa;AACxE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,WAAW,MAAM,4BAA4B,KAAK;AACxD,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS,MAAM;EAAU,CAAC;AAE3E,QAAO;EACL,QAAQ;EACR,SAAS,EAAE,GAAG,SAAS;EACvB,MAAM,EAAE,GAAG,UAAU;EACtB;;;;;AAMH,eAAsB,OAAO,MAAqB;CAChD,MAAM,EAAE,OAAO,UAAU,aAAa,eAAe,MAAM,KAAK;AAEhE,KAAI,CAAE,MAAM,oBAAoB,SAAS,CACvC,OAAM,IAAI,MAAM,mBAAmB;AAGrC,KAAI,CAAE,MAAM,uBAAuB,SAAS,CAC1C,OAAM,IAAI,MAAM,gBAAgB;CAGlC,MAAM,OAAO,MAAM,WAAW,OAAO,UAAU,SAAS;CACxD,MAAM,sBAAsB,MAAM,+BAChC,KAAK,IACL,KAAK,MACN;AAED,OAAM,sBACJ,oBAAoB,OACpB,oBAAoB,KACrB;AACD,OAAM,kCAAkC,oBAAoB;CAE5D,MAAM,eAA6B,EAAE;CACrC,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,KAAK,IAAI,aAAa;AACxE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,WAAW,MAAM,4BAA4B,KAAK;AACxD,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS,MAAM;EAAU,CAAC;AAE3E,QAAO;EACL,SAAS,EAAE,GAAG,SAAS;EACvB,MAAM,EAAE,GAAG,UAAU;EACtB;;;;;AAMH,eAAsB,cAAc,QAAgB,OAAqB;CACvE,MAAM,eAAe,MAAM,sBAAsB;CACjD,MAAM,UAAU,MAAM,cAAc,cAAc,QAAQ,MAAM;AAChE,OAAM,sBAAsB,cAAc,QAAQ,UAAU;CAE5D,MAAM,OAAO,MAAM,YAAY,OAAO;AAEtC,KAAI,KACF,OAAM,SAAS,QAAQ,wBAAwB;EAAE;EAAS;EAAM,CAAC;AAGnE,QAAO;EACL,SAAS,UAAU,EAAE,GAAG,SAAS,GAAG;EACpC,MAAM,OAAO,EAAE,GAAG,MAAM,GAAG;EAC5B;;;;;AAMH,eAAsB,UAAU;CAC9B,MAAM,EAAE,SAAS,SAAS,MAAM,mBAAmB;AACnD,KAAI,SAAS;AACX,MAAI,KACF,OAAM,SAAS,QAAQ,mBAAmB,EAAE,QAAQ,KAAK,IAAI,CAAC;AAEhE,QAAM,kBAAkB,QAAQ,GAAG;AACnC,QAAM,0BAA0B"}

package/dist/core/auth/password-reset.cjs

@@ -0,0 +1,118 @@
+"use server";
+
+const require_runtime = require('../../_virtual/_rolldown/runtime.cjs');
+const require_inject = require('../../server/database/inject.cjs');
+const require_schema = require('../../server/database/schema.cjs');
+const require_index = require('../../server/emails/index.cjs');
+const require_encode = require('./utils/encode.cjs');
+const require_augment = require('./augment.cjs');
+const require_logic = require('./logic.cjs');
+let drizzle_orm = require("drizzle-orm");
+let _oslojs_crypto_sha2 = require("@oslojs/crypto/sha2");
+let _oslojs_encoding = require("@oslojs/encoding");
+let date_fns = require("date-fns");
+let next_headers = require("next/headers");
+
+//#region src/core/auth/password-reset.ts
+/**
+* Creates a new password reset session.
+*/
+async function createPasswordResetSession(token, userId, email) {
+	const sessionId = (0, _oslojs_encoding.encodeHexLowerCase)((0, _oslojs_crypto_sha2.sha256)(new TextEncoder().encode(token)));
+	const [session] = await require_inject.db.insert(require_schema.passwordResetSessionTable).values({
+		id: sessionId,
+		email,
+		code: require_encode.generateRandomOTP(),
+		expiresAt: new Date((0, date_fns.addHours)(/* @__PURE__ */ new Date(), 1)),
+		userId
+	}).returning();
+	return session;
+}
+/**
+* Validates the password reset session token and retrieves user data.
+* The user data is augmented by registered modules (e.g. 2FA).
+*/
+async function validatePasswordResetSessionToken(token) {
+	const sessionId = (0, _oslojs_encoding.encodeHexLowerCase)((0, _oslojs_crypto_sha2.sha256)(new TextEncoder().encode(token)));
+	const [row] = await require_inject.db.select({
+		session: require_schema.passwordResetSessionTable,
+		user: require_schema.userTable
+	}).from(require_schema.passwordResetSessionTable).innerJoin(require_schema.userTable, (0, drizzle_orm.eq)(require_schema.passwordResetSessionTable.userId, require_schema.userTable.id)).where((0, drizzle_orm.eq)(require_schema.passwordResetSessionTable.id, sessionId));
+	if (!row || !row.user) return {
+		session: null,
+		user: null
+	};
+	const { session: baseSession, user: baseUser } = row;
+	if (/* @__PURE__ */ new Date() > baseSession.expiresAt) {
+		await require_inject.db.delete(require_schema.passwordResetSessionTable).where((0, drizzle_orm.eq)(require_schema.passwordResetSessionTable.id, baseSession.id));
+		return {
+			session: null,
+			user: null
+		};
+	}
+	const { password, recovery_code, ...safeUser } = baseUser;
+	const user = await require_logic.performFullUserAugmentation(safeUser);
+	return {
+		session: await require_augment.augmentPasswordResetSession(baseSession),
+		user
+	};
+}
+/**
+* Marks the password reset session as email verified.
+*/
+async function setPasswordResetSessionAsEmailVerified(sessionId) {
+	await require_inject.db.update(require_schema.passwordResetSessionTable).set({ emailVerified: true }).where((0, drizzle_orm.eq)(require_schema.passwordResetSessionTable.id, sessionId));
+}
+/**
+* Invalidates all password reset sessions for a user.
+*/
+async function invalidateUserPasswordResetSessions(userId) {
+	await require_inject.db.delete(require_schema.passwordResetSessionTable).where((0, drizzle_orm.eq)(require_schema.passwordResetSessionTable.userId, userId));
+}
+/**
+* Validates the current password reset session from cookies.
+*/
+async function getCurrentPasswordResetSession() {
+	const token = (await (0, next_headers.cookies)()).get("password_reset_session")?.value ?? null;
+	if (token === null) return {
+		session: null,
+		user: null
+	};
+	const result = await validatePasswordResetSessionToken(token);
+	if (result.session === null) await deletePasswordResetSessionTokenCookie();
+	return result;
+}
+/**
+* Sets the password reset session token cookie.
+*/
+async function setPasswordResetSessionTokenCookie(token, expiresAt) {
+	(await (0, next_headers.cookies)()).set("password_reset_session", token, {
+		expires: expiresAt,
+		sameSite: "lax",
+		httpOnly: true,
+		path: "/",
+		secure: process.env.NODE_ENV === "production"
+	});
+}
+/**
+* Deletes the password reset session token cookie.
+*/
+async function deletePasswordResetSessionTokenCookie() {
+	(await (0, next_headers.cookies)()).delete("password_reset_session");
+}
+/**
+* Sends a password reset email with the OTP code.
+*/
+async function sendPasswordResetEmail(email, code) {
+	await /* @__PURE__ */ require_index.sendResetPassword(email, code);
+}
+
+//#endregion
+exports.createPasswordResetSession = createPasswordResetSession;
+exports.deletePasswordResetSessionTokenCookie = deletePasswordResetSessionTokenCookie;
+exports.getCurrentPasswordResetSession = getCurrentPasswordResetSession;
+exports.invalidateUserPasswordResetSessions = invalidateUserPasswordResetSessions;
+exports.sendPasswordResetEmail = sendPasswordResetEmail;
+exports.setPasswordResetSessionAsEmailVerified = setPasswordResetSessionAsEmailVerified;
+exports.setPasswordResetSessionTokenCookie = setPasswordResetSessionTokenCookie;
+exports.validatePasswordResetSessionToken = validatePasswordResetSessionToken;

package/dist/core/auth/password-reset.d.cts

@@ -0,0 +1,39 @@
+import { PasswordResetAuthSession, PasswordResetSession } from "./types.cjs";
+
+//#region src/core/auth/password-reset.d.ts
+/**
+ * Creates a new password reset session.
+ */
+declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
+/**
+ * Marks the password reset session as email verified.
+ */
+declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
+/**
+ * Validates the current password reset session from cookies.
+ */
+declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
+/**
+ * Sets the password reset session token cookie.
+ */
+declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Deletes the password reset session token cookie.
+ */
+declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
+/**
+ * Sends a password reset email with the OTP code.
+ */
+declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
+//#endregion
+export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
+//# sourceMappingURL=password-reset.d.cts.map

package/dist/core/auth/password-reset.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.d.cts","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"mappings":";;;;;AAqBA;iBAAsB,0BAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,WACC,OAAA,CAAQ,oBAAA;;;;;iBAqBW,iCAAA,CACpB,KAAA,WACC,OAAA,CAAQ,wBAAA;;;;iBAyCW,sCAAA,CACpB,SAAA,WACC,OAAA;AA7CH;;;AAAA,iBAyDsB,mCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,8BAAA,CAAA,GAAkC,OAAA,CAAQ,wBAAA;;AAzBhE;;iBA6CsB,kCAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAlCH;iBAiDsB,qCAAA,CAAA,GAAyC,OAAA;;;;iBAQzC,sBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA"}

package/dist/core/auth/password-reset.d.mts

@@ -0,0 +1,39 @@
+import { PasswordResetAuthSession, PasswordResetSession } from "./types.mjs";
+
+//#region src/core/auth/password-reset.d.ts
+/**
+ * Creates a new password reset session.
+ */
+declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
+/**
+ * Validates the password reset session token and retrieves user data.
+ * The user data is augmented by registered modules (e.g. 2FA).
+ */
+declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
+/**
+ * Marks the password reset session as email verified.
+ */
+declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
+/**
+ * Invalidates all password reset sessions for a user.
+ */
+declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
+/**
+ * Validates the current password reset session from cookies.
+ */
+declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
+/**
+ * Sets the password reset session token cookie.
+ */
+declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Deletes the password reset session token cookie.
+ */
+declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
+/**
+ * Sends a password reset email with the OTP code.
+ */
+declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
+//#endregion
+export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
+//# sourceMappingURL=password-reset.d.mts.map

package/dist/core/auth/password-reset.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.d.mts","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"mappings":";;;;;AAqBA;iBAAsB,0BAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,WACC,OAAA,CAAQ,oBAAA;;;;;iBAqBW,iCAAA,CACpB,KAAA,WACC,OAAA,CAAQ,wBAAA;;;;iBAyCW,sCAAA,CACpB,SAAA,WACC,OAAA;AA7CH;;;AAAA,iBAyDsB,mCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,8BAAA,CAAA,GAAkC,OAAA,CAAQ,wBAAA;;AAzBhE;;iBA6CsB,kCAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAlCH;iBAiDsB,qCAAA,CAAA,GAAyC,OAAA;;;;iBAQzC,sBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA"}

package/dist/core/auth/password-reset.mjs

@@ -0,0 +1,111 @@
+"use server";
+
+import { db } from "../../server/database/inject.mjs";
+import { passwordResetSessionTable, userTable } from "../../server/database/schema.mjs";
+import { sendResetPassword } from "../../server/emails/index.mjs";
+import { generateRandomOTP } from "./utils/encode.mjs";
+import { augmentPasswordResetSession } from "./augment.mjs";
+import { performFullUserAugmentation } from "./logic.mjs";
+import { eq } from "drizzle-orm";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { addHours } from "date-fns";
+import { cookies } from "next/headers";
+
+//#region src/core/auth/password-reset.ts
+/**
+* Creates a new password reset session.
+*/
+async function createPasswordResetSession(token, userId, email) {
+	const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+	const [session] = await db.insert(passwordResetSessionTable).values({
+		id: sessionId,
+		email,
+		code: generateRandomOTP(),
+		expiresAt: new Date(addHours(/* @__PURE__ */ new Date(), 1)),
+		userId
+	}).returning();
+	return session;
+}
+/**
+* Validates the password reset session token and retrieves user data.
+* The user data is augmented by registered modules (e.g. 2FA).
+*/
+async function validatePasswordResetSessionToken(token) {
+	const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+	const [row] = await db.select({
+		session: passwordResetSessionTable,
+		user: userTable
+	}).from(passwordResetSessionTable).innerJoin(userTable, eq(passwordResetSessionTable.userId, userTable.id)).where(eq(passwordResetSessionTable.id, sessionId));
+	if (!row || !row.user) return {
+		session: null,
+		user: null
+	};
+	const { session: baseSession, user: baseUser } = row;
+	if (/* @__PURE__ */ new Date() > baseSession.expiresAt) {
+		await db.delete(passwordResetSessionTable).where(eq(passwordResetSessionTable.id, baseSession.id));
+		return {
+			session: null,
+			user: null
+		};
+	}
+	const { password, recovery_code, ...safeUser } = baseUser;
+	const user = await performFullUserAugmentation(safeUser);
+	return {
+		session: await augmentPasswordResetSession(baseSession),
+		user
+	};
+}
+/**
+* Marks the password reset session as email verified.
+*/
+async function setPasswordResetSessionAsEmailVerified(sessionId) {
+	await db.update(passwordResetSessionTable).set({ emailVerified: true }).where(eq(passwordResetSessionTable.id, sessionId));
+}
+/**
+* Invalidates all password reset sessions for a user.
+*/
+async function invalidateUserPasswordResetSessions(userId) {
+	await db.delete(passwordResetSessionTable).where(eq(passwordResetSessionTable.userId, userId));
+}
+/**
+* Validates the current password reset session from cookies.
+*/
+async function getCurrentPasswordResetSession() {
+	const token = (await cookies()).get("password_reset_session")?.value ?? null;
+	if (token === null) return {
+		session: null,
+		user: null
+	};
+	const result = await validatePasswordResetSessionToken(token);
+	if (result.session === null) await deletePasswordResetSessionTokenCookie();
+	return result;
+}
+/**
+* Sets the password reset session token cookie.
+*/
+async function setPasswordResetSessionTokenCookie(token, expiresAt) {
+	(await cookies()).set("password_reset_session", token, {
+		expires: expiresAt,
+		sameSite: "lax",
+		httpOnly: true,
+		path: "/",
+		secure: process.env.NODE_ENV === "production"
+	});
+}
+/**
+* Deletes the password reset session token cookie.
+*/
+async function deletePasswordResetSessionTokenCookie() {
+	(await cookies()).delete("password_reset_session");
+}
+/**
+* Sends a password reset email with the OTP code.
+*/
+async function sendPasswordResetEmail(email, code) {
+	await /* @__PURE__ */ sendResetPassword(email, code);
+}
+
+//#endregion
+export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
+//# sourceMappingURL=password-reset.mjs.map

package/dist/core/auth/password-reset.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.mjs","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"sourcesContent":["\"use server\";\n\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport { encodeHexLowerCase } from \"@oslojs/encoding\";\nimport { addHours } from \"date-fns\";\nimport { eq } from \"drizzle-orm\";\nimport { cookies } from \"next/headers\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  passwordResetSessionTable,\n  userTable,\n} from \"../../server/database/schema\";\nimport { sendResetPassword } from \"../../server/emails\";\nimport { augmentPasswordResetSession } from \"./augment\";\nimport { performFullUserAugmentation } from \"./logic\";\nimport type { PasswordResetAuthSession, PasswordResetSession } from \"./types\";\nimport { generateRandomOTP } from \"./utils/encode\";\n\n/**\n * Creates a new password reset session.\n */\nexport async function createPasswordResetSession(\n  token: string,\n  userId: string,\n  email: string,\n): Promise<PasswordResetSession> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [session] = await db\n    .insert(passwordResetSessionTable)\n    .values({\n      id: sessionId,\n      email: email,\n      code: generateRandomOTP(),\n      expiresAt: new Date(addHours(new Date(), 1)),\n      userId: userId,\n    })\n    .returning();\n\n  return session;\n}\n\n/**\n * Validates the password reset session token and retrieves user data.\n * The user data is augmented by registered modules (e.g. 2FA).\n */\nexport async function validatePasswordResetSessionToken(\n  token: string,\n): Promise<PasswordResetAuthSession> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [row] = await db\n    .select({\n      session: passwordResetSessionTable,\n      user: userTable,\n    })\n    .from(passwordResetSessionTable)\n    .innerJoin(userTable, eq(passwordResetSessionTable.userId, userTable.id))\n    .where(eq(passwordResetSessionTable.id, sessionId));\n\n  if (!row || !row.user) {\n    return { session: null, user: null };\n  }\n\n  const { session: baseSession, user: baseUser } = row;\n\n  // Check for expiration\n  if (new Date() > baseSession.expiresAt) {\n    await db\n      .delete(passwordResetSessionTable)\n      .where(eq(passwordResetSessionTable.id, baseSession.id));\n    return { session: null, user: null };\n  }\n\n  // STRICTLY remove non-serializable and sensitive fields\n  const { password, recovery_code, ...safeUser } = baseUser;\n\n  // AUGMENT (EXTENSIBILITY POINTS)\n  const user = await performFullUserAugmentation(safeUser as any);\n  const session = await augmentPasswordResetSession(\n    baseSession as PasswordResetSession,\n  );\n\n  return { session, user };\n}\n\n/**\n * Marks the password reset session as email verified.\n */\nexport async function setPasswordResetSessionAsEmailVerified(\n  sessionId: string,\n): Promise<void> {\n  await db\n    .update(passwordResetSessionTable)\n    .set({\n      emailVerified: true,\n    })\n    .where(eq(passwordResetSessionTable.id, sessionId));\n}\n\n/**\n * Invalidates all password reset sessions for a user.\n */\nexport async function invalidateUserPasswordResetSessions(\n  userId: string,\n): Promise<void> {\n  await db\n    .delete(passwordResetSessionTable)\n    .where(eq(passwordResetSessionTable.userId, userId));\n}\n\n/**\n * Validates the current password reset session from cookies.\n */\nexport async function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession> {\n  const cookieStore = await cookies();\n  const token = cookieStore.get(\"password_reset_session\")?.value ?? null;\n\n  if (token === null) {\n    return { session: null, user: null };\n  }\n\n  const result = await validatePasswordResetSessionToken(token);\n\n  if (result.session === null) {\n    await deletePasswordResetSessionTokenCookie();\n  }\n\n  return result;\n}\n\n/**\n * Sets the password reset session token cookie.\n */\nexport async function setPasswordResetSessionTokenCookie(\n  token: string,\n  expiresAt: Date,\n): Promise<void> {\n  const cookieStore = await cookies();\n\n  cookieStore.set(\"password_reset_session\", token, {\n    expires: expiresAt,\n    sameSite: \"lax\",\n    httpOnly: true,\n    path: \"/\",\n    secure: process.env.NODE_ENV === \"production\",\n  });\n}\n\n/**\n * Deletes the password reset session token cookie.\n */\nexport async function deletePasswordResetSessionTokenCookie(): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.delete(\"password_reset_session\");\n}\n\n/**\n * Sends a password reset email with the OTP code.\n */\nexport async function sendPasswordResetEmail(\n  email: string,\n  code: string,\n): Promise<void> {\n  await sendResetPassword(email, code);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAqBA,eAAsB,2BACpB,OACA,QACA,OAC+B;CAC/B,MAAM,YAAY,mBAAmB,OAAO,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;CAE7E,MAAM,CAAC,WAAW,MAAM,GACrB,OAAO,0BAA0B,CACjC,OAAO;EACN,IAAI;EACG;EACP,MAAM,mBAAmB;EACzB,WAAW,IAAI,KAAK,yBAAS,IAAI,MAAM,EAAE,EAAE,CAAC;EACpC;EACT,CAAC,CACD,WAAW;AAEd,QAAO;;;;;;AAOT,eAAsB,kCACpB,OACmC;CACnC,MAAM,YAAY,mBAAmB,OAAO,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;CAE7E,MAAM,CAAC,OAAO,MAAM,GACjB,OAAO;EACN,SAAS;EACT,MAAM;EACP,CAAC,CACD,KAAK,0BAA0B,CAC/B,UAAU,WAAW,GAAG,0BAA0B,QAAQ,UAAU,GAAG,CAAC,CACxE,MAAM,GAAG,0BAA0B,IAAI,UAAU,CAAC;AAErD,KAAI,CAAC,OAAO,CAAC,IAAI,KACf,QAAO;EAAE,SAAS;EAAM,MAAM;EAAM;CAGtC,MAAM,EAAE,SAAS,aAAa,MAAM,aAAa;AAGjD,qBAAI,IAAI,MAAM,GAAG,YAAY,WAAW;AACtC,QAAM,GACH,OAAO,0BAA0B,CACjC,MAAM,GAAG,0BAA0B,IAAI,YAAY,GAAG,CAAC;AAC1D,SAAO;GAAE,SAAS;GAAM,MAAM;GAAM;;CAItC,MAAM,EAAE,UAAU,eAAe,GAAG,aAAa;CAGjD,MAAM,OAAO,MAAM,4BAA4B,SAAgB;AAK/D,QAAO;EAAE,SAJO,MAAM,4BACpB,YACD;EAEiB;EAAM;;;;;AAM1B,eAAsB,uCACpB,WACe;AACf,OAAM,GACH,OAAO,0BAA0B,CACjC,IAAI,EACH,eAAe,MAChB,CAAC,CACD,MAAM,GAAG,0BAA0B,IAAI,UAAU,CAAC;;;;;AAMvD,eAAsB,oCACpB,QACe;AACf,OAAM,GACH,OAAO,0BAA0B,CACjC,MAAM,GAAG,0BAA0B,QAAQ,OAAO,CAAC;;;;;AAMxD,eAAsB,iCAAoE;CAExF,MAAM,SADc,MAAM,SAAS,EACT,IAAI,yBAAyB,EAAE,SAAS;AAElE,KAAI,UAAU,KACZ,QAAO;EAAE,SAAS;EAAM,MAAM;EAAM;CAGtC,MAAM,SAAS,MAAM,kCAAkC,MAAM;AAE7D,KAAI,OAAO,YAAY,KACrB,OAAM,uCAAuC;AAG/C,QAAO;;;;;AAMT,eAAsB,mCACpB,OACA,WACe;AAGf,EAFoB,MAAM,SAAS,EAEvB,IAAI,0BAA0B,OAAO;EAC/C,SAAS;EACT,UAAU;EACV,UAAU;EACV,MAAM;EACN,QAAQ,QAAQ,IAAI,aAAa;EAClC,CAAC;;;;;AAMJ,eAAsB,wCAAuD;AAE3E,EADoB,MAAM,SAAS,EACvB,OAAO,yBAAyB;;;;;AAM9C,eAAsB,uBACpB,OACA,MACe;AACf,OAAM,kCAAkB,OAAO,KAAK"}

package/dist/core/auth/rbac.cjs

@@ -0,0 +1,118 @@
+"use server";
+
+const require_runtime = require('../../_virtual/_rolldown/runtime.cjs');
+const require_inject = require('../../server/database/inject.cjs');
+const require_schema = require('../../server/database/schema.cjs');
+const require_service = require('../notifications/service.cjs');
+require('../notifications/index.cjs');
+let drizzle_orm = require("drizzle-orm");
+
+//#region src/core/auth/rbac.ts
+if (typeof window === "undefined") require_service.notificationService.init();
+/**
+* CORE RBAC LOGIC
+* This file handles all database operations for Roles and Permissions.
+*/
+async function getRoles() {
+	return await require_inject.db.select().from(require_schema.rolesTable).orderBy(require_schema.rolesTable.name);
+}
+async function getRoleById(roleId) {
+	const [role] = await require_inject.db.select().from(require_schema.rolesTable).where((0, drizzle_orm.eq)(require_schema.rolesTable.id, roleId));
+	return role;
+}
+async function createRole(name, description) {
+	return await require_inject.db.insert(require_schema.rolesTable).values({
+		name,
+		description
+	}).returning();
+}
+async function deleteRole(roleId) {
+	return await require_inject.db.delete(require_schema.rolesTable).where((0, drizzle_orm.eq)(require_schema.rolesTable.id, roleId));
+}
+async function getPermissions() {
+	return await require_inject.db.select().from(require_schema.permissionsTable).orderBy(require_schema.permissionsTable.name);
+}
+async function createPermission(name, description) {
+	return await require_inject.db.insert(require_schema.permissionsTable).values({
+		name,
+		description
+	}).returning();
+}
+async function deletePermission(permissionId) {
+	return await require_inject.db.delete(require_schema.permissionsTable).where((0, drizzle_orm.eq)(require_schema.permissionsTable.id, permissionId));
+}
+async function getRolePermissions(roleId) {
+	return await require_inject.db.select({
+		id: require_schema.permissionsTable.id,
+		name: require_schema.permissionsTable.name
+	}).from(require_schema.rolesToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.roleId, roleId));
+}
+async function assignPermissionToRole(roleId, permissionId) {
+	return await require_inject.db.insert(require_schema.rolesToPermissionsTable).values({
+		roleId,
+		permissionId
+	}).onConflictDoNothing();
+}
+async function revokePermissionFromRole(roleId, permissionId) {
+	return await require_inject.db.delete(require_schema.rolesToPermissionsTable).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.roleId, roleId), (0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.permissionId, permissionId)));
+}
+async function assignRoleToUser(userId, roleId) {
+	return await require_inject.db.insert(require_schema.usersToRolesTable).values({
+		userId,
+		roleId
+	}).onConflictDoNothing();
+}
+async function revokeRoleFromUser(userId, roleId) {
+	return await require_inject.db.delete(require_schema.usersToRolesTable).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(require_schema.usersToRolesTable.userId, userId), (0, drizzle_orm.eq)(require_schema.usersToRolesTable.roleId, roleId)));
+}
+async function assignPermissionToUser(userId, permissionId) {
+	return await require_inject.db.insert(require_schema.usersToPermissionsTable).values({
+		userId,
+		permissionId
+	}).onConflictDoNothing();
+}
+async function revokePermissionFromUser(userId, permissionId) {
+	return await require_inject.db.delete(require_schema.usersToPermissionsTable).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.userId, userId), (0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.permissionId, permissionId)));
+}
+async function getUserRbacData(userId) {
+	const roles = await require_inject.db.select({
+		id: require_schema.rolesTable.id,
+		name: require_schema.rolesTable.name
+	}).from(require_schema.usersToRolesTable).innerJoin(require_schema.rolesTable, (0, drizzle_orm.eq)(require_schema.usersToRolesTable.roleId, require_schema.rolesTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToRolesTable.userId, userId));
+	const directPermissions = await require_inject.db.select({
+		id: require_schema.permissionsTable.id,
+		name: require_schema.permissionsTable.name
+	}).from(require_schema.usersToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.eq)(require_schema.usersToPermissionsTable.userId, userId));
+	let rolePermissions = [];
+	if (roles.length > 0) {
+		const roleIds = roles.map((r) => r.id);
+		rolePermissions = await require_inject.db.select({
+			id: require_schema.permissionsTable.id,
+			name: require_schema.permissionsTable.name
+		}).from(require_schema.rolesToPermissionsTable).innerJoin(require_schema.permissionsTable, (0, drizzle_orm.eq)(require_schema.rolesToPermissionsTable.permissionId, require_schema.permissionsTable.id)).where((0, drizzle_orm.inArray)(require_schema.rolesToPermissionsTable.roleId, roleIds));
+	}
+	const effectiveMap = /* @__PURE__ */ new Map();
+	for (const p of [...directPermissions, ...rolePermissions]) effectiveMap.set(p.id, p);
+	return {
+		roles,
+		directPermissions,
+		effectivePermissions: Array.from(effectiveMap.values())
+	};
+}
+
+//#endregion
+exports.assignPermissionToRole = assignPermissionToRole;
+exports.assignPermissionToUser = assignPermissionToUser;
+exports.assignRoleToUser = assignRoleToUser;
+exports.createPermission = createPermission;
+exports.createRole = createRole;
+exports.deletePermission = deletePermission;
+exports.deleteRole = deleteRole;
+exports.getPermissions = getPermissions;
+exports.getRoleById = getRoleById;
+exports.getRolePermissions = getRolePermissions;
+exports.getRoles = getRoles;
+exports.getUserRbacData = getUserRbacData;
+exports.revokePermissionFromRole = revokePermissionFromRole;
+exports.revokePermissionFromUser = revokePermissionFromUser;
+exports.revokeRoleFromUser = revokeRoleFromUser;

package/dist/core/auth/rbac.d.cts

@@ -0,0 +1,61 @@
+import * as pg from "pg";
+
+//#region src/core/auth/rbac.d.ts
+/**
+ * CORE RBAC LOGIC
+ * This file handles all database operations for Roles and Permissions.
+ */
+declare function getRoles(): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function getRoleById(roleId: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}>;
+declare function createRole(name: string, description?: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function deleteRole(roleId: string): Promise<pg.QueryResult<never>>;
+declare function getPermissions(): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function createPermission(name: string, description?: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function deletePermission(permissionId: string): Promise<pg.QueryResult<never>>;
+declare function getRolePermissions(roleId: string): Promise<{
+  id: string;
+  name: string;
+}[]>;
+declare function assignPermissionToRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function revokePermissionFromRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function assignRoleToUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
+declare function revokeRoleFromUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
+declare function assignPermissionToUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function revokePermissionFromUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function getUserRbacData(userId: string): Promise<{
+  roles: {
+    id: string;
+    name: string;
+  }[];
+  directPermissions: {
+    id: string;
+    name: string;
+  }[];
+  effectivePermissions: {
+    id: string;
+    name: string;
+  }[];
+}>;
+//#endregion
+export { assignPermissionToRole, assignPermissionToUser, assignRoleToUser, createPermission, createRole, deletePermission, deleteRole, getPermissions, getRoleById, getRolePermissions, getRoles, getUserRbacData, revokePermissionFromRole, revokePermissionFromUser, revokeRoleFromUser };
+//# sourceMappingURL=rbac.d.cts.map

package/dist/core/auth/rbac.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.cts","names":[],"sources":["../../../src/core/auth/rbac.ts"],"mappings":";;;;;;AAyBA;iBAAsB,QAAA,CAAA,GAAQ,OAAA;;;;;iBAIR,WAAA,CAAY,MAAA,WAAc,OAAA;;;;;iBAQ1B,UAAA,CAAW,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAI7C,UAAA,CAAW,MAAA,WAAc,OAAA,CAAf,EAAA,CAAe,WAAA;AAAA,iBAMzB,cAAA,CAAA,GAAc,OAAA;;;;;iBAOd,gBAAA,CAAiB,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAOnD,gBAAA,CAAiB,YAAA,WAAoB,OAAA,CAArB,EAAA,CAAqB,WAAA;AAAA,iBAQrC,kBAAA,CAAmB,MAAA,WAAc,OAAA;;;;iBAcjC,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAcA,gBAAA,CAAiB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAO/C,kBAAA,CAAmB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAWjD,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAYA,eAAA,CAAgB,MAAA,WAAc,OAAA"}

package/dist/core/auth/rbac.d.mts

@@ -0,0 +1,61 @@
+import * as pg from "pg";
+
+//#region src/core/auth/rbac.d.ts
+/**
+ * CORE RBAC LOGIC
+ * This file handles all database operations for Roles and Permissions.
+ */
+declare function getRoles(): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function getRoleById(roleId: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}>;
+declare function createRole(name: string, description?: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function deleteRole(roleId: string): Promise<pg.QueryResult<never>>;
+declare function getPermissions(): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function createPermission(name: string, description?: string): Promise<{
+  id: string;
+  name: string;
+  description: string | null;
+}[]>;
+declare function deletePermission(permissionId: string): Promise<pg.QueryResult<never>>;
+declare function getRolePermissions(roleId: string): Promise<{
+  id: string;
+  name: string;
+}[]>;
+declare function assignPermissionToRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function revokePermissionFromRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function assignRoleToUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
+declare function revokeRoleFromUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
+declare function assignPermissionToUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function revokePermissionFromUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
+declare function getUserRbacData(userId: string): Promise<{
+  roles: {
+    id: string;
+    name: string;
+  }[];
+  directPermissions: {
+    id: string;
+    name: string;
+  }[];
+  effectivePermissions: {
+    id: string;
+    name: string;
+  }[];
+}>;
+//#endregion
+export { assignPermissionToRole, assignPermissionToUser, assignRoleToUser, createPermission, createRole, deletePermission, deleteRole, getPermissions, getRoleById, getRolePermissions, getRoles, getUserRbacData, revokePermissionFromRole, revokePermissionFromUser, revokeRoleFromUser };
+//# sourceMappingURL=rbac.d.mts.map

package/dist/core/auth/rbac.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.mts","names":[],"sources":["../../../src/core/auth/rbac.ts"],"mappings":";;;;;;AAyBA;iBAAsB,QAAA,CAAA,GAAQ,OAAA;;;;;iBAIR,WAAA,CAAY,MAAA,WAAc,OAAA;;;;;iBAQ1B,UAAA,CAAW,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAI7C,UAAA,CAAW,MAAA,WAAc,OAAA,CAAf,EAAA,CAAe,WAAA;AAAA,iBAMzB,cAAA,CAAA,GAAc,OAAA;;;;;iBAOd,gBAAA,CAAiB,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAOnD,gBAAA,CAAiB,YAAA,WAAoB,OAAA,CAArB,EAAA,CAAqB,WAAA;AAAA,iBAQrC,kBAAA,CAAmB,MAAA,WAAc,OAAA;;;;iBAcjC,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAcA,gBAAA,CAAiB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAO/C,kBAAA,CAAmB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAWjD,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAYA,eAAA,CAAgB,MAAA,WAAc,OAAA"}